Can IDS do this?

vikrantarora
Level 1

I am new to Cisco IDS. Our company already has an IDS blade in the Cat 6509 switch.

We also have a PIX, but I was told that the PIX is vulnerable to the following attacks:

UDP Flood

IP Range Scan

DoS/DDoS

HTTP attacks spanning multiple attacks

1. Can I take care of these with IDS?

2. Can the IDS act like a firewall in case of an attack? Or can the IDS be used as a firewall in general?

Thanks

vik

3 Replies

dbobeldyk
Level 1

Vik:

The IDS operates in tandem with the Firewall. It will be part of your layered security approach.

The PIX firewall will be configured to permit or deny traffic based on network addresses (IP Address) and port numbers (typically TCP or UDP).

The IDS examines the traffic all the way up to layer 7. The IDS will match traffic to certain attack signatures that it is configured for.

For example, the firewall will permit traffic destined for your web server on port 80; the IDS will then examine that traffic to see if it is 'legitimate' traffic or whether it looks like an attack. Is it a true request for a web page? Or are they trying to gain command-line access to your web server by sending a funky URL?

You really want to use these devices together, and neither one can really replace the other one. I hope that brief explanation will help shed some light on things for you.

-Denny

Thanks Denny,

Excellent example! Taking it a little further, let's say the IDS identifies it as an attack; then what all can it do? Deny the request, send a notification, what else? Can it write an access list under any circumstances?

vik

If the IDS detects an attack, it can do one of a few things:

- Send a Message to a Log, warning you that there was an attack

- Drop the connection between the two hosts (Therefore denying it)

- Drop the connection and log the attack.

- Email you that there was an attack. (You could have this email sent to your pager as well)

- If you have a PIX firewall the IDS can actually Shun that host from accessing your network - what that means is that the IDS will communicate with the PIX that this particular host is an offender and he/she needs to be blocked for the next X number of minutes (configurable by you).

You can also check out:

http://www.cisco.com/warp/public/cc/pd/sqsw/sqidsz/prodlit/ids4f_ds.pdf

for some more detailed information on the Cisco IDS appliance.

I'd also recommend picking up the IDS book from Cisco Press, should give you some more verbose explanations for what you're looking for.

If you need a consulting company to help you with your decisions, we are a national organization :)

-Denny
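
An added example, not part of the thread and not Cisco's implementation: a small Python model of the two points made in the replies above, the firewall deciding on protocol and port while the IDS inspects the URL, and a shun that blocks the offending host for a configurable number of minutes. The signature patterns, function names, and sample traffic are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

PERMITTED = {("tcp", 80)}  # firewall policy: protocol and destination port only
SIGNATURES = {             # illustrative layer-7 patterns, not Cisco's signature set
    "directory traversal": re.compile(r"\.\.[/\\]"),
    "shell in URL": re.compile(r"cmd\.exe|/bin/sh", re.I),
}

def firewall_permits(proto, dst_port):
    """Layer 3/4 decision: the payload is never inspected."""
    return (proto, dst_port) in PERMITTED

def ids_match(url):
    """Return the name of the first signature the decoded URL matches, else None."""
    decoded = unquote(unquote(url))  # decode twice so double-encoding is not missed
    for name, pattern in SIGNATURES.items():
        if pattern.search(decoded):
            return name
    return None

def process(events, shun_minutes=10):
    """events: (time_s, src_ip, proto, dst_port, url) tuples; returns one verdict each."""
    shunned_until, verdicts = {}, []
    for now, src, proto, port, url in events:
        if shunned_until.get(src, 0) > now:
            verdicts.append("blocked: shunned")
        elif not firewall_permits(proto, port):
            verdicts.append("blocked: firewall")
        elif (sig := ids_match(url)) is not None:
            shunned_until[src] = now + shun_minutes * 60  # time-limited block
            verdicts.append(f"alert: {sig}; dropped and shunned")
        else:
            verdicts.append("allowed")
    return verdicts

# Constructed sample traffic using documentation address ranges.
SAMPLE = [
    (0, "198.51.100.7", "tcp", 80, "/index.html"),
    (5, "203.0.113.9", "tcp", 80, "/docs/..%252f..%252fetc/passwd"),
    (60, "203.0.113.9", "tcp", 80, "/index.html"),
    (70, "198.51.100.7", "tcp", 23, ""),
    (700, "203.0.113.9", "tcp", 80, "/index.html"),
]

if __name__ == "__main__":
    for event, verdict in zip(SAMPLE, process(SAMPLE)):
        print(event[0], event[1], event[3], verdict)
```

The second request passes the port check and is caught only by content inspection; the same host's later benign request is refused until the shun expires, after which it is allowed again.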