We use Cisco IDS and Pix Firewall. I am trying to find out the best method to block unwanted activities. For instance, we have decided to block P2P activities. Currently the IDS is set to block P2P; I was wondering if it would be better to configure the Pix Firewall to block the ports that the P2P software uses and set the IDS to just log the activities. What methods would you use?
It's best to firewall things. Blocking things at the network/transport layer is much less CPU intensive than having the blocking done deep in the application layer. Whatever you cannot firewall is a good candidate for IDS'ing.
At home, it's fun to throw the IDS sensor in front of the firewall to detect more nasty stuff, but it is somewhat academic to inspect things you are blocking anyhow. Better to focus on traffic you need to allow in (i.e., looking at HTTP attacks/worms on your web server).
The good thing about the IDS signatures in the 11000 range (http://www.cisco.com/cgi-bin/front.x/csec/idsAllList.pl) is that they'll detect the activity on whatever port the client is using. If you then set these sigs up for blocking, the IDS sensor will write the correct shun command to the PIX based on the actual source and destination port numbers, something you wouldn't be able to do normally.
In short, definitely go with the IDS blocking these. I would suggest only blocking the actual file transfer sigs; I think some of these sigs will fire when someone does a search, and this opens up tons of connections. You don't want to block all of these, as it'll put a large load on both your PIX and your sensor. Let people do searches but block the actual file transfers, as this'll only be 1-2 connections that you're blocking. People will soon learn that file downloading doesn't work and they'll move on.
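As an added illustration of the sensor-to-PIX workflow described in the reply above (this is example code, not from the thread or from Cisco's software): it takes IDS alert lines, shuns only the file-transfer signatures while leaving search signatures as log-only, and builds each `shun` command from the ports observed in the alert rather than a fixed port list. The alert line format, the signature IDs and all addresses are constructed for the example.

```python
"""Turn constructed Cisco IDS P2P alerts into PIX 'shun' commands.

Hypothetical example: signature IDs, the alert line layout and the IP
addresses are made up for illustration; consult the sensor's own signature
list (the 11000 range mentioned above) for real IDs.
"""
import re

# Constructed policy: which hypothetical sigs mean a file transfer (shun)
# and which mean a search/query (log only, since searches fan out into many
# short connections and shunning them all would load the PIX and sensor).
TRANSFER_SIGS = {11001, 11003}
SEARCH_SIGS = {11002, 11004}

ALERT_RE = re.compile(
    r"sig=(?P<sig>\d+)\s+src=(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+)\s+proto=(?P<proto>tcp|udp)")


def parse_alert(line):
    """Parse one constructed alert line; return a dict or None if malformed."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    alert = m.groupdict()
    alert["sig"] = int(alert["sig"])
    return alert


def plan_blocking(lines):
    """Return (shun_commands, log_only_lines) for a batch of alert lines.

    PIX syntax: shun src_ip [dst_ip sport dport [protocol]]. The ports are
    taken from the alert itself, which is what makes this work for clients
    that negotiate arbitrary ports. Identical shuns are emitted once.
    """
    shuns, log_only, seen = [], [], set()
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue  # unparseable line: ignore rather than guess
        if a["sig"] in TRANSFER_SIGS:
            cmd = f"shun {a['src']} {a['dst']} {a['sport']} {a['dport']} {a['proto']}"
            if cmd not in seen:
                seen.add(cmd)
                shuns.append(cmd)
        elif a["sig"] in SEARCH_SIGS:
            log_only.append(line)
    return shuns, log_only


# Constructed sample alerts: two searches, one transfer seen twice, one UDP transfer.
SAMPLE_ALERTS = [
    "sig=11002 src=10.0.0.5:51000 dst=198.51.100.7:6346 proto=tcp",
    "sig=11002 src=10.0.0.5:51001 dst=198.51.100.8:6346 proto=tcp",
    "sig=11001 src=10.0.0.5:51002 dst=198.51.100.9:41872 proto=tcp",
    "sig=11001 src=10.0.0.5:51002 dst=198.51.100.9:41872 proto=tcp",
    "sig=11003 src=10.0.0.6:4100 dst=203.0.113.20:6881 proto=udp",
    "not an alert line",
]

if __name__ == "__main__":
    cmds, logged = plan_blocking(SAMPLE_ALERTS)
    print("\n".join(cmds))
    print(f"{len(logged)} search alerts logged, not shunned")
```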