
Chapter 15

Chapter 15. Blocking Configuration. Objectives. Upon completion of this chapter, you will be able to complete the following tasks: Describe the device management capability of the Sensor and how it is used to perform blocking with a Cisco device.



Presentation Transcript


  1. Chapter 15 Blocking Configuration

  2. Objectives
  • Upon completion of this chapter, you will be able to complete the following tasks:
  • Describe the device management capability of the Sensor and how it is used to perform blocking with a Cisco device.
  • Design a Cisco IDS solution using the blocking feature, including the ACL placement considerations, when deciding where to apply Sensor-generated ACLs.
  • Configure a Sensor to perform blocking with a Cisco IDS device.
  • Configure a Sensor to perform blocking through a Master Blocking Sensor.

  3. Introduction

  4. Definitions
  • Blocking—A Cisco IDS Sensor feature.
  • Device management—The ability of a Sensor to interact with a Cisco device and dynamically reconfigure the Cisco device to stop an attack.
  • Managed device—The Cisco IDS device that is to block the attack. This is also referred to as a blocking device.
  • Blocking Sensor—The Cisco IDS Sensor configured to control the managed device.
  • Interface/direction—The combination of a device interface and a direction, in or out.
  • Managed interface—The interface on the managed device where the Cisco IDS Sensor applies the ACL.
  • Active ACL—The ACL created and maintained by the Sensor which is applied to the managed interfaces.

  5. Blocking Devices
  • Cisco IOS routers (ACLs)
  • Catalyst 5000 RSM/RSFC (ACLs)
  • Catalyst 6000 running IOS (ACLs)
  • Catalyst 6000 running Catalyst OS (VACLs)
  • PIX Firewall (shun)

  6. Blocking Guidelines
  • Implement anti-spoofing mechanisms.
  • Identify hosts that are to be excluded from blocking.
  • Identify network entry points that will participate in blocking.
  • Assign the block reaction to signatures that are deemed an immediate threat.
  • Determine the appropriate blocking duration.

  7. NAC Block Actions
  • The following actions will initiate a block:
  • Response to an alert event generated from a signature that is configured with a block action.
  • Manually initiated from a management interface.
  • Configured to initiate a permanent block action.

  8. Blocking Process
  • The following explains the blocking process:
  • An event or action occurs that has a block action associated with it.
  • The Sensor pushes a new set of configurations or ACLs, one for each interface direction, to each controlled device.
  • An alarm is sent to the Event Store at the same time the Sensor initiates the block.
  • When the block completes, all configurations or ACLs are updated to remove the block.

  9. Blocking Scenario (diagram: source 172.26.26.1 on the untrusted network, host 192.168.1.10 on the protected network; labels: 1 Deny 172.26.26.1, 2 Detect the attack, 3 Write the ACL)

  10. ACL Considerations

  11. Where to Apply ACLs
  • When the Sensor has full control, no manually entered ACLs are allowed.
  • Apply an external interface in an inbound direction.
  • Apply an internal interface in an outbound direction.
  (Diagram: untrusted network; external interfaces with the inbound ACL; internal interfaces with the outbound ACL; protected network.)

  12. Applying ACLs on the External vs. Internal Interfaces
  • External interface in the inbound direction: denies the host before it enters the router. Provides the best protection against an attacker.
  • Internal interface in the outbound direction: denies the host before it enters the protected network. The block does not apply to the router itself.

  13. Using Existing ACLs
  • The Sensor takes full control of the managed interface.
  • Existing ACL entries can be included before the dynamically created ACL. This is referred to as applying a Pre-block ACL.
  • Existing ACL entries can be added after the dynamically created ACL. This is referred to as applying a Post-block ACL.
  • The existing ACL must be an extended IP access list, either named or numbered.
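The following is an added illustration (not Cisco's code, and not the real Sensor implementation) of the blocking process and ACL composition described in slides 8, 11 and 13: the Sensor keeps the dynamic block entries, refuses addresses on its never-block list, renders an active ACL as Pre-block entries, then one deny per blocked source, then Post-block entries, applies it inbound on an external interface, and removes the entry once the blocking duration has elapsed. The interface name, ACL names, addresses and ACL entries are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Block:
    source: str         # attacker address the Sensor is denying
    expires_at: float   # absolute time (seconds) at which the block is removed


@dataclass
class ManagedInterface:
    name: str
    direction: str                                   # "in" on an external interface, "out" on an internal one
    pre_block: list = field(default_factory=list)    # existing entries kept ahead of the dynamic denies (Pre-block ACL)
    post_block: list = field(default_factory=list)   # existing entries kept after the dynamic denies (Post-block ACL)


class BlockingSensor:
    """Holds the dynamic block entries and renders the active ACL for a managed interface."""

    def __init__(self, never_block, duration_seconds):
        self.never_block = [ipaddress.ip_network(n) for n in never_block]
        self.duration = duration_seconds
        self.blocks = {}   # source address -> Block

    def is_never_blocked(self, addr):
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in self.never_block)

    def request_block(self, source, now):
        """Start (or refresh) a block; refused for never-block addresses."""
        if self.is_never_blocked(source):
            return False
        self.blocks[source] = Block(source, now + self.duration)
        return True

    def expire(self, now):
        """Drop blocks whose duration has elapsed; the next render omits them."""
        self.blocks = {s: b for s, b in self.blocks.items() if b.expires_at > now}

    def render_acl(self, iface, acl_name):
        """Pre-block entries, then one deny per blocked source, then Post-block entries."""
        lines = [f"ip access-list extended {acl_name}"]
        lines += [f" {entry}" for entry in iface.pre_block]
        lines += [f" deny ip host {src} any" for src in sorted(self.blocks)]
        lines += [f" {entry}" for entry in iface.post_block]
        lines.append(f"interface {iface.name}")
        lines.append(f" ip access-group {acl_name} {iface.direction}")
        return lines


def demo(now=0.0):
    """Walk the blocking process on a constructed external interface (hypothetical values)."""
    sensor = BlockingSensor(never_block=["192.168.1.0/24"], duration_seconds=900)
    external = ManagedInterface(
        "FastEthernet0/0", "in",
        pre_block=["permit tcp any host 192.168.1.10 eq 80"],
        post_block=["permit ip any any"],
    )
    sensor.request_block("172.26.26.1", now)      # signature with block action fires on the attacker
    sensor.request_block("192.168.1.10", now)     # protected host is on the never-block list: refused
    during = sensor.render_acl(external, "IDS_FastEthernet0_0_in_0")
    sensor.expire(now + 901)                      # blocking duration elapsed
    after = sensor.render_acl(external, "IDS_FastEthernet0_0_in_1")
    return during, after


if __name__ == "__main__":
    during, after = demo()
    print("\n".join(during))
    print("--- after expiry ---")
    print("\n".join(after))
```

The Post-block list carries the trailing permit in this example; with no permit after the dynamic denies, the extended ACL's implicit deny would drop everything, which is why the existing ACL must be reviewed before handing the interface to the Sensor.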

  14. Blocking Sensor Configuration

  15. Configuration Tasks
  • Complete the following tasks to configure a Sensor for blocking:
  • Assign the block reaction to a signature.
  • Assign the Sensor’s global blocking properties.
  • Define the managed device’s properties.
  • Assign the managed interface’s properties for IOS devices.
  • (Optional.) Assign the list of devices that are never blocked.
  • (Optional.) Define a Master Blocking Sensor.

  16. Assign Block Reaction

  17. Sensor’s Blocking Properties Choose Configuration>Settings>Blocking>Blocking Properties.

  18. Managed Device—Cisco Router Choose Configuration>Blocking>Blocking Devices and Select Add.

  19. Managed Device—Cisco Router (cont.)

  20. Managed Device—PIX Firewall Choose Configuration>Blocking>Blocking Devices and Select Add.

  21. Managed Device—Catalyst 6000 VACL

  22. Managed Device—Catalyst 6000 VACL (cont.)

  23. Never Block Addresses Choose Configuration>Settings>Blocking>Never Block Addresses and Click Add.

  24. Master Blocking Sensor Configuration

  25. Master Blocking Sensors (diagram labels: Attacker, Provider X, Provider Y, Router A, PIX Firewall B, Sensor A, Sensor B, Protected network, Target; Sensor A blocks; Sensor B blocks; Sensor A commands Sensor B to block)

  26. Master Blocking Sensor Characteristics
  • The following are the characteristics of a Master Blocking Sensor:
  • A Master Blocking Sensor can be any Sensor that controls blocking on a device on behalf of another Sensor.
  • Any Sensor can act as a Master Blocking Sensor.
  • A Sensor can forward block requests to a maximum of 10 Master Blocking Sensors.
  • A Master Blocking Sensor can handle block requests from multiple Sensors.
  • A Master Blocking Sensor can use other Master Blocking Sensors to control other devices.

  27. Master Blocking Sensor Configuration
  • Master Blocking Sensor configuration:
  • Add each FBS to the Allowed Hosts table.
  • Blocking Forwarding Sensor configuration:
  • Specify the MBS; define RDEP communication parameters.
  • RDEP parameters of the MBS are auto-retrieved using IDS MC.
  • Manually configured using IDM/CLI.
  • Add the MBS to the TLS Trusted Host table, if TLS is enabled (default), using the “tls trusted-host ip-address” command.
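The following is an added simulation (not Cisco's code, and not the real RDEP message format) of the trust relationship set up in slides 26 and 27: a forwarding sensor only sends block requests to a Master Blocking Sensor whose address is in its TLS trusted-host table, the Master Blocking Sensor only honours requests from Sensors in its Allowed Hosts table, and a Sensor is limited to 10 Master Blocking Sensors. All addresses are constructed sample values.

```python
MAX_MASTER_BLOCKING_SENSORS = 10   # limit stated in the chapter


class MasterBlockingSensor:
    """MBS side: accepts block requests only from Sensors in its Allowed Hosts table."""

    def __init__(self, address, allowed_hosts):
        self.address = address
        self.allowed_hosts = set(allowed_hosts)
        self.blocks = []   # sources this MBS has blocked on the device it manages

    def handle_block_request(self, requester, source):
        if requester not in self.allowed_hosts:
            return False   # requester was never added to the Allowed Hosts table
        self.blocks.append(source)
        return True


class ForwardingSensor:
    """Blocking forwarding sensor side: talks only to MBS addresses in its TLS trusted-host table."""

    def __init__(self, address):
        self.address = address
        self.masters = []
        self.tls_trusted_hosts = set()

    def add_tls_trusted_host(self, ip):
        # Models the effect of "tls trusted-host ip-address <ip>" on the forwarding sensor.
        self.tls_trusted_hosts.add(ip)

    def add_master(self, mbs):
        if len(self.masters) >= MAX_MASTER_BLOCKING_SENSORS:
            raise ValueError("a Sensor can forward to at most 10 Master Blocking Sensors")
        self.masters.append(mbs)

    def forward_block(self, source):
        """Return, per MBS address, whether the request was blocked, rejected, or never sent."""
        results = {}
        for mbs in self.masters:
            if mbs.address not in self.tls_trusted_hosts:
                results[mbs.address] = "untrusted-mbs"   # TLS peer not trusted: request not sent
                continue
            accepted = mbs.handle_block_request(self.address, source)
            results[mbs.address] = "blocked" if accepted else "rejected"
        return results


if __name__ == "__main__":
    mbs = MasterBlockingSensor("10.0.2.4", allowed_hosts=["10.0.1.4"])   # constructed addresses
    sensor_a = ForwardingSensor("10.0.1.4")
    sensor_a.add_master(mbs)
    print(sensor_a.forward_block("172.26.26.1"))   # MBS not yet in the TLS trusted-host table
    sensor_a.add_tls_trusted_host("10.0.2.4")
    print(sensor_a.forward_block("172.26.26.1"))   # now forwarded and accepted
```

Both checks matter: the Allowed Hosts table keeps an unauthorised Sensor from driving blocks on the MBS's managed device, and the TLS trusted-host entry keeps the forwarding sensor from handing its block requests to an impersonated MBS.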

  28. Configuring Master Blocking Sensors Choose Configuration>Settings>Blocking>Master Blocking Sensors and click Add.

  29. Summary

  30. Summary
  • Device management is the ability of a Sensor to dynamically reconfigure a Cisco device to block the source of an attack in real time.
  • Guidelines for designing an IDS solution with blocking include the following:
  • Implement an anti-spoofing mechanism.
  • Identify critical hosts and network entry points.
  • Select applicable signatures.
  • Determine the blocking duration.
  • Sensors can serve as Master Blocking Sensors.
  • The ACLs may be applied on either the external or internal interface of the Cisco device, and may be configured for inbound or outbound traffic on either interface.

  31. Lab Exercise

  32. Lab Visual Objective (diagram labels: WEBFTP .50 and .150 on 172.26.26.0; Pods 1–5 and Pods 6–10; RBB .1 / .1; 172.30.P.0 and 172.30.Q.0; sensorP and sensorQ .2; ROUTER .2 / .4; 10.0.P.0 and 10.0.Q.0; RTS .100; STUDENT PC 10.0.P.12 and 10.0.Q.12)
