In some situations, where you have a multihomed network, for example, it might be more effective to use a "proxy" blocker, known as a master blocking sensor. The master blocking sensor is the sensor that receives instructions to perform blocking on its managed device, whereas the forwarding blocking sensor is the sensor that sends a blocking request to a master blocking sensor so that the master blocking sensor blocks on its own managed device.
Figure 11.5 shows a network that has two external connections from different vendor Internet service providers (ISPs).
Each interface to the providers' routers is protected by a PIX Firewall and an IDS Sensor. For Provider A, Sensor A communicates blocking instructions to Router A. At the Provider B interface, Sensor B communicates blocking instructions to Firewall B.
If a host uses Provider A's network to launch an attack on the protected network, Sensor A instructs Router A to block the host or connection. The attacking host, however, can still launch an attack coming through Provider B's network. This is where the benefits of master blocking come into play. With master blocking, Sensor A can instruct (or forward a request to) Sensor B to block on Firewall B when Sensor A detects the attack from Provider A's network. Sensor A is acting as the forwarding blocking sensor, and Sensor B is the master blocking sensor.
It's critical that you take the following rules into consideration when designing your master blocking network configurations:
A master blocking sensor can be any sensor that controls blocking on a device on behalf of another sensor.
Any sensor can be a master blocking sensor.
A sensor can forward blocking requests to up to 10 master blocking sensors.
A master blocking sensor can handle requests from multiple forwarding blocking sensors.
A master blocking sensor can use other master blocking sensors to control blocking on other devices; that is, a master blocking sensor can be a forwarding blocking sensor at the same time.
In the example in Figure 11.5, therefore, Sensor A could be the master blocking sensor for Router A while Sensor B is the master blocking sensor for Firewall B. Both sensors can forward blocking requests to one another as well as to other master blocking sensors. Both sensors can also receive forwarding requests from one another as well as from other forwarding blocking sensors.
A master blocking sensor can receive blocking requests from multiple forwarding blocking sensors; a forwarding blocking sensor can forward blocking requests to up to a maximum of 10 master blocking sensors.
Now that we have been through the concepts of master blocking, we will go through the configuration.
On the master blocking sensor, add each forwarding blocking sensor to the Allowed Hosts table.
For each forwarding blocking sensor, complete the following tasks:
Specify the master blocking sensors.
Define the RDEP communications either by auto-retrieving them using IDS MC or by manually configuring them with the CLI or IDM. (Recall that IDS version 4 sensors communicate blocking instructions to one another using RDEP, whereas version 3 sensors use the PostOffice Protocol.)
Add the master blocking sensors to the TLS Trusted Hosts table if Transport Layer Security (TLS) is enabled (it is enabled by default), using the tls trusted-host ip-address command.
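The procedure above applied to the Figure 11.5 topology, as an added CLI transcript that is not from the book: Sensor A (constructed address 10.1.1.10) forwards blocking requests to Sensor B (constructed address 10.2.2.20). The submode names follow the IDS version 4 service networkAccess and service host CLI hierarchy as the editor knows it; the host names, addresses, account name and password are placeholders, and lines beginning with ! are annotations, not commands.

```text
! --- On the master blocking sensor (Sensor B): allow RDEP from Sensor A (Allowed Hosts table) ---
sensorB# configure terminal
sensorB(config)# service host
sensorB(config-Host)# networkParams
sensorB(config-Host-net)# accessList ipAddress 10.1.1.10 netmask 255.255.255.255
sensorB(config-Host-net)# exit
sensorB(config-Host)# exit
Apply Changes:?[yes]: yes

! --- On the forwarding blocking sensor (Sensor A): name the master and its RDEP parameters ---
! The account named here must exist on Sensor B; it is what Sensor A authenticates with.
sensorA# configure terminal
sensorA(config)# service networkAccess
sensorA(config-NetworkAccess)# general
sensorA(config-NetworkAccess-gen)# master-blocking-sensors mbs-ipaddress 10.2.2.20
sensorA(config-NetworkAccess-gen-mas)# mbs-username nacuser
sensorA(config-NetworkAccess-gen-mas)# mbs-password PLACEHOLDER-PASSWORD
sensorA(config-NetworkAccess-gen-mas)# mbs-port 443
sensorA(config-NetworkAccess-gen-mas)# mbs-tls true
sensorA(config-NetworkAccess-gen-mas)# exit
sensorA(config-NetworkAccess-gen)# exit
sensorA(config-NetworkAccess)# exit
Apply Changes:?[yes]: yes

! --- Still on Sensor A: trust Sensor B's certificate, since mbs-tls is true (the default) ---
! The sensor prints Sensor B's certificate fingerprints; compare them against the
! fingerprints read from Sensor B itself before accepting, so a spoofed master cannot
! receive (or discard) Sensor A's blocking requests.
sensorA(config)# tls trusted-host ip-address 10.2.2.20
Would you like to add this to the trusted certificate table for this host?[yes]: yes
```

To let Sensor B also forward requests to Sensor A, as the Figure 11.5 discussion allows, repeat the same three steps with the roles swapped.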