Pix and IDS

5creedus · ‎04-11-2005

anyone know to configure a pix 500 series to do IDS? according to cisco URL http://www.cisco.com/warp/public/cc/pd/sqsw/sqidsz/ it does a limited (~50 sigid's)

also there is a tac case ID that states it does at URL

http://www.ciscotaccc.com/security/showcase?case=K93520960

however I have not been able to find any documentation on how to configure. I did open a tac case 601113263 and will post the results of that case here once I hear from Cisco

thanks in advance

mostiguy · ‎04-11-2005

Refer to the ip audit command

5creedus · ‎04-11-2005

thanks, not very warm and fuzzy for ids on pix least not in a corporate environment.

Patrick Iseli · ‎04-11-2005

I think the easyest way to configure and to review the list is UNFOTUNENTLY the PDM - PIX DEVICE MANAGER.

I could not find any more the paper with the list of the available 5x signatures.

But do not compare this signature with an IDS system this are mostly Layer 3 signatures eg. LAND attack, icmp packet types, smurf and others. This signature will defently not protect against Application attacks.

sincerely

Patrick

5creedus · ‎04-11-2005

Thanks, we are trying to convience the customer this is not the way to go and that last tidbit will help, I hope.

Patrick Iseli · ‎04-11-2005

I finaly found a list of the signatures of the PIX Firewall in the log messages, See Table 2.4.

System Log Messages:

http://www.cisco.com/en/US/partner/products/sw/secursw/ps2120/products_system_message_guide_chapter09186a00800eca3d.html#36557

Command Reference ip audit:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#wp1101884

sincerely

Patrick