Title: /home/dishmael/.mail_template

I don't know if/how the PIX does that, but I do know that numerous PIX monitoring applications do exactly that.


Wes Noonan

[EMAIL PROTECTED]

281-208-8993


-----Original Message-----
From: David Ishmael [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 17, 2002 08:46
To: Brian Ford
Cc: Claussen, Ken; [EMAIL PROTECTED]
Subject: Re: PIX IDS Configuration


Thanks to all who took the time to respond.  I guess I was checking to see if the PIX could detect a port scan (especially the stealth scan from NMAP) and drop/reset (for 5 minutes) the connections using some sort of logic (for example) where a src address attempts to connect to more than 10 ports within a specified amount of time (say 1 minute) to ports that were not opened on the PIX.  Assuming this functionality isn't there, I was hoping that the PIX would at the very least send a syslog message stating that a port scan had been done for logging purposes.

- Dave

Brian Ford wrote:

Ken,

We always try to listen to you.  ;-)

The PIX IDS consists of 59 atomic signatures as well as shunning and reset capabilities.  We chose the signatures that were there because they were common AND they were atomic. The intent was that the PIX would be part of a Cisco IDS solution.  We plan to continue development along those lines.

If you have a promiscuous sensor in your Internet perimeter and your site gets scanned you can configure the PIX to send a TCP reset and shun the offending IP.

While shunning is a wonderful thing, having a device proactively respond and shun an attacker has some inherent risks that many folks overlook.  For example, if the address of the attacker spoofs an upstream router, you DOS yourself.

The PIX itself is a very quiet device.  If you send traffic to the PIX it expects it to be an IPSec or tunnel connection (it responds to those).  Otherwise the PIX logs and drops packets that arrive addressed to the outside interface.  If you try and open a connection to a PIX that isn't configured for VPN or tunnel, it logs and drops the traffic.

Liberty for All,

Brian


At 12:15 PM 4/16/2002 -0700, [EMAIL PROTECTED] wrote:

Message: 1
Subject: RE: PIX IDS Configuration
Date: Tue, 16 Apr 2002 13:53:03 -0400
From: "Claussen, Ken" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>

No Port Scan/Sweep Signature included. The pix uses 59 (I think) signatures from the Cisco Netranger Intrusion Detection Product. They chose them from the supposedly worst/most common exploits. I would like to see a feature where an offender could be auto-shunned such as the real Netranger product supports with a managed edge router configuration, but I am not holding my breath. It would also be nice if they detect SYN Sweeps and block/Shun them after 4 successive access attempts in under 2 seconds (similar to the Snort Portscan module). Are you listening Cisco?
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_61/syslog/pixemsgs.htm#18407 List of Signatures and classifications
If you are interested in IDS look into Snort, it provides far better logging, configuration, and rule writing than the builtin Pix IDS. Not to mention you can run Snort on Windows or Linux. A single sensor could monitor all the firewall interfaces if it had enough network cards. I have run three instances of Snort on the same box without a performance problem (PIII-500/256MB RAM/ATA6610GB). Each instance can have its own configuration and rule set, or they can share. For more info check:
www.snort.org Official site
www.silicondefense.com Compiled Windows Binaries and instructions

Ken Claussen MCSE CCNA CCA
"In Theory it should work as you describe, but the difference between theory and reality is the truth! For this we all strive"
-----Original Message-----
From: David Ishmael [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 16, 2002 12:17 PM
To: [EMAIL PROTECTED]
Subject: PIX IDS Configuration


Hey all, got a quick PIX question for the list.  I've got a PIX running version 6.1 and configured the internal IDS according to the documentation as follows:

ip audit name IDSattack attack action alarm drop reset
ip audit name IDSinfo info action alarm
ip audit interface outside IDSinfo
ip audit interface outside IDSattack

Where 'outside' is the outside interface.  I just ran a port scan against an internal server from outside the network and the PIX didn't respond.  Does the PIX not have an IDS signature for port scans?  Is the configuration wrong?  Anybody ever used the PIX IDS?  Any help is always appreciated...


--
David Ishmael, CCNA/IVCP
Sr. Engineer, Windward Consulting Group
2300 Corporate Park Drive
Suite 400
Herndon, VA 20171
[EMAIL PROTECTED]
(571) 332-6234

"Engineers don't think outside the box, they redesign it"


EMAIL DISCLAIMER
The information contained in this message, and any attachment, is confidential and proprietary information, and may be legally privileged. It is intended for the above named recipient(s) only and is transmitted in confidence. It should be safeguarded to prevent unauthorized, negligent, or inadvertent use or disclosure. This message is proprietary to Windward Consulting Group, Inc. and may not be disclosed, forwarded, distributed, or reproduced, without the express permission of Windward.
If this message is received in error, the sender should be notified and the message and any attachments deleted.
Email transmission cannot be guaranteed to be secure or error free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message which arise as a result of email transmission.
©2002 Windward Consulting Group, Inc


_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls


--
David Ishmael, CCNA/IVCP
Sr. Engineer, Windward Consulting Group
2300 Corporate Park Drive
Suite 400
Herndon, VA 20171
[EMAIL PROTECTED]
(571) 332-6234

"Engineers don't think outside the box, they redesign it"

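Dave's message above asks for logic that flags a source address hitting more than 10 closed ports within a minute, and Ken's earlier reply asks for much the same with a tighter threshold. Since, as Brian notes, the PIX logs and drops unsolicited connections to its outside interface, one defender-side option that needs no new firewall feature is to apply that threshold to the firewall's own deny syslog off-box. The Python detector below is an added example written for this page, not code from the thread, from Cisco or from Snort. It assumes the PIX 6.x `%PIX-2-106001` "Inbound TCP connection denied" message layout as a syslog server writes it (a "Mon DD HH:MM:SS host" prefix before the `%PIX` tag), supplies a year because syslog timestamps carry none, uses constructed sample lines with documentation addresses, and defines a scan as more than `max_ports` distinct destination ports from one source within `window_seconds` (Dave's 10-in-60-seconds rule by default).

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# PIX 6.x "106001 Inbound TCP connection denied" line, as a syslog server
# writes it (assumed "Mon DD HH:MM:SS host" prefix before the %PIX tag).
DENY_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ %PIX-\d-106001: "
    r"Inbound TCP connection denied from (?P<src>[\d.]+)/\d+ "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags [A-Z ]+ "
    r"on interface (?P<iface>\S+)$"
)


def parse_deny(line, year=2002):
    """Return a dict for a 106001 deny line, or None for any other message."""
    m = DENY_RE.match(line)
    if m is None:
        return None
    # syslog timestamps carry no year; the caller supplies one (2002 assumed here)
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "iface": m["iface"]}


def detect_scans(lines, max_ports=10, window_seconds=60, year=2002):
    """Alert once per source that is denied on more than max_ports distinct
    destination ports within any window_seconds span."""
    recent = defaultdict(deque)   # src -> deque of (timestamp, dport), oldest first
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_deny(line, year)
        if ev is None:
            continue                # not a deny line; nothing to count
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["dport"]))
        # slide the window: drop denies older than window_seconds
        while (ev["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        ports = {dport for _, dport in q}
        if len(ports) > max_ports and ev["src"] not in alerted:
            alerted.add(ev["src"])
            alerts.append({"src": ev["src"], "iface": ev["iface"],
                           "ports": sorted(ports),
                           "first_seen": q[0][0], "last_seen": ev["ts"]})
    return alerts


def pix_deny(ts, src, sport, dst, dport):
    """Build a constructed 106001 line in the layout DENY_RE expects."""
    return (f"{ts} pixfw %PIX-2-106001: Inbound TCP connection denied from "
            f"{src}/{sport} to {dst}/{dport} flags SYN on interface outside")


SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445]

# Constructed sample log (documentation addresses), not real firewall output:
#  - 203.0.113.7 hits 12 closed ports in 12 seconds (a fast scan)
#  - 198.51.100.9 hits the same 12 ports one every 15 seconds (slow probe,
#    never more than 5 distinct ports inside a 60-second window)
#  - one unrelated 302001 "Built ... connection" line that must be ignored
SAMPLE_LOG = (
    [pix_deny(f"Apr 16 12:17:{i:02d}", "203.0.113.7", 40000 + i, "192.168.1.10", p)
     for i, p in enumerate(SCAN_PORTS)]
    + [pix_deny(f"Apr 16 12:{20 + (15 * i) // 60:02d}:{(15 * i) % 60:02d}",
                "198.51.100.9", 50000 + i, "192.168.1.10", p)
       for i, p in enumerate(SCAN_PORTS)]
    + ["Apr 16 12:23:30 pixfw %PIX-6-302001: Built inbound TCP connection 12 "
       "for faddr 198.51.100.5/1025 gaddr 192.0.2.10/80 laddr 192.168.1.10/80"]
)

if __name__ == "__main__":
    for a in detect_scans(SAMPLE_LOG):
        print(f"possible port scan from {a['src']} on {a['iface']}: "
              f"{len(a['ports'])} ports between {a['first_seen']:%H:%M:%S} "
              f"and {a['last_seen']:%H:%M:%S}")
```

Run against the sample, the fast scanner is reported once, at the deny that brings it to 11 distinct ports; the slow probe never crosses the default threshold, which is the usual trade-off with any fixed window. Tightening the parameters (for example `max_ports=3`) catches the slow probe too, at the cost of more false positives from legitimate clients retrying several services. Note that the detector counts only traffic the PIX already denied, so it is a logging and alerting aid rather than the in-line shun Dave asked for, and any automated response built on it inherits the spoofing risk Brian describes.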