Block IP address

Is there an 'easy' way to block IP addresses from accessing anything behind the PIX? Some of my web sites are getting numerous hack attempts and I would like to block those right from the firewall rather than the webserver whenever the IDS sends an alert.

Reply to
J1C

In article , J1C wrote:
:Is there an 'easy' way to block IP addresses from accessing anything
:behind the PIX? Some of my web sites are getting numerous hack attempts
:and I would like to block those right from the firewall rather than the
:webserver whenever the IDS sends an alert.

If you want it automated in connection with an IDS, you may wish to configure your IDS to use the PIX 'shun' command.

If you have PIX 6.2 or later, then you can edit access lists in place. Supposing your outside ACL is out2in and the attacking IP is X.Y.Z.W then you can

access-list out2in line 1 deny ip host X.Y.Z.W any

and that will insert the ban at the top of the access list without you having to know anything about what else is in the ACL.

Note: 'shun' commands are NOT saved when you save the configuration. ACL changes -are- saved when you save the configuration.

Reply to
Walter Roberson

Great - thanks!

I'll have to check out that SHUN command a little more ... that would be ideal to tie the PIX into the IDS

Reply to
J1C

About the shun command.

If it is configured for an offending host, will the PIX block all the traffic to the offended host when the IDS (of the PIX) detects some strange behavior, or will it always filter the traffic specified in the shun command no matter if the IDS detects something?

-as

Reply to
arturo.servin

In article , arturo.servin wrote:
:About the shun command.

:If it is configured for an offending host, will the PIX block all the
:traffic to the offended host when the IDS (of the PIX) detects some
:strange behavior, or will it always filter the traffic specified in the
:shun command no matter if the IDS detects something?

shun is unconditional: all traffic to and from the designated host is -immediately- stopped (whereas an access-list change would only deal with -new- attempts.)

The idea is that when the IDS detects monkey business, it tells the PIX to shun the host, and it leaves it shunned until the IDS policies deem it safe to open up again (e.g. if the policy is a 10 minute block, then 10 minutes later the IDS would tell the PIX to stop shunning the host.)

If you do use shun, here's something to watch out for: each time the shunned system attempts to communicate, a log message is generated. If your log level and configuration so permit, that log message will be sent to your syslog server. The load generated by the log message may be more than the load generated by the attacking host itself :( Thus, depending on your needs, you might wish to specifically disable the shun log message.

Reply to
Walter Roberson
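An added example (not code from the thread or from Cisco) that models the IDS-to-PIX loop Walter describes: a timed shun with an automatic 'no shun' after the policy window, plus the persistent ACL-insert alternative from his first reply. It only produces the PIX command strings; the transport that delivers them to the firewall, the 10-minute window and the protected address range are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# Assumed policy: block for 10 minutes, as in the thread's example.
BLOCK_SECONDS = 10 * 60
# Hypothetical: addresses the IDS must never be allowed to shun (our own
# servers, the syslog collector, the management station), so a spoofed
# source address cannot trick the IDS into cutting off our own traffic.
NEVER_SHUN = [ipaddress.ip_network("192.0.2.0/24")]  # constructed (RFC 5737 range)


@dataclass
class ShunPolicy:
    """Turns IDS alerts into PIX 'shun' / 'no shun' commands with an expiry.

    Only command strings are produced; sending them to the PIX is a separate,
    assumed transport. Remember that shuns are not saved by 'write memory'.
    """
    block_seconds: int = BLOCK_SECONDS
    active: dict = field(default_factory=dict)  # ip -> expiry timestamp

    def on_alert(self, src_ip: str, now: float) -> list[str]:
        ip = ipaddress.ip_address(src_ip)  # raises ValueError on garbage input
        if any(ip in net for net in NEVER_SHUN):
            return []  # refuse to shun protected hosts
        renew = str(ip) in self.active
        self.active[str(ip)] = now + self.block_seconds
        # A repeat alert only extends the timer: the host is already blocked,
        # so the 'shun' command is emitted once per active block.
        return [] if renew else [f"shun {ip}"]

    def expire(self, now: float) -> list[str]:
        """Return the 'no shun' commands for blocks whose window has passed."""
        done = [ip for ip, until in self.active.items() if until <= now]
        for ip in done:
            del self.active[ip]
        return [f"no shun {ip}" for ip in done]


def acl_line(acl_name: str, src_ip: str, line: int = 1) -> str:
    """Persistent alternative: insert a deny at the top of the outside ACL
    (PIX 6.2+ in-place edit); unlike a shun, this survives a config save."""
    ip = ipaddress.ip_address(src_ip)
    return f"access-list {acl_name} line {line} deny ip host {ip} any"
```

Note that a shun drops existing connections immediately, whereas the ACL line only affects new connection attempts.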

What IDS' can create a SHUN entry on a PIX?

Reply to
J1C

In article , J1C wrote:
:What IDS' can create a SHUN entry on a PIX?

formatting link
formatting link
formatting link

Reply to
Walter Roberson
