Configuring the Sensor to Block

In this section, let's delve into how to actually configure IP blocking step by step. As we mentioned earlier in the chapter, there are many different possibilities for network set-ups. Thus, different options may work poorly for one configuration, and well for another configuration. Since we have already decided on which signatures we will want to incorporate in our configuration, and we have specified our blocking devices and reviewed the option of utilizing master blocking on our network, our next steps will be configuring our sensors and routers. This will include configuring the blocking device, or router, for Telnet communications as well as preparing the sensor for which interface will need to be monitored.

Configuring a Router for a Sensor Telnet Session

First, we will configure the router for Telnet access and assign a login password. The login password is essential for allowing us to Telnet to a router and should be something complex yet easy for us to remember. Password security is very important, and we will need to use this password again when configuring our sensors.

Router>enable
Router#configure terminal
Router(config)#line vty 0 4
Router(config-line)#password syngress
Router(config-line)#login
Router(config-line)#exit

Now we will set an enable password for the security of remote configuration changes:

Router(config)#enable password Syngress
Router(config)#^Z   ! ^Z is Ctrl+Z, which leaves configuration mode
Router#write memory
Building Configuration…
[OK]
Router#

At this point, we can exit the router or type show running-config to view our configuration. In the show run output we are interested in the enable password near the top of the configuration (displayed as a type 7 string because service password-encryption is on) and the vty password and login at the bottom. It should look somewhat similar to this:

Router# show running-config
Building configuration…

Current configuration : 2350 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
enable password 7 00071A150754
!
! Router specific data…
!
line vty 0 4
password syngress
login
!
end
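As an added example (not code from the book or from Cisco), here is a small Python check that parses a show running-config excerpt like the one above and confirms the settings the sensor will rely on for its Telnet session: an enable password, and a vty line with both a password and login. The sample configuration is constructed to match the excerpt, with the elided router-specific data left out.

```python
import re
# Constructed sample: the running-config excerpt above, indented as IOS prints it.
SAMPLE_RUNNING_CONFIG = """\
version 12.2
service password-encryption
!
enable password 7 00071A150754
!
line vty 0 4
 password syngress
 login
!
end
"""

def parse_sections(config):
    """Split an IOS config into global commands and the indented sub-commands of each mode-entering command."""
    global_lines, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None            # '!' separates sections in IOS output
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            global_lines.append(current)
            sections[current] = []
    return global_lines, sections

def check_sensor_telnet_prereqs(config):
    """Return the problems that would stop a sensor from logging in over Telnet and reaching privileged mode."""
    global_lines, sections = parse_sections(config)
    problems = []
    if not any(re.match(r"enable (password|secret) ", g) for g in global_lines):
        problems.append("no enable password: the sensor cannot reach privileged mode to apply ACLs")
    vty = [name for name in sections if name.startswith("line vty ")]
    if not vty:
        problems.append("no 'line vty' block: Telnet access is not configured")
    for name in vty:
        body = sections[name]
        if "login" not in body:
            problems.append(f"{name}: missing 'login', so no password is asked for")
        if not any(cmd.startswith("password ") for cmd in body):
            problems.append(f"{name}: no line password, so 'login' rejects every session")
    return problems
```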

Configuring the Sensor

Now we need to set up the sensor for the blocking devices it will monitor by using the Cisco Secure Policy Manager (CSPM). These settings indicate to the sensor which routers, by Telnet IP address, will be governed and updated as well as indicate the correct settings for dynamic Telnet sessions, including login password and possible usernames to use.

First, we will need to start our Cisco Secure Policy Manager. Once the CSPM is open, we will select our target sensor from the Network Topology Tree in the left pane, as shown in Figure 8.5.

Figure 8.5: The Network Topology Tree

Second, we will select the Blocking tab from the sensor view panel on the right side of the CSPM and then select the Blocking Devices tab. This will give us a list of the configured network devices currently monitored by the sensor, if any. This can be seen in Figure 8.6.

Figure 8.6: The Blocking Devices Tab

At this point, we can add the blocking device we want to configure to this sensor. By selecting Add, we will be given the options we need to configure the sensor to both recognize and manage this blocking device. This can be seen in Figure 8.7.

Figure 8.7: The Blocking Device Properties Dialog

The following fields appear in the Blocking Device Properties dialog:

  • Telnet IP Address This is needed by the sensor to establish a connection to the blocking device if any changes are to be made to the interface's ACL usage.

  • Telnet Username This is not always necessary. If usernames are used on the network, then this option will need to be filled in to provide the sensor with the ability to log in. If it is not used, then it is fine to leave this option blank.

  • Telnet Password This is the login password configured on the blocking device to allow Telnet connections from the sensor.

  • Enable Password This is necessary for the implementation of any new ACLs. If this is not configured, any sensor-configured ACL updates will not be accepted by the blocking device.

  • Blocking Interfaces This area specifies the interface and traffic direction of the blocking device the sensor will be managing. To configure this, we will select Add and configure the following:

    • Interface Name The interface on the blocking device we want to be monitored. This is the name of the interface followed by its number, for example Serial0 or FastEthernet2/8. Notice there is no space between the name and the number; the sensor needs this exact form to identify the interface.

    • Interface Direction This is where we configure which direction of traffic we want the sensor to monitor. Here we can choose from either Inbound or Outbound. The implications of the direction were covered earlier in the chapter.

To configure more than one interface on a router, select Add and configure the appropriate settings for each one individually.

Once we have finished entering our configuration settings, select OK twice to accept our changes and then click the Save button to save the new configuration in the CSPM database.

To complete the blocking device configuration, we will now need to push the configuration to the blocking device's respective sensor. After we have saved our new configuration, select the Update button in the toolbar to generate the new configuration files used by the sensor. Select the sensor we wish to push the files to; it should already be selected since we chose this for our initial configuration changes in the first step. We then select the Command tab. If the preceding configurations have been saved and updated, the Approve Now button on the Command tab will be enabled. Click the Approve Now button and the configuration files will be transferred. When the Refresh button becomes enabled, select it to view the configuration update status.

The Never Block IP Addresses Setup

The Never Block Addresses tab is the answer to the critical host issue mentioned earlier in this chapter. As we mentioned, some systems on our networks should never be blocked, such as a DNS server or the Cisco Secure IDS Director and sensors. This option keeps the sensor a safe network-monitoring tool while allowing those systems to function normally. The following describes how we configure these systems as Never Block Addresses.

From the Network Topology Tree in the left pane of the CSPM, select the sensor that is monitoring the network that a particular critical host resides upon. Now select the Blocking tab as in the previous exercise. We should now be looking at the Never Block Addresses tab. If not, select the appropriate tab. This tab can be seen in Figure 8.8.

Figure 8.8: The Never Block Addresses Tab

Click the Add button to add the critical hosts, or critical subnets, that we never want to be blocked. These hosts or networks are identified by IP address and subnet mask, and each one must be added and configured individually. Once this list is complete, choose OK and then save the settings. We then need to update our sensors as in the last exercise, using the Update and Approve Now buttons under the Command tab of our sensors. This process must be repeated for each sensor on the network that uses IP blocking.

Using the Master Blocking Sensor

We previously discussed master blocking and its methods for securing the various entrances to our networks. If we have a large network with master blocking in place, our sensors will dynamically update each other to protect all entry points before an attacker can reroute and attempt to regain access. Let's take a look at how this option is configured.

Select a sensor that will use master blocking from the Network Topology Tree in the left pane of the Cisco Secure Policy Manager. Select the Blocking tab and the Master Blocking Sensor subtab. The Master Blocking Sensor subtab can be seen in Figure 8.9. In this area, we can see the sensors, if any, that are currently serving as this sensor's master blocking sensors.

Figure 8.9: The Master Blocking Sensor

Select the Add button, which opens the Blocking Sensor Selection window shown in Figure 8.10. From this window, select the name of the sensor that has been chosen as the master blocking sensor and select OK. In this example, Sensor3 is our only option.

Figure 8.10: The Blocking Sensor Selection Window

Now select OK and click Save to save the new settings. From here, we need to update and distribute, or push, our new configuration files as mentioned earlier. Again, this is performed by using the Update and Approve Now buttons under the Command tab of our sensors.

Manually Blocking and Removing a Block

Another option available to us with Cisco Secure IDS is to manually block, or remove a block from, an IP address. Some administrators may like this option, as it gives much more freedom to choose when and where IP Blocking takes place. It may also suit a Cisco Secure IDS implementation that was done quickly and has not yet been fully configured. Another reason could be that Mr. Smith in payroll forgot to add your bonus to your last paycheck (of course, we don't condone this type of behavior). Whatever the reason, this process is a simple and effective method for IP Blocking.

Let's first look at manually blocking a specific IP address of a host or a network. Using the Cisco Secure Policy Manager, we need to perform the following steps:

  1. Select Tools | View Sensor Events | Database to open the Event Viewer – Database Events.

  2. Choose View | Connection Status Pane for an easier window format to view.

  3. Pick an alarm with the source IP address of the target to be blocked.

  4. From the menu bar, select Actions | Block | [Host… or Network…].

Shortly afterwards, a Shunning Hosts window will appear with the current status of this operation, and if the block was successfully executed, a "Success" message will appear. A manually configured IP Block has a default Blocking Duration of 1440 minutes, or 24 hours.

Now that we have covered how to invoke blocking manually on a host or network, let's take a look at how to remove a block from a host or network. This may be a desirable option if a critical host was not identified during the planning process of implementation, a false positive wasn't really an attack, or if a vulnerability was mitigated and the block is not needed anymore.

To remove a block, open the CSPM Event Viewer the same way as when adding a block. Select the sensor that will allow us to view the block. Choose the block with the source IP address of the system or network we want to free up and select Actions | Block | [Host… or Network…]. As when implementing a manual block, a window will pop up with the current status information, and a "Success" message will appear if the operation succeeded.
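As an added example (not code from the book or from Cisco Secure IDS), the following Python model ties together the two behaviours described above: Never Block Addresses entered as IP address plus subnet mask, and manual blocks that default to 1440 minutes and can be removed by hand. The refusal of any block that overlaps a Never Block entry, and the simple minute-based clock, are assumptions of this example rather than documented sensor behaviour.

```python
import ipaddress
DEFAULT_BLOCK_MINUTES = 1440  # default Blocking Duration of a manual block (24 hours)

class BlockList:
    """Hypothetical model of a sensor's block table with a Never Block list."""

    def __init__(self, never_block):
        # Never Block entries are IP address plus mask, as entered in CSPM.
        self.never_block = [ipaddress.ip_network(n, strict=False) for n in never_block]
        self.blocks = {}  # network -> expiry, in minutes on a simple clock

    def is_protected(self, target):
        # Assumption: refuse anything overlapping a Never Block entry, so a network
        # block cannot silently cover a critical host inside it.
        net = ipaddress.ip_network(target, strict=False)
        return any(net.overlaps(p) for p in self.never_block)

    def block(self, target, now, minutes=DEFAULT_BLOCK_MINUTES):
        """Manually block a host or network; returns False if refused."""
        if self.is_protected(target):
            return False
        self.blocks[ipaddress.ip_network(target, strict=False)] = now + minutes
        return True

    def unblock(self, target):
        """Manually remove a block; returns False if none exists for the target."""
        return self.blocks.pop(ipaddress.ip_network(target, strict=False), None) is not None

    def expire(self, now):
        """Drop blocks whose duration has elapsed and return them as strings."""
        expired = [n for n, until in self.blocks.items() if until <= now]
        for n in expired:
            del self.blocks[n]
        return [str(n) for n in expired]

    def is_blocked(self, address, now):
        ip = ipaddress.ip_address(address)
        return any(ip in n and until > now for n, until in self.blocks.items())

def demo():
    # Constructed scenario: a DNS server and the sensor subnet must never be blocked.
    bl = BlockList(["192.0.2.53/255.255.255.255", "198.51.100.0/255.255.255.0"])
    results = {
        "offender": bl.block("203.0.113.9", now=0),        # plain host, treated as /32
        "dns": bl.block("192.0.2.53", now=0),              # refused: Never Block host
        "sensor_net": bl.block("198.51.100.0/24", now=0),  # refused: sensor subnet
        "covering_net": bl.block("192.0.2.0/24", now=0),   # refused: would cover the DNS server
    }
    results["blocked_now"] = bl.is_blocked("203.0.113.9", now=100)
    results["expired"] = bl.expire(now=DEFAULT_BLOCK_MINUTES)
    results["blocked_after"] = bl.is_blocked("203.0.113.9", now=DEFAULT_BLOCK_MINUTES)
    return results
```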