Chapter 15
Blocking Configuration
© 2003, Cisco Systems, Inc. All rights reserved.
CSIDS 4.0—15-1
Objectives
Upon completion of this chapter, you will be able
to complete the following tasks:
• Describe the device management capability of the Sensor
and how it is used to perform blocking with a Cisco
device.
• Design a Cisco IDS solution using the blocking feature,
including the ACL placement considerations, when
deciding where to apply Sensor-generated ACLs.
• Configure a Sensor to perform blocking with a Cisco
device (router, switch, or PIX Firewall).
• Configure a Sensor to perform blocking through a Master
Blocking Sensor.
Introduction
Definitions
• Blocking—A Cisco IDS Sensor feature that stops an attack by
dynamically reconfiguring a Cisco device to deny traffic from
the attacking host.
• Device management—The ability of a Sensor to interact
with a Cisco device and dynamically reconfigure the
Cisco device to stop an attack.
• Managed device—The Cisco device (router, switch, or PIX
Firewall) that actually blocks the attack. This is also
referred to as a blocking device.
• Blocking Sensor—The Cisco IDS Sensor configured to
control the managed device.
• Interface/direction—The combination of a device interface
and a direction, in or out.
• Managed interface—The interface on the managed device
where the Cisco IDS Sensor applies the ACL.
• Active ACL—The ACL created and maintained by the
Sensor which is applied to the managed interfaces.
Blocking Devices
• Cisco IOS routers (ACLs)
• Catalyst 5000 RSM/RSFC (ACLs)
• Catalyst 6000 running IOS (ACLs)
• Catalyst 6000 running Catalyst OS (VACLs)
• PIX Firewall (shun)
Blocking Guidelines
• Implement anti-spoofing mechanisms, so that an attacker
cannot spoof a trusted address and cause the Sensor to
block it.
• Identify hosts that are to be excluded from
blocking.
• Identify network entry points that will participate
in blocking.
• Assign the block reaction to signatures that are
deemed as an immediate threat.
• Determine the appropriate blocking duration.
NAC (Network Access Controller) Block Actions
The following actions will initiate a block:
• Response to an alert event generated from a
signature that is configured with a block action.
• Manually initiated from a management interface.
• A host or network address configured for a permanent
block.
Blocking Process
The following explains the blocking process:
• An event or action occurs that has a block
action associated with it.
• Sensor pushes a new set of configurations or
ACLs, one for each interface direction, to each
controlled device.
• An alarm is sent to the Event Store at the same
time the Sensor initiates the block.
• When the block completes, all configurations or
ACLs are updated to remove the block.
Blocking Scenario
[Figure: the attacker 172.26.26.1 on the untrusted network, the
target 192.168.1.10 on the protected network, and the managed device
between them on which the Sensor writes the ACL.]
1. Attack traffic from 172.26.26.1 is sent toward 192.168.1.10 on
the protected network.
2. Detect the attack: the Sensor sees the attack and fires a
signature configured with the block action.
3. Write the ACL: the Sensor writes an ACL to the managed device
that denies 172.26.26.1.
ACL Considerations
Where to Apply ACLs
[Figure: untrusted network, external interfaces (inbound ACL),
internal interfaces (outbound ACL), protected network.]
• When the Sensor has full control of an interface, no
manually entered ACLs are allowed on it.
• Apply the ACL to an external interface in the inbound
direction.
• Apply the ACL to an internal interface in the outbound
direction.
Applying ACLs on the External vs. Internal Interfaces
• External interface in the inbound direction
– Denies the host before it enters the router.
– Provides the best protection against an attacker.
• Internal interface in the outbound direction
– Denies the host before it enters the protected network.
– The block does not apply to the router itself, so the
attacker can still reach the router.
Using Existing ACLs
• The Sensor takes full control of the managed interface.
• Existing ACL entries can be included before the
dynamically created ACL. This is referred to as applying a
Pre-block ACL.
• Existing ACL entries can be added after the dynamically
created ACL. This is referred to as applying a Post-block
ACL.
• The existing ACL must be an extended IP access list,
either named or numbered.
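The ACL composition described under Using Existing ACLs, together with the block lifecycle from Blocking Process (push the deny, remove it when the block completes) and the never-block exclusion from Blocking Guidelines, as an added example that is not part of the original course material or of any Cisco code. It models one managed IOS interface/direction in Python. The order it encodes is the one the Sensor uses (its own permit entry first, then Pre-block entries, then the active denies, then Post-block entries, or permit ip any any when no Post-block ACL exists); the ACL name IDS_Fa0/0_in, the addresses 10.1.9.201, 172.26.26.1 and 192.168.1.0/24, and the sample ACEs are constructed for illustration. The pix_shun_commands helper renders the same block set as PIX shun commands.

```python
"""Added example (not Cisco code): a model of how a blocking Sensor builds the
active ACL for one managed IOS interface/direction, and how that ACL changes as
blocks are added, refused, and expired. The Sensor's own permit entry comes
first, then the Pre-block ACL entries, then one deny per active block, then the
Post-block ACL entries, or 'permit ip any any' when no Post-block ACL is
configured. All addresses, the ACL name and the sample entries are constructed."""
from __future__ import annotations

import time
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Block:
    host: str
    expires_at: float  # epoch seconds; float("inf") marks a permanent block


@dataclass
class ManagedInterface:
    sensor_ip: str                  # the Sensor must never block itself
    acl_name: str                   # constructed name; the real Sensor picks its own
    never_block: list[str] = field(default_factory=list)  # hosts or networks (CIDR)
    pre_block: list[str] = field(default_factory=list)    # existing ACEs kept before the blocks
    post_block: list[str] = field(default_factory=list)   # existing ACEs kept after the blocks
    blocks: list[Block] = field(default_factory=list)

    def is_never_blocked(self, host: str) -> bool:
        addr = ip_address(host)
        return any(addr in ip_network(n, strict=False) for n in self.never_block)

    def add_block(self, host: str, duration_min: float | None = None,
                  now: float | None = None) -> bool:
        """Add or refresh a block. Returns False when the host is exempt:
        the Sensor's own address or anything on the never-block list.
        duration_min=None creates a permanent block."""
        now = time.time() if now is None else now
        if host == self.sensor_ip or self.is_never_blocked(host):
            return False
        expires = float("inf") if duration_min is None else now + duration_min * 60
        for b in self.blocks:               # a repeat hit extends the existing block
            if b.host == host:
                b.expires_at = max(b.expires_at, expires)
                return True
        self.blocks.append(Block(host, expires))
        return True

    def expire(self, now: float) -> int:
        """Drop blocks whose duration has elapsed; returns the number still active."""
        self.blocks = [b for b in self.blocks if b.expires_at > now]
        return len(self.blocks)

    def render_ios_acl(self) -> list[str]:
        """The extended ACL the Sensor would write for this interface/direction."""
        lines = [f"ip access-list extended {self.acl_name}",
                 f" permit ip host {self.sensor_ip} any"]   # Sensor keeps its own access
        lines += [f" {ace}" for ace in self.pre_block]
        lines += [f" deny ip host {b.host} any" for b in self.blocks]
        if self.post_block:
            lines += [f" {ace}" for ace in self.post_block]
        else:
            lines.append(" permit ip any any")              # no Post-block ACL: allow the rest
        return lines


def pix_shun_commands(iface: ManagedInterface) -> list[str]:
    """On a PIX Firewall the same block set is expressed as one shun per host."""
    return [f"shun {b.host}" for b in iface.blocks]


def example_interface() -> ManagedInterface:
    """Constructed sample: external interface, inbound direction, with an
    anti-spoofing Pre-block entry and the existing site policy as Post-block ACL."""
    return ManagedInterface(
        sensor_ip="10.1.9.201",
        acl_name="IDS_Fa0/0_in",
        never_block=["192.168.1.0/24"],
        pre_block=["deny ip 10.0.0.0 0.255.255.255 any"],
        post_block=["permit tcp any host 192.168.1.10 eq www"],
    )


if __name__ == "__main__":
    iface = example_interface()
    t0 = 1_000_000.0
    iface.add_block("172.26.26.1", duration_min=30, now=t0)
    print("\n".join(iface.render_ios_acl()))
    iface.expire(now=t0 + 31 * 60)
    print("--- after the block expires ---")
    print("\n".join(iface.render_ios_acl()))
```

Pre-block entries are evaluated before the Sensor's deny, so a permit placed there lets the blocked host through on whatever it permits; reserve the Pre-block ACL for entries that must win over a block (the anti-spoofing deny here) and carry the site's permit policy in the Post-block ACL. The Sensor's own address is permitted first so that a block can never cut the Sensor off from the device it manages.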
Blocking Sensor Configuration
Configuration Tasks
Complete the following tasks to configure a Sensor for
blocking:
• Assign the block reaction to a signature.
• Assign the Sensor’s global blocking properties.
• Define the managed device’s properties.
• Assign the managed interface’s properties for
IOS devices.
• (Optional.) Assign the list of devices that are
never blocked.
• (Optional.) Define a Master Blocking Sensor.
Assign Block Reaction
Sensor’s Blocking Properties
Choose Configuration>Settings>Blocking>Blocking Properties.
Managed Device—Cisco Router
Choose Configuration>Blocking>Blocking Devices and click Add.
Managed Device—Cisco Router (cont.)
Managed Device—PIX Firewall
Choose Configuration>Blocking>Blocking Devices and click Add.
Managed Device—Catalyst 6000 VACL
Managed Device—Catalyst 6000 VACL (cont.)
Never Block Addresses
Choose Configuration>Settings>Blocking>Never Block Addresses and
Click Add.
Master Blocking Sensor Configuration
Master Blocking Sensors
[Figure: the attacker reaches the target on the protected network
through two providers, Provider X and Provider Y. Router A is
managed by Sensor A; PIX Firewall B is managed by Sensor B, which
acts as the Master Blocking Sensor for that device.]
• Sensor A blocks the attacker on Router A.
• Sensor A commands Sensor B to block.
• Sensor B blocks the attacker on PIX Firewall B.