cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
455
Views
0
Helpful
5
Replies

Blocking Devices

bz
Level 1
Level 1

Hi all...can someone give me some pointers in helping me configure my sensors (4210) to use the shun/tcp reset feature. I can apply the ACLs on the internal interface of my edge routers, so is that inbound or outbound? Any help will be highly appreciated...thanks!!!

5 Replies 5

marcabal
Cisco Employee
Cisco Employee

Here is a very basic scenario:

mynetwork----------e0 router e1-------------internet

Mynetwork is connected to interface e0 of my router.

My router is then connected to the internet on interface e1.

Both interfaces e0 and e1 can have an ACL applied to traffic for the IN direction, and traffic for the OUT direction. This results in 4 possible combinations to apply an ACL:

e0 in, e0 out, e1 in, and e1 out.

NOTE: The user could have a different ACL applied to each of the combinations listed above. Resulting in 4 different ACLs.

When traffic is routed from the internet to mynetwork, the router will check the traffic first againt the ACL applied to "e1 in" (since the traffic is coming in the e1 interface) and then check against the ACL applied to "e0 out" (since it will be leaving out the router on the e0 interface) before transmitting the packets to mynetwork.

When traffic comes from mynetwork will check the traffic first against the ACL applied to "e0 in" and then "e1 out" before transmitting the packets to the internet.

So when considering where to apply the shuns, you need to understand what you want to shun.

NOTE: CSPM and IDM terminology also refers to shun as block. The two terms are can be used interchangeably.

If you want to shun/block attacks from the internet then you need to apply the shun to either "e1 in" or "e0 out". If you don't already have an ACL on "e1 in" then this would be the best place for it. BUT If you already have an ACL on "e1 in", but not on "e0 out" then applying the shun to "e0 out" would be an easy and viable solution.

If, however, you already have ACLs on both "e1 in" and "e0 out" then you will need to use the special functionality of the Pre/Post Shun ACLs.

Let's say you have the ACL "BlockInternet" already on "e1 in", and another ACL on "e0 out". You can configure the sensor to shun on "e1 in" by configuring the 'BlockInternet" ACL that you created as a PostShun ACL. The sensor will create it's ACL that blocks traffic, and then append your original ACL.

If you want to try something advanced then you could also split up your original "BlockInternet" ACL into 2 ACLs "BlockInternet-1" and "BlockInternet-2".

Now configure the the sensor to shun on "e1 in" using "BlockInternet-1" as the PreShunACL, and "BlockInternet-2" as the PostShun ACL.

The sensor will prepend the contents of "BlockInternet-1" to the top of the ACL it creates, and append the contents of "BlockInternet-2" to the bottom of the ACL it creates.

------

If you want to shun your internal traffic to keep it from going out to the internet.

Then you would need to configure the sensor to shun on either "e0 in" or "e1 out".

The same pricinciples as I described above will apply.

The preference in this case would be to shun on "e0 in".

If you want to block both traffic from the internet as well as traffic leaving your network, then you would need to actually shun on 2 interface direction pairs.

For example:

e0 in, and e0 out

e1 in, and e1 out

e0 in, and e1 in (preferred)

e0 out, and e1 out

It's up to you which combination to use based upon my previous explanations.

Now that you've figured out which interface direction pairs, then you need to configure the sensor to communicate with the router and tell it which interface direction pairs and possibly the Pre and Post Shun ACLs to use.

Then you can either choose to manually shun the ipaddresses. There is a meny option in the Event Viewer in CSPM, and tab in IDM for this. Or you can choose to have the sensor automatically shun when specific attacks are detected.

Select the signatures you want to configure for automated shuns, and set their action to shun (or block).

My recommendation is to choose which alarms you may want to shun, and then watch these alarms for a day or two, and see if there are any false positives for them.

In most cases you are probably safe when configuring level 5 (High) alarms with a shun action.

AS FOR TCP RESETS:

The TCP Reset feature works independantly of the Shun feature.

The TCP Reset feature does not require modifcations to or knowledge of the routers.

With TCP Resets, the sensor will send TCP Reset packets out of it's monitoring interface to try and tear down the TCP Connection.

TCP Resets can be configured as automated response on most of the single session based TCP signatures.

NOTE: TCP Reset and Shun can both be configured on the same signature to give the maximum possible automated protection.

Thanks for the detailed explanation...greatly appreciated.

I think I'm running into another problem.

The CSPM doesn't seem to be pushing out the config. to the sensors. For example, I entered the blocking device info in the CSPM and pushed it out to the sensor. But when I go to IDM, I don't see the settings there...is this normal? Same as for other settings like internal network, never block addresses, etc. I'm starting to believe the reason why the shun/tcp reset doesn't work because the sensor's signature is not being updated when I make the changes on the CSPM...Any suggestions? Thanks!

marcabal
Cisco Employee
Cisco Employee

Are you logging into IDM after CSPM has pushed the configuration files?

If you are logged in prior to CSPM pushing the configs then IDM won't see the changes.

IDM reads in the configuration when you first login. So to see the CSPM changes be sure to logout of IDM and then log back in after CSPM makes the changes.

As for the changes not getting pushed to the sensor. Are you both Updating the database, and Approving the individual sensor configurations? May people didn't realize you have to Update/Save the changes, and then go to each sensor and hit's own Approve button to get the configurations to be pushed to the sensor.

Another thing to try, is to generate a Diagnostic report through IDM. This shoudl show you the contents of any error files, and the contents of the configuration files.

You can check to see if your changes are being written to managed.conf, and packetd.conf.

Thanks...everything is working fine now!!! I forgot to approve... Thank you all!!!