Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3370
Views
0
Helpful
4
Replies

Using Blacklist/whitelist on IDS

onslaught99
Level 1
Level 1

‎06-06-2014 01:20 PM - edited ‎03-10-2019 06:12 AM

Hello,

 

I am currently planning on implementation of 4360 IDS system that will not be inline but monitoring the data VLAN on a switch. Someone asked me if I was going to create a blacklist and a whitelist for the IDS. Would that even be worth creating such lists if the device is not going to be inline with data flows? And they also stated that Cisco, when they push out new IPS/IDS signatures, that they have a default blacklist/whitelist within the code of the signatures. Is that correct?

 

Thanks

Labels:
0 Helpful
4 Replies 4

jason.loera
Level 1
Level 1

‎06-09-2014 09:32 AM

You can opt for your IPS/IDS to participate in the CIsco Global Correlation Network. This will send some of your traffic statistics to a centralized location for analysis and policies will be created and distributed to IPS/IDS globally. This includes blacklisting certain IP addresses.

As for creating a whitelist/blacklist for your specific IDS, you can add hosts to a "Never Block" list. Typically, this is reserved for your NMS since its polling can be perceived as scanning. Your colleague may be talking about zones. The IDS allows multiple zones (internal, external, DMZ) with different policies assigned to each.

0 Helpful

onslaught99
Level 1
Level 1
In response to jason.loera

‎06-10-2014 08:32 AM

Thanks for the reply Jason!

I was wondering though would a blacklist/whitelist be beneficial since our implementation of the IDS is not inline to the data flow? The IDS implementation that we were approved to do is monitoring a switch port that is is OOB. So if there were a blacklist/whitelist implemented on the IDS then it will be worthless because it will not be able block or allow that traffic flow, correct?

0 Helpful

area51ravi
Level 1
Level 1

‎03-12-2017 04:54 AM

My website (dealslama.com) is constantly getting attacked from china ip address I found a resource which lists all ip address should be banned but I'm not sure how to use this ip's ?

Can you help ?

Resource is : http://www.wizcrafts.net/chinese-iptables-blocklist.html

Thanks

 

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to area51ravi

‎03-12-2017 07:17 AM

How you use them (if indeed that is possible in your environement) depends on the setup you have for hosting your site.

Can you tell us more about your hosting environment?

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card