gebigler

Network intrusion detection and prevention tools

We are going through an IRS audit and are being asked what network intrusion tools we use.  We currently have a hardware firewall, a Cisco ASA 5505.  Are there built-in tools such as logging that we can use for network intrusion viewing?  Or is there another piece of hardware that we need?  I can poke around the firewall, but I am not Cisco certified or CCNA by any means.
Security

Last comment: gebigler, 8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
Garry Glendown

[answer text not available]
btan

Strictly speaking, the ASA is a FW and not primarily an intrusion detection device. The ASA does port and IP filtering as a baseline, unless we are talking about ASA add-on modules such as the AIP-SSM, which provides intrusion detection system (IDS)/intrusion prevention system (IPS) features, the CSC-SSM, which operates as a content scanning and filtering module, or even the CX, which provides the contextual visibility for the NG-FW. But assuming the minimal base ASA, it does the traditional things a FW is supposed to do, and of course we are saying it has to be hardened with the enterprise baseline. The industry baseline from Cisco itself is the reference, supplemented by CIS and NIST, which are commonly referenced. See below:

http://www.cisco.com/web/about/security/intelligence/firewall-best-practices.html

Intrusion detection is really not the FW's role, but if you are looking at the ASA management aspect in such an attempt, the audit trail is an important aspect, as already covered in the hardening practices. It may be good to know about the threat protection features for ASA in version 8 and above:
Using basic threat detection, the security appliance monitors the rate of dropped packets and security events caused by the following:

Denial by access lists.
Bad packet format, such as invalid-ip-header or invalid-tcp-hdr-length.
Connection limits exceeded, both system-wide resource limits and limits set in the configuration.
DoS attack detected, such as an invalid stateful packet inspection or stateful firewall check failure.
Basic firewall checks failed. This option is a combined rate that includes all firewall-related packet drops in this bulleted list. It does not include non-firewall-related drops such as interface overload, packets failed at application inspection, and scanning attack detected.
Suspicious ICMP packets detected.
Packets failed application inspection.
Interface overload.
Scanning attack detected. This option monitors scanning attacks; for example, the first TCP packet is not a SYN packet or the TCP connection failed the three-way handshake. Full scanning threat detection takes this scanning attack rate information and acts on it by classifying hosts as attackers and automatically shunning them, for example. Refer to Configuring Scanning Threat Detection for more information.
Incomplete session detection, such as TCP SYN attack detected or no-data UDP session attack detected.
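The basic threat detection described above only becomes useful for an auditor when its messages leave the ASA and land somewhere they can be reviewed. The script below is an added example, not code from this thread or from Cisco: it assumes the ASA is already exporting syslog (`logging enable`, `logging host <interface> <collector-ip>`, `logging trap warnings` or lower) with `threat-detection basic-threat` and `threat-detection scanning-threat shun` turned on, so that the threat-detection messages %ASA-4-733100 (drop rate exceeded), %ASA-4-733101 (host attacking or targeted), %ASA-4-733102 (host added to shun list) and the ACL-deny message %ASA-4-106023 reach the collector. The sample log lines are constructed to follow the documented message layouts; the addresses, counters and hostname are made up, and the exact wording of the real messages varies slightly between ASA releases, so treat the regexes as a starting point to check against your own syslog.

```python
"""Summarise Cisco ASA threat-detection and ACL-deny syslog messages.

Added example (not from the thread or from Cisco). Assumes the ASA exports
syslog at severity warnings (level 4) or lower and that threat detection is
enabled; message IDs 733100/733101/733102/106023 are the documented ASA IDs,
the sample text below is constructed, not captured.
"""
import re
from collections import Counter

# Constructed sample syslog, using documentation/RFC 1918 addresses only.
SAMPLE_LOG = """\
Aug 22 2022 10:01:02 fw1 %ASA-4-733100: [ Scanning ] drop rate-1 exceeded. Current burst rate is 12 per second, max configured rate is 10; Current average rate is 3 per second, max configured rate is 5; Cumulative total count is 1814
Aug 22 2022 10:01:03 fw1 %ASA-4-733101: Host 203.0.113.45 is attacking. Current burst rate is 12 per second, max configured rate is 10; Current average rate is 3 per second, max configured rate is 5; Cumulative total count is 1814
Aug 22 2022 10:01:03 fw1 %ASA-4-733102: Threat-detection adds host 203.0.113.45 to shun list
Aug 22 2022 10:01:05 fw1 %ASA-4-106023: Deny tcp src outside:203.0.113.45/40211 dst inside:10.10.1.20/3389 by access-group "outside_in" [0x0, 0x0]
Aug 22 2022 10:01:05 fw1 %ASA-4-106023: Deny tcp src outside:203.0.113.45/40212 dst inside:10.10.1.21/3389 by access-group "outside_in" [0x0, 0x0]
Aug 22 2022 10:02:10 fw1 %ASA-4-733100: [ ACL drop ] drop rate-1 exceeded. Current burst rate is 25 per second, max configured rate is 20; Current average rate is 6 per second, max configured rate is 10; Cumulative total count is 9021
Aug 22 2022 10:03:00 fw1 %ASA-6-302013: Built inbound TCP connection 1234 for outside:198.51.100.7/51000 (198.51.100.7/51000) to inside:10.10.1.5/443 (10.10.1.5/443)
"""

# Generic ASA message header: %ASA-<severity>-<6-digit id>: <body>
MSG_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<body>.*)$")
# 733100: one of the basic threat-detection categories exceeded its drop rate.
RATE_RE = re.compile(
    r"^\[ (?P<category>[^\]]+?) \] drop rate-(?P<n>\d) exceeded\. "
    r"Current burst rate is (?P<burst>\d+) per second, max configured rate is (?P<burst_max>\d+); "
    r"Current average rate is (?P<avg>\d+) per second, max configured rate is (?P<avg_max>\d+); "
    r"Cumulative total count is (?P<total>\d+)")
# 733101: scanning threat detection classified a host as attacker or target.
ATTACK_RE = re.compile(r"^(?:Host|Object) (?P<ip>[\d.]+) is (?P<role>attacking|targeted)")
# 733102: scanning-threat shun kicked in for that host.
SHUN_RE = re.compile(r"^Threat-detection adds host (?P<ip>[\d.]+) to shun list")
# 106023: packet denied by an access list (the first bullet in the list above).
ACL_DENY_RE = re.compile(
    r"^Deny (?P<proto>\w+) src (?P<sif>\w+):(?P<sip>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+) by access-group \"(?P<acl>[^\"]+)\"")


def summarize(text: str) -> dict:
    """Walk syslog text and return counts an auditor can read at a glance."""
    rate_exceeded, acl_denies = Counter(), Counter()
    attackers, targeted, shunned = [], [], []
    unparsed = other = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        m = MSG_RE.search(line)
        if m is None:                       # not an ASA message at all
            unparsed += 1
            continue
        msg_id, body = m.group("id"), m.group("body")
        if msg_id == "733100":
            r = RATE_RE.match(body)
            if r is None:                   # layout drift: flag, don't silently drop
                unparsed += 1
                continue
            rate_exceeded[r.group("category")] += 1
        elif msg_id == "733101":
            a = ATTACK_RE.match(body)
            if a is None:
                unparsed += 1
                continue
            bucket = attackers if a.group("role") == "attacking" else targeted
            if a.group("ip") not in bucket:
                bucket.append(a.group("ip"))
        elif msg_id == "733102":
            s = SHUN_RE.match(body)
            if s is None:
                unparsed += 1
                continue
            if s.group("ip") not in shunned:
                shunned.append(s.group("ip"))
        elif msg_id == "106023":
            d = ACL_DENY_RE.match(body)
            if d is None:
                unparsed += 1
                continue
            acl_denies[d.group("sip")] += 1
        else:
            other += 1                      # connection built/torn down etc.
    return {
        "rate_exceeded": dict(rate_exceeded),
        "attackers": attackers,
        "targeted": targeted,
        "shunned": shunned,
        "acl_denies_by_src": dict(acl_denies),
        "unparsed": unparsed,
        "other": other,
    }


def report(summary: dict) -> list:
    """Render the summary as plain lines; unshunned attackers are called out."""
    lines = [f"rate exceeded: {summary['rate_exceeded']}",
             f"attackers: {summary['attackers']}  shunned: {summary['shunned']}",
             f"ACL denies by source: {summary['acl_denies_by_src']}"]
    for ip in summary["attackers"]:
        if ip not in summary["shunned"]:
            lines.append(f"WARNING: {ip} flagged as attacker but never shunned")
    if summary["unparsed"]:
        lines.append(f"WARNING: {summary['unparsed']} line(s) did not parse; check message layout")
    return lines


if __name__ == "__main__":
    print("\n".join(report(summarize(SAMPLE_LOG))))
```

Run it against a day's worth of exported syslog instead of SAMPLE_LOG and keep the output with the audit evidence; `show threat-detection rate` and `show threat-detection shun` on the ASA itself give the live view of the same counters. The threat-detection messages are severity 4, so `logging trap warnings` is enough for them, while the connection messages such as 302013 are severity 6 and only arrive at `logging trap informational`.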
gebigler

ASKER
Thanks