Configuring Cisco IDS Blocking

Configuring Cisco IDS Blocking

Introduction

Blocking… This is a word that just sounds like security, doesn't it? We will block you from our network. In the world of Cisco, blocking is another name for "shunning," which is the art of actively interacting with a device such as a router and reconfiguring the Cisco device to stop or "block" the attack. The managed device could be a router or a firewall. The IDS sensor uses the control port to establish the connection with the device and applies an ACL to the managed interface. We can have the Cisco IDS sensor talk with the Cisco PIX firewall and dynamically change the configuration to shun an attack. The Cisco IDS sensor can also manage other Cisco IOS devices such as the following:

  • 1600

  • 2500

  • 2600

  • 3600

  • 4500

  • 4700

  • 7200

  • 7500

  • PIX firewalls such as the 501, 506E, 515E, 525, and 535

IP blocking eliminates the need for the engineer to log in to the device and make the blocking changes manually. However, you need to be careful with blocking so as not to inadvertently block someone or something that is not attacking your network, such as a particular server or an extranet connection.


Note

The PIX firewall uses the shun command to block. Unlike the routers, the PIX ACLs are not modified.

Other devices that can be managed are the Cisco Catalyst 6000 series switches with CatOS, 6000 switches with MSFC (Multilayer Switching Feature Card) and the Catalyst 5000 switch with an RSM (Route Switch Module). In order for the blocking to work, the IDS sensor must be able to communicate with the Cisco device and must have VTY (Telnet) access enabled, a line password, and the privileges to make configuration changes. The Cisco PIX can use either VTY (Telnet) or SSH. A subtle but critical item to remember is that the IDS sensor either needs to be on the same subnet or routed to the subnet of the managed device. You might laugh at this basic concept, but people forget it all the time.


 Note

SSH is optional, but if SSH is configured, then the IDS sensor and the PIX must exchange keys manually.

Cisco blocking is a very powerful and dangerous feature that should only be used after detailed planning. For example, there are always critical resources such as certain hosts that should never be blocked. These need to be identified and prevented from ever being blocked. You need to make sure you have some type of antispoofing in place to ensure a spoofed address will not enable blocking on a legitimate address by mistake. By default, the blocking process will last 30 minutes. Is this too long for your network? This needs to be thought about before a block takes place and you are scrambling around trying to fix it in real time. We will cover all this information in more detail throughout this chapter.

The importance of network entry points, or ingress points, will be discussed as well. If the attacker is blocked off on one entry point to our network, can he find another way in? We will investigate Master blocking, a feature that can help us manage this type of situation. Let's now delve into the basics of IP blocking and it's processes.