PIX - Intrusion Detection and Shunning
Attack Guards
Mail Guard
Protects SMTP traffic to the inside mail server by allowing only 7 SMTP commands: HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT
See RFC 821 for more information
Default Mail Guard port is 25; use fixup to enable it on a different port
fixup protocol smtp 2525
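The allow-list above is easy to state but has one edge case a filter must handle: once DATA is accepted, the lines that follow are message body, not commands, so a naive command filter would reject any body line that does not start with one of the seven verbs. The model below is an added example, not PIX code; the "500" reply text and the assumption that the server always accepts DATA with 354 are mine, and the sample transcript is constructed.

```python
import re

# Mail Guard passes exactly these seven RFC 821 commands to the inside server.
ALLOWED_SMTP_COMMANDS = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}
REJECT_REPLY = "500 Syntax error, command unrecognized"   # assumed reply text


class MailGuard:
    """Minimal model of an SMTP command allow-list sitting in front of a mail server."""

    def __init__(self):
        self.in_data = False   # True while the client is transmitting message body

    def handle(self, client_line):
        """Process one line from the client.

        Returns (forward, reply): forward is the line to relay to the inside
        server (None if blocked); reply is what the guard answers on its own
        (None if the server will answer).
        """
        line = client_line.rstrip("\r\n")
        if self.in_data:
            # Body text is not command traffic: relay it untouched until the
            # end-of-data marker, even if a line happens to look like VRFY/EXPN.
            if line == ".":
                self.in_data = False
            return line, None
        m = re.match(r"^([A-Za-z]{4})(?:\s|$)", line)
        verb = m.group(1).upper() if m else None
        if verb not in ALLOWED_SMTP_COMMANDS:
            # EHLO, VRFY, EXPN, HELP, TURN, ... never reach the server.
            return None, REJECT_REPLY
        if verb == "DATA":
            self.in_data = True   # assumes the server accepts with 354
        return line, None


def audit_session(lines):
    """Return (line, forwarded?) decisions for a whole client transcript."""
    guard = MailGuard()
    return [(ln, guard.handle(ln)[0] is not None) for ln in lines]


# Constructed sample client transcript (not captured traffic).
SAMPLE_SESSION = [
    "HELO relay.example.test",
    "VRFY root",                        # blocked: not one of the seven
    "MAIL FROM:<alice@example.test>",
    "RCPT TO:<bob@example.test>",
    "DATA",
    "Subject: hello",                   # body line: relayed although not a command
    "EXPN staff",                       # still body text here, so relayed too
    ".",
    "EXPN staff",                       # a command again: blocked
    "QUIT",
]

if __name__ == "__main__":
    for line, forwarded in audit_session(SAMPLE_SESSION):
        print(f"{'relay ' if forwarded else 'block '} {line}")
```

Note that EHLO is rejected as well, which is exactly why hosts behind a Mail Guard of this kind fall back to plain SMTP without ESMTP extensions.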
Frag Guard and Virtual Reassembly
- Protects against IP fragmentation attacks
- Virtual reassembly reserves buffer space
- Reassembles all ICMP error messages; also reassembles IP fragments being routed through the PIX
- Syslog servers are notified of anomalies
- The fragment command is needed for NFS
fragment chain 1
fragment size 1
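To make the two limits concrete: "fragment chain" caps how many fragments one datagram may consist of, and "fragment size" caps how many datagrams may be waiting for reassembly at once. The tracker below is an added example written for these notes, not PIX code; the defaults of 24 and 200 are assumptions, and the fragments fed to it are constructed. It shows why "fragment chain 1" means that no fragmented datagram ever completes, and it drops overlapping fragments, which is the anomaly a syslog server would be told about.

```python
from dataclasses import dataclass


@dataclass
class Fragment:
    ident: int       # IP identification field, shared by all fragments of a datagram
    offset: int      # fragment offset in bytes (the IP header stores it in 8-byte units)
    payload: bytes
    more: bool       # MF flag: more fragments follow


class VirtualReassembler:
    """Model of fragment-chain tracking with chain/size limits and overlap checks.

    accept() returns "forward" (datagram complete or unfragmented), "hold"
    (waiting for the rest of the chain) or "drop", and appends a syslog-style
    line to self.log for every drop.
    """

    def __init__(self, chain_limit=24, size_limit=200):   # assumed defaults
        self.chain_limit = chain_limit   # max fragments per datagram
        self.size_limit = size_limit     # max datagrams awaiting reassembly
        self.pending = {}                # ident -> list of fragments seen so far
        self.log = []

    def _drop(self, ident, reason):
        self.pending.pop(ident, None)    # free the buffer space for this chain
        self.log.append(f"drop id={ident}: {reason}")
        return "drop"

    def accept(self, frag):
        if frag.offset == 0 and not frag.more:
            return "forward"             # unfragmented datagram, nothing to track
        chain = self.pending.get(frag.ident)
        if chain is None:
            if len(self.pending) >= self.size_limit:
                return self._drop(frag.ident, "reassembly database full")
            chain = self.pending[frag.ident] = []
        # Overlap check: a new fragment must not cover bytes already received.
        start, end = frag.offset, frag.offset + len(frag.payload)
        for f in chain:
            if start < f.offset + len(f.payload) and f.offset < end:
                return self._drop(frag.ident, "overlapping fragment")
        chain.append(frag)
        if len(chain) > self.chain_limit:
            return self._drop(frag.ident, f"chain exceeds {self.chain_limit} fragments")
        if self._complete(chain):
            del self.pending[frag.ident]
            return "forward"
        return "hold"

    @staticmethod
    def _complete(chain):
        """True when the fragments form a gapless run from offset 0 to a final (MF=0) piece."""
        chain = sorted(chain, key=lambda f: f.offset)
        if chain[0].offset != 0 or chain[-1].more:
            return False
        pos = 0
        for f in chain:
            if f.offset != pos:
                return False
            pos += len(f.payload)
        return True


if __name__ == "__main__":
    # Constructed fragments: a normal two-piece datagram, then the same with
    # "fragment chain 1" configured, as in the notes above.
    r = VirtualReassembler()
    print(r.accept(Fragment(1, 0, b"a" * 8, True)), r.accept(Fragment(1, 8, b"b" * 8, False)))
    strict = VirtualReassembler(chain_limit=1, size_limit=1)
    print(strict.accept(Fragment(2, 0, b"a" * 8, True)), strict.accept(Fragment(2, 8, b"b" * 8, False)))
    print(strict.log)
```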
FloodGuard
Reclaims AAA resources from connections in these states:
- TimeWait
- FinWait
- Embryonic
- Idle
floodguard enable
DoS Attack Protection
TCP Intercept in PIX 5.2 and later
TCP SYN Cookies in PIX 6.2 and later
- PIX responds directly to the SYN with a SYN/ACK whose TCP header carries a cookie
- No state information is stored yet
- A legitimate client completes the handshake by sending back an ACK that carries the cookie
- If the cookie is valid, PIX proxies the TCP session
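What makes this work is that the "cookie" is a value the firewall can recompute from the packet alone, so a half-open connection costs it no memory. The code below is an added illustration of that principle and not Cisco's implementation: the cookie construction (a keyed MAC over the 4-tuple plus a coarse time counter, 8 bits of counter and 24 bits of MAC packed into the ISN) is my assumption, real SYN cookies also encode the MSS, and the addresses used are constructed documentation-range samples.

```python
import hashlib
import hmac
import os

SECRET = os.urandom(16)      # per-device secret (rotated in practice)
COUNTER_PERIOD = 64          # seconds per time-counter tick


def _counter(now):
    return int(now // COUNTER_PERIOD) & 0xFF


def _mac(src, dst, sport, dport, counter):
    """24-bit keyed tag over the connection 4-tuple and the counter tick."""
    msg = f"{src}|{dst}|{sport}|{dport}|{counter}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src, dst, sport, dport, now):
    """ISN to place in the SYN/ACK: top 8 bits = time counter, low 24 bits = MAC."""
    c = _counter(now)
    return (c << 24) | _mac(src, dst, sport, dport, c)


def check_cookie(src, dst, sport, dport, ack, now):
    """Verify the client's final ACK. The client acknowledges ISN+1, so the cookie
    is ack-1. Only the current and the previous counter tick are accepted, which
    bounds how long a captured SYN/ACK stays replayable."""
    cookie = (ack - 1) & 0xFFFFFFFF
    c = cookie >> 24
    if c not in (_counter(now), (_counter(now) - 1) & 0xFF):
        return False
    expected = _mac(src, dst, sport, dport, c).to_bytes(3, "big")
    got = (cookie & 0xFFFFFF).to_bytes(3, "big")
    return hmac.compare_digest(expected, got)


class SynCookieProxy:
    """Models the firewall side: a SYN stores nothing; a connection-table entry
    appears only when a valid cookie comes back, and the session is then proxied."""

    def __init__(self):
        self.sessions = {}   # (src, sport, dst, dport) -> "proxied"

    def on_syn(self, src, sport, dst, dport, now):
        # Returned value goes into the SYN/ACK; no state is kept for it.
        return make_cookie(src, dst, sport, dport, now)

    def on_ack(self, src, sport, dst, dport, ack, now):
        if not check_cookie(src, dst, sport, dport, ack, now):
            return False     # forged or stale: discarded, still no state
        self.sessions[(src, sport, dst, dport)] = "proxied"
        return True


def simulate_flood(n, now=1_000_000.0):
    """n spoofed SYNs that never complete the handshake, then one real client.
    Returns the number of connection-table entries afterwards."""
    pix = SynCookieProxy()
    for i in range(n):   # constructed spoofed sources, never answer the SYN/ACK
        pix.on_syn(f"10.0.{i // 256}.{i % 256}", 40000 + i, "192.0.2.10", 80, now)
    isn = pix.on_syn("198.51.100.7", 4050, "192.0.2.10", 80, now)
    pix.on_ack("198.51.100.7", 4050, "192.0.2.10", 80, isn + 1, now + 1)
    return len(pix.sessions)


if __name__ == "__main__":
    print("connection-table entries after flood of 1000 + 1 real client:", simulate_flood(1000))
```

The same check is what a capture-and-replay of the SYN/ACK would run into: the ACK is only honoured while the counter tick is current or one behind, and only for the exact addresses and ports the MAC was computed over.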
Intrusion Detection Services
Detects reconnaissance, access, or denial-of-service attacks
Signatures: rule sets describing common, known intrusion activity; when traffic matches a signature, the configured response is generated
ip audit attack action alarm drop reset
ip audit info action alarm drop
ip audit name ATTCKPOL attack action alarm reset
ip audit interface outside ATTCKPOL
PIX Shunning
- An IDS sensing device, together with a PIX, can dynamically block a host
- Stops connection-generating activity from that host
- IDS devices tell the PIX to shun malicious traffic sources via the blocking function
- The shun command is not interface-specific
- Traffic from the shunned source is dropped regardless of whether the source resides inside or outside
- Requires Cisco IDS 3.0 or higher
shun 172.16.25.45
show shun
shun 172.16.25.45 192.168.0.10 4050 53