04-14-2005 10:25 AM - edited 03-10-2019 01:24 AM
I have enabled Blocking on the 4240 and have set the Blocking Device as our PIX 515E. When I look at the Signature Configurations, quite a few Signature Actions are set to Produce Alert only. If blocking is enabled, do you have to also go and set the Signature Actions to Deny or TCP Reset? So far my IPS doesn't show any Denied Attackers, and it has detected High-level Traffic, which I would assume should now be blocked. Thanks, John
04-14-2005 09:18 PM
Yes, you have to go under the signatures you want and enable blocking for them as an action. Configuring blocking globally (defining the blocking device, the interface, the login details for the device, etc.) doesn't actually enable any blocking on the sensor per se; you still have to go and enable blocking for that particular signature. When that particular sig fires in future, the sensor will block it on the device you have configured.
Be very careful with blocking. The reason we don't simply block all signatures is that it would be very dangerous to blindly add access-lists to a device that will stop traffic. You first need to make sure you're not getting any false positives on the signatures and end up blocking valid traffic. Also, on a busy sensor you could easily overrun both the sensor and the blocking device by writing and removing thousands of access-lists on it. And finally, although not likely, blocking can even be used as a denial-of-service attack: an attacker who knows which signatures you are blocking on can spoof packets past your sensor so that it will deny traffic to legitimate hosts.
You need to look at what signatures you really want to block on, then enable blocking on them individually.
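The answer above boils down to three rules a blocking policy should enforce: a block happens only for signatures whose action set explicitly includes a block action (the blocking-device configuration alone does nothing), certain addresses must never be blocked (so a spoofed source cannot turn the sensor into a denial-of-service tool against your own DNS or gateway), and the number of blocks pushed to the device must be bounded and expire (so a busy sensor does not flood the firewall with thousands of add/remove operations). The following Python is an added example written for this page, not Cisco IPS or PIX code: the signature IDs, the addresses, the event stream, the 50-entry cap and the 30-minute timeout are all constructed assumptions, and the `shun` / `no shun` strings only stand in for whatever the real sensor pushes to the blocking device.

```python
"""Per-signature block policy for an IPS that pushes host blocks to a firewall.

Added example, not Cisco code. Models the three cautions from the answer:
1. only signatures whose actions include REQUEST_BLOCK_HOST ever block;
   produce-alert-only signatures never do, even with a blocking device set up;
2. addresses on a never-block list are exempt, so a spoofed source cannot
   get your own infrastructure blocked;
3. the block table is capped and entries expire, bounding the churn of
   commands sent to the device.
All IDs, addresses and events below are constructed for illustration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

PRODUCE_ALERT = "produce-alert"
REQUEST_BLOCK_HOST = "request-block-host"

# Constructed signature table (IDs are arbitrary).
SIG_ACTIONS = {
    3001: {PRODUCE_ALERT},                      # alert only: never blocks
    5081: {PRODUCE_ALERT, REQUEST_BLOCK_HOST},  # reviewed, blocking enabled
}

# Constructed never-block list: internal gateway net and a DNS server.
NEVER_BLOCK = [ip_network("10.0.0.0/24"), ip_network("192.0.2.53/32")]


@dataclass
class BlockState:
    """Active blocks (attacker -> expiry time) and commands sent to the device."""
    active: dict = field(default_factory=dict)
    commands: list = field(default_factory=list)


class BlockPolicy:
    def __init__(self, sig_actions, never_block, max_blocks=50, block_seconds=1800):
        self.sig_actions = sig_actions
        self.never_block = never_block
        self.max_blocks = max_blocks        # assumed cap on concurrent blocks
        self.block_seconds = block_seconds  # assumed block lifetime
        self.state = BlockState()

    def _exempt(self, ip):
        return any(ip in net for net in self.never_block)

    def expire(self, now):
        """Drop expired blocks; each removal is one command to the device."""
        for ip, until in list(self.state.active.items()):
            if until <= now:
                del self.state.active[ip]
                self.state.commands.append(f"no shun {ip}")  # illustrative form

    def handle(self, sig_id, attacker, now):
        """Decide what to do when one signature fires; returns (decision, reason)."""
        self.expire(now)
        actions = self.sig_actions.get(sig_id, {PRODUCE_ALERT})
        if REQUEST_BLOCK_HOST not in actions:
            return "alert-only", f"sig {sig_id} has no block action configured"
        ip = ip_address(attacker)
        if self._exempt(ip):
            return "exempt", f"{ip} is on the never-block list"
        if ip in self.state.active:
            return "already-blocked", f"{ip} block still active"
        if len(self.state.active) >= self.max_blocks:
            return "table-full", "not pushing more entries to the device"
        self.state.active[ip] = now + self.block_seconds
        self.state.commands.append(f"shun {ip}")  # illustrative form
        return "blocked", f"pushed block for {ip}"


def demo():
    """Run a constructed event stream through the policy."""
    policy = BlockPolicy(SIG_ACTIONS, NEVER_BLOCK, max_blocks=2, block_seconds=600)
    events = [  # (time, sig id, attacker): all constructed
        (0, 3001, "203.0.113.10"),    # high-severity but alert-only
        (1, 5081, "203.0.113.10"),    # same host, blocking-enabled sig
        (2, 5081, "203.0.113.10"),    # repeat: no second command pushed
        (3, 5081, "192.0.2.53"),      # spoofed source = our DNS server
        (4, 5081, "203.0.113.11"),
        (5, 5081, "203.0.113.12"),    # cap reached
        (700, 5081, "203.0.113.12"),  # earlier blocks expired, room again
    ]
    decisions = [policy.handle(sig, src, t)[0] for t, sig, src in events]
    return decisions, policy.state.commands


if __name__ == "__main__":
    decisions, commands = demo()
    print(decisions)
    print("\n".join(commands))
```

The first event is the situation in the question: a high-severity signature fires, but because its action set is produce-alert only, nothing is sent to the PIX and no Denied Attacker appears. Enabling the block action on a signature you have reviewed for false positives (the second event) is what actually produces a block.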