From: Brian Dennis (brian@5g.net)
Date: Thu Oct 24 2002 - 13:24:58 GMT-3
Sam,
There was a smiley face after that suggestion for a reason, but never
underestimate the stupidity of an end user. ;-)
On a serious note, if they are a hacker they won't admit it of course, but
if they are a legitimate user and they aren't really hacking the
website, they probably will come forward saying they can't get to that
website. It's possible that the admin for that website may be getting
false positives.
Lastly, if you have a lot of users going to that website, just logging who
is going may generate a lot of false leads. What you could try is asking
the admin of that website to give you more information about the attack
(URL, HTTP GET string, etc.) and you could use NBAR to find out who is
trying to hack that website.
Brian Dennis, CCIE #2210 (R&S/ISP Dial)
-----Original Message-----
From: Sam Munzani [mailto:sam@zealtron.com]
Sent: Thursday, October 24, 2002 8:55 AM
To: Brian Dennis; ccielab@groupstudy.com
Cc: cciesecurity@yahoogroups.com
Subject: Re: PIX Question
Brian,
Your first suggestion can be an option for ongoing investigation but not
the second. Whoever is using our network to hack somebody else will not
come forward and say, "I can't access that web site."
I am getting different ideas from everybody. After compiling all the
different ideas, we may come up with some kind of solution (may not be
the best one but better than nothing).
Thanks,
Sam
> If you have a router behind the PIX you can put an access-list in that
> will log when someone goes to that particular website.
>
> access-list 100 permit tcp any host 198.133.219.25 eq 80 log
> access-list 100 permit ip any any
>
> int fa0/0
> description Interface to PIX
> ip access-group 100 out
>
> Another option would be to just don't allow anyone to get to that
> website and see who complains. Let them come to you ;-)
>
> Brian Dennis, CCIE #2210 (R&S/ISP Dial)
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Sam Munzani
> Sent: Wednesday, October 23, 2002 12:43 PM
> To: ccielab@groupstudy.com
> Cc: cciesecurity@yahoogroups.com
> Subject: PIX Question
>
> Group,
>
> I have PIX setup with PAT, hiding 15000+ stations behind a few IPs. We
> are getting complaints from some web sites that somebody from our network
> tried to hack their server. Since it's PAT, all they can give us was the
> Date/Time when our IP tried to hack their server.
>
> Syslogging informational messages to a syslog server could give me
> enough data to trace this hacker in my internal network. However, for
> 25000+ connections it's a big overhead on the PIX and the syslog server.
>
> Does anybody have a better idea to trace it? Any ideas would be greatly
> appreciated.
>
> Thanks,
> Sam
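Both tracing approaches discussed in this thread (PIX syslog connection messages, and a router ACL with the `log` keyword behind the PIX) produce per-connection records that still have to be matched against the date/time the remote admin reported, and then sifted for the one host that stands out from ordinary browsers. The script below is an added example, not code from anyone in the thread. It assumes the PIX 6.3-style `%PIX-6-302013 Built outbound TCP connection` message format and the IOS `%SEC-6-IPACCESSLOGP` format, assumes the year 2002 for the syslog stamps (syslog omits the year), and the log lines, addresses, and the names `SAMPLE_LOG` and `trace_inside_hosts` are all constructed for the example.

```python
"""Trace a PAT'd outbound connection back to the inside host.

Added example (not from the original thread). Correlates two log sources
the thread mentions: PIX "Built outbound TCP connection" syslog messages
(ID 302013, PIX 6.3 format assumed) and IOS ACL "log" hits
(%SEC-6-IPACCESSLOGP) from a router behind the PIX. All log lines below
are constructed sample data, not real traffic.
"""
import re
from collections import Counter
from datetime import datetime

# Leading syslog timestamp, e.g. "Oct 23 12:41:07". Syslog carries no year,
# so the caller supplies one (assumed 2002 here, matching the thread).
TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})")

# PIX 6.3: Built outbound TCP connection <id> for
#   <oif>:<real_dst>/<port> (<mapped_dst>/<port>) to
#   <iif>:<real_src>/<port> (<mapped_src>/<port>)
# The inside (pre-PAT) address is the "to" side; the mapped pair after it
# is the PAT address/port the remote admin actually saw.
PIX_RE = re.compile(
    r"%PIX-6-302013: Built outbound TCP connection \d+ for "
    r"\w+:(?P<dst>\d+\.\d+\.\d+\.\d+)/(?P<dport>\d+) \(\S+\) to "
    r"\w+:(?P<src>\d+\.\d+\.\d+\.\d+)/(?P<sport>\d+) \((?P<pat>\S+)\)"
)

# IOS ACE hit with "log": list <n> permitted tcp <src>(<sport>) -> <dst>(<dport>), N packet(s)
IOS_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list \S+ (?:permitted|denied) tcp "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\)"
)


def parse_ts(text, year):
    """Parse a syslog 'Mon dd HH:MM:SS' stamp with an assumed year."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def parse_line(line, year):
    """Return (timestamp, inside_src, dst, dport, source_tag) or None."""
    t = TS_RE.match(line)
    if not t:
        return None
    for tag, rx in (("pix", PIX_RE), ("ios", IOS_RE)):
        m = rx.search(line)
        if m:
            return (parse_ts(t.group("ts"), year), m.group("src"),
                    m.group("dst"), int(m.group("dport")), tag)
    return None


def trace_inside_hosts(lines, target_ip, start, end, year=2002, dport=80):
    """Count connections per inside host to target_ip within [start, end].

    start/end are syslog-style stamps ("Oct 23 12:40:00"), i.e. the
    date/time the remote admin reported. Returns [(inside_ip, count), ...],
    busiest first, so one host opening many connections in a short window
    stands out from ordinary visitors (the false-lead concern in the thread).
    """
    lo, hi = parse_ts(start, year), parse_ts(end, year)
    hits = Counter()
    for line in lines:
        rec = parse_line(line, year)
        if rec is None:
            continue
        ts, src, dst, port, _tag = rec
        if dst == target_ip and port == dport and lo <= ts <= hi:
            hits[src] += 1
    return hits.most_common()


# Constructed sample syslog lines (not real). 10.20.5.77 hammers the target
# inside the reported window; 10.20.9.12 is one ordinary visit; the rest are
# outside the window or to a different destination.
SAMPLE_LOG = """\
Oct 23 12:30:02 pix %PIX-6-302013: Built outbound TCP connection 8701 for outside:198.133.219.25/80 (198.133.219.25/80) to inside:10.20.1.5/2210 (203.0.113.9/1011)
Oct 23 12:41:07 pix %PIX-6-302013: Built outbound TCP connection 8812 for outside:198.133.219.25/80 (198.133.219.25/80) to inside:10.20.5.77/3301 (203.0.113.9/1034)
Oct 23 12:41:07 pix %PIX-6-302013: Built outbound TCP connection 8813 for outside:198.133.219.25/80 (198.133.219.25/80) to inside:10.20.5.77/3302 (203.0.113.9/1035)
Oct 23 12:41:08 pix %PIX-6-302013: Built outbound TCP connection 8814 for outside:198.133.219.25/80 (198.133.219.25/80) to inside:10.20.5.77/3303 (203.0.113.9/1036)
Oct 23 12:41:08 pix %PIX-6-302013: Built outbound TCP connection 8815 for outside:198.133.219.25/80 (198.133.219.25/80) to inside:10.20.5.77/3304 (203.0.113.9/1037)
Oct 23 12:41:15 pix %PIX-6-302013: Built outbound TCP connection 8820 for outside:198.133.219.25/80 (198.133.219.25/80) to inside:10.20.9.12/1120 (203.0.113.9/1040)
Oct 23 12:41:20 pix %PIX-6-302013: Built outbound TCP connection 8821 for outside:192.0.2.10/80 (192.0.2.10/80) to inside:10.20.5.77/3305 (203.0.113.9/1041)
Oct 23 12:41:21 rtr %SEC-6-IPACCESSLOGP: list 100 permitted tcp 10.20.5.77(3306) -> 198.133.219.25(80), 1 packet
Oct 23 12:55:40 pix %PIX-6-302013: Built outbound TCP connection 9001 for outside:198.133.219.25/80 (198.133.219.25/80) to inside:10.20.3.3/4400 (203.0.113.9/1100)
""".splitlines()

if __name__ == "__main__":
    # Window = the Date/Time the remote admin reported, widened a few minutes.
    for host, n in trace_inside_hosts(SAMPLE_LOG, "198.133.219.25",
                                      "Oct 23 12:40:00", "Oct 23 12:45:00"):
        print(f"{host:15s} {n} connection(s)")
```

The window and per-host count are what make the result useful: with thousands of users behind the PAT address, a bare list of everyone who touched the site is the "lot of false leads" problem above, whereas one inside address opening many connections within the reported minute is worth a visit. Narrowing the PIX logging (e.g. an ACE with `log` on the router for just that destination, as in the quoted config) keeps the volume far below logging every one of the 25000+ connections.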
This archive was generated by hypermail 2.1.4 : Tue Nov 05 2002 - 08:35:56 GMT-3