Minimum IDS components for PIX Firewall shunning

rselmi — Fri, 21 Feb 2020 06:41:38 GMT

As they are the minimum components to carry out automatic shunning of an ip address on PIX Firewall during an intrusion attempt attack?

Re: Minimum IDS components for PIX Firewall shunning

stleary — Thu, 17 Apr 2003 08:19:47 GMT

Can you clarify what you mean by minimum components? For example, do

you mean the minimum number of processes running on a sensor, or the

minimum configuration actions, or something else? Are you referring to 3.x

sensors or the new 4.0 sensor?

Here is my best answer, absent other information:

For a 3.x sensor, at the minimum, the PIX needs to have a 3DES license and

configured to allow ssh connections on the outside interface or telnet

connections on the inside interface. The PIX should be running at least

version 6.0. Note: there is an engineering build of the process nr.managed

that can connect to a PIX with a DES license, but it requires a manual

configuration step. This build also fixes a bug that would otherwise

prevent a sensor from connecting via telnet to a 6.2.1 or later PIX. If using

SSH, it necessary to connect to the PIX from the sensor command line

one time before the sensor can connect. Also you will need to configure

the pix interface IP, username, password, and enable password using

the sensor management software. If the PIX RSA key or interface IP

is changed for any reason, then you need to delete the PIX entry from the

SSH known_hosts file and repeat the manual connection.

For a 4.0 sensor, at the minimum, the same PIX requirements apply.

On the sensor, the same requirements apply except that instead of a

manual connection you need to add the PIX interface IP as a trusted

host.

Finally, you must configure one or more signatures to shun the attacker

when they are fired. Of course the signature must be enabled as well.

This is done via the management software.