Solved

Network intrusion detection and prevention tools

Posted on 2014-11-13
3
197 Views
Last Modified: 2014-12-01
We are going through an IRS audit and are being asked what network intrusion tools we use. We currently have a hardware firewall, a Cisco ASA 5505. Are there built-in tools such as logging that we can use for network intrusion viewing? Or is there another piece of hardware that we need? I can poke around the firewall, but I am not Cisco certified or a CCNA by any means.
0
Comment
Question by:gebigler
3 Comments
 
LVL 18

Accepted Solution

by:
Garry Glendown earned 500 total points
ID: 40442026
ASA does not come with a real IDS/IPS as such. In order to get this feature on the 5505 (or any ASA, for that matter), you will need the IDS daughter card that installs into the ASA. Not sure about the prices, though, as we stopped actively selling ASAs some time ago due to their software falling behind the competition. Anyway, the IDS card will most likely work (we have one customer with a 5505 cluster and the IDS card, no problems to date, albeit the firewall is already configured rather restrictively, so dangers are already greatly minimized).

Depending on your throughput and feature demands, you could also look into devices from Fortinet. For very competitive prices (typically around 1/2 of what ASA devices with similar performance cost), you get a load of additional features without additional license cost. The base bundle already includes full IDS/IPS, content scan (AV/malware) as well as web filtering (with server categorization, etc.), SSL VPN (as well as IPSEC and PPTP), single sign-on, web proxy, FW virtualization and much more ... also full HA capability without needing to pay for a license upgrade (as is the case for most smaller ASA models like the 5505 or 5510). We've got multiple pairs deployed to protect our customers' web servers from attacks, which has reduced the number of successful attacks from something like 1 a day (don't ask ...) to less than one per quarter ...
0
 
LVL 63

Expert Comment

by:btan
ID: 40442082
Strictly speaking, ASA is a FW and not primarily intended for intrusion detection. ASA does port and IP filtering as a baseline, unless we are talking about ASA module add-ons such as the AIP-SSM, which provides intrusion detection system (IDS)/intrusion protection system (IPS) features, the CSC-SSM, which operates as a content scanning and filtering module, or even the CX, which provides the contextual visibility for the NG-FW. But assuming the minimal base for ASA, it is doing the traditional stuff a FW is supposed to do, and of course we are saying it has to be hardened with the enterprise baseline. The industry baseline from Cisco itself is the reference, supplemented by CIS and NIST, which are commonly referenced. See below:

http://www.cisco.com/web/about/security/intelligence/firewall-best-practices.html

Intrusion detection is really not the FW's role, but if you are looking at the ASA management aspect in such an attempt, the audit trail is an important aspect, as already covered in the hardening practices. Maybe good to know the threat protection for ASA in version 8 and above:

Using basic threat detection, the security appliance monitors the rate of dropped packets and security events caused by the following:

  • Denial by access lists.
  • Bad packet format, such as invalid-ip-header or invalid-tcp-hdr-length.
  • Connection limits exceeded, both system-wide resource limits and limits set in the configuration.
  • DoS attack detected, such as an invalid stateful packet inspection or stateful firewall check failure.
  • Basic firewall checks failed. This option is a combined rate that includes all firewall-related packet drops in this bulleted list. It does not include non-firewall-related drops such as interface overload, packets failed at application inspection, and scanning attack detected.
  • Suspicious ICMP packets detected.
  • Packets failed application inspection.
  • Interface overload.
  • Scanning attack detected. This option monitors scanning attacks; for example, the first TCP packet is not a SYN packet or the TCP connection failed the three-way handshake. Full scanning threat detection takes this scanning attack rate information and acts on it by classifying hosts as attackers and automatically shunning them, for example. Refer to Configuring Scanning Threat Detection for more information.
  • Incomplete session detection, such as TCP SYN attack detected or no-data UDP session attack detected.
0
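Since the advice in this thread is to rely on the ASA's own logging and basic threat detection rather than a separate IDS, here is an added example (not code from the thread or from Cisco) that summarises the syslog messages an auditor would want to see: ACL denies per source and the threat-detection events (rate exceeded, host flagged, host shunned). It assumes the ASA forwards syslog to a collector; the sample lines are constructed approximations of the ASA message format.

```python
"""Summarise Cisco ASA syslog lines relevant to intrusion viewing (added example,
not the thread's own code). IDs 733100/733101/733102 are ASA threat-detection
events and 106023 is an ACL deny; the sample lines are constructed approximations
of the ASA message format, not captured output.
"""
import re
from collections import Counter

SAMPLE_SYSLOG = """\
<164>Nov 13 2014 09:12:01 asa5505 %ASA-4-106023: Deny tcp src outside:203.0.113.7/4450 dst inside:192.168.1.10/445 by access-group "outside_in" [0x0, 0x0]
<164>Nov 13 2014 09:12:02 asa5505 %ASA-4-106023: Deny tcp src outside:203.0.113.7/4451 dst inside:192.168.1.10/3389 by access-group "outside_in" [0x0, 0x0]
<164>Nov 13 2014 09:12:02 asa5505 %ASA-4-106023: Deny udp src outside:198.51.100.9/5060 dst inside:192.168.1.20/5060 by access-group "outside_in" [0x0, 0x0]
<164>Nov 13 2014 09:12:05 asa5505 %ASA-4-733100: [ Scanning ] drop rate-1 exceeded. Current burst rate is 12 per second, max configured rate is 10; Current average rate is 6 per second, max configured rate is 5; Cumulative total count is 3600
<164>Nov 13 2014 09:12:06 asa5505 %ASA-4-733101: Host 203.0.113.7 is attacking. Current burst rate is 12 per second, max configured rate is 10; Current average rate is 6 per second, max configured rate is 5; Cumulative total count is 3600
<164>Nov 13 2014 09:12:06 asa5505 %ASA-4-733101: Host 198.51.100.9 is attacking. Current burst rate is 11 per second, max configured rate is 10; Current average rate is 5 per second, max configured rate is 5; Cumulative total count is 900
<164>Nov 13 2014 09:12:06 asa5505 %ASA-4-733101: Host 192.168.1.10 is targeted. Current burst rate is 12 per second, max configured rate is 10; Current average rate is 6 per second, max configured rate is 5; Cumulative total count is 3600
<164>Nov 13 2014 09:12:07 asa5505 %ASA-4-733102: Threat-detection adds host 203.0.113.7 to shun list
"""

MSG_ID = re.compile(r"%ASA-\d-(\d{6}): (.*)$")
ACL_DENY = re.compile(r"Deny \w+ src \S+:(\d+\.\d+\.\d+\.\d+)/\d+ dst ")
RATE_EXCEEDED = re.compile(r"\[ (.+?) \] drop rate-(\d) exceeded")
HOST_FLAGGED = re.compile(r"Host (\d+\.\d+\.\d+\.\d+) is (attacking|targeted)")
SHUN_ADD = re.compile(r"adds host (\d+\.\d+\.\d+\.\d+) to shun list")


def summarise(syslog_text):
    summary = {"acl_denies": Counter(), "rate_exceeded": [], "attackers": set(),
               "targets": set(), "shunned": set(), "unparsed": 0}
    for line in syslog_text.splitlines():
        m = MSG_ID.search(line)
        if not m:
            summary["unparsed"] += 1   # keep a count so parse gaps are visible
            continue
        msg_id, body = m.groups()
        if msg_id == "106023" and (d := ACL_DENY.search(body)):
            summary["acl_denies"][d.group(1)] += 1        # denies per source IP
        elif msg_id == "733100" and (r := RATE_EXCEEDED.search(body)):
            summary["rate_exceeded"].append((r.group(1), int(r.group(2))))  # (category, rate interval index)
        elif msg_id == "733101" and (h := HOST_FLAGGED.search(body)):
            summary["attackers" if h.group(2) == "attacking" else "targets"].add(h.group(1))
        elif msg_id == "733102" and (s := SHUN_ADD.search(body)):
            summary["shunned"].add(s.group(1))
    return summary


def flagged_not_shunned(summary):
    """Attackers flagged by 733101 that never appeared in a 733102 shun message."""
    return summary["attackers"] - summary["shunned"]
```

The `flagged_not_shunned` set is the review item for an audit: hosts that basic threat detection flagged but that no scanning-threat shun ever acted on.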
 

Author Comment

by:gebigler
ID: 40474689
Thanks
0
