Now that we've gone through the fundamental concepts of blocking, we can go through the configuration tasks step-by-step.
The steps to configure blocking are as follows:
We now go through an example for each of the following device types: Cisco IOS Router, Cisco PIX Firewall, and Catalyst 6000 VACL. Because Steps 1 and 2 are the same for all devices, we focus on Steps 3 and 4 for each example.
The Cisco IOS device type can be any of the following:
Cisco IOS Router
Catalyst 5000 Series switch with an RSM or RSFC
Catalyst 6000 Series switch running native IOS with an MSFC
To configure blocking for this managed device, follow these steps:
Setting | Description |
---|---|
Device type | Drop-down menu where you can select the device type, such as IOS Router or PIX Firewall, for example. |
IP address | IP address of the blocking device, in this case, the Cisco IOS Router. |
NAT address | NAT IP address of the blocking device, in this case, a Cisco IOS Router. |
Comment | Optional. |
Username | Username that has permissions to log in and perform administration, configuration, or management functions (if the router is configured for user authentication). |
Password | Console level password. |
Enable password | Password that allows the user to perform administration, configuration, and management functions. |
Secure communications | Drop-down menu where you can choose the method of communication between the Sensor and the Cisco IOS Router. The default value is None, which means that Telnet will be used. SSH or 3DES SSH are the other options. |
If you choose to use SSH or 3DES SSH communications between the blocking device and the Cisco IOS Router, the router uses SSH password authentication rather than public key authentication. Recall also that your IOS device needs a license that supports either DES or 3DES for SSH communications to the blocking sensor.

```
!
username kristina password 0 secret         # Sensor username account for SSH login
!
aaa new-model
aaa authentication login ssh local enable   # Define aaa profile "ssh" for local user database authentication; enable password as backup
!
ip domain-name kristina.net                 # Establish identity
ip ssh time-out 90                          # Optional (Default = 80)
ip ssh authentication-retries 2             # Optional (Default = 3)
!
line vty 0 4
 login authentication ssh                   # Authenticate vty lines using aaa profile "ssh"
 transport input ssh                        # Enable the ssh transport on the vty line
!
```
Setting | Description |
---|---|
Blocking interface name | Allows you to name the blocking managed interface |
Blocking direction | Drop-down menu allowing you to specify whether the ACL is inbound or outbound |
Pre-block ACL name | Name of the ACL that has the entries to include above the blocking ACEs |
Post-block ACL name | Name of the ACL that has the entries to include below the blocking ACEs |
For PIX Firewalls running version 6.0 and later, you perform blocking using the shun command rather than ACLs or interfaces. Blocking with the shun command is limited to hosts and connections rather than subnets or entire networks.
To add a PIX Firewall as a managed device, complete the following steps:
Setting | Description |
---|---|
Device type | Drop-down menu where you can select the device type, such as IOS Router or PIX Firewall, for example. |
IP address | IP address of the blocking device, in this case, the PIX Firewall. |
NAT address | NAT IP address of the blocking device, in this case, a PIX Firewall. |
Comment | Optional. |
Username | Username that has permissions to log in and perform administration, configuration, or management functions (if the PIX Firewall is configured for user authentication). |
Password | Console level password. |
Enable password | Password that allows the user to perform administration, configuration, and management functions. |
Secure communications | Drop-down menu where you can choose the method of communication between the Sensor and the PIX Firewall. The default value is None, which means that Telnet will be used. SSH or 3DES SSH are the other options. |
If you choose to use SSH or 3DES SSH communications between the blocking device and the Cisco PIX Firewall, the firewall uses SSH password authentication rather than public key authentication. Recall again that your PIX device needs a license that supports either DES or 3DES for SSH communications to the blocking sensor.

```
passwd d4n1e1                              # Define the SSH local password
hostname kmmpix                            # Establish identity for key generation
domain-name kristina.net                   # Establish identity for key generation
ssh 172.16.1.25 255.255.255.255 inside     # Allow SSH communication only from the host 172.16.1.25 on the inside interface
ssh timeout 60                             # Optional
```

On the PIX Firewall, if you use local authentication rather than AAA authentication, the username is always `pix`.
For a Catalyst 6000 running the Catalyst OS, you use VACLs rather than ACLs to configure blocking. Also, Catalyst 6000 VACLs do not support direction-based ACLs, so you don't need to specify a direction for the interface.
To add a Catalyst 6000 as a managed device, complete the following steps:
Setting | Description |
---|---|
Device type | Drop-down menu where you can select the device type, such as PIX Firewall or Catalyst 6000, for example. |
IP address | IP address of the blocking device, in this case, the Catalyst 6000. |
NAT address | NAT IP address of the blocking device, in this case, a Catalyst 6000. |
Comment | Optional. |
Username | Username that has permissions to log in and perform administration, configuration, or management functions (if the router is configured for user authentication). |
Password | Console level password. |
Enable password | Password that allows the user to perform administration, configuration, and management functions. |
Secure communications | Drop-down menu where you can choose the method of communication between the Sensor and the Catalyst 6000. The default value is None, which means that Telnet will be used. SSH or 3DES SSH are the other options. |
Recall that if the blocking device is a Catalyst 5000 RSM or RSFC, or a Catalyst 6000 with an MSFC running native IOS, then you configure blocking using the Cisco IOS Router configuration steps, as covered in the earlier section.
Setting | Description |
---|---|
VLAN number | Number of the VLAN that will be used to initiate blocking |
Pre-block ACL name | Name of the ACL that has the entries to include above the blocking ACEs |
Post-block ACL name | Name of the ACL that has the entries to include below the blocking ACEs |
A never-block ACL contains the ACEs for the hosts or subnets that should never be blocked. It consists of a permit statement for each host or subnet at the beginning of the active ACL. The address entries in a never-block ACL can include hosts and servers that provide critical network services which, if blocked, would have a severe impact on business operations. They can also include devices whose normal behavior emulates that of an attack and would otherwise cause a large number of false positives. If you choose to specify never-block addresses, make sure that you take additional measures to ensure that these addresses cannot be compromised to launch further attacks.
As you saw with the Sensor, addresses that you configure as never-block are added as permit statements at the top of the active ACL, so a later deny ACE for the same address is never reached.
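The following is an added illustration, not code from the book or from the Cisco IDS Sensor, of why the position of the never-block permits matters. It composes an active ACL in the order the text describes (never-block permits, then pre-block entries, then the Sensor's deny ACEs, then post-block entries, then a final permit), evaluates it with the first-match rule an IOS ACL uses, and renders it as IOS lines. The addresses, ACL names and entries are constructed for the example.

```python
import ipaddress
from typing import List, Tuple

# One ACE is (action, source prefix); every entry applies to "any" destination.
ACE = Tuple[str, str]

# Constructed values for the example (not from the book):
NEVER_BLOCK = ["192.168.10.5/32", "192.168.20.0/24"]  # critical servers / known false-positive sources
PRE_BLOCK: List[ACE] = [("deny", "10.0.0.0/8")]       # entries from a hypothetical pre-block ACL
POST_BLOCK: List[ACE] = [("permit", "172.16.0.0/16")] # entries from a hypothetical post-block ACL


def build_active_acl(blocked_hosts: List[str]) -> List[ACE]:
    """Compose the active ACL in the order the text describes:
    never-block permits, pre-block ACEs, Sensor deny ACEs, post-block ACEs, permit any."""
    acl: List[ACE] = [("permit", p) for p in NEVER_BLOCK]
    acl += PRE_BLOCK
    acl += [("deny", h if "/" in h else h + "/32") for h in blocked_hosts]
    acl += POST_BLOCK
    acl.append(("permit", "0.0.0.0/0"))
    return acl


def evaluate(acl: List[ACE], src_ip: str) -> str:
    """Return the action for a source address using first-match, top-down evaluation."""
    ip = ipaddress.ip_address(src_ip)
    for action, prefix in acl:
        if ip in ipaddress.ip_network(prefix, strict=False):
            return action
    return "deny"  # implicit deny at the end of every IOS ACL


def render_ios(acl: List[ACE], name: str = "IDS_ACTIVE") -> str:
    """Render the ACL as lines of a named extended IOS ACL (wildcard masks for subnets)."""
    lines = [f"ip access-list extended {name}"]
    for action, prefix in acl:
        net = ipaddress.ip_network(prefix, strict=False)
        if net.prefixlen == 32:
            src = f"host {net.network_address}"
        elif net.prefixlen == 0:
            src = "any"
        else:
            src = f"{net.network_address} {net.hostmask}"
        lines.append(f" {action} ip {src} any")
    return "\n".join(lines)


def never_block_honored(blocked_hosts: List[str]) -> bool:
    """Sanity check: no never-block address is denied, even if a block for it is requested."""
    acl = build_active_acl(blocked_hosts)
    for prefix in NEVER_BLOCK:
        net = ipaddress.ip_network(prefix)
        if evaluate(acl, str(net.network_address)) != "permit":
            return False
    return True


if __name__ == "__main__":
    # A block for a real attacker plus a (mistaken) block for a never-block server.
    active = build_active_acl(["10.1.1.5", "192.168.10.5"])
    print(render_ios(active))
    for host in ("192.168.10.5", "10.1.1.5", "203.0.113.9"):
        print(f"{host:15} -> {evaluate(active, host)}")
```

Reading the rendered ACL top-down shows the point: the deny for 192.168.10.5 is present but unreachable because the never-block permit precedes it, while 10.1.1.5 is denied and an unrelated host still falls through to the final permit.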
To add never-block addresses, complete the following steps: