Shunning with PIX 515

sasa.rasovic
Level 1

Hello,

I have IDS 4215 and PIX 515 in failover with 7.0 image.

IDS is configured for shunning connections on a specified signature regarding DNS looping.

Everything works fine, and I get the connection shunned on the PIX with the following entry: shun (interface) 1.1.1.1 2.2.2.2 53 7124 0

The only problem is that now every connection (not just the one that is blocked - the one to 2.2.2.2 from port 53) from 1.1.1.1 is blocked. So, essentially now I have my DNS server blocked.

Does anyone know if it is possible to make shunning work only for that particular connection? Thanks

S

4 Replies

marcabal
Cisco Employee

There is a misunderstanding on what the shun command does on the Pix.

The shun command on the Pix shuns the entire source address (in your case 1.1.1.1).

Even though 2.2.2.2 53 7124 0 is seen on the rest of the shun, you need to realize it is still the entire 1.1.1.1 address that is blocked.

The Pix only supports Block/Shun Host, and does not support Block/Shun Connection.

Block/Shun Connection is only supported on the Routers and Switches.

The additional shun information provided does not limit the shun to that one connection. The additional connection information is just so that the Pix can remove that connection entry from its connection table while it is in the process of shunning the entire source address.

You might be tempted to switch to Blocking on a Router or Switch in order to get the shunning for just the one connection.

BUT be aware that connection shunning can be upgraded to a full Host Shun when multiple shuns take place.

So in the beginning the shun may be limited to one type of connection, but if enough shuns happen the sensor may automatically upgrade it to a full Host shun and still block your DNS Server.

Machines like your DNS server that are required for access should be considered when deploying Shuns.

You can put them into the Never Block Host list so they won't ever be blocked (Host or Connection Blocks).

If you are managing a Router or Switch instead of the Pix you might alternatively consider using a Pre ACL that always permits certain types of traffic to/from your DNS Server. So even if there is a Block Host done there will still be certain types of traffic allowed in.
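As an added illustration of the distinction drawn above (example code written for this page, not from the thread or from Cisco): a small Python model in which a PIX shun entry blocks the whole source address, a router or switch entry blocks only the listed connection, several connection blocks on one source escalate to a host block (the threshold of 3 is an assumed value), and hosts on the sensor's Never Block list are never dropped. The flows are constructed sample values.

```python
# Added example (not from the thread): a model of the blocking semantics described above.
# Device names, the escalation threshold and the sample flows are assumptions.
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

Flow = Tuple[str, str, int, int]  # (src_ip, dst_ip, src_port, dst_port)


@dataclass
class Shun:
    src: str
    dst: Optional[str] = None
    sport: int = 0
    dport: int = 0


def parse_pix_shun(line: str) -> Shun:
    """Parse 'shun (interface) 1.1.1.1 2.2.2.2 53 7124 0' as quoted in the thread.
    The extra fields only name the connection to purge; the trailing protocol is ignored."""
    parts = line.split()
    if len(parts) < 3 or parts[0] != "shun":
        raise ValueError(f"not a shun line: {line!r}")
    dst = parts[3] if len(parts) > 3 else None
    sport = int(parts[4]) if len(parts) > 4 else 0
    dport = int(parts[5]) if len(parts) > 5 else 0
    return Shun(parts[2], dst, sport, dport)


@dataclass
class BlockingPolicy:
    shuns: List[Shun] = field(default_factory=list)
    never_block: Set[str] = field(default_factory=set)  # sensor's Never Block Host list
    device: str = "pix"       # "pix": host shun only; "router": connection blocks honoured
    escalate_after: int = 3   # assumed: this many connection blocks on one source -> host block

    def is_dropped(self, flow: Flow) -> bool:
        src, dst, sport, dport = flow
        if src in self.never_block:   # the sensor never issues a block for these hosts
            return False
        mine = [s for s in self.shuns if s.src == src]
        if not mine:
            return False
        if self.device == "pix" or len(mine) >= self.escalate_after:
            return True               # the entire source address is blocked
        # router/switch connection block: only the exact listed connection is denied
        return any((s.dst, s.sport, s.dport) == (dst, sport, dport) for s in mine)
```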

Thanks marcabal, I understood the shun mechanism when I first implemented it.

But I was just wishing there could be some detour in doing this on the PIX since it is the newest version - 7.0 - all of my servers are controlled by this one and it is very important for me to be able to control traffic initiated from those servers, preferably on the firewall itself. This way, I lose the control needed to block only certain traffic. This shortcoming is quite confusing and interesting since most of the time one needs to do exactly that... shun on the PIX for a particular connection.

However, I decided to move to VACL shunning on my 6500.

P.S. Is this going to remain the same in future versions of PIX?

Thanks,

S

I have not heard of any planned changes on the Pix.

With the release of version 5.0 and the ability to do InLine monitoring on the sensor itself, the sensor itself denying the traffic has become the main focus point, and where new features are primarily being added.

Especially with the recent release of the ASA Appliances where the SSM-AIP card can run IPS on a card within the firewall itself. The denies would be done on the IPS card without needing to send the Shun commands to the firewall (though it is still supported).

Thank you
