Velocity Reviews - Computer Hardware Reviews

Block IP address

 
 
J1C, 05-25-2005:
Is there an 'easy' way to block IP addresses from accessing anything
behind the PIX? Some of my web sites are getting numerous hack attempts
and I would like to block those right from the firewall rather than the
webserver whenever the IDS sends an alert.

 
Walter Roberson, 05-25-2005:
J1C wrote:
:Is there an 'easy' way to block IP addresses from accessing anything
:behind the PIX? Some of my web sites are getting numerous hack attempts
:and I would like to block those right from the firewall rather than the
:webserver whenever the IDS sends an alert.

If you want it automated in connection with an IDS, you may wish
to configure your IDS to use the PIX 'shun' command.

If you have PIX 6.2 or later, then you can edit access lists in
place. Supposing your outside ACL is out2in and the attacking
IP is X.Y.Z.W then you can

access-list out2in line 1 deny ip host X.Y.Z.W any

and that will insert the ban at the top of the access list
without you having to know anything about what else is in the ACL.


Note: 'shun' commands are NOT saved when you save the configuration.
ACL changes -are- saved when you save the configuration.
--
Oh, to be a Blobel!
 
 
J1C, 05-26-2005:
Great - thanks!

I'll have to check out that SHUN command a little more ... that would
be ideal to tie the PIX into the IDS

 
arturo.servin, 05-26-2005:
About the shun command.

If it is configured for an offending host, will the PIX block all the
traffic to the offending host when the IDS (of the PIX) detects some
strange behavior, or will it always filter the traffic specified in the
shun command no matter whether the IDS detects something?

-as

 
Walter Roberson, 05-26-2005:
arturo.servin wrote:
:About the shun command.

:If it is configured for an offending host, will the PIX block all the
:traffic to the offending host when the IDS (of the PIX) detects some
:strange behavior, or will it always filter the traffic specified in the
:shun command no matter whether the IDS detects something?

shun is unconditional: all traffic to and from the designated
host is -immediately- stopped (whereas an access-list change would
only deal with -new- attempts.)

The idea is that when the IDS detects monkey business, it tells
the PIX to shun the host, and it leaves it shunned until the IDS
policies deem it safe to open up again (e.g. if the policy is
a 10 minute block, then 10 minutes later the IDS would tell the PIX
to stop shunning the host.)


If you do use shun, here's something to watch out for: each
time the shunned system attempts to communicate, a log message
is generated. If your log level and configuration so permit, that
log message will be sent to your syslog server. The load
generated by the log message may be more than the load generated
by the attacking host itself. Thus, depending on your needs,
you might wish to specifically disable the shun log message.
--
"This was a Golden Age, a time of high adventure, rich living and
hard dying... but nobody thought so." -- Alfred Bester, TSMD
 
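
Added example (not code from the thread or from Cisco): a small Python responder that applies the two mechanisms Walter describes together, the immediate but unsaved `shun` with the time limit an IDS policy would impose, and the `access-list ... line 1 deny` insertion for a block that should survive a configuration save. It also refuses to act on addresses in its own protected ranges, since an IDS can be fed spoofed sources. The alert line format, the ACL name out2in and the protected ranges are assumptions.

```python
"""Turn an IDS alert into PIX shun / ACL commands with a time-limited shun.
Added example: alert format, ACL name and protected ranges are assumptions."""
import ipaddress
import re

# Ranges an automated responder must never shun: an IDS fed spoofed source
# addresses would otherwise let an attacker cut off your own hosts.
# Constructed list for the example.
NEVER_BLOCK = [ipaddress.ip_network(n)
               for n in ("10.0.0.0/8", "192.168.0.0/16", "203.0.113.0/24")]

# Assumed alert format: "... src=A.B.C.D dst=... " (constructed).
ALERT_RE = re.compile(r"\bsrc=(?P<src>\d{1,3}(?:\.\d{1,3}){3})\b")


def extract_attacker(alert_line):
    """Return the alert's source address, or None if it must not be blocked."""
    m = ALERT_RE.search(alert_line)
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m.group("src"))
    except ValueError:          # e.g. an octet above 255
        return None
    if any(ip in net for net in NEVER_BLOCK):
        return None
    return ip


def persistent_block(ip, acl="out2in"):
    """ACL line at position 1: applies before any permit and, unlike shun,
    is kept when the configuration is saved."""
    return f"access-list {acl} line 1 deny ip host {ip} any"


class ShunTable:
    """Tracks active shuns so the IDS policy's time limit is enforced;
    shun is unconditional, so it has to be removed explicitly."""

    def __init__(self, ttl_seconds):
        self.ttl = ttl_seconds
        self.active = {}            # ip -> expiry timestamp in seconds

    def add(self, ip, now):
        """Shun ip now; return the PIX command to send."""
        self.active[ip] = now + self.ttl
        return f"shun {ip}"

    def expire(self, now):
        """Return 'no shun' commands for every entry whose time is up."""
        done = [ip for ip, exp in self.active.items() if exp <= now]
        for ip in done:
            del self.active[ip]
        return [f"no shun {ip}" for ip in done]
```

The commands are returned as strings so they can be sent over whatever management channel the site uses; the script deliberately does not talk to the PIX itself.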
 
J1C, 06-15-2005:
What IDS' can create a SHUN entry on a PIX?

 
Walter Roberson, 06-15-2005:
J1C wrote:
:What IDS' can create a SHUN entry on a PIX?


http://www.cisco.com/en/US/products/...8025c533.shtml

http://www.cisco.com/en/US/products/...0800b4744.html

http://www.cisco.com/en/US/products/...80145270.shtml
--
"Who Leads?" / "The men who must... driven men, compelled men."
"Freak men."
"You're all freaks, sir. But you always have been freaks.
Life is a freak. That's its hope and glory." -- Alfred Bester, TSMD
 
 
J1C, 06-15-2005:
thanks!

 