Cisco Systems CL-28826-01 Security Camera User Manual


User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 42 Configuring Attack Response Controller for Blocking and Rate Limiting
Understanding IPS Blocking
ARC completes the action response for a new block in no more than 7 seconds. In most cases, it
completes the action response in less time. To meet this performance goal, you should not configure the
sensor to perform blocks at too high a rate or to manage too many blocking devices and interfaces. We
recommend that the maximum number of blocks not exceed 250 and the maximum number of blocking
items not exceed 10. To calculate the maximum number of blocking items, a security appliance counts
as one blocking item per blocking context. A router counts as one blocking item per blocking
interface/direction. A switch running Catalyst software counts as one blocking item per blocking VLAN.
If the recommended limits are exceeded, ARC might not apply blocks in a timely manner or might not
be able to apply blocks at all.
For security appliances configured in multiple-context mode, Cisco IPS does not include VLAN
information in the block request. Therefore you must make sure the IP addresses being blocked are
correct for each security appliance. For example, the sensor is monitoring packets on a security appliance
customer context that is configured for VLAN A, but is blocking on a different security appliance
customer context that is configured for VLAN B. Addresses that trigger blocks on VLAN A might refer
to a different host on VLAN B.
Note: Blocking is not supported on the FWSM on the admin context in multiple-context mode.
There are three types of blocks:
• Host block—Blocks all traffic from a given IP address.
  To configure the IPS to initiate automatic host blocks when a signature is triggered, add the Request
  Block Host event action to a signature, or add it to events based on risk rating using the event action
  override policy. See Configuring Event Action Overrides, page 39-13 and Configuring Signatures,
  page 38-4.
• Connection block—Blocks traffic from a given source IP address to a given destination IP address
  and destination port. Multiple connection blocks from the same source IP address to either a
  different destination IP address or destination port automatically switch the block from a connection
  block to a host block.
  To configure the IPS to initiate automatic connection blocks when a signature is triggered, add the
  Request Block Connection event action to a signature, or add it to events based on risk rating using
  the event action override policy.
• Network block—Blocks all traffic from a given network.
You can initiate host and connection blocks manually or automatically when a signature is triggered.
You can only initiate network blocks manually. You cannot initiate network blocks from within
Security Manager; use the IPS Device Manager instead.
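The blocking-item count from the start of this section and the connection-block-to-host-block escalation described above, modeled as an added Python example (not Cisco or Security Manager code); the device inventory shape, the method names and the sample addresses are assumptions made here:

```python
from collections import defaultdict

MAX_BLOCKS = 250          # recommended maximum number of blocks
MAX_BLOCKING_ITEMS = 10   # recommended maximum number of blocking items

def count_blocking_items(devices):
    """One item per appliance context, per router interface/direction, per Catalyst VLAN."""
    total = 0
    for dev in devices:                      # constructed inventory, not a real CSM export
        kind = dev["type"]
        if kind == "security_appliance":
            total += len(set(dev["contexts"]))
        elif kind == "router":
            total += len({(i, d) for i, d in dev["interface_directions"]})
        elif kind == "catalyst":
            total += len(set(dev["vlans"]))
        else:
            raise ValueError(f"unknown device type {kind!r}")
    return total

class BlockTable:
    """Host and connection blocks; a second connection block from the same
    source to a different destination IP or port escalates to a host block."""
    def __init__(self):
        self.host_blocks = set()             # blocked source IPs
        self.conn_blocks = defaultdict(set)  # src -> {(dst_ip, dst_port)}

    def request_block_host(self, src):
        self.host_blocks.add(src)
        self.conn_blocks.pop(src, None)      # host block supersedes connection blocks
        return "host"

    def request_block_connection(self, src, dst_ip, dst_port):
        if src in self.host_blocks:
            return "host"                    # source already blocked outright
        self.conn_blocks[src].add((dst_ip, dst_port))
        if len(self.conn_blocks[src]) > 1:   # different destination IP or port seen
            return self.request_block_host(src)
        return "connection"

    def active_blocks(self):
        return len(self.host_blocks) + sum(len(s) for s in self.conn_blocks.values())

def within_recommended_limits(devices, table):
    """True when blocking items and active blocks both stay inside the ceilings."""
    return (count_blocking_items(devices) <= MAX_BLOCKING_ITEMS
            and table.active_blocks() <= MAX_BLOCKS)
```

Network blocks are left out because, as the text states, they are only initiated manually and not from Security Manager.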
Tip: Connection blocks and network blocks are not supported on security appliances (firewalls). Security
appliances only support host blocks with additional connection information.
Note: Do not confuse blocking with the ability of the sensor to drop packets. The sensor can drop packets when
the following actions are configured for a sensor in inline mode: deny packet inline, deny connection
inline, and deny attacker inline.