Cisco Systems IPS 7.1 Home Security System User Manual


 
14-3
Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Chapter 14 Configuring Attack Response Controller for Blocking and Rate Limiting
Understanding Blocking
is configured for VLAN A, but is blocking on a different security appliance customer context that is configured for VLAN B. Addresses that trigger blocks on VLAN A may refer to a different host on VLAN B.
There are three types of blocks:
• Host block—Blocks all traffic from a given IP address.
• Connection block—Blocks traffic from a given source IP address to a given destination IP address and destination port. Multiple connection blocks from the same source IP address to either a different destination IP address or a different destination port automatically switch the block from a connection block to a host block.
• Network block—Blocks all traffic from a given network.
You can initiate host and connection blocks manually, or automatically when a signature is triggered. You can only initiate network blocks manually.
Note Connection blocks and network blocks are not supported on adaptive security appliances. Adaptive security appliances only support host blocks with additional connection information.
Caution Do not confuse blocking with the ability of the sensor to drop packets. Blocking is enforced on a managed device; the sensor itself drops packets only when it is in inline mode and one of the following actions is configured: deny packet inline, deny connection inline, or deny attacker inline.
For automatic blocks, you must configure request-block-host or request-block-connection as the event action for the signatures concerned, and add them to any event action overrides you have configured, so that SensorApp sends a block request to ARC when the signature is triggered. When ARC receives the block request from SensorApp, it updates the configuration of the managed devices to block the host or connection.
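The following IPS 7.1 CLI session is an added example, not text from the guide. It requests automatic host blocking in the two places the paragraph above describes: through an event action override that adds request-block-host to every alert in a risk-rating range, and directly on one signature. The instance names rules0 and sig0 are the sensor defaults; the signature ID 2004 (the built-in ICMP Echo Request signature), the risk-rating range of 90-100 and the prompts shown are assumptions for illustration, and lines beginning with ! are editorial comments rather than CLI input. Confirm the exact keywords with the CLI's ? help on your sensor.

```text
sensor# configure terminal
! Add request-block-host to every alert whose risk rating is 90-100 through
! an event action override (rules0 is the default event action rules instance).
sensor(config)# service event-action-rules rules0
sensor(config-rul)# overrides request-block-host
sensor(config-rul-ove)# override-item-status enabled
sensor(config-rul-ove)# risk-rating-range 90-100
sensor(config-rul-ove)# exit
sensor(config-rul)# exit
Apply Changes:?[yes]: yes
! Alternatively, request the block on a single signature (ID 2004 is an
! assumed example); produce-alert is kept so the event is still recorded.
sensor(config)# service signature-definition sig0
sensor(config-sig)# signatures 2004 0
sensor(config-sig-sig)# event-action produce-alert|request-block-host
sensor(config-sig-sig)# exit
sensor(config-sig)# exit
Apply Changes:?[yes]: yes
sensor(config)# exit
! Confirm which blocks ARC has actually pushed to the managed devices.
sensor# show statistics network-access
```

Neither change produces a block on its own: ARC only acts on the request if blocking is enabled and at least one blocking device is configured under service network-access, and the override only fires for alerts whose risk rating falls in the configured range. The show statistics network-access output is the place to check that a triggered signature really resulted in a block rather than just an alert.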
On Cisco routers and Catalyst 6500 series switches, ARC creates blocks by applying ACLs or VACLs. ACLs and VACLs permit or deny the passage of packets through an interface in a given direction or through a VLAN; each ACL or VACL contains permit and deny conditions that apply to IP addresses. The security appliances do not use ACLs or VACLs; ARC uses their built-in shun and no shun commands instead.
Caution Never modify the ACLs that ARC creates, either by hand or from another system. These ACLs are temporary and the sensor constantly replaces them with new ones. The only ACLs you can modify are the Pre-Block and Post-Block ACLs.
You need the following information for the ARC to manage a device:
• Login user ID (if the device is configured with AAA).
• Login password.
• Enable password (not needed if the user has enable privileges).
• Interfaces to be managed (for example, ethernet0, vlan100).
• Any existing ACL or VACL information you want applied at the beginning (Pre-Block ACL or VACL) or end (Post-Block ACL or VACL) of the ACL or VACL that ARC creates. This does not apply to the security appliances because they do not use ACLs to block.
• Whether you are using Telnet or SSH to communicate with the device.
• IP addresses (host or range of hosts) you never want blocked.
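The IPS 7.1 CLI session below is added here as an example and is not taken from the guide. It supplies ARC with each item in the list above for one Cisco router: the router's SSH host key, a user profile carrying the login and enable credentials, the managed interface and direction, the Pre-Block and Post-Block ACL names, and the addresses that must never be blocked. The addresses, ACL names, profile name and credentials are placeholders; lines beginning with ! are editorial comments rather than CLI input; and the keywords are the IPS 7.x service network-access commands as the editor recalls them, so confirm them with ? help before relying on them.

```text
sensor# configure terminal
! Fetch and trust the router's SSH host key first; ARC needs it in the
! sensor's known hosts table before it can manage the device over SSH.
! (The sensor prints the key fingerprint and asks whether to add it.)
sensor(config)# ssh host-key 192.0.2.1
sensor(config)# service network-access
sensor(config-net)# general
sensor(config-net-gen)# block-enable true
! Keep ARC from ever blocking the sensor itself, and protect infrastructure
! addresses (placeholders: one management host and one management network).
sensor(config-net-gen)# allow-sensor-block false
sensor(config-net-gen)# never-block-hosts 192.0.2.10
sensor(config-net-gen)# never-block-networks 10.10.0.0/16
sensor(config-net-gen)# exit
! Credentials ARC uses to log in to the router: AAA user, login password,
! and the enable password (omit enable-password if the user lands in
! privileged mode directly).
sensor(config-net)# user-profiles edge-router
sensor(config-net-use)# username arc
sensor(config-net-use)# password
Enter password[]: ********
Re-enter password: ********
sensor(config-net-use)# enable-password
Enter enable-password[]: ********
Re-enter enable-password: ********
sensor(config-net-use)# exit
! The router, the transport (SSH with 3DES here rather than Telnet), and
! the interface and direction on which ARC installs its ACL. PRE-BLOCK and
! POST-BLOCK must already exist on the router; ARC places their entries
! before and after the block entries of the ACL it generates.
sensor(config-net)# router-devices 192.0.2.1
sensor(config-net-rou)# communication ssh-3des
sensor(config-net-rou)# profile-name edge-router
sensor(config-net-rou)# block-interfaces GigabitEthernet0/1 in
sensor(config-net-rou-blo)# pre-acl-name PRE-BLOCK
sensor(config-net-rou-blo)# post-acl-name POST-BLOCK
sensor(config-net-rou-blo)# exit
sensor(config-net-rou)# exit
sensor(config-net)# exit
Apply Changes:?[yes]: yes
sensor(config)# exit
! Verify that ARC reached the router and list the active blocks.
sensor# show statistics network-access
```

To exercise the configuration without waiting for a signature to fire, issue a manual block from privileged EXEC mode, for example block host 198.51.100.7 (an assumed test address), then check show statistics network-access on the sensor and show access-lists on the router. The router side shows the ACL that ARC generated on GigabitEthernet0/1; inspect it but do not edit it, since ARC will replace it on the next block change. If the block does not appear, the usual causes are a missing SSH host key, wrong credentials in the user profile, or a Pre-Block or Post-Block ACL name that does not exist on the router.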