Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
392
Views
0
Helpful
2
Replies

IDS Blocking VS Pix Firewall port blocking

adrian.gutierrez
Level 1
Level 1

‎03-04-2004 03:15 PM - edited ‎02-20-2020 11:16 PM

We use Cisco IDS and Pix Firewall. I am trying to find out the best method to block unwanted activities. For instance we have decided to block P2P activities. Currently the IDS is set to block P2P, I was wondering if it would be better to configure the Pix Firewall to block the ports that the P2P software uses and set the IDS to just log the activities. What methods would you use?

Thanks

Adrian

0 Helpful
2 Replies 2

mostiguy
Level 6
Level 6

‎03-04-2004 07:21 PM

its best to firewall things. blocking things at the network/transport layer is much less cpu intensive than have the blocking things deep in the application layer. whatever you cannot firewall is a good candidate for IDS'ing.

at home, its fun to throw the IDS sensor in front of the firewall to detect more nasty stuff, but it is somewhat academic to inspect things you are blocking anyhow. better to focus on traffic you need to allow in (i.e., looking at http attacks/worms on your web server)

0 Helpful

gfullage
Cisco Employee
Cisco Employee

‎03-04-2004 07:45 PM

The most popular P2P programs can't successfully be blocked with a PIX, as they use random source and destination ports to connect to other hosts to download content. See http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00801e419a.shtml for details.

The good thing about the IDS signatures in the 11000 range (http://www.cisco.com/cgi-bin/front.x/csec/idsAllList.pl) is that they'll detect the activity on whatever port the client is using. If you then set these sigs up for blocking then the IDS sensor will write the correct shun command to the PIX based on the actual source and destination port numbers, something you wouldn't be able to do normally.

In short, definately go with the IDS blocking these. I would suggest only blocking the actual file transfer sigs, I think some of these sigs will fire when someone does a search and this opens up tons of connections, you don't want to block all these as it'll put a large load on both your PIX and your sensor. Let people do searches but block the actual file transfers, as this'll only be 1-2 connections that you're blocking. People will soon learn that file downloading doesn't work and they'll move on.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card