Lesson 10

Configuring Blocking

© 2005 Cisco Systems, Inc. All rights reserved. IPS v5.0—10-1


Introduction

Definitions

• Blocking: A Cisco IPS sensor feature that prevents packets
from reaching their destination; initiated by a sensor and
performed by another Cisco device at the request of the sensor
• NAC: The blocking application on the sensor
• Device management: The ability of a sensor to interact with a
Cisco device and dynamically reconfigure the Cisco device to
stop an attack
• Blocking device: The Cisco device that blocks the attack; also
referred to as a managed device
• Blocking sensor: The Cisco IPS sensor configured to control
the managed device
• Managed interface or VLAN: The interface or VLAN on the
managed device where the Cisco IPS sensor applies the ACL or
VACL
• Active ACL or VACL: The ACL or VACL created and applied to
the managed interfaces or VLANs by the sensor

Blocking Devices

• Cisco routers
• PIX Security Appliances
• Firewall Services Modules
• Catalyst 5000 family switches
• Catalyst 6000 family switches

Blocking Device Requirements

• The sensor must be able to communicate with the
device via IP.
• Remote network access must be enabled and
permitted from the sensor to the managed device
via one of the following:
– Telnet
– SSH
• If using SSH, the blocking device must have an
encryption license for DES or 3DES.

Adding the Device to the Sensor Known Hosts List

(IDM screenshot: Configuration > Sensor Setup > SSH > Known Hosts > Add; the dialog asks for the device's Key)

Adding the Device to the Sensor Known Hosts List (Cont.)

(IDM screenshot of the known host key dialog: IP Address, Retrieve Host Key, Modulus Length, Public Exponent, Public Modulus, OK)

Blocking Guidelines

• Implement antispoofing mechanisms.
• Identify hosts that are to be excluded from
blocking.
• Identify network entry points that will participate in
blocking.
• Assign a block reaction to signatures that are
deemed an immediate threat.
• Determine the appropriate blocking duration.

NAC Block Actions

Two events cause the NAC to initiate a block.

• Automatic blocking: A signature configured with
one of the following block actions generates an
alert:
– Request block host
– Request block connection
• Manual blocking: You manually configure the NAC
to block a specific host or network address.

ACL Considerations

Blocking Scenario

(Diagram: the attacker at 172.26.26.1 on the untrusted network attacks the host 192.168.1.10 on the protected network; the router between them receives a deny for 172.26.26.1.)

1. Attacker attacks 192.168.1.10.
2. Sensor detects attack.
3. Sensor writes ACL (deny 172.26.26.1).
4. Router blocks attacker.

Configuration Tasks

Tasks to configure a sensor for automatic
blocking:
• Assign a block reaction to a signature.
• Assign the sensor global blocking properties.
• Create the device login profiles that the sensor
uses when logging in to blocking devices.
• Define the blocking device properties.
• For Cisco IOS or Catalyst 6000 devices, assign the
managed interface’s properties.
• (Optional.) Define a master blocking sensor.

Where to Apply ACLs

• When the sensor has full control, no manually
entered ACLs are allowed.
• For an external interface, prefer an inbound
direction.
• For an internal interface, prefer an outbound
direction.

(Diagram: untrusted network; external interfaces with an inbound ACL; internal interfaces with an outbound ACL; protected network)

Applying ACLs on External Versus Internal
Interfaces

• External interface in the inbound direction:
– Denies packets from the host before they
enter the router
– Provides the best protection against an
attacker
• Internal interface in the outbound direction:
– Denies packets from the host before they
enter the protected network
– Does not apply to the router itself

Using Existing ACLs

• The sensor takes full control of ACLs on the
managed interface.
• Existing ACL entries can be included before the
dynamically created ACL. This is referred to as
applying a pre-block ACL.
• Existing ACL entries can be added after the
dynamically created ACL. This is referred to as
applying a post-block ACL.
• The existing ACL must be an extended IP ACL,
either named or numbered.

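The ACL layering described on the last three slides (pre-block entries, the sensor's dynamic deny entries, post-block entries, never-block exclusions, the Maximum Block Entries cap, and the inbound/outbound binding on the managed interface), modelled in Python as an added example for the blocking scenario above. This is not Cisco's code: the exact text of the entries the sensor writes, the trailing permit when no post-block ACL exists, and all addresses are assumptions or constructed samples.

```python
from ipaddress import ip_address, ip_network


def is_never_blocked(addr, never_block):
    """never_block holds the Never Block Addresses entries as CIDR strings."""
    return any(ip_address(addr) in ip_network(n, strict=False) for n in never_block)


def block_entry(block):
    """Render one dynamic deny entry (assumed wording). A host block denies
    all IP traffic from the source; a connection block denies only the
    matching protocol, destination host and destination port."""
    if block["type"] == "host":
        return f"deny ip host {block['src']} any"
    return (f"deny {block['proto']} host {block['src']} "
            f"host {block['dst']} eq {block['port']}")


def build_active_acl(name, pre_block, blocks, post_block, never_block, max_entries):
    """Return the IOS extended named ACL the sensor would write: pre-block
    entries first, then the dynamic entries (never-block addresses skipped,
    count capped at the Maximum Block Entries setting), then post-block
    entries."""
    lines = [f"ip access-list extended {name}"]
    lines += [f" {e}" for e in pre_block]
    applied = 0
    for b in blocks:
        if applied >= max_entries or is_never_blocked(b["src"], never_block):
            continue
        lines.append(f" {block_entry(b)}")
        applied += 1
    lines += [f" {e}" for e in post_block]
    if not post_block:
        # Assumption: with no post-block ACL the sensor closes the list with
        # an explicit permit so the implicit deny does not drop all traffic.
        lines.append(" permit ip any any")
    return lines


def apply_commands(name, interface, direction):
    """Bind the ACL to the managed interface. The lesson prefers 'in' on an
    external interface and 'out' on an internal one."""
    if direction not in ("in", "out"):
        raise ValueError("direction must be 'in' or 'out'")
    return [f"interface {interface}", f" ip access-group {name} {direction}"]
```
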
Automatic Blocks

Configuring Blocking Actions

(IDM screenshot: Configuration > Signature Definition > Signature Configuration, then Actions)

Configuring Blocking Actions (Cont.)

(IDM screenshot of the Actions dialog: Request Block Connection, Request Block Host)

Configuring Blocking Properties

(IDM screenshot: Configuration > Blocking > Blocking Properties; options Enable blocking, Maximum Block Entries, Allow the sensor . . . blocked, Add)

Adding Never Block Addresses

(IDM screenshot of the never-block address dialog: IP Address, Mask)

Configuring Device Login Profiles

(IDM screenshot: Configuration > Blocking > Device Login Profiles > Add)

Configuring Device Login Profiles (Cont.)

(IDM screenshot of the device login profile dialog: Profile Name, Username, and two New Password / Confirm New Password pairs)

Configuring Blocking Devices

(IDM screenshot: Configuration > Blocking > Blocking Devices > Add)

Configuring Blocking Devices (Cont.)

(IDM screenshot of the blocking device dialog: IP Address, Sensor's NAT Address, Device Login Profile, Device Type, Communication)

Configuring Router Blocking Device Interfaces

(IDM screenshot: Configuration > Blocking > Router Blocking Device Interfaces > Add)

Configuring Blocking Device Interfaces (Cont.)

(IDM screenshot of the router blocking device interface dialog: Router Blocking Device, Blocking Interface, Direction, Pre-Block ACL, Post-Block ACL)

Configuring Switch Blocking Device Interfaces

(IDM screenshot: Configuration > Blocking > Cat 6K Blocking Devices > Add)

Configuring Switch Blocking Device Interfaces (Cont.)

(IDM screenshot of the Cat 6K blocking device dialog: Cat 6K Blocking Device, VLAN ID, Pre-Block VACL, Post-Block VACL)

PIX Security Appliance Blocking Device
Considerations

• PIX Security Appliance interfaces and ACLs do not
need to be configured when the PIX Security
Appliance is defined as a blocking device.
• Blocking is enforced using the PIX Security
Appliance shun command.
• The shun command is limited to blocking hosts.
• The shun command does not support the blocking
of specific host connections or the manual
blocking of entire networks or subnetworks.

Manual Blocks

Configuring Active Host Blocks

(IDM screenshot: Monitoring > Active Host Blocks > Add)

Configuring Active Host Blocks (Cont.)

(IDM screenshot of the active host block dialog: Source IP, Enable Connection Blocking, Destination IP, Destination Port, Protocol, VLAN, Enable Timeout, Timeout, No Timeout)

Configuring Network Blocks

(IDM screenshot: Monitoring > Network Blocks > Add)

Configuring Network Blocks (Cont.)

(IDM screenshot of the network block dialog: Source IP, Netmask, Enable Timeout, Timeout, No Timeout)

Master Blocking Sensors

Master Blocking Sensors

(Diagram: an attacker in Provider X's network targets the protected network; Sensor A blocks on Router A and commands Sensor B to block on PIX B in Provider Y's network; Sensor B blocks.)

Master Blocking Sensor Characteristics

Characteristics of a master blocking sensor:

• A master blocking sensor can be any sensor that controls
blocking on a device on behalf of another sensor.
• A blocking forwarding sensor is a sensor that sends block
requests to a master blocking sensor.
• Any 5.0 sensor can act as a master blocking sensor for any
other 5.0 sensor.
• A sensor can forward block requests to a maximum of 10
master blocking sensors.
• A master blocking sensor can handle block requests from
multiple blocking forwarding sensors.
• A master blocking sensor can use other master blocking
sensors to control other devices.

Configuring the Use of a Master Blocking
Sensor

• On the blocking forwarding sensor:
– specify the master blocking sensor
– if TLS is enabled, add the master blocking
sensor to the TLS trusted host table
• On the master blocking sensor, add each blocking
forwarding sensor to the allowed hosts table

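The relationship the last two slides describe, as an added Python model (not Cisco's code): a blocking forwarding sensor forwards block requests to at most 10 master blocking sensors, sends to a TLS-enabled master only if that master is in its TLS trusted host table, and a master blocking sensor applies a block only when the forwarding sensor is in its allowed hosts table. Class and method names, and all addresses, are constructed for the example.

```python
from ipaddress import ip_address, ip_network

MAX_MASTER_BLOCKING_SENSORS = 10  # per-sensor limit stated in the lesson


class MasterBlockingSensor:
    """Controls blocking on a device on behalf of forwarding sensors."""

    def __init__(self, name, ip, allowed_hosts, use_tls=True):
        self.name, self.ip, self.use_tls = name, ip, use_tls
        # Allowed hosts table: networks permitted to send block requests.
        self.allowed_hosts = [ip_network(h, strict=False) for h in allowed_hosts]
        self.active_blocks = []

    def handle_request(self, forwarder_ip, target):
        """Apply the block only if the forwarder is in the allowed hosts table."""
        if not any(ip_address(forwarder_ip) in n for n in self.allowed_hosts):
            return False
        if target not in self.active_blocks:
            self.active_blocks.append(target)
        return True


class BlockingForwardingSensor:
    """Sends block requests to its configured master blocking sensors."""

    def __init__(self, name, ip, masters, tls_trusted_hosts=()):
        if len(masters) > MAX_MASTER_BLOCKING_SENSORS:
            raise ValueError("a sensor may forward to at most 10 master blocking sensors")
        self.name, self.ip, self.masters = name, ip, list(masters)
        self.tls_trusted_hosts = set(tls_trusted_hosts)  # TLS trusted host table

    def request_block(self, target):
        """Forward the block request. A master that uses TLS must be in the
        TLS trusted host table or nothing is sent to it. Returns the names of
        the masters that applied the block."""
        applied = []
        for m in self.masters:
            if m.use_tls and m.ip not in self.tls_trusted_hosts:
                continue
            if m.handle_request(self.ip, target):
                applied.append(m.name)
        return applied
```
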
Configuring the Blocking Forwarding Sensor

(IDM screenshot: Configuration > Blocking > Master Blocking Sensor > Add)

Configuring Blocking Forwarding Sensor (Cont.)

(IDM screenshot of the master blocking sensor dialog: IP Address, Port, Username, New Password, Confirm New Password, Use TLS)

Configuring the Master Blocking Sensor

(IDM screenshot of the allowed hosts entry: IP Address, Network Mask)

Summary

Summary

• Blocking means that a sensor can dynamically
reconfigure a Cisco device to block the source of
an attack in real time.
• Guidelines for designing an IPS solution with
blocking:
– Implement an antispoofing mechanism.
– Identify critical hosts and network entry points.
– Select applicable signatures.
– Determine the blocking duration.

Summary (Cont.)

• The sensor performs blocking by writing an ACL
on a managed device that denies traffic from the
attacking host.
• ACLs may be applied on the external or the
internal interface of the Cisco IOS device and may
be configured for inbound or outbound traffic on
either interface.
• You can configure a master blocking sensor to
block on behalf of another sensor.

Lab Exercise

Lab Visual Objective

(Lab topology diagram: Web/FTP server .50 and host .150 on 172.26.26.0; RBB at .1 on 172.30.P.0 and 172.30.Q.0; prP and prQ at .2, connecting to 172.16.P.0 and 172.16.Q.0 at .1; sensorP and sensorQ at .4; rP and rQ at .2, connecting 10.0.P.0 and 10.0.Q.0; RTS at .100; Student PCs 10.0.P.12 and 10.0.Q.12)