Alerts when running a Port Scan against ISA Server 2006

It is very common for a company to have its security team run port scan tests against the servers and other devices on its network. When they run this type of test against ISA Server, the expected behavior can vary, because everything depends on which ports are open and which services ISA Server is publishing to the internal and external networks.

Another aspect to consider is that when you run such a test against ISA Server, its intrusion detection capabilities will trigger alerts that look like this:

Figure 1 – Intrusion Detection Alert.
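
As an added example (not code from the original post, and not ISA Server's own detection logic or log format), here is the kind of check an intrusion detection feature applies to recognize a port scan: one source touching many distinct destination ports on one host within a short window. The log layout, the hosts, the threshold and the 60-second window are all assumptions, and the sample traffic is constructed inline. Counting allowed connections as well as denied ones matters, because a scan against a firewall with an allow-all rule (the situation this post goes on to describe) produces no denials at all.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (an assumption, NOT ISA Server's real log layout):
#   <ISO timestamp> <source ip> <destination ip> <destination port> <action>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<port>\d+) (?P<action>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "port": int(m["port"]),
        "action": m["action"],
    }


def detect_port_scans(lines, threshold=20, window=timedelta(seconds=60)):
    """Return {(src, dst): peak_distinct_ports} for every source/destination pair
    that touched more than `threshold` distinct destination ports inside any
    sliding `window`. Denied and allowed connections both count: a scan of an
    allow-all rule produces only allowed lines yet is still a scan."""
    events = defaultdict(list)  # (src, dst) -> [(timestamp, port), ...]
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            events[(rec["src"], rec["dst"])].append((rec["ts"], rec["port"]))

    alerts = {}
    for pair, evs in events.items():
        evs.sort()
        in_window = defaultdict(int)  # port -> hits currently inside the window
        start = 0
        for ts, port in evs:
            in_window[port] += 1
            # Slide the window start forward until it spans at most `window`.
            while ts - evs[start][0] > window:
                old_port = evs[start][1]
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
                start += 1
            if len(in_window) > threshold:
                alerts[pair] = max(alerts.get(pair, 0), len(in_window))
    return alerts


BASE = datetime(2009, 3, 10, 10, 0, 0)


def _fmt(ts, src, dst, port, action):
    return f"{ts.isoformat()} {src} {dst} {port} {action}"


def build_sample_log():
    """Constructed sample traffic against a firewall at 192.168.1.1 (all values invented):
    a fast scanner, a slow scanner that stays under the per-window threshold,
    and a benign client that only ever talks to ports 80 and 443."""
    lines = []
    for i in range(40):  # fast scan: 40 ports in 40 seconds
        lines.append(_fmt(BASE + timedelta(seconds=i), "192.168.1.50", "192.168.1.1", i + 1, "DENIED"))
    for i in range(30):  # slow scan: one port every 5 s -> at most 13 ports per 60 s window
        lines.append(_fmt(BASE + timedelta(seconds=5 * i), "192.168.1.70", "192.168.1.1", i + 1, "DENIED"))
    for i in range(40):  # benign client: alternates between 80 and 443
        lines.append(_fmt(BASE + timedelta(seconds=i), "192.168.1.60", "192.168.1.1", 443 if i % 2 else 80, "ALLOWED"))
    lines.append("this line is not a log record")  # exercises the parser's reject path
    return lines


if __name__ == "__main__":
    for (src, dst), peak in detect_port_scans(build_sample_log()).items():
        print(f"ALERT: port scan from {src} against {dst} ({peak} distinct ports within 60 s)")
```

With the defaults only the fast scanner is reported; lowering the threshold to 10 also catches the slow scanner, which shows why the window length and threshold have to be tuned together rather than chosen in isolation.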

To trigger this alert in my lab environment, I installed Zenmap on an internal workstation, ran the scan against ISA Server, and got this result:

Figure 2 – Nmap Output

Notice that in this case only 3 ports are open; you can see that more clearly by clicking the Host Details tab, where the result appears like the one below:

Figure 3 – Scan details

Why is my ISA Server listening on all ports?

Make no mistake about it: ISA Server doesn't do that by itself. Your configuration tells ISA what to do. If you configure your ISA Server to allow everything, it will allow everything; there is no magic (we wish there were) that will make ISA Server protect itself and the network it is supposed to protect if the configuration says otherwise.

The reason I am explaining all this is a support call in which a security admin was nervous because his port scan utility (he was using Nmap) reported that ISA Server had all ports open. I could easily reproduce this behavior in the lab, and here is how the scan result looks:

Figure 4 – All ports open.

The question was: why is ISA listening on all ports?

Answer: because you are telling it to do that.

What happens is that if you create a firewall policy rule that allows all traffic to all networks, ISA Server will behave this way, which is expected. Here is the problematic rule that was allowing this to happen:

Figure 5 – You said to open everything, and ISA shall obey.
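
To put the difference between Figure 2 and Figure 4 into code, here is an added example (not from the original post, and not a Microsoft or Nmap tool) that reads Nmap's XML output, counts scanned and open ports, and flags a host that answers "open" on nearly every port as a likely symptom of an allow-all rule rather than 1,024 real listeners. The two XML reports are constructed; the host address, the port numbers and the 95% threshold are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed Nmap XML reports (invented data, not the scans from the post).
# Nmap summarizes the ports that share the majority state in an <extraports>
# element and lists the remaining ports individually.
SCAN_THREE_OPEN = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -p 1-1024 192.168.1.1">
  <host>
    <address addr="192.168.1.1" addrtype="ipv4"/>
    <ports>
      <extraports state="closed" count="1021"/>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/><service name="https"/></port>
      <port protocol="tcp" portid="8080"><state state="open" reason="syn-ack"/><service name="http-proxy"/></port>
    </ports>
  </host>
</nmaprun>
"""

SCAN_ALL_OPEN = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -p 1-1024 192.168.1.1">
  <host>
    <address addr="192.168.1.1" addrtype="ipv4"/>
    <ports>
      <extraports state="open" count="1024"/>
    </ports>
  </host>
</nmaprun>
"""


def summarize_scan(xml_text, suspicious_fraction=0.95):
    """Count scanned and open ports for the first host in an Nmap XML report and
    attach a verdict: a host reported open on (nearly) every port is far more
    likely sitting behind an allow-all firewall rule than running 1024 services."""
    root = ET.fromstring(xml_text)
    host = root.find("host")
    if host is None:
        raise ValueError("no <host> element in report")

    scanned = 0
    listed_open = []      # ports Nmap listed individually with state open
    summarized_open = 0   # ports folded into an <extraports state="open"> summary
    for extra in host.iter("extraports"):
        count = int(extra.get("count", "0"))
        scanned += count
        if extra.get("state") == "open":
            summarized_open += count
    for port in host.iter("port"):
        scanned += 1
        state = port.find("state")
        if state is not None and state.get("state") == "open":
            listed_open.append(int(port.get("portid")))

    open_count = len(listed_open) + summarized_open
    if scanned and open_count / scanned >= suspicious_fraction:
        verdict = "suspicious: nearly every port open, review the firewall policy for an allow-all rule"
    else:
        verdict = "normal"
    return {
        "host": host.find("address").get("addr"),
        "scanned": scanned,
        "open": open_count,
        "open_ports": sorted(listed_open),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for report in (SCAN_THREE_OPEN, SCAN_ALL_OPEN):
        s = summarize_scan(report)
        print(f"{s['host']}: {s['open']}/{s['scanned']} open {s['open_ports'] or ''} -> {s['verdict']}")
```

The verdict is a triage hint, not proof: confirm it by reviewing the firewall policy, as the screenshot above shows, before assuming the host really runs that many services.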

:( no more comments…