Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

IDS Attacks response

Posted on 2004-09-01
9
Medium Priority
?
259 Views
Last Modified: 2010-04-09
Hi

I have an IDS configured in the network, im using the IEV monitor and im able to see the attacks by their Ip address,
by i want to know the action that has been taken to prevent this attacks?

Thanks


0
Comment
Question by:ibmas4002
  • 4
  • 3
  • 2
9 Comments
 
LVL 18

Expert Comment

by:liddler
ID: 11953479
IF you have a router with acls (Access Control Lists) or a firewall you can block the specific IP addresses.  You can also use ripe to find out the abuse address for their netblock and report their abuse, and get them dropped by their ISP.
0
 
LVL 2

Author Comment

by:ibmas4002
ID: 11955573
Thanks Liddler

I have event viwer installed, also i configured the blocking device. but the signatures its showing nothing in the actions.

so do i need to configure manually to take the actions??

thanks
0
 
LVL 18

Expert Comment

by:liddler
ID: 11955951
Sorry I don't know IEV, you'll have to look at the cisco? docs
0
New Tabletop Appliances Blow Competitors Away!

WatchGuard’s new T15, T35 and T55 tabletop UTMs provide the highest-performing security inspection in their class, allowing users at small offices, home offices and distributed enterprises to experience blazing-fast Internet speeds without sacrificing enterprise-grade security.

 
LVL 23

Expert Comment

by:Tim Holman
ID: 11956180
Configure the network IDS with an active port that it can send TCP RST packets to and/or actively modify the upstream router ACL.
Alternatively, buy an inline IPS - Intrusion Prevention System, which will do all this for you...
0
 
LVL 2

Author Comment

by:ibmas4002
ID: 11957489
Hi  tim_holman

can you explain how to configure the IDS for TCP RST flag.

Thanks
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 11957658
What's the exact make and model of your NIDS, and what do you use to manage it  ?
0
 
LVL 2

Author Comment

by:ibmas4002
ID: 11960132
i have 4215 and its connected to the external switch.
0
 
LVL 23

Accepted Solution

by:
Tim Holman earned 750 total points
ID: 11961693
Does the external switch support ACLs ?
The way you'd normally set these up would be:

Internet
|
Router
|
IDS
|
Internal network

..and if the IDS detects anything odd then configure it to modify the router's ACL.

It cannot directly prevent attacks, although it can send RST packets to the originator to reset the session, but then why bother communicating back to the source - just block it with the ACL.

Instructions using IDSM are here:

http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_installation_and_configuration_guide_chapter09186a00801a0c83.html

Look under Configuring Blocking:

http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_installation_and_configuration_guide_chapter09186a00801a0c83.html#32394
0
 
LVL 2

Author Comment

by:ibmas4002
ID: 11994870
Thanks  tim_holman

its useful
0

Featured Post

Ask an Anonymous Question!

Don't feel intimidated by what you don't know. Ask your question anonymously. It's easy! Learn more and upgrade.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Wikipedia defines 'Script Kiddies' in this informal way: "In hacker culture, a script kiddie, occasionally script bunny, skiddie, script kitty, script-running juvenile (SRJ), or similar, is a derogatory term used to describe those who use scripts or…
Do you have a windows based Checkpoint SmartCenter for centralized Checkpoint management?  Have you ever backed up the firewall policy residing on the SmartCenter?  If you have then you know the hassles of connecting to the server, doing an upgrade_…
Integration Management Part 2
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…

963 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question