RE: PIX Question

From: Andrew Bratchell (a.bratchell@caeuk.com)
Date: Thu Oct 24 2002 - 13:55:37 GMT-3


Sam,

If I were in your shoes I would set up an IDS device just behind the firewall (you would need to set up port mirroring to capture all the appropriate traffic, i.e. everything that comes in and out of the switch port that connects the inside interface of your firewall). That way you can see what hacks, if any, are being run internally and also if any hacks are getting through your firewall into your internal LAN.

I would use Snort to do the job (www.snort.org), which is based around a UNIX platform.
Snort has also been ported to Windows; you can download code and install instructions from www.Silicondefense.com. You can get it up and running in minutes.

A third alternative would be to install an IDS as an inline scrubber, either directly in front of or behind the firewall. Either way all traffic passes through the scrubber because you directly connect it to the firewall via a crossover cable.
This method means that you don't need to worry about port mirroring.
But the scrubber must have enough horsepower to cope with all the traffic that directly passes through it.
A variant of Snort called Hogwash works in this manner, but as far as I'm aware is UNIX only.
I don't know if you have played with IDS technology, but it is powerful stuff.
If someone is hacking from inside your network, unless they are an experienced hacker and know and fully understand anti-IDS evasion techniques, this product should catch them.

If you are using PAT, it would make sense to install the IDS behind the firewall.

Thanks
Andy
 

-----Original Message-----
From: Brian Dennis [mailto:brian@5g.net]
Sent: 24 October 2002 17:25
To: 'Sam Munzani'; ccielab@groupstudy.com
Cc: cciesecurity@yahoogroups.com
Subject: RE: PIX Question

Sam,
There was a smiley face after that suggestion for a reason, but never
underestimate the stupidity of an end user. ;-)

On a serious note if they are a hacker they won't admit it of course but
if they are a legitimate user and they aren't really hacking the
website, they probably will come forward saying they can't get to that
website. It's possible that the admin for that website may be getting
false positives.

Lastly if you have a lot of users going to that website just logging who
is going may generate a lot of false leads. What you could try is ask
the admin of that website to give you more information about the attack
(URL, HTTP GET string, etc) and you could use NBAR to find out who is
trying to hack that website.

Brian Dennis, CCIE #2210 (R&S/ISP Dial)

-----Original Message-----
From: Sam Munzani [mailto:sam@zealtron.com]
Sent: Thursday, October 24, 2002 8:55 AM
To: Brian Dennis; ccielab@groupstudy.com
Cc: cciesecurity@yahoogroups.com
Subject: Re: PIX Question

Brian,

Your first suggestion can be an option for ongoing investigation but not
the second. Whoever is using our network to hack somebody else will not
come forward and say, "I can't access that web site."

I am getting different ideas from everybody. After compiling all the
different ideas, we may come up with some kind of solution (may not be
the best one, but better than nothing).

Thanks,
Sam

> If you have a router behind the PIX you can put an access-list in that
> will log when someone goes to that particular website.
>
> access-list 100 permit tcp any host 198.133.219.25 eq 80 log
> access-list 100 permit ip any any
>
> int fa0/0
> description Interface to PIX
> ip access-group 100 out
>
> Another option would be to just don't allow anyone to get to that
> website and see who complains. Let them come to you ;-)
>
> Brian Dennis, CCIE #2210 (R&S/ISP Dial)
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Sam Munzani
> Sent: Wednesday, October 23, 2002 12:43 PM
> To: ccielab@groupstudy.com
> Cc: cciesecurity@yahoogroups.com
> Subject: PIX Question
>
> Group,
>
> I have PIX set up with PAT, hiding 15000+ stations behind a few IPs. We
> are getting complaints from some web sites that somebody from our network
> tried to hack their server. Since it's PAT, all they can give us is the
> date/time when our IP tried to hack their server.
>
> Syslogging informational messages to a syslog server could give me enough
> data to trace this hacker in my internal network. However, for 25000+
> connections it's a big overhead on the PIX and the syslog server.
>
> Does anybody have a better idea to trace it? Any ideas would be greatly
> appreciated.
>
> Thanks,
> Sam

**********************************************************************
Disclaimer
This email is confidential and intended solely for the use of
the individual to whom it is addressed. Any views or opinions
presented are solely those of the author and do not necessarily
represent those of CAE Office Systems. If you are not the
intended recipient, be advised that you have received this
email in error, and that any use, dissemination, forwarding,
printing or copying of this email is strictly prohibited. If you
received this email in error, please contact Lee Gatland on
+44 (0) 1923 477600
**********************************************************************



This archive was generated by hypermail 2.1.4 : Tue Nov 05 2002 - 08:35:56 GMT-3