IDS on PIX 506e

Discussion in 'Cisco' started by dilan.weerasinghe@gmail.com, Oct 26, 2006.

  1. Guest

    Hi

    We are running Cisco PIX Version 6.3(1).
    Can anyone tell me if they have any experience of IDS on this firewall?
    I am hearing conflicting reports - some saying that IDS is not
    available, others saying it maybe!

    Thanks in advance....
     
    , Oct 26, 2006
    #1

  2. In article <>,
    <> wrote:

    >We are running Cisco PIX Version 6.3(1).


    You should upgrade that. If you are the original owners of the
    equipment, you are entitled to a free update to 6.3(5)112 because
    of known security problems in 6.3(1), 6.3(3), and 6.3(4) and (5).

    >Can anyone tell me if they have any experience of IDS on this firewall?
    >I am hearing conflicting reports - some saying that IDS is not
    >available, others saying it maybe!


    There is IDS, but it has barely changed since the days of PIX 5,
    and it is not adaptable and is barely configurable.

    http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#wp1101884
     
    Walter Roberson, Oct 26, 2006
    #2

  3. Guest

    On Oct 26, 4:48 pm, (Walter Roberson) wrote:
    > In article <>,
    >
    > <> wrote:
    > >We are running Cisco PIX Version 6.3(1).
    >
    > You should upgrade that. If you are the original owners of the
    > equipment, you are entitled to a free update to 6.3(5)112 because
    > of known security problems in 6.3(1), 6.3(3), and 6.3(4) and (5).
    >
    > >Can anyone tell me if they have any experience of IDS on this firewall?
    > >I am hearing conflicting reports - some saying that IDS is not
    > >available, others saying it maybe!
    >
    > There is IDS, but it has barely changed since the days of PIX 5,
    > and it is not adaptable and is barely configurable.
    >
    > http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63...


    Thanks Walter.

    We have the following lines in our config

    logging on
    logging timestamp
    logging trap informational
    logging host inside 192.168.1.7
    <snip>
    ip audit info action alarm
    ip audit attack action alarm

    Am I correct thinking that this doesn't do much since there is no
    interface that the ip audit command is applied to?

    Would the following suffice?

    ip audit info action alarm
    ip audit attack action alarm
    ip audit interface outside
    ip audit name audit attack action alarm

    And then invest in a promiscuous mode IDS device that
    monitors what gets through?

    Thanks
     
    , Oct 26, 2006
    #3
  4. Guest

    On Oct 26, 4:48 pm, (Walter Roberson) wrote:
    > In article <>,
    >
    > <> wrote:
    > >We are running Cisco PIX Version 6.3(1).
    >
    > You should upgrade that. If you are the original owners of the
    > equipment, you are entitled to a free update to 6.3(5)112 because
    > of known security problems in 6.3(1), 6.3(3), and 6.3(4) and (5).
    >
    > >Can anyone tell me if they have any experience of IDS on this firewall?
    > >I am hearing conflicting reports - some saying that IDS is not
    > >available, others saying it maybe!
    >
    > There is IDS, but it has barely changed since the days of PIX 5,
    > and it is not adaptable and is barely configurable.
    >
    > http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63...


    Thanks Walter.

    We have the following lines in our config

    logging on
    logging timestamp
    logging trap informational
    logging host inside 192.168.1.7
    <snip>
    ip audit info action alarm
    ip audit attack action alarm
    <end of anything relating to ip audit>

    Am I correct thinking that this doesn't do much since there is no
    interface that the ip audit command is applied to? The logging to the
    Kiwi Syslog server on 192.168.1.7 works fine, but I can't see anything
    relating to IDS.

    Would the following suffice?

    ip audit info action alarm
    ip audit attack action alarm
    ip audit interface outside
    ip audit name audit attack action alarm

    And then invest in a promiscuous mode IDS device that
    monitors what gets through?

    Thanks
     
    , Oct 26, 2006
    #4
  5. In article <>,
    <> wrote:

    >We have the following lines in our config


    >logging on
    >logging timestamp
    >logging trap informational
    >logging host inside 192.168.1.7


    >ip audit info action alarm
    >ip audit attack action alarm


    >Am I correct thinking that this doesn't do much since there is no
    >interface that the ip audit command is applied to?


    Hmmm, you could be right about that. I had assumed it was on by
    default, but I had always directly configured it anyhow.


    >Would the following suffice?


    >ip audit info action alarm
    >ip audit attack action alarm
    >ip audit interface outside
    >ip audit name audit attack action alarm


    No, you need two ip audit name statements with distinct names,
    one for attack and one for info, and you need two ip audit
    interface statements, applying each of the audit policies in turn
    to the interface.

    You probably also want a slew of "no logging message" commands,
    turning off logging of some of the signatures. You'll drive yourself
    crazy if you log a message every time you get a ping request
    (400014) or reply (40010) for example.

    >And then invest in a promiscuous mode IDS device that
    >monitors what gets through?


    If you have the money and the people to configure it and the people to
    monitor the logs and figure out what the alerts all -mean-.

    There's a saying in security, that having a firewall or IDS and not
    monitoring the logs, is worse than not having a firewall or IDS at all.
    It's like driving an SUV or big car, thinking that the "lots of metal"
    around you will protect you from a crash, and then taking less care
    in your driving because of that. When you drive a small car (or
    system without firewall or system without IDS) you are more nervous
    and cautious, because all the time you -know- you are at risk; and yes,
    small cars really *do* have much lower accident rates.

    In my opinion, if you don't already have some good programs for
    analyzing the PIX logs, then an IDS will make your situation worse instead
    of better: it'll give you something else to take care of and distract
    you from understanding the attacks that the PIX is already telling
    you about.
     
    Walter Roberson, Oct 26, 2006
    #5
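    Walter's correction, written out as a complete PIX 6.3 `ip audit` configuration. This is an added example, not a config posted in the thread; the policy names `ids-info` and `ids-attack` are my own choice, and the comment lines beginning with `!` are explanation only, not part of what you would paste into the PIX.

```cisco
! Default actions for signatures not otherwise specified (already in the config)
ip audit info action alarm
ip audit attack action alarm
!
! Two named policies with distinct names: one for informational
! signatures, one for attack signatures
ip audit name ids-info info action alarm
ip audit name ids-attack attack action alarm
!
! Apply each policy in turn to the outside interface; without these
! lines the ip audit defaults above inspect nothing
ip audit interface outside ids-info
ip audit interface outside ids-attack
!
! Silence the noisiest signatures so the syslog server is not flooded
! (400014 is the ICMP echo request message id mentioned above)
no logging message 400014
!
! IDS alarms are syslog messages, so they reach the Kiwi server
! through the existing logging configuration
logging trap informational
logging host inside 192.168.1.7
```

    Use `show ip audit count interface outside` to confirm signatures are actually being hit after the policies are applied; a signature you never want evaluated at all can be turned off with `ip audit signature <number> disable` instead of merely suppressing its log message.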
