×

Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

IPS communication with the PIX

Unanswered Question

We will be using our IPS 4255 as an IDS (promiscuous mode, NOT in-line). We will be utilizing a network tap to capture the traffic.


1. Does the IPS 4255 has the ability to work with the PIX firewall to block traffic?


2. If we are using a network tap in a non-inline mode, how does the IPS communicate with the PIX firewall? I believe packets can only be received by the IPS via the network tap, and the IPS cannot send data out to the network tap. Given this, does the IPS relay the information to the PIX via the management console (a server connected to the control interface of both the IPS and the PIX.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
marcabal Mon, 01/30/2006 - 19:35
User Badges:
  • Cisco Employee,

Answer 1: Yes, the IPS-4255 can execute the "shun" command on the Pix firewall to block traffic.


Answer 2: The sniffing interfaces are used for monitoring and would be attached to your network tap. No packets can be sent through the tap.

BUT that is not how blocking works anyway.

Blocking on the Pix is actually done through the command and control interface and not through the sniffing interfaces.

Blocking is done through a telnet or ssh connection to the Pix. The sensor's command and control interface is given a real IP and placed on one of your internal networks. (It must have an IP route to your Pix.)

You then just configure the sensor to telnet or ssh (through the sensor's command and control interface) to one of the Pix's address (usually the Inside address or a management-only address of the Pix), and supply a username and password for access to the Pix.

The sensor then just simulates a user and telnets or sshs to the Pix and will then execute the Pix CLI's "shun" command to do the blocking.



Thanks Marcabal,


Answer 2: In order for the IPS (none-inline mode) to direct blocking commands to the PIX , are you saying BOTH the IPX & IPS' command & control sensors needs to be on its own internal network? Currently, I have a desktop management console connected between both the PIX and IPS command & control sensors' interfaces. Are you saying I would need an internal switch/hub to connect the desktop management console interface, the PIX command/control interface, and the IPS command/control interface? That way, the IPS can SSH/telnet into the PIX.

cstokes Mon, 02/13/2006 - 09:18
User Badges:
  • Cisco Employee,

1) Yes. All Cisco IDS/IPS devices can block(shun) using Pix firewalls, IOS devices and some switches.


2) External blocking is done by ssh (or telnet) from the sensor to the external device and issuing commands (block host on Pix) or making changes (adding ACL's) in IOS. The information is sent directly from IPS/IDS to external device. In fact, when external blocking is configured, one way to confirm success is to see the ssh session established to the device. The sensor maintains an active connection to the device to enable it to block attackers quickly.

Actions

This Discussion