42-3
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 42 Configuring Attack Response Controller for Blocking and Rate Limiting
Understanding IPS Blocking
On Cisco IOS Software devices (routers and Catalyst 6500 series switches), ARC creates blocks by
applying ACLs; on Catalyst 6500/7600 devices that run the Catalyst operating system, ARC creates
blocks by applying VACLs. An ACL permits or denies packets in a given direction on an interface, and a
VACL does the same for a VLAN; each ACL or VACL contains permit and deny conditions that match on IP
addresses. The security appliances use the shun command instead of ACLs.
Tip For a list of the specific devices and operating system versions that you can configure as blocking
devices, see the supported device information in the chapter “Configuring Attack Response Controller
for Blocking and Rate Limiting” in the Installing and Using Cisco Intrusion Prevention System Device
Manager publication for your IPS software version. These publications are available on Cisco.com at
http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_installation_and_configuration_guides_list.html.
The following topics explain more about IPS blocking:
Strategies for Applying Blocks, page 42-3
Understanding Rate Limiting, page 42-4
Understanding Router and Switch Blocking Devices, page 42-4
Understanding the Master Blocking Sensor, page 42-6
Configuring IPS Blocking and Rate Limiting, page 42-7
Blocking Page, page 42-8
Strategies for Applying Blocks
Blocking is performed only when an event occurs and the event includes the Request Block Connection
or Request Block Host event actions. These event actions are not typically needed when you operate the
IPS in inline mode, where you use Deny actions to drop undesired traffic.
The following are situations in which you might want to implement blocking actions:
Promiscuous mode—When running in promiscuous mode, the IPS cannot implement Deny actions.
Thus, if you want to prevent traffic from a host, you must implement blocking.
Inline mode—In inline mode, you can implement Deny actions to immediately drop undesired
traffic. However, you might want to add blocking actions to protect other segments of your network.
For example, suppose that your network consists of five subnets, A, B, C, D, and E, and that each
of these segments has an inline IPS device monitoring it. If the IPS for subnet A identifies an attack,
the IPS can use Deny actions to protect subnet A, but also use Request Block actions to configure
the firewalls that protect B, C, D, and E to shun the attacker before the attack can target those other
subnets. In this example, you would want to designate a single IPS as the master blocking sensor
and have the other four IPS sensors perform blocking through the master blocking sensor.
Use the following techniques to add the request block actions to an event:
Event Action Override policy—Configure an event action override rule to add the action to all events
based on the event’s risk rating. This is a simple approach. You could add the request block action
for the same risk ratings used for adding Deny actions. For more information, see Configuring Event
Action Overrides, page 39-13.
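The following Python model, added here as an illustration and not part of the Cisco Security Manager product or this guide, ties the pieces above together: a risk-rating override adds Request Block Host to an event, the sensor's mode decides whether a Deny is possible locally, and the block fans out through the master blocking sensor to the devices guarding the other segments, rendered as the ACL, VACL or shun form the page names. The risk-rating threshold, device names, IP addresses and the exact command syntax are assumptions for the example.

```python
from dataclasses import dataclass, field

DENY = "Deny Attacker Inline"
BLOCK_HOST = "Request Block Host"


@dataclass
class Event:
    attacker_ip: str
    risk_rating: int
    actions: set = field(default_factory=set)


def apply_override(event, threshold=90):
    """Event Action Override rule: when the event's risk rating reaches the
    threshold (assumed value 90), add Deny and Request Block Host to it."""
    if event.risk_rating >= threshold:
        event.actions.update({DENY, BLOCK_HOST})
    return event.actions


def block_directive(device_os, attacker_ip):
    """Device-specific form of a host block: ACL on IOS, VACL on Catalyst OS,
    shun on a security appliance. Syntax here is illustrative only."""
    forms = {
        "ios": f"access-list 190 deny ip host {attacker_ip} any",
        "catos": f"set security acl ip IPS_BLOCK deny ip host {attacker_ip} any",
        "asa": f"shun {attacker_ip}",
    }
    if device_os not in forms:
        raise ValueError(f"unsupported blocking device OS: {device_os}")
    return forms[device_os]


def blocking_plan(event, sensor_mode, master_devices):
    """Return (local actions, forwarded blocks). In promiscuous mode the sensor
    cannot Deny, so only the block protects the network; in inline mode the
    Deny drops traffic locally and the block is still forwarded through the
    master blocking sensor to the devices protecting the other segments."""
    local = []
    if sensor_mode == "inline" and DENY in event.actions:
        local.append(f"drop traffic from {event.attacker_ip} inline")
    forwarded = []
    if BLOCK_HOST in event.actions:
        forwarded = [(name, block_directive(os_name, event.attacker_ip))
                     for name, os_name in master_devices.items()]
    return local, forwarded


if __name__ == "__main__":
    ev = Event("203.0.113.7", 95)  # constructed sample event
    apply_override(ev)
    devices = {"fw-B": "asa", "rtr-C": "ios", "sw-D": "catos"}  # constructed
    print(blocking_plan(ev, "promiscuous", devices))
```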