
Ids + Pix ..

tco

2002-07-12, 12:41 pm

Dear All..

I heard someone say that a firewall (like Netscreen) can work with an IDS (ISS or Snort), so the firewall will dynamically deny the source IP to prevent the attack. Does anyone have experience with it, or know how they work together?

By the way, can Cisco's IDS + PIX do it?


thanks..
MadChef

2002-07-13, 5:41 am

quote:
Originally posted by tco
Dear All..

I heard someone say that a firewall (like Netscreen) can work with an IDS (ISS or Snort), so the firewall will dynamically deny the source IP to prevent the attack. Does anyone have experience with it?
By the way, can Cisco's IDS + PIX do it?



This is called shunning or blocking. You can do it with snort using the third party tool guardian. ISS can do it with a number of firewalls. Cisco IDS can do it with Pix and IOS, if I remember correctly.
I've met very few people who actually do this in production. It takes very precise tuning and mostly serves as a fun way to DoS your network.

MadChef
tco

2002-07-23, 12:07 pm

Mmm.. If we only check the log or receive the alert message from the IDS, which has matched some attack signatures, the damage may already have occurred. The only thing I can do then is restore the system or execute the disaster recovery plan. I think the IDS should not only detect the bad guys but also block them immediately. That's the value of IDS, I think.



quote:
Originally posted by MadChef


This is called shunning or blocking. You can do it with snort using the third party tool guardian. ISS can do it with a number of firewalls. Cisco IDS can do it with Pix and IOS, if I remember correctly.
I've met very few people who actually do this in production. It takes very precise tuning and mostly serves as a fun way to DoS your network.

MadChef

MadChef

2002-07-24, 5:21 am

quote:
Originally posted by tco
That's the value of IDS I think.



If you've got the time to do it right, then go ahead by all means. You have to keep in mind that you have to tune your IDS well enough to eliminate false positives. On a network of any size this can take months. That should be done anyway, but I guess most people aren't comfortable enough with it to take the risk of blocking good traffic.

Good luck. I'd be interested to know what IDS you select and how your progress goes.

MadChef
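The tuning concern MadChef raises, as an added example that is not from the thread: a small Python simulation of an IDS-driven shun policy with the safeguards that keep automatic blocking from becoming a self-inflicted DoS (trusted networks are never shunned, a hit threshold must be reached inside a time window, and every shun expires). The alert lines, addresses and thresholds are constructed for the example; the `shun <ip>` action string only mirrors the PIX shun keyword, and nothing is sent to any device.

```python
import ipaddress
from collections import defaultdict, deque

# Constructed sample alerts: (epoch seconds, source IP, signature name)
SAMPLE_ALERTS = [
    (1000, "203.0.113.7",  "WEB-IIS cmd.exe access"),
    (1005, "10.1.1.5",     "WEB-IIS cmd.exe access"),  # internal scanner, trusted net
    (1010, "203.0.113.7",  "WEB-IIS cmd.exe access"),
    (1020, "203.0.113.7",  "WEB-IIS cmd.exe access"),  # 3rd hit inside window -> shun
    (1025, "203.0.113.7",  "WEB-IIS cmd.exe access"),  # already shunned, no new action
    (1030, "198.51.100.9", "ICMP PING NMAP"),
    (1200, "198.51.100.9", "ICMP PING NMAP"),          # outside the 60 s window, count resets
    (1250, "198.51.100.9", "ICMP PING NMAP"),          # still below threshold
]

class ShunPolicy:
    """Decide whether an IDS alert should turn into a firewall shun."""

    def __init__(self, trusted, threshold=3, window=60, ttl=900):
        self.trusted = [ipaddress.ip_network(n) for n in trusted]  # never shun these
        self.threshold, self.window, self.ttl = threshold, window, ttl
        self.hits = defaultdict(deque)   # src -> timestamps of recent alerts
        self.shunned = {}                # src -> time the shun expires

    def observe(self, ts, src, sig):
        """Return the action taken for one alert (a string, for easy auditing)."""
        ip = ipaddress.ip_address(src)
        if any(ip in net for net in self.trusted):
            return "ignore-trusted"
        if src in self.shunned and ts < self.shunned[src]:
            return "already-shunned"
        recent = self.hits[src]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:   # drop hits older than the window
            recent.popleft()
        if len(recent) >= self.threshold:
            self.shunned[src] = ts + self.ttl            # time-bounded, not permanent
            recent.clear()
            return f"shun {src}"
        return "count"

def run(alerts, policy=None):
    """Feed alerts through the policy in order and return the action per alert."""
    policy = policy or ShunPolicy(trusted=["10.0.0.0/8"])
    return [policy.observe(*alert) for alert in alerts]
```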
Copyright 2003 - 2008 examnotes.net