Configuring Blocking
This chapter provides information for setting up blocking on the sensor. It contains the following sections:
• Understanding Blocking
• Before Configuring Blocking
• Supported Blocking Devices
• Configuring Blocking Properties
• Configuring Device Login Profiles
• Configuring Blocking Devices
• Configuring Router Blocking Device Interfaces
• Configuring Cat 6K Blocking Device Interfaces
• Configuring the Master Blocking Sensor
• Configuring Active Host Blocks
• Configuring Network Blocks
Understanding Blocking
Network Access Controller, the blocking application on the sensor, starts and stops blocks on routers, switches, PIX Firewalls, FWSM, and ASA. Network Access Controller blocks the IP address on the devices it is managing. It sends the same block to all the devices it is managing, including any other master blocking sensors. Network Access Controller monitors the time for the block and removes the block after the time has expired.
Caution
If ASA or FWSM is configured in multi-mode, blocking is not supported for the admin context. Blocking is only supported in single mode and in multi-mode customer context.
There are three types of blocks:
• Host block—Blocks all traffic from a given IP address.
• Connection block—Blocks traffic from a given source IP address to a given destination IP address and destination port.
Note
Connection blocks are not supported on firewalls. Firewalls only support host blocks with additional connection information.
Note
Multiple connection blocks from the same source IP address to either a different destination IP address or destination port automatically switch the block from a connection block to a host block.
• Network block—Blocks all traffic from a given network.
Note
You can initiate host and connection blocks manually or automatically when a signature is triggered. You can only initiate network blocks manually.
Note
Do not confuse blocking with the sensor's ability to drop packets. The sensor can drop packets when the following actions are configured for a sensor in inline mode: deny packet inline, deny connection inline, and deny attacker inline.
On Cisco routers and Catalyst 6500 series switches, Network Access Controller creates blocks by applying ACLs or VACLs. ACLs and VACLs permit or deny passage of data packets through interface ports or VLANs. Each ACL or VACL contains permit and deny conditions that apply to IP addresses. The PIX Firewall, FWSM, and ASA do not use ACLs or VACLs. The built-in shun/no shun command is used.
You need the following information for Network Access Controller to manage a device:
• Login user ID (if the device is configured with AAA)
• Login password
• Enable password (not needed if the user has enable privileges)
• Interfaces to be managed (for example, ethernet0, vlan100)
• Any existing ACL/VACL information you want applied at the beginning (Pre-Block ACL/VACL) or end (Post-Block ACL/VACL) of the ACL/VACL that will be created
This does not apply to a PIX Firewall, FWSM, or ASA because they do not use ACLs to block.
• Whether you are using Telnet or SSH to communicate with the device
• IP addresses (host or range of hosts) you never want blocked
• How long you want the blocks to last
Tip
To check the status of Network Access Controller, type show statistics network-access at the sensor# prompt. The output shows the devices you are managing, any active blocks, and the status for all devices. Or in the IDM, click Monitoring > Statistics to see the status of Network Access Controller.
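The block semantics described in this section (host, connection and network blocks; a second connection block from the same source escalating to a host block; the never-block list with an optional mask; the sensor's own address; the maximum number of block entries; and removal after the configured time) can be modelled in a few lines. The following Python is an added example written for this page, not Cisco's Network Access Controller code: the class and method names (BlockTable, request_block), the sample addresses and the timings are constructed for illustration, and the max_entries default of 250 follows the Maximum Block Entries default given later in this chapter.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Block:
    kind: str                     # "host", "connection" or "network"
    source: str                   # host address, or a network in CIDR form for "network"
    dest: Optional[str] = None    # connection blocks only: destination address
    port: Optional[int] = None    # connection blocks only: destination port
    expires_at: float = 0.0       # absolute time (seconds) at which the block is removed

    def key(self):
        """Identity of a block, ignoring its expiry time."""
        return (self.kind, self.source, self.dest, self.port)


class BlockTable:
    """Constructed model of the NAC block table (assumed name, not Cisco's code)."""

    def __init__(self, sensor_ip, never_block, max_entries=250,
                 allow_sensor_block=False):
        # never-block entries: "a.b.c.d" protects only that host, while
        # "a.b.c.d/len" protects the whole network (the Mask field)
        self.never = [ipaddress.ip_network(n, strict=False) for n in never_block]
        if not allow_sensor_block:
            # default: the sensor's own address behaves like a never-block host
            self.never.append(ipaddress.ip_network(sensor_ip))
        self.max_entries = max_entries   # Maximum Block Entries, default 250
        self.blocks = []

    def expire(self, now):
        """Drop blocks whose time has run out; NAC does this on its own."""
        self.blocks = [b for b in self.blocks if b.expires_at > now]

    def is_protected(self, source):
        target = ipaddress.ip_network(source, strict=False)
        return any(target.overlaps(net) for net in self.never)

    def request_block(self, kind, source, now, minutes, dest=None, port=None):
        """Apply a block request; returns the resulting Block, or None if refused."""
        self.expire(now)
        if self.is_protected(source):
            return None
        if kind == "connection":
            # a further connection block from the same source to another
            # destination address or port turns the block into a host block
            same_src = [b for b in self.blocks
                        if b.kind == "connection" and b.source == source]
            if any((b.dest, b.port) != (dest, port) for b in same_src):
                self.blocks = [b for b in self.blocks if b not in same_src]
                kind, dest, port = "host", None, None
        new = Block(kind, source, dest, port, now + minutes * 60)
        for i, existing in enumerate(self.blocks):
            if existing.key() == new.key():
                self.blocks[i] = new      # same block again: restart its timer
                return new
        if len(self.blocks) >= self.max_entries:
            return None                   # table full until an entry times out
        self.blocks.append(new)
        return new

    def active_sources(self):
        return sorted(b.source for b in self.blocks)


def demo():
    """Walk through the behaviours on constructed sample addresses."""
    table = BlockTable("172.16.0.2", ["10.0.0.0/24", "192.168.1.1"], max_entries=3)
    refused = [table.request_block("host", s, now=0, minutes=30)
               for s in ("10.0.0.7", "192.168.1.1", "172.16.0.2")]
    first = table.request_block("connection", "203.0.113.9", 0, 30,
                                dest="192.0.2.10", port=80)
    second = table.request_block("connection", "203.0.113.9", 60, 30,
                                 dest="192.0.2.11", port=80)   # escalates to host
    table.request_block("host", "198.51.100.4", 60, 30)
    table.request_block("network", "198.51.100.64/26", 60, 30)
    full = table.request_block("host", "198.51.100.5", 120, 30)  # fourth entry, refused
    later = table.request_block("host", "198.51.100.5", 31 * 60 + 1, 30)
    return {
        "refused": sum(r is None for r in refused),
        "first_kind": first.kind,
        "escalated_kind": second.kind,
        "table_full": full is None,
        "after_expiry": table.active_sources() if later else None,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The never-block check uses network overlap so that a single address, a mask-qualified network, and a network block request are all compared the same way; a host entry without a mask is a /32 and protects only itself, as the Blocking Properties section states.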
Before Configuring Blocking
Before you configure blocking, make sure you do the following:
• Analyze your network topology to understand which devices should be blocked by which sensor, and which addresses should never be blocked.
Caution
Two sensors cannot control blocking on the same device. If this situation is needed, configure one sensor as the master blocking sensor to manage the devices and the other sensors can forward their block requests to the master blocking sensor. For the procedure, see Configuring the Master Blocking Sensor.
• Gather the usernames, device passwords, enable passwords, and connection types (Telnet or SSH) needed to log in to each device.
• Know the interface names on the devices.
• Know the names of the Pre-Block ACL/VACL and Post-Block ACL/VACL if needed.
• Understand which interfaces should and should not be blocked and in which direction (in or out). You do not want to accidentally shut down an entire network.
Supported Blocking Devices
By default, Network Access Controller supports up to 250 devices in any combination. The following devices are supported by Network Access Controller:
• Cisco series routers using Cisco IOS 11.2 or later (ACLs):
– Cisco 1600 series router
– Cisco 1700 series router
– Cisco 2500 series router
– Cisco 2600 series router
– Cisco 2800 series router
– Cisco 3600 series router
– Cisco 3800 series router
– Cisco 7200 series router
– Cisco 7500 series router
• Catalyst 5000 switches with RSM with IOS 11.2(9)P or later (ACLs)
• Catalyst 6500 switches and 7600 routers with IOS 12.1(13)E or later (ACLs)
• Catalyst 6500 switches and 7600 routers with Catalyst software version 7.5(1) or later (VACLs)
– Supervisor Engine 1A with PFC
– Supervisor Engine 1A with MSFC1
– Supervisor Engine 1A with MSFC2
– Supervisor Engine 2 with MSFC2
– Supervisor Engine 720 with MSFC3
Note
We support VACL blocking on the Supervisor Engine and ACL blocking on the MSFC.
• PIX Firewall with version 6.0 or later (shun command)
– 501
– 506E
– 515E
– 525
– 535
• ASA with version 7.0 or later (shun command)
– ASA-5510
– ASA-5520
– ASA-5540
• FWSM 1.1 or later (shun command)
You configure blocking using either ACLs, VACLs, or the shun command. All firewall and ASA models support the shun command.
Configuring Blocking Properties
This section describes how to configure blocking properties, and contains the following topics:
• Overview
• Supported User Role
• Field Definitions
• Configuring Blocking Properties
Overview
Use the Blocking Properties panel to configure the basic settings required to enable blocking.
Network Access Controller controls blocking actions on managed devices.
You must tune your sensor to identify hosts and networks that should never be blocked, not even manually. You may have a trusted network device whose normal, expected behavior appears to be an attack. Such a device should never be blocked, and trusted, internal networks should never be blocked. Properly tuning signatures reduces the number of false positives and helps ensure proper network operations. Tuning and filtering signatures prevents alarms from being generated. If an alarm is not generated, the associated block does not occur.
If you specify a netmask, this is the netmask of the network that should never be blocked. If no netmask is specified, only the IP address you specify will never be blocked.
Caution
We recommend that you do not permit the sensor to block itself, because it may stop communicating with the blocking device. You can configure this option if you can ensure that if the sensor creates a rule to block its own IP address, it will not prevent the sensor from accessing the blocking device.
By default, blocking is enabled on the sensor. If Network Access Controller is managing a device and you need to manually configure something on that device, you should disable blocking first. You want to avoid a situation in which both you and Network Access Controller could be making a change at the same time on the same device. This could cause the device or Network Access Controller to fail.
Supported User Role
The following user roles are supported:
•
Administrator
•
Operator
•
Viewer
You must be Administrator or Operator to add or edit blocking properties.
Field Definitions
This section lists the field definitions for blocking properties, and contains the following topics:
•
Blocking Properties Panel
•
Add and Edit Never Block Address Dialog Boxes
Blocking Properties Panel
The following fields and buttons are found on the Blocking Properties panel.
Field Descriptions:
•
Enable Blocking—Whether or not to enable blocking of hosts.
The default is enabled. You receive an error message if Enable Blocking is disabled and nondefault values exist in the other fields.
Note
Even if you do not enable blocking, you can configure all other blocking settings.
•
Allow the sensor IP address to be blocked—Whether or not the sensor IP address can be blocked.
The default is disabled.
•
Maximum Block Entries—Maximum number of entries to block.
The value is 1 to 65535. The default is 250.
•
IP Address—IP address to never block.
•
Mask—Mask corresponding to the IP address never to block.
Button Functions:
•
Add—Opens the Add Never Block Address dialog box.
From this dialog box, you can add a host or network to the list of hosts and networks never to be blocked.
•
Edit—Opens the Edit Never Block dialog box.
From this dialog box, you can change the host or network that is never to be blocked.
•
Delete—Removes this host or network from the list of hosts and networks never to be blocked.
•
Apply—Applies your changes and saves the revised configuration.
•
Reset—Refreshes the panel by replacing any edits you made with the previously configured value.
Add and Edit Never Block Address Dialog Boxes
The following fields and buttons are found in the Add and Edit Never Block Address dialog boxes.
Field Descriptions:
•
IP Address—IP address to never block.
•
Mask—Mask corresponding to the IP address never to block.
Button Functions:
•
OK—Accepts your changes and closes the dialog box.
•
Cancel—Discards your changes and closes the dialog box.
•
Help—Displays the help topic for this feature.
Configuring Blocking Properties
To configure blocking properties, follow these steps:
Step 1
Click Configuration > Blocking > Blocking Properties.
The Blocking Properties panel appears.
Step 2
Select the Enable blocking check box.
Step 3
Do not select the Allow the sensor IP address to be blocked check box unless necessary.
Caution
We recommend that you do not allow the sensor to block itself, because it may stop communicating with the blocking device. You can select this option if you can ensure that if the sensor creates a rule to block its own IP address, it will not prevent the sensor from accessing the blocking device.
Step 4
Type how many blocks are to be maintained simultaneously (1 to 65535) in the Maximum Block Entries field.
Note
We do not recommend setting the maximum block entries higher than 250.
Note
The number of blocks will not exceed the maximum block entries. If the maximum is reached, new blocks will not occur until existing blocks time out and are removed.
Step 5
Click Add to add a host or network to the list of addresses never to be blocked.
The Add Never Block Address dialog box appears.
Step 6
Type the IP address of the host or network in the IP Address field.
Step 7
Type the network mask of the host or network in the Network Mask field or select a network mask from the drop-down list.
Tip
To discard your changes and close the Add Never Block Address dialog box, click Cancel.
Step 8
Click OK.
You receive an error message if the entries are identical.
The new host or network appears in the Never Block Addresses list on the Blocking Properties panel.
Step 9
To edit an existing entry in the never block addresses list, select it, and click Edit.
The Edit Never Block Address dialog box appears.
Step 10
Edit the IP address of the host or network in the IP Address field.
Step 11
Edit the network mask of the host or network in the Network Mask field.
Tip
To discard your changes and close the Edit Never Block Address dialog box, click Cancel.
Step 12
Click OK.
The edited host or network appears in the never block addresses list on the Blocking Properties panel.
Step 13
To delete a host or network from the list, select it, and click Delete.
The host no longer appears in the never block addresses list on the Blocking Properties panel.
Tip
To discard your changes, click Reset.
Step 14
Click Apply to apply your changes and save the revised configuration.
Configuring Device Login Profiles
This section describes how to configure device login profiles, and contains the following topics:
•
Overview
•
Supported User Role
•
Field Definitions
•
Configuring Device Login Profiles
Overview
Use the Device Login Profiles panel to configure the profiles that the sensor uses when logging in to blocking devices.
You must set up device login profiles for the other hardware that the sensor manages. The device login profiles contain username, login password, and enable password information under a name that you create. For example, routers that all share the same passwords and usernames can be under one device login profile name.
Note
You must have a device login profile created before configuring the blocking devices.
Supported User Role
The following user roles are supported:
•
Administrator
•
Operator
•
Viewer
You must be Administrator or Operator to add or edit device login profiles.
Field Definitions
This section lists the field definitions for device login profiles, and contains the following topics:
•
Device Login Profile Panel
•
Add and Edit Device Login Profile Dialog Boxes
Device Login Profile Panel
The following fields and buttons are found on the Device Login Profile panel.
Field Descriptions:
•
Profile Name—Name of the profile.
•
Username—Username used to log in to the blocking device (optional).
•
Login Password—Login password used to log in to the blocking device (optional).
Found only in the Add Device Login Profile dialog box.
Note
If a password exists, it is displayed with a fixed number of asterisks.
•
Enable Password—Enable password used on the blocking device (optional).
Found only in the Add Device Login Profile dialog box.
Note
If a password exists, it is displayed with a fixed number of asterisks.
•
Change the login password—If selected, lets you change the login password.
Found only in the Edit Device Login Profile dialog box.
•
Change the enable password—If selected, lets you change the enable password.
Found only in the Edit Device Login Profile dialog box.
Button Functions:
•
Add—Opens the Add Device Login Profile dialog box.
From this dialog box, you can add a device login profile.
•
Edit—Opens the Edit Device Login Profile box.
From this dialog box, you can change the values associated with this device login profile.
•
Delete—Removes this device login profile from the list of device login profiles.
You receive an error message if you try to delete a profile that is being used.
•
Apply—Applies your changes and saves the revised configuration.
•
Reset—Refreshes the panel by replacing any edits you made with the previously configured value.
Add and Edit Device Login Profile Dialog Boxes
The following fields and buttons are found in the Add and Edit Device Login Profile dialog boxes.
Field Descriptions:
•
Profile Name—Name of the profile.
•
Username—Username used to log in to the blocking device (optional).
•
Login Password—Login password used to log in to the blocking device (optional).
Found only in the Add Device Login Profile dialog box.
Note
If a password exists, it is displayed with a fixed number of asterisks.
•
Enable Password—Enable password used on the blocking device (optional).
Found only in the Add Device Login Profile dialog box.
Note
If a password exists, it is displayed with a fixed number of asterisks.
•
Change the login password—If selected, lets you change the login password.
Found only in the Edit Device Login Profile dialog box.
•
Change the enable password—If selected, lets you change the enable password.
Found only in the Edit Device Login Profile dialog box.
Button Functions:
•
OK—Accepts your changes and closes the dialog box.
•
Cancel—Discards your changes and closes the dialog box.
•
Help—Displays the help topic for this feature.
Configuring Device Login Profiles
To configure device login profiles, follow these steps:
Step 1
Click Configuration > Blocking > Device Login Profiles.
The Device Login Profiles panel appears.
Step 2
Click Add to add a profile.
The Add Device Login Profile dialog box appears.
Step 3
Type the profile name in the Profile Name field.
Step 4
Type the username used to log in to the blocking device in the Username field.
Step 5
Type the login password in the New Password field and retype it in the Confirm New Password field.
Step 6
Type the enable password in the New Password field and retype it in the Confirm New Password field.
Tip
To discard your changes and close the Add Device Login Profile dialog box, click Cancel.
Step 7
Click OK.
You receive an error message if the profile name already exists.
The new device login profile appears in the list on the Device Login Profile panel.
Step 8
To edit an existing entry in the device login profile list, select it, and click Edit.
The Edit Device Login Profile dialog box appears.
Step 9
Edit the username used to log in to the blocking device in the Username field.
Step 10
Select Change the login password to change the login password.
Step 11
Type the new login password in the New Password field and retype it in the Confirm New Password field.
Step 12
Select the Change the enable password to change the enable password.
Step 13
Type the new enable password in the New Password field and retype it in the Confirm New Password field.
Tip
To discard your changes and close the Edit Device Login Profile dialog box, click Cancel.
Step 14
Click OK.
The edited device login profile appears in the list on the Device Login Profile panel.
Step 15
To delete a device login profile from the list, select it, and click Delete.
The device login profile no longer appears in the list on the Device Login Profile panel.
Tip
To discard your changes, click Reset.
Step 16
Click Apply to apply your changes and save the revised configuration.
Configuring Blocking Devices
This section describes how to configure blocking devices, and contains the following topics:
•
Overview
•
Supported User Role
•
Field Definitions
•
Configuring Blocking Devices
Overview
Use the Blocking Devices panel to configure the devices that the sensor uses to implement blocking.
You can configure your sensor to block an attack by generating ACL rules for deployment to a Cisco IOS router, or a Catalyst 6500 switch, or by generating shun rules on a PIX Firewall or ASA. The router, switch, or firewall is called a blocking device.
Caution
A single sensor can manage multiple devices but multiple sensors cannot manage a single device. For that you must use a master blocking sensor. For the procedure for setting up a master blocking sensor, see Configuring the Master Blocking Sensor.
You must specify a device login profile for each device that the sensor manages before you can configure the devices on the Blocking Devices panel.
Supported User Role
The following user roles are supported:
•
Administrator
•
Operator
•
Viewer
You must be Administrator or Operator to configure blocking devices.
Field Definitions
The following fields and buttons are found on the Blocking Devices panel and the Add/Edit Blocking Device dialog boxes.
Field Descriptions:
•
IP Address—IP address of the blocking device.
•
Sensor's NAT Address—NAT address of the sensor.
•
Device Login Profile—Device login profile used to log in to the blocking device.
•
Device Type—Type of device (Cisco Router, Cat 6K, PIX/ASA).
The default is Cisco Router.
•
Communication—Communication mechanism used to log in to the blocking device (SSH 3DES, SSH DES, Telnet).
The default is SSH 3DES.
Button Functions:
•
Add—Opens the Add Blocking Device dialog box.
From this dialog box, you can add a blocking device.
You receive an error message if the IP address already exists.
•
Edit—Opens the Edit Blocking Device box.
From this dialog box, you can change the values associated with this blocking device.
•
Delete—Removes this blocking device from the list of blocking devices.
You receive an error message if you try to delete a blocking device that is being used.
•
Apply—Applies your changes and saves the revised configuration.
•
Reset—Refreshes the panel by replacing any edits you made with the previously configured value.
The following fields and buttons are found in the Add/Edit Blocking Device dialog boxes.
Field Descriptions:
•
IP Address—IP address of the blocking device.
•
Sensor's NAT Address—NAT address of the sensor.
•
Device Login Profile—Device login profile used to log in to the blocking device.
•
Device Type—Type of device (Cisco Router, Cat 6K, PIX/ASA).
The default is Cisco Router.
•
Communication—Communication mechanism used to log in to the blocking device (SSH 3DES, SSH DES, Telnet).
The default is SSH 3DES.
Button Functions:
•
OK—Accepts your changes and closes the dialog box.
•
Cancel—Discards your changes and closes the dialog box.
•
Help—Displays the help topic for this feature.
Configuring Blocking Devices
To configure blocking devices, follow these steps:
Step 1
Click Configuration > Blocking > Blocking Devices.
The Blocking Devices panel appears.
Step 2
Click Add to add a blocking device.
You receive an error message if you have not configured the device login profile. For the procedure, see Configuring Device Login Profiles.
The Add Blocking Device dialog box appears.
Step 3
Type the IP address of the blocking device in the IP Address field.
Step 4
(Optional) Type the sensor's NAT address in the Sensor's NAT Address field.
Step 5
Select the device login profile from the Device Login Profile drop-down list.
Step 6
Select the device type from the Device Type drop-down list.
Step 7
Select the communication type from the Communication drop-down list.
If you select SSH 3DES or SSH DES, go to Step 9.
Tip
To discard your changes and close the Add Blocking Device dialog box, click Cancel.
Step 8
Click OK.
You receive an error message if the IP address has already been added.
The new device appears in the list on the Blocking Devices panel.
Step 9
If you select SSH 3DES or SSH DES, you must add the host to the known hosts list:
Note
If you select SSH 3DES or SSH DES, the blocking device must have a feature set or license that supports the desired 3DES/DES encryption.
Note
You can also add the host to the known hosts list on the Configuration > SSH > Known Host Keys > Add Known Host Key dialog box. For the procedure, see Defining Known Host Keys.
a. Telnet to your sensor and log in to the CLI.
b. Enter global configuration mode:
sensor# configure terminal
c. Obtain the public key:
sensor(config)# ssh host-key blocking_device_ip_address
d. You are prompted to confirm adding the public key to the known hosts list:
Would you like to add this to the trusted certificate table for this host?[yes]:
e. Type yes.
f. Exit global configuration mode and the CLI:
Step 10
To edit an existing entry in the blocking devices list, select it, and click Edit.
The Edit Blocking Device dialog box appears.
Step 11
Edit the sensor's NAT address.
Step 12
Change the device login profile.
Step 13
Change the communication type.
Tip
To discard your changes and close the Edit Blocking Device dialog box, click Cancel.
Step 14
Click OK.
The edited blocking device appears in the list on the Blocking Device panel.
Step 15
To delete a blocking device from the list, select it, and click Delete.
The blocking device no longer appears in the list on the Blocking Device panel.
Tip
To discard your changes, click Reset.
Step 16
Click Apply to apply your changes and save the revised configuration.
Configuring Router Blocking Device Interfaces
This section describes how to configure the router interfaces, and contains the following topics:
• About ACLs
• Overview
• Supported User Role
• Field Definitions
• Configuring the Router Blocking Device Interfaces
About ACLs
Network Access Controller uses ACLs on Cisco routers and switches to manage those devices. These ACLs are built as follows:
1. A permit line with the sensor's IP address or, if specified, the NAT address of the sensor
Note
If you permit the sensor to be blocked, this line does not appear in the ACL.
2. Pre-Block ACL (if specified)
This ACL must already exist on the device.
Note
Network Access Controller reads the lines in the ACL and copies these lines to the beginning of the ACL.
3. Any active blocks
4. Either:
– Post-Block ACL (if specified)
This ACL must already exist on the device.
Note
Network Access Controller reads the lines in the ACL and copies these lines to the end of the ACL.
Note
Make sure the last line in the ACL is permit ip any any if you want all unmatched packets to be permitted.
– permit ip any any (not used if a Post-Block ACL is specified)
Network Access Controller uses two ACLs to manage devices. Only one is active at any one time. It uses the offline ACL name to build the new ACL, then applies it to the interface. Network Access Controller then reverses the process on the next cycle.
Note
The ACLs that NAC creates are not removed from the managed device after you configure NAC to no longer manage that device. You must remove the ACLs manually on any device that NAC formerly managed.
If you need to modify the Pre-Block or Post-Block ACL, do the following:
1. Disable blocking on the sensor.
2. Make the changes to the device's configuration.
3. Reenable blocking on the sensor.
When blocking is reenabled, the sensor reads the new device configuration. For the procedure, see Configuring Blocking Properties.
Caution
A single sensor can manage multiple devices, but you cannot use multiple sensors to control a single device. In this case, use a master blocking sensor. For the procedure, see Configuring the Master Blocking Sensor.
Overview
You must configure the blocking interfaces on the router and specify the direction of traffic you want blocked on the Router Blocking Device Interfaces panel.
You create and save Pre-Block and Post-Block ACLs in your router configuration. These ACLs must be extended IP ACLs, either named or numbered. See your router documentation for more information on creating ACLs.
Enter the names of these ACLs that are already configured on your router in the Pre-Block ACL and Post-Block ACL fields.
The Pre-Block ACL is mainly used for permitting what you do not want the sensor to ever block. When a packet is checked against the ACL, the first line that gets matched determines the action. If the first line matched is a permit line from the Pre-Block ACL, the packet is permitted even though there may be a deny line (from an automatic block) listed later in the ACL. The Pre-Block ACL can override the deny lines resulting from the blocks.
The Post-Block ACL is best used for additional blocking or permitting that you want to occur on the same interface or direction. If you have an existing ACL on the interface or direction that the sensor will manage, that existing ACL can be used as a Post-Block ACL. If you do not have a Post-Block ACL, the sensor inserts a permit ip any any at the end of the new ACL.
When the sensor starts up, it reads the contents of the two ACLs. It creates a third ACL with the following entries:
• A permit line for the IP address of the sensor
• Copies of all configuration lines of the Pre-Block ACL
• A deny line for each address being blocked by the sensor
• Copies of all configuration lines of the Post-Block ACL
The sensor applies the new ACL to the interface and direction that you designate.
Note
When the new ACL is applied to an interface or direction of the router, it removes the application of any other ACL to that interface or direction.
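To make the ACL layout described in About ACLs and in this Overview concrete, the following Python is an added example, not Cisco's code and not the exact text Network Access Controller generates. It builds the entry list in the order given above (the sensor's permit line, or its NAT address, omitted only when the sensor may be blocked; the Pre-Block lines; one deny per active block; then the Post-Block lines or permit ip any any), renders it as IOS extended ACL commands, alternates between two ACL names so one stays applied while the other is rebuilt, and evaluates a packet top down to show a Pre-Block permit overriding a later deny. Names such as Entry, build_acl, InterfaceAcl and the ACL names IDS_ACL_0/IDS_ACL_1 are assumptions, the addresses are constructed sample data, and rendering a connection block as a tcp deny to the destination port is also an assumption of the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Entry:
    action: str                          # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network = ANY
    port: Optional[int] = None           # destination port; None means protocol ip


def net(text):
    return ipaddress.ip_network(text, strict=False)


def entry_from_block(block):
    """One deny line per active block, given as (kind, source, dest, port)."""
    kind, source, dest, port = block
    if kind == "connection":
        # assumption of this example: a connection block becomes a tcp deny
        return Entry("deny", net(source), net(dest), port)
    return Entry("deny", net(source))    # host (/32) or network block


def build_acl(sensor_ip, blocks, pre_block=(), post_block=(),
              allow_sensor_block=False, nat_address=None):
    entries = []
    if not allow_sensor_block:           # 1. permit the sensor (or its NAT address)
        entries.append(Entry("permit", net(nat_address or sensor_ip)))
    entries.extend(pre_block)            # 2. Pre-Block ACL, copied as-is
    entries.extend(entry_from_block(b) for b in blocks)     # 3. active blocks
    entries.extend(post_block or [Entry("permit", ANY)])    # 4. Post-Block or permit any
    return entries


def render_addr(n):
    if n.prefixlen == 32:
        return f"host {n.network_address}"
    if n.prefixlen == 0:
        return "any"
    return f"{n.network_address} {n.hostmask}"              # IOS wildcard mask


def render(name, entries):
    """Rendered as IOS 'ip access-list extended' commands."""
    lines = [f"ip access-list extended {name}"]
    for e in entries:
        proto = "ip" if e.port is None else "tcp"
        line = f" {e.action} {proto} {render_addr(e.src)} {render_addr(e.dst)}"
        if e.port is not None:
            line += f" eq {e.port}"
        lines.append(line)
    return lines


def first_match(entries, src, dst, port=None):
    """IOS evaluates an ACL top down; the first matching line decides."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in entries:
        if s in e.src and d in e.dst and (e.port is None or e.port == port):
            return e.action
    return "deny"                        # implicit deny at the end of every ACL


class InterfaceAcl:
    """Two ACL names per interface/direction: one applied, the other rebuilt."""

    def __init__(self, interface, direction, names=("IDS_ACL_0", "IDS_ACL_1")):
        self.interface, self.direction, self.names = interface, direction, names
        self.active = None

    def refresh(self, entries):
        offline = self.names[0] if self.active != self.names[0] else self.names[1]
        cmds = render(offline, entries)
        cmds += [f"interface {self.interface}",
                 f" ip access-group {offline} {self.direction}"]
        self.active = offline            # applying it replaces the previous ACL
        return cmds


def demo():
    pre = [Entry("permit", net("192.0.2.0/24"))]   # trusted subnet, constructed
    blocks = [("host", "192.0.2.7", None, None),
              ("network", "198.51.100.64/26", None, None),
              ("connection", "203.0.113.9", "192.0.2.10", 80)]
    acl = build_acl("172.16.0.2", blocks, pre_block=pre)
    iface = InterfaceAcl("GigabitEthernet0/1", "in")
    first = iface.refresh(acl)
    second = iface.refresh(build_acl("172.16.0.2", blocks[1:], pre_block=pre))
    return {
        "lines": first,
        "pre_block_overrides": first_match(acl, "192.0.2.7", "10.1.1.1"),
        "without_pre_block": first_match(build_acl("172.16.0.2", blocks),
                                         "192.0.2.7", "10.1.1.1"),
        "connection_port": first_match(acl, "203.0.113.9", "192.0.2.10", 80),
        "other_port": first_match(acl, "203.0.113.9", "192.0.2.10", 443),
        "applied": (first[-1], second[-1]),
    }


if __name__ == "__main__":
    print("\n".join(demo()["lines"]))
```

The first_match check is the point of the Pre-Block ACL: because the trusted subnet's permit line sits above the deny for 192.0.2.7, that host is still permitted, whereas the same ACL built without the Pre-Block entries denies it. The alternating names show why the chapter says the ACLs stay on the device after the sensor stops managing it: each refresh only overwrites the offline name and re-applies it.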
Supported User Role
The following user roles are supported:
•
Administrator
•
Operator
•
Viewer
You must be Administrator or Operator to configure the router blocking device interfaces.
Field Definitions
This section lists the field definitions for router interfaces, and contains the following topics:
•
Router Blocking Device Interfaces Panel
•
Add and Edit Router Blocking Device Interface Dialog Boxes
Router Blocking Device Interfaces Panel
The following fields and buttons are found on the Router Blocking Device Interfaces panel.
Field Descriptions:
•
Router Blocking Device—IP address of the router blocking device.
•
Blocking Interface—Interface to be used on the router blocking device.
A valid value is 1 to 64 characters in the format a-z, A-Z, 0-9 and the special characters "." and "/".
•
Direction—Direction to apply the blocking ACL.
A valid value is In or Out.
•
Pre-Block ACL—ACL to apply before the blocking ACL.
A valid value is 0 to 64 characters.
•
Post-Block ACL—ACL to apply after the blocking ACL.
A valid value is 0 to 64 characters.
Note
The Post-Block ACL cannot be the same as the Pre-Block ACL.
Button Functions:
•
Add—Opens the Add Router Blocking Device Interface dialog box.
From this dialog box, you can add a router blocking device interface.
You receive an error message if there are no router blocking devices.
•
Edit—Opens the Edit Router Blocking Device Interface box.
From this dialog box, you can change the values associated with this router blocking device interface.
•
Delete—Removes this router blocking device interface from the list of router blocking device interfaces.
•
Apply—Applies your changes and saves the revised configuration.
•
Reset—Refreshes the panel by replacing any edits you made with the previously configured value.
Add and Edit Router Blocking Device Interface Dialog Boxes
The following fields and buttons are found in the Add and Edit Router Blocking Device Interface dialog boxes.
Field Descriptions:
•
Router Blocking Device—IP address of the router blocking device.
•
Blocking Interface—Interface to be used on the router blocking device.
A valid value is 1 to 64 characters in the format a-z, A-Z, 0-9 and the special characters "." and "/".
•
Direction—Direction to apply the blocking ACL.
A valid value is In or Out.
•
Pre-Block ACL—ACL to apply before the blocking ACL.
A valid value is 0 to 64 characters.
•
Post-Block ACL—ACL to apply after the blocking ACL.
A valid value is 0 to 64 characters.
Note
The Post-Block ACL cannot be the same as the Pre-Block ACL.
Button Functions:
•
OK—Accepts your changes and closes the dialog box.
•
Cancel—Discards your changes and closes the dialog box.
•
Help—Displays the help topic for this feature.
Configuring the Router Blocking Device Interfaces
To configure router blocking device interfaces, follow these steps:
Step 1
Click Configuration > Blocking > Router Blocking Device Interfaces.
The Router Blocking Device Interfaces panel appears.
Step 2
Click Add to add a router blocking device interface.
The Add Router Blocking Device Interface dialog box appears.
Step 3
Select the IP address of the router blocking device from the drop-down list.
Step 4
Type the blocking interface name in the Blocking Interface field.
Step 5
Select the direction (in or out) from the Direction drop-down list.
Step 6
(Optional) Enter the name of the Pre-Block ACL in the Pre-Block ACL field.
Step 7
(Optional) Enter the name of the Post-Block ACL in the Post-Block ACL field.
Tip
To discard your changes and close the Add Router Blocking Device Interface dialog box, click Cancel.
Step 8
Click OK.
You receive an error message if the IP address/interface/direction combination already exists.
The new interface appears in the list on the Router Blocking Device Interfaces panel.
Step 9
To edit an existing entry in the router blocking device interfaces list, select it, and click Edit.
The Edit Router Blocking Device Interface dialog box appears.
Step 10
Edit the blocking interface name.
Step 11
Change the direction.
Step 12
Edit the Pre-Block ACL name.
Step 13
Edit the Post-Block ACL name.
Tip
To discard your changes and close the Edit Router Blocking Device Interface dialog box, click Cancel.
Step 14
Click OK.
The edited router blocking device interface appears in the list on the Router Blocking Device Interfaces panel.
Step 15
To delete a router blocking device interface from the list, select it, and click Delete.
The router blocking device interface no longer appears in the list on the Router Blocking Device Interfaces panel.
Tip
To discard your changes, click Reset.
Step 16
Click Apply to apply your changes and save the revised configuration.
Configuring Cat 6K Blocking Device Interfaces
This section describes how to configure Catalyst 6500 series switch interfaces, and contains the following topics:
•
Overview
•
Supported User Role
•
Field Definitions
•
Configuring Cat 6K Blocking Device Interfaces
Overview
You specify the VLAN ID and VACLs on the blocking Catalyst 6500 series switch on the Cat 6K Blocking Device Interfaces panel.
You can configure Network Access Controller to block using VACLs on the switch itself when running Cisco Catalyst software, or to block using router ACLs on the MSFC or on the switch itself when running Cisco IOS software. This section describes blocking using VACLs. For blocking using the router ACLs, see Configuring the Master Blocking Sensor.
You must configure the blocking interfaces on the Catalyst 6500 series switch and specify the VLAN of traffic you want blocked.
You create and save Pre-Block and Post-Block VACLs in your switch configuration. These VACLs must be extended IP VACLs, either named or numbered. See your switch documentation for more information on creating VACLs.
Enter the names of these VACLs that are already configured on your switch in the Pre-Block VACL and Post-Block VACL fields.
The Pre-Block VACL is used mainly for permitting what you do not want the sensor to ever block. When a packet is checked against the VACL, the first line that gets matched determines the action. If the first line matched is a permit line from the Pre-Block VACL, the packet is permitted even though there may be a deny line (from an automatic block) listed later in the VACL. The Pre-Block VACL can override the deny lines resulting from the blocks.
The Post-Block VACL is best used for additional blocking or permitting that you want to occur on the same VLAN. If you have an existing VACL on the VLAN that the sensor will manage, the existing VACL can be used as a Post-Block VACL. If you do not have a Post-Block VACL, the sensor inserts a permit ip any any at the end of the new VACL.
Note
The IDSM-2 inserts a permit ip any any capture at the end of the new VACL.
When the sensor starts up, it reads the contents of the two VACLs. It creates a third VACL with the following entries:
•
A permit line for the sensor's IP address
•
Copies of all configuration lines of the Pre-Block VACL
•
A deny line for each address being blocked by the sensor
•
Copies of all configuration lines of the Post-Block VACL
The sensor applies the new VACL to the VLAN that you designate.
Note
When the new VACL is applied to a VLAN of the switch, it removes the application of any other VACL to that VLAN.
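The following Python model is an added example, not code from the Cisco documentation or from the sensor software. It assembles the merged VACL in the four-part order described above (sensor permit, Pre-Block lines, one deny per blocked host, Post-Block lines or the default permit ip any any) and evaluates packets with first-match semantics, which is what lets a Pre-Block permit override a later block deny. The same ordering applies to the Pre-Block and Post-Block ACLs of a router blocking device interface. The entry format, the sample addresses and the implicit deny when nothing matches are modelling assumptions.

```python
# Added example (not from the Cisco documentation or the sensor): a model of the
# VACL the sensor assembles for the blocking VLAN and of first-match evaluation.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AclEntry:
    action: str       # "permit" or "deny"
    source: str       # source prefix in CIDR notation, or "any"
    origin: str = ""  # which part of the merged VACL the line came from

    def matches(self, src_ip: str) -> bool:
        """True if the packet's source address falls inside this entry's prefix."""
        if self.source == "any":
            return True
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.source, strict=False)


def build_blocking_vacl(sensor_ip: str,
                        pre_block: List[AclEntry],
                        blocked_hosts: List[str],
                        post_block: Optional[List[AclEntry]]) -> List[AclEntry]:
    """Assemble the four parts in the order the sensor applies them:
    sensor permit, Pre-Block lines, one deny per blocked host, Post-Block lines."""
    vacl = [AclEntry("permit", f"{sensor_ip}/32", "sensor")]
    vacl += [AclEntry(e.action, e.source, "pre-block") for e in pre_block]
    vacl += [AclEntry("deny", f"{host}/32", "block") for host in blocked_hosts]
    if post_block:
        vacl += [AclEntry(e.action, e.source, "post-block") for e in post_block]
    else:
        # No Post-Block VACL configured: the sensor appends permit ip any any.
        vacl.append(AclEntry("permit", "any", "default-permit"))
    return vacl


def evaluate(vacl: List[AclEntry], src_ip: str) -> Tuple[str, str]:
    """First-match semantics: the first line that matches decides the action.
    Assumption: a packet that matches nothing is denied (no trailing permit)."""
    for entry in vacl:
        if entry.matches(src_ip):
            return entry.action, entry.origin
    return "deny", "implicit"


def render(vacl: List[AclEntry]) -> List[str]:
    """Render the entries roughly the way they would read in a switch config."""
    return [f"{e.action} ip {e.source} any  ! {e.origin}" for e in vacl]


# Constructed sample data (not from the page): a sensor, a Pre-Block VACL that
# protects an internal DNS subnet, and two hosts the sensor has decided to block.
SENSOR_IP = "10.0.0.5"
PRE_BLOCK = [AclEntry("permit", "192.168.10.0/24")]
BLOCKED = ["192.168.10.7", "203.0.113.9"]

# Case 1: no Post-Block VACL, so the sensor adds permit ip any any at the end.
VACL_DEFAULT = build_blocking_vacl(SENSOR_IP, PRE_BLOCK, BLOCKED, None)

# Case 2: an existing VACL on the VLAN reused as the Post-Block VACL.
POST_BLOCK = [AclEntry("deny", "198.51.100.0/24"), AclEntry("permit", "any")]
VACL_WITH_POST = build_blocking_vacl(SENSOR_IP, PRE_BLOCK, BLOCKED, POST_BLOCK)

if __name__ == "__main__":
    for line in render(VACL_DEFAULT):
        print(line)
    # 192.168.10.7 is on the block list, but the Pre-Block permit matches first.
    print(evaluate(VACL_DEFAULT, "192.168.10.7"))    # ('permit', 'pre-block')
    print(evaluate(VACL_DEFAULT, "203.0.113.9"))     # ('deny', 'block')
    print(evaluate(VACL_WITH_POST, "198.51.100.1"))  # ('deny', 'post-block')
```

The point to check when reviewing a Pre-Block VACL is exactly the first case above: any permit line in it takes precedence over every block the sensor later inserts, so it should list only the addresses you genuinely never want blocked.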
Supported User Role
The following user roles are supported:
•
Administrator
•
Operator
•
Viewer
You must be Administrator or Operator to configure the Catalyst 6500 series switches blocking device interfaces.
Field Definitions
This section lists the field definitions for the Catalyst 6500 series switch interfaces, and contains the following topics:
•
Cat 6K Blocking Device Interfaces Panel
•
Add and Edit Cat 6K Blocking Device Interface Dialog Boxes
Cat 6K Blocking Device Interfaces Panel
The following fields and buttons are found on the Cat 6K Blocking Device Interfaces panel.
Field Descriptions:
•
Cat 6K Blocking Device—IP address of the Catalyst 6500 series switch blocking device.
•
VLAN ID—VLAN ID to be used on the Catalyst 6500 series switch blocking device.
The value is 1 to 65535.
•
Pre-Block VACL—VACL to apply before the blocking VACL.
The value is 0 to 64 characters.
•
Post-Block VACL—VACL to apply after the blocking VACL.
The value is 0 to 64 characters.
Note
The Post-Block VACL cannot be the same as the Pre-Block VACL.
Button Functions:
•
Add—Opens the Add Cat 6K Blocking Device Interface dialog box.
From this dialog box, you can add a Catalyst 6500 series switch blocking device interface.
You receive an error if there are no Catalyst 6500 series switches.
•
Edit—Opens the Edit Cat 6K Blocking Device Interface dialog box.
From this dialog box, you can change the values associated with this Catalyst 6500 series switch blocking device interface.
•
Delete—Removes this switch interface from the list of switch blocking device interfaces.
•
Apply—Applies your changes and saves the revised configuration.
•
Reset—Refreshes the panel by replacing any edits you made with the previously configured value.
Add and Edit Cat 6K Blocking Device Interface Dialog Boxes
The following fields and buttons are found in the Add and Edit Cat 6K Blocking Device Interface dialog boxes.
Field Descriptions:
•
Cat 6K Blocking Device—IP address of the Catalyst 6500 series switch blocking device.
•
VLAN ID—VLAN ID to be used on the Catalyst 6500 series switch blocking device.
The value is 1 to 65535.
•
Pre-Block VACL—VACL to apply before the blocking VACL.
The value is 0 to 64 characters.
•
Post-Block VACL—VACL to apply after the blocking VACL.
The value is 0 to 64 characters.
Note
The Post-Block VACL cannot be the same as the Pre-Block VACL.
Button Functions:
•
OK—Accepts your changes and closes the dialog box.
•
Cancel—Discards your changes and closes the dialog box.
•
Help—Displays the help topic for this feature.
Configuring Cat 6K Blocking Device Interfaces
To configure Catalyst 6500 series switch blocking device interfaces, follow these steps:
Step 1
Click Configuration > Blocking > Cat 6K Blocking Device Interfaces.
The Cat 6K Blocking Device Interfaces panel appears.
Step 2
Click Add to add a Catalyst 6500 series switch blocking device interface.
The Add Cat 6K Blocking Device Interface dialog box appears.
Step 3
Select the IP address of the Catalyst 6500 series switch from the drop-down list.
Step 4
Enter the VLAN ID in the VLAN ID field.
Step 5
(Optional) Enter the name of the Pre-Block VACL in the Pre-Block VACL field.
Step 6
(Optional) Enter the name of the Post-Block VACL in the Post-Block VACL field.
Tip
To discard your changes and close the Add Cat 6K Blocking Device Interface dialog box, click Cancel.
Step 7
Click OK.
You receive an error message if the IP address/VLAN combination already exists.
The new interface appears in the list on the Cat 6K Blocking Device Interfaces panel.
Step 8
To edit an existing entry in the Catalyst 6500 series switch blocking device interfaces list, select it, and click Edit.
The Edit Cat 6K Blocking Device Interface dialog box appears.
Step 9
Edit the VLAN ID.
Step 10
Edit the Pre-Block VACL name.
Step 11
Edit the Post-Block VACL name.
Tip
To discard your changes and close the Edit Cat 6K Blocking Device Interface dialog box, click Cancel.
Step 12
Click OK.
The edited Catalyst 6500 series switch blocking device interface appears in the list on the Cat 6K Blocking Device Interfaces panel.
Step 13
To delete a Catalyst 6500 series switch blocking device interface from the list, select it, and click Delete.
The Catalyst 6500 series switch blocking device interface no longer appears in the list on the Cat 6K Blocking Device Interfaces panel.
Tip
To discard your changes, click Reset.
Step 14
Click Apply to apply your changes and save the revised configuration.
Configuring the Master Blocking Sensor
This section describes how to configure the sensor to be a master blocking sensor, and contains the following topics:
•
Overview
•
Supported User Role
•
Field Definitions
•
Configuring the Master Blocking Sensor
Overview
You specify the master blocking sensor that is used to configure the blocking devices on the Master Blocking Sensor panel.
Multiple sensors (blocking forwarding sensors) can forward blocking requests to a specified master blocking sensor, which controls one or more devices. The master blocking sensor is the Network Access Controller running on a sensor that controls blocking on one or more devices on behalf of one or more other sensors. The Network Access Controller on a master blocking sensor controls blocking on devices at the request of the Network Access Controllers running on other sensors.
On the blocking forwarding sensor, identify which remote host serves as the master blocking sensor; on the master blocking sensor you must add the blocking forwarding sensors to its access list.
If the master blocking sensor requires TLS for web connections, you must configure the Network Access Controller of the blocking forwarding sensor to accept the X.509 certificate of the master blocking sensor remote host. Sensors by default have TLS enabled, but you can change this option.
Note
Typically the master blocking sensor is configured to manage the network devices. Blocking forwarding sensors are not normally configured to manage other network devices, although doing so is permissible.
Caution
Only one sensor should control all blocking interfaces on a device.
Supported User Role
The following user roles are supported:
•
Administrator
•
Operator
•
Viewer
You must be Administrator or Operator to configure the master blocking sensor.
Field Definitions
This section lists the field definitions for the master blocking sensor, and contains the following topics:
•
Master Blocking Sensor Panel
•
Add and Edit Master Blocking Sensor Dialog Boxes
Master Blocking Sensor Panel
The following fields and buttons are found on the Master Blocking Sensor panel.
Field Descriptions:
•
IP Address—IP address of the master blocking sensor.
•
Port—Port on which to connect to the master blocking sensor.
The default is 443.
•
Username—Username used to log in to the master blocking sensor.
A valid value is 1 to 64 characters.
•
TLS Used—Whether or not TLS is being used.
Button Functions:
•
Add—Opens the Add Master Blocking Sensor dialog box.
From this dialog box, you can add a master blocking sensor.
•
Edit—Opens the Edit Master Blocking Sensor dialog box.
From this dialog box, you can change the values associated with this master blocking sensor.
•
Delete—Removes this master blocking sensor from the list of master blocking sensors.
•
Apply—Applies your changes and saves the revised configuration.
•
Reset—Refreshes the panel by replacing any edits you made with the previously configured value.
Add and Edit Master Blocking Sensor Dialog Boxes
The following fields and buttons are found in the Add and Edit Master Blocking Sensor dialog boxes.
Field Descriptions:
•
IP Address—IP address of the master blocking sensor.
•
Port—Port on which to connect to the master blocking sensor.
The default is 443.
•
Username—Username used to log in to the master blocking sensor.
A valid value is 1 to 64 characters.
•
TLS Used—Whether or not TLS is being used.
Button Functions:
•
OK—Accepts your changes and closes the dialog box.
•
Cancel—Discards your changes and closes the dialog box.
•
Help—Displays the help topic for this feature.
Configuring the Master Blocking Sensor
To configure the master blocking sensor, follow these steps:
Step 1
Click Configuration > Blocking > Master Blocking Sensor.
The Master Blocking Sensor panel appears.
Step 2
Click Add to add a master blocking sensor.
The Add Master Blocking Sensor dialog box appears.
Step 3
Type the IP address of the master blocking sensor in the IP Address field.
Step 4
(Optional) Enter the port number in the Port field.
The default is 443.
Step 5
Type the username in the Username field.
Step 6
Type the password for the user in the Password field.
Step 7
Retype the password in the Confirm Password field.
Step 8
Select the TLS check box.
Tip
To discard your changes and close the Add Master Blocking Sensor dialog box, click Cancel.
Step 9
Click OK.
You receive an error message if the IP address has already been added.
The new master blocking sensor appears in the list on the Master Blocking Sensor panel.
Step 10
If you selected TLS, configure the Network Access Controller of the blocking forwarding sensor to accept the TLS/SSL X.509 certificate of the master blocking sensor remote host:
Note
You can also configure the blocking forwarding sensor to accept the X.509 certificate by clicking Configuration > Certificates > Trusted Hosts > Add Trusted Host. For the procedure, see Adding Trusted Hosts.
a.
Log in to the blocking forwarding sensor's CLI using an account with Administrator privileges.
b.
Enter global configuration mode:
sensor# configure terminal
c.
Add the trusted host:
sensor(config)# tls trusted-host ip-address master_blocking_sensor_ip_address
You are prompted to confirm adding the trusted host:
Would you like to add this to the trusted certificate table for this host?[yes]:
d.
Enter yes to add the host.
e.
Exit global configuration mode and the CLI:
Note
You are prompted to accept the certificate based on the certificate's fingerprint. Sensors provide only self-signed certificates (instead of certificates signed by a recognized certificate authority). You can verify the host sensor certificate of the master blocking sensor by logging in to the host sensor and entering the show tls fingerprint command to see that the host certificate's fingerprints match.
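The fingerprint comparison described in the note above, as an added Python example that is not part of the Cisco documentation or the sensor software. It models the trusted certificate table as a per-host pin: a certificate is pinned only when the operator confirms that the fingerprint shown at the prompt equals the one read with show tls fingerprint on the master blocking sensor itself, and a known host that later presents a different certificate is reported as a mismatch rather than silently accepted. The certificate bytes, IP addresses, the confirm callback and the state names are constructed assumptions.

```python
# Added example (not from the Cisco documentation or the sensor): fingerprint
# verification for a self-signed master blocking sensor certificate.
import hashlib
import hmac
import re
from typing import Callable, Dict


def fingerprint(cert_der: bytes, algorithm: str = "sha1") -> str:
    """Colon-separated upper-case hex digest of a DER-encoded certificate,
    the form in which fingerprints are usually displayed."""
    digest = hashlib.new(algorithm, cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Strip separators and case so a fingerprint copied from another screen compares cleanly."""
    return re.sub(r"[^0-9A-F]", "", fp.upper())


def fingerprints_match(presented: str, expected: str) -> bool:
    """Constant-time comparison of two fingerprints in any separator/case style."""
    a, b = normalize(presented), normalize(expected)
    return len(a) == len(b) and hmac.compare_digest(a, b)


class TrustedHostTable:
    """Models the sensor's trusted certificate table: one pinned fingerprint per host."""

    def __init__(self) -> None:
        self.pinned: Dict[str, str] = {}

    def add_trusted_host(self, ip: str, cert_der: bytes,
                         confirm: Callable[[str], bool]) -> bool:
        """Pin the presented certificate only if the operator confirms its fingerprint
        (the 'Would you like to add this ...?' prompt). Returns True when pinned."""
        fp = fingerprint(cert_der)
        if ip in self.pinned and not fingerprints_match(fp, self.pinned[ip]):
            # A known host presenting a different certificate is not silently replaced.
            return False
        if not confirm(fp):
            return False
        self.pinned[ip] = fp
        return True

    def check(self, ip: str, cert_der: bytes) -> str:
        """'trusted' if the certificate matches the pin, 'mismatch' if the host is
        known but the certificate changed, 'unknown' if the host was never added."""
        if ip not in self.pinned:
            return "unknown"
        if fingerprints_match(fingerprint(cert_der), self.pinned[ip]):
            return "trusted"
        return "mismatch"


def confirm_against_reference(reference_fp: str) -> Callable[[str], bool]:
    """Operator check: answer yes only if the prompt's fingerprint equals the one
    obtained out of band with show tls fingerprint on the master blocking sensor."""
    return lambda shown: fingerprints_match(shown, reference_fp)


# Constructed placeholders, not real certificates or addresses from the page.
MBS_IP = "10.0.0.10"
MBS_CERT = b"constructed DER bytes of the master blocking sensor certificate"
ROGUE_CERT = b"constructed DER bytes of some other certificate"


def demo() -> Dict[str, object]:
    """Walk through a correct pin, a refused replacement and the three check states."""
    table = TrustedHostTable()
    reference = fingerprint(MBS_CERT)  # what show tls fingerprint would display
    return {
        "pinned": table.add_trusted_host(MBS_IP, MBS_CERT, confirm_against_reference(reference)),
        "rogue_refused": table.add_trusted_host(MBS_IP, ROGUE_CERT, confirm_against_reference(reference)),
        "status_good": table.check(MBS_IP, MBS_CERT),
        "status_rogue": table.check(MBS_IP, ROGUE_CERT),
        "status_unknown": table.check("10.0.0.11", MBS_CERT),
    }


if __name__ == "__main__":
    print(fingerprint(MBS_CERT))
    print(demo())
```

Because the sensors use self-signed certificates, this out-of-band comparison at the time the host is first trusted is the only check that ties the pinned certificate to the real master blocking sensor; the check method is what a later connection would rely on.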
Step 11
To edit an existing entry in the master blocking sensor list, select it, and click Edit.
The Edit Master Blocking Sensor dialog box appears.
Step 12
(Optional) Edit the port.
Step 13
Edit the username.
Step 14
Select Change the password if you want to change the password for this user.
a.
Type the new password in the New Password field.
b.
Confirm the new password in the Confirm Password field.
Step 15
Select or clear the TLS check box.
Tip
To discard your changes and close the Edit Master Blocking Sensor dialog box, click Cancel.
Step 16
Click OK.
The edited master blocking sensor appears in the list on the Master Blocking Sensor panel.
Step 17
To delete a master blocking sensor from the list, select it, and click Delete.
The master blocking sensor no longer appears in the list on the Master Blocking Sensor panel.
Tip
To discard your changes, click Reset.
Step 18
Click Apply to apply your changes and save the revised configuration.
Configuring Active Host Blocks
This section describes how to configure active host blocks, and contains the following topics:
•
Overview
•
Supported User Role
•
Field Definitions
•
Configuring Active Host Blocks
Overview
Use the Active Host Blocks panel to configure blocking of hosts.
An active host block denies traffic from a specific host permanently (until you remove the block) or for a specified amount of time. You can base the block on a connection by specifying the destination IP address and the destination protocol and port.
An active host block is defined by its source IP address. If you add a block with the same source IP address as an existing block, the new block overwrites the old block.
If you specify an amount of time for the block, the value must be in the range of 1 to 70560 minutes (49 days). If you do not specify a time, the host block remains in effect until the sensor is rebooted or the block is deleted.
Supported User Role
The following user roles are supported:
•
Administrator
•
Operator
•
Viewer
You must be Administrator or Operator to configure active host blocks.
Field Definitions
This section lists the field definitions for active host blocks, and contains the following topics:
•
Active Host Blocks Panel
•
Add Active Host Block Dialog Box
Active Host Blocks Panel
The following fields and buttons are found on the Active Host Blocks panel.
Field Descriptions:
•
Source IP—Source IP address for the block.
•
Destination IP—Destination IP address for the block.
•
Destination Port—Destination port for the block.
•
Protocol—Type of protocol (TCP, UDP, or ANY).
The default is ANY.
•
Minutes Remaining—Time remaining for the blocks in minutes.
•
Timeout—Original timeout value for the block in minutes.
A valid value is between 1 and 70560 minutes (49 days).
•
VLAN—Indicates the VLAN that carried the data that fired the signature.
Caution
Even though the VLAN ID is included in the block request, it is not passed to the firewall. Sensors cannot block on FWSM 2.1 or greater when logged in to the admin context.
•
Connection Block Enabled—Whether or not to block the connection for the host.
Button Functions:
•
Add—Opens the Add Active Host Block dialog box.
From this dialog box, you can add a manual block for a host.
•
Delete—Removes this manual block from the list of active host blocks.
•
Refresh—Refreshes the contents of the table.
Add Active Host Block Dialog Box
The following fields and buttons are found in the Add Active Host Block dialog box.
Field Descriptions:
•
Source IP—Source IP address for the block.
•
Enable connection blocking—Whether or not to block the connection for the host.
•
Connection Blocking—Lets you configure parameters for connection blocking:
–
Destination IP—Destination IP address for the block.
–
Destination Port—Destination port for the block.
–
Protocol—Type of protocol (TCP, UDP, or ANY).
The default is ANY. This field is optional.
•
VLAN—Indicates the VLAN that carried the data that fired the signature.
Caution
Even though the VLAN ID is included in the block request, it is not passed to the firewall. Sensors cannot block on FWSM 2.1 or later when logged in to the admin context.
This field is optional.
•
Enable Timeout—Lets you set a timeout value for the block in minutes.
•
Timeout—Number of minutes for the block to last.
A valid value is between 1 and 70560 minutes (49 days).
•
No Timeout—Lets you choose to have no timeout for the block.
Button Functions:
•
Apply—Applies your changes and saves the revised configuration.
•
Cancel—Discards your changes and closes the dialog box.
•
Help—Displays the help topic for this feature.
Configuring Active Host Blocks
To configure active host blocks, follow these steps:
Step 1
Click Monitoring > Active Host Blocks.
The Active Host Blocks panel appears.
Step 2
Click Add to add an active host block.
The Add Active Host Block dialog box appears.
Step 3
Type the source IP address of the host you want blocked.
Step 4
Select the Enable Connection Blocking check box if you want the block to be connection-based.
Note
A connection block blocks traffic from a given source IP address to a given destination IP address and destination port.
a.
Type the destination IP address in the Destination IP field.
b.
(Optional) Type the destination port in the Destination Port field.
c.
Select the protocol from the Protocol drop-down list.
Step 5
(Optional) Type the VLAN for the connection block in the VLAN field.
Step 6
Select the Enable Timeout check box if you want to configure the block for a specified amount of time.
Step 7
Type the amount of time in minutes in the Timeout field.
Tip
To discard your changes and close the Add Active Host Block dialog box, click Cancel.
Step 8
Select the No Timeout check box if you do not want to configure the block for a specified amount of time.
Step 9
Click Apply.
You receive an error message if a block is configured for that IP address.
The new active host block appears in the list on the Active Host Blocks panel.
Step 10
Click Refresh to refresh the contents of the active host blocks list.
Step 11
To delete a block, select an active host block in the list, and click Delete.
The Delete Active Host Block dialog box asks if you are sure you want to delete this block.
Tip
To discard your changes and close the Delete Active Host Block dialog box, click Cancel.
Step 12
Click Yes to delete the block.
Configuring Network Blocks
This section describes how to configure network blocks, and contains the following topics:
•
Overview
•
Supported User Role
•
Field Definitions
•
Configuring Network Blocks
Overview
Use the Network Blocks panel to configure blocking of networks.
A network block denies traffic from a specific network permanently (until you remove the block) or for a specified amount of time.
A network block is defined by its source IP address and netmask. The netmask defines the blocked subnet. A host subnet mask is accepted also.
If you specify an amount of time for the block, the value must be in the range of 1 to 70560 minutes (49 days). If you do not specify a time, the block remains in effect until the sensor is rebooted or the block is deleted.
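The following Python model is an added example, not code from the Cisco documentation or the sensor software; it serves both the Active Host Blocks overview earlier and the Network Blocks overview above. It models the two block tables with the rules the text states: a timeout of 1 to 70560 minutes or none at all, host blocks keyed by source IP so that a new block for the same source replaces the old one, optional connection blocks narrowed to a destination IP, port and protocol, network blocks keyed by IP address and netmask (a host mask yields a single-address network) that refuse a duplicate, and expiry when the timeout elapses. The class and field names, the minute-based clock and the sample addresses are assumptions.

```python
# Added example (not from the Cisco documentation or the sensor): a model of the
# active host block and network block tables and of the timeout/overwrite rules.
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

MAX_TIMEOUT_MINUTES = 70560  # 49 days, the upper bound the text gives


def validate_timeout(minutes: Optional[int]) -> Optional[int]:
    """None means no timeout: the block lasts until deleted or the sensor reboots."""
    if minutes is None:
        return None
    if not 1 <= minutes <= MAX_TIMEOUT_MINUTES:
        raise ValueError(f"timeout must be 1..{MAX_TIMEOUT_MINUTES} minutes, got {minutes}")
    return minutes


@dataclass
class Block:
    timeout: Optional[int]  # original timeout in minutes (the panel's Timeout column)
    created_at: float       # minutes on a constructed clock, so no wall time is needed

    def minutes_remaining(self, now: float) -> Optional[float]:
        """The panel's Minutes Remaining column; None for a block with no timeout."""
        if self.timeout is None:
            return None
        return max(0.0, self.timeout - (now - self.created_at))

    def expired(self, now: float) -> bool:
        remaining = self.minutes_remaining(now)
        return remaining is not None and remaining <= 0


@dataclass
class HostBlock(Block):
    source_ip: str = ""
    dest_ip: Optional[str] = None    # set only for a connection block
    dest_port: Optional[int] = None
    protocol: str = "ANY"            # TCP, UDP or ANY


@dataclass
class NetworkBlock(Block):
    network: Optional[ipaddress.IPv4Network] = None


class BlockTable:
    def __init__(self) -> None:
        self.hosts: Dict[str, HostBlock] = {}
        self.networks: Dict[ipaddress.IPv4Network, NetworkBlock] = {}

    def add_host_block(self, source_ip: str, now: float, timeout: Optional[int] = None,
                       dest_ip: Optional[str] = None, dest_port: Optional[int] = None,
                       protocol: str = "ANY") -> HostBlock:
        key = str(ipaddress.ip_address(source_ip))
        # Host blocks are defined by source IP: a new block for the same source
        # replaces the old one, as the Active Host Blocks overview states.
        self.hosts[key] = HostBlock(validate_timeout(timeout), now, key,
                                    dest_ip, dest_port, protocol.upper())
        return self.hosts[key]

    def add_network_block(self, ip: str, mask: str, now: float,
                          timeout: Optional[int] = None) -> NetworkBlock:
        net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)  # host mask gives a /32
        if net in self.networks:
            raise ValueError(f"a block for {net} has already been added")
        self.networks[net] = NetworkBlock(validate_timeout(timeout), now, net)
        return self.networks[net]

    def expire(self, now: float) -> None:
        """Drop timed-out entries, as the sensor does when a timeout elapses."""
        self.hosts = {k: b for k, b in self.hosts.items() if not b.expired(now)}
        self.networks = {k: b for k, b in self.networks.items() if not b.expired(now)}

    def is_blocked(self, now: float, src_ip: str, dst_ip: Optional[str] = None,
                   dst_port: Optional[int] = None, protocol: str = "ANY") -> Tuple[bool, str]:
        """Decide whether a flow is denied and report which kind of block matched."""
        self.expire(now)
        hb = self.hosts.get(src_ip)
        if hb is not None:
            if hb.dest_ip is None:
                return True, "host"
            if (hb.dest_ip == dst_ip
                    and (hb.dest_port is None or hb.dest_port == dst_port)
                    and (hb.protocol == "ANY" or hb.protocol == protocol.upper())):
                return True, "connection"
        addr = ipaddress.ip_address(src_ip)
        for net in self.networks:
            if addr in net:
                return True, "network"
        return False, ""


def demo() -> Dict[str, object]:
    """Constructed scenario (sample addresses, clock starting at minute 0)."""
    table = BlockTable()
    table.add_host_block("203.0.113.9", now=0, timeout=30)
    table.add_host_block("198.51.100.4", now=0, dest_ip="10.0.0.20", dest_port=443, protocol="tcp")
    table.add_network_block("192.0.2.0", "255.255.255.0", now=0, timeout=120)
    return {
        "remaining_at_10": table.hosts["203.0.113.9"].minutes_remaining(10),
        "blocked_at_10": table.is_blocked(10, "203.0.113.9"),
        "blocked_at_31": table.is_blocked(31, "203.0.113.9"),
        "conn_match": table.is_blocked(10, "198.51.100.4", "10.0.0.20", 443, "TCP"),
        "conn_other_port": table.is_blocked(10, "198.51.100.4", "10.0.0.20", 80, "TCP"),
        "net_match": table.is_blocked(10, "192.0.2.77"),
    }


if __name__ == "__main__":
    print(demo())
```

Two behaviours are worth keeping in mind when reading the table in the panel: a block without a timeout shows no Minutes Remaining and survives until it is deleted or the sensor reboots, and re-adding a host block for a source that is already blocked restarts its timeout with the new value rather than extending the old one.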
Supported User Role
The following user roles are supported:
•
Administrator
•
Operator
•
Viewer
You must be Administrator or Operator to configure network blocks.
Field Definitions
This section lists the field definitions for network blocks, and contains the following topics:
•
Network Blocks Panel
•
Add Network Block Dialog Box
Network Blocks Panel
The following fields and buttons are found on the Network Blocks panel.
Field Descriptions:
•
IP Address—IP address for the block.
•
Mask—Network mask for the block.
•
Minutes Remaining—Time remaining for the blocks in minutes.
•
Timeout—Original timeout value for the block in minutes.
A valid value is between 1 and 70560 minutes (49 days).
Button Functions:
•
Add—Opens the Add Network Block dialog box.
From this dialog box, you can add a block for a network.
•
Delete—Removes this network block from the list of blocks.
•
Refresh—Refreshes the contents of the table.
Add Network Block Dialog Box
The following fields and buttons are found in the Add Network Block dialog box.
Field Descriptions:
•
Source IP—IP address for the block.
•
Netmask—Network mask for the block.
•
Enable Timeout—Indicates a timeout value for the block in minutes.
•
Timeout—Indicates the duration of the block in minutes.
A valid value is between 1 and 70560 minutes (49 days).
•
No Timeout—Lets you choose to have no timeout for the block.
Button Functions:
•
Apply—Sends this block to the sensor immediately.
•
Cancel—Discards your changes and closes the dialog box.
•
Help—Displays the help topic for this feature.
Configuring Network Blocks
To configure network blocks, follow these steps:
Step 1
Click Monitoring > Network Blocks.
The Network Blocks panel appears.
Step 2
Click Add to add a network block.
The Add Network Block dialog box appears.
Step 3
Type the source IP address of the network you want blocked.
Step 4
Select the netmask from the Netmask drop-down list.
Step 5
Select the Enable Timeout check box if you want to configure the block for a specified amount of time.
Step 6
Type the amount of time in minutes in the Timeout field.
Tip
To discard your changes and close the Add Network Block dialog box, click Cancel.
Step 7
Click Apply.
You receive an error message if a block has already been added.
The new network block appears in the list on the Network Blocks panel.
Step 8
Click Refresh to refresh the contents of the network blocks list.
Step 9
Select a network block in the list and click Delete to delete that block.
The Delete Network Block dialog box asks if you are sure you want to delete this block.
Step 10
Click Yes to delete the block.