© 2004, Cisco Systems, Inc. All rights reserved. CSIDS 4.111-1 Lesson 11 Blocking Configuration.

Objectives

Upon completion of this lesson, you will be able to perform the following tasks:
– Describe the device management capability of the Sensor and how it is used to perform blocking with a Cisco device.
– Design a Cisco IDS solution using the blocking feature.
– Configure a Sensor to perform blocking with a managed Cisco device (router, PIX Firewall or Catalyst 6000 switch).
– Configure a Sensor to perform blocking through a Master Blocking Sensor.

Introduction

Definitions
– Blocking: The Sensor feature that responds to an attack by reconfiguring a Cisco device so that it denies traffic from the attacking address.
– Device management: The ability of a Sensor to interact with a Cisco device and dynamically reconfigure it to stop an attack.
– Logical device: The login settings (username, password and enable password) that are applied to blocking devices.
– Managed device: The Cisco device that is to block the attack; also referred to as a blocking device.
– Blocking Sensor: The Cisco IDS Sensor configured to control the managed device.
– Interface/direction: The combination of a device interface and a direction, in or out.
– Managed interface or VLAN: The interface or VLAN on the managed device where the Sensor applies the ACL or VACL.
– Active ACL or VACL: The ACL or VACL created and applied to the managed interfaces or VLANs by the Sensor.

Blocking Devices
– Cisco routers running Cisco IOS (the Sensor applies an ACL to a managed interface)
– PIX Firewalls (the Sensor issues the shun command for the attacking host)
– Catalyst 6000 switches (the Sensor applies a VACL to a managed VLAN)

Blocking Device Requirements
– The Sensor must be able to communicate with the device via IP.
– Remote network access must be enabled and permitted from the Sensor to the managed device via one of the following:
  – Telnet
  – SSH
– If using SSH, the blocking device must have an encryption license for DES or 3DES.
Telnet carries the blocking credentials and the pushed configuration in cleartext across the management path; use SSH wherever the device supports it.

Blocking Guidelines
– Implement antispoofing mechanisms, so that an attacker cannot trigger a block against a spoofed address of your choosing.
– Identify hosts that are to be excluded from blocking.
– Identify network entry points that will participate in blocking.
– Assign the block reaction to signatures that are deemed an immediate threat.
– Determine the appropriate blocking duration.

NAC Block Actions
The Network Access Controller (NAC) is the Sensor application that performs blocking. The following events cause the NAC to initiate a block:
– A signature configured with a block action generates an alert.
– You manually initiate a temporary block from a management interface such as the CLI, IDM, or IDS MC.
– You manually configure the NAC to permanently block a host or network address.

Blocking Process
– An event or action occurs that has a block action associated with it.
– The Sensor pushes a new set of ACL entries (one ACL per interface/direction) to each managed device.
– An alarm is sent to the EventStore at the same time the Sensor initiates the block.
– When the block expires, all configurations or ACLs are updated to remove the block.

Blocking Scenario (figure): an attacker on the untrusted network targets the protected network; (1) the Sensor detects the attack, (2) the Sensor writes the ACL to the managed router, and the router then denies the attacker's traffic.

ACL Considerations

Where to Apply ACLs
(Figure: the untrusted network connects to the router's external interfaces, where an inbound ACL is applied; the protected network connects to the internal interfaces, where an outbound ACL is applied.)
– When the Sensor has full control, no manually entered ACLs are allowed on the managed interface.
– Apply to an external interface in an inbound direction.
– Apply to an internal interface in an outbound direction.

Applying ACLs on the External vs. Internal Interfaces
– External interface in the inbound direction
  – Denies packets from the host before they enter the router.
  – Provides the best protection against an attacker, because the router itself is also protected.
– Internal interface in the outbound direction
  – Denies packets from the host before they enter the protected network.
  – The block does not apply to the router itself.

Using Existing ACLs
– The Sensor takes full control of ACLs on the managed interface.
– Existing ACL entries can be included before the dynamically created entries. This is referred to as applying a Pre-block ACL.
– Existing ACL entries can be added after the dynamically created entries. This is referred to as applying a Post-block ACL.
– The existing ACL must be an extended IP ACL, either named or numbered.
Because IOS evaluates an ACL top down and stops at the first match, a permit in the Pre-block ACL overrides any block the Sensor writes; keep Pre-block entries to the minimum that must never be interrupted (for example, the Sensor's own management access), and put everything else in the Post-block ACL.
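The following Python model is an added example, not Cisco's code, that ties together the blocking process, the never-block list and the Pre-block/Post-block ordering described above: the NAC keeps the active blocks with their expiry, refuses any request that overlaps a never-block address, and renders for one interface/direction the IOS ACL it would push (Pre-block entries, then one deny per active block, then the Post-block entries or a permit ip any any), alternating between two ACL names so the interface is never left without an ACL; for a PIX it renders shun commands instead. The ACL naming scheme (IDS_<interface>_<direction>_0/1), the name alternation and the "permit ip any any when no Post-block ACL is configured" behaviour are assumptions about the product, and every address used is constructed.

```python
"""Model of what a Cisco IDS 4.x Sensor's Network Access Controller (NAC) pushes to
a managed device. Added example, not Cisco code: the ACL naming, the 0/1 name
alternation and the 'permit ip any any when no Post-block ACL' behaviour are
assumptions, and every address below is constructed."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


@dataclass
class Block:
    network: ipaddress.IPv4Network
    expires_at: float | None        # None = permanent (manually configured) block


@dataclass
class ManagedInterface:
    name: str                       # e.g. "FastEthernet0/0"
    direction: str                  # "in" or "out"
    pre_block_acl: list[str] = field(default_factory=list)   # evaluated before the blocks
    post_block_acl: list[str] = field(default_factory=list)  # evaluated after the blocks


class NAC:
    def __init__(self, never_block: list[str], default_duration_s: float) -> None:
        # Never-block addresses win over every block request.
        self.never_block = [ipaddress.IPv4Network(n, strict=False) for n in never_block]
        self.default_duration_s = default_duration_s
        self.blocks: dict[ipaddress.IPv4Network, Block] = {}
        self.generation: dict[tuple[str, str], int] = {}

    def request_block(self, address: str, now: float,
                      duration_s: float | None = None, permanent: bool = False) -> bool:
        """Record a block for a host or network; returns False if it is refused."""
        net = ipaddress.IPv4Network(address, strict=False)
        if any(net.overlaps(excluded) for excluded in self.never_block):
            return False
        expires = None if permanent else now + (duration_s or self.default_duration_s)
        existing = self.blocks.get(net)
        if existing is not None:
            if existing.expires_at is None:
                return True                     # already blocked permanently
            if expires is not None and expires <= existing.expires_at:
                return True                     # existing block already lasts at least as long
        self.blocks[net] = Block(net, expires)
        return True

    def expire(self, now: float) -> list[ipaddress.IPv4Network]:
        """Drop blocks whose duration has elapsed; returns the networks removed."""
        expired = [n for n, b in self.blocks.items()
                   if b.expires_at is not None and b.expires_at <= now]
        for n in expired:
            del self.blocks[n]
        return expired

    @staticmethod
    def _ios_source(net: ipaddress.IPv4Network) -> str:
        # IOS ACL source syntax: "host A.B.C.D" for a /32, otherwise "network wildcard".
        if net.prefixlen == 32:
            return f"host {net.network_address}"
        return f"{net.network_address} {net.hostmask}"

    def render_ios(self, iface: ManagedInterface, now: float) -> list[str]:
        """Configuration lines for one interface/direction of a managed IOS router."""
        self.expire(now)
        key = (iface.name, iface.direction)
        gen = self.generation.get(key, 0)
        # Assumed naming. Alternating between two names lets the new ACL be bound to the
        # interface before the old one is deleted, so traffic is never left unfiltered.
        acl_name = f"IDS_{iface.name.replace('/', '_')}_{iface.direction}_{gen}"
        lines = [f"ip access-list extended {acl_name}"]
        lines += [f" {entry}" for entry in iface.pre_block_acl]
        for net in sorted(self.blocks):
            lines.append(f" deny ip {self._ios_source(net)} any")
        if iface.post_block_acl:
            lines += [f" {entry}" for entry in iface.post_block_acl]
        else:
            lines.append(" permit ip any any")  # otherwise the implicit deny would drop everything
        lines += [f"interface {iface.name}", f" ip access-group {acl_name} {iface.direction}"]
        self.generation[key] = 1 - gen
        return lines

    def render_pix(self, now: float) -> list[str]:
        """PIX equivalent: one shun per blocked host (shun takes a single source
        address, so network blocks are not rendered here)."""
        self.expire(now)
        return [f"shun {net.network_address}" for net in sorted(self.blocks) if net.prefixlen == 32]
```

Calling render_ios() again after a block has expired yields the same ACL without that deny entry, under the other name, which is the "configurations or ACLs are updated to remove the block" step of the process; a request for an address inside the never-block range returns False and writes nothing.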

Blocking Sensor Configuration

Configuration Tasks
Complete the following tasks to configure a Sensor for blocking:
1. Assign the block reaction to a signature.
2. Assign the Sensor global blocking properties.
3. Define the logical device properties.
4. Define the managed device properties.
5. For Cisco IOS or Catalyst 6000 devices, assign the managed interface properties.
6. (Optional.) Assign the list of addresses that are never blocked.
7. (Optional.) Define a Master Blocking Sensor.

Assign Block Reaction (IDM screenshot): in the signature's EventAction settings, select the block action.

Sensor's Blocking Properties: Choose Configuration > Blocking > Blocking Properties. This is where the Sensor's global blocking settings (task 2 above) are set.

Managed Device: Cisco Router
– Choose Configuration > Blocking > Logical Devices, and select Add (define the login settings the Sensor uses on the router).
– Choose Configuration > Blocking > Blocking Devices, and select Add; set the Device Type to Cisco Router.
– Choose Configuration > Blocking > Router Blocking Device Interfaces, and select Add; specify the Blocking Interface and direction, and optionally the Pre-block and Post-block ACL names.

Managed Device: PIX Firewall
– Choose Configuration > Blocking > Logical Devices, and select Add.
– Choose Configuration > Blocking > Blocking Devices, and select Add; set the Device Type to PIX Firewall. No interface entry is needed, because the PIX blocks the host with the shun command rather than with a per-interface ACL.

Managed Device: Catalyst 6000 Switch
– Choose Configuration > Blocking > Logical Devices, and select Add.
– Choose Configuration > Blocking > Blocking Devices, and select Add; set the Device Type to Catalyst 6000.
– Choose Configuration > Blocking > Blocking Devices > Cat 6K Blocking Device Interfaces, and select Add; specify the switch IP Address and the VLAN on which the VACL is applied.

Never-Block Addresses: Choose Configuration > Blocking > Never Block Addresses, and select Add. Typical entries are the Sensor itself and its management stations, the managed devices, and critical servers, so that an attack with a spoofed source address cannot make the Sensor cut off its own infrastructure.

Master Blocking Sensor Configuration

Master Blocking Sensors (figure): the protected network is reachable from the attacker through two paths, Provider X via Router A (monitored by Sensor A) and Provider Y via PIX Firewall B (monitored by Sensor B). When Sensor A detects the attack on the target, Sensor A blocks on Router A and commands Sensor B to block on PIX Firewall B, so the attacker cannot simply come in through the other provider.

Master Blocking Sensor Characteristics
The following are the characteristics of a Master Blocking Sensor:
– A Master Blocking Sensor can be any Sensor that controls blocking on a device on behalf of another Sensor.
– A Blocking Forwarding Sensor is a Sensor that sends block requests to a Master Blocking Sensor.
– Any 4.x Sensor can act as a Master Blocking Sensor for any other 4.x Sensor.
– A Sensor can forward block requests to a maximum of 10 Master Blocking Sensors.
– A Master Blocking Sensor can handle block requests from multiple Blocking Forwarding Sensors.
– A Master Blocking Sensor can use other Master Blocking Sensors to control other devices.

Configuring the Use of a Master Blocking Sensor
On the Blocking Forwarding Sensor, complete the following tasks:
– Specify the Master Blocking Sensor.
– Define the RDEP communication parameters. If you use the IDS MC for configuration, the RDEP parameters of the Master Blocking Sensor are retrieved automatically. If you use the IDM or CLI for configuration, you must configure the RDEP parameters manually.
– If TLS is enabled, add the Master Blocking Sensor to the TLS trusted host table.
On the Master Blocking Sensor, add each Blocking Forwarding Sensor to the allowed hosts table.
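The two trust tables in the procedure above are easy to get half right, so here is an added Python model (not Cisco code) of what each side enforces: the Blocking Forwarding Sensor only talks to Master Blocking Sensors whose TLS certificate matches its trusted host table, and a Master Blocking Sensor only honours requests from forwarding Sensors in its allowed hosts table; it also enforces the ten-master limit from the characteristics slide. RDEP over TLS is reduced to a method call, and the sensor names, addresses and fingerprints are constructed.

```python
"""Model of the trust checks between a Blocking Forwarding Sensor and its Master
Blocking Sensors (MBSs). Added example, not Cisco code: RDEP over TLS is reduced to
a Python method call, and the sensor names, addresses and certificate fingerprints
are constructed."""
from __future__ import annotations

from dataclasses import dataclass, field

MAX_MASTER_BLOCKING_SENSORS = 10        # a Sensor forwards to at most 10 MBSs


@dataclass
class BlockRequest:
    requester: str                      # address of the forwarding Sensor as the MBS sees it
    target: str                         # host or network to block
    duration_s: int


@dataclass
class MasterBlockingSensor:
    name: str
    tls_fingerprint: str                # fingerprint of the certificate the MBS presents
    allowed_hosts: set[str] = field(default_factory=set)   # forwarding Sensors that may send requests
    blocks: dict[str, int] = field(default_factory=dict)   # target -> duration in seconds

    def handle(self, req: BlockRequest) -> bool:
        """Accept a block request only from a Sensor in the allowed hosts table."""
        if req.requester not in self.allowed_hosts:
            return False
        # A repeated request for the same target keeps the longer duration.
        self.blocks[req.target] = max(req.duration_s, self.blocks.get(req.target, 0))
        return True


@dataclass
class ForwardingSensor:
    address: str
    tls_trusted_hosts: dict[str, str] = field(default_factory=dict)  # MBS name -> expected fingerprint
    masters: list[MasterBlockingSensor] = field(default_factory=list)

    def add_master(self, mbs: MasterBlockingSensor) -> None:
        if len(self.masters) >= MAX_MASTER_BLOCKING_SENSORS:
            raise ValueError("a Sensor can forward block requests to at most 10 Master Blocking Sensors")
        self.masters.append(mbs)

    def forward_block(self, target: str, duration_s: int) -> dict[str, str]:
        """Send the request to every MBS; returns 'blocked', 'untrusted-tls' or 'not-allowed' per MBS."""
        results: dict[str, str] = {}
        for mbs in self.masters:
            # TLS trusted host table: do not talk to an MBS whose certificate is unknown or has
            # changed, otherwise an impostor could silently swallow the block requests.
            if self.tls_trusted_hosts.get(mbs.name) != mbs.tls_fingerprint:
                results[mbs.name] = "untrusted-tls"
                continue
            accepted = mbs.handle(BlockRequest(self.address, target, duration_s))
            results[mbs.name] = "blocked" if accepted else "not-allowed"
        return results
```

The two failure outcomes correspond to the two halves of the procedure: "untrusted-tls" means the Master Blocking Sensor was never added to the forwarding Sensor's TLS trusted host table (or its certificate was regenerated since), and "not-allowed" means the forwarding Sensor is missing from the Master Blocking Sensor's allowed hosts table. In either case the block silently does not happen on the second path, which is exactly the gap the Master Blocking Sensor design is meant to close.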

Configuring Master Blocking Sensors: Choose Configuration > Blocking > Master Blocking Sensor, and select Add.

Summary

– Device management is the ability of a Sensor to dynamically reconfigure a Cisco device to block the source of an attack in real time.
– Guidelines for designing an IDS solution with blocking include the following:
  – Implement an antispoofing mechanism.
  – Identify critical hosts (to exclude from blocking) and network entry points (to block at).
  – Select applicable signatures.
  – Determine the blocking duration.
– Sensors can serve as Master Blocking Sensors, controlling a device on behalf of other Sensors.
– The ACLs may be applied on either the external or internal interface of the Cisco IOS device and may be configured for inbound or outbound traffic on either interface; the recommended combinations are external interface inbound, which also protects the router, and internal interface outbound.

Lab Exercise

Lab Visual Objective (figure): two student pods, P and Q, each consisting of a Student PC, a Router and a Sensor (sensorP, sensorQ), connected through the RBB backbone to the RTS host that provides the Web and FTP services; the addressing shown on the figure is not reproduced here.