© 2003, Cisco Systems, Inc. All rights reserved. CSIDS 4.0—15-1 Chapter 15 Blocking Configuration

Chapter 15

Blocking Configuration


Objectives

Upon completion of this chapter, you will be able to complete the following tasks:

• Describe the device management capability of the Sensor and how it is used to perform blocking with a Cisco device.

• Design a Cisco IDS solution using the blocking feature, including the ACL placement considerations, when deciding where to apply Sensor-generated ACLs.

• Configure a Sensor to perform blocking with a Cisco IDS device.

• Configure a Sensor to perform blocking through a Master Blocking Sensor.


Introduction


Definitions

• Blocking—A Cisco IDS Sensor feature.

• Device management—The ability of a Sensor to interact with a Cisco device and dynamically reconfigure the Cisco device to stop an attack.

• Managed device—The Cisco IDS device that is to block the attack. This is also referred to as a blocking device.

• Blocking Sensor—The Cisco IDS Sensor configured to control the managed device.

• Interface/direction—The combination of a device interface and a direction, in or out.

• Managed interface—The interface on the managed device where the Cisco IDS Sensor applies the ACL.

• Active ACL—The ACL created and maintained by the Sensor which is applied to the managed interfaces.


Blocking Devices

• Cisco IOS routers (ACLs)

• Catalyst 5000 RSM/RSFC (ACLs)

• Catalyst 6000 running IOS (ACLs)

• Catalyst 6000 running Catalyst OS (VACLs)

• PIX Firewall (shun)


Blocking Guidelines

• Implement anti-spoofing mechanisms.

• Identify hosts that are to be excluded from blocking.

• Identify network entry points that will participate in blocking.

• Assign the block reaction to signatures that are deemed as an immediate threat.

• Determine the appropriate blocking duration.


NAC Block Actions

The following actions will initiate a block:

• Response to an alert event generated from a signature that is configured with a block action.

• Manually initiated from a management interface.

• Configured to initiate a permanent block action.


Blocking Process

The following explains the blocking process:

• An event or action occurs that has a block action associated with it.

• Sensor pushes a new set of configurations or ACLs, one for each interface direction, to each controlled device.

• An alarm is sent to the Event Store at the same time the Sensor initiates the block.

• When the block completes, all configurations or ACLs are updated to remove the block.


Blocking Scenario

[Figure: Blocking scenario. An attacker at 172.26.26.1 on the untrusted network sends traffic (1) toward the host 192.168.1.10 on the protected network; the Sensor detects the attack (2) and writes the ACL (3) to the router, which then denies 172.26.26.1.]

ACL Considerations

[Figure: a router between the untrusted network and the protected network, with an inbound ACL on its external interfaces and an outbound ACL on its internal interfaces.]

Where to Apply ACLs

• When the Sensor has full control, no manually entered ACLs are allowed on the managed interface.

• Apply the ACL to an external interface in the inbound direction.

• Apply the ACL to an internal interface in the outbound direction.


Applying ACLs on the External vs. Internal Interfaces

• External interface in the inbound direction

– Denies the host before it enters the router.

– Provides the best protection against an attacker.

• Internal interface in the outbound direction

– Denies the host before it enters the protected network.

– The block does not apply to the router itself.


Using Existing ACLs

• The Sensor takes full control of the managed interface.

• Existing ACL entries can be included before the dynamically created ACL. This is referred to as applying a Pre-block ACL.

• Existing ACL entries can be added after the dynamically created ACL. This is referred to as applying a Post-block ACL.

• The existing ACL must be an extended IP access list, either named or numbered.
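The blocking process, ACL placement and pre-/post-block ACL slides above describe the ACL the Sensor generates but never show a concrete instance. The following Python model is an added example, not Cisco IDS code: it builds the active ACL from pre-block entries, Sensor-generated deny entries, post-block entries and a closing permit (the closing `permit ip any any`, and all class and function names such as `AclEntry`, `BlockingSensor` and `evaluate`, are assumptions of this model), honours the never-block list and the block duration, and evaluates traffic first-match the way IOS does. It also demonstrates a caveat the guidelines imply: a pre-block entry that permits the attacker's network shadows the dynamic deny, so the block never takes effect.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class AclEntry:
    """One extended-ACL line: an action plus a source ("any", a host, or a CIDR)."""
    action: str   # "permit" or "deny"
    source: str   # "any", "172.26.26.1", "10.0.1.0/24", ...

    def matches(self, src: str) -> bool:
        if self.source == "any":
            return True
        return ip_address(src) in ip_network(self.source, strict=False)

    def render(self) -> str:
        """Render in IOS extended-ACL syntax (wildcard mask for networks)."""
        if self.source == "any":
            return f"{self.action} ip any any"
        net = ip_network(self.source, strict=False)
        if net.num_addresses == 1:
            return f"{self.action} ip host {net.network_address} any"
        return f"{self.action} ip {net.network_address} {net.hostmask} any"


@dataclass
class BlockingSensor:
    """Model of a Sensor's blocking state for one managed interface/direction (constructed)."""
    block_duration: timedelta
    never_block: set = field(default_factory=set)    # hosts/networks excluded from blocking
    pre_block: list = field(default_factory=list)    # existing entries placed before the block
    post_block: list = field(default_factory=list)   # existing entries placed after the block
    blocks: dict = field(default_factory=dict)       # attacker host -> block expiry time

    def block(self, host: str, now: datetime) -> bool:
        """Start (or refresh) a block; refused for never-block addresses."""
        if any(ip_address(host) in ip_network(n, strict=False) for n in self.never_block):
            return False
        self.blocks[host] = now + self.block_duration
        return True

    def active_acl(self, now: datetime) -> list:
        """Drop expired blocks, then assemble pre-block + dynamic + post-block entries."""
        self.blocks = {h: t for h, t in self.blocks.items() if t > now}
        dynamic = [AclEntry("deny", h) for h in sorted(self.blocks)]
        # The trailing permit is an assumption of this model: without it the
        # managed interface would drop all traffic once the ACL is applied.
        return self.pre_block + dynamic + self.post_block + [AclEntry("permit", "any")]

    def render_acl(self, now: datetime) -> list:
        return [e.render() for e in self.active_acl(now)]


def evaluate(acl: list, src: str) -> str:
    """First-match evaluation, with the implicit deny at the end of every IOS ACL."""
    for entry in acl:
        if entry.matches(src):
            return entry.action
    return "deny"


if __name__ == "__main__":
    # Constructed scenario: block the attacker from the Blocking Scenario slide.
    t0 = datetime(2003, 1, 1, 12, 0)
    sensor = BlockingSensor(timedelta(minutes=30), never_block={"10.0.1.12"},
                            pre_block=[AclEntry("permit", "10.0.1.0/24")])
    sensor.block("172.26.26.1", t0)
    for line in sensor.render_acl(t0):
        print(line)
```

The `block()` result for a never-block address is `False`, which is the point at which a real deployment should log the refused request; `active_acl()` is called with the current time so that expired blocks disappear the next time the ACL is pushed, matching the "when the block completes, all ACLs are updated" step.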


Blocking Sensor Configuration


Configuration Tasks

Complete the following tasks to configure a Sensor for blocking:

• Assign the block reaction to a signature.

• Assign the Sensor’s global blocking properties.

• Define the managed device’s properties.

• Assign the managed interface’s properties for IOS devices.

• (Optional.) Assign the list of devices that are never blocked.

• (Optional.) Define a Master Blocking Sensor.


Assign Block Reaction


Sensor’s Blocking Properties

Choose Configuration > Settings > Blocking > Blocking Properties.


Managed Device—Cisco Router

Choose Configuration > Blocking > Blocking Devices and select Add.


Managed Device—Cisco Router (cont.)


Managed Device—PIX Firewall

Choose Configuration > Blocking > Blocking Devices and select Add.


Managed Device—Catalyst 6000 VACL


Managed Device—Catalyst 6000 VACL (cont.)


Never Block Addresses

Choose Configuration > Settings > Blocking > Never Block Addresses and click Add.


Master Blocking Sensor Configuration


Master Blocking Sensors

[Figure: Master Blocking Sensors. An attacker can reach the target on the protected network through two upstream providers, Provider X and Provider Y; the entry points are guarded by Router A with Sensor A and by PIX Firewall B with Sensor B. Sensor A blocks on Router A, Sensor A commands Sensor B to block, and Sensor B blocks on PIX Firewall B.]


Master Blocking Sensor Characteristics

The following are the characteristics of a Master Blocking Sensor:

• A Master Blocking Sensor can be any Sensor that controls blocking on a device on behalf of another Sensor.

• Any Sensor can act as a Master Blocking Sensor.

• A Sensor can forward block requests to a maximum of 10 Master Blocking Sensors.

• A Master Blocking Sensor can handle block requests from multiple Sensors.

• A Master Blocking Sensor can use other Master Blocking Sensors to control other devices.


Master Blocking Sensor Configuration

Master Blocking Sensor Configuration:

• Add each blocking forwarding Sensor (FBS) to the Allowed Hosts table.

Blocking Forwarding Sensor Configuration:

• Specify the MBS and define the RDEP communication parameters.

– RDEP parameters of the MBS are auto-retrieved using IDS MC.

– Manually configured using IDM/CLI.

• Add the MBS to the TLS Trusted Host table, if TLS is enabled (the default), using the “tls trusted-host ip-address” command.
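The two Master Blocking Sensor slides above describe a two-sided trust relationship (the MBS must list the forwarding Sensor in its Allowed Hosts table, and the forwarding Sensor must trust the MBS in its TLS Trusted Host table) plus a limit of 10 Master Blocking Sensors per Sensor. The following Python model is an added example, not Cisco IDS code: the class names, the result strings and the RDEP request being reduced to a method call are all assumptions of the model. It shows which side's missing entry makes a forwarded block request fail, which is the check an operator wants when a block forwarded to a peer never appears on that peer's managed device.

```python
from dataclasses import dataclass, field

# Stated on the slide: a Sensor can forward to at most 10 Master Blocking Sensors.
MAX_MASTER_BLOCKING_SENSORS = 10


@dataclass
class MasterBlockingSensor:
    """The Sensor that controls the managed device on behalf of others (constructed model)."""
    address: str
    allowed_hosts: set = field(default_factory=set)   # forwarding Sensors permitted to send requests
    blocks: set = field(default_factory=set)          # attacker hosts blocked on its managed device

    def handle_block_request(self, from_host: str, attacker: str) -> str:
        # Allowed Hosts table: requests from unknown Sensors are rejected.
        if from_host not in self.allowed_hosts:
            return "rejected: requester not in Allowed Hosts"
        self.blocks.add(attacker)
        return "blocked"


@dataclass
class BlockingForwardingSensor:
    """The Sensor that detects the attack and forwards the block (constructed model)."""
    address: str
    tls_enabled: bool = True                             # TLS is on by default per the slide
    tls_trusted_hosts: set = field(default_factory=set)  # "tls trusted-host ip-address" entries
    masters: list = field(default_factory=list)

    def add_master(self, mbs: MasterBlockingSensor) -> bool:
        """Register an MBS; returns False once the 10-MBS limit is reached."""
        if len(self.masters) >= MAX_MASTER_BLOCKING_SENSORS:
            return False
        self.masters.append(mbs)
        return True

    def forward_block(self, attacker: str) -> dict:
        """Forward one block request to every configured MBS; result per MBS address."""
        results = {}
        for mbs in self.masters:
            # TLS Trusted Host table: the forwarding side refuses to talk to an
            # MBS whose certificate host is not trusted.
            if self.tls_enabled and mbs.address not in self.tls_trusted_hosts:
                results[mbs.address] = "failed: MBS not in TLS trusted hosts"
                continue
            results[mbs.address] = mbs.handle_block_request(self.address, attacker)
        return results


if __name__ == "__main__":
    # Constructed addresses: one correctly configured MBS, one missing each table entry.
    mbs_ok = MasterBlockingSensor("10.0.1.4", allowed_hosts={"10.0.2.4"})
    mbs_no_allowed = MasterBlockingSensor("10.0.3.4")
    mbs_untrusted = MasterBlockingSensor("10.0.5.4", allowed_hosts={"10.0.2.4"})
    fbs = BlockingForwardingSensor("10.0.2.4", tls_trusted_hosts={"10.0.1.4", "10.0.3.4"})
    for m in (mbs_ok, mbs_no_allowed, mbs_untrusted):
        fbs.add_master(m)
    for addr, result in fbs.forward_block("172.26.26.1").items():
        print(addr, result)
```

Each failure string names the table that is missing the entry, so the model doubles as a troubleshooting checklist: "rejected" points at the MBS's Allowed Hosts table, "failed" at the forwarding Sensor's TLS Trusted Host table.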


Configuring Master Blocking Sensors

Choose Configuration > Settings > Blocking > Master Blocking Sensors and click Add.


Summary


Summary

• Device management is the ability of a Sensor to dynamically reconfigure a Cisco device to block the source of an attack in real time.

• Guidelines for designing an IDS solution with blocking include the following:

– Implement an anti-spoofing mechanism.

– Identify critical hosts and network entry points.

– Select applicable signatures.

– Determine the blocking duration.

• Sensors can serve as Master Blocking Sensors.

• The ACLs may be applied on either the external or internal interface of the Cisco device, and may be configured for inbound or outbound traffic on either interface.


Lab Exercise


[Figure: Lab Visual Objective. Two pod groups, Pods 1–5 and Pods 6–10, each pod with a STUDENT PC, a ROUTER, a Sensor (sensorP / sensorQ) and an RTS host; pod networks 10.0.P.0, 10.0.Q.0, 172.30.P.0 and 172.30.Q.0 with hosts 10.0.P.12 and 10.0.Q.12; shared backbone 172.26.26.0 with the RBB and WEB/FTP hosts. Host-octet labels in the diagram: .1, .2, .4, .50, .100, .150.]