14-2
Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2
OL-29168-01
Chapter 14 Configuring Attack Response Controller for Blocking and Rate Limiting
Understanding Blocking
Do not confuse blocking with the ability of the sensor to drop packets. The sensor can drop packets
when the following actions are configured for a sensor in inline mode: deny packet inline, deny
connection inline, and deny attacker inline.
The ACLs that ARC makes should never be modified by you or any other system. These ACLs are
temporary and new ACLs are constantly being created by the sensor. The only modifications that
you can make are to the Pre- and Post-Block ACLs.
Rate limiting and blocking are not supported for IPv6 traffic. If a signature is configured with a
block or rate limit event action and is triggered by IPv6 traffic, an alert is generated but the action
is not carried out.
Two sensors cannot control blocking or rate limiting on the same device. If this situation is needed,
configure one sensor as the master blocking sensor to manage the devices and the other sensors can
forward their requests to the master blocking sensor.
Pre-Block and Post-Block ACLs do not apply to rate limiting.
When you add a master blocking sensor, you reduce the number of blocking devices per sensor. For
example, if you want to block on 10 security appliances and 10 routers with one blocking
interface/direction each, you can assign 10 to the sensor and assign the other 10 to a master blocking
sensor.
While blocking is disabled, the ARC continues to receive blocks and track the time on active blocks,
but will not apply new blocks or remove blocks from the managed devices. After blocking is
reenabled, the blocks on the devices are updated.
We recommend that you do not permit the sensor to block itself, because it may stop communicating
with the blocking device. You can configure this option if you can ensure that if the sensor creates
a rule to block its own IP address, it will not prevent the sensor from accessing the blocking device.
You MUST create a user profile before configuring the blocking device.
Understanding Blocking
The ARC is responsible for managing network devices in response to suspicious events by blocking
access from attacking hosts and networks. The ARC blocks the IP address on the devices it is managing.
It sends the same block to all the devices it is managing, including any other master blocking sensors.
The ARC monitors the time for the block and removes the block after the time has expired.
The ARC completes the action response for a new block in no more than 7 seconds. In most cases, it
completes the action response in less time. To meet this performance goal, you should not configure the
sensor to perform blocks at too high a rate or to manage too many blocking devices and interfaces. We
recommend that the maximum number of blocks not exceed 250 and the maximum number of blocking
items not exceed 10. To calculate the maximum number of blocking items, a security appliance counts
as one blocking item per blocking context. A router counts as one blocking item per blocking
interface/direction. A switch running Catalyst software counts as one blocking item per blocking VLAN.
If the recommended limits are exceeded, the ARC may not apply blocks in a timely manner or may not
be able to apply blocks at all.
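The following planning check is an added example, not code from the Cisco guide. It applies the counting rule above (one blocking item per security appliance context, per router interface/direction, per Catalyst blocking VLAN) together with the recommended limits of 10 blocking items and 250 blocks, and also flags a device assigned to two sensors, which the notes earlier on this page say is not supported without a master blocking sensor. The inventory format, sensor names and device names are constructed for illustration.

```python
# Added planning check for an ARC blocking topology (example code, not Cisco's).
# Counting rule from the guide: security appliance = one blocking item per
# blocking context; router = one per blocking interface/direction; Catalyst
# switch = one per blocking VLAN. Inventory format and names are assumptions.
from collections import defaultdict

MAX_BLOCKING_ITEMS = 10   # recommended maximum blocking items per sensor
MAX_BLOCKS = 250          # recommended maximum number of active blocks


def blocking_items(device: dict) -> int:
    """Blocking items one device contributes, per the guide's counting rule."""
    kind = device["kind"]
    if kind == "security_appliance":
        return len(device["contexts"])
    if kind == "router":
        # each (interface, direction) pair is one blocking item
        return sum(len(dirs) for dirs in device["interfaces"].values())
    if kind == "catalyst_switch":
        return len(device["vlans"])
    raise ValueError(f"unknown device kind: {kind}")


def check_topology(assignments: dict, active_blocks: int) -> dict:
    """assignments maps a sensor name to the devices whose blocking it manages
    (a master blocking sensor is just another sensor here). Returns the item
    count per sensor and the problems to fix before deploying."""
    items = {sensor: sum(blocking_items(d) for d in devs)
             for sensor, devs in assignments.items()}
    owners = defaultdict(list)          # device name -> sensors managing it
    for sensor, devs in assignments.items():
        for d in devs:
            owners[d["name"]].append(sensor)
    problems = []
    for sensor, n in items.items():
        if n > MAX_BLOCKING_ITEMS:
            problems.append(f"{sensor}: {n} blocking items exceeds {MAX_BLOCKING_ITEMS}")
    for name, sensors in owners.items():
        if len(sensors) > 1:
            problems.append(f"{name}: managed by {sorted(sensors)}; "
                            "use a master blocking sensor instead")
    if active_blocks > MAX_BLOCKS:
        problems.append(f"{active_blocks} active blocks exceeds {MAX_BLOCKS}")
    return {"items": items, "problems": problems}


# Constructed inventory: a router blocked on two interfaces in both directions,
# a two-context security appliance (shared with a second sensor by mistake),
# and a Catalyst switch blocking on three VLANs.
ROUTER = {"name": "edge-rtr1", "kind": "router",
          "interfaces": {"Gi0/0": ["in", "out"], "Gi0/1": ["in", "out"]}}
ASA = {"name": "asa1", "kind": "security_appliance",
       "contexts": ["customer-a", "customer-b"]}
SWITCH = {"name": "cat1", "kind": "catalyst_switch", "vlans": [10, 20, 30]}
REPORT = check_topology({"sensor1": [ROUTER, ASA, SWITCH],
                         "sensor2": [ASA]}, active_blocks=120)
```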
Caution
Blocking is not supported on the FWSM in multiple mode admin context.
For security appliances configured in multi-mode, Cisco IPS does not include VLAN information in the
block request. Therefore you must make sure the IP addresses being blocked are correct for each security
appliance. For example, the sensor is monitoring packets on a security appliance customer context that