Connection-Based And Unconditional Blocking - Cisco 4215 - Intrusion Detection Sys Sensor Configuration Manual

Appendix A
System Architecture
The following scenarios demonstrate how Network Access Controller maintains state across restarts.
Scenario 1
There are two blocks in effect when Network Access Controller stops and one of them expires before Network Access Controller restarts. When Network Access Controller restarts, it first reads the nac.shun.txt file. It then reads the preblock and postblock ACLs or VACLs. The active ACL or VACL is built in the following order:
1. The allow sensor_ip_address command (unless the allow sensor shun command has been configured)
2. Preblock ACL
3. The always block command entries from the configuration
4. Unexpired blocks from nac.shun.txt
5. Postblock ACL
When a host is specified as never block in the Network Access Controller configuration, it does not get translated into permit statements in the ACL. Instead, it is cached by Network Access Controller and used to filter incoming addShunEvent events and addShunEntry control transactions.
Scenario 2
There are no preblock or postblock ACLs specified, but there is an existing active ACL. The new ACL is built in the following order:
1. The allow sensor_ip_address command (unless the allow sensor shun command has been configured)
2. The always block command entries from the configuration
3. Unexpired blocks from nac.shun.txt
4. The permit IP any any command

Connection-Based and Unconditional Blocking

Network Access Controller supports two types of blocking for hosts and one type of blocking for networks. Host blocks are connection-based or unconditional. Network blocks are always unconditional. When a host block is received, Network Access Controller checks for the connectionShun attribute on the host block. If connectionShun is set to true, Network Access Controller performs connection blocking. Any host block can contain optional parameters, such as destination IP address, source port, destination port, and protocol. For a connection block to take place, at least the source IP address must be present.
Under the following conditions, Network Access Controller forces the block to be unconditional, converting the block from connection type if necessary:
• A block of any type is active for a specified source IP address
• A new block of any type is received for that source IP address
• The new block differs in any of its optional parameters (except the source port) from the old block
When a block is updated (for example, when a new block arrives while an existing block for that source IP address or network is already in effect), the remaining minutes of the existing block are determined. If the time for the new block is less than or equal to the remaining minutes, no action is taken. Otherwise, the new block timeout replaces the existing block timeout.
78-16527-01
Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0
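As an added illustration (not Cisco's code), the following Python models the ACL ordering of both scenarios and the host-block update rules stated in this section; the ACL entry syntax, the sensor address 10.0.0.2 and all sample addresses are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of the ordering and update rules above; not Cisco's implementation.
@dataclass
class HostBlock:
    src_ip: str                       # required: a block needs at least the source IP
    minutes: int                      # requested block timeout
    connection_shun: bool = False     # the connectionShun attribute
    dst_ip: Optional[str] = None      # optional parameters of a connection block
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    protocol: Optional[str] = None

    def optional_params(self):
        # Parameters compared on update; the source port is deliberately left out.
        return (self.dst_ip, self.dst_port, self.protocol)

def build_acl(preblock, postblock, always_block, unexpired,
              allow_sensor_shun=False, sensor_ip="10.0.0.2"):
    """Assemble the active ACL in the documented order. The entry syntax and the
    sensor address are assumptions made for this example."""
    acl = [] if allow_sensor_shun else [f"permit ip host {sensor_ip} any"]
    acl += preblock
    acl += [f"deny ip host {h} any" for h in always_block + unexpired]
    # Scenario 1 ends with the postblock ACL; scenario 2 (no pre/post ACL) ends
    # with permit ip any any.
    acl += postblock if (preblock or postblock) else ["permit ip any any"]
    return acl

def update_block(table, new, never_block=frozenset()):
    """Apply an incoming host block to `table` (src_ip -> [block, remaining
    minutes]); return the resulting entry, or None if the host is never-block."""
    if new.src_ip in never_block:     # never-block hosts are cached and filtered out
        return None
    if new.src_ip not in table:
        table[new.src_ip] = [new, new.minutes]
        return table[new.src_ip]
    entry = table[new.src_ip]
    old = entry[0]
    # Active block + new block for the same source IP + optional parameters that
    # differ (source port excepted): the block is forced to unconditional.
    if old.optional_params() != new.optional_params():
        old.connection_shun = False
        old.dst_ip = old.src_port = old.dst_port = old.protocol = None
    # Timeout rule: a new timeout <= the remaining minutes is ignored; a longer one
    # replaces the existing timeout.
    if new.minutes > entry[1]:
        entry[1] = new.minutes
    return entry
```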