© 2001, Cisco Systems, Inc. CSIDS 2.0 10-1 Chapter 10 IP Blocking Configuration.


Objectives

Upon completion of this chapter, you will be able to perform the following tasks:
– Describe the Device Management capability of the Sensor and how it is used to perform IP blocking with a Cisco IOS router.
– Design IP blocking into an IDS solution, including the ACL placement considerations that decide where Sensor-generated ACLs are applied.
– Configure a Sensor with Device Management, which enables the IP blocking capability.
– Configure a Sensor to perform IP blocking through a Master Blocking Sensor.

Introduction

Definitions

Device Management: the ability of a Sensor to interact with Cisco IOS routers and dynamically reconfigure the router's ACL to stop an attack.
IP blocking: the Sensor feature that Device Management is used to implement.

Device Management Requirements

Cisco IOS router series: 1600, 2500, 2600, 3600, 4500, 4700, 7200, and 7500.
The Sensor must be able to communicate with the router.
The router must be configured to allow Telnet access from the Sensor:
– VTY access
– Enable password set

IP Blocking Guidelines

– Implement anti-spoofing mechanisms.
– Identify hosts that are to be excluded from blocking.
– Identify network entry points that will participate in blocking.
– Block signatures that are deemed an immediate threat.
– Determine the appropriate blocking duration.

IP Blocking at the Router

[Figure: an attack from the untrusted network toward the protected network; (1) the Sensor detects the attack, (2) the Sensor writes the ACL, and the router denies the attacker.]

Master Blocking Sensors

[Figure: the protected network is reached through Provider X, monitored by Sensor A, and Provider Y, monitored by Sensor B. When an attacker targets the victim, Sensor A blocks at its own entry point and commands Sensor B to block at the other; Sensor B then blocks.]

ACL Placement Considerations

Where to Apply ACLs

[Figure: untrusted network, external interfaces carrying an inbound ACL, internal interfaces carrying an outbound ACL, protected network.]
The Sensor has full control of the interface it manages: no manually entered ACLs are allowed there.
External interface: apply the ACL in the inbound direction.
Internal interface: apply the ACL in the outbound direction.

Applying ACLs on the External vs. Internal Interfaces

Applying on the external interface:
– Denies the host before it enters the router.
– Provides the best protection against an attacker.
– User-defined ACLs are applied to the internal interface.
Applying on the internal interface:
– Denies the host before it enters the protected network.
– The shun does not apply to the router itself.
– User-defined ACLs are applied to the external interface.
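The following is an added example, not Cisco's code and not part of the CSPM product: a small Python model of one blocking device entry that ties the guidelines above (exclude critical hosts from blocking, set a block duration) to the placement choice (interface and direction), and renders the IOS ACL the Sensor would own on that interface. The ACL number 199, the interface names and all addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class BlockingDevice:
    """One managed router as entered on the Blocking Devices tab (constructed model)."""
    interface: str          # interface the Sensor owns, e.g. external "Ethernet0/0"
    direction: str          # "in" on the external interface, "out" on the internal one
    block_minutes: int      # block duration entered on the Blocking Devices tab
    never_block: list       # Never Block Addresses as "address/mask" strings
    acl_number: int = 199   # constructed ACL number; the Sensor has full control of it
    blocks: dict = field(default_factory=dict)   # blocked host -> expiry (minutes)

    def __post_init__(self):
        if self.direction not in ("in", "out"):
            raise ValueError("direction must be 'in' or 'out'")
        self.never_block = [ipaddress.ip_network(n, strict=False) for n in self.never_block]

    def request_block(self, src, now):
        """Sensor-initiated (or manual) block of src. Refused when src matches a
        Never Block entry, so a spoofed attack cannot get a critical host shunned."""
        host = ipaddress.ip_address(src)
        if any(host in net for net in self.never_block):
            return False
        self.blocks[host] = now + self.block_minutes
        return True

    def remove_block(self, src):
        """Actions > Remove Block: drop the entry regardless of time remaining."""
        return self.blocks.pop(ipaddress.ip_address(src), None) is not None

    def expire(self, now):
        """Drop entries whose block duration has elapsed."""
        self.blocks = {h: t for h, t in self.blocks.items() if t > now}

    def time_remaining(self, src, now):
        """Value shown in View > Block List; None if the host is not blocked."""
        expiry = self.blocks.get(ipaddress.ip_address(src))
        return None if expiry is None else max(0, expiry - now)

    def render_acl(self):
        """IOS lines the Sensor would write: one deny per blocked host, then permit any,
        applied on the configured interface in the configured direction."""
        lines = [f"access-list {self.acl_number} deny ip host {h} any" for h in sorted(self.blocks)]
        lines.append(f"access-list {self.acl_number} permit ip any any")
        lines += [f"interface {self.interface}", f" ip access-group {self.acl_number} {self.direction}"]
        return lines
```

Because the ACL ends in permit any and is rewritten wholesale, any manually added entry on that interface would be lost, which is why the chapter places user-defined ACLs on the other interface.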

Configuring a Sensor for IP Blocking

Setting the Blocking Device Properties

Select the Blocking tab, then the Blocking Devices tab, and enter:
– the router's Telnet IP address
– the router's Telnet username
– the router's Telnet password
– the router's enable password
– the router's ACL interfaces and directions
– the block duration

Setting Never Block Addresses

Select the Sensor, then the Blocking tab, then the Never Block Addresses tab, and enter the IP addresses and masks.

Blocking Through a Master Blocking Sensor

Select the Sensor, then the Blocking tab, then the Master Blocking Sensor tab, and select a Sensor from the list.

Viewing the List of Blocked IP Addresses

Select the Sensor, or select the alarm generated by the Sensor, and choose View > Block List. The list shows each blocked IP address and the time remaining.

Viewing the Managed Network Device

Select the Sensor, or select the alarm generated by the Sensor, and choose View > Network Device. The view shows the device's IP address, version, type, status, and current time.

Manually Blocking a Host or Network

Select the alarm generated by the Sensor, choose Actions > Block > ..., and enter the IP address and block duration.

Removing the Blocked Host or Network

Select the Sensor, or select the alarm generated by the Sensor, and choose Actions > Remove Block > ... for the blocked IP address.

Summary

Summary

Device Management is the Sensor's ability to dynamically reconfigure a Cisco IOS router's ACLs to block the source of an attack in real time.
Guidelines for designing an IDS solution with IP blocking include the following:
– Implement an anti-spoofing mechanism.
– Identify critical hosts and network entry points.
– Select applicable signatures.
– Determine the blocking duration.

Summary (cont.)

CSIDS Sensors can serve as a Master Blocking Sensor.
The ACLs may be applied on either the external or the internal interface of the router, and can be configured for the inbound or outbound direction on either interface.
The Sensor IP blocking feature is configured from the Blocking tab in CSPM.
From CSPM's Event Viewer, you can view or remove blocked hosts and perform manual IP blocking.

Lab: Configuring a Sensor to Perform IP Blocking with a Cisco IOS Router

Lab Visual Objective

[Figure: Pod P (your pod) and Pod Q (peer pod). Each pod has a router (rP or rQ, interfaces e0/0 and e0/1), a CSPM host (Host ID = 3, Org ID = P, Host Name = cspm P, Org Name = pod P; likewise cspm Q and pod Q for Pod Q), a sensor (sensorP or sensorQ), and an IDSM (idsmP or idsmQ). The pod networks are 10.0.P.0/24 and 10.0.Q.0/24, with the CSPM hosts at 10.0.P.3 and 10.0.Q.3.]