Cisco Support Community
New Member

Autoblock thru router

If I want to block attacks sensed by the IDS thru a router, what configuration should I place in my router?

Is there any case study on IDS?

Thanks!

8 REPLIES
Cisco Employee

Re: Autoblock thru router

Hi,

It depends on what version and which management platform you are using.

If you are using VMS for management:

http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000_b/vpnman/vms_2_1/idsmc11/ug/ch05.htm

If IDM/IEV 4.0, then go to the URL below:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids9/idmiev/swchap3.htm#593299

If IDM/IEV 3.x, then the one below:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids8/13876_01.htm#xtocid49

Thanks,

yatin

Cisco Employee

Re: Autoblock thru router

By the way, on the target (blocking device) you do not have to configure anything except for allowing the IDS to telnet or ssh into that blocking device.

The dynamic ACL will be configured by the IDS onto this blocking device, which in your case is the router.

thanks,

yatin
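
The reply above says the router needs nothing beyond letting the IDS sensor telnet or SSH in. As an added example (not part of the thread or of Cisco's documentation), this Python check reads a saved router configuration and reports whether each vty block would accept a login from the sensor. The sample configuration, the sensor address 192.0.2.10 and the function names are constructed for illustration, and only standard numbered ACLs are handled.

```python
import ipaddress
import re

# Constructed sample of a blocking router's saved configuration (not from the thread).
SAMPLE_CONFIG = """\
access-list 10 permit 192.0.2.10
access-list 10 deny   any
line vty 0 4
 access-class 10 in
 transport input telnet
 login
"""

def acl_permits(config, acl, ip):
    """Walk a standard numbered ACL top-down: first match wins, implicit deny at the end."""
    addr = int(ipaddress.IPv4Address(ip))
    for m in re.finditer(rf"^access-list {acl}\s+(permit|deny)\s+(.+)$", config, re.M):
        action = m.group(1)
        spec = [w for w in m.group(2).split() if w not in ("host", "log")]
        if spec[0] == "any":
            return action == "permit"
        net = int(ipaddress.IPv4Address(spec[0]))
        # A bare address or "host" entry has no wildcard, i.e. an exact match.
        wild = int(ipaddress.IPv4Address(spec[1])) if len(spec) > 1 else 0
        if (addr | wild) == (net | wild):
            return action == "permit"
    return False

def sensor_access(config, sensor_ip):
    """Return {vty range: [problems]}; an empty list means the sensor can log in."""
    report = {}
    for m in re.finditer(r"^line vty (\d+(?: \d+)?)[ \t]*\n((?: .*\n?)*)", config, re.M):
        body, problems = m.group(2), []
        # Assumption: a block with no "transport input" line is treated as unrestricted.
        t = re.search(r"^ transport input (.+)$", body, re.M)
        if t and not {"telnet", "ssh", "all"} & set(t.group(1).split()):
            problems.append("transport input excludes telnet/ssh")
        a = re.search(r"^ access-class (\d+) in\s*$", body, re.M)
        if a and not acl_permits(config, a.group(1), sensor_ip):
            problems.append(f"access-class {a.group(1)} denies sensor")
        report[m.group(1)] = problems
    return report

if __name__ == "__main__":
    print(sensor_access(SAMPLE_CONFIG, "192.0.2.10"))
```
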

New Member

Re: Autoblock thru router

I am using IDS Sensor ver. 3.1.

So that means all I need to do is configure my IDS for the specific signatures that I want to block, then configure my blocking device and the blocking interface?

If I have more than 1 sensor, does that mean I need to configure every single sensor's signatures?

Cisco Employee

Re: Autoblock thru router

Yes. Just configure the required sigs for the action of blocking and configure the blocking through the management platform (I didn't see what it is in your case) as per the instructions at the URLs provided earlier.

If you use the VMS IDSMC, and if the sensors' configs are exactly the same, then you could use the "copy config" option to replicate the config across multiple sensors.

Thanks,

Yatin

New Member

Re: Autoblock thru router

I am using Ciscoworks IDS MC.

I have already configured my blocking device, but it seems that the router does not create any ACL. Why? The attacks are still on the network. Is there any access list number I should reserve for the sensor?

New Member

Re: Autoblock thru router

The router's IOS version was: IOS (tm) 3600 Software (C3640-I-M), Version 12.1(1)T, RELEASE SOFTWARE (fc1)

Does the IOS version affect the creation of Dynamic ACL on the router?

Cisco Employee

Re: Autoblock thru router

Hi,

Are you using SSH or telnet to the router for blocking? Try to do this manually from the sensor to the router, run deb ip packet on the router for just the traffic between the sensor and the router and see what you get in the deb.

access-list 101 permit ip host x.x.x.x host y.y.y.y

access-list 101 permit ip host y.y.y.y host x.x.x.x

deb ip pack det 101

thanks,

yatin

New Member

Re: Autoblock thru router

I know why the router doesn't create the dynamic ACL: the IDS MC doesn't write the configuration to my sensor. I have raised this problem in another conversation.

FYI, I am using telnet to the router for blocking.
