Chapter 15: Blocking Configuration

© 2003, Cisco Systems, Inc. All rights reserved. CSIDS 4.0—15-1

Objectives

Upon completion of this chapter, you will be able to complete the following tasks:
• Describe the device management capability of the Sensor and how it is used to perform blocking with a Cisco device.
• Design a Cisco IDS solution using the blocking feature, including the ACL placement considerations, when deciding where to apply Sensor-generated ACLs.
• Configure a Sensor to perform blocking with a Cisco IDS device.
• Configure a Sensor to perform blocking through a Master Blocking Sensor.

Introduction

Definitions
• Blocking—A Cisco IDS Sensor feature.
• Device management—The ability of a Sensor to interact with a Cisco device and dynamically reconfigure the Cisco device to stop an attack.
• Managed device—The Cisco IDS device that is to block the attack. This is also referred to as a blocking device.
• Blocking Sensor—The Cisco IDS Sensor configured to control the managed device.
• Interface/direction—The combination of a device interface and a direction, in or out.
• Managed interface—The interface on the managed device where the Cisco IDS Sensor applies the ACL.
• Active ACL—The ACL created and maintained by the Sensor which is applied to the managed interfaces.

Blocking Devices
• Cisco IOS routers (ACLs)
• Catalyst 5000 RSM/RSFC (ACLs)
• Catalyst 6000 running IOS (ACLs)
• Catalyst 6000 running Catalyst OS (VACLs)
• PIX Firewall (shun)

Blocking Guidelines
• Implement anti-spoofing mechanisms.
• Identify hosts that are to be excluded from blocking.
• Identify network entry points that will participate in blocking.
• Assign the block reaction to signatures that are deemed an immediate threat.
• Determine the appropriate blocking duration.

NAC Block Actions
The following actions will initiate a block:
• Response to an alert event generated from a signature that is configured with a block action.
• Manually initiated from a management interface.
• Configured to initiate a permanent block action.

Blocking Process
The following explains the blocking process:
• An event or action occurs that has a block action associated with it.
• The Sensor pushes a new set of configurations or ACLs, one for each interface direction, to each controlled device.
• An alarm is sent to the Event Store at the same time the Sensor initiates the block.
• When the block completes, all configurations or ACLs are updated to remove the block.

Blocking Scenario
[Figure: an attacker at 172.26.26.1 on the untrusted network attacks 192.168.1.10 on the protected network (1); the Sensor detects the attack (2) and writes the ACL (3), so the router denies 172.26.26.1.]

ACL Considerations

Where to Apply ACLs
[Figure: the untrusted network connects to the router's external interfaces, where the inbound ACL is applied; the protected network connects to its internal interfaces, where the outbound ACL is applied.]
• When the Sensor has full control, no manually entered ACLs are allowed.
• Apply an external interface in an inbound direction.
• Apply an internal interface in an outbound direction.

Applying ACLs on the External vs. Internal Interfaces
• External interface in the inbound direction
  – Denies the host before it enters the router.
  – Provides the best protection against an attacker.
• Internal interface in the outbound direction
  – Denies the host before it enters the protected network.
  – The block does not apply to the router itself.
Using Existing ACLs
• The Sensor takes full control of the managed interface.
• Existing ACL entries can be included before the dynamically created ACL. This is referred to as applying a Pre-block ACL.
• Existing ACL entries can be added after the dynamically created ACL. This is referred to as applying a Post-block ACL.
• The existing ACL must be an extended IP access list, either named or numbered.

Blocking Sensor Configuration

Configuration Tasks
Complete the following tasks to configure a Sensor for blocking:
• Assign the block reaction to a signature.
• Assign the Sensor’s global blocking properties.
• Define the managed device’s properties.
• Assign the managed interface’s properties for IOS devices.
• (Optional.) Assign the list of devices that are never blocked.
• (Optional.) Define a Master Blocking Sensor.

Assign Block Reaction

Sensor’s Blocking Properties
Choose Configuration>Settings>Blocking>Blocking Properties.

Managed Device—Cisco Router
Choose Configuration>Blocking>Blocking Devices and select Add.

Managed Device—Cisco Router (cont.)

Managed Device—PIX Firewall
Choose Configuration>Blocking>Blocking Devices and select Add.

Managed Device—Catalyst 6000 VACL

Managed Device—Catalyst 6000 VACL (cont.)

Never Block Addresses
Choose Configuration>Settings>Blocking>Never Block Addresses and click Add.
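The blocking process, the Pre-block/Post-block ACL ordering and the Never Block Addresses list described in the slides above, modelled as an added example (this is illustration code, not Cisco's NAC implementation). The ACL name IDS_EXT_IN, the interface name, the closing permit entry and the sample addresses are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field
import ipaddress
import time


@dataclass
class BlockingState:
    """State a blocking Sensor keeps for one interface/direction of a managed IOS device."""
    never_block: set[str]                                   # hosts excluded from blocking
    pre_block: list[str] = field(default_factory=list)      # existing ACEs placed before the block entries
    post_block: list[str] = field(default_factory=list)     # existing ACEs placed after the block entries
    active: dict[str, float] = field(default_factory=dict)  # blocked host -> expiry (epoch seconds)

    def block(self, host: str, duration_min: int, now: float | None = None) -> bool:
        """Start (or renew) a block; never-block hosts are refused. Returns True if applied."""
        ipaddress.ip_address(host)  # only a literal IP address may become an ACE
        if host in self.never_block:
            return False
        now = time.time() if now is None else now
        self.active[host] = now + duration_min * 60
        return True

    def expire(self, now: float | None = None) -> list[str]:
        """Drop blocks whose duration has elapsed; returns the hosts that were unblocked."""
        now = time.time() if now is None else now
        done = sorted(h for h, exp in self.active.items() if exp <= now)
        for h in done:
            del self.active[h]
        return done

    def active_acl(self, name: str) -> list[str]:
        """Render the active ACL: Pre-block ACEs, one deny per active block, Post-block ACEs."""
        acl = [f"ip access-list extended {name}"]
        acl += [f" {ace}" for ace in self.pre_block]
        acl += [f" deny ip host {h} any" for h in sorted(self.active)]
        acl += [f" {ace}" for ace in self.post_block]
        # Assumption: a closing permit keeps non-blocked traffic flowing past IOS's implicit deny.
        acl.append(" permit ip any any")
        return acl

    def push(self, name: str, interface: str, direction: str) -> list[str]:
        """Config fragment the Sensor would push: rebuild the ACL and bind it to the interface."""
        if direction not in ("in", "out"):
            raise ValueError("direction must be 'in' or 'out'")
        return ([f"no ip access-list extended {name}"] + self.active_acl(name)
                + [f"interface {interface}", f" ip access-group {name} {direction}"])
```

Each block or expiry rebuilds the whole ACL, which matches the slide's description of the Sensor pushing a fresh ACL per interface direction and removing entries when the block completes.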
Master Blocking Sensor Configuration

Master Blocking Sensors
[Figure: an attacker reaches the target on the protected network through Provider X (Router A) and Provider Y (PIX Firewall B). Sensor A blocks on Router A, Sensor B blocks on PIX Firewall B, and Sensor A commands Sensor B to block.]

Master Blocking Sensor Characteristics
The following are the characteristics of a Master Blocking Sensor:
• A Master Blocking Sensor can be any Sensor that controls blocking on a device on behalf of another Sensor.
• Any Sensor can act as a Master Blocking Sensor.
• A Sensor can forward block requests to a maximum of 10 Master Blocking Sensors.
• A Master Blocking Sensor can handle block requests from multiple Sensors.
• A Master Blocking Sensor can use other Master Blocking Sensors to control other devices.

Master Blocking Sensor Configuration
Master Blocking Sensor configuration:
• Add each FBS to the Allowed Hosts table.
Blocking Forwarding Sensor configuration:
• Specify the MBS; define RDEP communication parameters.
  – RDEP parameters of the MBS are auto-retrieved using IDS MC.
  – Manually configured using IDM/CLI.
• Add the MBS to the TLS Trusted Host table, if TLS is enabled (default), using the “tls trusted-host ip-address” command.

Configuring Master Blocking Sensors
Choose Configuration>Settings>Blocking>Master Blocking Sensors and click Add.

Summary
• Device management is the ability of a Sensor to dynamically reconfigure a Cisco device to block the source of an attack in real time.
• Guidelines for designing an IDS solution with blocking include the following:
  – Implement an anti-spoofing mechanism.
  – Identify critical hosts and network entry points.
  – Select applicable signatures.
  – Determine the blocking duration.
• Sensors can serve as Master Blocking Sensors.
• The ACLs may be applied on either the external or internal interface of the Cisco device, and may be configured for inbound or outbound traffic on either interface.

Lab Exercise

Lab Visual Objective
[Figure: lab topology. Pods 1–5 (sensorP, networks 172.30.P.0 and 10.0.P.0, student PC 10.0.P.12) and pods 6–10 (sensorQ, networks 172.30.Q.0 and 10.0.Q.0, student PC 10.0.Q.12), each with a ROUTER and an RTS host, are joined through the RBB backbone router to the 172.26.26.0 network hosting the WEB and FTP servers.]