[c-nsp] Automatic responses from events in a PIX

Church, Charles cchurc05 at harris.com
Tue Oct 16 00:23:13 EDT 2007


I don't think a PIX can do it by itself, but if a Cisco IDS detects the
intrusion, the IDS can direct the PIX to drop connections based on
address, and other things.  Haven't done it personally, but I think
that's how it worked.  The newer ASAs with the IPS module built in can
most likely do the same thing.

Chuck

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Justin Shore
Sent: Tuesday, October 16, 2007 12:07 AM
To: 'Cisco-nsp'
Subject: [c-nsp] Automatic responses from events in a PIX

I have a user who claims that they've configured their PIX to take an
action after it sees a certain number of rogue packets (i.e., a port
scan).  They claim that it's configured to stop all traffic after it
sees 70 rogue packets from any one given IP.

In my years of administrating PIXs I don't recall ever coming across a
reactionary feature such as this.  I haven't read about it in any of my
PIX books either, not even a warning on just how extremely risky a
feature it is.  Every reactionary software package I've ever used
(Portsentry, Fail2ban, etc.) has always warned about the risk of
reacting in such a way so as to effectively DoS yourself.  That seems to
be exactly what this feature would allow a user to do; set themselves up
to be easily DoSed.  The user also says they have a Sonicwall in
production but that this feature is on the PIX and not the Sonicwall.  I
can't confirm this though since I have no knowledge of their design.

Has anyone else come across a feature like this?

Thanks
  Justin

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
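The self-DoS risk Justin raises (and the IDS-driven shunning Chuck describes) in working form, as an added example that is not part of the original thread and is not Cisco's or either poster's code. It models a "block a source after N rogue packets" rule like the one the user claims to have, then shows how an attacker who forges the source address of a host you depend on can get that host blocked, and how an exemption list limits the damage. The addresses, the 600-second expiry and the ReactiveBlocker class are all constructed for illustration; the `shun` / `no shun` command strings it emits follow the PIX syntax, but the PIX keeps a shun until it is explicitly removed, so any timeout has to come from whatever drives it (the IDS, in Chuck's description).

```python
"""Threshold-based reactive blocking and why it can be turned against you.

Constructed example: not from the PIX, Cisco IDS, or anyone on the list.
Models a rule 'block all traffic from a source after N rogue packets'.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class ReactiveBlocker:
    threshold: int = 70                 # rogue packets before the source is blocked
    block_seconds: int = 600            # hypothetical expiry applied by the controller
    never_block: set = field(default_factory=set)   # hosts that must never be shunned
    counts: dict = field(default_factory=lambda: defaultdict(int))
    blocked: dict = field(default_factory=dict)     # src -> time the block expires
    commands: list = field(default_factory=list)    # PIX commands this would issue

    def is_blocked(self, src, now):
        """True while a block for src is in force; expires and clears it otherwise."""
        until = self.blocked.get(src)
        if until is None:
            return False
        if now >= until:
            del self.blocked[src]
            self.counts[src] = 0
            self.commands.append(f"no shun {src}")   # PIX syntax to remove a shun
            return False
        return True

    def observe(self, src, is_rogue, now):
        """Process one packet from src at time now; return True if it is dropped."""
        if self.is_blocked(src, now):
            return True
        if not is_rogue:
            return False
        self.counts[src] += 1
        if self.counts[src] >= self.threshold and src not in self.never_block:
            self.blocked[src] = now + self.block_seconds
            self.commands.append(f"shun {src}")      # PIX syntax to drop all traffic from src
            return True
        return False


def run_scenario(protect_upstream):
    """Attacker forges the upstream DNS server's address on a port scan.

    Returns True if a genuine reply from the DNS server still gets through
    after the scan, False if the blocker has shut the server out.
    """
    dns_server = "192.0.2.53"          # constructed address (RFC 5737 documentation range)
    exempt = {dns_server} if protect_upstream else set()
    blocker = ReactiveBlocker(never_block=exempt)

    # 70 SYNs to closed ports with the source forged to the DNS server's address.
    # The attacker never needs to receive a reply, so spoofing costs nothing.
    for t in range(70):
        blocker.observe(dns_server, is_rogue=True, now=t)

    # A real DNS reply from the server a little later.
    dropped = blocker.observe(dns_server, is_rogue=False, now=100)
    return not dropped


def block_expires(block_seconds=600):
    """Show that a time-limited block lifts on its own; returns (during, after)."""
    scanner = "198.51.100.7"           # constructed attacker address (RFC 5737)
    blocker = ReactiveBlocker(threshold=3, block_seconds=block_seconds)
    for t in range(3):
        blocker.observe(scanner, is_rogue=True, now=t)
    during = blocker.observe(scanner, is_rogue=False, now=10)
    after = blocker.observe(scanner, is_rogue=False, now=10 + block_seconds)
    return during, after


if __name__ == "__main__":
    print("DNS still reachable, no exemptions:  ", run_scenario(False))
    print("DNS still reachable, with exemptions:", run_scenario(True))
    print("dropped during block / after expiry: ", block_expires())
```

The point the thread makes is visible in `run_scenario(False)`: nothing in the 70 forged packets required the attacker to own 192.0.2.53, so the threshold rule does the attacker's work for them. An exemption list for infrastructure you cannot afford to lose (resolvers, default gateway, monitoring, your own management hosts) and a bounded block lifetime are the two controls packages like Fail2ban and Portsentry document for exactly this reason; on a PIX the second one must be supplied by the controller, since a shun stays until `no shun` or `clear shun` is issued.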