cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
461
Views
0
Helpful
4
Replies

IDS 4.0 using the blocking ACL list procedure

garyprice
Level 1
Level 1

I am configuring a k9-4235 to create ACL's on one of the internal 6513's.

I am confused about the userid's that a referenced on the html configuration page configuration/blocking. Why use the enable password? Should you not create a userid that can only do ACL's? Is the what the second password and userid entries are for?

Also I'm confused about the wording of Pre-Block ACL Name and Post-Block ACL Name.

Has anyone used the k9 to block on a 6513 using ACL's?

4 Replies 4

ovanjara
Cisco Employee
Cisco Employee

Hi,

I will try to take your question in two parts:

1) Why use the enable password.

Well, if you don't have any AAA configured on your 6513, then you would telnet to the blade using the enable password. Similarly, when the sensor tries to telnet to the blade to write the acl's it will telnet using the enable password. However if you do configure AAA on the switch, then you would require the username and password.

2) What is Pre-Block ACL

The ACL's to be applied before placing the block ACL's. For eg, say if you had a acl that said:

access-list 101 permit tcp host 10.1.1.1 any

Then if you wanted to apply this ACL before you applied the block ACL's, you would specify the ACL name, that is 101 to be applied.

The post ACL works in the same manner, only difference it will be applied after the block commands.

Hope this clarifies your questions.

I'm a security person and i have one of our network engineers inmy cube. The question is :

on the block-ACL is the last statement an "allow ip any any"?

We understand the AAA issue. But we need to test this process before we put it in production.

thanks garyprice

The following applies, with very minor differences, to 3.x and 4.x

sensor appliances and blades.

Here is the precise sequence that a sensor uses when it connects

to and blocks on a router. Router ACLs are associated by access group

to interface/directions. The sequence for switches is similar, but

uses VACLs mapped to VLANs.

1. Telnet or ssh to the net device, depending on the sensor config.

2. If prompted for a username, send it.

3. If prompted for a password, send it.

4. After connecting succesfully, set enable mode, unless the

account already has enable privileges.

5. Housekeeping (parse the current config, set up the ACLs to

be used, get the pre and post acls, etc).

6. Periodically send a keep-alive to the net device, to keep the

conneciton alive.

When a block occurs, these actions are taken:

1. Put the net device into configure mode.

For each interface to be controlled....

2. Delete the ACL that is about to be used.

3. Create the ACL to be used.

4. Add an ACL entry to permit the sensor, unless configured otherwise,

using either the sensor C&C IP or the specified NAT address.

5. If there is a pre-block ACL, insert it into the new ACL.

6. Insert the addresses to be blocked as ACL entries.

7. Insert the networks to be blocked as ACL entries.

8. If there is a post-block ACL, insert it. Otherwise, insert

the permit ip any any ACL entry.

9. Remove the current access group from the interface.

10. Set a new access group for the interface, using the new ACL.

11. Remove the old ACL.

Thank you for the info...

It has explained alot...

The Cisco K9 now has teeth.....

working very well with the limited number of sigs that i have shunned the host on..........

Thank you

Gary Price

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: