Slide 1: Chapter 15, Blocking Configuration
Slide 2
Upon completion of this chapter, you will be able to complete the following tasks:
• Describe the device management capability of the Sensor
and how it is used to perform blocking with a Cisco
device.
• Design a Cisco IDS solution using the blocking feature,
including the ACL placement considerations, when
deciding where to apply Sensor-generated ACLs.
• Configure a Sensor to perform blocking with a Cisco device.
• Configure a Sensor to perform blocking through a Master
Blocking Sensor.
Slide 3: Introduction
Slide 4
• Blocking—A Cisco IDS Sensor feature.
• Device management—The ability of a Sensor to interact
with a Cisco device and dynamically reconfigure the
Cisco device to stop an attack.
• Managed device—The Cisco device (router, PIX Firewall or
Catalyst switch) that actually blocks the attack. This is
also referred to as a blocking device.
• Blocking Sensor—The Cisco IDS Sensor configured to
control the managed device.
• Interface/direction—The combination of a device interface
and a direction, in or out.
• Managed interface—The interface on the managed device
where the Cisco IDS Sensor applies the ACL.
• Active ACL—The ACL created and maintained by the
Sensor which is applied to the managed interfaces.
Slide 5: Blocking Devices
Slide 6: Blocking Guidelines
• Implement anti-spoofing mechanisms.
• Identify hosts that are to be excluded from
blocking.
• Identify network entry points that will participate
in blocking.
• Assign the block reaction to signatures that are
deemed as an immediate threat.
• Determine the appropriate blocking duration.
Slide 7: NAC Block Actions
The following actions will initiate a block:
• Response to an alert event generated from a
signature that is configured with a block action.
• Manually initiated from a management interface.
• Configured to initiate a permanent block action.
Slide 8: Blocking Process
The following explains the blocking process:
• An event or action occurs that has a block
action associated with it.
• The Sensor pushes a new set of configurations or
ACLs, one for each interface/direction, to each controlled device.
• An alarm is sent to the Event Store at the same
time the Sensor initiates the block.
• When the block completes, all configurations or
ACLs are updated to remove the block.
Slide 9: Blocking Scenario
Figure: an attacker at 172.26.26.1 on the untrusted network targets 192.168.1.10 on the protected network through a router managed by the Sensor. (1) The attack traffic crosses the router; (2) the Sensor detects the attack; (3) the Sensor writes an ACL on the router that denies 172.26.26.1.
Slide 10: ACL Considerations
Slide 11: Where to Apply ACLs
Figure: a router between the untrusted and protected networks, with an inbound ACL on the external interface and an outbound ACL on the internal interface.
• When the Sensor has full control of an interface/direction,
no manually entered ACLs are allowed on it.
• Apply the ACL to the external interface in the inbound
direction, or
• Apply the ACL to the internal interface in the outbound
direction.
Slide 12: Applying ACLs on the External vs. Internal Interfaces
• External interface in the inbound direction
– Denies traffic from the blocked host before it enters
the router.
– Provides the best protection against an attacker,
because the router itself is also shielded.
• Internal interface in the outbound direction
– Denies traffic from the blocked host before it enters
the protected network.
– The block does not apply to the router itself.
Slide 13: Using Existing ACLs
• The Sensor takes full control of the managed interface/direction.
• Existing ACL entries can be included before the
dynamically created entries. This is referred to as applying a Pre-block ACL.
• Existing ACL entries can be added after the dynamically
created entries. This is referred to as applying a Post-block ACL.
• The existing ACL must be an extended IP access list,
either named or numbered.
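The Blocking Guidelines, Blocking Process, ACL placement and Pre-block/Post-block slides above describe what the Sensor pushes to a router but never show the resulting ACL. The following Python model is an added example, not course material and not Cisco software: it builds the active ACL a Sensor would write for one interface/direction, keeps Pre-block entries ahead of the dynamic denies and Post-block entries behind them, refuses to block anything on the Never Block list, and releases a block when its duration elapses (a permanent block has no duration). The ACL name IDS_Serial0_in, the interface Serial0, the sample pre-block and post-block entries, the never-block networks and all addresses are constructed for the example; the trailing `permit ip any any` emitted when no Post-block ACL exists is an assumption about how the Sensor stops the new ACL from denying everything.

```python
"""Model of the active ACL a blocking Sensor pushes to a managed Cisco router (added example)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Block:
    host: str                    # source address denied on the managed interface
    started: int                 # time the block began (epoch seconds)
    duration_min: Optional[int]  # None models a permanent block

    def expired(self, now: int) -> bool:
        if self.duration_min is None:
            return False
        return now >= self.started + self.duration_min * 60


@dataclass
class BlockingSensor:
    """Constructed model of a blocking Sensor managing one interface/direction."""
    acl_name: str
    interface: str                                   # managed interface
    direction: str = "in"                            # "in" or "out"
    pre_block: list = field(default_factory=list)    # existing ACEs kept before the dynamic denies
    post_block: list = field(default_factory=list)   # existing ACEs kept after the dynamic denies
    never_block: list = field(default_factory=list)  # hosts/networks that must never be denied
    blocks: dict = field(default_factory=dict)       # host -> Block (automatic, manual or permanent)

    def request_block(self, host: str, now: int, duration_min: Optional[int] = 30) -> bool:
        """Add a block unless the host is on the Never Block list; False means it was excluded."""
        addr = ip_address(host)
        if any(addr in ip_network(n, strict=False) for n in self.never_block):
            return False
        self.blocks[host] = Block(host, now, duration_min)
        return True

    def expire_blocks(self, now: int) -> list:
        """Drop blocks whose duration has elapsed and return the hosts released."""
        released = [h for h, b in self.blocks.items() if b.expired(now)]
        for h in released:
            del self.blocks[h]
        return released

    def active_acl(self, now: int) -> list:
        """Render the extended ACL: pre-block ACEs, dynamic denies, post-block ACEs, then apply it."""
        self.expire_blocks(now)
        lines = [f"ip access-list extended {self.acl_name}"]
        lines += [f" {ace}" for ace in self.pre_block]
        lines += [f" deny ip host {b.host} any" for b in self.blocks.values()]
        lines += [f" {ace}" for ace in self.post_block]
        if not self.post_block:
            # Assumption: without a Post-block ACL the Sensor ends the list with a permit,
            # otherwise the implicit deny would drop all traffic once the ACL is applied.
            lines.append(" permit ip any any")
        lines += [f"interface {self.interface}",
                  f" ip access-group {self.acl_name} {self.direction}"]
        return lines


def example_sensor() -> BlockingSensor:
    """Sensor for the chapter's scenario (constructed values): external interface, inbound."""
    return BlockingSensor(
        acl_name="IDS_Serial0_in",
        interface="Serial0",
        pre_block=["permit icmp any any echo-reply"],
        post_block=["permit tcp any host 192.168.1.10 eq www", "deny ip any any log"],
        never_block=["192.168.1.0/24", "10.1.1.4/32"],  # protected hosts and the Sensor itself
    )


def scenario() -> dict:
    """Walk the scenario: attack from 172.26.26.1, 30-minute block, a manual permanent block, expiry."""
    s = example_sensor()
    t0 = 1_000_000
    auto = s.request_block("172.26.26.1", t0)                          # signature with block action fires
    excluded = s.request_block("192.168.1.10", t0)                     # spoofed source on a never-block host
    permanent = s.request_block("172.26.26.2", t0, duration_min=None)  # manual permanent block
    during = s.active_acl(t0 + 60)
    after = s.active_acl(t0 + 30 * 60)                                 # automatic block has completed
    return {"auto": auto, "excluded": excluded, "permanent": permanent,
            "during": during, "after": after}


if __name__ == "__main__":
    for line in scenario()["during"]:
        print(line)
```

Two points the model makes visible. Pre-block entries are matched before the dynamic denies, so a broad permit placed in the Pre-block ACL lets a blocked host straight through; entries that must override a block belong there, everything else in the Post-block ACL. The Never Block list is what protects the anti-spoofing guideline: an attacker who forges a critical host's source address cannot get that host denied, which is why the guidelines ask you to identify those hosts before enabling the block action on any signature.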
Slide 14: Blocking Sensor Configuration
Slide 15: Configuration Tasks
Complete the following tasks to configure a Sensor for blocking:
• Assign the block reaction to a signature.
• Assign the Sensor's global blocking properties.
• Define the managed device's properties.
• Assign the managed interface’s properties for
Slide 16: Assign Block Reaction
Slide 17: Sensor's Blocking Properties
Choose Configuration > Settings > Blocking > Blocking Properties.
Slide 18: Managed Device—Cisco Router
Choose Configuration > Blocking > Blocking Devices and select Add.
Slide 19: Managed Device—Cisco Router (cont.)
Slide 20: Managed Device—PIX Firewall
Choose Configuration > Blocking > Blocking Devices and select Add.
Slide 21: Managed Device—Catalyst 6000 VACL
Slide 22: Managed Device—Catalyst 6000 VACL (cont.)
Slide 23: Never Block Addresses
Choose Configuration > Settings > Blocking > Never Block Addresses and
click Add.
Slide 24: Master Blocking Sensor Configuration
Slide 25: Master Blocking Sensors
Figure: Sensor A, which manages Router A, commands Sensor B to block; Sensor B applies the block on PIX Firewall B in front of the protected network.
Slide 26: Master Blocking Sensor Characteristics
The following are the characteristics of a Master
Blocking Sensor:
• It performs blocking on a device on behalf of another Sensor
(the Blocking Forwarding Sensor).
• A Blocking Forwarding Sensor can be configured with one or more
Master Blocking Sensors.
• A Master Blocking Sensor can perform blocking on behalf of
multiple Sensors.
• ... Sensors to control other devices.
Slide 27: Master Blocking Sensor Configuration
Master Blocking Sensor Configuration:
• Add each FBS to the Allowed Hosts table.
Blocking Forwarding Sensor Configuration:
• Specify the MBS; define RDEP communication parameters
– RDEP parameters of MBS are auto-retrieved using IDS MC.
– Manually configured using IDM/CLI.
• Add MBS to TLS Trusted Host table, if TLS enabled
(default), using the “tls trusted-host ip-address”
command.
Slide 28: Configuring Master Blocking Sensors
Choose Configuration > Settings > Blocking > Master Blocking Sensors and
click Add.
Slide 29: Summary
Slide 30
• Device management is the ability of a Sensor to
dynamically reconfigure a Cisco device to block the
source of an attack in real time.
• Guidelines for designing an IDS solution with blocking
include the following:
– Implement an anti-spoofing mechanism.
– Identify critical hosts and network entry points.
– Select applicable signatures.
– Determine the blocking duration.
• Sensors can serve as Master Blocking Sensors.
• The ACLs may be applied on either the external or internal interface of the Cisco device, in the inbound or outbound direction on either interface.
Slide 31: Lab Exercise
Slide 32: Lab Visual Objective
Figure: two pod networks, 172.30.P.0 and 172.30.Q.0, each with a Sensor (sensorP and sensorQ) and hosts at .4, .50 and .100 offering WEB and FTP services, connected through RBB.