- On November 20, 2007
- appliance, ASA, IPS, shunning
Network Access Controller, the blocking application on the sensor, starts and stops blocks on routers, switches, PIX Firewalls, FWSM, and ASA. Network Access Controller blocks the IP address on the devices it is managing. It sends the same block to all the devices it is managing, including any other master blocking sensors. Network Access Controller monitors the time for the block and removes the block after the time has expired.
There are three types of blocks:
- Host block – Blocks all traffic from a given IP address.
- Connection block – Blocks traffic from a given source IP address to a given destination IP address and destination port. Connection blocks are not supported on firewalls. Firewalls only support host blocks with additional connection information.
- Network block – Blocks all traffic from a given network.
Do not confuse blocking with the sensor’s ability to drop packets. The sensor can drop packets when the following actions are configured for a sensor in inline mode: deny packet inline, deny connection inline, and deny attacker inline.
The PIX Firewall, FWSM, and ASA do not use ACLs or VACLs. The built-in shun/no shun command is used.
You need the following information for Network Access Controller to manage a device:
- Login user ID (if the device is configured with AAA)
- Login password
- Enable password (not needed if the user has enable privileges)
- Whether you are using Telnet or SSH to communicate with the device
- IP addresses (host or range of hosts) you never want blocked
- How long you want the blocks to last
Use the Blocking Properties panel to configure the basic settings required to enable blocking. Network Access Controller controls blocking actions on managed devices. You must tune your sensor to identify hosts and networks that should never be blocked, not even manually. You may have a trusted network device whose normal, expected behavior appears to be an attack. Such a device should never be blocked, and trusted, internal networks should never be blocked.
We recommend that you do not permit the sensor to block itself, because it may stop communicating with the blocking device. You can configure this option if you can ensure that if the sensor creates a rule to block its own IP address, it will not prevent the sensor from accessing the blocking device.
Device Login Profiles
Use the Device Login Profiles panel to configure the profiles that the sensor uses when logging in to blocking devices. You must set up device login profiles for the other hardware that the sensor manages. The device login profiles contain username, login password, and enable password information under a name that you create. You must have a device login profile created before configuring the blocking devices.
Use the Blocking Devices panel to configure the devices that the sensor uses to implement blocking. You can configure your sensor to block an attack by generating ACL rules for deployment to a Cisco IOS router or a Catalyst 6500 switch, or by generating shun rules on a PIX Firewall or ASA. The router, switch, or firewall is called a blocking device.
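The following Python model ties together the three block types, the never-block list (including the sensor's own address), the block timer, and the difference between ACL rules on a router and shun rules on a firewall. It is an added example written for this post, not Cisco code; the `BlockController` and `Block` names are hypothetical, and the exact `shun` and ACL command syntax it emits is assumed rather than copied from a device.

```python
import ipaddress
import time
from dataclasses import dataclass, field

@dataclass
class Block:
    kind: str             # "host", "connection" or "network"
    src: str              # source host (host/connection) or CIDR (network)
    dst: str = None       # connection blocks only
    dport: int = None     # connection blocks only
    proto: str = "tcp"    # assumed: router ACLs need a protocol to match a port
    started: float = field(default_factory=time.time)

class BlockController:
    """Toy model of the sensor's blocking application (hypothetical class)."""
    def __init__(self, sensor_ip, never_block, duration):
        self.sensor_ip = ipaddress.ip_address(sensor_ip)
        self.never_block = [ipaddress.ip_network(n, strict=False) for n in never_block]
        self.duration = duration   # block lifetime in seconds
        self.active = []

    def protected(self, target):
        """True if the block would touch the sensor or a never-block entry."""
        net = ipaddress.ip_network(target, strict=False)
        return self.sensor_ip in net or any(net.overlaps(p) for p in self.never_block)

    def add(self, block):
        """Accept the block unless it hits a protected address; returns True if added."""
        if self.protected(block.src):
            return False
        self.active.append(block)
        return True

    def expire(self, now):
        """Remove blocks whose time has run out; returns the number still active."""
        self.active = [b for b in self.active if now - b.started < self.duration]
        return len(self.active)

    def render(self, block, device):
        """Command sent to one managed device (assumed syntax, see lead-in)."""
        if device == "firewall":
            # PIX/FWSM/ASA use shun: a connection block becomes a host shun carrying
            # the destination and port as extra qualifiers (source port given as 0).
            if block.kind == "connection":
                return f"shun {block.src} {block.dst} 0 {block.dport}"
            if block.kind == "host":
                return f"shun {block.src}"
            raise ValueError("network blocks on firewalls are not modelled here")
        # IOS router / Catalyst 6500: ACL entries
        if block.kind == "host":
            return f"deny ip host {block.src} any"
        if block.kind == "connection":
            return f"deny {block.proto} host {block.src} host {block.dst} eq {block.dport}"
        net = ipaddress.ip_network(block.src, strict=False)
        return f"deny ip {net.network_address} {net.hostmask} any"
```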