IDS on PIX 506e

Hi

We are running Cisco PIX Version 6.3(1). Can anyone tell me if they have any experience of IDS on this firewall? I am hearing conflicting reports - some saying that IDS is not available, others saying it maybe!

Thanks in advance....

Reply to
dilan.weerasinghe

You should upgrade that. If you are the original owners of the equipment, you are entitled to a free update to 6.3(5)112 because of known security problems in 6.3(1), 6.3(3), and 6.3(4) and (5).

There is IDS, but it has barely changed since the days of PIX 5, and it is not adaptable and is barely configurable.

Reply to
Walter Roberson

> the original owners of the

> since the days of PIX 5,

We have the following lines in our config

logging on
logging timestamp
logging trap informational
logging host inside 192.168.1.7

ip audit info action alarm
ip audit attack action alarm

Am I correct in thinking that this doesn't do much, since there is no interface that the ip audit command is applied to? The logging to the Kiwi Syslog server on 192.168.1.7 works fine, but I can't see anything relating to IDS.

Would the following suffice?

ip audit info action alarm
ip audit attack action alarm
ip audit interface outside
ip audit name audit attack action alarm

And then invest in a promiscuous-mode IDS device that monitors what gets through?

Thanks

Reply to
dilan.weerasinghe

Hmmm, you could be right about that. I had assumed it was on by default, but I had always directly configured it anyhow.

No, you need two ip audit name statements with distinct names, one for attack and one for info, and you need two ip audit interface statements, applying each of the audit policies in turn to the interface.

You probably also want a slew of "no logging message" commands, turning off logging of some of the signatures. You'll drive yourself crazy if you log a message every time you get a ping request (400014) or reply (400010), for example.

If you have the money and the people to configure it and the people to monitor the logs and figure out what the alerts all -mean-.

There's a saying in security that having a firewall or IDS and not monitoring the logs is worse than not having a firewall or IDS at all. It's like driving an SUV or big car, thinking that the "lots of metal" around you will protect you from a crash, and then taking less care in your driving because of that. When you drive a small car (or a system without a firewall, or a system without an IDS) you are more nervous and cautious, because all the time you -know- you are at risk; and yes, small cars really *do* have much lower accident rates.

In my opinion, if you don't already have some good programs for analyzing the PIX logs, then an IDS will make your situation worse instead of better: it'll give you something else to take care of and distract you from understanding the attacks that the PIX is already telling you about.

Reply to
Walter Roberson
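The reply above makes two points a practitioner will want to see in practice: the PIX only emits IDS syslog messages (IDs 400000 through 400050, each carrying an "IDS:<signature>" tag) once an audit policy is actually bound to an interface, and the echo-request/echo-reply signatures will bury everything else unless they are silenced with "no logging message". The script below is an added example, not code from either poster: it parses the PIX 6.3 IDS message format ("%PIX-4-4000nn: IDS:<sig> <description> from <src> to <dst> on interface <if>", as documented for that release), drops the two message IDs named in the reply the way the corresponding "no logging message 400014" / "no logging message 400010" lines would on the firewall, and summarises what remains by signature and by source. The syslog lines are constructed for the example (documentation address ranges), and the signature/message-ID pairs in them beyond the two from the thread are illustrative; the parser does not depend on any particular pairing.

```python
import re
from collections import Counter

# Constructed sample syslog, in the format a PIX 6.3 "ip audit ... action alarm"
# policy produces once it is bound to an interface:
#   %PIX-4-4000nn: IDS:<sig> <description> from <src> to <dst> on interface <if>
# These lines are made up for this example (documentation address ranges), not
# captured from a real firewall, and the sig/message-ID pairs other than
# 400014/2004 and 400010/2000 are illustrative only. The final line is an
# ordinary connection message, included to show non-IDS traffic is skipped.
SAMPLE_SYSLOG = """\
Jan 12 10:01:02 192.168.1.1 %PIX-4-400014: IDS:2004 ICMP echo request from 203.0.113.7 to 198.51.100.2 on interface outside
Jan 12 10:01:02 192.168.1.1 %PIX-4-400010: IDS:2000 ICMP echo reply from 198.51.100.2 to 203.0.113.7 on interface outside
Jan 12 10:01:09 192.168.1.1 %PIX-4-400014: IDS:2004 ICMP echo request from 203.0.113.7 to 198.51.100.3 on interface outside
Jan 12 10:01:15 192.168.1.1 %PIX-4-400013: IDS:2003 ICMP redirect from 203.0.113.9 to 198.51.100.2 on interface outside
Jan 12 10:02:41 192.168.1.1 %PIX-4-400027: IDS:3041 TCP SYN+FIN flags from 203.0.113.9 to 198.51.100.2 on interface outside
Jan 12 10:02:44 192.168.1.1 %PIX-4-400025: IDS:2154 Ping of Death attack from 203.0.113.9 to 198.51.100.2 on interface outside
Jan 12 10:03:00 192.168.1.1 %PIX-6-302013: Built inbound TCP connection 12 for outside:203.0.113.7/4000 (203.0.113.7/4000) to inside:192.168.1.5/80 (192.168.1.5/80)
"""

# Matches only the IDS message family (4000xx); everything else is ignored.
IDS_MSG = re.compile(
    r"%PIX-(?P<sev>\d)-(?P<msgid>4000\d\d): IDS:(?P<sig>\d+) (?P<desc>.+?) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) to (?P<dst>\d{1,3}(?:\.\d{1,3}){3}) "
    r"on interface (?P<iface>\S+)\s*$"
)

# Message IDs the reply suggests silencing on the PIX itself with
# "no logging message 400014" (echo request) and "no logging message 400010"
# (echo reply). Dropping them here gives the same analysis; on a real box do it
# in the config so the syslog server is not flooded in the first place.
SUPPRESSED_MSGIDS = {"400014", "400010"}


def parse_ids_events(syslog_text):
    """Return one dict per PIX IDS (4000xx) message; other messages are skipped."""
    events = []
    for line in syslog_text.splitlines():
        m = IDS_MSG.search(line)
        if m:
            events.append(m.groupdict())
    return events


def triage(syslog_text, suppressed=SUPPRESSED_MSGIDS):
    """Drop suppressed message IDs and summarise the rest by signature and source."""
    events = [e for e in parse_ids_events(syslog_text) if e["msgid"] not in suppressed]
    return {
        "events": events,
        "by_signature": Counter((e["sig"], e["desc"]) for e in events),
        "by_source": Counter(e["src"] for e in events),
    }


def ids_is_reporting(syslog_text):
    """True if any IDS message is present at all.

    No IDS messages while other %PIX- messages keep arriving is the symptom
    described in the thread: "ip audit ... action alarm" is set, but no audit
    policy has been bound to an interface with "ip audit interface".
    """
    return bool(parse_ids_events(syslog_text))


if __name__ == "__main__":
    summary = triage(SAMPLE_SYSLOG)
    print("IDS messages seen:", ids_is_reporting(SAMPLE_SYSLOG))
    print("Events after suppression:", len(summary["events"]))
    for (sig, desc), n in summary["by_signature"].most_common():
        print(f"  IDS:{sig} {desc}: {n}")
    for src, n in summary["by_source"].most_common():
        print(f"  source {src}: {n} alert(s)")
```

Run against the sample, the three ping messages disappear and what is left (an ICMP redirect, a SYN+FIN probe and an oversized ping, all from one source) is the kind of thing worth a human's attention; run against a syslog file that contains connection messages but no 4000xx lines, `ids_is_reporting` returns False, which is the "logging works but nothing about IDS" situation the original poster describes.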
