Beginning with Cisco IPS version 5.0, you can configure your sensor to perform one or more of the following responses when a specific signature triggers:
Configuring a signature with the Deny Packet Inline action causes your sensor to drop any packets that match the signature's parameters. The Deny Connection Inline action causes the sensor to drop all traffic for the connection (same source and destination IP address and source and destination ports) of the traffic that triggered the signature. Finally, the Deny Attacker Inline action causes the sensor to drop all packets from the attacker's IP address. Cisco IPS version 5.0 provides the following logging actions:
Besides logging traffic when a specific signature triggers, you can also manually log traffic in IDM. IP blocking enables you to halt future traffic from an attacking host for a specified period of time by using one of the following two actions:
Table 9-9 lists the terms commonly used in conjunction with IP blocking.
You can use the following types of devices to serve as managed devices (for IP blocking):
To manipulate the ACLs on a managed device, you must configure the following on your managed devices:
IP blocking requires careful planning and analysis. Some of the important items that you need to consider when designing and implementing IP blocking are as follows:
A block action is initiated when one of the following two events occurs:
The blocking process involves the following sequence of operations:
When applying ACLs on your network, consider your operational requirements and network topology. You have several options when applying ACLs to one of your network devices. The ACL might be applied on either the external or internal interface of the router, and on each of these two interfaces it can be applied to inbound or outbound traffic. To use IP blocking on an interface/direction that already has an ACL, you need to define the following additional ACLs:
If more than one of your sensors is configured for IP blocking, you need these sensors to coordinate their blocking actions with each other so that all entry points into your network are blocked when an attack is noticed by any of your sensors. This coordination is handled by configuring a Master Blocking Sensor. When configuring IP blocking, you need to perform numerous configuration operations. These operations fall into the following categories:
The following blocking parameters apply to all automatic blocks that the NAC initiates:
To prevent your blocking sensor from blocking traffic to critical systems on your network (either accidentally or because of a deliberate attack), you can configure which IP addresses your blocking device should never block. Using IDM, you can manually initiate block requests. You have the option of initiating manual blocks for a single host or for a specific network. The TCP reset response action essentially kills the current TCP connection from the attacker by sending a TCP reset packet to both systems involved in the TCP connection.
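The following model ties together the blocking behaviour described above: an existing ACL on the managed interface that must be preserved around the block entries, a block duration that applies to automatic blocks, a never-block list that protects critical hosts, and manual blocks for a host or a whole network. It is an added illustration written for this summary, not Cisco's own NAC code or IDM output; the class name `BlockManager`, the `pre_acl`/`post_acl` parameters (standing in for the ACL entries kept before and after the sensor's block entries) and all addresses are constructed for the example.

```python
"""Model of the sensor-side bookkeeping behind IP blocking (added example, not Cisco code)."""
import ipaddress


def _as_network(target):
    """Accept a single host ('203.0.113.9') or a CIDR network ('198.51.100.0/24')."""
    return ipaddress.ip_network(target, strict=False)


def acl_entry(net):
    """Render one deny entry in Cisco IOS extended-ACL syntax (host form or wildcard-mask form)."""
    if net.prefixlen == net.max_prefixlen:
        return f"deny ip host {net.network_address} any"
    return f"deny ip {net.network_address} {net.hostmask} any"


class BlockManager:
    """Hypothetical stand-in for the sensor's block list and the ACL it pushes to a managed device."""

    def __init__(self, never_block, block_minutes=30, pre_acl=(), post_acl=()):
        # Addresses the sensor must never block (critical systems), as networks.
        self.never_block = [_as_network(n) for n in never_block]
        # Default duration for automatic blocks, in minutes.
        self.block_minutes = block_minutes
        # Operator ACL entries that stay in place before and after the block entries
        # (assumed split; the page only says existing ACLs must be preserved).
        self.pre_acl = list(pre_acl)
        self.post_acl = list(post_acl)
        self.blocks = {}  # network -> expiry time in seconds

    def is_protected(self, target):
        """True if the requested host/network overlaps any never-block entry."""
        net = _as_network(target)
        return any(net.overlaps(p) for p in self.never_block)

    def request_block(self, target, now, minutes=None):
        """Automatic (signature-triggered) or manual block request.

        Returns True if the block was recorded, False if the never-block list
        refused it. A repeated request for the same target refreshes its expiry.
        """
        if self.is_protected(target):
            return False
        minutes = self.block_minutes if minutes is None else minutes
        self.blocks[_as_network(target)] = now + minutes * 60
        return True

    def expire(self, now):
        """Drop blocks whose duration has elapsed."""
        self.blocks = {n: t for n, t in self.blocks.items() if t > now}

    def active_blocks(self, now):
        self.expire(now)
        return [str(n) for n in self.blocks]

    def render_acl(self, now):
        """Existing entries before, then current block entries, then existing entries after."""
        self.expire(now)
        return self.pre_acl + [acl_entry(n) for n in self.blocks] + self.post_acl


if __name__ == "__main__":
    mgr = BlockManager(never_block=["10.1.1.0/24"],
                       pre_acl=["permit tcp any host 10.1.1.5 eq 22"],
                       post_acl=["permit ip any any"])
    mgr.request_block("10.1.1.7", now=0)            # refused: protected network
    mgr.request_block("203.0.113.9", now=0)         # automatic block, default duration
    mgr.request_block("198.51.100.0/24", now=0, minutes=60)  # manual network block
    for line in mgr.render_acl(now=0):
        print(line)
```

The `overlaps` check is deliberately broad: a manual block for a whole network is refused if any part of it touches a never-block entry, which is the conservative reading of "never block" for a critical host. Note also that the rendered ACL is regenerated from the block table on every change, so an expired block disappears from the managed device on the next push rather than lingering.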