Block IP address
Posted by J1C on May 25th, 2005


Is there an 'easy' way to block IP addresses from accessing anything
behind the PIX? Some of my web sites are getting numerous hack attempts
and I would like to block those right from the firewall rather than the
webserver whenever the IDS sends an alert.

Posted by Walter Roberson on May 25th, 2005


In article <1117046674.604980.101570@g44g2000cwa.googlegroups.com>,
J1C <just1coder@yahoo.ca> wrote:
:Is there an 'easy' way to block IP addresses from accessing anything
:behind the PIX? Some of my web sites are getting numerous hack attempts
:and I would like to block those right from the firewall rather than the
:webserver whenever the IDS sends an alert.

If you want it automated in connection with an IDS, you may wish
to configure your IDS to use the PIX 'shun' command.

If you have PIX 6.2 or later, then you can edit access lists in
place. Supposing your outside ACL is out2in and the attacking
IP is X.Y.Z.W then you can

access-list out2in line 1 deny ip host X.Y.Z.W any

and that will insert the ban at the top of the access list
without you having to know anything about what else is in the ACL.


Note: 'shun' commands are NOT saved when you save the configuration.
ACL changes -are- saved when you save the configuration.
--
Oh, to be a Blobel!

Posted by J1C on May 26th, 2005


Great - thanks!

I'll have to check out that SHUN command a little more ... that would
be ideal to tie the PIX into the IDS

Posted by arturo.servin on May 26th, 2005


About the shun command.

If it is configured for an offending host, will the PIX block all the
traffic to the offended host when the IDS (of the PIX) detects some
strange behaviour, or will it always filter the traffic specified in the
shun command no matter whether the IDS detects something?

-as

Posted by Walter Roberson on May 26th, 2005


In article <1117142458.407877.302060@f14g2000cwb.googlegroups.com>,
arturo.servin <arturo.servin@gmail.com> wrote:
:About the shun command.

:If it is configured for an offending host, will the PIX block all the
:traffic to the offended host when the IDS (of the PIX) detects some
:strange behaviour, or will it always filter the traffic specified in the
:shun command no matter whether the IDS detects something?

shun is unconditional: all traffic to and from the designated
host is -immediately- stopped (whereas an access-list change would
only deal with -new- attempts.)

The idea is that when the IDS detects monkey business, it tells
the PIX to shun the host, and it leaves it shunned until the IDS
policies deem it safe to open up again (e.g. if the policy is
a 10 minute block, then 10 minutes later the IDS would tell the PIX
to stop shunning the host.)


If you do use shun, here's something to watch out for: each
time the shunned system attempts to communicate, a log message
is generated. If your log level and configuration so permit, that
log message will be sent to your syslog server. The load
generated by the log message may be more than the load generated
by the attacking host itself. Thus, depending on your needs,
you might wish to specifically disable the shun log message.
--
"This was a Golden Age, a time of high adventure, rich living and
hard dying... but nobody thought so." -- Alfred Bester, TSMD
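The two replies above describe two different blocking mechanisms: an ACL entry inserted at line 1 (saved with the configuration, affects new connections only) and a 'shun' (immediate, unconditional, not saved, and cleared again by the IDS when its block window expires). The script below is an added example, not code from the thread or from Cisco; it turns constructed IDS alert lines into the PIX commands discussed here and keeps the expiry bookkeeping an IDS integration would need. The 'shun', 'no shun' and 'access-list ... line 1 deny' forms are the ones named in the thread; the 'no access-list ... deny' form for removing an ACE, the ACL name out2in, the ten-minute window and the protected address ranges are assumptions for illustration. Nothing here talks to a firewall; it only produces the command strings.

```python
import ipaddress
from datetime import datetime, timedelta

ACL_NAME = "out2in"                   # outside ACL name used in the thread
BLOCK_WINDOW = timedelta(minutes=10)  # the example block policy from the thread

# Address space a blocking automation must never touch: RFC 1918 plus our own
# public ranges (constructed example ranges; substitute your own).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]


def validate_offender(ip_text):
    """Turn a string taken from an IDS alert into an IPv4Address, refusing
    anything that would cut off our own hosts or unroutable space."""
    ip = ipaddress.ip_address(ip_text.strip())  # ValueError on garbage
    if ip.version != 4:                          # PIX shun/ACL here is IPv4 only
        raise ValueError("not an IPv4 address: %s" % ip)
    if ip.is_loopback or ip.is_multicast or ip.is_unspecified:
        raise ValueError("refusing to block non-routable address %s" % ip)
    if any(ip in net for net in RFC1918 + NEVER_BLOCK):
        raise ValueError("refusing to block protected address %s" % ip)
    return ip


def acl_insert_command(ip_text):
    """Permanent ban, inserted at line 1 so it precedes whatever the ACL
    already contains; saved with the config, but affects new connections only."""
    return "access-list %s line 1 deny ip host %s any" % (ACL_NAME, validate_offender(ip_text))


def acl_remove_command(ip_text):
    """Assumed 'no access-list' form for removing the ACE again."""
    return "no access-list %s deny ip host %s any" % (ACL_NAME, validate_offender(ip_text))


class ShunTable:
    """Tracks temporary shuns and when each one should be lifted."""

    def __init__(self):
        self._expires = {}  # IPv4Address -> datetime when the shun ends

    def block(self, ip_text, now):
        ip = validate_offender(ip_text)
        self._expires[ip] = now + BLOCK_WINDOW  # a repeat alert extends the window
        return "shun %s" % ip

    def expire(self, now):
        """Return the 'no shun' commands for every host whose window has ended."""
        done = sorted(ip for ip, until in self._expires.items() if until <= now)
        for ip in done:
            del self._expires[ip]
        return ["no shun %s" % ip for ip in done]

    def active(self):
        return sorted(str(ip) for ip in self._expires)


def commands_for_alerts(alert_lines, now):
    """Process constructed alert lines 'YYYY-MM-DDTHH:MM:SS <src_ip> <signature>'.
    Returns (commands to send, alerts skipped with reasons, the shun table)."""
    table, commands, skipped = ShunTable(), [], []
    for line in alert_lines:
        try:
            stamp, src, _signature = line.split(None, 2)
            commands.append(table.block(src, datetime.fromisoformat(stamp)))
        except ValueError as err:  # bad timestamp, bad address, or protected host
            skipped.append((line, str(err)))
    commands.extend(table.expire(now))
    return commands, skipped, table


# Constructed sample alerts (TEST-NET addresses, not real attackers).
SAMPLE_ALERTS = [
    "2005-05-25T10:00:00 203.0.113.7 WEB-IIS cmd.exe access",
    "2005-05-25T10:04:00 203.0.113.7 WEB-IIS cmd.exe access",      # repeat extends window
    "2005-05-25T10:05:00 203.0.113.250 WEB-ATTACKS /etc/passwd",
    "2005-05-25T10:06:00 192.0.2.10 WEB-IIS cmd.exe access",        # our own server: refused
    "2005-05-25T10:06:30 10.1.2.3 WEB-IIS cmd.exe access",          # RFC 1918: refused
    "2005-05-25T10:07:00 not-an-ip WEB-IIS cmd.exe access",         # garbage: refused
]

if __name__ == "__main__":
    cmds, skipped, table = commands_for_alerts(SAMPLE_ALERTS, datetime(2005, 5, 25, 10, 14, 30))
    print("\n".join(cmds))
    for line, why in skipped:
        print("skipped %r: %s" % (line, why))
    print("still shunned:", table.active())
```

Run as-is, the script emits the two shuns, the repeat shun, and a 'no shun' for the first host whose ten minutes ran out at 10:14, while the second host stays shunned; the three unusable alerts are reported rather than turned into commands, which is the check worth having before any alert is allowed to drive a firewall.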

Posted by J1C on June 15th, 2005


What IDS' can create a SHUN entry on a PIX?

Posted by Walter Roberson on June 15th, 2005


In article <1118843316.093979.123330@z14g2000cwz.googlegroups.com>,
J1C <just1coder@yahoo.ca> wrote:
:What IDS' can create a SHUN entry on a PIX?


http://www.cisco.com/en/US/products/...8025c533.shtml

http://www.cisco.com/en/US/products/...0800b4744.html

http://www.cisco.com/en/US/products/...145270.shtml
--
"Who Leads?" / "The men who must... driven men, compelled men."
"Freak men."
"You're all freaks, sir. But you always have been freaks.
Life is a freak. That's its hope and glory." -- Alfred Bester, TSMD

Posted by J1C on June 15th, 2005


thanks!