© 2005 Cisco Systems, Inc. All rights reserved. IPS v
Lesson 10: Configuring Blocking

Introduction

Definitions
Blocking: A Cisco IPS sensor feature that prevents packets from reaching their destination. Blocking is initiated by a sensor and performed by another Cisco device at the request of the sensor.
NAC: The blocking application on the sensor.
Device management: The ability of a sensor to interact with a Cisco device and dynamically reconfigure that device to stop an attack.
Blocking device: The Cisco device that blocks the attack; also referred to as a managed device.
Blocking sensor: The Cisco IPS sensor configured to control the managed device.
Managed interface or VLAN: The interface or VLAN on the managed device where the Cisco IPS sensor applies the ACL or VACL.
Active ACL or VACL: The ACL or VACL created and applied to the managed interfaces or VLANs by the sensor.

Blocking Devices
Cisco routers
PIX Security Appliances
Firewall Services Modules
Catalyst 5000 family switches
Catalyst 6000 family switches

Blocking Device Requirements
The sensor must be able to communicate with the device via IP.
Remote network access must be enabled and permitted from the sensor to the managed device via one of the following:
–Telnet
–SSH
If using SSH, the blocking device must have an encryption license for DES or 3DES.
Adding the Device to the Sensor Known Hosts List
(Screenshot: Configuration > Sensor Setup > SSH > Known Hosts Key; Add)

Adding the Device to the Sensor Known Hosts List (Cont.)
(Screenshot, Add dialog fields: IP Address, Retrieve Host Key, Public Exponent, Public Modulus, Modulus Length; OK)
Blocking Guidelines
Implement antispoofing mechanisms.
Identify hosts that are to be excluded from blocking.
Identify network entry points that will participate in blocking.
Assign a block reaction to signatures that are deemed an immediate threat.
Determine the appropriate blocking duration.

NAC Block Actions
Two events cause the NAC to initiate a block:
Automatic blocking: A signature configured with one of the following block actions generates an alert:
–Request block host
–Request block connection
Manual blocking: You manually configure the NAC to block a specific host or network address.
ACL Considerations

Blocking Scenario
(Diagram: attacker on the Untrusted Network, sensor and router in front of the Protected Network; the ACL entry written to the router is shown as Deny.)
1. Attacker attacks.
2. Sensor detects attack.
3. Sensor writes ACL.
4. Router blocks attacker.
Configuration Tasks
Tasks to configure a sensor for automatic blocking:
1. Assign a block reaction to a signature.
2. Assign the sensor global blocking properties.
3. Create the device login profiles that the sensor uses when logging in to blocking devices.
4. Define the blocking device properties.
5. For Cisco IOS or Catalyst 6000 devices, assign the managed interface properties.
6. (Optional) Define a master blocking sensor.

Where to Apply ACLs
(Diagram: Untrusted Network, external interfaces with an inbound ACL, internal interfaces with an outbound ACL, Protected Network.)
When the sensor has full control, no manually entered ACLs are allowed.
For an external interface, prefer the inbound direction.
For an internal interface, prefer the outbound direction.

Applying ACLs on External Versus Internal Interfaces
External interface in the inbound direction:
–Denies packets from the host before they enter the router
–Provides the best protection against an attacker
Internal interface in the outbound direction:
–Denies packets from the host before they enter the protected network
–Does not apply to the router itself

Using Existing ACLs
The sensor takes full control of ACLs on the managed interface.
Existing ACL entries can be included before the dynamically created ACL entries. This is referred to as applying a pre-block ACL.
Existing ACL entries can be added after the dynamically created ACL entries. This is referred to as applying a post-block ACL.
The existing ACL must be an extended IP ACL, either named or numbered.
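An added example, written for this lesson rather than taken from Cisco's sensor code, that models how the active ACL on a managed interface is composed: pre-block entries first, then one dynamic deny per block request (skipping never-block addresses and honouring the Maximum Block Entries property configured under Blocking Properties), then post-block entries. The ACL entries, the never-block list, the entry cap, the layout of the connection-block entry and the closing permit ip any any are all constructed assumptions.

```python
import ipaddress

# Constructed model (not Cisco's implementation) of how a blocking sensor
# composes the active ACL on a managed IOS interface: pre-block entries,
# then one dynamic deny per block request, then post-block entries.

PRE_BLOCK = ["permit udp any host 192.0.2.53 eq 53"]   # constructed pre-block ACL
POST_BLOCK = ["deny ip any host 192.0.2.99"]           # constructed post-block ACL
NEVER_BLOCK = ["10.0.1.0/24", "192.0.2.10/32"]         # constructed never-block list
MAX_BLOCK_ENTRIES = 3                                  # Maximum Block Entries property


def is_never_blocked(addr, never_block=NEVER_BLOCK):
    """True if addr falls inside any never-block address/mask."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(net) for net in never_block)


def block_entry(req):
    """Translate one block request into an extended ACL entry.
    A host block denies everything from the source; the connection form
    used here (deny proto host src host dst eq port) is an assumed layout."""
    if req["kind"] == "host":
        return f"deny ip host {req['src']} any"
    return (f"deny {req['proto']} host {req['src']} "
            f"host {req['dst']} eq {req['port']}")


def build_active_acl(requests, pre=PRE_BLOCK, post=POST_BLOCK,
                     never_block=NEVER_BLOCK, max_entries=MAX_BLOCK_ENTRIES):
    """Return (acl_lines, dropped): the ACL the sensor would write and the
    requests it refused, each with the reason. Never-block addresses are
    skipped, the entry count is capped, and duplicates are collapsed.
    The closing permit is an assumption of this model: it keeps
    non-blocked traffic flowing when no post-block entry permits it."""
    dynamic, dropped = [], []
    for req in requests:
        entry = block_entry(req)
        if is_never_blocked(req["src"], never_block):
            dropped.append((req["src"], "never-block address"))
        elif entry in dynamic:
            dropped.append((req["src"], "duplicate"))
        elif len(dynamic) >= max_entries:
            dropped.append((req["src"], "maximum block entries reached"))
        else:
            dynamic.append(entry)
    return list(pre) + dynamic + list(post) + ["permit ip any any"], dropped
```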
Automatic Blocks

Configuring Blocking Actions
(Screenshot: Configuration > Signature Definition > Signature Configuration; Actions)

Configuring Blocking Actions (Cont.)
(Screenshot, Actions dialog: Request Block Host, Request Block Connection)
Configuring Blocking Properties
(Screenshot: Configuration > Blocking > Blocking Properties; fields: Enable blocking, Allow the sensor... blocked, Maximum Block Entries; Add)

Adding Never Block Addresses
(Screenshot, Add dialog fields: IP Address, Mask)

Configuring Device Login Profiles
(Screenshot: Configuration > Blocking > Device Login Profiles; Add)

Configuring Device Login Profiles (Cont.)
(Screenshot, Add dialog fields: Profile Name, Username, and two pairs of New Password / Confirm New Password)
Configuring Blocking Devices
(Screenshot: Configuration > Blocking > Blocking Devices; Add)

Configuring Blocking Devices (Cont.)
(Screenshot, Add dialog fields: IP Address, Sensor's NAT Address, Device Login Profile, Device Type, Communication)

Configuring Router Blocking Device Interfaces
(Screenshot: Configuration > Blocking > Router Blocking Device Interfaces; Add)

Configuring Blocking Device Interfaces (Cont.)
(Screenshot, Add dialog fields: Router Blocking Device, Blocking Interface, Direction, Pre-Block ACL, Post-Block ACL)

Configuring Switch Blocking Device Interfaces
(Screenshot: Configuration > Blocking > Cat 6K Blocking Devices; Add)

Configuring Switch Blocking Device Interfaces (Cont.)
(Screenshot, Add dialog fields: Cat 6K Blocking Device, VLAN ID, Pre-Block VACL, Post-Block VACL)
PIX Security Appliance Blocking Device Considerations
PIX Security Appliance interfaces and ACLs do not need to be configured when the PIX Security Appliance is defined as a blocking device.
Blocking is enforced using the PIX Security Appliance shun command.
The shun command is limited to blocking hosts.
The shun command does not support the blocking of specific host connections or the manual blocking of entire networks or subnetworks.
Manual Blocks

Configuring Active Host Blocks
(Screenshot: Monitoring > Active Host Blocks; Add)

Configuring Active Host Blocks (Cont.)
(Screenshot, Add dialog fields: Source IP, Enable Connection Blocking, Destination IP, Destination Port, Protocol, VLAN, Enable Timeout, Timeout, No Timeout)

Configuring Network Blocks
(Screenshot: Monitoring > Network Blocks; Add)

Configuring Network Blocks (Cont.)
(Screenshot, Add dialog fields: Source IP, Netmask, Enable Timeout, Timeout, No Timeout)
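An added example, constructed for this lesson and not Cisco code, that models the block timeouts on the manual-block dialogs above together with the PIX limitation described earlier: automatic blocks expire after the global block duration, manual blocks carry their own timeout or none at all, and a PIX blocking device only ever receives a shun for a single host. The default-duration value, the use of minutes as the unit, and the no shun form for removing a block are assumptions not shown on these slides.

```python
import ipaddress

# Constructed model of a sensor's block table with timeouts, and of the
# commands it would send to a PIX blocking device (not Cisco's code).


class BlockTable:
    def __init__(self, default_minutes=30):
        # Global block duration for automatic blocks (assumed value and unit).
        self.default_minutes = default_minutes
        # target -> expiry time in minutes, or None when "No Timeout" is chosen.
        self.blocks = {}

    def add(self, target, now, minutes=None, no_timeout=False):
        """Add a host (A.B.C.D) or network (A.B.C.D/len) block.
        Manual blocks may set their own timeout or no timeout at all;
        automatic blocks fall back to the global block duration."""
        if no_timeout:
            self.blocks[target] = None
        else:
            self.blocks[target] = now + (minutes or self.default_minutes)
        return target

    def expire(self, now):
        """Remove blocks whose timeout has passed and return them, so the
        caller can withdraw the matching ACL entry or shun on the device."""
        expired = [t for t, exp in self.blocks.items()
                   if exp is not None and exp <= now]
        for t in expired:
            del self.blocks[t]
        return expired


def pix_command(target, add=True):
    """The PIX shun command blocks single hosts only: a network block is
    refused here and must go to an ACL-capable device (router or Cat 6K)."""
    net = ipaddress.ip_network(target, strict=False)
    if net.num_addresses != 1:
        raise ValueError(f"PIX shun cannot block network {target}")
    host = str(net.network_address)
    return f"shun {host}" if add else f"no shun {host}"
```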
Master Blocking Sensors

Master Blocking Sensors
(Diagram: the attacker reaches the target on the protected network through Provider X and Provider Y; Sensor A blocks on Router A, Sensor B blocks on PIX B, and Sensor A commands Sensor B to block.)

Master Blocking Sensor Characteristics
Characteristics of a master blocking sensor:
A master blocking sensor can be any sensor that controls blocking on a device on behalf of another sensor.
A blocking forwarding sensor is a sensor that sends block requests to a master blocking sensor.
Any 5.0 sensor can act as a master blocking sensor for any other 5.0 sensor.
A sensor can forward block requests to a maximum of 10 master blocking sensors.
A master blocking sensor can handle block requests from multiple blocking forwarding sensors.
A master blocking sensor can use other master blocking sensors to control other devices.

Configuring the Use of a Master Blocking Sensor
On the blocking forwarding sensor:
–Specify the master blocking sensor.
–If TLS is enabled, add the master blocking sensor to the TLS trusted host table.
On the master blocking sensor, add each blocking forwarding sensor to the allowed hosts table.
Configuring the Blocking Forwarding Sensor
(Screenshot: Configuration > Blocking > Master Blocking Sensor; Add)

Configuring the Blocking Forwarding Sensor (Cont.)
(Screenshot, Add dialog fields: IP Address, Port, Username, New Password, Confirm New Password, Use TLS)

Configuring the Master Blocking Sensor
(Screenshot, allowed hosts entry fields: IP Address, Network Mask)
Summary

Summary
Blocking means that a sensor can dynamically reconfigure a Cisco device to block the source of an attack in real time.
Guidelines for designing an IPS solution with blocking:
–Implement an antispoofing mechanism.
–Identify critical hosts and network entry points.
–Select applicable signatures.
–Determine the blocking duration.

Summary (Cont.)
The sensor performs blocking by writing an ACL on a managed device that denies traffic from the attacking host.
ACLs may be applied on the external or the internal interface of the Cisco IOS device and may be configured for inbound or outbound traffic on either interface.
You can configure a master blocking sensor to block on behalf of another sensor.
Lab Exercise

Lab Visual Objective
(Lab diagram labels: Web, FTP, RBB, RTS, sensorP, sensorQ, rP, rQ, prP, prQ, Student PC 10.0.P.12, Student PC 10.0.Q.12, 10.0.P.0, P.0, Q.0, P.0.4; P and Q are placeholders.)