Cisco Systems CL-28826-01 Strategies for Applying Blocks

42-3

User Guide for Cisco Security Manager 4.4

OL-28826-01

Chapter42 Configuring Attack Response Controller for Blocking and Rate Limiting

Understanding IPS Blocking

On Cisco IOS Software devices (routers and Catalyst 6500 series switches), ARC creates blocks by

applying ACLs; on Catalyst 6500/7600 devices that run the Catalyst operating system, ARC creates

blocks by applying VACLs. ACLs and VACLs permit or deny passage of data packets through interface

directions or VLANs. Each ACL or VACL contains permit and deny conditions that apply to IP

addresses. The security appliances use the shun command instead of ACLs.

Tip For a list of the specific devices and operating system versions that you can configure as blocking

devices, see the supported device information in the chapter “Configuring Attack Response Controller

for Blocking and Rate Limiting” in the Installing and Using Cisco Intrusion Prevention System Device

Manager publication for your IPS software version. These publications are available on Cisco.com at

http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_installation_and_configuration_g

uides_list.html.

The following topics explain more about IPS blocking:

•Strategies for Applying Blocks, page 42-3

•Understanding Rate Limiting, page 42-4

•Understanding Router and Switch Blocking Devices, page 42-4

•Understanding the Master Blocking Sensor, page 42-6

•Configuring IPS Blocking and Rate Limiting, page 42-7

•Blocking Page, page 42-8

Strategies for Applying Blocks

Blocking is performed only when an event occurs and the event includes the Request Block Connection

or Request Block Host event actions. These event actions are not typically needed when you operate the

IPS in inline mode, where you use Deny actions to drop undesired traffic.

The following are situations in which you might want to implement blocking actions:

•Promiscuous mode—When running in promiscuous mode, the IPS cannot implement Deny actions.

Thus, if you want to prevent traffic from a host, you must implement blocking.

•Inline mode—In inline mode, you can implement Deny actions to immediately drop undesired

traffic. However, you might want to add blocking actions to protect other segments of your network.

For example, suppose that your network consists of five subnets, A, B, C, D, and E, and that each

of these segments has an inline IPS device monitoring it. If the IPS for subnet A identifies an attack,

the IPS can use Deny actions to protect subnet A, but also use Request Block actions to configure

the firewalls that protect B, C, D, and E to shun the attacker before the attack can target those other

subnets. In this example, you would want to designate a single IPS as the master blocking sensor

and have the other four IPS sensors perform blocking through the master blocking sensor.

Use the following techniques to add the request block actions to an event:

•Event Action Override policy—Configure an event action override rule to add the action to all events

based on the event’s risk rating. This is a simple approach. You could add the request block action

for the same risk ratings used for adding Deny actions. For more information, see Configuring Event

Action Overrides, page 39-13.