Release Notes for CSPM 2.3.3.i and Caveat CSCdr78318

rcrowe
Level 1

Can someone please elaborate on this bug? I was getting ready to upgrade my CSPM 2.3.2.i box to 2.3.3.i and I read the release notes. This bug is in the release notes as:

"CSCdr78318: Sensors cannot define blocking rules for IOS routers that are managed devices. You cannot use Cisco Secure Policy Manager to manage an IOS router for which you want a sensor to generate blocking rules based on detected attacks.

Workaround/Solution: No workaround exists. Do not attempt to enable blocking by a managed IOS router within the Network Topology tree."

Does this mean that the sensor is not going to be able to generate ACLs when someone attacks, or telnet to the router and block the attackers? This is how I am reading it.

3 Replies

rcrowe
Level 1

Or does this mean that you just can't use a router as a blocking device if you are using CSPM to regularly manage that router?

Hello,

I read it as the latter. The IOS device cannot be managed by CSPM. It can, however, exist in the CSPM topology as an "unmanaged" device.

danrodi is correct,

Router management by CSPM is when CSPM is generating the configuration files for the router based on your CSPM policy.

Router management by the IDS Sensor is when the sensor generates ACLs to block specific addresses. The sensor communication with the router is configured through CSPM in the sensor configuration area.

You cannot manage a Cisco router with both CSPM and the IDS Sensor, because they will be trying to apply ACLs to the same interfaces and overwriting each other's ACLs.

If using the sensor to manage the router ACLs, then you will have to manually configure the router instead of using CSPM.