What's the difference between blocking a host and a connection?
In the MC for IDS signature config screen, I see you can now block by host or connection. The help screens do not elaborate on the difference. Muchas gracias to anyone who can explain the difference. Thanks.
Re: What's the difference between blocking a host and a connection?
Some additional information:
A Shun Host (or Block Host) will deny the source ip address, in effect denying ALL ip packets from that address,
deny ip host 10.1.1.1 any
A Shun Connection (or Block Connection) will deny just the ip packets from the source ip address to the specific destination ip address and destination port (service).
deny tcp host 10.1.1.1 host 172.21.1.1 eq telnet
NOTE: It doesn't deny just that one connection, but instead denies all connections of that type to that destination address. You will notice that the source port is not in the deny statement so all connections for that service from the source to the destination ip will be denied rather than just the connection in which the attack was executed.
If a user executes a web attack against a web server, then all web connections from that user's ip to that specific server ip will be blocked. But the user can still send an email, or use telnet or ftp to that server, and can continue to make web connections to other ips.
Something to be aware of, however, is that multiple Shun Connections for the same source ip to either different destination ips or different destination ports will cause the Shun Connections to be upgraded to a Shun Host.
This is to prevent filling up the shun table with multiple Shun Connections from the same ip.
Also multiple Shun Connections for the same ip usually means that the ip is attacking multiple boxes or multiple services which helps rule out the possibility of a false positive, and so the sensor blocks the entire ip by upgrading it to a Shun Host.
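To make the difference concrete, here is a constructed Python model of the shun table as the reply describes it. It is an added example, not Cisco sensor code; the upgrade threshold (a second connection shun for the same source) and the sample addresses are assumptions.

```python
from collections import defaultdict

# Constructed model of the shun table (not Cisco code). A host shun behaves like
# "deny ip host SRC any"; a connection shun like "deny PROTO host SRC host DST eq PORT".
# The source port is never part of the rule, so it is never matched here either.

class ShunTable:
    def __init__(self):
        self.hosts = set()             # shunned source ips (Shun Host)
        self.conns = defaultdict(set)  # src -> {(dst, proto, dport)} (Shun Connection)

    def shun_host(self, src):
        self.hosts.add(src)
        self.conns.pop(src, None)      # a host entry makes connection entries redundant

    def shun_connection(self, src, dst, proto, dport):
        if src in self.hosts:
            return "already host"
        self.conns[src].add((dst, proto, dport))
        # Assumption: the second distinct connection shun for the same source
        # (different dst or dport) is what triggers the upgrade to a host shun.
        if len(self.conns[src]) > 1:
            self.shun_host(src)
            return "upgraded to host"
        return "connection"

    def denies(self, src, dst, proto, dport):
        """True if a packet src -> dst proto/dport matches an active shun."""
        if src in self.hosts:
            return True
        return (dst, proto, dport) in self.conns.get(src, ())

def demo():
    # Constructed scenario using the reply's addresses: 10.1.1.1 attacks 172.21.1.1 over http.
    t = ShunTable()
    t.shun_connection("10.1.1.1", "172.21.1.1", "tcp", 80)
    web_blocked = t.denies("10.1.1.1", "172.21.1.1", "tcp", 80)      # same service, same server: denied
    smtp_ok = not t.denies("10.1.1.1", "172.21.1.1", "tcp", 25)      # other service to that server: allowed
    other_ok = not t.denies("10.1.1.1", "172.21.1.2", "tcp", 80)     # web to a different server: allowed
    status = t.shun_connection("10.1.1.1", "172.21.1.2", "tcp", 80)  # second shun: upgraded to host
    all_blocked = t.denies("10.1.1.1", "192.0.2.9", "udp", 53)       # any packet from the ip: denied
    return web_blocked and smtp_ok and other_ok and status == "upgraded to host" and all_blocked
```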