{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreibvr2h6x3ut5ir5hch2l63l5cqlit5nj5ppgejezvt5c5zlqzaxfi",
    "uri": "at://did:plc:wnit4jb553jiwptxnj5srnmr/app.bsky.feed.post/3medyosf45q32"
  },
  "coverImage": {
    "$type": "blob",
    "ref": {
      "$link": "bafkreihuqqudh4fz4xr3gfhua5xuxfoasdzk6smucosxoycxjlscruq7ty"
    },
    "mimeType": "image/jpeg",
    "size": 25492
  },
  "description": "Intrusion Detection features on PIX Firewall",
  "path": "/pix-intrusion-detection-and-shunning/",
  "publishedAt": "2026-02-08T12:30:10.000Z",
  "site": "https://cg1network.com",
  "textContent": "## Attack Guards\n\n### Mail Guard\n\nProtects SMTP traffic to the inside mail server by only allowing 7 SMTP commands: HELO,MAIL,RCPT,DATA,RSET,NOOP, and QUIT\n\nRFC 821 for more information\n\nDefault mail guard port is 25; use fixup to enable on a different port\n\n\n    fixup protocol smtp 2525\n\n\n### Frag Guard and Virtual Reassembly\n\n  * Protects against IP fragmentation\n  * Virtual reassembly reserves buffer space\n  * reassembles all ICMP error messages, also reassembles IP fragments being routed\n  * syslog servers are notified of anomalies\n  * Fragment command needed for NFS\n\n\n\n\n    fragment chain 1\n    fragment size 1\n\n\n### FloodGuard\n\nRelaims AAA resources\n\n  1. Timewait\n  2. FinWait\n  3. Embyonic\n  4. Idle\n\n\n\n\n    floodguard enable\n\n\n### DOS Attacks Protection\n\nTCP Intercept in PIX 5.2+\n\nTCP SYN Cookies in PIX 6.2+\n\n  1. PIX responds directly to SYN by including a cookie in the TCP header of SYN/ACK\n  2. No state information is stored yet\n  3. Legit client completed handshake by sending ACK back with the cookie\n  4. If vaild cookie, PIX proxies the TCP session\n\n\n\n## Intrusion Detection Services\n\nReconnaissance, Access, or Denial of Service attacks\n\nSignatures - rule sets that relate to common, known intrusion activity that upon matching generate responses\n\nPIX Common IDS Signatures\n\n\n    ip audit attack action alarm drop reset\n    ip audit info action alarm drop\n\n    ip audit name ATTCKPOL attack action alarm reset\n    ip audit interface ouside ATTCKPOL\n\n\n## PIX Shunning\n\n  * IDS sensing device, together with a PIX, can dynamically block a host\n  * Stops connection-generating activities\n  * IDS devices tell PIX to shun malicious traffic sources via the blocking function\n  * Shun command is not interface-specific\n  * Traffic from source is dropped regardless, can reside inside or outside\n  * Must have Cisco IDS 3.0 or higher\n\n\n\n\n    shun 172.16.25.45\n    show shun\n\n    shun 172.16.25.45 192.168.0.10 4050 53\n",
  "title": "PIX - Intrusion Detection and Shunning",
  "updatedAt": "2026-02-08T12:30:10.000Z"
}