Never Block Addresses - Sensor IP

d-garnett
Level 3

Ok, finally convinced the boss to buy a 4240 and I am setting it up....

As far as Never Block IPs are concerned, is it profitable to use the Sensor IP since it uses that IP as the Source Address?

What I mean is..say this is your setup

INET --> PIX --> Router

Besides using the PIX as a blocking device I am also using the Router as it connects to some other networks and VPN Devices. I have an Inbound ACL that I am using as a PostBlock ACL. This ACL blocks spoofing. But, when the sensor logs into the router and reconfigures the ACLs (per host manual block), the sensor IP is permitted first and this undoes some of the Antispoofing ACEs in the Postshun ACL, as if on the chance the Sensor's IP was used in a spoofing attack, it would be given a free pass into the network.

BTW, I do have uRPF and other Antispoofing measures set up on the PIX, but I am a big fan of layered security and don't want to compromise our Network.

1 Reply

markb
Level 1

As far as never block addresses are concerned, my view is that you shouldn't block your own range as you could create a denial of service on yourself.

With regards to using the router as a blocking device, you need to move your anti-spoofing ACL from the outside I/F, as the sensor needs to use this exclusively to dynamically create ACLs. I suggest you move it to the inside I/F and change the direction, i.e. instead of inbound change to outbound.

If you have a PIX you could also consider using the PIX as the shunning device and leave your anti-spoofing ACL on the transit router; unless your transit router is quick performance-wise, the PIX will probably be the better option.

I hope this helps

Regards Mark
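The ordering problem the original poster describes, and the effect of the reply's suggestion, can be checked offline with a small first-match ACL model. This is an added example, not code from the thread or from Cisco; the sensor address, the inside prefix, the blocked host and the outside host are all constructed values, and the sensor's ACL layout (its own permit first, then its block entries, then the operator's post-block ACL appended) is modelled from the poster's description rather than taken from any IPS documentation.

```python
import ipaddress

# Constructed values for the demonstration; none of these come from the thread.
SENSOR_IP = "10.1.1.5"         # hypothetical IPS sensor management address (inside)
INSIDE_NET = "10.0.0.0/8"      # hypothetical internal range; must never be an outside source
BLOCKED_HOST = "203.0.113.77"  # hypothetical host the sensor has decided to block
OUTSIDE_HOST = "198.51.100.9"  # hypothetical ordinary Internet host


def ace(action, src, note=""):
    """One ACE: (action, source prefix, comment). Destination is ignored for brevity."""
    return (action, ipaddress.ip_network(src, strict=False), note)


def evaluate(acl, src_ip):
    """First-match evaluation like an IOS ACL, with the implicit deny at the end."""
    ip = ipaddress.ip_address(src_ip)
    for action, net, _ in acl:
        if ip in net:
            return action
    return "deny"


def sensor_generated_acl(sensor_ip, blocked_hosts, post_block_acl):
    """Model (from the poster's description, an assumption) of the ACL the sensor
    writes to the blocking interface: it permits its own address first, then denies
    the hosts it is blocking, then appends the operator's post-block ACL unchanged."""
    acl = [ace("permit", f"{sensor_ip}/32", "sensor never-block")]
    acl += [ace("deny", f"{h}/32", "sensor block") for h in blocked_hosts]
    return acl + list(post_block_acl)


def through_path(stages, src_ip):
    """A packet must be permitted by every ACL on its path (outside-in, then inside-out)."""
    for acl in stages:
        if evaluate(acl, src_ip) == "deny":
            return "deny"
    return "permit"


# Operator's anti-spoofing ACL: drop anything claiming an inside source, permit the rest.
ANTI_SPOOF = [ace("deny", INSIDE_NET, "anti-spoofing"), ace("permit", "0.0.0.0/0")]

# Layout 1 (the poster's): anti-spoofing is the post-block ACL on the outside inbound
# interface, so the sensor's permit for its own IP lands above the anti-spoofing deny.
outside_in_layout1 = sensor_generated_acl(SENSOR_IP, [BLOCKED_HOST], ANTI_SPOOF)

# Layout 2 (the reply's suggestion): the sensor owns the outside inbound ACL on its own
# (post-block ACL is just "permit any") and anti-spoofing moves to inside outbound.
outside_in_layout2 = sensor_generated_acl(SENSOR_IP, [BLOCKED_HOST], [ace("permit", "0.0.0.0/0")])
inside_out_layout2 = ANTI_SPOOF


def stages_for(layout):
    """ACLs a packet crosses on its way from the outside interface to the inside one."""
    return {1: [outside_in_layout1], 2: [outside_in_layout2, inside_out_layout2]}[layout]


def spoofed_sensor_gets_in(layout):
    """Does a packet arriving from outside with the sensor's IP as its source reach the inside?"""
    return through_path(stages_for(layout), SENSOR_IP) == "permit"


if __name__ == "__main__":
    for layout in (1, 2):
        print(f"layout {layout}: spoofed sensor IP admitted = {spoofed_sensor_gets_in(layout)}")
```

In layout 1 the spoofed packet matches the sensor's own permit before the anti-spoofing deny is ever consulted, which is exactly the free pass the poster worried about; in layout 2 it is still permitted on the outside interface but is dropped by the anti-spoofing ACL on the inside interface, while ordinary and blocked outside hosts are treated the same in both layouts. One caveat to keep in mind when moving the ACL: an outbound ACL on the inside interface only sees traffic transiting toward the inside, so it does not protect the router's own addresses the way the inbound ACL on the outside interface did.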
