Dynamically changing ACLs

cco1
Level 1

Hi!

I've got a question concerning the IPS module.

How is it possible for the IPS to dynamically change any of the existing ACLs on the firewall module, in case of an attack for example?

The reason I ask is because there seems to be no possibility for me to script any commands on a Linux PC and then execute them remotely on the FWSM, like I can do on a router via rsh.

So if a user can't execute any command remotely on the FWSM, how can the IPS do it when it has to change an ACL on the FWSM?

Thanks.

2 Replies

rhermes
Level 7

An IPS sensor will log into a FWSM and put in and take down host blocks when it shuns a host. If you set the IPS to telnet for its connection to the FWSM, you can capture the session (Ethereal has a wonderful "follow TCP session" for seeing this) and see the exact commands and logic employed. There is no reason you cannot script a telnet or ssh session from your Linux host to change host blocks. However, if you have more than one device doing this, you can get into some problems. The IPS sensor assumes it is the only blocking device and will clear all blocks that it didn't create.

Fernando_Meza
Level 7

Hi .. the IPS actually connects to the FWSM by telnet or ssh and drops in the shun command on its configuration ..

You should be able to do the same using a scripting tool.

NOTE: the IPS DOES NOT modify the ACLs but adds a shun command

I hope it helps .. please rate it if it does !!
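The scripted approach both replies describe (log in, issue `shun` / `no shun`, read back `show shun`) and the multi-device pitfall rhermes raises, as an added example that is not part of this thread and not Cisco code. The `show shun` line layout (`shun (interface) src_ip dst_ip sport dport [proto]`) and the in-memory `FakeFwsm` stand-in for the real CLI session are assumptions so the script runs offline; on a real FWSM the `send` callable would wrap an SSH session in enable mode. The `managed` set is what keeps this script from doing what rhermes warns the IPS does: it only releases blocks it created itself.

```python
import re
from typing import Callable, Dict, List, Set

# Hypothetical transport: sends one CLI line to the FWSM, returns its reply.
# In production this wraps an SSH/telnet session; here FakeFwsm replaces it.
Transport = Callable[[str], str]

# Assumed `show shun` line layout: shun (iface) src dst sport dport [proto]
SHUN_LINE = re.compile(
    r"^shun \((?P<iface>\S+)\) (?P<src>\S+) (?P<dst>\S+) "
    r"(?P<sport>\d+) (?P<dport>\d+)(?: (?P<proto>\d+))?"
)


def parse_show_shun(output: str) -> Dict[str, str]:
    """Map each shunned source IP to the interface it is shunned on."""
    blocks: Dict[str, str] = {}
    for line in output.splitlines():
        m = SHUN_LINE.match(line.strip())
        if m:
            blocks[m.group("src")] = m.group("iface")
    return blocks


def shun_command(src_ip: str) -> str:
    # Minimal form: drop all traffic from the source host.
    return f"shun {src_ip}"


def unshun_command(src_ip: str) -> str:
    return f"no shun {src_ip}"


def reconcile(current: Set[str], desired: Set[str], managed: Set[str]) -> List[str]:
    """CLI lines that add missing blocks and release only OUR stale blocks.

    Blocks in `current` that this script never created (e.g. the IPS sensor's
    own shuns) are left alone, unlike the IPS behaviour described above.
    """
    cmds = [shun_command(ip) for ip in sorted(desired - current)]
    cmds += [unshun_command(ip) for ip in sorted((current - desired) & managed)]
    return cmds


class FakeFwsm:
    """Constructed stand-in for the FWSM CLI: a shun table kept in memory."""

    def __init__(self, iface: str = "outside") -> None:
        self.iface = iface
        self.table: Dict[str, str] = {}

    def __call__(self, line: str) -> str:
        parts = line.split()
        if parts[:1] == ["shun"] and len(parts) >= 2:
            self.table[parts[1]] = self.iface
            return ""
        if parts[:2] == ["no", "shun"] and len(parts) >= 3:
            self.table.pop(parts[2], None)
            return ""
        if parts == ["show", "shun"]:
            return "\n".join(
                f"shun ({i}) {s} 0.0.0.0 0 0 0" for s, i in self.table.items()
            )
        if parts == ["clear", "shun"]:
            self.table.clear()
            return ""
        return f"ERROR: % Invalid input: {line}"


def apply_blocks(send: Transport, desired: Set[str], managed: Set[str]) -> Dict[str, str]:
    """Push `desired` blocks to the FWSM; `managed` tracks blocks we own."""
    current = set(parse_show_shun(send("show shun")))
    for cmd in reconcile(current, desired, managed):
        reply = send(cmd)
        if reply.startswith("ERROR"):
            raise RuntimeError(reply)
    managed.clear()
    managed.update(desired)
    return parse_show_shun(send("show shun"))


if __name__ == "__main__":
    fw = FakeFwsm()
    fw("shun 192.0.2.9")  # constructed: a block the IPS sensor created, not us
    mine: Set[str] = set()
    print(apply_blocks(fw, {"198.51.100.7"}, mine))  # both hosts shunned
    print(apply_blocks(fw, set(), mine))              # only the IPS block remains
```

Swap `FakeFwsm` for a callable that writes to a real session and the rest of the logic is unchanged; because the IPS clears blocks it did not create, a script like this should expect its own shuns to disappear whenever the sensor resynchronises, and re-apply them rather than assume they persist.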
