Foundation Summary

Beginning with Cisco IPS version 5.0, you can configure your sensor to perform one or more of the following responses when a specific signature triggers:

  • Deny Attacker Inline

  • Deny Connection Inline

  • Deny Packet Inline

  • Log Attacker Packets

  • Log Pair Packets

  • Log Victim Packets

  • Modify Packet Inline

  • Produce Alert

  • Produce Verbose Alert

  • Request Block Connection

  • Request Block Host

  • Request SNMP Trap

  • Reset TCP Connection

Configuring a signature with the Deny Packet Inline action causes your sensor to drop any packets that match the signature's parameters. The Deny Connection Inline action causes the sensor to drop all traffic for the connection (same source and destination IP address and source and destination ports) of the traffic that triggered the signature. Finally, the Deny Attacker Inline action causes the sensor to drop all packets from the attacker's IP address.

Cisco IPS version 5.0 provides the following logging actions:

  • Log Attacker Packets

  • Log Pair Packets

  • Log Victim Packets

Besides logging traffic when a specific signature triggers, you can also manually log traffic in IDM.

IP blocking enables you to halt future traffic from an attacking host for a specified period of time by using one of the following two actions:

  • Request Block Host

  • Request Block Connection

Table 9-9 lists the terms commonly used in conjunction with IP blocking.

Table 9-9. IP Blocking Common Terms



Active ACL

The dynamically created ACL that the sensor applies to the managed device.

Blocking Sensor

A sensor that you have configured to control one or more managed devices.

Device Management

The ability of a sensor to interact with certain Cisco devices and dynamically reconfigure them to block the source of an attack by using an ACL, VACL, or the shun command on the PIX Firewall.

IP Blocking

A feature of Cisco IPS that enables your sensor to block traffic from an attacking system that has triggered a signature that is configured for blocking.


The combination of the interface and direction on the interface (in or out) determines where a blocking ACL is applied on your managed device. You can configure the NAC to block a total of ten interface/direction combinations (across all devices on the sensor).

Managed Device

The Cisco device that blocks the source of an attack after being reconfigured by the blocking sensor.

Managed Interface

The interface on the managed device on which the sensor applies the dynamically created ACL (also known as the blocking interface).

You can use the following types of devices to serve as managed devices (for IP blocking):

  • Cisco routers

  • Cisco Catalyst 6000 switches

  • Cisco PIX Firewalls or Adaptive Security Appliances (ASAs)

To manipulate the ACLs on a managed device, you must configure the following on your managed devices:

  • Telnet Access (VTY) Enabled

  • Line password Assigned to VTY

  • Telnet or SSH access Allowed from sensor

  • Device's enable password Assigned

IP blocking requires careful planning and analysis. Some of the important items that you need to consider when designing and implementing IP blocking are as follows:

  • Antispoofing mechanisms

  • Critical hosts

  • Network topology

  • Entry points

  • Signature selection

  • Blocking duration

  • Device login information

  • Interface ACL requirements

A block action is initiated when one of the following two events occurs:

  • A signature configured with the block action triggers

  • You manually initiate a block (from a management interface such as the CLI or IDM)

The blocking process involves the following sequence of operations:

  1. An event or action configured for blocking occurs.

  2. The NAC sends a new set of configurations or ACLs (one for each interface/direction) to each controlled device. It applies the block to each interface/direction on all of the devices that the sensor is configured to control.

  3. For alarm events, the alarm is sent to the Event Store at the same time that the block is applied. Each of these events happens independently of the other.

  4. When the configured block duration expires, the NAC updates the configurations or ACLs to remove the block.

When applying ACLs on your network, consider your operational requirements and network topology. You have several options when applying ACLs to one of your network devices. The ACL might be applied on either the external or internal interface of the router. It can also be configured for inbound or outbound traffic on each of these two interfaces (when using ACLs).

To use IP blocking on an interface/direction that has an existing ACL, you need to define the following additional ACLs:

  • Pre-Block ACL

  • Post-Block ACL

If more than one of your sensors is configured for IP blocking, you need these sensors to coordinate their blocking actions with each other so that all entry points into you network are blocked when an attack is noticed by any of your sensors. This coordination is handled by configuring a Master Blocking Sensor.

When configuring IP blocking, you need to perform numerous configuration operations. These operations fall into the following categories:

  • Assigning the block action

  • Setting blocking properties

  • Defining addresses never to block

  • Setting up logical devices

  • Defining blocking devices

  • Defining Master Blocking Sensors

The following blocking parameters apply to all automatic blocks that the NAC initiates:

  • Maximum block entries

  • Allow the sensor IP address to be blocked

  • Block action duration

To prevent your blocking sensor from blocking traffic to critical systems on your network (either accidentally or because of a deliberate attack), you can configure which IP addresses your blocking device should never block.

Using IDM, you can manually initiate block requests. You have the option of initiating manual blocks for a single host or for a specific network.

The TCP reset response action essentially kills the current TCP connection from the attacker by sending a TCP reset packet to both systems involved in the TCP connection.

CCSP IPS Exam Certification Guide
CCSP IPS Exam Certification Guide
ISBN: 1587201461
EAN: 2147483647
Year: 2004
Pages: 119
Authors: Earl Carter © 2008-2017.
If you may any questions please contact us: