[isalist] Re: lockdown mode

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 3 Apr 2007 06:10:22 -0700

That's a shame and definitely your loss.

Tim is right; while ISA can ignore a specific client when it triggers
flood mitigation, this is not "lockdown".

Actually, alerts aren't the only thing that can cause lockdown, and
they're not even the most common.

Anything that can cause the Firewall service to hang or stop will create
the same effect.

This is what I alluded to with "crappy plug-ins".

PSS has logged *MANY* cases where a filter bug caused ISA to crash on a
regular basis, forcing a lockdown scenario.

The worst part of it is that they frequently wouldn't let PSS remove the
filter to validate the bug theory, citing "security requirements" while
simultaneously crying "SLA!!".

This is where reboots sometimes gave temporary relief but actually did
*nothing* to solve the problem.

 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of D PIETRUSZKA USWRN INTERLINK INFRA ASST MGR
Sent: Tuesday, April 03, 2007 4:25 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: lockdown mode

 

Well I was looking for another answer, I will not be able to offer you
the position we have open.

Maybe next time ;-)

 

Regards

Diego R. Pietruszka

MSC (USA) - Interlink Transport Technologies

 

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Thor (Hammer of God)
Sent: Tuesday, April 03, 2007 1:58 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: lockdown mode

 

The "alert" configuration dictates the circumstances under which
lockdown occurs.  You can define them to suit your needs. 

 

Regarding your "attack" question, no, ISA doesn't go into lockdown
because of an attack.  That would defeat the purpose ;)

 

If you want to restart the services first and ask questions later when a
lockdown occurs, that is completely your choice. I, however, would
choose to appreciate the security posture of "lockdown" mode (as
configured) and to perform due diligence in administration of my
enterprise firewall before I just restart the services that have told
you there is a serious issue in the very service that is protecting your
network.  But that's just me.

 

t

        ----- Original Message ----- 

        From: D PIETRUSZKA USWRN INTERLINK INFRA ASST MGR
<mailto:DPietruszka@xxxxxx>  

        To: isalist@xxxxxxxxxxxxx 

        Sent: Monday, April 02, 2007 5:29 PM

        Subject: [isalist] Re: lockdown mode

         

        And who told you that you will be able to solve the problem?
        Is the only reason for ISA to go to lock down mode an internal
failure? What if it was an attack and that will not happen again?
        
        --------------------------
        Sent from my BlackBerry Wireless Device
        
        
        -----Original Message-----
        From: isalist-bounce@xxxxxxxxxxxxx
<isalist-bounce@xxxxxxxxxxxxx>
        To: isalist@xxxxxxxxxxxxx <isalist@xxxxxxxxxxxxx>
        Sent: Mon Apr 02 19:52:11 2007
        Subject: [isalist] Re: lockdown mode
        
        http://www.ISAserver.org
        -------------------------------------------------------
         
        In this case, if you don't solve the problem that caused the
symptoms, you merely repeat the symptoms.
        Discover and solve the problem first.
        
        -----Original Message-----
        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of D PIETRUSZKA USWRN
INTERLINK INFRA ASST MGR
        Sent: Monday, April 02, 2007 4:02 PM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: lockdown mode
        
        Well in a production environment I would restart the service
first and then ask ISA why that happened.
        
        
        --------------------------
        Sent from my BlackBerry Wireless Device
        
        
        -----Original Message-----
        From: isalist-bounce@xxxxxxxxxxxxx
<isalist-bounce@xxxxxxxxxxxxx>
        To: isalist@xxxxxxxxxxxxx <isalist@xxxxxxxxxxxxx>
        Sent: Mon Apr 02 18:53:12 2007
        Subject: [isalist] Re: lockdown mode
        
        
        Do what Tim said.
        If you don't know why it happened, it's likely to happen again.
        
        -----Original Message-----
        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx]
        On Behalf Of Thor (Hammer of God)
        Sent: Monday, April 02, 2007 2:26 PM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: lockdown mode
        
        You have to find out what caused ISA to go into Lockdown first, rectify
        the situation, and then restart the services.
        
        t
        
        ----
        Timothy Mullen, MVP, MCSE, MCT, MCSD
        Vice President of Consulting Services
        NGS Software
        www.ngssoftware.com
        
        Check out Thor's "Microsoft Ninjitsu: Blackbelt Edition" at Blackhat Vegas 2007!
        http://www.blackhat.com/html/bh-usa-07/train-bh-us-07-tm-ms-bbe.html
        
        
        
                ----- Original Message -----
                From: Michael Ross <mailto:mross@xxxxxxxxxxx>
                To: isalist@xxxxxxxxxxxxx
                Sent: Monday, April 02, 2007 1:54 PM
                Subject: [isalist] lockdown mode
        
                If an ISA box went into lockdown mode, how could you make it
                return to a normal state? (ISA 2004 SP2)
        
        
        All mail to and from this domain is GFI-scanned.
        
        ------------------------------------------------------
        List Archives: //www.freelists.org/archives/isalist/
        ISA Server Newsletter:
http://www.isaserver.org/pages/newsletter.asp
        ISA Server Articles and Tutorials:
http://www.isaserver.org/articles_tutorials/
        ISA Server Blogs: http://blogs.isaserver.org/
        ------------------------------------------------------
        Visit TechGenix.com for more information about our other sites:
        http://www.techgenix.com
        ------------------------------------------------------
        To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
        Report abuse to listadmin@xxxxxxxxxxxxx
        
        
        
        
        

