Blocking With Cisco Firewalls - Cisco 4215 - Intrusion Detection Sys Sensor Configuration Manual

MainApp
Caution
Cisco firewalls do not support connection blocking of hosts. When a connection block is applied, the firewall treats it as an unconditional block. Cisco firewalls also do not support network blocking. Network Access Controller never tries to apply a network block to a Cisco firewall.

Blocking with Cisco Firewalls

Network Access Controller performs blocks on firewalls using the shun command. The shun command formats are listed at the end of this section. Network Access Controller uses the response to the show shun command, not the echo of the shun command itself, to determine whether the block was performed.
The shun command does not replace existing ACLs, conduits, or outbound commands, so there is no
need to cache the existing firewall configuration, nor to merge blocks into the firewall configuration.
Caution
Do not perform manual blocks or modify the existing firewall configuration while Network Access
Controller is running.
If the block command specifies only the source IP address, existing active TCP connections are not
broken, but all incoming packets from the blocked host are dropped.
When Network Access Controller first starts up, the active blocks in the firewall are compared to an
internal blocking list. Any blocks that do not have a corresponding internal list entry are removed.
For more information, see Supported Blocking Devices, page 10-3.
Network Access Controller supports authentication on a firewall using local usernames or a TACACS+
server. If you configure the firewall to authenticate using AAA but without the TACACS+ server,
Network Access Controller uses the reserved username pix for communications with the firewall.
If the firewall uses a TACACS+ server for authentication, you use a TACACS+ username. In some
firewall configurations that use AAA logins, you are presented with three password prompts: the initial
firewall password, the AAA password, and the enable password. Network Access Controller requires
that the initial firewall password and the AAA password be the same.
When you configure a firewall to use NAT or PAT and the sensor is checking packets on the firewall outside network, if you detect a host attack that originates on the firewall inside network, the sensor tries to block the translated address provided by the firewall. If you are using dynamic NAT addressing, the block can be ineffective (the attacker's translation may have changed by the time the block is applied) or cause innocent hosts to be blocked (the address may since have been assigned to another inside host). If you are using PAT addressing, the firewall could block the entire inside network, because every inside host shares the one translated address. To avoid these situations, position your sensor on the inside interface or do not configure the sensor to block.
Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0, Appendix A, System Architecture, page A-18 (78-16527-01)

The shun command has the following formats:

• To block an IP address:
  shun srcip [destination_ip_address source_port destination_port [port]]
• To unblock an IP address:
  no shun ip
• To clear all blocks:
  clear shun
• To show active blocks or to show the global address that was actually blocked:
  show shun [ip_address]
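The following is an added example, not code from the Cisco guide or from the IPS product. It puts the section's shun commands and Network Access Controller's described behaviour into runnable form: it parses a "show shun" response to confirm a block, performs the start-up comparison of active shuns against an internal blocking list (removing shuns with no internal entry), refuses to emit a network block for a Cisco firewall, and, for the NAT/PAT caveat above, sizes how many inside hosts a shun of a translated address would hit. The "show shun" lines, the internal list and the translation table are constructed sample data; the parser assumes only that a shun line contains the word "shun" followed by the shunned source address, since the exact line layout differs between PIX/ASA releases. All function names are this example's own.

```python
"""Added example (not from the Cisco IPS guide): reconcile a PIX/ASA shun
table with an internal blocking list of the kind Network Access Controller
keeps, confirm a block from the "show shun" response, and size the blast
radius of shunning a translated (NAT/PAT) address.

Assumptions: the "show shun" output and the translation table below are
constructed sample data; the parser keys only on the first IPv4 address
after the word "shun" because the real line layout varies by release.
"""
import ipaddress
import re

# Constructed "show shun" output. 10.0.0.9 is a manual shun added behind
# NAC's back, which the guide's caution warns against.
SAMPLE_SHOW_SHUN = """\
shun (outside) 203.0.113.45 0.0.0.0 0 0 0
shun (outside) 203.0.113.71 0.0.0.0 0 0 0
shun (outside) 10.0.0.9 0.0.0.0 0 0 0
"""

# Constructed internal blocking list as NAC would hold it in memory.
INTERNAL_BLOCKS = {"203.0.113.45", "203.0.113.71", "198.51.100.8"}

# Constructed translation table as (inside_host, global_address) pairs.
# Three inside hosts share one PAT address; one host has a static 1:1 NAT.
SAMPLE_XLATE = [
    ("192.168.1.10", "203.0.113.200"),
    ("192.168.1.11", "203.0.113.200"),
    ("192.168.1.12", "203.0.113.200"),
    ("192.168.1.50", "203.0.113.50"),
]

_SHUN_LINE = re.compile(r"^\s*shun\b.*?(\d{1,3}(?:\.\d{1,3}){3})")


def parse_show_shun(output: str) -> set[str]:
    """Source addresses the firewall currently shuns."""
    return {m.group(1) for m in map(_SHUN_LINE.match, output.splitlines()) if m}


def block_command(host: str) -> str:
    """The shun command NAC sends for a host block.

    Per the guide, a connection block is applied as an unconditional block
    and network blocks are never sent to a Cisco firewall, so only a single
    address is accepted and the optional destination/port arguments of
    "shun" are left out.
    """
    net = ipaddress.ip_network(host, strict=False)
    if net.num_addresses != 1:
        raise ValueError(f"network blocks are not applied to Cisco firewalls: {host}")
    return f"shun {net.network_address}"


def unblock_command(host: str) -> str:
    return f"no shun {host}"


def block_confirmed(show_output: str, host: str) -> bool:
    """Decide success the way the guide says NAC does: from the response
    to "show shun", not from the echo of the shun command itself."""
    return host in parse_show_shun(show_output)


def reconcile(show_output: str, internal: set[str]) -> list[str]:
    """Commands that bring the firewall in line with the internal list.

    Removing shuns that have no internal entry is the start-up behaviour
    the guide describes. Re-applying internal entries that are missing on
    the firewall is this example's own addition.
    """
    active = parse_show_shun(show_output)
    cmds = [unblock_command(ip) for ip in sorted(active - internal)]
    cmds += [block_command(ip) for ip in sorted(internal - active)]
    return cmds


def inside_hosts_hit(xlate: list[tuple[str, str]], global_ip: str) -> list[str]:
    """Inside hosts whose traffic an outside-side shun of global_ip drops.

    For a static 1:1 translation this is one host; for a PAT address it is
    every host behind it, which is the guide's warning about PAT.
    """
    return sorted(inside for inside, glob in xlate if glob == global_ip)


if __name__ == "__main__":
    for cmd in reconcile(SAMPLE_SHOW_SHUN, INTERNAL_BLOCKS):
        print(cmd)
    print("PAT blast radius:", inside_hosts_hit(SAMPLE_XLATE, "203.0.113.200"))
```

Run against the sample data, reconcile() emits "no shun 10.0.0.9" for the manual shun with no internal entry and "shun 198.51.100.8" for the internal entry the firewall has lost, and inside_hosts_hit() returns all three PAT hosts for 203.0.113.200 but only one host for the static translation, which is the difference between a targeted block and an outage.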