We have ids4210's (version 4) and a PIX firewall. We are monitoring the IDS with IDS Event Viewer. We would like to find a how-to article that would show how to set up the IDS and the PIX so that when the IDS sees an attack it will have the PIX block it. The only articles I've been able to find cover Unix Director or IDS version 3 sensors.
Using IDM, you need to configure blocking. Here is the link for your reference.
I already have this document. It does not go into how to set up a PIX as a blocking device, nor does it provide any details or examples. I am looking for some examples so that I can see what the IDS and PIX are capable of doing.
No links but how about this? From IDM go to Configuration, Blocking, Blocking Properties, check Enable Blocking. Go to Logical Devices, click Add, put in the settings for your PIX, click Apply to Sensor. Go to Blocking Devices, click Add, enter the IP address of the PIX, the logical device name you assigned to it, drop down to PIX for device type and choose your method of communication. Click Apply to Sensor. Go to the PIX and issue the "who" command to see if the IDS is logged in. If not, check your IP addresses and passwords.
If you span the traffic that you want to monitor over to the same port on the switch that the monitor port of the IDS is in, the IDS will inspect that traffic and upon seeing suspicious activity will do whatever you have configured it to do: log it, or issue a shun or reset command to the PIX. The PIX then blocks the traffic. Properly tuned, this makes the stance that Gartner took recently on the IDS being dead not a true statement at all! Good luck..and we'll leave a light on for ya.
OK, so I've gotten as far as "Configuring Router Blocking Device Interfaces" and when I go to that page to set up the PIX, I have to enter an IP address. However, it is not a text box where I can type in the address, but rather it is a drop down box almost as if it should be defined elsewhere. Any ideas?
The Pix address is entered in the "Blocking Devices" configuration screen where you enter the information for the Pix as a blocking device.
Since you are using a Pix you do NOT need to enter anything in the "Router Blocking Device Interfaces" or "Cat 6K Blocking Device Interfaces".
When using a Router or Cat 6K for blocking you have to designate which router interface or which switch vlan you want the sensor to use for creating ACLs.
BUT when using a Pix for blocking the sensor will connect to the Pix and use the Pix's own "shun" command to do the blocking instead of ACLs. The "shun" command is not specific to an interface or vlan, but instead applies to all interfaces of the Pix, so you do not have to specify an interface or vlan on the Pix.
Now you can try a manual block:
Pick any made up ip address and add it as a manual block.
Now you can connect to the Pix and execute "show shun" directly on the Pix CLI to see if the sensor is executing the "shun" on the Pix.
If in the future you want to manually block or unblock any addresses simply use this window in IDM.
Note: Though the window says "Manual" it can also be used to unblock "Auto" shuns as well.
To configure automatic shunning you just need to decide which signatures you want to shun and set the action for that signature to shun host.
NOTE: There is another action called shun connection that is also available, but this action does not work with the Pix. On a router or Cat 6K the shun connection will block connections between 2 IPs for the specific service where the attack was detected. A shun host will block all packets from the source ip address of the attack. In the case of the Pix a shun connection will actually be treated as a shun host and block the entire source ip address because of how the shun command works.
NOTE: When you execute the "show shun" on the Pix you may see additional information like the destination ip address, source port, and destination port. This may look like a connection shun, but is in fact still a shun host of the entire source IP address. The additional information is there just to help the Pix clean up its connection tables.
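The difference between a shun host and a shun connection described in the two notes above is easy to get wrong when reading "show shun" output, so here is a small model of the blocking semantics. This is an added illustration, not Cisco code and not part of the original thread: the Packet and Shun types, the device names "router" and "pix", and the sample addresses are all constructed for the example. It encodes only what the post states: a shun host drops every packet from the source IP, a shun connection on a router or Cat 6K drops only the specific service between the two hosts, and a PIX applies a shun connection as a shun host.

```python
"""Toy model of sensor-initiated blocking on a router/Cat 6K versus a PIX.

Constructed illustration (not Cisco code): it models the semantics described
in the thread so the effect of each shun type can be checked on sample packets.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str


@dataclass(frozen=True)
class Shun:
    """A block pushed by the sensor. kind is "host" or "connection".

    For a connection shun, dst/dport/proto identify the attacked service;
    a host shun only needs src.
    """
    kind: str
    src: str
    dst: Optional[str] = None
    dport: Optional[int] = None
    proto: Optional[str] = None


def effective_kind(device: str, shun: Shun) -> str:
    """On a PIX a shun connection is carried out as a shun host (per the thread).

    Routers and Cat 6K switches honour the connection shun as written.
    """
    if device == "pix" and shun.kind == "connection":
        return "host"
    return shun.kind


def is_blocked(device: str, shuns: List[Shun], pkt: Packet) -> bool:
    """Return True if the blocking device would drop pkt given the active shuns."""
    for s in shuns:
        if pkt.src != s.src:
            continue  # shuns are always keyed on the attacking source IP
        if effective_kind(device, s) == "host":
            return True  # every packet from that source is dropped
        # connection shun: only the attacked service between the two hosts
        if pkt.dst == s.dst and pkt.dport == s.dport and pkt.proto == s.proto:
            return True
    return False


# Constructed sample: sensor saw an attack from 203.0.113.5 against
# 192.0.2.10 on tcp/80 and requested a shun connection.
SAMPLE_SHUNS = [Shun("connection", "203.0.113.5", "192.0.2.10", 80, "tcp")]
ATTACKED_SERVICE = Packet("203.0.113.5", "192.0.2.10", 40000, 80, "tcp")
OTHER_SERVICE = Packet("203.0.113.5", "192.0.2.10", 40001, 443, "tcp")
OTHER_SOURCE = Packet("198.51.100.7", "192.0.2.10", 40002, 80, "tcp")


def compare_devices() -> dict:
    """Show how the same shun connection behaves on each device type."""
    return {
        device: {
            "attacked_service": is_blocked(device, SAMPLE_SHUNS, ATTACKED_SERVICE),
            "other_service": is_blocked(device, SAMPLE_SHUNS, OTHER_SERVICE),
            "other_source": is_blocked(device, SAMPLE_SHUNS, OTHER_SOURCE),
        }
        for device in ("router", "pix")
    }


if __name__ == "__main__":
    for device, result in compare_devices().items():
        print(device, result)
```

The router entry in the result shows the attacked service blocked but the same source still able to reach tcp/443, while the pix entry shows both blocked: that is the "treated as a shun host" behaviour the note warns about, and why a "show shun" line carrying destination and port details still means the whole source IP is shunned.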
Is there an advantage to using one device over another for blocking? I currently have my router and my PIX as blocking devices, but I think the router pretty much takes care of the job.
From a security standpoint both devices are perfectly acceptable for the static IP blocking.
If you want to do connection blocking then use the router because the Pix doesn't support it.
If you are currently blocking on both, then you in effect have redundant blocking, which for some users may even be preferable.
If you want to only use one device then consider the load on the current devices. I would suggest doing the blocking on the device which is experiencing the least load.
In other words if your Pix is already running at 90% cpu then consider using your router instead of the Pix for blocking. Or vice versa if your router cpu utilization is high.
You may also choose to block on the device closest to your internet connection so as to block the IP as soon as possible before it enters your network.
Ok, I've set up the shunning. We are trying small tests to see if it works. My next question, is there a way for the IDS to notify us, preferably by email, that it has initiated a shun?
If memory serves this is one of the limitations of using IDM only. For "advanced" functionality like e-mail notification you need to go to another product like VMS. It would be nice if Cisco threw that one last piece into IDM, but then it would let too many people off the hook for the need to buy VMS.
Yes, this is called the Product Enhancement Request. Please talk to your local Cisco sales rep and they can assist you in placing one. It has to be done through them. It has been my experience that if enough people clamor for it Cisco has a good track record for adding features, as long as it does not hurt the bottom line all that much :)