Before applying ACLs in a Cisco IDS environment, you must consider several factors, such as how (or if) to apply manually configured ACLs, whether the ACLs have incompatibility issues, where to place ACLs to best protect your network, and how to make best use of existing ACLs. The following sections discuss each of these considerations in more detail.
You cannot use manually configured ACLs on any interface/direction that will be used for blocking. The Sensor takes full control over managed interfaces; therefore, if you need to configure manual ACLs, either apply them to another interface/direction or incorporate them into the pre-block or post-block ACLs.
Because the Sensor takes full control over managed interfaces, you cannot use manually configured ACLs on any interface or direction that will be used for blocking. If manually configured ACLs are required, apply them to an alternative interface and direction, or incorporate all entries into the post-block ACL.
Note that Sensor blocking ACLs are incompatible with context-based access control (CBAC), a feature of the IOS firewall set.
Sensor blocking ACLs are incompatible with the CBAC feature of the IOS firewall; they cannot be applied to an interface that has an ip inspect rule applied to it.
Generally, when protecting your network from intrusions, you should block attacks in the direction of the protected network by placing your inbound ACLs on the external interface or outbound ACLs on the internal interface. Figure 11.3 shows how external/inbound and internal/outbound ACLs protect against potentially malicious network traffic.
Each placement has its advantages and disadvantages that you should consider, as summarized in Table 11.2.
Internal Interface, Outbound Direction | External Interface, Inbound Direction
---|---
Denies the host before it enters the protected network. | Denies the host before it enters the router.
The block does not apply to the router itself; packets are still processed by the router. | Protects the router from potential attacks; packets are never processed by the router.
You saw earlier that you can use pre-block and post-block ACLs when you need ACEs before and after the blocking ACEs in the ACL applied to a given interface/direction. The easiest way to keep existing ACEs on a managed interface is to specify the user-defined ACL for that interface as the post-block ACL. Alternatively, you can migrate the existing ACL to an interface that is not managed by the Sensor and that traffic reaches before the Sensor-managed interface. You configure pre-block and post-block ACLs as extended IP ACLs, either named or numbered.
The Sensor also includes an option to never block its own IP address as a result of blocking rules. If you select this option, a permit ACE for the Sensor's IP address is placed at the beginning of the dynamically created ACL so that the Sensor can never be locked out by a block.
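The following Python model, added here as an illustration and not taken from Cisco's own software, assembles the ACL a blocking Sensor applies to a managed interface/direction in the order just described (Sensor permit, pre-block ACEs, dynamic deny ACEs, post-block ACEs) and flags the two placement problems from the earlier sections (a manual ACL on the managed interface/direction, and a CBAC ip inspect rule on the interface). The trailing "permit ip any any" used when no post-block ACL exists, and all function names and sample addresses, are assumptions of this example.

```python
from ipaddress import ip_address

# Constructed model of the extended ACL a blocking Sensor builds for one
# managed interface/direction. ACE order: permit for the Sensor's own IP
# (if "never block" is on), pre-block ACEs, dynamic deny ACEs, post-block
# ACEs. The final "permit ip any any" when no post-block ACL is given is an
# assumption of this example, not a behaviour stated on the page.

def build_blocking_acl(blocked_hosts, pre_block=(), post_block=(),
                       sensor_ip=None, never_block_sensor=True):
    """Return the ACEs of the dynamically generated ACL, in order."""
    acl = []
    if never_block_sensor and sensor_ip:
        # Placed first so that no later deny ACE can lock the Sensor out.
        acl.append(f"permit ip host {sensor_ip} any")
    acl.extend(pre_block)                 # user ACEs that must precede blocks
    for host in blocked_hosts:
        ip_address(host)                  # reject malformed entries early
        acl.append(f"deny ip host {host} any")
    if post_block:
        acl.extend(post_block)            # existing user ACL reused here
    else:
        acl.append("permit ip any any")   # assumed default without post-block
    return acl


def check_managed_interface(interface, direction, manual_acls, inspect_ifaces):
    """Return placement problems for a proposed managed interface/direction.

    manual_acls:    {(interface, direction): acl_name} of hand-applied ACLs.
    inspect_ifaces: set of interfaces carrying an ip inspect (CBAC) rule.
    """
    problems = []
    name = manual_acls.get((interface, direction))
    if name:
        problems.append(f"manual ACL {name} on {interface}/{direction}: move it to "
                        "another interface/direction or make it the post-block ACL")
    if interface in inspect_ifaces:
        problems.append(f"{interface} has an ip inspect rule; blocking ACLs are "
                        "incompatible with CBAC")
    return problems


if __name__ == "__main__":
    # Constructed sample: two blocked hosts, an existing user ACL as post-block.
    for ace in build_blocking_acl(["192.0.2.10", "198.51.100.7"],
                                  pre_block=["permit udp any any eq 53"],
                                  post_block=["permit tcp any any eq 80",
                                              "deny ip any any"],
                                  sensor_ip="10.0.0.5"):
        print(ace)
    print(check_managed_interface("FastEthernet0/0", "in",
                                  {("FastEthernet0/0", "in"): "EDGE_IN"},
                                  {"FastEthernet0/0"}))
```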