topic IOS IPS and VMS and shunning in Network Security

IOS IPS and VMS and shunning

MICHAEL YOUNG — Sun, 10 Mar 2019 09:30:15 GMT

Installed 12.3.14T2 (advanced security) on 2811 router with new

VMS update to the IDS Management Center (2.1) to support IOS IPS SDEE event monitoring. When I configure a specific signature, there is no option to shun. Only alert, block or reset. Where do you configure the dynamic shuning or "local shun action" that seems to be in all the "new features" of the IOS IPS.

Configuring the signature to block, alert or reset works fine. Just no options to shun. Also the IPS device does not show up in the device list under Monitoring on VMS, even though it shows up as a device in Monitoring Center Device Page.

Maybe this is where the problem may lie.

Re: IOS IPS and VMS and shunning

darin.marais — Tue, 21 Jun 2005 03:44:31 GMT

Is block not the same as shun

ie. block = shun

Re: IOS IPS and VMS and shunning

MICHAEL YOUNG — Tue, 21 Jun 2005 09:18:56 GMT

No....

To Block something in IDS/IPS means to block any connection until affending signature action is stopped. The IPS IOS Signatures will immediately block if configured that way, whenever it "sees" the signature.

Shunning is different. It will block just the effected port....ie tcp port 137 from source host to destination etc...

Also, it will do this for a configurable pre-defined period or will start shunning when a positive signature is detected in a certain number of seconds. This is to prevent "false positive" blocking of legit traffic....

I need to know how this is done on the IPS IOS (It works fine on the IDSM2 blades, etc.)

Re: IOS IPS and VMS and shunning

abouzidzineb — Tue, 21 Jun 2005 09:32:36 GMT

Hi,

the concepts of IP blocking and shunning are identical for me.

Can any one clarify more and more the difference?

Re: IOS IPS and VMS and shunning

MICHAEL YOUNG — Tue, 21 Jun 2005 10:36:29 GMT

Here is the official explanation from Cisco....not mine...

Types of actions IPS Performs:

•Send an alarm

•Drop the packet

•Reset the connection

•Local shunning

Local shunning is a dynamic ACL that allows undesirable traffic to be blocked sooner.

Re: IOS IPS and VMS and shunning

MICHAEL YOUNG — Tue, 21 Jun 2005 10:39:25 GMT

The IPS IOS Device "shun" places an ACL-type block on the interface from which the attacking traffic is entering the router to more quickly defend the network from attack traffic

Re: IOS IPS and VMS and shunning

daftary — Thu, 18 Aug 2005 17:48:58 GMT

IOS versions before 12.3(14)T support the following

actions for IOS IPS:

- alarm

- drop (drop just the offending packet)

- reset (reset tcp connection - works for tcp only)

Version 12.3(14)T and later (including 12.4 versions) added support for the "local shunning" through two different actions:

- denyFlowInline

- denyAttackerInline

DenyFlowInline creates an ACL that drops all traffic on that connection for a certain idle-timeout.

DenyAttackerInline creates an ACL that drops all traffic from that source address (including other connections from that source address) for a certain idle-timeout.

Re: IOS IPS and VMS and shunning

mgarciar — Wed, 26 Oct 2005 16:48:30 GMT

Hi.

I have VMS 2.3, and I have IOS IPS with version 12.4(3). I have that features in my VMS (denyFlowInline and denyAttackerInline).

I configured the signature ICMP Echo Req (ID 2004) with first denyFlowInline and then with denyAttackerInline. It´s works like "drop" action.

I didn´t see the automatic ACL configured in the IOS IPS. So, I thougt that denyAttackerInline could block my telnet session if I send ping of my PC, but it not happened. I can ping the device, the device drop´s the ICMP because of the signature, but It doesn´t block any other connection of my PC.

Do you know why?

Thank´s.

Re: IOS IPS and VMS and shunning

daftary — Wed, 26 Oct 2005 23:54:46 GMT

Not sure how you checked the automatic ACLs created by IOS IPS. You should use the following show cmd for that:

"show ip access-list dynamic"

Re: IOS IPS and VMS and shunning

MICHAEL YOUNG — Thu, 27 Oct 2005 04:28:58 GMT

You are doing 2 things.....denyFlowInline and denyAttackerInline. The first action is being taken and

the second doesn't get a chance to take an action because the first action has already taken care of the attack. Change the action to denyAttackerInline and run your test again. You should get dynamic ACL's created...use the "show ip access-lists dynamic" to see the acl's....

Hope this helps...

Re: IOS IPS and VMS and shunning

mgarciar — Sat, 05 Nov 2005 01:53:54 GMT

I used just denyAttackerInline and the access dynamic list is applied.

Thank´s.