Velocity Reviews - Computer Hardware Reviews

IDS on PIX 506e

 
 
dilan.weerasinghe@gmail.com
10-26-2006
Hi

We are running Cisco PIX Version 6.3(1).
Can anyone tell me if they have any experience of IDS on this firewall?
I am hearing conflicting reports - some saying that IDS is not
available, others saying it maybe!

Thanks in advance....

 
Walter Roberson
10-26-2006
dilan.weerasinghe@gmail.com wrote:

>We are running Cisco PIX Version 6.3(1).


You should upgrade that. If you are the original owners of the
equipment, you are entitled to a free update to 6.3(5)112 because
of known security problems in 6.3(1), 6.3(3), and 6.3(4) and (5).

>Can anyone tell me if they have any experience of IDS on this firewall?
>I am hearing conflicting reports - some saying that IDS is not
>available, others saying it maybe!


There is IDS, but it has barely changed since the days of PIX 5,
and it is not adaptable and is barely configurable.

http://www.cisco.com/univercd/cc/td/....htm#wp1101884

 
dilan.weerasinghe@gmail.com
10-26-2006


On Oct 26, 4:48 pm, rober...@hushmail.com (Walter Roberson) wrote:
> In article <1161875680.100314.73...@k70g2000cwa.googlegroups. com>,
>
> <dilan.weerasin...@gmail.com> wrote:
> >We are running Cisco PIX Version 6.3(1).
>
> You should upgrade that. If you are the original owners of the
> equipment, you are entitled to a free update to 6.3(5)112 because
> of known security problems in 6.3(1), 6.3(3), and 6.3(4) and (5).
>
> >Can anyone tell me if they have any experience of IDS on this firewall?
> >I am hearing conflicting reports - some saying that IDS is not
> >available, others saying it maybe!
>
> There is IDS, but it has barely changed since the days of PIX 5,
> and it is not adaptable and is barely configurable.
>
> http://www.cisco.com/univercd/cc/td/...ix/pix_sw/v_63...


Thanks Walter.

We have the following lines in our config

logging on
logging timestamp
logging trap informational
logging host inside 192.168.1.7
<snip>
ip audit info action alarm
ip audit attack action alarm

Am I correct thinking that this doesn't do much since there is no
interface that the ip audit command is applied to?

Would the following suffice?

ip audit info action alarm
ip audit attack action alarm
ip audit interface outside
ip audit name audit attack action alarm

And then invest in a promiscuous mode IDS device that
monitors what gets through?

Thanks

 
 
dilan.weerasinghe@gmail.com
10-26-2006


On Oct 26, 4:48 pm, rober...@hushmail.com (Walter Roberson) wrote:
> In article <1161875680.100314.73...@k70g2000cwa.googlegroups. com>,
>
> <dilan.weerasin...@gmail.com> wrote:
> >We are running Cisco PIX Version 6.3(1).
>
> You should upgrade that. If you are the original owners of the
> equipment, you are entitled to a free update to 6.3(5)112 because
> of known security problems in 6.3(1), 6.3(3), and 6.3(4) and (5).
>
> >Can anyone tell me if they have any experience of IDS on this firewall?
> >I am hearing conflicting reports - some saying that IDS is not
> >available, others saying it maybe!
>
> There is IDS, but it has barely changed since the days of PIX 5,
> and it is not adaptable and is barely configurable.
>
> http://www.cisco.com/univercd/cc/td/...ix/pix_sw/v_63...


Thanks Walter.

We have the following lines in our config

logging on
logging timestamp
logging trap informational
logging host inside 192.168.1.7
<snip>
ip audit info action alarm
ip audit attack action alarm
<end of anything relating to ip audit>

Am I correct thinking that this doesn't do much since there is no
interface that the ip audit command is applied to? The logging to the
Kiwi Syslog server on 192.168.1.7 works fine, but I can't see anything
relating to IDS.

Would the following suffice?

ip audit info action alarm
ip audit attack action alarm
ip audit interface outside
ip audit name audit attack action alarm

And then invest in a promiscuous mode IDS device that
monitors what gets through?

Thanks
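As an added illustration of the question in this post (example code written for this page, not from the thread or from Cisco): a small Python checker that pulls the `ip audit` lines out of a PIX 6.3 configuration and reports whether the audit policies are actually applied to an interface. It recognises the PIX 6.3 command forms `ip audit name <name> info|attack [action ...]`, `ip audit interface <if_name> <audit_name>` and the default-action forms `ip audit info|attack [action ...]`. All three sample stanzas are constructed for the example; the policy names idsinfo and idsattack in the third one are my own, not anything Cisco prescribes.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the 'ip audit' lines quoted in this thread, with only
# the default actions set and no named policy or interface binding.
OP_CONFIG = """\
logging on
logging timestamp
logging trap informational
logging host inside 192.168.1.7
ip audit info action alarm
ip audit attack action alarm
"""

# Constructed sample: the stanza proposed in this thread. Note that
# 'ip audit interface outside' carries no policy name.
PROPOSED_CONFIG = """\
ip audit info action alarm
ip audit attack action alarm
ip audit interface outside
ip audit name audit attack action alarm
"""

# Constructed sample: one info policy and one attack policy, each applied to
# the outside interface. The names idsinfo/idsattack are assumed, not Cisco's.
COMPLETE_CONFIG = """\
ip audit name idsinfo info action alarm
ip audit name idsattack attack action alarm drop
ip audit interface outside idsinfo
ip audit interface outside idsattack
"""

NAME_RE = re.compile(
    r"^ip audit name (\S+) (info|attack)(?: action((?: (?:alarm|drop|reset))+))?$")
IFACE_RE = re.compile(r"^ip audit interface (\S+) (\S+)$")
DEFAULT_RE = re.compile(
    r"^ip audit (info|attack)(?: action((?: (?:alarm|drop|reset))+))?$")


@dataclass
class AuditState:
    policies: dict = field(default_factory=dict)   # policy name -> "info"/"attack"
    actions: dict = field(default_factory=dict)    # policy name -> [actions]
    bindings: dict = field(default_factory=dict)   # interface -> {policy names}
    defaults: dict = field(default_factory=dict)   # "info"/"attack" -> [actions]
    malformed: list = field(default_factory=list)  # ip audit lines not understood


def parse_ip_audit(config: str) -> AuditState:
    """Collect the ip audit commands from a PIX 6.3 config; other lines are ignored."""
    state = AuditState()
    for raw in config.splitlines():
        line = " ".join(raw.split())          # normalise whitespace
        if not line.startswith("ip audit "):
            continue
        if m := NAME_RE.match(line):
            name, kind, acts = m.group(1), m.group(2), m.group(3)
            state.policies[name] = kind
            state.actions[name] = (acts or " alarm").split()   # alarm is the PIX default
        elif m := IFACE_RE.match(line):
            state.bindings.setdefault(m.group(1), set()).add(m.group(2))
        elif m := DEFAULT_RE.match(line):
            state.defaults[m.group(1)] = (m.group(2) or " alarm").split()
        else:
            state.malformed.append(line)
    return state


def audit_findings(config: str) -> list:
    """Return findings as strings; an empty list means every interface that has
    ip audit applied carries both an info and an attack policy."""
    st = parse_ip_audit(config)
    findings = [f"not understood or incomplete: '{l}'" for l in st.malformed]
    if not st.policies:
        findings.append("no 'ip audit name' policy defined, so there is nothing to apply to an interface")
    applied = set().union(*st.bindings.values()) if st.bindings else set()
    for name in st.policies:
        if name not in applied:
            findings.append(f"policy '{name}' is not applied to any interface")
    for iface, names in sorted(st.bindings.items()):
        for name in sorted(names - set(st.policies)):
            findings.append(f"interface '{iface}' references undefined policy '{name}'")
        kinds = {st.policies[n] for n in names if n in st.policies}
        for kind in ("info", "attack"):
            if kind not in kinds:
                findings.append(f"interface '{iface}' has no {kind} policy applied")
    return findings


if __name__ == "__main__":
    for label, cfg in (("running config", OP_CONFIG),
                       ("proposed", PROPOSED_CONFIG),
                       ("complete", COMPLETE_CONFIG)):
        print(f"== {label}")
        for finding in audit_findings(cfg) or ["ok"]:
            print("  ", finding)
```

Run against the first two stanzas it reports exactly the gaps discussed in the thread (defaults with no named policy; an interface line with no policy name and a policy never bound to an interface); the third stanza produces no findings. Feed it the output of `show running-config` on a real unit and it will ignore everything that is not an `ip audit` command.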

 
 
Walter Roberson
10-26-2006
dilan.weerasinghe@gmail.com wrote:

>We have the following lines in our config


>logging on
>logging timestamp
>logging trap informational
>logging host inside 192.168.1.7


>ip audit info action alarm
>ip audit attack action alarm


>Am I correct thinking that this doesn't do much since there is no
>interface that the ip audit command is applied to?


Hmmm, you could be right about that. I had assumed it was on by
default, but I had always directly configured it anyhow.


>Would the following suffice;


>ip audit info action alarm
>ip audit attack action alarm
>ip audit interface outside
>ip audit name audit attack action alarm


No, you need two ip audit name statements with distinct names,
one for attack and one for info, and you need two ip audit
interface statements, applying each of the audit policies in turn
to the interface.

You probably also want a slew of "no logging message" commands,
turning off logging of some of the signatures. You'll drive yourself
crazy if you log a message every time you get a ping request
(400014) or reply (400010) for example.

>And then invest in a device that promiscous mode IDS device that
>monitors what gets through?


If you have the money and the people to configure it and the people to
monitor the logs and figure out what the alerts all -mean-.

There's a saying in security, that having a firewall or IDS and not
monitoring the logs, is worse than not having a firewall or IDS at all.
It's like driving an SUV or big car, thinking that the "lots of metal"
around you will protect you from a crash, and then taking less care
in your driving because of that. When you drive a small car (or
system without firewall or system without IDS) you are more nervous
and cautious, because all the time you -know- you are at risk; and yes,
small cars really *do* have much lower accident rates.

In my opinion, if you don't already have some good programs for
analyzing the PIX logs, then an IDS will make your situation worse instead
of better: it'll give you something else to take care of and distract
you from understanding the attacks that the PIX is already telling
you about.
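To illustrate the two points in the reply above (silencing chatty signatures with `no logging message`, and actually analysing what the PIX sends to the syslog host), an added Python example that is not from the thread or from Cisco: it parses the IDS messages out of the syslog lines a PIX 6.3 emits, counts them per signature and per source, applies a client-side suppression list with the same effect as `no logging message`, and generates the suppression commands for message ids that fire more often than a threshold. The sample log lines are constructed in the format of the PIX 4000nn IDS messages (400014 and 400010 are the echo request/reply messages named in the reply); the function names and the threshold are my own.

```python
import re
from collections import Counter

# Constructed sample in the shape of PIX 6.3 syslog output as a syslog server
# would store it. IDS lines follow the documented 4000nn format:
#   %PIX-4-4000nn: IDS:<sig> <description> from <src> to <dst> on interface <if>
# Addresses are documentation ranges; nothing here comes from a real device.
SAMPLE_LOG = """\
Oct 26 2006 16:48:01: %PIX-4-400014: IDS:2004 ICMP echo request from 203.0.113.9 to 198.51.100.2 on interface outside
Oct 26 2006 16:48:01: %PIX-4-400010: IDS:2000 ICMP echo reply from 198.51.100.2 to 203.0.113.9 on interface outside
Oct 26 2006 16:48:02: %PIX-4-400014: IDS:2004 ICMP echo request from 203.0.113.9 to 198.51.100.2 on interface outside
Oct 26 2006 16:48:03: %PIX-4-400014: IDS:2004 ICMP echo request from 203.0.113.40 to 198.51.100.2 on interface outside
Oct 26 2006 16:48:05: %PIX-4-400007: IDS:1100 IP fragment attack from 203.0.113.77 to 198.51.100.2 on interface outside
Oct 26 2006 16:48:10: %PIX-6-302013: Built inbound TCP connection 12 for outside:203.0.113.5/4321 (203.0.113.5/4321) to inside:192.168.1.7/80 (192.168.1.7/80)
"""

IDS_RE = re.compile(
    r"%PIX-(?P<sev>\d)-(?P<msgid>4000\d\d): IDS:(?P<sig>\d+) (?P<desc>.+?) "
    r"from (?P<src>\S+) to (?P<dst>\S+) on interface (?P<iface>\S+)")


def parse_ids_alerts(log_text):
    """Return one dict per IDS message; non-IDS syslog lines are skipped."""
    return [m.groupdict() for line in log_text.splitlines()
            if (m := IDS_RE.search(line))]


def summarize(alerts, suppressed=frozenset()):
    """Count alerts per (message id, signature, description), leaving out any
    message ids in `suppressed`: the same effect 'no logging message <id>'
    has when configured on the PIX itself."""
    return Counter((a["msgid"], a["sig"], a["desc"])
                   for a in alerts if a["msgid"] not in suppressed)


def top_sources(alerts, n=3):
    """Source addresses ordered by alert count, most active first."""
    return Counter(a["src"] for a in alerts).most_common(n)


def noisy_message_ids(alerts, threshold):
    """Message ids that fired at least `threshold` times: candidates to
    silence with 'no logging message <id>' once you have confirmed they are
    routine traffic rather than something worth keeping."""
    counts = Counter(a["msgid"] for a in alerts)
    return sorted(mid for mid, c in counts.items() if c >= threshold)


def suppression_commands(msg_ids):
    """PIX 6.3 commands that stop the given message ids from being logged."""
    return [f"no logging message {mid}" for mid in msg_ids]


if __name__ == "__main__":
    alerts = parse_ids_alerts(SAMPLE_LOG)
    print("all IDS alerts:", summarize(alerts))
    print("with echo request/reply suppressed:",
          summarize(alerts, suppressed={"400014", "400010"}))
    print("top sources:", top_sources(alerts))
    noisy = noisy_message_ids(alerts, threshold=3)   # threshold is an assumption
    print("\n".join(suppression_commands(noisy)))
```

The suppression list is applied on the analysis side first so you can see what a `no logging message` line would hide before committing it on the firewall; once a message id is silenced on the PIX it is gone from the syslog host as well, which is exactly the trade-off the reply describes.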
 