
Network Security Class

  • ID:  Network_Security_Class
  • Description:  The Network Security component uses IPsec policies for authentication and encryption of DirectAccess connections. Multiple policies can be applied to a computer simultaneously, each providing a different function. The result of all of these policies working together is a DirectAccess client that can securely communicate with the DirectAccess server and intranet servers.
  • Class Hierarchy: 
    Object
    Configuration Item
    Logical Entity
    Application Component
    Windows Application Component
    Network Security

  • Attributes:  Public, Hosted

This is a critical (red) alarm generated because the Base Filtering Engine (BFE) service crashed. The Base Filtering Engine (BFE) is a service that manages firewall and Internet Protocol security (IPsec) policies and implements user mode filtering. The alarm is cleared when the service comes back up. Disabling the BFE service will significantly reduce the security of the system and will also result in unpredictable behavior in IPsec management and firewall applications.

This is a critical (red) alarm generated because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service crashed.

This alarm indicates that the 'Current State Entries' counter (under the 'IPSec DOS Protection' object in perfmon) has exceeded critical levels. 'Current State Entries' is the number of active state entries in the table. A state entry is a pair of IPv6 addresses that is authorized to pass through from a public to an internal interface.

This alarm indicates that the 'Current State Entries' counter (under the 'IPSec DOS Protection' object in perfmon) has exceeded warning levels. 'Current State Entries' is the number of active state entries in the table. A state entry is a pair of IPv6 addresses that is authorized to pass through from a public to an internal interface.

This is a warning (yellow) alarm that is raised when the 'Inbound Rate Limit Discarded ICMPv6 Packets/sec' counter (under the 'IPSec DOS Protection' object in perfmon) exceeds a defined threshold. 'Inbound Rate Limit Discarded ICMPv6 Packets/sec' is the rate at which ICMPv6 packets are received on a public interface and discarded because they exceeded the rate limit for ICMPv6 packets per second.

This is a warning (yellow) alarm that is raised when the 'Inbound Rate Limit Discarded IPv6 IPsec Authenticated Packets/sec' counter (under the 'IPSec DOS Protection' object in perfmon) exceeds a defined threshold. 'Inbound Rate Limit Discarded IPv6 IPsec Authenticated Packets/sec' is the rate at which authenticated IKEv1, IKEv2, AuthIP, or ESP IPv6 packets are received on a public interface and discarded because they exceed the rate limit for IPv6 IPsec authenticated packets per second. An authenticated packet is an IPsec packet with an associated state entry. A state entry is a pair of IPv6 addresses that is authorized to pass through from a public to an internal interface.

This is a warning (yellow) alarm for a potential DoS attack and is raised when the 'IKE DoS-prevention mode started' event (Event Id: 4646, Event Source: Microsoft Windows security auditing, Event Log Channel: Security) is generated. The alarm is cleared when the same event is generated again.

This is a warning (yellow) alarm indicating that the 'Inbound Rate Limit Discarded IPv6 IPsec Unauthenticated Packets/sec' counter (under the 'IPSec DOS Protection' object in perfmon) has exceeded a defined threshold. 'Inbound Rate Limit Discarded IPv6 IPsec Unauthenticated Packets/sec' is the rate at which unauthenticated IKEv1, IKEv2, AuthIP, or ESP IPv6 packets received on a public interface were discarded because they exceeded the rate limit for IPv6 IPsec unauthenticated packets per second. An unauthenticated packet is an IPsec packet without an associated state entry. A state entry is a pair of IPv6 addresses that is authorized to pass through from a public to an internal interface.

This is a warning (yellow) alarm that is raised when the 'Packets That Failed Replay Detection/sec' counter (under the 'IPsec Driver' object in perfmon) exceeds a defined threshold. 'Packets That Failed Replay Detection/sec' is the rate of packets that contained an invalid sequence number since the computer was last started. Increases in this counter might indicate a network problem or replay attack.

This is a warning (yellow) alarm that is raised when the 'Incorrect SPI Packets/sec' counter (under the 'IPsec Driver' object in perfmon) exceeds a defined threshold. 'Incorrect SPI Packets/sec' is the rate of packets for which the Security Parameter Index (SPI) was incorrect since the computer was last started. A large number of packets with bad SPIs within a short amount of time might indicate a packet spoofing attack.

This alarm indicates that the 'Failed Main Mode Negotiations' counter (under the 'IPsec AuthIP IPv6' object in perfmon) has exceeded critical levels.

This alarm indicates that the 'Failed Main Mode Negotiations' counter (under the 'IPsec AuthIP IPv6' object in perfmon) has exceeded warning levels.

Network Security component uses IPsec policies for authentication and encryption of DirectAccess connections. Multiple policies can be applied to a computer simultaneously, each providing a different function. The result of all of these policies working together is a DirectAccess client that can securely communicate with the DirectAccess server and intranet servers.

DirectAccess is an optional feature of Windows Server 2008 R2 that will host, manage, and either terminate or pass-through IPsec sessions. The DirectAccess server is a server function and cannot be installed on a client computer running Windows 7.


Properties

Display Name | Description
Asset Status | Asset status
Display Name | Display name of the object.
Notes | Notes
Object Status | Object status

Discovered By

Name | Description
Network Security Discovery | Network Security component uses IPsec policies for authentication and encryption of DirectAccess connections.

Relations

Health Source
Name | Class | Type
Owned By User | Configuration Item | Reference
Affects Customers | Configuration Item | Reference
Serviced By User | Configuration Item | Reference
Contains Configuration Item | Configuration Item | Membership
Is Related to Configuration Item | Configuration Item | Reference
Config Item References Location | Configuration Item | Reference
Entity Watched By Perspective | Object | Reference

Health Target
Name | Class | Type
DirectAccess Server - Network Security | Network Security | Hosting

Class Knowledgebase

Summary

The Network Security component uses IPsec policies for authentication and encryption of DirectAccess connections. Multiple policies can be applied to a computer simultaneously, each providing a different function. The result of all of these policies working together is a DirectAccess client that can securely communicate with the DirectAccess server and intranet servers.

External References
This class does not contain any external references.
