The Cisco IPS uses the blocking feature to prevent packets from reaching their destination by using another Cisco device as the initiator at the request of the sensor. THe blocking device must be reachable and accessible by the sensor for management purposes.
The sensor must be able to communicate with the blocking device and should have Telnet or Secure Shell (SSH) access configured. The sensor will connect to the blocking device through either of these protocols.
Using ACLs on a Router
On a blocking device, you can have only one active access control list (ACL) for each interface and direction combination. To accomodate other ACL entries apart from the ones that are generated by the sensor, you should configure the additional ACL in the form of pre-blocked and post-block ACLs. These ACLs allow an administrator to include access rules that must be processed before and after the blockig rules are added by the sensor:
* Pre-block ACLs: These are used for permitting what you do not want the sensor to block and thus override the deny lines resulting from blocks. From example, when a packet is checked against an ACL, the first line that is matched determines the action. Therefore, if the first line matched is a permit line from the pre-block ACL, the packet is permitted, even though there could be a deny line from an automatic block that is listed later in the ACL.
* Post-block ACLs: These are used for additional blocking or permitting of traffic on an interface when there is an existing ACL that must be there after the block action. The sensor creates an ACL with the following entries and applies it to the specified interface and direction as required:
* A permit line for the sensor IP addres if it is currently blocked
* A copy of all the configuratio nlines in the pre-block ACL
* A deny line for each address being blocked by the sensor
* A copy of all the configuration lines of the post-block ACL
Configuration Tasks
A number of steps need to be performed to complete the configuration process for blocking. They are grouped here into tasks to make them easy to follow:
Step 1: Add the blocking device to the sensor known host list. This involves importing an authentic copy of the public key of the blocking device to later reliably authenticate it in SSH connections. This is only required if you use SSH to communicate with the blocking devices, and it is optional.
Step 2: Configure the sensor global blocking properties. This involves enabling blocking and defining blocking parameters, such as the maximum number of blocking entries, IP addresses to be blocked, and IP addresses that cannot be blocked.
Step 3: Create blocking device login profiles. This task involves defining the username, password, and enable password for communication between the sensor and the blocking device for blocking.
Step 4: Define the blocking device properties: This task involves defining the properties of the blocking device such as device type, IP address, login profile, and communication method.
Step 5: Configure properties of managed interfaces: This involves selecting the blocking interfaces or VLAN and specifying the direction in which to apply the ACL and also defining pre-block and post- block ACLs. This step is optional and is not required for Cisco ASA devices.
Step 6: Assign a block action to a signature. This task involves configuring a signature action to request blocking from an external device.
For Task 1, if you select SSH-DES or 3DES as the secure communication method, the sensor uses SSH password authentication to log in to the managed device. To configure the sensor to communicate with a blocking device using SSH, you must manually retrieve the SSH public key of the blocking device to the sensor. Follow these steps to add the blocking device to the sensor known host list:
Step 1: Navigate to Configuration > Sensor Management > SSH > Known Host Keys.
Step 2: Click Add. The Add Known Host Key window opens.
Step 3: Enter the IP address of the managed (blocking) device, and click Retreive Host Key.
Step 4: The sensor will retrieve the host key of the device. Verify the authenticity of this key by comparing it with a known authentic copy, and click OK to confirm that it is authentic.
Follow these steps to configure the sensor blocking properties:
Step 1: Navigate to Configuration > Sensor Management > Blocking > Blocking Properties to display the Blocking Properties panel.
Step 2: Verify that the Enable Blocking check box is selected. Blocking is enabled by default, so it should be selected.
Step 3: There is an Allow Sensor IP Address to Be Blocked check box as well, which should remain deselecte. Selecting this box can allow the sensor to block itself and not be able to communicate with the devices it is managing.
Step 4: There is a Maximum Block Entries Field that has values ranging from 1 to 65,535. The default is 250 and is the recommended amount of entries to be blocked. After the sensor reaches it maximum, newer blocks will not occur.
Step 5: Click the Add button to add a host or network to the list of addresses never to be blocked, which will appear under the Never Block Addresses section.
Step 6: Enter the IP address of the host or network in the IP Address field.
Step 7: Choose the network mask that corresponds to the IP address from the Mask drop-down menu.
Step 8: Click OK. The new host or network appears in the Never Block Addresses list on the Blocking Properties panel.
Step 9: Click Apply to apply your changes and save the updated configuration. In Task 3, you will be specifying the username and password that the sensor will use when logging in to the blocking devices. This is created under a login profile, where one login profile can be used for multiple devices.
An example will be creating a login profile for routers that share the same username and password.
Follow these steps to create a device login profile:
Step 1: Navigate to Configuration > Sensor Management > Blocking > Device Login Profiles. This displays the Device Login Profiles window.
Step 2: Click Add to add a profile, add the Add Device Login Profile window opens.
Step 3: Enter a name for your profile in the Profile Name field.
Step 4: Enter the username that will be used to log in to the blocking device in the Username field.
This step is optional if a username is not required by the blocking device.
Step 5: Enter the password that is used to log in to the blocking device in the New Password field. Enter the same password in the Confirm New Password field.
Step 6: Enter the enable password that is used on the blocking device under the Enable Password section in the New Password field. This is optional if an enable password is not used. If this is entered, it will have to be confirmed by entering the same password in the Confirm New Password field.
Step 7: Click OK and the new device login profile appears in the list in the Device Login Profiles window.
Step 8: Click Apply to apply your changes and save the revised configuration.
In Task 4, you will define the properties of the blocking device by following these steps:
Step 1: Navigate to Configuration > Sensor Management > Blocking > Blocking Devices to display the Blocking Devices panel.
Step 2: Click Add and the Add Blocking Device window opens. You might receive an error message if you have not configured the device login profile.
Step 3: Enter the IP address of the blocking device in the IP Address field.
Step 4: Enter the sensor's Network Address Translation (NAT) address in the Sensor's NAT Address field. This is an optional field and should only be used if there is a NAT device between the management interface of the sensor and the management interface of the blocking device.
Step 5: Choose the device login profile from the Device Login Profile drop-down list. The login profile was created in Task 3 and is a prerequisite to this step.
Step 6: Choose the device type form the Device Type drop-down list. The options from the list are Cisco Router, PIX/ASA, and Cat 6K.
Step 7: Observe the Block and Rate Limit check boxes in the Response Capabilities section. The Block check box is selected, as the response action by the blocking device is to block.
Step 8: From the communication drop-down list, choose the connection method that will be used for the management access. It is recommended that you use the SSSH 3DES method.
Step 9: Click OK.
Step 10: Click Apply to apply your changes and save the upload configuration.
In Task 5, you will configure the properties of the managed interface by following these steps:
Step 1: Navigate to Configuration > Blocking > Router Blocking Device Interfaces. Because a router was selected in Task 3, it only follows that the interfaces will be router interfaces. If the blocking device is not created in Task 3, an error message will be produced when attempting the next step.
Step 2: Click Add and the Add Router Blocking Device Interface window opens.
Step 3: Choose the IP address of the blocking device from the Router Blocking Device drop-down list.
Step 4: Type in the blocking interface name in the Blocking Interface field.
Step 5: Select the direction in which you want to apply the blocking ACL, which can be in or out.
Step 6: Enter the name of the pre-block ACL in the Pre-Block ACL field. This is optional.
Step 7: Enter the nam of the post-block ACL in the Post-Block ACL field. This is also an optional field.
Step 8: Click OK and the new interface appears in the Router Blocking Device interface list. If the exact same information already exists, you will receive an error message.
Step 9: Click Apply to apply your changes and save the revised configuration. Task 6 is the last set of steps when configuring remote blocking. The key here is selecting a signature and modifying it such that the alert response is to block the malicious host. Follow these steps to modify the signature so that a block is performed when triggered.
Step 1: Navigate to Configuration > Policies > Signature Definition > sig0 to reveal the Signature window.
Step 2: From the Sig0 window, select a signature or a group of signatures and click Edit Actions. The Edit Action window opens.
Step 3: Select the Request Block Host, Request Rate Limit, or Request Block Connection action from the Other Actions section.
Step 4: Click OK.
Step 5: Click Apply to apply your changes and save the revised configuration.
The sensor must be able to communicate with the blocking device and should have Telnet or Secure Shell (SSH) access configured. The sensor will connect to the blocking device through either of these protocols.
Using ACLs on a Router
On a blocking device, you can have only one active access control list (ACL) for each interface and direction combination. To accomodate other ACL entries apart from the ones that are generated by the sensor, you should configure the additional ACL in the form of pre-blocked and post-block ACLs. These ACLs allow an administrator to include access rules that must be processed before and after the blockig rules are added by the sensor:
* Pre-block ACLs: These are used for permitting what you do not want the sensor to block and thus override the deny lines resulting from blocks. From example, when a packet is checked against an ACL, the first line that is matched determines the action. Therefore, if the first line matched is a permit line from the pre-block ACL, the packet is permitted, even though there could be a deny line from an automatic block that is listed later in the ACL.
* Post-block ACLs: These are used for additional blocking or permitting of traffic on an interface when there is an existing ACL that must be there after the block action. The sensor creates an ACL with the following entries and applies it to the specified interface and direction as required:
* A permit line for the sensor IP addres if it is currently blocked
* A copy of all the configuratio nlines in the pre-block ACL
* A deny line for each address being blocked by the sensor
* A copy of all the configuration lines of the post-block ACL
Configuration Tasks
A number of steps need to be performed to complete the configuration process for blocking. They are grouped here into tasks to make them easy to follow:
Step 1: Add the blocking device to the sensor known host list. This involves importing an authentic copy of the public key of the blocking device to later reliably authenticate it in SSH connections. This is only required if you use SSH to communicate with the blocking devices, and it is optional.
Step 2: Configure the sensor global blocking properties. This involves enabling blocking and defining blocking parameters, such as the maximum number of blocking entries, IP addresses to be blocked, and IP addresses that cannot be blocked.
Step 3: Create blocking device login profiles. This task involves defining the username, password, and enable password for communication between the sensor and the blocking device for blocking.
Step 4: Define the blocking device properties: This task involves defining the properties of the blocking device such as device type, IP address, login profile, and communication method.
Step 5: Configure properties of managed interfaces: This involves selecting the blocking interfaces or VLAN and specifying the direction in which to apply the ACL and also defining pre-block and post- block ACLs. This step is optional and is not required for Cisco ASA devices.
Step 6: Assign a block action to a signature. This task involves configuring a signature action to request blocking from an external device.
For Task 1, if you select SSH-DES or 3DES as the secure communication method, the sensor uses SSH password authentication to log in to the managed device. To configure the sensor to communicate with a blocking device using SSH, you must manually retrieve the SSH public key of the blocking device to the sensor. Follow these steps to add the blocking device to the sensor known host list:
Step 1: Navigate to Configuration > Sensor Management > SSH > Known Host Keys.
Step 2: Click Add. The Add Known Host Key window opens.
Step 3: Enter the IP address of the managed (blocking) device, and click Retreive Host Key.
Step 4: The sensor will retrieve the host key of the device. Verify the authenticity of this key by comparing it with a known authentic copy, and click OK to confirm that it is authentic.
Follow these steps to configure the sensor blocking properties:
Step 1: Navigate to Configuration > Sensor Management > Blocking > Blocking Properties to display the Blocking Properties panel.
Step 2: Verify that the Enable Blocking check box is selected. Blocking is enabled by default, so it should be selected.
Step 3: There is an Allow Sensor IP Address to Be Blocked check box as well, which should remain deselecte. Selecting this box can allow the sensor to block itself and not be able to communicate with the devices it is managing.
Step 4: There is a Maximum Block Entries Field that has values ranging from 1 to 65,535. The default is 250 and is the recommended amount of entries to be blocked. After the sensor reaches it maximum, newer blocks will not occur.
Step 5: Click the Add button to add a host or network to the list of addresses never to be blocked, which will appear under the Never Block Addresses section.
Step 6: Enter the IP address of the host or network in the IP Address field.
Step 7: Choose the network mask that corresponds to the IP address from the Mask drop-down menu.
Step 8: Click OK. The new host or network appears in the Never Block Addresses list on the Blocking Properties panel.
Step 9: Click Apply to apply your changes and save the updated configuration. In Task 3, you will be specifying the username and password that the sensor will use when logging in to the blocking devices. This is created under a login profile, where one login profile can be used for multiple devices.
An example will be creating a login profile for routers that share the same username and password.
Follow these steps to create a device login profile:
Step 1: Navigate to Configuration > Sensor Management > Blocking > Device Login Profiles. This displays the Device Login Profiles window.
Step 2: Click Add to add a profile, add the Add Device Login Profile window opens.
Step 3: Enter a name for your profile in the Profile Name field.
Step 4: Enter the username that will be used to log in to the blocking device in the Username field.
This step is optional if a username is not required by the blocking device.
Step 5: Enter the password that is used to log in to the blocking device in the New Password field. Enter the same password in the Confirm New Password field.
Step 6: Enter the enable password that is used on the blocking device under the Enable Password section in the New Password field. This is optional if an enable password is not used. If this is entered, it will have to be confirmed by entering the same password in the Confirm New Password field.
Step 7: Click OK and the new device login profile appears in the list in the Device Login Profiles window.
Step 8: Click Apply to apply your changes and save the revised configuration.
In Task 4, you will define the properties of the blocking device by following these steps:
Step 1: Navigate to Configuration > Sensor Management > Blocking > Blocking Devices to display the Blocking Devices panel.
Step 2: Click Add and the Add Blocking Device window opens. You might receive an error message if you have not configured the device login profile.
Step 3: Enter the IP address of the blocking device in the IP Address field.
Step 4: Enter the sensor's Network Address Translation (NAT) address in the Sensor's NAT Address field. This is an optional field and should only be used if there is a NAT device between the management interface of the sensor and the management interface of the blocking device.
Step 5: Choose the device login profile from the Device Login Profile drop-down list. The login profile was created in Task 3 and is a prerequisite to this step.
Step 6: Choose the device type form the Device Type drop-down list. The options from the list are Cisco Router, PIX/ASA, and Cat 6K.
Step 7: Observe the Block and Rate Limit check boxes in the Response Capabilities section. The Block check box is selected, as the response action by the blocking device is to block.
Step 8: From the communication drop-down list, choose the connection method that will be used for the management access. It is recommended that you use the SSSH 3DES method.
Step 9: Click OK.
Step 10: Click Apply to apply your changes and save the upload configuration.
In Task 5, you will configure the properties of the managed interface by following these steps:
Step 1: Navigate to Configuration > Blocking > Router Blocking Device Interfaces. Because a router was selected in Task 3, it only follows that the interfaces will be router interfaces. If the blocking device is not created in Task 3, an error message will be produced when attempting the next step.
Step 2: Click Add and the Add Router Blocking Device Interface window opens.
Step 3: Choose the IP address of the blocking device from the Router Blocking Device drop-down list.
Step 4: Type in the blocking interface name in the Blocking Interface field.
Step 5: Select the direction in which you want to apply the blocking ACL, which can be in or out.
Step 6: Enter the name of the pre-block ACL in the Pre-Block ACL field. This is optional.
Step 7: Enter the nam of the post-block ACL in the Post-Block ACL field. This is also an optional field.
Step 8: Click OK and the new interface appears in the Router Blocking Device interface list. If the exact same information already exists, you will receive an error message.
Step 9: Click Apply to apply your changes and save the revised configuration. Task 6 is the last set of steps when configuring remote blocking. The key here is selecting a signature and modifying it such that the alert response is to block the malicious host. Follow these steps to modify the signature so that a block is performed when triggered.
Step 1: Navigate to Configuration > Policies > Signature Definition > sig0 to reveal the Signature window.
Step 2: From the Sig0 window, select a signature or a group of signatures and click Edit Actions. The Edit Action window opens.
Step 3: Select the Request Block Host, Request Rate Limit, or Request Block Connection action from the Other Actions section.
Step 4: Click OK.
Step 5: Click Apply to apply your changes and save the revised configuration.
No comments:
Post a Comment