[isalist] Re: lockdown mode

  • From: "Thor \(Hammer of God\)" <thor@xxxxxxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 3 Apr 2007 06:23:31 -0700

Yeah!  What he said!  :)

t
  ----- Original Message ----- 
  From: Jim Harrison 
  To: isalist@xxxxxxxxxxxxx 
  Sent: Tuesday, April 03, 2007 6:10 AM
  Subject: [isalist] Re: lockdown mode


  That's a shame and definitely your loss.

  Tim is right; while ISA can ignore a specific client when it triggers flood 
mitigation, this is not "lockdown".

  Actually, alerts aren't the only thing that can cause lockdown, and they're 
not even the most common.

  Anything that can cause the Firewall service to hang or stop will create the 
same effect.

  This is what I alluded to with "crappy plug-ins".

  PSS has logged *MANY* cases where a filter bug caused ISA to crash on a 
regular basis, forcing a lockdown scenario.

  The worst part of it is that they frequently wouldn't let PSS remove the 
filter to validate the bug theory, citing "security requirements" while 
simultaneously crying "SLA!!".

  This is where reboots sometimes gave temporary relief but actually did 
*nothing* to solve the problem.



  From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of D PIETRUSZKA USWRN INTERLINK INFRA ASST MGR
  Sent: Tuesday, April 03, 2007 4:25 AM
  To: isalist@xxxxxxxxxxxxx
  Subject: [isalist] Re: lockdown mode



  Well I was looking for another answer, I will not be able to offer you the 
position we have open.

  Maybe next time ;-)



  Regards

  Diego R. Pietruszka

  MSC (USA) - Interlink Transport Technologies




------------------------------------------------------------------------------

  From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Thor (Hammer of God)
  Sent: Tuesday, April 03, 2007 1:58 AM
  To: isalist@xxxxxxxxxxxxx
  Subject: [isalist] Re: lockdown mode



  The "alert" configuration dictates the circumstances under which lockdown 
occurs.  You can define them to suit your needs. 



  Regarding your "attack" question, no, ISA doesn't go into lockdown because of 
an attack.  That would defeat the purpose ;)



  If you want to restart the services first and ask questions later when a 
lockdown occurs, that is completely your choice. I, however, would choose to 
appreciate the security posture of "lockdown" mode (as configured) and to 
perform due diligence in administration of my enterprise firewall before I just 
restart the services that have told you there is a serious issue in the very 
service that is protecting your network.  But that's just me.



  t

    ----- Original Message ----- 

    From: D PIETRUSZKA USWRN INTERLINK INFRA ASST MGR 

    To: isalist@xxxxxxxxxxxxx 

    Sent: Monday, April 02, 2007 5:29 PM

    Subject: [isalist] Re: lockdown mode



    And who told you that you will be able to solve the problem?
    Is the only reason for ISA to go to lock down mode an internal fail? What 
if it was an attack and that will not happen again?

    --------------------------
    Sent from my BlackBerry Wireless Device


    -----Original Message-----
    From: isalist-bounce@xxxxxxxxxxxxx <isalist-bounce@xxxxxxxxxxxxx>
    To: isalist@xxxxxxxxxxxxx <isalist@xxxxxxxxxxxxx>
    Sent: Mon Apr 02 19:52:11 2007
    Subject: [isalist] Re: lockdown mode

    http://www.ISAserver.org
    -------------------------------------------------------
     
    In this case, if you don't solve the problem that caused the symptoms, you 
merely repeat the symptoms.
    Discover and solve the problem first.

    -----Original Message-----
    From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of D PIETRUSZKA USWRN INTERLINK INFRA ASST MGR
    Sent: Monday, April 02, 2007 4:02 PM
    To: isalist@xxxxxxxxxxxxx
    Subject: [isalist] Re: lockdown mode

    Well in a production environment I would restart the service first and then 
ask ISA why that happened.


    --------------------------
    Sent from my BlackBerry Wireless Device


    -----Original Message-----
    From: isalist-bounce@xxxxxxxxxxxxx <isalist-bounce@xxxxxxxxxxxxx>
    To: isalist@xxxxxxxxxxxxx <isalist@xxxxxxxxxxxxx>
    Sent: Mon Apr 02 18:53:12 2007
    Subject: [isalist] Re: lockdown mode


    Do what Tim said.
    If you don't know why it happened, it's likely to happen again.

    -----Original Message-----
    From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
    On Behalf Of Thor (Hammer of God)
    Sent: Monday, April 02, 2007 2:26 PM
    To: isalist@xxxxxxxxxxxxx
    Subject: [isalist] Re: lockdown mode

    You have to find out what caused ISA to go into Lockdown first, rectify
    the situation, and then restart the services.

    t

    ----
    Timothy Mullen, MVP, MCSE, MCT, MCSD
    Vice President of Consulting Services
    NGS Software
    www.ngssoftware.com

    Check out Thor's "Microsoft Ninjitsu: Blackbelt Edition" at Blackhat Vegas 2007!
    http://www.blackhat.com/html/bh-usa-07/train-bh-us-07-tm-ms-bbe.html



            ----- Original Message -----
            From: Michael Ross <mailto:mross@xxxxxxxxxxx>
            To: isalist@xxxxxxxxxxxxx
            Sent: Monday, April 02, 2007 1:54 PM
            Subject: [isalist] lockdown mode

            if an ISA box went into lockdown mode, how could you make it
    return to a normal state? (ISA 2004 SP2)


    All mail to and from this domain is GFI-scanned.

    ------------------------------------------------------
    List Archives: //www.freelists.org/archives/isalist/
    ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
    ISA Server Articles and Tutorials: 
http://www.isaserver.org/articles_tutorials/
    ISA Server Blogs: http://blogs.isaserver.org/
    ------------------------------------------------------
    Visit TechGenix.com for more information about our other sites:
    http://www.techgenix.com
    ------------------------------------------------------
    To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
    Report abuse to listadmin@xxxxxxxxxxxxx





