Intrusion Detection
The Cisco Secure PIX Firewall, like the Cisco Secure IOS
Firewall covered in Chapter 7, added intrusion-detection technology to extend the
Cisco Secure IDS technology. IDS sensor incorporation into the firewall is ideal
for locations requiring additional security between network segments. It can
also provide enhanced visibility at intranet, extranet, and branch-office
Internet perimeters.
PIX Firewall IDS v6.2 audits (monitors) 53 attack signatures,
representing a broad cross section of severe security breaches and the most
common information-gathering scans. PIX Firewall IDS auditing is
performed by inspecting IP packets as they arrive at an input interface. If
a packet matches an active signature, the IDS can perform any or all of the
configured actions (alarm, drop, or reset) based on the predefined configuration.
Any packet that triggers a signature for which the configured action doesn't
drop the packet can then trigger additional signatures.
PIX Firewall IDS supports both inbound and outbound auditing, as
well as interface-specific auditing.
Define Default Audit Actions
Use the global configuration mode ip audit command to specify the default audit action(s). Use the
no form of this command to reset the default action for info or attack signatures. The
syntax is the following:
Pix(config)# ip audit {info | attack} {action [alarm] [drop] [reset]}
Pix(config)# no ip audit {info | attack}
In the following example, the default action for info and attack
signatures is set:
Pix(config)# ip audit info action alarm
Pix(config)# ip audit attack action reset
Disabling Individual Signatures
Use the global configuration mode ip audit signature command to attach a policy to a signature and
disable the signature. Use the no form of this command to remove the policy and
reenable the signature. The syntax is as follows:
Pix(config)# ip audit signature signature-id disable
Pix(config)# no ip audit signature signature-id
In this example, two signatures are disabled. The show ip audit signature command is then used to display the disabled
signatures, and one of them is reenabled.
Pix(config)# ip audit signature 1001 disable
Pix(config)# ip audit signature 1004 disable
Pix(config)# show ip audit signature
ip audit signature 1001 disable
ip audit signature 1004 disable
Pix(config)# no ip audit signature 1001 disable
The show ip audit count command lists the active
signatures:
Pix(config)# show ip audit count
Signature Global
1000 I Bad IP Options List 0
1001 I Record Packet Route 0
1002 I Timestamp 0
1003 I Provide s,c,h,tcc 0
1005 I SATNET ID 0
1006 I Strict Source Route 0
Create Named Audit Rules
An audit rule (audit policy) defines
the actions for all active signatures that can be applied to an interface. Each
audit rule/policy is identified by a unique user-defined case-sensitive name.
Each interface can have two policies: one each for informational and attack
signatures. If a policy is defined without actions, then the defined default
actions are used. Each policy requires a different name.
Use the global configuration mode command ip audit name to create audit rules for info and attack
signature types. Any signatures disabled with the ip audit
signature command don’t become part of the audit rule created with the ip audit name command. Use the no form of this command to delete
an audit rule. The syntax is
Pix(config)# ip audit name audit-name {info | attack} [action [alarm] [drop] [reset]]
Pix(config)# no ip audit name audit-name {info | attack}
The following example shows creating an audit policy—Audit.99—and
then using the show ip audit name command to display the named
policies.
Pix(config)# ip audit name Audit.99 info action alarm drop reset
Pix(config)# show ip audit name
ip audit name Audit.99 info action alarm drop reset
Pix(config)#
Apply the Audit Rule to the Interface(s)
The audit rule is applied to an interface on the PIX
Firewall using the ip audit interface command. The no form of
the command removes a policy from the interface. The syntax is
Pix(config)# ip audit interface int_name audit-name
Pix(config)# no ip audit interface int_name
The following example shows an attempt to assign the policy to the
outside interface with a case error on the name. This is followed by a correct
entry, and then the show ip audit interface command verifying
the interface assignments.
Pix(config)# ip audit interface outside audit.99
Could not locate an IDS policy with name audit.99
Pix(config)# ip audit interface outside Audit.99
Pix(config)# show ip audit interface
ip audit interface outside Audit.99
Pix(config)#
PIX Firewall IDS Syslog Messages
PIX Firewall IDS syslog messages all start with
%PIX-4-4000nn IDS:signature_id. The PIX-4 indicates that a syslog
trapping level of at least 4 is needed to capture these messages. The
following sample messages include an info (2003) message and an attack (4051) message:
%PIX-4-400013 IDS:2003 ICMP redirect from 192.168.2.1 to 192.168.1.1 on interface dmz
%PIX-4-400032 IDS:4051 UDP Snork attack from 10.1.4.1 to 192.168.1.10 on interface outside
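As an added example (not part of the chapter or of Cisco's software), the following Python parser reads the IDS message format described above from a syslog feed, extracts the signature, addresses and interface, and counts hits per interface and source. The signature-class table covers only the signatures this chapter names, and the sample feed is constructed (the two chapter messages plus constructed lines, including a truncated one to show the failure path).

```python
import re
from collections import Counter
from typing import Optional

# Message layout as the chapter documents it:
#   %PIX-4-4000nn IDS:<signature_id> <text> from <src> to <dst> on interface <if_name>
PIX_IDS_RE = re.compile(
    r"^%PIX-(?P<level>\d)-(?P<msgid>4000\d\d) IDS:(?P<sig>\d+) (?P<desc>.+?) "
    r"from (?P<src>\S+) to (?P<dst>\S+) on interface (?P<iface>\S+)$"
)

# Signature classes taken only from this chapter (the show ip audit count listing
# and the two sample messages); anything else is reported as "unknown", not guessed.
SIG_CLASS = {1000: "info", 1001: "info", 1002: "info", 1003: "info",
             1005: "info", 1006: "info", 2003: "info", 4051: "attack"}

def parse_pix_ids(line: str) -> Optional[dict]:
    """Return the fields of one IDS syslog line, or None if the line is not one."""
    m = PIX_IDS_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["level"] = int(rec["level"])   # 4 = trapping level needed to see the message
    rec["sig"] = int(rec["sig"])
    rec["class"] = SIG_CLASS.get(rec["sig"], "unknown")
    return rec

def summarize(lines) -> dict:
    """Count IDS hits per (interface, class) and per source; keep IDS lines that fail to parse."""
    by_iface_class, by_src, unparsed = Counter(), Counter(), []
    for line in lines:
        rec = parse_pix_ids(line)
        if rec is None:
            if "IDS:" in line:         # looks like an IDS message but is malformed/truncated
                unparsed.append(line)
            continue
        by_iface_class[(rec["iface"], rec["class"])] += 1
        by_src[rec["src"]] += 1
    return {"by_iface_class": dict(by_iface_class), "by_src": dict(by_src), "unparsed": unparsed}

# Constructed sample feed: the two chapter messages, then a constructed hit on info
# signature 1001, a constructed non-IDS line, and a constructed truncated IDS line.
SAMPLE_LOG = [
    "%PIX-4-400013 IDS:2003 ICMP redirect from 192.168.2.1 to 192.168.1.1 on interface dmz",
    "%PIX-4-400032 IDS:4051 UDP Snork attack from 10.1.4.1 to 192.168.1.10 on interface outside",
    "%PIX-4-400001 IDS:1001 IP options-Record Packet Route from 10.1.4.1 to 192.168.1.10 on interface outside",
    "%PIX-6-302013 Built inbound TCP connection (constructed, not an IDS message)",
    "%PIX-4-400032 IDS:4051 UDP Snork attack from 10.1.4.1",
]
```

Running summarize(SAMPLE_LOG) attributes two hits to 10.1.4.1 on the outside interface and reports the truncated line as unparsed, which is the case a real pipeline should alert on rather than silently drop.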