From: Sam Munzani (sam@munzani.com)
Date: Fri Oct 25 2002 - 11:44:48 GMT-3
Sounds good but the volume will be a killer. Imagine supporting 20000+ users and logging all denied traffic.
I got packet sniffing ideas from somebody but that would be way too much traffic to capture. PIX outside interface is serving 70Mbps traffic right now. I don't think Sniffer can scale well in this environment either.
I think we will end up relying on Web Sense for all denied HTTP URLs and PIX syslog for all Denied traffic.
Thanks,
Sam
> Sam,
>
> What about using a "DENY any any log" at the end?
> Then check the log to see who is denied? BUT do not
> deny everybody...you still allow those already set to
> be allowed.
>
> Loizos
>
> --- Sam Munzani <sam@zealtron.com> wrote:
> > Brian,
> >
> > Your first suggestion can be an option for ongoing
> > investigation but not the second. Whoever is using
> > our network to hack somebody else will not come
> > forward and say, "I can't access that web site."
> >
> > I am getting different ideas from everybody. After
> > compiling all different ideas, we may come up with
> > some kind of solution(May not be the best one but
> > better than nothing).
> >
> > Thanks,
> > Sam
> >
> > > If you have a router behind the PIX you can put an access-list in that
> > > will log when someone goes to that particular website.
> > >
> > > access-list 100 permit tcp any host 198.133.219.25 eq 80 log
> > > access-list 100 permit ip any any
> > >
> > > int fa0/0
> > > description Interface to PIX
> > > ip access-group 100 out
> > >
> > > Another option would be to just not allow anyone to get to that
> > > website and see who complains. Let them come to you ;-)
> > >
> > > Brian Dennis, CCIE #2210 (R&S/ISP Dial)
> > >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > Sam Munzani
> > > Sent: Wednesday, October 23, 2002 12:43 PM
> > > To: ccielab@groupstudy.com
> > > Cc: cciesecurity@yahoogroups.com
> > > Subject: PIX Question
> > >
> > > Group,
> > >
> > > I have PIX setup with PAT. Hiding 15000+ stations behind a few IPs. We
> > > are getting complaints from some web sites that somebody from our network
> > > tried to hack their server. Since it's PAT, all they can give us was
> > > Date/Time when our IP tried to hack their server.
> > >
> > > Syslogging Informational messages to a syslog server could give me enough
> > > data to trace this hacker in my internal network. However for 25000+
> > > connections it's a big overhead on PIX and syslog server.
> > >
> > > Does anybody have a better idea to trace it? Any ideas would be greatly
> > > appreciated.
> > >
> > > Thanks,
> > > Sam
>
>
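The trace Sam is after (a remote site reports only the PAT address and a date/time, and the PIX connection syslog is used to map that back to the inside station) as an added example; this is not code from the thread, from Cisco, or from any poster. It assumes syslog lines in the PIX/ASA 302013 "Built TCP connection" layout with the usual syslog-server timestamp prefix, and every sample line, address and connection number below is constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample syslog lines (not from the thread). They follow the PIX/ASA
# 302013 "Built ... TCP connection" message layout, which is an assumption here:
#   Built outbound TCP connection <id> for <if>:<remote>/<port> (<remote>/<port>)
#       to <if>:<inside>/<port> (<pat-address>/<pat-port>)
# The leading date/time is what a syslog server typically stamps on receipt.
SAMPLE_SYSLOG = """\
Oct 23 2002 12:40:01 pix %PIX-6-302013: Built outbound TCP connection 4501 for outside:198.133.219.25/80 (198.133.219.25/80) to inside:10.1.7.22/3344 (192.0.2.10/41011)
Oct 23 2002 12:40:03 pix %PIX-6-302013: Built outbound TCP connection 4502 for outside:203.0.113.9/80 (203.0.113.9/80) to inside:10.1.9.5/1120 (192.0.2.10/41012)
Oct 23 2002 12:41:17 pix %PIX-6-302013: Built outbound TCP connection 4510 for outside:198.133.219.25/80 (198.133.219.25/80) to inside:10.1.7.22/3351 (192.0.2.10/41020)
Oct 23 2002 12:41:20 pix %PIX-6-302014: Teardown TCP connection 4501 for outside:198.133.219.25/80 to inside:10.1.7.22/3344 duration 0:01:19 bytes 5120 TCP FINs
Oct 23 2002 12:55:40 pix %PIX-6-302013: Built outbound TCP connection 4590 for outside:198.133.219.25/443 (198.133.219.25/443) to inside:10.1.3.77/2001 (192.0.2.11/41100)
"""

# Only the "Built" record is needed for the trace: it is the one line that ties the
# PAT (mapped) address/port to the real inside address/port for a given remote host.
BUILT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %PIX-\d-302013: "
    r"Built (?:inbound|outbound) TCP connection (?P<conn>\d+) "
    r"for \w+:(?P<remote_ip>[\d.]+)/(?P<remote_port>\d+) \([\d.]+/\d+\) "
    r"to \w+:(?P<inside_ip>[\d.]+)/(?P<inside_port>\d+) "
    r"\((?P<mapped_ip>[\d.]+)/(?P<mapped_port>\d+)\)"
)


def parse_built_connections(text):
    """Parse 302013 'Built' lines into dicts; teardowns and other messages are skipped."""
    records = []
    for line in text.splitlines():
        m = BUILT_RE.match(line)
        if not m:
            continue
        records.append({
            "time": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
            "conn": int(m["conn"]),
            "remote_ip": m["remote_ip"], "remote_port": int(m["remote_port"]),
            "inside_ip": m["inside_ip"], "inside_port": int(m["inside_port"]),
            "mapped_ip": m["mapped_ip"], "mapped_port": int(m["mapped_port"]),
        })
    return records


def trace_inside_hosts(records, complaint_ip, reported_time, mapped_ip=None,
                       window_seconds=120):
    """Return [(inside_ip, [matching records]), ...] for inside hosts that built a
    connection to complaint_ip within +/- window_seconds of the reported time.
    mapped_ip narrows the search to one PAT address when the complainant gave it.
    Hosts with the most matching connections come first."""
    lo = reported_time - timedelta(seconds=window_seconds)
    hi = reported_time + timedelta(seconds=window_seconds)
    hits = {}
    for r in records:
        if r["remote_ip"] != complaint_ip:
            continue
        if mapped_ip is not None and r["mapped_ip"] != mapped_ip:
            continue
        if not (lo <= r["time"] <= hi):
            continue
        hits.setdefault(r["inside_ip"], []).append(r)
    return sorted(hits.items(), key=lambda kv: len(kv[1]), reverse=True)


if __name__ == "__main__":
    # A constructed complaint: "192.0.2.10 hit 198.133.219.25 at 12:41 on Oct 23".
    recs = parse_built_connections(SAMPLE_SYSLOG)
    for inside_ip, matches in trace_inside_hosts(
            recs, "198.133.219.25", datetime(2002, 10, 23, 12, 41, 0),
            mapped_ip="192.0.2.10"):
        print(inside_ip, "built", len(matches), "connection(s):")
        for r in matches:
            print("   ", r["time"], "conn", r["conn"],
                  "via", r["mapped_ip"] + "/" + str(r["mapped_port"]))
```

The window exists because the complainant's clock and the syslog server's clock are rarely in step and the reported time is often rounded; keep the PIX and the syslog server on NTP and ask the remote site for its timezone, then widen the window only as far as needed. Because the trace needs only the Built records, discarding the teardown and other informational messages at the syslog server keeps the stored volume far below what "log everything at Informational" implies, although the PIX still has to emit the lines.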
This archive was generated by hypermail 2.1.4 : Tue Nov 05 2002 - 08:35:56 GMT-3