Restricting Access from IPS

Unanswered Question
Jul 18th, 2007

Hello,

I have a server with external and internal IP address. I want to restrict the access to this server. I have 5 IP addresses that should have access to this server. Is there a way I can restrict the access from IPS or this can only be done with access-list on firewall.

Thanks for the help.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
mhellman Wed, 07/18/2007 - 13:11

You don't say what kind of host this is, but most newer OS's have host-based firewalls that can be used for this purpose.

If your sensor is inline, you could also create an atomic IP signature to block all access to this destination IP. Then create an event action filter that will remove the block action for those 5 source IP address.

dynacare1 Thu, 07/19/2007 - 06:46

Thanks for the reply. We have IPS 4240 and server is for client FTP.

I can create a signature to produce alert when there is any connectivity for the destination server ip address. From what I understand it will produce a alert for any activity for the server ip address. Now I don't see any option in Event Action which tells me to allow the connection because I will have 5 ip addresses in attacker list option, this way it will just allow the connection and if it doesn?t match attackers IP address it should block it.

Thanks

mhellman Thu, 07/19/2007 - 06:59

I'm not exactly sure what you're asking, but here goes a better explaination:

I will assume your running at least version 5.x and that you are actually inline. each signature can have numerous actions. for example, you can "product alert" AND "deny connection inline". If you create just the signature (atomic ip, specify ip addr options->enter dst ip), all connections to that destination IP will be denied right, including the 5 source IP addresses you want to allow?

So the next step is to create an event action filter. for details please read:

http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a00803eb027.html

an event action filter is used to SUBTRACT an action from an alarm. you want to remove the "deny connection inline" action from the alarm if the source ip is one of those 5. So you create an event action filter for that signature and for those 5 source IP addresses.

dynacare1 Thu, 07/26/2007 - 11:57

I created Custom Signature with Atomic IP but it's not working. Is there any other settings I will be checking. In the custom signature I only have destination IP address of FTP server.

Thanks for your help.

Actions

This Discussion