Question on Network and Host Blocking feature of IDSM

Apr 9th, 2007

Hi there,


Is the IDSM capable of blocking hosts and networks by itself through manual blocking, or is it just capable of sending the blocks to its managed devices? Thanks.


Overall Rating: 4 (1 ratings)
aghaznavi Fri, 04/13/2007 - 06:12

The IDSM is capable of blocking hosts and networks by itself through manual blocking.

ronmarcojr Sun, 04/15/2007 - 17:31

Thanks,


This is what I did: from the IDM, I configured a certain IP address to be blocked (Monitoring > Active Host Block > Add).

I specified the IP address to be blocked inline, but the continuous ping still succeeds, and HTTP and FTP still work. Is there something missing from my configuration? I enabled blocking, of course...

marcabal Sun, 04/15/2007 - 21:08
User Badges:
  • Cisco Employee

There is a confusion in terms.


Blocking refers to the sensor's ability to create ACLs or Shun lists on other devices.

It requires that you set up the sensor to connect to that other device.


Denying, on the other hand, refers to the sensor's ability to be deployed InLine and for the sensor itself to drop the offending packets.


The Host Blocking panel is only for the Blocking feature. The Host Blocking panel does not control what an InLine Sensor will "Deny".


At this time, the sensor does not support the user manually adding IP addresses to the sensor's Denied Attacker list.

Users may view the current list, clear counters for the list, or remove attacker IP addresses from the list, but may not manually add addresses to the list.

Addresses are added to the Denied Attacker list only when signatures are triggered with one of the deny-attacker-.... event actions.

You can view the Denied Attacker List through IDM:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids13/idmguide/dmmntr.htm#wp1029926


The Deny Actions do require that the sensor be deployed InLine and will not work on sensors deployed promiscuously.



ronmarcojr Sun, 04/15/2007 - 21:40

OK, thanks. So that means I cannot manually block hosts inline using the host blocking feature. Thanks for the clarification.
