Cisco PIX
The Cisco PIX firewall has no DNS resolver of its own, so an external script is needed to pull the ThreatSTOP lists and push them to the firewall. The script we currently provide is written in Perl and requires the following modules to be installed:

Config::General
Getopt::Long
Net::DNS
Net::SSH::Perl
Net::SSH::Perl::Constants

The script is designed to run in a UNIX environment and will not run in Windows.

Caveats:
  • Every time this script is run, it clears all entries from the shun table. If you have an IDS sending blocks based on events, those blocks will be eliminated.
  • Shuns are not replicated to a standby PIX. If your firewall fails over, the benefit of the lists is lost until the script runs again.

When setting up your devices on the ThreatSTOP website, do not use the IP address of the PIX; use the public IP address of the computer that will run the script. ThreatSTOP authorizes the DNS query by its source address, so the query must come from the computer running the script or it will not be answered. If that computer sits behind NAT, the public address of the NAT gateway is the one to register. If you do not know the public IP address of that computer, go to http://www.myipaddress.com from the computer that will run the script; it will show you the address to use.

The script works as follows: it first queries the ThreatSTOP DNS server to get the IP addresses in your lists. It then opens an SSH connection to the PIX, enters enable mode, clears all currently shunned addresses, and sends the command "shun <IP_ADDRESS>" for each address. Shunning temporarily blocks all traffic to and from the particular IP address. Shuns are not written to the configuration, so nothing is saved if the PIX is rebooted or the configuration is reloaded; the lists are only re-applied on the next run of the script.

When the script runs, it clears all shun entries before adding the new IP addresses. If you are using the Cisco IDS software, or another IDS product, it may be populating the shun table with its own blocks, and those will be removed on every run.

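The command sequence described above, and the clear-then-add behaviour behind the IDS caveat, as an added example in Python. This is not code from the ts-pix_shun.pl script: the DNS answer and the exclusion list are constructed sample data so the example runs offline, and the address sanity check and the incremental `no shun` variant are additions of this example rather than features of the ThreatSTOP script.

```python
"""Added example: build the PIX command sequence that a ThreatSTOP shun
script sends.  Not the ts-pix_shun.pl script; sample data is constructed."""
import ipaddress

# Constructed sample of what a ThreatSTOP DNS lookup might return, including
# junk that must never be turned into a 'shun' command.
SAMPLE_LOOKUP = [
    "198.51.100.7",
    "203.0.113.9",
    "203.0.113.9",      # duplicate answer
    "not-an-ip",        # garbled record
    "2001:db8::1",      # IPv6: PIX 'shun' takes an IPv4 source address
    "10.0.0.1",         # inside our own network
]

# Assumed safeguard (not part of the ThreatSTOP script): networks that must
# never be shunned, e.g. the host running the script and internal ranges.
NEVER_SHUN = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.0.2.0/24"),
]


def sanitize(addresses, never_shun=NEVER_SHUN):
    """Return sorted, de-duplicated IPv4 strings that are safe to shun."""
    keep = set()
    for raw in addresses:
        try:
            ip = ipaddress.ip_address(raw.strip())
        except ValueError:
            continue                      # unparseable: never send to the PIX
        if ip.version != 4:
            continue                      # PIX shun is IPv4 only
        if any(ip in net for net in never_shun):
            continue                      # would block ourselves
        keep.add(ip)
    return [str(ip) for ip in sorted(keep)]


def full_refresh_commands(ips, enable_password):
    """The sequence the page describes: enable, clear the whole shun table,
    then shun every address from the list.  Anything an IDS placed in the
    table is lost at the 'clear shun' step."""
    cmds = ["enable", enable_password, "clear shun"]
    cmds += ["shun %s" % ip for ip in ips]
    return cmds


def incremental_commands(new_ips, previous_ips, enable_password):
    """Alternative that leaves IDS-created shuns alone: remove only the
    addresses this script added last time that are no longer listed, and
    add only the ones that are new.  Needs the previous set persisted
    between runs (assumed state file, not shown)."""
    new, old = set(new_ips), set(previous_ips)
    cmds = ["enable", enable_password]
    cmds += ["no shun %s" % ip
             for ip in sorted(old - new, key=ipaddress.ip_address)]
    cmds += ["shun %s" % ip
             for ip in sorted(new - old, key=ipaddress.ip_address)]
    return cmds


if __name__ == "__main__":
    clean = sanitize(SAMPLE_LOOKUP)
    print("\n".join(full_refresh_commands(clean, "<enable-password>")))
    print("---")
    # Constructed previous run: one address dropped from the list since then.
    print("\n".join(incremental_commands(clean, ["203.0.113.9", "192.0.2.77"],
                                         "<enable-password>")))
```

Each element of the returned list is one line to send over the SSH session, in order; the enable password is sent as the answer to the PIX's password prompt. After a failover or reboot the shun table is empty, so the incremental variant's `no shun` lines for entries that no longer exist are harmless, but the previously shunned addresses are only re-added once they disappear from and reappear in the list; a full refresh is the simpler way to recover from that state.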
After downloading the script and extracting the archive, edit the ts-pix.conf file. The configuration file has two main sections, "globals" and "device." The globals section is already configured. The device section must be modified for your setup: change the device IP address and the pix_username, pix_password, and pix_enable settings for the device you are configuring. Since this file holds the PIX login and enable passwords in plain text, restrict its permissions so that only the account that runs the script can read it.

If you have more than one PIX to set up, create an additional "device" section for each one with the appropriate information. The script finishes configuring the first device before moving on to the next one.

To run the script:

shell# /path/to/the/script/ts-pix_shun.pl -c /path/to/config/file/ts-pix.conf

We update the lists every 2 hours. Here is an example cron job that you can use:

# Update the ThreatSTOP lists. Every 2 hours, 15 minutes after the hour (00:15, 02:15, 04:15, etc.)
15  */2  *  *  *  /path/to/the/script/ts-pix_shun.pl -c /path/to/config/file/ts-pix.conf 2>&1