Re: Implementing shunning on 3 4210 IDS’s.

helvey-johnson · ‎10-25-2002

I have 1 IDS at each location inside, DMZ and outside. My inside is connected to 2 PIX 520’s and a 7206. DMZ is connected to a PIX 515 and a 2610. Outside is connected to 2 2610’s. Are there any specific caveats I should be looking for after I implement shunning?

Thanks, Helvey

stleary · ‎10-25-2002

Never configure a network device manually while the sensor is

connected for shunning. If you need to manually configure the

network device, first use your management interface to disable

shunning. For example, using IDM 3.1, click Configuration.

Blocking.Blocking properties and uncheck the Enable blocking

checkbox (don't forget to apply the changes). After you have

finished configuring the network device, re-enable shunning.

The most common problems with shunning are due to misconfiguration

of the sensor or the network device. After you configure the sensor,

use your management interface to ensure that the sensor is

communicating with the network devices. E.G. using IDM 3.1, click

Administration.manual blocking. The device status should

be 'Active' for all connected network devices.

Never try to control the same network device from two different

sensors.

If you are going to shun from each IDS device and you want the shuns

to be forwarded to all of the network devices, be careful not to set up

circular forwarding. The management interfaces will probably

not warn you, and it will cause problems when a shun is attempted.

PIXes do not support the Shun Net command. If you want to

use your management interface to manually shun an entire network,

the shun will only work on routers and switches. You will have to

configure the PIX ACLs yourself to filter out the network.

Implementing shunning on 3 4210 IDSs.

Implementing shunning on 3 4210 IDSs.