Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

Shunting with Netranger and PIX

I Have 2 Cisco secure IDS formerly Netranger current 3.0(1)S8 and PIx 525 ver 6.1 am USING CSPM 2.3.2

When I set up the signatures to shun they appear to do so but not in a very fast manner and then not throughly. As I look at my logs I am getting many signatures from external machines that appear to be Nimda. However they come in very fast and not from the same port on the assailing maching. My shun may be good for only a specific machines / ports combination. I would like the ability to shun an external machine from any access thru my firewall for the designated time.

An exanple of the current shun follows.

PIX525-1# sh shun

Shun lawweb 14621 80


-----Original Message-----

From: Cisco Secure Policy Manager [mailto:Cisco Secure Policy Manager]

Sent: Wednesday, November 21, 2001 9:54 PM

Subject: Cisco Notification Alarm Level 5

Time: 21:53:46 Date: 2001/11/21 Sensor ID: 108

Direction: OUT To: IN

Signature ID: 5081 Subsignature ID: 0

Source: Port: 14621 Dest: Port: 80

Alarm Details: /system32/cmd.exe

Message Count: 2

Is this planned or comming.

Cisco Employee

Re: Shunting with Netranger and PIX

A couple of things to be aware of.

When the shun command is issued on the Pix the syntax has the source address, destination address, source port and destination port.

Some people have mistaken this to mean that only that single connection is shunned by the Pix, but in fact the Pix will shun the entire Source Address.

It uses the rest of the information to internally close down that specific connection instead of having to way for a timeout to close it down. The additional information, therefore, is not manadatory it just helps clean up the internal connection list kept in the Pix memory.

So in this case, once the sensor is able to reconfigure the Pix no more connections should be allowed through from the source address. If after the Pix is reconfigured the connections are still coming through, you should contact the TAC and ask for assistance from the Pix team, as this could be a bug on the Pix.

Something to be aware of is the fact that the Pix will only be able to block new connections AFTER the sensor has reconfigured it. This reconfiguration by the sensor can take a few seconds depending on the number of shuns taking place and the number of network devices being managed by the sensor, during which time additional connections from the source address may have already come through. This may be what you are seeing.

We are conitnually trying to improve the sensor and shunning performance, but there will always be a slight delay from the time the alarm is detected to the time we can change the network device configuration.

Currently there is also a limit to the total number of shuns that can be applied to a network device. We will be raising this upper limit in a future version, but users need to be aware that the more addresses being shunned the longer it takes to apply new shuns to the network devices.

We are working on ways to apply the shuns faster on the network devices, but we are somewhat limited by the commands supported on the network devices themselves, and the speed at which they respond to our reconfiguration requests. (i.e. it takes longer to apply a shun on a Pix Firewall that is heavily utilized because it takes the Pix longer to respond to our configuration changes)

CreatePlease to create content