Cisco Support Community
Community Member

IDS Blocking VS Pix Firewall port blocking

We use Cisco IDS and PIX Firewall. I am trying to find out the best method to block unwanted activities. For instance, we have decided to block P2P activities. Currently the IDS is set to block P2P; I was wondering if it would be better to configure the PIX Firewall to block the ports that the P2P software uses and set the IDS to just log the activities. What methods would you use?




Re: IDS Blocking VS Pix Firewall port blocking

It's best to firewall things. Blocking things at the network/transport layer is much less CPU intensive than having the blocking done deep in the application layer. Whatever you cannot firewall is a good candidate for IDS'ing.

At home, it's fun to throw the IDS sensor in front of the firewall to detect more nasty stuff, but it is somewhat academic to inspect things you are blocking anyhow. Better to focus on traffic you need to allow in (i.e., looking at HTTP attacks/worms on your web server).

Cisco Employee

Re: IDS Blocking VS Pix Firewall port blocking

The most popular P2P programs can't successfully be blocked with a PIX, as they use random source and destination ports to connect to other hosts to download content. See for details.

The good thing about the IDS signatures in the 11000 range is that they'll detect the activity on whatever port the client is using. If you then set these sigs up for blocking, the IDS sensor will write the correct shun command to the PIX based on the actual source and destination port numbers, something you wouldn't be able to do normally.

In short, definitely go with the IDS blocking these. I would suggest only blocking the actual file transfer sigs; I think some of these sigs will fire when someone does a search, and this opens up tons of connections. You don't want to block all of these, as it'll put a large load on both your PIX and your sensor. Let people do searches but block the actual file transfers, as this'll only be 1-2 connections that you're blocking. People will soon learn that file downloading doesn't work and they'll move on.
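To make the point in the reply above concrete, here is an added example (not code from the thread or from Cisco): it takes a few constructed IDS alert records, blocks only those whose signature ID is in a hypothetical "file transfer" set, and emits PIX `shun` commands carrying the flow's real source and destination ports. It also checks whether a fixed port-range ACL would have matched the same flow, which is the problem with blocking P2P by port on the PIX. The alert line format, the signature IDs in `FILE_TRANSFER_SIGS`, and the sample addresses are all assumptions made for this illustration; the `shun src_ip dst_ip sport dport protocol` form is the PIX 6.x syntax.

```python
"""
Added example, not from the original thread: turn constructed IDS alerts
into PIX `shun` commands that carry the actual source/destination ports,
and compare with what a fixed port-range ACL would have matched.
"""
from dataclasses import dataclass

# Hypothetical policy: signature IDs we treat as "file transfer" sigs.
# The thread only says such sigs exist in the 11000 range; these numbers
# are placeholders for this example, not real Cisco IDS signature IDs.
FILE_TRANSFER_SIGS = {11005, 11009}

# The kind of static range a PIX ACL might use for "P2P ports"
# (e.g. 'access-list inside_out deny tcp any any range 6881 6889').
STATIC_P2P_PORTS = range(6881, 6890)


@dataclass(frozen=True)
class Alert:
    sig_id: int
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


def parse_alert(line: str) -> Alert:
    """Parse a constructed 'sig=.. src=.. sport=.. dst=.. dport=.. proto=..' line."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Alert(
        int(fields["sig"]),
        fields["src"],
        int(fields["sport"]),
        fields["dst"],
        int(fields["dport"]),
        fields.get("proto", "tcp"),
    )


def should_block(alert: Alert) -> bool:
    """Block only the file-transfer sigs; search sigs are logged, not shunned."""
    return alert.sig_id in FILE_TRANSFER_SIGS


def shun_command(alert: Alert) -> str:
    """PIX 6.x syntax: shun src_ip [dst_ip sport dport [protocol]].

    Shunning the full 5-tuple stops the one transfer connection instead of
    cutting the whole host off.
    """
    return f"shun {alert.src} {alert.dst} {alert.sport} {alert.dport} {alert.proto}"


def static_acl_matches(alert: Alert) -> bool:
    """Would a 'deny tcp any any range 6881 6889' style ACL have caught this flow?"""
    return alert.proto == "tcp" and (
        alert.dport in STATIC_P2P_PORTS or alert.sport in STATIC_P2P_PORTS
    )


def plan(lines):
    """Return the list of shun commands the sensor would push for these alerts."""
    cmds = []
    for line in lines:
        alert = parse_alert(line)
        if should_block(alert):
            cmds.append(shun_command(alert))
    return cmds


# Constructed sample alerts (addresses from documentation ranges).
SAMPLE_ALERTS = [
    # search activity: log only
    "sig=11001 src=10.1.1.25 sport=3344 dst=198.51.100.7 dport=6346 proto=tcp",
    # file transfer on a random high port: a static port ACL misses it
    "sig=11005 src=10.1.1.25 sport=3390 dst=203.0.113.40 dport=51413 proto=tcp",
    # file transfer on a "classic" port: both approaches catch it
    "sig=11009 src=10.1.1.26 sport=41122 dst=203.0.113.9 dport=6881 proto=tcp",
]

if __name__ == "__main__":
    for line in SAMPLE_ALERTS:
        a = parse_alert(line)
        print(f"sig {a.sig_id}: block={should_block(a)} static_acl_hit={static_acl_matches(a)}")
    for cmd in plan(SAMPLE_ALERTS):
        print(cmd)
```

Of the two transfers, only the one on port 6881 would be stopped by a static ACL; the one on port 51413 is caught solely because the shun is built from the ports the sensor actually observed. The shuns are per-flow, so a user's other traffic keeps working, which matches the "block the transfer, not the search" approach in the reply.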
