Cisco Support Community

New Member

Blocking/Shunning on Version 4 Sensors

Do version 4 sensors support blocking or shunning?

  • Other Security Subjects
1 REPLY
Cisco Employee

Re: Blocking/Shunning on Version 4 Sensors

Blocking and shunning mean the same thing.

The original term was shunning, but when dealing with overseas customers the term was confusing so it was renamed to blocking.

Blocking is the feature in IDS systems where the sensor establishes a Telnet or SSH connection to a router, switch, or firewall that the user has designated. The sensor then creates an ACL on the router or switch that denies the IP address of the attacker machine, or in the case of the PIX firewall will execute the firewall's own shun command to deny the attacker IP address.

All Cisco IDS versions will support blocking.

For version 4.x sensors refer to the following areas of the configuration guide:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/idmiev/swchap3.htm#32394

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/idmiev/swchap5.htm#987105

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/idmiev/swchap3.htm#31460 (In step 4 set the EventAction to either Block Host or Block Connection)

With blocking/shunning the sensor connects to and reconfigures another network device, which does the deny.

Some other IDS vendors have also implemented the ability for the IDS itself to drop or deny the offending packet without having to rely on another networking device. This feature is not implemented in version 4.x or prior versions of Cisco IDS.

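To make the reply concrete, here is an added example (not Cisco IDS code and not from the original post) that models what a blocking action hands to the managed device: the sensor-owned extended ACL it would rebuild on an IOS router for Block Host and Block Connection entries, and the corresponding shun / no shun lines for a PIX. The ACL number 199, the interface name, the command sequencing and the sample addresses are assumptions chosen for illustration; the point is the shape of the generated configuration and the input validation a sensor needs before an attacker-controlled address becomes part of a CLI command.

```python
"""Added illustration of IDS blocking output: IOS ACL rebuild and PIX shun.

Not Cisco IDS code. ACL number 199, interface FastEthernet0/0 and the sample
addresses below are assumptions; only the command text is generated here,
nothing is sent to a device.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional


@dataclass(frozen=True)
class BlockRequest:
    """One Block Host (dst_ip is None) or Block Connection action."""
    src_ip: str
    dst_ip: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    protocol: str = "tcp"

    def __post_init__(self) -> None:
        # The attacker address comes from a packet, so it is untrusted input.
        # Parse it as an address before it can ever be pasted into a CLI line;
        # ip_address() raises ValueError on anything that is not an address.
        ip_address(self.src_ip)
        if self.dst_ip is not None:
            ip_address(self.dst_ip)
            if self.src_port is None or self.dst_port is None:
                raise ValueError("Block Connection needs source and destination ports")
            for port in (self.src_port, self.dst_port):
                if not 0 <= port <= 65535:
                    raise ValueError("port out of range")
        if self.protocol not in ("tcp", "udp"):
            raise ValueError("unsupported protocol")

    @property
    def is_host_block(self) -> bool:
        return self.dst_ip is None


def ios_acl_commands(blocks: List[BlockRequest], acl: int = 199,
                     interface: str = "FastEthernet0/0") -> List[str]:
    """Rebuild the sensor-owned extended ACL from the current block set.

    The sensor treats the ACL as its own and rewrites the whole thing, so
    expiring a block is simply a rebuild without that entry. The trailing
    permit is what keeps the ACL from denying all traffic when the block
    list is empty.
    """
    lines = ["configure terminal", f"no access-list {acl}"]
    for b in blocks:
        if b.is_host_block:
            lines.append(f"access-list {acl} deny ip host {b.src_ip} any")
        else:
            lines.append(f"access-list {acl} deny {b.protocol} host {b.src_ip} "
                         f"eq {b.src_port} host {b.dst_ip} eq {b.dst_port}")
    lines.append(f"access-list {acl} permit ip any any")
    lines += [f"interface {interface}", f"ip access-group {acl} in", "end"]
    return lines


def pix_shun_commands(block: BlockRequest) -> List[str]:
    """PIX does the deny itself: shun src [dst sport dport proto]."""
    if block.is_host_block:
        return [f"shun {block.src_ip}"]
    return [f"shun {block.src_ip} {block.dst_ip} {block.src_port} "
            f"{block.dst_port} {block.protocol}"]


def pix_unshun_commands(block: BlockRequest) -> List[str]:
    """Removing the shun when the block time expires."""
    return [f"no shun {block.src_ip}"]


if __name__ == "__main__":
    # Constructed sample actions, as a sensor would raise them from two events.
    host = BlockRequest("192.0.2.10")
    conn = BlockRequest("192.0.2.10", "198.51.100.5", 40000, 80, "tcp")
    print("\n".join(ios_acl_commands([host, conn])))
    print("\n".join(pix_shun_commands(conn) + pix_unshun_commands(conn)))
```

Two points worth noticing in the generated output. First, the deny entries always end with a permit, so an empty block list yields an ACL that passes everything rather than a device that drops all traffic when the last block expires. Second, because the ACL is deleted and re-created rather than edited in place, there is a short window during the rewrite in which it does not exist; a sensor that holds the management session for the whole exchange keeps that window as small as possible.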