I'm interested in getting an IDS, but have one question. I know the IDS can do shunning on a router or PIX firewall. I was wondering if it is easy/possible to set it to shun a particular IP when the IDS detects someone doing a general port scan (on any port)?
Port scans will be detected by the IDS, and if you then set up that signature for blocking, then the sensor will write an access-list or use the "shun" command on a PIX to block all packets from that source host.
The configuration is quite simple: just configure the IP and login parameters for the router/PIX so the sensor can SSH into it, and enable blocking for the particular signature (checking a box).
Yes, you would be shunned almost immediately - there is very little lag time involved. Careful with shunning on port scans, as MANY MANY and I repeat MANY MANY Microsoft products trigger nmap port sweeps ALL the time... DNS triggers port sweeps, SMS, Active Directory, etc... I suggest you spend a good amount of time learning your network, capturing traffic, and analyzing to see if it's legit... set up filters ... then look at blocking features...
I'm looking to shun anyone outside of my network doing scans for services. I've been watching the traffic/port scans into my network and most of it seems to be either virus related (DCOM port scans for example) or someone scanning for http or ssh servers, etc.
I'd like the shun to be applied before the person scanning reaches over 10,000 flows. A scan that reaches 40,000 flows just kills everything. I'm hoping the IDS can catch it and shun before it goes over 10,000.
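Added example, not part of the thread and not Cisco sensor code: a Python sketch of the decision discussed above, flagging only outside sources, skipping sources that have been filtered as legitimate, and tripping well before a scan reaches 10,000 flows. The address ranges, thresholds, window and flow-record layout are all assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumed values for illustration; tune them after analysing your own traffic.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]      # never shun inside hosts
FILTERED_SOURCES = {ipaddress.ip_address("198.51.100.53")}  # judged legitimate
PORT_THRESHOLD = 20   # distinct ports probed on one host (port scan)
HOST_THRESHOLD = 20   # distinct hosts probed on one port (service sweep)
WINDOW_SECONDS = 60

def is_exempt(src):
    addr = ipaddress.ip_address(src)
    return addr in FILTERED_SOURCES or any(addr in net for net in INTERNAL_NETS)

def find_shun_candidates(flows):
    """flows: time-ordered (timestamp, src_ip, dst_ip, dst_port) tuples.
    Returns {src_ip: number of flows seen from it when the threshold tripped}."""
    recent, total, shunned = defaultdict(list), defaultdict(int), {}
    for ts, src, dst, port in flows:
        if src in shunned or is_exempt(src):
            continue
        total[src] += 1
        # Keep only this source's flows that are still inside the window.
        window = [f for f in recent[src] if ts - f[0] <= WINDOW_SECONDS]
        window.append((ts, dst, port))
        recent[src] = window
        ports_per_host, hosts_per_port = defaultdict(set), defaultdict(set)
        for _, d, p in window:
            ports_per_host[d].add(p)
            hosts_per_port[p].add(d)
        if (max(len(s) for s in ports_per_host.values()) >= PORT_THRESHOLD
                or max(len(s) for s in hosts_per_port.values()) >= HOST_THRESHOLD):
            shunned[src] = total[src]
    return shunned

def sample_flows():
    """Constructed sample traffic, not captured data."""
    flows = []
    for i in range(1, 501):
        flows.append((i * 0.01, "203.0.113.7", "10.0.0.5", i))    # outside port scan
        flows.append((i * 0.01, "10.0.0.20", "10.0.0.%d" % (i % 250 + 1), 445))  # inside sweep
        flows.append((i * 0.01, "192.0.2.10", "10.0.0.80", 80))   # ordinary web client
    for i in range(1, 101):
        flows.append((5 + i * 0.01, "203.0.113.9", "10.0.1.%d" % i, 22))  # outside ssh sweep
    return sorted(flows)

if __name__ == "__main__":
    print(find_shun_candidates(sample_flows()))
```

Both outside scanners are flagged on their 20th flow, while the inside sweep and the single-port web client are left alone.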