42-5
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 42 Configuring Attack Response Controller for Blocking and Rate Limiting
Understanding IPS Blocking
When you configure a router interface or switch VLAN as a blocking interface, you can optionally
specify the names of pre- and post-ACLs or VACLs. Although specifying ACL or VACL names is
optional, if you have already configured ACLs or VACLs on that interface or VLAN, you must identify them
to the IPS; otherwise, ARC removes them from your device configuration when it applies its own ACL.
The pre- and post-ACL/VACL have the following uses:
The Pre-Block ACL/VACL is mainly used for permitting what you do not want the sensor to ever
block. When a packet is checked against the ACL/VACL, the first line that gets matched determines
the action. If the first line matched is a permit line from the Pre-Block ACL/VACL, the packet is
permitted even though there may be a deny line (from an automatic block) listed later in the
ACL/VACL. The Pre-Block ACL/VACL can override the deny lines resulting from the blocks.
The Post-Block ACL/VACL is best used for additional blocking or permitting that you want to occur
on the same interface or direction. If you have an existing ACL on the interface or direction that the
sensor will manage, that existing ACL can be used as a Post-Block ACL/VACL. If you do not have
a Post-Block ACL/VACL, the sensor inserts permit ip any any at the end of the new ACL/VACL.
If you are managing the IOS Software blocking device in Security Manager, you can identify the
ACL name by selecting the blocking device, then selecting Tools > Preview Config. Look for the
ip access-group command in the interface configuration, and check the direction. For example, the
following lines show that there is an ACL named CSM_FW_ACL_GigabitEthernet0/1 in the In
direction attached to the GigabitEthernet0/1 interface.
interface GigabitEthernet0/1
ip access-group CSM_FW_ACL_GigabitEthernet0/1 in
In this example, if you configure GigabitEthernet0/1 in the In direction as a blocking interface,
ensure that you specify CSM_FW_ACL_GigabitEthernet0/1 as a pre- or post-ACL. In most cases,
you should specify the ACL as the post-ACL, so that the relatively short IPS blocking ACL first
filters out undesirable traffic before the blocking device implements your other access rules. If you
specify it as the pre-ACL instead, any permit line in it takes precedence over the sensor's automatic
blocks, so a blocked host that matches such a permit line is not blocked.
Because Security Manager does not manage Catalyst OS devices, you must examine a Catalyst OS
device configuration outside of Security Manager to determine VACL names. Keep in mind that a
Catalyst 6500/7600 device that runs IOS Software can also have VACLs, but the IPS does not do
VLAN blocking on Catalyst 6500/7600 VLANs when the device is running IOS Software.
When the sensor starts up, it reads the contents of the two ACL/VACLs. It creates a third ACL/VACL
with the following entries in this order, and this combined ACL/VACL is applied to the interface or
VLAN:
1. A permit line with the sensor IP address or, if specified, the NAT address of the sensor.
If you select the Allow Sensor IP address to be Blocked option on the General tab of the Blocking
policy, this permit entry is not added. For more information, see General Tab, IPS Blocking Policy,
page 42-10.
2. Pre-Block ACL/VACL, if specified.
3. Any active blocks generated by the IPS (deny statements).
4. The Post-Block ACL/VACL, if specified.
If you do not specify a Post-Block ACL/VACL, a permit ip any any entry is added to allow all
unfiltered traffic. Note that this negates the normal implicit deny any that ends interface ACLs: any
traffic that is not explicitly denied by an earlier line is permitted, not dropped.
When using Catalyst OS, IDSM-2 inserts permit ip any any capture at the end of the new VACL.
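The following is an added example, not Cisco code and not something the sensor or Security Manager produces: a small Python model of how the combined ACL described above is assembled (sensor permit, Pre-Block, active blocks, Post-Block or default permit) and evaluated first-match, so that the two behaviours the text calls out can be seen directly: a Pre-Block permit overriding an automatic block, and the trailing permit ip any any negating the implicit deny when no Post-Block ACL is given. IOS syntax is reduced to `permit|deny ip <source> any`, and every address, ACL name and entry below is constructed for illustration; the Post-Block entries stand in for an existing interface ACL such as the CSM_FW_ACL_GigabitEthernet0/1 of the guide's example.

```python
"""Added example (not Cisco's code): a model of the ACL the sensor builds for a
blocking interface, in the order the guide lists, plus a first-match evaluator.
IOS syntax is reduced to 'permit|deny ip <source> any'; all addresses and names
below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    action: str                    # "permit" or "deny"
    source: ipaddress.IPv4Network  # source prefix; 0.0.0.0/0 means "any"
    origin: str                    # which section of the combined ACL added it


def ace(action, source, origin="user"):
    """Build one access-control entry; a bare address becomes a /32 host entry."""
    return Ace(action, ipaddress.ip_network(source, strict=False), origin)


def build_blocking_acl(sensor_ip, active_blocks, pre_block=(), post_block=(),
                       nat_ip=None, allow_sensor_block=False):
    """Compose the ACL the sensor applies: sensor permit, Pre-Block, blocks, Post-Block."""
    acl = []
    # 1. Permit the sensor (or its NAT address) unless the operator allows it to be blocked.
    if not allow_sensor_block:
        acl.append(ace("permit", nat_ip or sensor_ip, "sensor"))
    # 2. Pre-Block ACL: operator entries that must win over any automatic block.
    acl += [Ace(e.action, e.source, "pre-block") for e in pre_block]
    # 3. Active blocks: one deny per blocked host or network.
    acl += [ace("deny", blocked, "block") for blocked in active_blocks]
    # 4. Post-Block ACL, or 'permit ip any any' when none is configured.
    if post_block:
        acl += [Ace(e.action, e.source, "post-block") for e in post_block]
    else:
        acl.append(ace("permit", "0.0.0.0/0", "default"))
    return acl


def evaluate(acl, src_ip):
    """First matching line decides; no match at all falls through to the implicit deny."""
    ip = ipaddress.ip_address(src_ip)
    for e in acl:
        if ip in e.source:
            return e.action, e.origin
    return "deny", "implicit"


def render(acl, name):
    """Render the combined ACL in IOS extended-ACL syntax (wildcard masks for prefixes)."""
    lines = [f"ip access-list extended {name}"]
    for e in acl:
        if e.source.prefixlen == 0:
            src = "any"
        elif e.source.prefixlen == 32:
            src = f"host {e.source.network_address}"
        else:
            src = f"{e.source.network_address} {e.source.hostmask}"
        lines.append(f" {e.action} ip {src} any")
    return "\n".join(lines)


# Constructed scenario: sensor 10.1.1.5, a management subnet the sensor must never
# block, two active blocks (one of them inside that subnet), and an existing
# interface ACL reused as the Post-Block ACL.
SENSOR_IP = "10.1.1.5"
PRE_BLOCK = [ace("permit", "192.168.10.0/24")]
ACTIVE_BLOCKS = ["192.168.10.77", "203.0.113.9"]
POST_BLOCK = [ace("deny", "198.51.100.0/24"), ace("permit", "0.0.0.0/0")]

WITH_POST = build_blocking_acl(SENSOR_IP, ACTIVE_BLOCKS, PRE_BLOCK, POST_BLOCK)
NO_POST = build_blocking_acl(SENSOR_IP, ACTIVE_BLOCKS, PRE_BLOCK)

if __name__ == "__main__":
    print(render(WITH_POST, "IPS_BLOCK_Gi0_1_in"))
    for src in ["192.168.10.77", "203.0.113.9", "198.51.100.4", "8.8.8.8"]:
        print(src, evaluate(WITH_POST, src), "| without Post-Block:", evaluate(NO_POST, src))
```

Running the block shows 192.168.10.77 permitted by the Pre-Block line even though a deny for it sits two lines later, 203.0.113.9 denied by its block, and 198.51.100.4 denied only when the existing ACL is supplied as the Post-Block ACL; with no Post-Block ACL the trailing permit ip any any lets 198.51.100.4 through, which is the implicit-deny point made above.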