
New Member

shunning

I'm interested in getting an IDS, but have one question. I know the IDS can do shunning on a router or PIX firewall. I was wondering if it is easy/possible to set it to shun a particular IP when the IDS detects someone doing a general port scan (on any port)?

6 REPLIES
Cisco Employee

Re: shunning

Port scans will be detected by the IDS, and if you then set up that signature for blocking, then the sensor will write an access-list or use the "shun" command on a PIX to block all packets from that source host.

The configuration is quite simple, just configure the IP and login parameters for the router/PIX so the sensor can SSH into it, and enable blocking for the particular signature (checking a box).

New Member

Re: shunning

So there is a signature for general port scans?

If set up correctly, if I were to start scanning the network on a random port, I should be shunned within seconds?

New Member

Re: shunning

Yes, you would be shunned almost immediately - there is very little lag time involved. Careful with shunning on port scans, as MANY MANY and I repeat MANY MANY Microsoft products trigger nmap port sweeps ALL the time... DNS triggers port sweeps, SMS, Active Directory, etc... I suggest you spend a good amount of time learning your network, capturing traffic, and analyzing to see if it's legit... set up filters ... then look at blocking features...

New Member

Re: shunning

I'm looking to shun anyone outside of my network doing scans for services. I've been watching the traffic/port scans into my network and most of it seems to be either virus related (DCOM port scans for example) or someone scanning for http or ssh servers, etc.

I think I should be good there.

New Member

Re: shunning

Understand it can take a few seconds, so scans that fire many probes per second will still get through before the IDS can get the shun applied. We see this continuously, so be prepared for it.

New Member

Re: shunning

I'd like the shun to be applied before the person scanning reaches over 10,000 flows. A scan that reaches 40,000 flows just kills everything. I'm hoping the IDS can catch it and shun before it goes over 10,000.
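The thread raises three practical points about scan-triggered shunning: the sensor fires a signature and pushes a `shun` (or an access-list) to the PIX/router; internal Windows services produce sweep-like traffic that you do not want to shun; and there is a lag between detection and the block taking effect during which a fast scanner still gets flows through. The following Python simulation, added here as an illustration (it is not Cisco code and not the sensor's real logic), puts numbers on all three. It reads a constructed set of flow records, counts distinct destination/port targets per source in a sliding window, raises a detection at a hypothetical threshold of 20 targets, exempts sources inside hypothetical internal networks (alert only), and models a hypothetical 2-second delay before the shun is in place. The thresholds, networks and addresses are assumptions chosen for the example.

```python
"""Simulate IDS-style port-scan detection and the shun that follows it.

Added example, not the sensor's own algorithm. Timestamps are integer
milliseconds to keep the arithmetic exact. All flows below are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
import ipaddress

# Hypothetical internal networks: a detection from these hosts is alert-only,
# never a shun (cf. the warning that AD/DNS/SMS traffic looks like sweeps).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    ts: int       # milliseconds
    src: str
    dst: str
    dport: int


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


class ScanDetector:
    def __init__(self, threshold=20, window_ms=5000, shun_latency_ms=2000):
        self.threshold = threshold          # distinct (dst, port) targets to fire
        self.window_ms = window_ms          # sliding window per source
        self.shun_latency_ms = shun_latency_ms  # time until the shun is in place
        self.recent = defaultdict(deque)    # src -> deque of (ts, (dst, dport))
        self.detected_at = {}               # src -> ts the signature fired
        self.shun_effective = {}            # src -> ts the shun took effect
        self.passed = defaultdict(int)      # flows that got through, per src
        self.blocked = defaultdict(int)     # flows dropped by the shun, per src
        self.commands = []                  # what would be pushed to the PIX

    def process(self, flow: Flow) -> str:
        eff = self.shun_effective.get(flow.src)
        if eff is not None and flow.ts >= eff:
            self.blocked[flow.src] += 1
            return "blocked"
        # Not (yet) shunned: the flow reaches the network.
        self.passed[flow.src] += 1
        if flow.src in self.detected_at:
            return "passed"             # already fired; waiting on the shun
        window = self.recent[flow.src]
        window.append((flow.ts, (flow.dst, flow.dport)))
        while window and window[0][0] < flow.ts - self.window_ms:
            window.popleft()
        distinct_targets = {target for _, target in window}
        if len(distinct_targets) < self.threshold:
            return "passed"
        self.detected_at[flow.src] = flow.ts
        if is_internal(flow.src):
            return "alert-only"         # internal sweep: log it, do not shun
        self.shun_effective[flow.src] = flow.ts + self.shun_latency_ms
        self.commands.append(f"shun {flow.src}")   # PIX shun syntax, one host
        return "shun"

    def run(self, flows):
        for f in sorted(flows, key=lambda f: f.ts):
            self.process(f)
        return {src: {"detected_at": self.detected_at.get(src),
                      "shun_effective": self.shun_effective.get(src),
                      "passed": self.passed[src],
                      "blocked": self.blocked[src]}
                for src in set(self.passed) | set(self.blocked)}


def constructed_flows():
    flows = []
    # External scanner (TEST-NET address): 200 ports at 50 probes/s.
    flows += [Flow(i * 20, "203.0.113.5", "192.168.1.10", 1 + i) for i in range(200)]
    # Internal host sweeping 30 RPC-range ports, 10/s: looks like a scan too.
    flows += [Flow(1000 + j * 100, "192.168.1.20", "192.168.1.30", 135 + j)
              for j in range(30)]
    # Benign external client repeatedly hitting one web server port.
    flows += [Flow(500 + k * 1000, "198.51.100.7", "192.168.1.10", 443)
              for k in range(5)]
    return flows


def simulate():
    det = ScanDetector()
    summary = det.run(constructed_flows())
    return summary, det.commands


if __name__ == "__main__":
    summary, commands = simulate()
    for src, s in sorted(summary.items()):
        print(src, s)
    print("commands pushed to PIX:", commands)
```

With these assumptions the external scanner fires the signature on its 20th probe (380 ms in) but the shun only lands at 2380 ms, so 119 of its 200 probes still reach the network and 81 are dropped; raise the probe rate and the leaked count grows linearly with the latency, which is the arithmetic behind the "it can take a few seconds" caveat above. The internal host trips the same threshold but produces only an alert, and the single-port client never fires at all.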
