IP preferences

You can configure how Microsoft Internet Security and Acceleration (ISA) Server 2006 handles Internet Protocol (IP) packets by configuring the following:

IP fragments

A single IP datagram can be divided into multiple datagrams of a smaller size, known as IP fragments. These fragments can be filtered by ISA Server.

When ISA Server filters packet fragments, all fragmented packets are dropped. The teardrop attack and its variants send fragmented packets that, when reassembled, may harm the system. The teardrop attack works a little differently from the Ping of Death attack, but with similar results. The teardrop program creates IP fragments, the pieces into which an original IP packet can be divided as it travels through the Internet. The problem is that the offset fields of these fragments, which are supposed to indicate the portion (in bytes) of the original packet contained in each fragment, overlap.

For example, two fragments' offset fields would normally appear as:

Fragment 1:  (offset) 100 - 300
Fragment 2:  (offset) 301 - 600

This indicates that the first fragment contains bytes 100 through 300 of the original packet, and the second fragment contains bytes 301 through 600.

Overlapping offset fields would appear something like this:

Fragment 1: (offset) 100 - 300
Fragment 2: (offset) 200 - 400

When the destination computer tries to reassemble these packets, it is unable to do so. It may fail, stop responding, or restart.
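The overlap check described above, as an added example that is not ISA Server's own code: it models fragments by the byte range they carry, flags the overlapping pair from the teardrop example, and applies the two policies the text describes (drop every fragment when fragment filtering is on; otherwise drop only overlapping sets). The identification value 7 and the `from_header` helper are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Fragment:
    """One IP fragment, described by the byte range of the original datagram it carries.

    Real IP headers express the offset in 8-byte units; first/last here are already
    converted to byte positions so the example matches the ranges used in the text.
    """
    ident: int   # IP Identification field: all fragments of one datagram share it
    first: int   # first payload byte of the original datagram carried by this fragment
    last: int    # last payload byte (inclusive)
    more: bool   # More Fragments (MF) flag: False on the final fragment

def from_header(ident: int, frag_offset_field: int, payload_len: int, more: bool) -> Fragment:
    """Build a Fragment from raw header values (offset field is in 8-byte units). Hypothetical helper."""
    first = frag_offset_field * 8
    return Fragment(ident, first, first + payload_len - 1, more)

def is_fragment(f: Fragment) -> bool:
    """A datagram is a fragment if it is not the first piece or more pieces follow."""
    return f.first > 0 or f.more

def find_overlap(frags: List[Fragment]) -> Optional[Tuple[Fragment, Fragment]]:
    """Return the first pair of same-datagram fragments whose byte ranges overlap, else None."""
    groups: Dict[int, List[Fragment]] = {}
    for f in frags:
        groups.setdefault(f.ident, []).append(f)
    for group in groups.values():
        ordered = sorted(group, key=lambda f: f.first)
        for prev, cur in zip(ordered, ordered[1:]):
            if cur.first <= prev.last:  # ranges share at least one byte: teardrop pattern
                return prev, cur
    return None

def fragment_verdict(frags: List[Fragment], filter_fragments: bool) -> str:
    """Return 'drop' or 'accept', mirroring the two policies described above.

    With fragment filtering on, every fragment is dropped regardless of content.
    With it off, only fragment sets whose offsets overlap are dropped.
    """
    if filter_fragments and any(is_fragment(f) for f in frags):
        return "drop"
    return "drop" if find_overlap(frags) else "accept"

# Constructed sample: the two fragment pairs from the text (identification 7 is assumed).
NORMAL = [Fragment(7, 100, 300, True), Fragment(7, 301, 600, False)]
TEARDROP = [Fragment(7, 100, 300, True), Fragment(7, 200, 400, False)]
```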

Fragment filtering can interfere with streaming audio and video. In addition, L2TP over IPsec connections may not be successfully established, because packet fragmentation may take place during the certificate exchange. Disable fragment filtering if you have problems with streaming media or IPsec-based VPN connections.

For instructions, see Enable IP fragment filtering.

IP routing

When IP routing is disabled, ISA Server sends only the data (not the original network packet) to the destination. Also, when it is disabled, ISA Server copies each packet and then resends it through the driver in user mode.

When IP routing is enabled, ISA Server acts as a router. Some filtering is performed by the driver in user mode on the traffic passing through ISA Server.

For instructions, see Enable IP routing.

IP options

You can configure ISA Server to refuse all packets that have IP options set in the header. The most problematic options are the source routing options. TCP/IP supports source routing, which is a means of permitting the sender of network data to route the packets through a specific point on the network. There are two types of source routing:

The source route option in the IP header allows the sender to override the routing decisions that are normally made by the routers between the source and destination computers. You can use source routing to map the network or to troubleshoot routing and communications problems. Source routing can also be used to force traffic through the route providing the best performance. Unfortunately, source routing can also be exploited by attackers.

For example, an intruder can use source routing to reach addresses on the Internal network that normally are not reachable from other networks, by routing the traffic through another computer that is reachable from both the other network and the Internal network.

For instructions, see Enable IP options filtering.
