Configuring Attack Response Controller for Blocking and Rate Limiting
You can configure an IPS device to implement blocks or rate limits to control attacks. Blocking and rate limiting are primarily of use when operating in promiscuous mode. When operating in inline mode, it is much more efficient to have the IPS drop traffic itself. Blocking and rate limiting are actions that other devices implement at the request of the IPS; thus, configuring blocking and rate limiting is a more complex configuration than simple inline denies.
To configure blocking or rate limiting, you must identify the network device that performs the blocking. A network device that performs blocking is called a blocking device. Many network devices can be used to support blocking: Cisco IOS routers and Catalyst 6500 switches, Cisco security appliances (ASA, PIX, and FWSM), and Catalyst 6500/7600 devices running the Catalyst operating system. You can also configure another IPS device to act as a master blocking sensor.
Note IPS blocking and rate limiting works only for IPS appliances and service modules. You cannot configure it for Cisco IOS IPS.
Understanding IPS Blocking
The Attack Response Controller (ARC) component of the IPS is responsible for managing network devices in response to suspicious events by blocking access from attacking hosts and networks. ARC blocks the IP address on the devices it is managing. It sends the same block to all the devices it is managing, including any other master blocking sensors. ARC monitors the time for the block and removes the block after the time has expired.
Note ARC is formerly known as Network Access Controller. Although the name has been changed, the IPS documentation and configuration interfaces contain references to Network Access Controller, nac, and network-access.
ARC completes the action response for a new block in no more than 7 seconds. In most cases, it completes the action response in less time. To meet this performance goal, you should not configure the sensor to perform blocks at too high a rate or to manage too many blocking devices and interfaces. We recommend that the maximum number of blocks not exceed 250 and the maximum number of blocking items not exceed 10. To calculate the maximum number of blocking items, a security appliance counts as one blocking item per blocking context. A router counts as one blocking item per blocking interface/direction. A switch running Catalyst software counts as one blocking item per blocking VLAN. If the recommended limits are exceeded, ARC might not apply blocks in a timely manner or might not be able to apply blocks at all.
For security appliances configured in multiple-context mode, Cisco IPS does not include VLAN information in the block request. Therefore you must make sure the IP addresses being blocked are correct for each security appliance. For example, suppose the sensor is monitoring packets on a security appliance customer context that is configured for VLAN A, but is blocking on a different security appliance customer context that is configured for VLAN B. Addresses that trigger blocks on VLAN A might refer to a different host on VLAN B.
Note Blocking is not supported on the FWSM on the admin context in multiple-context mode.
There are three types of blocks:
- Host block—Blocks all traffic from a given source IP address.
To configure the IPS to initiate automatic host blocks when a signature is triggered, add the Request Block Host event action to a signature, or add it to events based on risk rating using the event action override policy. See Configuring Event Action Overrides and Configuring Signatures.
- Connection block—Blocks traffic from a given source IP address to a given destination IP address and destination port. Multiple connection blocks from the same source IP address to either a different destination IP address or destination port automatically switch the block from a connection block to a host block.
To configure the IPS to initiate automatic connection blocks when a signature is triggered, add the Request Block Connection event action to a signature, or add it to events based on risk rating using the event action override policy.
- Network block—Blocks all traffic from a given network.
You can initiate host and connection blocks manually or automatically when a signature is triggered. You can only initiate network blocks manually. You cannot initiate network blocks from within Security Manager; use the IPS Device Manager instead.
Tip Connection blocks and network blocks are not supported on security appliances (firewalls). Security appliances only support host blocks with additional connection information.
Note Do not confuse blocking with the ability of the sensor to drop packets. The sensor can drop packets when the following actions are configured for a sensor in inline mode: deny packet inline, deny connection inline, and deny attacker inline.
On Cisco IOS Software devices (routers and Catalyst 6500 series switches), ARC creates blocks by applying ACLs; on Catalyst 6500/7600 devices that run the Catalyst operating system, ARC creates blocks by applying VACLs. ACLs and VACLs permit or deny passage of data packets through interface directions or VLANs. Each ACL or VACL contains permit and deny conditions that apply to IP addresses. The security appliances use the shun command instead of ACLs.
Tip For a list of the specific devices and operating system versions that you can configure as blocking devices, see the supported device information in the chapter “Configuring Attack Response Controller for Blocking and Rate Limiting” in the Installing and Using Cisco Intrusion Prevention System Device Manager publication for your IPS software version. These publications are available on Cisco.com at http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_installation_and_configuration_guides_list.html.
The following topics explain more about IPS blocking:
- Strategies for Applying Blocks
- Understanding Rate Limiting
- Understanding Router and Switch Blocking Devices
- Understanding the Master Blocking Sensor
- Configuring IPS Blocking and Rate Limiting
- Blocking Page
Strategies for Applying Blocks
Blocking is performed only when an event occurs and the event includes the Request Block Connection or Request Block Host event actions. These event actions are not typically needed when you operate the IPS in inline mode, where you use Deny actions to drop undesired traffic.
The following are situations in which you might want to implement blocking actions:
- Promiscuous mode—When running in promiscuous mode, the IPS cannot implement Deny actions. Thus, if you want to prevent traffic from a host, you must implement blocking.
- Inline mode—In inline mode, you can implement Deny actions to immediately drop undesired traffic. However, you might want to add blocking actions to protect other segments of your network.
For example, suppose that your network consists of five subnets, A, B, C, D, and E, and that each of these segments has an inline IPS device monitoring it. If the IPS for subnet A identifies an attack, the IPS can use Deny actions to protect subnet A, but also use Request Block actions to configure the firewalls that protect B, C, D, and E to shun the attacker before the attack can target those other subnets. In this example, you would want to designate a single IPS as the master blocking sensor and have the other four IPS sensors perform blocking through the master blocking sensor.
Use the following techniques to add the request block actions to an event:
- Event Action Override policy—Configure an event action override rule to add the action to all events based on the event’s risk rating. This is a simple approach. You could add the request block action for the same risk ratings used for adding Deny actions. For more information, see Configuring Event Action Overrides.
- Signatures policy—You can add the request block actions to individual signatures. This requires editing each signature to add the action. This can be a time-consuming approach, but it allows you to configure blocking for just the types of events that concern you most. For more information, see Configuring Signatures.
Understanding Rate Limiting
Attack Response Controller (ARC) is responsible for rate limiting traffic in protected networks. Rate limiting lets sensors restrict the rate of specified traffic classes on network devices. Rate limit responses are supported for the Host Flood and Net Flood engines, and the TCP half-open SYN signature. ARC can configure rate limits on network devices running Cisco IOS 12.3 or later. Master blocking sensors can also forward rate limit requests to blocking forwarding sensors.
To add a rate limit to a signature, you must add the Request Rate Limit action. You can then edit the signature parameters to set the percentage for these signatures in the Event Actions Settings folder.
Tip You can also manually implement rate limits, but you cannot do so using Security Manager; use the IPS Device Manager instead.
On the blocking device, you must not apply a service policy to an interface/direction that is configured for rate limiting. If you do so, the rate limit action will fail. Before configuring rate limits, confirm that there is no service policy on the interface/direction, and remove it if one exists. ARC does not remove the existing rate limit unless it is one that ARC had previously added.
Rate limits use ACLs, but not in the same way as blocks. Rate limits use ACLs and class-map entries to identify traffic, and policy-map and service-policy entries to police the traffic.
Understanding Router and Switch Blocking Devices
You can use routers or Catalyst 6500/7600 devices running Cisco IOS Software, or Catalyst 6500/7600 devices running the Catalyst operating system, to implement IPS blocking in your network. When you use routers or switches, Attack Response Controller (ARC) configures extended ACLs (on IOS devices) or VLAN ACLs (on Catalyst OS devices) to implement the blocks. These ACLs and VACLs are created and managed in the same way.
Rate limits also use ACLs, but not in the same way as blocks. Rate limits use ACLs and class-map entries to identify traffic, and policy-map and service-policy entries to police the traffic.
Tip IPS considers Catalyst 6500/7600 devices that run Cisco IOS Software to be equivalent to routers. When you add these devices as blocking devices, add them as routers.
When you configure a router interface or switch VLAN as a blocking interface, you can optionally specify the names of pre- and post-ACLs or VACLs. Although specifying ACL or VACL names is optional, if you have configured ACLs or VACLs on the interface or VLAN, you must identify them to the IPS or ARC will remove them from your device configuration.
The pre- and post-ACL/VACL have the following uses:
- The Pre-Block ACL/VACL is mainly used for permitting what you do not want the sensor to ever block. When a packet is checked against the ACL/VACL, the first line that gets matched determines the action. If the first line matched is a permit line from the Pre-Block ACL/VACL, the packet is permitted even though there may be a deny line (from an automatic block) listed later in the ACL/VACL. The Pre-Block ACL/VACL can override the deny lines resulting from the blocks.
- The Post-Block ACL/VACL is best used for additional blocking or permitting that you want to occur on the same interface or direction. If you have an existing ACL on the interface or direction that the sensor will manage, that existing ACL can be used as a Post-Block ACL/VACL. If you do not have a Post-Block ACL/VACL, the sensor inserts permit ip any any at the end of the new ACL/VACL.
If you are managing the IOS Software blocking device in Security Manager, you can identify the ACL name by selecting the blocking device, then selecting Tools > Preview Config. Look for the ip access-group command in the interface configuration, and check the direction. For example, the following lines show that there is an ACL named CSM_FW_ACL_GigabitEthernet0/1 in the In direction attached to the GigabitEthernet0/1 interface.
In this example, if you configure GigabitEthernet0/1 in the In direction as a blocking interface, ensure that you specify CSM_FW_ACL_GigabitEthernet0/1 as a pre- or post-ACL. In most cases, you should specify the ACL as the post-ACL, so that the relatively short IPS blocking ACL first filters out undesirable traffic before the blocking device implements your other access rules.
Because Security Manager does not manage Catalyst OS devices, you must examine a Catalyst OS device configuration outside of Security Manager to determine VACL names. Keep in mind that a Catalyst 6500/7600 device that runs IOS Software can also have VACLs, but the IPS does not do VLAN blocking on Catalyst 6500/7600 VLANs when the device is running IOS Software.
When the sensor starts up, it reads the contents of the two ACL/VACLs. It creates a third ACL/VACL with the following entries in this order, and this combined ACL/VACL is applied to the interface or VLAN:
1. A permit line with the sensor IP address or, if specified, the NAT address of the sensor.
If you select the Allow Sensor IP address to be Blocked option on the General tab of the Blocking policy, this permit entry is not added. For more information, see General Tab, IPS Blocking Policy.
2. Pre-Block ACL/VACL, if specified.
3. Any active blocks generated by the IPS (deny statements).
4. The Post-Block ACL/VACL, if specified.
If you do not specify a Post-Block ACL/VACL, a permit ip any any entry is added to allow all unfiltered traffic. Note that this negates the normal implicit deny any that ends interface ACLs.
When using Catalyst OS, IDSM-2 inserts permit ip any any capture at the end of the new VACL.
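As an added example (not Cisco's or Security Manager's code), the following Python models the ACL assembly just described together with the two things to check before naming an interface/direction as a blocking interface: it parses a constructed Preview Config excerpt to find the ACL that must be kept as the pre- or post-ACL and any service policy that would make rate limiting fail, then assembles the combined ACL in the documented order, collapsing repeated connection blocks from one source into a host block. The deny-line syntax, interface names and addresses are assumptions, not ARC's exact output.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of what Tools > Preview Config shows for a blocking router:
# GigabitEthernet0/1 already has an inbound ACL (must be named as pre- or post-ACL);
# GigabitEthernet0/0 has an inbound service policy (must go before rate limiting).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 service-policy input SHAPE_WAN
!
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 ip access-group CSM_FW_ACL_GigabitEthernet0/1 in
!
"""

@dataclass
class InterfaceBindings:
    acl: dict = field(default_factory=dict)             # "in"/"out" -> ACL name
    service_policy: dict = field(default_factory=dict)  # "in"/"out" -> policy name

def find_interface_bindings(config: str) -> dict:
    """Parse IOS interface stanzas for ip access-group and service-policy lines."""
    bindings, current = {}, None
    for line in config.splitlines():
        line = line.rstrip()
        m = re.match(r"^interface (\S+)$", line)
        if m:
            current = bindings.setdefault(m.group(1), InterfaceBindings())
            continue
        if not line.startswith(" "):  # "!" or a global command ends the stanza
            current = None
            continue
        if current is None:
            continue
        m = re.match(r"^\s+ip access-group (\S+) (in|out)$", line)
        if m:
            current.acl[m.group(2)] = m.group(1)
        m = re.match(r"^\s+service-policy (input|output) (\S+)$", line)
        if m:
            current.service_policy["in" if m.group(1) == "input" else "out"] = m.group(2)
    return bindings

def blocking_interface_checks(bindings: dict, interface: str, direction: str) -> dict:
    """An existing ACL on the interface/direction must be entered as the pre- or
    post-ACL (otherwise ARC removes it); a service policy on it must be removed
    before that interface/direction can be used for rate limiting."""
    b = bindings.get(interface, InterfaceBindings())
    return {"existing_acl": b.acl.get(direction),
            "service_policy": b.service_policy.get(direction)}

def normalize_blocks(blocks: list) -> list:
    """Connection blocks from one source to a different destination IP or port
    collapse into a single host block for that source, as the text describes."""
    targets = {}
    for b in blocks:
        if b[0] == "connection":
            targets.setdefault(b[1], set()).add(b[2:])
    promoted = {src for src, t in targets.items() if len(t) > 1}
    result, seen = [], set()
    for b in blocks:
        if b[0] == "connection" and b[1] in promoted:
            b = ("host", b[1])
        if b not in seen:
            seen.add(b)
            result.append(b)
    return result

def block_entry(block: tuple) -> str:
    """Deny line for one block. The entry syntax is assumed; the page only says
    active blocks appear as deny statements."""
    kind = block[0]
    if kind == "host":
        return f"deny ip host {block[1]} any"
    if kind == "connection":
        _, src, dst, proto, port = block
        return f"deny {proto} host {src} host {dst} eq {port}"
    if kind == "network":
        _, net, wildcard = block
        return f"deny ip {net} {wildcard} any"
    raise ValueError(f"unknown block type {kind!r}")

def build_blocking_acl(sensor_ip, blocks, pre_acl=(), post_acl=(), nat_ip=None,
                       allow_sensor_blocked=False):
    """Combined ACL in the documented order: (1) permit for the sensor or its NAT
    address unless 'Allow Sensor IP address to be Blocked' is set; (2) pre-block
    ACL; (3) one deny per active block; (4) post-block ACL, or permit ip any any
    when no post-block ACL is specified."""
    entries = []
    if not allow_sensor_blocked:
        entries.append(f"permit ip host {nat_ip or sensor_ip} any")
    entries.extend(pre_acl)
    entries.extend(block_entry(b) for b in normalize_blocks(blocks))
    entries.extend(post_acl if post_acl else ["permit ip any any"])
    return entries
```

Run blocking_interface_checks over your own Preview Config output for each interface/direction you intend to list in the blocking policy; an existing_acl result is the name to enter as the post-ACL.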
If ARC is managing a device and you need to configure the ACL/VACLs on that device, you should disable blocking first. You want to avoid a situation in which both you and ARC could be making a change at the same time on the same device. This could cause the device or ARC to fail. If you need to modify the Pre-Block or Post-Block ACL/VACL, do the following:
1. Disable blocking on the sensor.
Because you are making a temporary change, you can disable and then reenable blocking by using the IPS Device Manager (IDM) on the device. Alternatively, you can deselect the Enable Blocking option on the General tab of the Blocking policy in Security Manager, then deploy the configuration to the IPS sensor. To reenable blocking, select the Enable Blocking option again and deploy the configuration to the IPS sensor.
2. Make the changes to the configuration of the device. For example, if you manage the blocking device in Security Manager, deploy the updated configuration and wait for the device to reload.
Understanding the Master Blocking Sensor
Multiple sensors (blocking forwarding sensors) can forward blocking requests to a specified master blocking sensor, which controls one or more devices. The master blocking sensor is the ARC running on a sensor that controls blocking on one or more devices on behalf of one or more other sensors. When a signature fires that has blocking or rate limit requests configured as event actions, the sensor forwards the block or rate limit request to the master blocking sensor, which then performs the block or rate limit.
When you add a master blocking sensor, you reduce the number of blocking devices per sensor. For example, if you want to block on 10 firewalls and 10 routers with one blocking interface/direction each, you can assign 10 to the sensor and assign the other 10 to a master blocking sensor.
You configure master blocking sensors on the Master Blocking Sensors tab of the Blocking policy, as described in Blocking Page.
When configuring master blocking sensors, keep the following tips in mind:
- Two sensors cannot control blocking or rate limiting on the same device. If you need this, configure one sensor as the master blocking sensor to manage the devices, and have the other sensors forward their requests to the master blocking sensor.
- On the blocking forwarding sensor, identify which remote host serves as the master blocking sensor; on the master blocking sensor you must add the blocking forwarding sensors to its access list using the Allowed Hosts policy. See Identifying Allowed Hosts.
- If the master blocking sensor requires TLS for web connections, you must configure the ARC of the blocking forwarding sensor to accept the X.509 certificate of the master blocking sensor remote host. Sensors by default have TLS enabled, but you can change this option. For more information, see Master Blocking Sensor Dialog Box.
- Typically the master blocking sensor is configured to manage the network devices. Blocking forwarding sensors are not normally configured to manage other network devices, although doing so is permissible.
- Only one sensor should control all blocking interfaces on a device.
Configuring IPS Blocking and Rate Limiting
If you use the Request Block Host, Request Block Connection, or Request Rate Limit actions on any signatures, or add them to events using the event action override policy, you must configure blocking devices. If you do not use these actions, there is no need to configure blocking devices.
Before you configure blocking, read the following topics:
- Understanding IPS Blocking
- Strategies for Applying Blocks
- Understanding Rate Limiting
- Understanding Router and Switch Blocking Devices
- Understanding the Master Blocking Sensor
Step 1 Do one of the following:
- (Device view) Select Platform > Security > Blocking from the Policy selector.
- (Policy view) Select IPS > Platform > Security > Blocking, then select an existing policy or create a new one.
For an overview of the blocking policy, see Blocking Page.
Step 2 On the General tab, change any settings where you want non-default values. However, the default values are appropriate for most networks. For detailed information about the settings, see General Tab, IPS Blocking Policy.
Step 3 Click the User Profiles tab and create the user profiles that are required to log into the blocking devices.
- To add a profile, click the Add Row button and fill in the Add User Profile dialog box (see User Profile Dialog Box).
- To edit a profile, select it and click the Edit Row button.
- To delete a profile, select it and click the Delete Row button. Before you delete a profile, ensure that it is not currently being used by a blocking device.
Step 4 If you need to use a master blocking sensor, as described in Understanding the Master Blocking Sensor, click the Master Blocking Sensors tab and do the following:
- To add a master blocking sensor, click the Add Row button and fill in the Add Master Blocking Sensor dialog box (see Master Blocking Sensor Dialog Box).
- To edit a master blocking sensor, select it and click the Edit Row button.
- To delete a master blocking sensor, select it and click the Delete Row button.
Step 5 Identify the blocking devices (unless you will use master blocking sensors only). You must add the devices to the correct tab:
- Routers tab—For all Cisco IOS Software devices, including Catalyst 6500 switches that are running IOS Software.
- Firewalls tab—For ASA, PIX, and FWSM.
- Catalyst 6K tab—For Catalyst 6500/7600 devices that are running the Catalyst operating system.
On each tab, the configuration steps are the same:
- To add a device, click the Add Row button and fill in the Add Router, Firewall, or Cat6K Device dialog box (see Router, Firewall, Cat6K Device Dialog Box).
- To edit a device, select it and click the Edit Row button.
- To delete a device, select it and click the Delete Row button.
Step 6 Click the Never Block Hosts and Networks tab and identify the hosts and networks that should never be blocked. These lists affect blocking actions, but they do not affect rate limiting actions. Identify your trusted networks and hosts:
- To add a host or network, click the Add Row button beneath the appropriate table and fill in the Add Never Block Host or Network dialog box (see Never Block Host or Network Dialog Boxes).
- To edit a host or network, select it and click the Edit Row button.
- To delete a host or network, select it and click the Delete Row button.
Blocking Page
Use the Blocking page to configure IPS sensor blocking properties. Configure the blocking policy only if you use the Request Block Connection, Request Block Host, or Request Rate Limit event actions in your signatures or event actions policies. Blocking hosts are used only for events to which these actions are assigned.
Tip The list of hosts and networks to never block applies only to the Request Block Connection and Request Block Host event actions. The list does not affect rate limiting, nor does it affect any of the Deny actions such as Deny Packet Inline. To exempt hosts and networks from Deny or rate limiting actions, use event action filter rules, specify the hosts and networks as Attackers, and remove the actions from events. For more information, see Configuring Event Action Filters.
Navigation Path
- (Device view) Select Platform > Security > Blocking from the Policy selector.
- (Policy view) Select IPS > Platform > Security > Blocking, then select an existing policy or create a new one.
Related Topics
- Configuring IPS Blocking and Rate Limiting
- Understanding IPS Blocking
- Strategies for Applying Blocks
- Understanding Rate Limiting
- Understanding Router and Switch Blocking Devices
- Understanding the Master Blocking Sensor
- Understanding IPS Event Actions
The Blocking page contains the following tabs:
- General tab—The basic settings required to enable blocking and rate limiting. For information about the options on the General tab, see General Tab, IPS Blocking Policy.
- User Profiles tab—The connection credential information profiles for logging into the blocking devices. Before you define a blocking device, create the user profile required to log into the device. The table shows the profile name, username, and the passwords, which are masked with a fixed number of asterisks.
- Master Blocking Sensors tab—The master blocking IPS sensors (see Understanding the Master Blocking Sensor). A master blocking sensor manages blocks for other IPS devices. The table shows the IP address (or network/host object) of the master blocking sensor, the username and password for logging into it, the port used for connections, and whether TLS is used for login.
- Routers tab—The IOS routers and Catalyst 6500/7600 devices (that are running IOS Software) to be used as blocking or rate limiting devices. The table shows the IP address (or network/host object) of the device, the communication method used to log into it, the NAT address of the sensor (0.0.0.0 if NAT is not used), the name of the profile that is used for logging into the device, and the device’s response capabilities (blocking, rate limiting, or both).
- Firewalls tab—The ASA, PIX, and FWSM devices to be used as blocking devices. The table shows the IP address (or network/host object) of the device, the communication method used to log into it, the NAT address of the sensor (0.0.0.0 if NAT is not used), and the name of the profile that is used for logging into the device.
- Catalyst 6K tab—The Catalyst 6500/7600 devices that are running Catalyst software to be used as blocking devices. The table shows the IP address (or network/host object) of the device, the communication method used to log into it, the NAT address of the sensor (0.0.0.0 if NAT is not used), and the name of the profile that is used for logging into the device. Tip Do not use this tab for Catalyst 6500/7600 devices that run Cisco IOS Software. Instead, use the Routers tab.
- Never Block Hosts and Networks tab—The hosts and networks that should never be blocked. Hosts and networks are shown in separate tables. The tables show the IP address or network/host object for the host or network. These lists do not affect rate limiting actions, nor do they apply to Deny actions.
General Tab, IPS Blocking Policy
Use the General tab of the Blocking policy to configure the basic settings required to enable blocking and rate limiting.
Navigation Path
- (Device view) Select Platform > Security > Blocking from the Policy selector. If necessary, select the General tab.
- (Policy view) Select IPS > Platform > Security > Blocking, then select an existing policy or create a new one. If necessary, select the General tab.
User Profile Dialog Box
Use the Add or Modify User Profile dialog box to add or modify a user profile for an IPS blocking device. The profile defines a username and passwords that the IPS device can use to log into and configure the router, switch, or firewall that will implement IPS blocking.
Although you can save a profile that has a profile name only, the requirements for username, password, and enable password are determined by the device. You must specify the items required by the device to enter configuration mode, or the IPS cannot configure blocking on the device.
From the IPS Blocking policy, select the User Profiles tab and click the Add Row button, or select an existing profile and click the Edit Row button. For information on opening the Blocking policy, see Blocking Page.
Master Blocking Sensor Dialog Box
Use the Add or Modify Master Blocking Sensor dialog box to configure a master blocking sensor. For more information about master blocking sensors, see Understanding the Master Blocking Sensor.
From the IPS Blocking policy, select the Master Blocking Sensors tab and click the Add Row button or select an existing sensor and click the Edit Row button. For information on opening the Blocking policy, see Blocking Page.
Router, Firewall, Cat6K Device Dialog Box
Use the Add or Modify Router, Firewall, or Cat6K Device dialog box to configure a device as a blocking device for an IPS sensor. The name of the dialog box indicates the type of device you are adding:
- Router—IOS Software routers and Catalyst 6500/7600 devices. These devices can do rate limiting as well as blocking. See Understanding Router and Switch Blocking Devices.
- Firewall—ASA and PIX appliances and the FWSM.
- Cat6K—Catalyst 6500/7600 devices that are running Catalyst OS software.
Tip If the Catalyst 6500/7600 runs Cisco IOS Software, add the device as a router on the Router tab. Do not add the device to the Cat6K tab.
From the IPS Blocking policy, select the Router, Firewall, or Catalyst 6K tab and click the Add Row button or select an existing row and click the Edit Row button. For information on opening the Blocking policy, see Blocking Page.
The dialog box contains the following fields:
- IP Address—The IP address of the device. Enter the IP address or the name of a network/host policy object that contains a single host address, or click Select to select an object from a list or to create a new one.
- Communication—The communication mechanism used to log in to the blocking device (SSH 3DES, SSH DES, Telnet). The default is SSH 3DES. If you choose SSH 3DES or SSH DES, you must add the device to the known hosts list. The easiest way to add the device to the known hosts list is to use the IPS Device Manager (IDM) to log into the sensor, choose Configuration > Sensor Management > SSH > Known Host Keys > Add Known Host Key, and add the device address. Alternatively, you can log into the sensor CLI, enter configuration mode, and use the ssh host-key command.
- Sensor NAT Address—The NAT address of the sensor, if any is used between the sensor and the blocking device. Enter the NAT address or the name of a network/host policy object that contains a single host address, or click Select to select an object from a list or to create a new one. Leave the default 0.0.0.0 if NAT is not used.
- Profile Name—The login profile used to log in to the blocking device. You must create this profile on the User Profiles tab of the blocking policy or the IPS cannot successfully use this blocking device.
- Interfaces and directions where blocks will be applied (table)—The interfaces on the device that should be used for blocking or rate limiting. The table shows the interface name, direction, and the names of existing ACLs that the IPS device should incorporate into the blocking ACL. If the interface already has an ACL configured for the specified direction, you must specify that ACL name as a pre- or post-ACL or the IPS removes the ACL. These ACLs are used for blocking only, not for rate limiting.
- Response Capabilities—The actions that this router can implement. Use Ctrl+click to select multiple actions (highlighted actions are selected). The options are blocking and rate limiting (see Understanding Rate Limiting); select both if the router should do both.
- VLANs where blocks will be applied (table)—(Catalyst 6500/7600 devices running the Catalyst operating system only.) The VLANs on the device that should be used for blocking. The table shows the VLAN name and the names of existing VLAN ACLs (VACL) that the IPS device should incorporate into the blocking VACL. If the VLAN already has a VACL configured, you must specify that VACL name as a pre- or post-VACL or the IPS removes the VACL.
Router Block Interface Dialog Box
Use the Add or Modify Router Block Interface dialog box to configure a blocking interface on a router or IOS Software Catalyst 6500/7600 device that is configured as an IPS blocking device. The IPS sensor uses the interface for blocking actions.
From the Add or Modify Router Device dialog box, click the Add Row button beneath the interfaces table, or select a row in the table and click the Edit Row button. For information on opening the Router Device dialog box, see Router, Firewall, Cat6K Device Dialog Box.
The dialog box contains the following fields:
- Interface Name—The name of the interface on the router that the IPS should use for blocking. Enter the name exactly as it is configured on the router (for example, GigabitEthernet0/1).
- Pre ACL Name, Post ACL Name—The ACLs to combine with the blocking entries that the IPS creates to implement blocking actions. The Pre ACL is added before the blocking ACL, and the Post ACL is added after the blocking ACL. For more information, see Understanding Router and Switch Blocking Devices. Tip If you have configured an ACL on the interface in the specified direction, you must specify the name of the ACL in the Pre or Post ACL Name field or the ACL will be removed from the interface. When you identify an interface and direction as a blocking interface, the IPS takes control of the ACL on that interface/direction.
If you are managing the blocking device in Security Manager, you can identify the ACL name by selecting the blocking device, then selecting Tools > Preview Config. Look for the ip access-group command in the interface configuration, and check the direction. For example, the following lines show that there is an ACL named CSM_FW_ACL_GigabitEthernet0/1 in the In direction attached to the GigabitEthernet0/1 interface. In this example, if you configure GigabitEthernet0/1 in the In direction as a blocking interface, ensure that you specify CSM_FW_ACL_GigabitEthernet0/1 as a pre- or post-ACL. In most cases, you should specify the ACL as the post-ACL, so that the relatively short IPS blocking ACL first filters out undesirable traffic before the blocking device implements your other access rules.
Cat6k Block VLAN Dialog Box
Use the Add or Modify Cat6k Block VLAN dialog box to configure a blocking VLAN on a Catalyst 6500/7600 device that runs the Catalyst operating system and that is configured as an IPS blocking device. The IPS sensor uses the VLAN for blocking actions.
Tip If the Catalyst 6500/7600 runs Cisco IOS Software, add the device as a router, not a Cat6K.
From the Add or Modify Cat6K Device dialog box, click the Add Row button beneath the VLANs table, or select a row in the table and click the Edit Row button. For information on opening the Cat6K Device dialog box, see Router, Firewall, Cat6K Device Dialog Box.
The dialog box contains the following fields:
- VLAN Number—The number of the VLAN on the Catalyst 6500/7600 device that the IPS should use for blocking. The number can be 1 to 4094 and must be defined on the device.
- Pre VACL Name, Post VACL Name—The VLAN ACLs to combine with the blocking entries that the IPS creates to implement blocking actions. The Pre VACL is added before the blocking VACL, and the Post VACL is added after the blocking VACL. For more information, see Understanding Router and Switch Blocking Devices. Tip If you have configured a VACL on the VLAN, you must specify the name of the VACL in the Pre or Post VACL Name field or the VACL will be removed from the VLAN. When you identify a VLAN as a blocking interface, the IPS takes control of the VACL on that VLAN. Typically, you would specify the VACL name as the post-VACL.
Never Block Host or Network Dialog Boxes
Use the Add or Modify Never Block Host or Network dialog boxes to specify a host or network that should never be subject to blocking. The name of the dialog box indicates whether you are adding a host or network address.
Enter the IP address or the name of a network/host policy object that specifies the address. You can also click Select to select an object from a list or to create a new object. When selecting objects, the object can contain a single entry of the appropriate type. Host addresses do not have subnet masks (for example, 10.100.10.1), whereas network addresses have masks (for example, 10.100.10.0/24).
From the IPS Blocking policy, select the Never Block Hosts or Networks tab and click the Add Row button or select an existing row and click the Edit Row button. Hosts and networks are listed in separate tables, so ensure that you click the buttons associated with the desired table. For information on opening the Blocking policy, see Blocking Page.