
CCNA Document - Blocking Configuration


Chapter 15
Blocking Configuration

© 2003, Cisco Systems, Inc. All rights reserved.

CSIDS 4.0—15-1


Objectives
Upon completion of this chapter, you will be able
to complete the following tasks:
• Describe the device management capability of the Sensor
and how it is used to perform blocking with a Cisco
device.
• Design a Cisco IDS solution using the blocking feature,
including the ACL placement considerations, when
deciding where to apply Sensor-generated ACLs.
• Configure a Sensor to perform blocking with a Cisco IDS
device.
• Configure a Sensor to perform blocking through a Master
Blocking Sensor.


Introduction





Definitions
• Blocking—A Cisco IDS Sensor feature.
• Device management—The ability of a Sensor to interact
with a Cisco device and dynamically reconfigure the
Cisco device to stop an attack.
• Managed device—The Cisco IDS device that is to block
the attack. This is also referred to as a blocking device.
• Blocking Sensor—The Cisco IDS Sensor configured to
control the managed device.
• Interface/direction—The combination of a device interface
and a direction, in or out.
• Managed interface—The interface on the managed device
where the Cisco IDS Sensor applies the ACL.
• Active ACL—The ACL created and maintained by the
Sensor which is applied to the managed interfaces.


Blocking Devices

• Cisco IOS routers (ACLs)
• Catalyst 5000 RSM/RSFC (ACLs)
• Catalyst 6000 running IOS (ACLs)
• Catalyst 6000 running Catalyst OS (VACLs)
• PIX Firewall (shun)




Blocking Guidelines
• Implement anti-spoofing mechanisms.
• Identify hosts that are to be excluded from
blocking.
• Identify network entry points that will participate
in blocking.
• Assign the block reaction to signatures that are
deemed as an immediate threat.
• Determine the appropriate blocking duration.



NAC Block Actions

The following actions will initiate a block:

• Response to an alert event generated from a
signature that is configured with a block action.
• Manually initiated from a management interface.
• Configured to initiate a permanent block action.



Blocking Process
The following explains the blocking process:

• An event or action occurs that has a block
action associated with it.
• Sensor pushes a new set of configurations or
ACLs, one for each interface direction, to each
controlled device.
• An alarm is sent to the Event Store at the same
time the Sensor initiates the block.
• When the block completes, all configurations or
ACLs are updated to remove the block.


Blocking Scenario

[Diagram: an attacker at 172.26.26.1 on the untrusted network targets 192.168.1.10 on the protected network. Steps shown: detect the attack (Sensor), write the ACL, deny 172.26.26.1 at the router.]


ACL Considerations



Where to Apply ACLs

[Diagram: untrusted network facing the external interfaces (Inbound ACL); protected network behind the internal interfaces (Outbound ACL).]

• When the Sensor has full control, no manually entered ACLs are allowed.
• Apply an external interface in an inbound direction.
• Apply an internal interface in an outbound direction.



Applying ACLs on the External vs. Internal Interfaces

• External interface in the inbound direction
  – Denies the host before it enters the router.
  – Provides the best protection against an attacker.
• Internal interface in the outbound direction
  – Denies the host before it enters the protected network.
  – The block does not apply to the router itself.


Using Existing ACLs

• The Sensor takes full control of the managed interface.
• Existing ACL entries can be included before the dynamically created ACL. This is referred to as applying a Pre-block ACL.
• Existing ACL entries can be added after the dynamically created ACL. This is referred to as applying a Post-block ACL.
• The existing ACL must be an extended IP access list, either named or numbered.
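As an added example (not Cisco's code and not from these slides), the following Python model shows how the ACL described above and in the Blocking Process slide is assembled for one interface/direction: Pre-block entries first, then the Sensor's dynamic deny entries, then Post-block entries, with the never-block list and the blocking duration from the guidelines applied and expired blocks removed. The ACL name, interface and addresses are constructed placeholders, and the trailing permit ip any any is an assumption.

```python
# Added example: a model of the active ACL a blocking Sensor maintains for one
# managed interface/direction. Layout follows the slides: Pre-block ACL entries,
# then one deny per active block, then Post-block ACL entries. Hosts on the
# never-block list are refused, and blocks expire after the configured duration.
from dataclasses import dataclass, field


@dataclass
class ActiveAcl:
    name: str                       # assumed name of the Sensor-maintained ACL
    duration_min: int               # blocking duration (Sensor blocking property)
    interface: str = "FastEthernet0/0"               # assumed managed interface
    direction: str = "in"                            # "in" (external) or "out" (internal)
    pre_block: list = field(default_factory=list)    # existing ACEs applied first
    post_block: list = field(default_factory=list)   # existing ACEs applied last
    never_block: set = field(default_factory=set)    # addresses never blocked
    blocks: dict = field(default_factory=dict)       # host -> expiry time (minutes)

    def block(self, host: str, now: int) -> bool:
        """Add a block for host; refused for never-block addresses."""
        if host in self.never_block:
            return False
        self.blocks[host] = now + self.duration_min
        return True

    def expire(self, now: int) -> list:
        """Drop completed blocks (the 'update ACLs to remove the block' step)."""
        done = sorted(h for h, t in self.blocks.items() if t <= now)
        for h in done:
            del self.blocks[h]
        return done

    def render(self) -> list:
        """Lines of the named extended IP ACL as the Sensor would push it."""
        lines = [f"ip access-list extended {self.name}"]
        lines += [f" {ace}" for ace in self.pre_block]
        lines += [f" deny ip host {h} any" for h in sorted(self.blocks)]
        lines += [f" {ace}" for ace in self.post_block]
        # Assumed: a final permit so the implicit deny at the end of an IOS ACL
        # does not drop every other host on the managed interface.
        lines.append(" permit ip any any")
        return lines

    def apply_command(self) -> str:
        """Interface commands that bind the ACL in the chosen direction."""
        return f"interface {self.interface}\n ip access-group {self.name} {self.direction}"


if __name__ == "__main__":
    # Constructed sample: protect 192.168.1.10, never block the gateway 192.168.1.1.
    acl = ActiveAcl("IDS_IN", 30, never_block={"192.168.1.1"},
                    pre_block=["permit tcp any host 192.168.1.10 eq 80"])
    acl.block("172.26.26.1", now=0)
    print("\n".join(acl.render() + [acl.apply_command()]))
```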



Blocking Sensor Configuration



Configuration Tasks
Complete the following tasks to configure a Sensor for blocking:

• Assign the block reaction to a signature.
• Assign the Sensor’s global blocking properties.
• Define the managed device’s properties.
• Assign the managed interface’s properties for IOS devices.
• (Optional.) Assign the list of devices that are never blocked.
• (Optional.) Define a Master Blocking Sensor.


Assign Block Reaction



Sensor’s Blocking Properties
Choose Configuration>Settings>Blocking>Blocking Properties.



Managed Device—Cisco Router
Choose Configuration>Blocking>Blocking Devices and select Add.




Managed Device—
Cisco Router (cont.)



Managed Device—PIX Firewall
Choose Configuration>Blocking>Blocking Devices and select Add.



Managed Device—
Catalyst 6000 VACL



Managed Device—

Catalyst 6000 VACL (cont.)



Never Block Addresses
Choose Configuration>Settings>Blocking>Never Block Addresses and click Add.



Master Blocking Sensor
Configuration



Master Blocking Sensors

[Diagram: an attacker reaches the target on the protected network over two provider links, Provider X and Provider Y. Router A is managed by Sensor A and PIX Firewall B by Sensor B. Labels: "Sensor A blocks", "Sensor A commands Sensor B to block", "Sensor B blocks".]


