I have applied IDS shunning on the PIX firewall lately instead of the router, and it works fine. But the problem is that automatic shunning on the PIX doesn't shun the whole IP, but instead it shuns the combination of source IP with the source port, so when he changes the source port he can try the attacks again. I want it just to shun the source IP, does anyone know how?
The whole IP should be shunned even though you see the Source IP, Dest IP, Source Port, and Dest Port in the shun command.
When the IDS executes an automated shun to a PIX Firewall it will execute the PIX's shun command with the Source IP, Dest IP, Source Port, and Dest Port for the connection. This may appear that only that single connection is being shunned, but in fact the PIX is shunning the entire Source IP Address. The additional information is just so the PIX can do a little internal cleanup and remove the specific connection from its internal connection list.
So once the attack occurs and the shun command gets sent to the PIX, the attacker should not be able to connect again from that same IP address. If you have tested this and are seeing the attacker being able to make a new connection after the shun (before the shun time expires), then please contact the TAC.
NOTE: When using load balanced Firewalls, the IDS will likely need to be configured to shun on both of the Firewalls to prevent future connections.
I am using IDS version 3.1(3)S37 and PIX version 6.1(4).
I tested the shun command, and if the shun command contains the src port and destination IP and port, the attacker can pass if the src port is changed. It really needs to shun only the src IP to stop him totally. Any suggestions?
I tried this using a PIX 6.1(4). First I connected through the PIX to a device using telnet. I then pinged through the PIX to trigger a shun. I verified the shun was applied. I tried to telnet again and was blocked. I tried a ping and it was blocked. All returned to normal after the shun timed out. So as far as I can tell, the PIX is doing an unconditional shun as advertised. The connection data you see in the shun command is only used by the PIX for cleanup purposes.
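The behaviour described in the answer above and confirmed by the test (the shun is keyed on the source IP alone; the destination IP and port pair in the command only tear down the existing connection) is modelled below as an added example. This is not Cisco code and does not talk to a PIX; the `ShunTable` class, the constructed addresses 203.0.113.10 and 192.0.2.5, and the `shun`/`no_shun` method names are assumptions chosen to mirror the command names in the thread.

```python
"""Model of IDS-driven shunning on a PIX (added example, not Cisco code).

The point it demonstrates: a shun entry is keyed on the source IP. The
optional (dst_ip, src_port, dst_port) sent along with it is used only to
remove the one connection that triggered the shun, so a retry from the
same source IP with a different source port is still dropped.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# A connection as the firewall tracks it: (src_ip, src_port, dst_ip, dst_port).
Conn = Tuple[str, int, str, int]


@dataclass
class ShunTable:
    """Toy stand-in for the firewall's shun list and connection table."""
    shunned_ips: Set[str] = field(default_factory=set)
    active_conns: Set[Conn] = field(default_factory=set)
    log: List[str] = field(default_factory=list)

    def open_connection(self, src_ip: str, src_port: int,
                        dst_ip: str, dst_port: int) -> bool:
        """Return True if the new flow is allowed, False if it is dropped.

        Only the source IP is consulted; the ports play no part in the decision.
        """
        if src_ip in self.shunned_ips:
            self.log.append(f"DROP {src_ip}:{src_port} -> {dst_ip}:{dst_port} (shunned)")
            return False
        self.active_conns.add((src_ip, src_port, dst_ip, dst_port))
        self.log.append(f"ALLOW {src_ip}:{src_port} -> {dst_ip}:{dst_port}")
        return True

    def shun(self, src_ip: str, dst_ip: Optional[str] = None,
             src_port: Optional[int] = None, dst_port: Optional[int] = None) -> None:
        """Emulate `shun <src_ip> [<dst_ip> <src_port> <dst_port>]`.

        The block is recorded against the source IP only. The 4-tuple, when
        present, is used purely for cleanup of the already-open connection.
        """
        self.shunned_ips.add(src_ip)
        if dst_ip is not None and src_port is not None and dst_port is not None:
            self.active_conns.discard((src_ip, src_port, dst_ip, dst_port))
        self.log.append(f"SHUN {src_ip}")

    def no_shun(self, src_ip: str) -> None:
        """Emulate the shun expiring or being cleared (`no shun <src_ip>`)."""
        self.shunned_ips.discard(src_ip)
        self.log.append(f"UNSHUN {src_ip}")


def run_scenario() -> Dict[str, object]:
    """Replay the test from the thread with constructed addresses.

    Attacker 203.0.113.10 (constructed) telnets to 192.0.2.5 (constructed),
    an alarm causes the IDS to push a shun carrying that connection's
    4-tuple, and the attacker then retries from a different source port.
    """
    fw = ShunTable()
    attacker, victim = "203.0.113.10", "192.0.2.5"

    first = fw.open_connection(attacker, 40000, victim, 23)      # telnet, allowed
    # IDS reacts to an alarm and sends the shun with the full connection data.
    fw.shun(attacker, victim, 40000, 23)
    conn_torn_down = (attacker, 40000, victim, 23) not in fw.active_conns
    retry_new_port = fw.open_connection(attacker, 40001, victim, 23)  # dropped
    retry_other_dst = fw.open_connection(attacker, 40002, "192.0.2.9", 80)  # dropped
    fw.no_shun(attacker)                                          # shun timed out
    after_expiry = fw.open_connection(attacker, 40003, victim, 23)   # allowed again

    return {
        "first_allowed": first,
        "triggering_conn_removed": conn_torn_down,
        "retry_new_port_allowed": retry_new_port,
        "retry_other_dst_allowed": retry_other_dst,
        "after_expiry_allowed": after_expiry,
        "log": fw.log,
    }


if __name__ == "__main__":
    for line in run_scenario()["log"]:
        print(line)
```

If a real firewall let `retry_new_port_allowed` come back true while the shun was still in place, that would be the per-connection behaviour the original poster describes, and is the case the earlier answer says should go to the TAC; the model here encodes the documented source-IP-only semantics.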