Foundation Summary

Beginning with Cisco IPS version 5.0, you can configure your sensor to perform one or more of the following responses when a specific signature triggers:

Deny Attacker Inline
Deny Connection Inline
Deny Packet Inline
Log Attacker Packets
Log Pair Packets
Log Victim Packets
Modify Packet Inline
Produce Alert
Produce Verbose Alert
Request Block Connection
Request Block Host
Request SNMP Trap
Reset TCP Connection

Configuring a signature with the Deny Packet Inline action causes your sensor to drop any packets that match the signature's parameters. The Deny Connection Inline action causes the sensor to drop all traffic for the connection (same source and destination IP address and source and destination ports) of the traffic that triggered the signature. Finally, the Deny Attacker Inline action causes the sensor to drop all packets from the attacker's IP address.

Cisco IPS version 5.0 provides the following logging actions:

Log Attacker Packets
Log Pair Packets
Log Victim Packets

Besides logging traffic when a specific signature triggers, you can also manually log traffic in IDM.

IP blocking enables you to halt future traffic from an attacking host for a specified period of time by using one of the following two actions:

Request Block Host
Request Block Connection

Table 9-9 lists the terms commonly used in conjunction with IP blocking.

Table 9-9. IP Blocking Common Terms
Term	Definition
Active ACL	The dynamically created ACL that the sensor applies to the managed device.
Blocking Sensor	A sensor that you have configured to control one or more managed devices.
Device Management	The ability of a sensor to interact with certain Cisco devices and dynamically reconfigure them to block the source of an attack by using an ACL, VACL, or the shun command on the PIX Firewall.
IP Blocking	A feature of Cisco IPS that enables your sensor to block traffic from an attacking system that has triggered a signature that is configured for blocking.
Interface/Direction	The combination of the interface and direction on the interface (in or out) determines where a blocking ACL is applied on your managed device. You can configure the NAC to block a total of ten interface/direction combinations (across all devices on the sensor).
Managed Device	The Cisco device that blocks the source of an attack after being reconfigured by the blocking sensor.
Managed Interface	The interface on the managed device on which the sensor applies the dynamically created ACL (also known as the blocking interface).

You can use the following types of devices to serve as managed devices (for IP blocking):

Cisco routers
Cisco Catalyst 6000 switches
Cisco PIX Firewalls or Adaptive Security Appliances (ASAs)

To manipulate the ACLs on a managed device, you must configure the following on your managed devices:

Telnet Access (VTY) Enabled
Line password Assigned to VTY
Telnet or SSH access Allowed from sensor
Device's enable password Assigned

IP blocking requires careful planning and analysis. Some of the important items that you need to consider when designing and implementing IP blocking are as follows:

Antispoofing mechanisms
Critical hosts
Network topology
Entry points
Signature selection
Blocking duration
Device login information
Interface ACL requirements

A block action is initiated when one of the following two events occurs:

A signature configured with the block action triggers
You manually initiate a block (from a management interface such as the CLI or IDM)

The blocking process involves the following sequence of operations:

An event or action configured for blocking occurs.
The NAC sends a new set of configurations or ACLs (one for each interface/direction) to each controlled device. It applies the block to each interface/direction on all of the devices that the sensor is configured to control.
For alarm events, the alarm is sent to the Event Store at the same time that the block is applied. Each of these events happens independently of the other.
When the configured block duration expires, the NAC updates the configurations or ACLs to remove the block.

When applying ACLs on your network, consider your operational requirements and network topology. You have several options when applying ACLs to one of your network devices. The ACL might be applied on either the external or internal interface of the router. It can also be configured for inbound or outbound traffic on each of these two interfaces (when using ACLs).

To use IP blocking on an interface/direction that has an existing ACL, you need to define the following additional ACLs:

Pre-Block ACL
Post-Block ACL

If more than one of your sensors is configured for IP blocking, you need these sensors to coordinate their blocking actions with each other so that all entry points into you network are blocked when an attack is noticed by any of your sensors. This coordination is handled by configuring a Master Blocking Sensor.

When configuring IP blocking, you need to perform numerous configuration operations. These operations fall into the following categories:

Assigning the block action
Setting blocking properties
Defining addresses never to block
Setting up logical devices
Defining blocking devices
Defining Master Blocking Sensors

The following blocking parameters apply to all automatic blocks that the NAC initiates:

Maximum block entries
Allow the sensor IP address to be blocked
Block action duration

To prevent your blocking sensor from blocking traffic to critical systems on your network (either accidentally or because of a deliberate attack), you can configure which IP addresses your blocking device should never block.

Using IDM, you can manually initiate block requests. You have the option of initiating manual blocks for a single host or for a specific network.

The TCP reset response action essentially kills the current TCP connection from the attacker by sending a TCP reset packet to both systems involved in the TCP connection.

Table 9-9. IP Blocking Common Terms