Intrusion Detection
The Cisco Secure PIX Firewall, like the Cisco Secure IOS
Firewall covered in Chapter 7, added intrusion-detection technology to extend the
Cisco Secure IDS technology. IDS sensor incorporation into the firewall is ideal
for locations requiring additional security between network segments. It can
also provide enhanced visibility at intranet, extranet, and branch-office
Internet perimeters.
PIX Firewall IDS v6.2 audits (monitors) 53 attack signatures,
representing a broad cross section of severe security breaches and the most
common information-gathering scans. The PIX Firewall IDS technology auditing is
performed by looking at the IP packets as they arrive at an input interface. If
a packet matches an active signature, the IDS can perform any or all of the
following actions based on the predefined router configuration:
Any packet that triggers a signature for
which the configured action doesn’t drop the packet, can then trigger additional
signatures.
PIX Firewall IDS supports both inbound and outbound auditing, as
well as interface specific auditing.
Define Default
Audit Actions
Use the global configuration mode ip audit command to specify the default audit action(s). Use the
no form of this command to set the default action for info signatures. The
syntax is the following:
Pix(config)# ip audit {info | attack} {action [alarm] [drop]
[reset]}
Pix(config)# no ip audit {info |
attack}
In the following example, the default action for info and attack
signatures is set:
Pix(config)# ip audit info action alarm
Pix(config)# ip audit attack action reset
Disabling
Individual Signatures
Use the global configuration mode ip audit signature command to attach a policy to a signature and
disable the signature. Use the no form of this command to remove the policy and
reenable the signature. The syntax is as follows:
Pix(config)# ip audit signature signature-id disable Pix(config)# no ip audit signature signature-id
In this example, the two signatures are disabled. The show ip audit signature command is used to display the disabled
signatures, and then one is reenabled.
Pix(config)# ip audit signature 1001 disable
Pix(config)# ip audit signature 1004 disable
Pix(config)# show ip audit signature
ip audit signature 1001 disable
ip audit signature 1004 disable
Pix(config)# no ip audit signature 1001 disable
The show ip audit count command lists the active
signatures:
Pix(config)# show ip audit count
Signature Global
1000 I Bad IP Options List 0
1001 I Record Packet Route 0
1002 I Timestamp 0
1003 I Provide s,c,h,tcc 0
1005 I SATNET ID 0
1006 I Strict Source Route 0
Create Named
Audit Rules
An audit rule (audit policy) defines
the actions for all active signatures that can be applied to an interface. Each
audit rule/policy is identified by a unique user-defined case-sensitive name.
Each interface can have two policies: one each for informational and attack
signatures. If a policy is defined without actions, then the defined default
actions are used. Each policy requires a different name.
Use the global configuration mode command ip audit name to create audit rules for info and attack
signature types. Any signatures disabled with the ip audit
signature command don’t become part of the audit rule created with the ip audit name command. Use the no form of this command to delete
an audit rule. The syntax is
Pix(config)ip audit name audit-name
{info | attack} [action [alarm] [drop] [reset]]
Pix(config)no ip audit name audit-name {info | attack}
The following example shows creating an audit policy—Audit.99—and
then using the show ip audit name command to display the named
policies.
Pix(config)# ip audit name Audit.99 info action alarm drop reset
Pix(config)# show ip audit name
ip audit name Audit.99 info action alarm drop reset
Pix(config)#
Apply the Audit
Rule to the Interface(s)
The audit rule is applied to an interface on the PIX
Firewall using the ip audit interface command. The no form of
the command removes a policy from the interface. The syntax is
Pix(config)# ip audit interface int_name
audit-name
Pix(config)# no ip audit interface int_name
The following example shows an attempt to assign the policy to the
outside interface with a case error on the name. This is followed by a correct
entry, and then the show ip audit interface command verifying
the interface assignments.
Pix(config)# ip audit interface outside audit.99
Could not locate an IDS policy with name audit.99
Pix(config)# ip audit interface outside Audit.99
Pix(config)# show ip audit interface
ip audit interface outside Audit.99
Pix(config)#
PIX Firewall
IDS Syslog Messages
PIX Firewall IDS Syslog messages all start with
%PIX-4-4000nn IDS:signature_id . . . . The PIX-4 indicates
trapping level 4 at least would be needed to capture these messages. The
following sample messages include an info (2003) and attack (4051) message:
%PIX-4-400013 IDS:2003 ICMP redirect from 192.168.2.1 to 192.168.1.1 on interface dmz
%PIX-4-400032 IDS:4051 UDP Snork attack from 10.1.4.1 to 192.168.1.10 on interface outside
Sections
Comments (0 posted)
Syndication
