PIX - Intrusion Detection and Shunning
Attack Guards
Mail Guard
Protects SMTP traffic to the inside mail server by only allowing 7 SMTP commands: HELO,MAIL,RCPT,DATA,RSET,NOOP, and QUIT
RFC 821 for more information
Default mail guard port is 25; use fixup to enable on a different port
fixup protocol smtp 2525
Frag Guard and Virtual Reassembly
Protects against IP fragmentation
Virtual reassembly reserves buffer space
reassembles all ICMP error messages, also reassembles IP fragments being routed
syslog servers are notified of anomalies
Fragment command needed for NFS
fragment chain 1 fragment size 1
FloodGuard
Relaims AAA resources
- Timewait
- FinWait
- Embyonic
- Idle
floodguard enable
DOS Attacks Protection
TCP Intercept in PIX 5.2+
TCP SYN Cookies in PIX 6.2+
- PIX responds directly to SYN by including a cookie in the TCP header of SYN/ACK
- No state information is stored yet
- Legit client completed handshake by sending ACK back with the cookie
- If vaild cookie, PIX proxies the TCP session
Intrusion Detection Services
Reconnaissance, Access, or Denial of Service attacks
Signatures - rule sets that relate to common, known intrusion activity that upon matching generate responses
PIX Common IDS Signatures
ip audit attack action alarm drop reset
ip audit info action alarm drop
ip audit name ATTCKPOL attack action alarm reset
ip audit interface ouside ATTCKPOL
PIX Shunning
IDS sensing device, together with a PIX, can dynamically block a host
Stops connection-generating activities
IDS devices tell PIX to shun malicious traffic sources via the blocking function
Shun command is not interface-specific
Traffic from source is dropped regardless, can reside inside or outside
Must have Cisco IDS 3.0 or higher
shun 172.16.25.45 show shun
shun 172.16.25.45 192.168.0.10 4050 53
Discussion in the ATmosphere