Cisco Support Community
New Member

PIX 515 and IDS

I was told that the PIX 515E Firewall is capable of BLOCKING malicious attacks such as Denial of Service attacks. I was told again by CA engineers that there is NO product out there that's capable of blocking attacks; they instead notify the administrator only. I'd like your opinion on whether the PIX firewall can actually BLOCK attacks or not. Thanks in advance.

1 ACCEPTED SOLUTION
Cisco Employee

Re: PIX 515 and IDS

The PIX does have some features to prevent DOS attacks, but it can't block everything. For example, if someone launches a smurf attack or something that uses up all your available bandwidth, then the PIX obviously can't do anything about that since the damage is already done by the time the traffic gets to the PIX.

For something like a TCP SYN attack on a host inside the PIX, you can set up the static command to only allow a certain total number of connections through, and/or a certain number of half-open connections through to the internal host, effectively protecting the internal server. The PIX will deny any further connection attempts above this limit.

The PIX does also have a limited IDS function built into it. It will detect 59 common packet signatures and can be set up to block these if they're seen. The signatures it looks for are only basic one-packet signatures, nothing extensive like an actual IDS device can search for.

In short, no one can say "yes, the PIX prevents all DOS attacks"; no box can do that, because it depends on what the DOS attack is. If someone is flooding your available circuit bandwidth, then you really have to get your ISP involved to block that traffic BEFORE it gets to you. For host-based DOS attacks, yes, the PIX should be able to block most of them with standard configuration commands.
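The two mechanisms described in the accepted answer (connection and embryonic-connection limits on the static translation, and the built-in ip audit signature engine) look like this in PIX 6.x configuration. This is an added example, not configuration posted in the thread; the addresses, interface names, policy names and limit values are assumptions chosen for illustration, and the server is assumed to be a web server at 10.1.1.10 translated to 203.0.113.10 on the outside.

```cisco
! Added example (not from the original thread). Assumed topology:
! inside web server 10.1.1.10, published as 203.0.113.10 on the outside.
!
! static (internal_if,external_if) global_ip local_ip netmask mask [max_conns [emb_limit]]
! max_conns = total TCP/UDP connections allowed to the host (0 = unlimited)
! emb_limit = half-open (embryonic, SYN seen but no handshake) connections (0 = unlimited)
! Here: at most 1000 connections and 100 half-open connections to the server.
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255 1000 100
!
! The translation still needs an ACL to admit the inbound traffic.
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-group outside_in in interface outside
!
! Built-in IDS (ip audit). Two policies: "attack" class signatures alarm,
! drop the packet and reset the TCP session; "info" class signatures only alarm.
ip audit name attack-policy attack action alarm drop reset
ip audit name info-policy info action alarm
ip audit interface outside attack-policy
ip audit interface outside info-policy
!
! Individual signatures can be switched off if they are too noisy,
! e.g. signature 2000 (ICMP echo reply).
ip audit signature 2000 disable
!
! Verification: current limits, live connections, per-host embryonic
! counts and per-signature hit counts on the outside interface.
show static
show conn
show local-host 10.1.1.10
show ip audit count interface outside
```

Two practical notes. The embryonic limit is per translated host, so size it from the server's normal half-open backlog rather than guessing; `show local-host` reports the current embryonic count against the configured limit. Also, as the answer says, none of this helps once the upstream circuit itself is saturated; these limits protect the server behind the PIX, not the link in front of it.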

3 REPLIES

Re: PIX 515 and IDS

If memory serves, the 515 does not block DoS attacks per se, but it is capable of recognizing a DoS attack and will start dropping packets that it identifies from the attacking computers. Do the experts out there agree?

New Member

Re: PIX 515 and IDS

This is exactly the sort of answer I'm looking for. Detecting and dropping packets from the attacking computer is, in my opinion, the same as blocking, don't you think?
