Cisco Support Community

New Member

IDS integration with the PIX Firewall

I am reading the Release Notes for Cisco Intrusion Detection System Sensor Version 3.0(1)S4, and I have stumbled on a new feature of this version: it claims integration with the PIX Firewall.

How do you implement this? What kind of integration does it offer?

1 ACCEPTED SOLUTION
Cisco Employee

Re: IDS integration with the PIX Firewall

Instructions for sensor and PIX basic configuration can be found here:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids8/13870_01.htm#xtocid23

Instructions for sensor and PIX SSH configuration can be found here:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids8/13870_01.htm#xtocid16

You can configure the sensor to connect to the PIX via Telnet when using the PIX inside interface; otherwise you must use SSH. SSH with 3DES encryption is supported in version 3.0 or later sensors for PIX connections.

Caveat: If you want to use Telnet with a version 6.2.1 or later PIX, or if you want to use SSH with DES encryption on any PIX, then you will need a patch for your sensor. If so, open a TAC case and request the latest engineering build of nr.managed. Reference stleary@cisco.com for any questions.

3 REPLIES
Cisco Employee

Re: IDS integration with the PIX Firewall

The IDS Sensor has a feature called shun/blocking (originally known as shun, but over time it has become known as blocking).

When the IDS detects an attack, it can be configured to connect to another Cisco device (through Telnet or SSH, with a username/password) and then reconfigure the device to shun/block the IP address of the attacker.

When using the IDS blocking feature with a Cisco router, the sensor will telnet to the router and create an ACL which will deny the IP address of the attacker.

When using the IDS blocking feature with a PIX, the sensor will telnet/SSH to the PIX and execute a special "shun" command on the PIX. The PIX then blocks packets to or from that IP address on all of its interfaces.
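To make the blocking action concrete, here is an added illustration (example code, not Cisco's sensor software or anything posted in this thread) of what the sensor pushes to a PIX versus an IOS router when it blocks an attacker, and of the transport rule from the accepted answer (Telnet only on the PIX inside interface, otherwise SSH with 3DES). The never-block list, the ACL number 199, the interface name and the sample alert addresses are assumptions constructed for the example; the PIX `shun`/`no shun` syntax and the IOS `access-list` commands are the real ones.

```python
"""Added example: what an IDS 'blocking' (shun) action sends to the
blocking device, and which transport the sensor may use to reach a PIX.
Not Cisco's sensor code; settings below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Hypothetical "never block" list (assumption for this example): hosts the
# sensor must never shun, so an attacker spoofing a critical host's address
# cannot use the IDS to cut that host off for you.
NEVER_BLOCK = {
    ipaddress.ip_address("10.0.0.53"),  # constructed: internal DNS server
    ipaddress.ip_address("10.0.0.1"),   # constructed: default gateway
}


@dataclass
class Alert:
    """Minimal IDS alert: the only field the blocking action needs."""
    attacker: str


@dataclass
class BlockCommands:
    """Commands the sensor pushes to apply a block, and later to lift it."""
    device: str
    apply: List[str] = field(default_factory=list)
    remove: List[str] = field(default_factory=list)


def pix_block(attacker: str) -> BlockCommands:
    """PIX: one 'shun' drops packets to/from that source on every interface.
    Real syntax: shun src_ip [dst_ip sport dport [protocol]]; 'no shun' lifts it."""
    ip = ipaddress.ip_address(attacker)
    return BlockCommands("pix", apply=[f"shun {ip}"], remove=[f"no shun {ip}"])


def ios_block(attacker: str, acl: int = 199, interface: str = "FastEthernet0/0") -> BlockCommands:
    """IOS router: the sensor writes a deny entry into a numbered ACL applied
    inbound on the interface facing the attacker (ACL number and interface
    are example assumptions).  Entries of a numbered ACL cannot be deleted
    one at a time ('no access-list 199 ...' removes the whole list), so the
    removal rewrites the ACL without the deny entry."""
    ip = ipaddress.ip_address(attacker)
    return BlockCommands(
        "ios",
        apply=[
            "configure terminal",
            f"no access-list {acl}",
            f"access-list {acl} deny ip host {ip} any",
            f"access-list {acl} permit ip any any",
            f"interface {interface}",
            f" ip access-group {acl} in",
            "end",
        ],
        remove=[
            "configure terminal",
            f"no access-list {acl}",
            f"access-list {acl} permit ip any any",
            "end",
        ],
    )


def blocking_action(alert: Alert, device: str) -> Optional[BlockCommands]:
    """Decide whether to block and which commands to push.  Returns None when
    the attacker address is not a valid IPv4 address or is on NEVER_BLOCK."""
    try:
        ip = ipaddress.ip_address(alert.attacker)
    except ValueError:
        return None
    if ip.version != 4 or ip in NEVER_BLOCK:
        return None
    if device == "pix":
        return pix_block(str(ip))
    if device == "ios":
        return ios_block(str(ip))
    raise ValueError(f"unsupported blocking device type {device!r}")


def sensor_transport(pix_interface: str, ssh_cipher: str = "3des") -> str:
    """Transport rule from the accepted answer: Telnet only when the sensor
    reaches the PIX on its inside interface; any other interface needs SSH,
    and a 3.0 sensor supports SSH with 3DES (DES needs the nr.managed patch)."""
    if pix_interface == "inside":
        return "telnet"
    if ssh_cipher.lower() == "3des":
        return "ssh"
    raise ValueError("SSH with this cipher needs a patched sensor build")
```

The never-block list is the piece a practitioner should not skip: an automatic blocking action lets anyone who can trigger a signature with a spoofed source address decide which hosts get shunned, so the addresses of DNS servers, gateways and the management path to the PIX itself belong on that list before blocking is enabled.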

New Member

Re: IDS integration with the PIX Firewall

Thanks for the reply. Is there any template or configuration that I could follow?

I am using an IDS 4210, software version 3.01(S4), and CSPM 2.3.1i.

