04-30-2003 07:11 AM - edited 03-09-2019 03:06 AM
I am new to Cisco IDS. Our company already has an IDS blade in the Cat 6509 switch.
We also have PIX, but there I was told that PIX is vulnerable to the following attacks:
UDP Flood
IP Range Scan
DoS/DDoS
HTTP attacks spanning multiple attacks
1. Can I take care of these with IDS?
2. Can the IDS act like a firewall in case of an attack? Or can IDS be used as a firewall in general?
Thanks
vik
05-01-2003 11:26 AM
Hi,
IDS can help you in detecting these types of attacks and not act like a firewall.
It can do a TCP reset on the session or do shunning (applying an ACL) on the perimeter router to stop certain IP addresses for some types of attacks.
Thanks
Sujit
05-31-2003 10:48 PM
Hi,
What's the effectiveness of the TCP reset action in the IDS 4210 sensor? I tried configuring many TCP signatures with action = reset. I am getting the alarms in the event viewer but the session never gets terminated. Can anybody give me an example on simulating any signature with TCP reset action? I do not want to configure shunning or blocking on PIX/Routers.
Thanks
Avi
07-09-2003 08:12 AM
How is your sensor's sniffing interface connected to the network?
If you are connected to a switch and using SPAN to see the traffic, you need to enable inpkts so that the switch will accept the TCP reset packets from the sensor.
If you show port mac for the port the sniffing interface is connected to, you should see the number of packets received going up by 200 every time the sensor sends reset packets.