12-11-2002 05:32 PM - edited 02-20-2020 10:25 PM
I was told that the PIX 515E Firewall is capable of BLOCKING malicious attacks such as Denial of Service attacks. I was told again by CA engineers that there are NO products out there that are capable of blocking attacks, but instead notify the administrator only. I'd like your opinion on whether the PIX firewall can actually BLOCK attacks or not. Thanks in advance.
12-11-2002 08:36 PM
The PIX does have some features to prevent DoS attacks, but it can't block everything. For example, if someone launches a smurf attack or something that uses up all your available bandwidth, then the PIX obviously can't do anything about that, since the damage is already done by the time the traffic gets to the PIX.
For something like a TCP SYN attack to a host inside the PIX, you can set up the static command to only allow a certain total number of connections through, and/or a certain number of half-open connections through to the internal host, effectively protecting the internal server. The PIX will deny any further connection attempts above this limit.
The PIX also has a limited IDS function built into it. It will detect 59 common packet signatures and can be set up to block these if they're seen. The signatures it looks for are only basic one-packet signatures, nothing as extensive as what an actual IDS device can search for.
In short, no one can say "yes, the PIX prevents all DoS attacks"; no box can do that, because it depends on what the DoS attack is. If someone is flooding your available circuit bandwidth, then you really have to get your ISP involved to block that traffic BEFORE it gets to you. For host-based DoS attacks, yes, the PIX should be able to block most of them with standard configuration commands.
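As an added example that is not part of the original thread, the two firewall-side measures the answer above describes (connection and embryonic limits on the `static` translation, and the built-in `ip audit` signatures set to drop rather than only alarm) expressed as a small Python audit of a PIX 6.x configuration. The script parses `static` lines, reports translations whose half-open limit is missing or 0 (unlimited on the PIX), rewrites them with a limit, and checks that an attack policy with a `drop` action is applied to the outside interface. The sample configuration, interface names, addresses and the 1000/100 limits are constructed assumptions; the `static` and `ip audit` syntax is the documented PIX 6.x form.

```python
"""Audit a PIX 6.x configuration for the host-based DoS settings discussed above.

Added example with a constructed sample configuration; not configuration from
the original post. Assumed PIX 6.x syntax:
  static (inside_if,outside_if) global_ip local_ip [netmask mask] [max_conns [emb_limit [norandomseq]]]
  ip audit name NAME {info|attack} action [alarm] [drop] [reset]
  ip audit interface IFACE NAME
On the PIX a max_conns or emb_limit of 0 (or omitted) means unlimited.
"""
import re

STATIC_RE = re.compile(
    r"^static\s+\((?P<int_if>[^,]+),(?P<ext_if>[^)]+)\)\s+"
    r"(?P<global_ip>\S+)\s+(?P<local_ip>\S+)"
    r"(?:\s+netmask\s+(?P<mask>\S+))?"
    r"(?:\s+(?P<max_conns>\d+)(?:\s+(?P<emb_limit>\d+))?)?"
    r"(?:\s+norandomseq)?\s*$"
)
IP_AUDIT_NAME_RE = re.compile(
    r"^ip audit name\s+(?P<name>\S+)\s+(?P<kind>info|attack)\s+action\s+(?P<actions>.+?)\s*$"
)
IP_AUDIT_IFACE_RE = re.compile(r"^ip audit interface\s+(?P<iface>\S+)\s+(?P<name>\S+)\s*$")

# Constructed sample: two statics with no embryonic limit, one with limits,
# and an attack policy that only alarms.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.11 10.1.1.11 netmask 255.255.255.255 1000 100
static (inside,outside) 203.0.113.12 10.1.1.12 netmask 255.255.255.255
ip audit name info_policy info action alarm
ip audit name attack_policy attack action alarm
ip audit interface outside info_policy
ip audit interface outside attack_policy
"""


def parse_statics(config):
    """Return one dict per static translation, with numeric limits (0 = unlimited)."""
    statics = []
    for raw in config.splitlines():
        m = STATIC_RE.match(raw.strip())
        if not m:
            continue
        d = m.groupdict()
        d["line"] = raw.strip()
        d["max_conns"] = int(d["max_conns"] or 0)
        d["emb_limit"] = int(d["emb_limit"] or 0)
        statics.append(d)
    return statics


def unlimited_statics(config):
    """Global IPs whose static passes an unlimited number of half-open connections."""
    return [s["global_ip"] for s in parse_statics(config) if s["emb_limit"] == 0]


def harden_static(line, max_conns=1000, emb_limit=100):
    """Rewrite a static so it carries a total and an embryonic connection limit.

    An existing non-zero max_conns is kept; norandomseq is dropped so TCP
    sequence-number randomisation stays on.
    """
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError("not a static command: " + line)
    d = m.groupdict()
    mask = f" netmask {d['mask']}" if d["mask"] else ""
    mc = int(d["max_conns"] or 0) or max_conns
    return (f"static ({d['int_if']},{d['ext_if']}) {d['global_ip']} {d['local_ip']}"
            f"{mask} {mc} {emb_limit}")


def interfaces_with_drop_policy(config):
    """Interfaces that have an attack signature policy with a drop action applied."""
    lines = [l.strip() for l in config.splitlines()]
    drop_policies = {m["name"] for m in map(IP_AUDIT_NAME_RE.match, lines)
                     if m and m["kind"] == "attack" and "drop" in m["actions"].split()}
    return {m["iface"] for m in map(IP_AUDIT_IFACE_RE.match, lines)
            if m and m["name"] in drop_policies}


def audit_config(config, outside_if="outside"):
    """Findings for the two host-based DoS controls; empty list means both are in place."""
    findings = [f"static for {ip} has no embryonic (half-open) limit; a SYN flood is passed to the host"
                for ip in unlimited_statics(config)]
    if outside_if not in interfaces_with_drop_policy(config):
        findings.append(f"no ip audit attack policy with a drop action on {outside_if}; "
                        "signatures only alarm")
    return findings


def harden_config(config, max_conns=1000, emb_limit=100):
    """Return the configuration with limits on every static and drop added to attack policies."""
    out = []
    for raw in config.splitlines():
        line = raw.strip()
        s = STATIC_RE.match(line)
        if s and int(s["emb_limit"] or 0) == 0:
            out.append(harden_static(line, max_conns, emb_limit))
            continue
        a = IP_AUDIT_NAME_RE.match(line)
        if a and a["kind"] == "attack" and "drop" not in a["actions"].split():
            out.append(f"ip audit name {a['name']} attack action {a['actions']} drop")
            continue
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print("FINDING:", f)
    print(harden_config(SAMPLE_CONFIG))
```

The embryonic limit caps only the half-open connections to that one translated host; it does nothing against a flood that fills the upstream circuit, which is the case the answer says has to be handled by the ISP.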
12-11-2002 05:42 PM
If memory serves, the 515 does not block DoS attacks per se, but is capable of recognizing a DoS attack and will start dropping packets that it identifies from the attacking computers. Do the experts out there agree?
12-11-2002 05:45 PM
This is exactly the sort of answer I'm looking for. Detecting and dropping packets from the attacking computer, in my opinion, is the same as blocking, don't you think?