Cisco pix IDS feature question

Hi,

We have a Cisco PIX 515E, and now we want to turn on the IDS feature to block some attacks. But there is something fundamental I don't understand..... the IDS has about 60 signatures, for example detecting FIN scans, or signature 8000, FTP Retrieve Password File. Now.... what did the PIX do when those attacks passed through before the IDS was enabled? Did it watch for those attacks? In the first step we will configure the IDS to just report to syslog, but in the second stage it will be configured to drop those attacks. But didn't the PIX already drop those attacks before the IDS was turned on? Also, if it drops packets and the traffic surely passes through the PIX, why isn't it called an IPS?

Thank you all!!

Juan

juanbabi

Don't do this. It's too easy to mount a DoS on you, e.g. by sending "attack packets" from the spoofed address of your external mail server.

They are passed through to the servers if you permit the abused protocol.

Don't do this. There is no benefit in dropping. All those signatures are very old; it's somewhat hard to find a server which is still vulnerable to those attacks. If you really run such an old, unpatched server, you will be attacked by methods unknown to the PIX.

Lutz Donnerhacke
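Juan's first stage (alarm to syslog only) produces the data needed to decide whether a second stage (drop) is safe at all, and Lutz's objection is exactly that a spoofer can make signature hits appear to come from a peer you depend on. The script below is an added example, not code from either poster or from Cisco: it parses PIX `ip audit` syslog lines, counts hits per signature and source, and flags any signature that has fired from an address on an assumed trusted-peer list (for instance the external mail relay), so those signatures are reviewed rather than blindly switched to `action drop`. The sample syslog lines, the addresses and the trusted-peer list are constructed for the example; the `IDS:<sig> <text> from <src> to <dst> on interface <if>` message shape is the one the PIX uses for its 400000-series IDS messages, but the exact syslog-ID to signature pairings shown are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample PIX syslog (not from the original thread). The IDS lines
# follow the PIX "IDS:<sig> <text> from <src> to <dst> on interface <if>"
# format; the specific syslog IDs, signature texts and addresses are assumed.
SAMPLE_SYSLOG = """\
%PIX-4-400013: IDS:2003 ICMP redirect from 203.0.113.10 to 192.0.2.5 on interface outside
%PIX-4-400050: IDS:8000 FTP Retrieve Password File from 198.51.100.7 to 192.0.2.21 on interface outside
%PIX-4-400050: IDS:8000 FTP Retrieve Password File from 198.51.100.7 to 192.0.2.21 on interface outside
%PIX-4-400028: IDS:3042 TCP FIN only flags from 203.0.113.77 to 192.0.2.21 on interface outside
%PIX-4-400028: IDS:3042 TCP FIN only flags from 192.0.2.25 to 192.0.2.21 on interface outside
%PIX-4-400011: IDS:2001 ICMP unreachable from 192.0.2.25 to 192.0.2.5 on interface outside
%PIX-6-302013: Built inbound TCP connection 12345 for outside:198.51.100.7/4242 (198.51.100.7/4242) to inside:192.0.2.21/21 (192.0.2.21/21)
"""

# Assumed: peers whose packets must never be dropped by a signature match,
# e.g. the external mail relay; a spoofer can put these addresses on "attack
# packets", which is the DoS Lutz describes.
TRUSTED_PEERS = {"192.0.2.25"}

# Only the 400000-series (IDS) messages are of interest; connection logs are skipped.
IDS_RE = re.compile(
    r"%PIX-\d-4000\d\d: IDS:(?P<sig>\d+) (?P<text>.+?) "
    r"from (?P<src>\S+) to (?P<dst>\S+) on interface (?P<iface>\S+)"
)


def parse_ids_events(syslog_text):
    """Return one dict per IDS alarm line; non-IDS lines are ignored."""
    events = []
    for line in syslog_text.splitlines():
        m = IDS_RE.search(line)
        if m:
            events.append({**m.groupdict(), "sig": int(m.group("sig"))})
    return events


def summarize(events):
    """Hit counts per signature and per (signature, source) for triage."""
    per_sig = Counter(e["sig"] for e in events)
    per_sig_src = Counter((e["sig"], e["src"]) for e in events)
    return per_sig, per_sig_src


def sources_needing_review(events, trusted=TRUSTED_PEERS):
    """Signatures that fired with a trusted peer as source. Switching these
    to 'drop' would let anyone spoofing that peer get its matching packets
    discarded, so they need review (or an exclusion) first."""
    flagged = defaultdict(set)
    for e in events:
        if e["src"] in trusted:
            flagged[e["sig"]].add(e["src"])
    return dict(flagged)


def drop_candidates(events, trusted=TRUSTED_PEERS):
    """Signatures seen only from untrusted sources: the set that is at least
    not self-evidently harmful to move to 'action drop' in a second stage."""
    flagged = sources_needing_review(events, trusted)
    return sorted({e["sig"] for e in events} - set(flagged))


if __name__ == "__main__":
    evs = parse_ids_events(SAMPLE_SYSLOG)
    per_sig, per_sig_src = summarize(evs)
    for sig, n in per_sig.most_common():
        print(f"IDS:{sig} {n} hit(s)")
    for (sig, src), n in per_sig_src.most_common():
        print(f"  IDS:{sig} from {src}: {n}")
    print("review before drop:", sources_needing_review(evs))
    print("drop candidates:", drop_candidates(evs))
```

Run it against a real syslog export from the alarm-only stage; a signature that shows up in `sources_needing_review` is one where "drop" would cost you a peer's traffic on a spoofed packet, which is the case Lutz warns about, and a signature that never fires at all is one where "drop" buys nothing.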
