Appendix A System Architecture

MainApp

Caution Cisco firewalls do not support connection blocking of hosts. When a connection block is applied, the firewall treats it like an unconditional block. Cisco firewalls also do not support network blocking. ARC never tries to apply a network block to a Cisco firewall.

Blocking with Cisco Firewalls

The ARC performs blocks on firewalls using the shun command. The shun command has the following formats:

To block an IP address:

shun srcip [destination_ip_address source_port destination_port [port]]

To unblock an IP address:

no shun ip

To clear all blocks:

clear shun

To show active blocks or to show the global address that was actually blocked: show shun [ip_address]

The ARC uses the response to the show shun command to determine whether the block was performed. The shun command does not replace existing ACLs, conduits, or outbound commands, so there is no need to cache the existing firewall configuration, nor to merge blocks into the firewall configuration.

Caution Do not perform manual blocks or modify the existing firewall configuration while ARC is running.

If the block command specifies only the source IP address, existing active TCP connections are not broken, but all incoming packets from the blocked host are dropped.

When the ARC first starts up, the active blocks in the firewall are compared to an internal blocking list. Any blocks that do not have a corresponding internal list entry are removed.

The ARC supports authentication on a firewall using local usernames or a TACACS+ server. If you configure the firewall to authenticate using AAA but without the TACACS+ server, the ARC uses the reserved username pix for communications with the firewall.

If the firewall uses a TACACS+ server for authentication, you use a TACACS+ username. In some firewall configurations that use AAA logins, you are presented with three password prompts: the initial firewall password, the AAA password, and the enable password. The ARC requires that the initial firewall password and the AAA password be the same.

When you configure a firewall to use NAT or PAT and the sensor is checking packets on the firewall outside network, if you detect a host attack that originates on the firewall inside network, the sensor tries to block the translated address provided by the firewall. If you are using dynamic NAT addressing, the block can be ineffective or cause innocent hosts to be blocked. If you are using PAT addressing, the firewall could block the entire inside network. To avoid these situations, position your sensor on the inside interface or do not configure the sensor to block.

 

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

A-18

OL-29168-01

Page 591 Page 593
Page 592
Image 592
Cisco Systems IPS4510K9 manual Blocking with Cisco Firewalls, To unblock an IP address, To clear all blocks, No shun ip
Page 591 Page 593

IPS4510K9 specifications

Cisco Systems has long been a leading player in network security, and its IPS (Intrusion Prevention System) series is a testament to its commitment to safeguarding digital environments. Among its notable offerings are the IPS4510K9 and IPS4520K9 models, both designed to provide advanced threat protection for mid-sized to large enterprise networks.

The Cisco IPS4510K9 and IPS4520K9 are distinguished by their cutting-edge features that help organizations defend against a myriad of cyber threats. These systems utilize a multi-layered approach to security, integrating intrusion prevention, advanced malware protection, and comprehensive visibility across the network.

One of the primary characteristics of the IPS4510K9 is its high performance. It boasts a throughput of up to 1 Gbps, making it suitable for environments that demand rapid data processing and real-time responses to threats. The IPS4520K9, on the other hand, enhances that capability with improved throughput of up to 2 Gbps, accommodating larger enterprises with heavier network traffic. These models are equipped with powerful processors that support complex signature matching and can intelligently distinguish between legitimate traffic and potential threats.

In addition to performance, both models are designed with scalability in mind. They can be easily integrated into existing Cisco infrastructures. This facilitates a seamless enhancement of security without causing significant interruptions to ongoing operations. Moreover, they offer flexible deployment options, allowing organizations to operate them inline or out of band depending on their specific needs.

The Cisco IPS4510K9 and IPS4520K9 leverage advanced detection technologies, utilizing a variety of signature types and heuristic analysis to detect known and unknown threats effectively. They are equipped with real-time alerting and reporting capabilities, giving security teams immediate visibility into potential breaches and enabling them to respond swiftly.

Furthermore, both models support a range of management options through the Cisco Security Manager, allowing for centralized administration, streamlined policy management, and enhanced monitoring capabilities. Automated updates ensure the systems remain current with the latest threat intelligence, vital for staying ahead of evolving cyber threats.

In summary, the Cisco Systems IPS4510K9 and IPS4520K9 represent powerful solutions for organizations seeking robust intrusion prevention capabilities. With their high performance, scalability, and advanced detection technologies, these systems are essential tools in the ever-changing landscape of cybersecurity, providing enterprises with the peace of mind needed to operate securely in today's digital world.
Top Page Image Contents