IOS IPS and VMS and shunning

MICHAEL YOUNG
Level 1

Installed 12.3.14T2 (advanced security) on a 2811 router with the new VMS update to the IDS Management Center (2.1) to support IOS IPS SDEE event monitoring. When I configure a specific signature, there is no option to shun, only alert, block or reset. Where do you configure the dynamic shunning or "local shun action" that seems to be in all the "new features" of the IOS IPS?

Configuring the signature to block, alert or reset works fine, just no option to shun. Also, the IPS device does not show up in the device list under Monitoring on VMS, even though it shows up as a device on the Monitoring Center Device page.

Maybe this is where the problem lies.

10 Replies

darin.marais
Level 4

Is block not the same as shun?

i.e. block = shun

No....

To block something in IDS/IPS means to block any connection until the offending signature action is stopped. The IOS IPS signatures will immediately block, if configured that way, whenever it "sees" the signature.

Shunning is different. It will block just the affected port.... i.e. TCP port 137 from source host to destination, etc.

Also, it will do this for a configurable pre-defined period, or will start shunning when a positive signature is detected a certain number of times within a certain number of seconds. This is to prevent "false positive" blocking of legitimate traffic....

I need to know how this is done on the IOS IPS (it works fine on the IDSM2 blades, etc.).

Hi,

the concepts of IP blocking and shunning are identical to me.

Can anyone clarify the difference further?

Here is the official explanation from Cisco.... not mine...

Types of actions IPS Performs:

•Send an alarm

•Drop the packet

•Reset the connection

•Local shunning

Local shunning is a dynamic ACL that allows undesirable traffic to be blocked sooner.

The IOS IPS device "shun" places an ACL-type block on the interface from which the attacking traffic is entering the router, to more quickly defend the network from attack traffic.

IOS versions before 12.3(14)T support the following actions for IOS IPS:

- alarm

- drop (drop just the offending packet)

- reset (reset tcp connection - works for tcp only)

Version 12.3(14)T and later (including 12.4 versions) added support for the "local shunning" through two different actions:

- denyFlowInline

- denyAttackerInline

DenyFlowInline creates an ACL that drops all traffic on that connection for a certain idle-timeout.

DenyAttackerInline creates an ACL that drops all traffic from that source address (including other connections from that source address) for a certain idle-timeout.
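To make the difference between the two actions concrete, here is a small Python model of an IOS IPS interface applying denyFlowInline versus denyAttackerInline. This is an added illustration, not Cisco code and not something posted in this thread: the signature (ICMP Echo Request, ID 2004), the idle timeout of 30 seconds, the hosts 10.1.1.50 and 10.1.1.1 and the ping-then-telnet sequence are all constructed to replay the test described later in the thread. It shows why a denyFlowInline entry drops only the offending ICMP flow while a denyAttackerInline entry also drops the unrelated telnet connection from the same source until the entry idles out.

```python
"""Model of the two IOS IPS "local shunning" actions (added example, not Cisco code).

A router interface evaluates packets against one signature (ICMP Echo Request,
ID 2004) and, on a match, installs a dynamic deny entry with an idle timeout.
denyFlowInline keys the entry on the 5-tuple; denyAttackerInline keys it on the
source address only. The 30 s idle timeout is an assumed value for the model.
"""
from dataclasses import dataclass, field

IDLE_TIMEOUT = 30.0  # assumed; on the router this is configurable per signature


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "icmp" or "tcp"
    sport: int = 0
    dport: int = 0
    icmp_type: int = -1


def flow_key(p: Packet) -> tuple:
    """5-tuple identifying one connection (what denyFlowInline blocks)."""
    return (p.src, p.dst, p.proto, p.sport, p.dport)


def sig_2004_matches(p: Packet) -> bool:
    """Signature 2004: ICMP Echo Request (type 8)."""
    return p.proto == "icmp" and p.icmp_type == 8


@dataclass
class IpsInterface:
    action: str                                   # "denyFlowInline" or "denyAttackerInline"
    dynamic_acl: dict = field(default_factory=dict)  # entry key -> time of last hit
    drops: int = 0

    def _expire(self, now: float) -> None:
        # Entries are removed only after IDLE_TIMEOUT seconds without a hit.
        for key, last_hit in list(self.dynamic_acl.items()):
            if now - last_hit > IDLE_TIMEOUT:
                del self.dynamic_acl[key]

    def process(self, p: Packet, now: float) -> str:
        """Return 'permit' or 'drop' for packet p arriving at time now."""
        self._expire(now)
        # 1. Dynamic ACL is consulted before signature inspection: this is the
        #    "block sooner" property of local shunning.
        for key in (("attacker", p.src), ("flow",) + flow_key(p)):
            if key in self.dynamic_acl:
                self.dynamic_acl[key] = now  # refresh the idle timer
                self.drops += 1
                return "drop"
        # 2. Signature inspection; the matching packet is dropped under both actions.
        if sig_2004_matches(p):
            if self.action == "denyAttackerInline":
                self.dynamic_acl[("attacker", p.src)] = now
            elif self.action == "denyFlowInline":
                self.dynamic_acl[("flow",) + flow_key(p)] = now
            self.drops += 1
            return "drop"
        return "permit"

    def show_dynamic_acl(self) -> list:
        """Rough equivalent of 'show ip access-lists dynamic' for the model."""
        return sorted(self.dynamic_acl)


def thread_scenario(action: str) -> tuple:
    """Replay the thread's test: ping the router, then telnet to it from the same PC.

    Returns (ping verdict, telnet verdict, telnet verdict after idle expiry,
    dynamic ACL contents after the telnet attempt).
    """
    ips = IpsInterface(action)
    ping = Packet("10.1.1.50", "10.1.1.1", "icmp", icmp_type=8)        # constructed
    telnet = Packet("10.1.1.50", "10.1.1.1", "tcp", sport=40000, dport=23)  # constructed
    ping_verdict = ips.process(ping, now=0.0)
    telnet_verdict = ips.process(telnet, now=1.0)
    acl_after = ips.show_dynamic_acl()
    telnet_after_idle = ips.process(telnet, now=1.0 + IDLE_TIMEOUT + 1.0)
    return ping_verdict, telnet_verdict, telnet_after_idle, acl_after


if __name__ == "__main__":
    for act in ("denyFlowInline", "denyAttackerInline"):
        print(act, thread_scenario(act))
```

Under denyFlowInline the telnet session is permitted because its 5-tuple differs from the ICMP flow; under denyAttackerInline the same telnet is dropped, and is permitted again only once the source-address entry has idled out.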

Hi.

I have VMS 2.3, and I have IOS IPS with version 12.4(3). I have those features in my VMS (denyFlowInline and denyAttackerInline).

I configured the signature ICMP Echo Req (ID 2004) first with denyFlowInline and then with denyAttackerInline. It works like the "drop" action.

I didn't see the automatic ACL configured in the IOS IPS. So I thought that denyAttackerInline would block my telnet session if I sent a ping from my PC, but it did not happen. I can ping the device, and the device drops the ICMP because of the signature, but it doesn't block any other connection from my PC.

Do you know why?

Thanks.

Not sure how you checked the automatic ACLs created by IOS IPS. You should use the following show command for that:

"show ip access-lists dynamic"

You are doing two things..... denyFlowInline and denyAttackerInline. The first action is taken, and the second doesn't get a chance to take an action because the first action has already taken care of the attack. Change the action to denyAttackerInline only and run your test again. You should get dynamic ACLs created... use "show ip access-lists dynamic" to see the ACLs....

Hope this helps...

I used just denyAttackerInline and the dynamic access list is applied.

Thanks.