42-4
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 42 Configuring Attack Response Controller for Blocking and Rate Limiting
Understanding IPS Blocking
Signatures policy—You can add the request block actions to individual signatures. This requires
editing each signature to add the action. This can be a time-consuming approach, but it allows you
to configure blocking for just the types of events that concern you most. For more information, see
Configuring Signatures, page 38-4.
Related Topics
Understanding IPS Blocking, page 42-1
Understanding the Master Blocking Sensor, page 42-6
Understanding Interface Modes, page 36-2
Configuring IPS Blocking and Rate Limiting, page 42-7
Blocking Page, page 42-8
Understanding Rate Limiting
Attack Response Controller (ARC) is responsible for rate limiting traffic in protected networks. Rate
limiting lets sensors restrict the rate of specified traffic classes on network devices. Rate limit responses
are supported for the Host Flood and Net Flood engines, and the TCP half-open SYN signature. ARC
can configure rate limits on network devices running Cisco IOS 12.3 or later. Master blocking sensors
can also forward rate limit requests to blocking forwarding sensors.
To add a rate limit to a signature, you must add the Request Rate Limit action. You can then edit the
signature parameters in the Event Actions Settings folder to set the percentage for these signatures, that is,
the share of the link bandwidth to which the matching traffic is limited.
Tip You can also manually implement rate limits, but you cannot do so using Security Manager; use the IPS
Device Manager instead.
On the blocking device, you must not apply a service policy to an interface/direction that is configured
for rate limiting. If you do so, the rate limit action will fail. Before configuring rate limits, confirm that
there is no service policy on the interface/direction, and remove it if one exists. ARC does not remove
the existing rate limit unless it is one that ARC had previously added.
Rate limits use ACLs, but not in the same way as blocks. Rate limits use ACLs and class-map entries to
identify traffic, and policy-map and service-policy entries to police the traffic.
Understanding Router and Switch Blocking Devices
You can use routers or Catalyst 6500/7600 devices running Cisco IOS Software, or Catalyst 6500/7600
devices running the Catalyst operating system, to implement IPS blocking in your network. When you
use routers or switches, Attack Response Controller (ARC) configures extended ACLs (on IOS devices)
or VLAN ACLs (on Catalyst OS devices) to implement the blocks. These ACLs and VACLs are created
and managed in the same way.
Rate limits also use ACLs, but not in the same way as blocks. Rate limits use ACLs and class-map entries
to identify traffic, and policy-map and service-policy entries to police the traffic.
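The following Python script is an added example, not Security Manager or ARC code, illustrating the IOS-side mechanics that this section and the rate limiting section describe. It parses a constructed running-config excerpt to find service policies already applied per interface/direction, refuses to build a rate limit for an interface/direction that already has one (the case in which the rate limit action fails), emits the ACL, class-map, policy-map and service-policy lines that police a source host, and emits an extended blocking ACL of the kind ARC applies on IOS routers. The object names (IPS-RL-*, IPS-BLOCK-ACL), the bps-from-percentage calculation, the trailing permit in the block ACL and the sample config are assumptions for the example, not what ARC itself emits.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed 'show running-config' excerpt from a hypothetical IOS blocking
# device. GigabitEthernet0/0 already carries an inbound service policy;
# GigabitEthernet0/1 carries none.
SAMPLE_RUNNING_CONFIG = """\
!
interface GigabitEthernet0/0
 description Uplink (constructed sample)
 ip address 203.0.113.2 255.255.255.252
 service-policy input EXISTING_QOS
!
interface GigabitEthernet0/1
 description Inside (constructed sample)
 ip address 192.0.2.1 255.255.255.0
!
"""


def existing_service_policies(running_config: str) -> Dict[Tuple[str, str], str]:
    """Map (interface, direction) -> policy-map name for each service-policy
    applied under an interface stanza of an IOS running-config."""
    found: Dict[Tuple[str, str], str] = {}
    iface = None
    for line in running_config.splitlines():
        top = re.match(r"^interface (\S+)\s*$", line)
        if top:
            iface = top.group(1)
            continue
        if not line.startswith(" "):
            iface = None  # '!' or another top-level command ends the stanza
            continue
        sp = re.match(r"^ service-policy (input|output) (\S+)", line)
        if sp and iface:
            found[(iface, sp.group(1))] = sp.group(2)
    return found


def _check_direction(direction: str) -> None:
    if direction not in ("input", "output"):
        raise ValueError("direction must be 'input' or 'output'")


def rate_limit_config(running_config: str, source_ip: str, interface: str,
                      direction: str, percent: int, link_bps: int,
                      tag: str = "IPS-RL") -> List[str]:
    """Build ACL / class-map / policy-map / service-policy lines that police
    traffic from source_ip on interface/direction to `percent` of link_bps.

    Refuses if a service policy is already applied to that interface/direction,
    which is the case in which the rate limit action fails. Object names (tag)
    and the bps calculation are assumptions for this example.
    """
    _check_direction(direction)
    if not 0 < percent <= 100:
        raise ValueError("percent must be in 1..100")
    # Validate the address before it goes into CLI text, so an odd value taken
    # from an alert cannot smuggle extra config lines onto the device.
    host = ipaddress.ip_address(source_ip)
    existing = existing_service_policies(running_config)
    if (interface, direction) in existing:
        raise ValueError(
            f"{interface} {direction} already has service-policy "
            f"{existing[(interface, direction)]}; remove it before rate limiting")
    rate_bps = link_bps * percent // 100
    return [
        f"ip access-list extended {tag}-ACL",
        f" permit ip host {host} any",
        f"class-map match-all {tag}-CLASS",
        f" match access-group name {tag}-ACL",
        f"policy-map {tag}-POLICY",
        f" class {tag}-CLASS",
        f"  police {rate_bps} conform-action transmit exceed-action drop",
        f"interface {interface}",
        f" service-policy {direction} {tag}-POLICY",
    ]


def block_acl_config(blocked_ips: List[str], interface: str, direction: str,
                     acl_name: str = "IPS-BLOCK-ACL") -> List[str]:
    """Extended ACL that drops the blocked hosts and (as an assumption for this
    example) permits everything else, applied with ip access-group."""
    _check_direction(direction)
    lines = [f"ip access-list extended {acl_name}"]
    for ip in blocked_ips:
        lines.append(f" deny ip host {ipaddress.ip_address(ip)} any")
    lines.append(" permit ip any any")
    lines += [f"interface {interface}",
              f" ip access-group {acl_name} {'in' if direction == 'input' else 'out'}"]
    return lines


if __name__ == "__main__":
    for cfg_line in rate_limit_config(SAMPLE_RUNNING_CONFIG, "198.51.100.7",
                                      "GigabitEthernet0/1", "input", 10, 100_000_000):
        print(cfg_line)
    try:
        rate_limit_config(SAMPLE_RUNNING_CONFIG, "198.51.100.7",
                          "GigabitEthernet0/0", "input", 10, 100_000_000)
    except ValueError as err:
        print("refused:", err)
```

Running the script prints the policing configuration for GigabitEthernet0/1 and then the refusal for GigabitEthernet0/0, where EXISTING_QOS is already applied inbound; that pre-check is the manual confirmation the rate limiting section asks for before a rate limit is configured.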
Tip IPS considers Catalyst 6500/7600 devices that run Cisco IOS Software to be equivalent to routers. When
you add these devices as blocking devices, add them as routers.