Configure Intrusion Prevention on the PIX Security Appliance
Configure intrusion detection

Intrusion prevention, or auditing, is enabled on the PIX Security Appliance with the ip audit commands. Using the ip audit commands, audit policies can be created to specify the traffic that is audited or to designate actions to be taken when a signature is detected. After a policy is created, it can be applied to any PIX interface.

Each interface can have two policies, one for informational signatures and one for attack signatures. If both policies are going to be active simultaneously, they should share the same policy name. When a policy for a given signature class is created and applied to an interface, all supported signatures of that class are monitored unless they are disabled with the ip audit signature disable command.

The PIX Security Appliance supports both inbound and outbound auditing. Auditing is performed by looking at the IP packets as they arrive at an input interface. For example, if an attack policy is applied to the outside interface, attack signatures are triggered when attack traffic arrives at the outside interface in an inward direction, either as inbound traffic or as return traffic from an outbound connection.

In Figure , the PIX Security Appliance has an attack policy, which contains the alarm and drop actions, applied to its outside interface. Therefore, the following series of events takes place:

Step 1 The intruder attempts to transfer a DNS zone from the DNS server on the DMZ.
Step 2 The PIX Security Appliance detects an attack.
Step 3 The PIX Security Appliance drops the connection and sends an IDS Syslog message to the Syslog server at 10.0.0.11.

The ip audit attack command specifies the default actions to be taken for attack signatures. The no ip audit attack command resets the action to be taken for attack signatures to the default action. The show ip audit attack command displays the default attack actions. The ip audit info, no ip audit info, and show ip audit info commands perform the same functions for signatures classified as informational. Specify the ip audit info command without an action option to cancel event reactions.
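The scenario above (alarm and drop policy on the outside interface, IDS Syslog messages to 10.0.0.11), written out as the PIX 6.x configuration that would produce it. This is an added example, not a configuration from the original page: it assumes the Syslog server is reached through the inside interface, and the policy name AUDIT_OUT and signature number 2004 are illustrative choices.

```cisco
! Added example (not from the original page). Assumptions: the Syslog server
! 10.0.0.11 sits behind the "inside" interface; AUDIT_OUT and signature 2004
! are illustrative.
!
! Default actions for signatures not covered by a named policy.
ip audit info action alarm
ip audit attack action alarm
!
! Named policies: one for informational signatures, one for attack
! signatures. They share a name so both can be active on one interface.
ip audit name AUDIT_OUT info action alarm
ip audit name AUDIT_OUT attack action alarm drop
!
! Apply the policy to the outside interface. Packets arriving inbound on
! that interface (including return traffic of outbound connections) are
! checked against it; a matching attack signature is alarmed and dropped.
ip audit interface outside AUDIT_OUT
!
! Optionally disable a noisy informational signature globally
! (2004 = ICMP Echo Request, chosen here as an illustration).
ip audit signature 2004 disable
!
! IDS Syslog messages are severity 4 (%PIX-4-4000nn); send them to the
! collector on the inside network.
logging on
logging trap warnings
logging host inside 10.0.0.11
!
! Verification: which policy is bound where, and per-signature hit counts.
show ip audit interface
show ip audit count interface outside
show ip audit signature
```

Check show ip audit count after generating test traffic; a signature whose counter never rises on the outside interface is either disabled or not being seen on that input interface.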


Interactive Media Activity

Demonstration Activity: Intrusion Detection Process in the PIX Security Appliance

In this activity, students will learn the intrusion detection process in the PIX Security Appliance.