Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Can IDS do this?

I am new to cisco ids. our company already has an IDS blade in the cat 6509 switch.

We also have pix but there I was told that PIX is Vulnerable to the following attacks:

UDP Flood

IP Range Scan

DoS/DDoS

HTTP attacks spanning multiple attacks

1. Can I take care of these with IDS?

2. Can the IDS act like a firewall in case of an attack? or can IDS be used as a firewall in general?

Thanks

vik

1 ACCEPTED SOLUTION

Accepted Solutions
New Member

Re: Can IDS do this?

If the IDS detects an attack, it can do one of a few things:

-Send a Message to a Log, warning you that there was an attack

-Drop the connection between the two hosts (Therefore denying it)

- Drop the connection and log the attack.

- Email you that there was an attack. (You could have this email sent to your pager as well)

- If you have a PIX firewall the IDS can actually Shun that host from accessing your network - what that means is that the IDS will communicate with the PIX that this particular host is an offender and he/she needs to be blocked for the next X number of minutes (configurable by you).

You can also check out:

http://www.cisco.com/warp/public/cc/pd/sqsw/sqidsz/prodlit/ids4f_ds.pdf

for some more detailed informaion on the Cisco IDS appliance.

I'd also recommend picking up the IDS book from Cisco Press, should give you some more verbose explanations for what you're looking for.

If you need a consulting company to help you with your decisions, we are a national organization :)

-Denny

3 REPLIES
New Member

Re: Can IDS do this?

Vik:

The IDS operates in tandem with the Firewall. It will be part of your layered security approach.

The PIX firewall will be configured to permit or deny traffic based on network addresses (IP Address) and port numbers (typically TCP or UDP).

The IDS examines the traffic all the way up to layer 7. The IDS will match traffic to certain attack signatures that it is configured for.

For example, the firewall will permit traffic destined for your web server on port 80, the IDS will then examine that traffic to see if it is 'legimate' traffic, or whether it looks like it's an attack. Is it a true request for a web page? or are they trying to gain command line access to your web server by sending a funky url.

You realy want to use these devices together, and neither one can really replace the other one. I hope that brief explanation will help shed some light on things for you.

-Denny

New Member

Re: Can IDS do this?

thnx danny,

excellent example! taking it a little further, let's day ids identifies it as an attack then what all can it do, deny the request, send a notification. what else? can it write an access list under any circumstances.

vik

New Member

Re: Can IDS do this?

If the IDS detects an attack, it can do one of a few things:

-Send a Message to a Log, warning you that there was an attack

-Drop the connection between the two hosts (Therefore denying it)

- Drop the connection and log the attack.

- Email you that there was an attack. (You could have this email sent to your pager as well)

- If you have a PIX firewall the IDS can actually Shun that host from accessing your network - what that means is that the IDS will communicate with the PIX that this particular host is an offender and he/she needs to be blocked for the next X number of minutes (configurable by you).

You can also check out:

http://www.cisco.com/warp/public/cc/pd/sqsw/sqidsz/prodlit/ids4f_ds.pdf

for some more detailed informaion on the Cisco IDS appliance.

I'd also recommend picking up the IDS book from Cisco Press, should give you some more verbose explanations for what you're looking for.

If you need a consulting company to help you with your decisions, we are a national organization :)

-Denny

90
Views
3
Helpful
3
Replies
CreatePlease login to create content