Cisco Systems IPS4510K9 manual ARC Features

Appendix A System Architecture

MainApp

ARC Features

The ARC has the following features:

•Communication through Telnet and SSH 1.5 with 3DES (the default) or DES encryption

Only the protocol specified in the ARC configuration for that device is attempted. If the connection fails for any reason, the ARC attempts to reestablish it.

•Preexisting ACLs on routers and VACLs on switches

If a preexisting ACL exists on a router interface or direction that is controlled by the ARC, you can specify that this ACL be merged into the ARC-generated configuration, either before any blocks by specifying a preblock ACL or after any blocks by specifying a postblock ACL. The Catalyst 6000 VACL device types can have a preblock and postblock VACL specified for each interface that the ARC controls. The firewall device types use a different API to perform blocks and the ARC does not have any effect on preexisting ACLs on the firewalls.

Note Catalyst 5000 RSM and Catalyst 6000 MSFC2 network devices are supported in the same way as Cisco routers.

•Forwarding blocks to a list of remote sensors

The ARC can forward blocks to a list of remote sensors, so that multiple sensors can in effect collectively control a single network device. Such remote sensors are referred to as master blocking sensors.

•Specifying blocking interfaces on a network device

You can specify the interface and direction where blocking is performed in the ARC configuration for routers. You can specify the interface where blocking is performed in the VACL configuration. The ARC can simultaneously control up to 250 interfaces.

Note Cisco firewalls do not block based on interface or direction, so this configuration is never specified for them.

•Blocking hosts or networks for a specified time

The ARC can block a host or network for a specified number of minutes or indefinitely. The ARC determines when a block has expired and unblocks the host or network at that time.

•Logging important events

The ARC writes a confirmation event when block or unblock actions are completed successfully or if any errors occur. The ARC also logs important events such as loss and recovery of a network device communication session, configuration errors, and errors reported by the network device.

•Maintaining the blocking state across ARC restarts

The ARC reapplies blocks that have not expired when a shutdown or restart occurs. The ARC removes blocks that have expired while it was shut down.

Note The ARC can only maintain the blocking state successfully if no one changes the system time while the application is shut down.