Cisco Security Professional's Guide to Secure Intrusion Detection Systems

Blocking

Blocking is a word that just sounds like security, doesn't it? "We will block you from our network." In the world of Cisco, blocking is another name for "shunning": the sensor actively connects to a managed device such as a router or firewall and reconfigures it to stop, or "block," the attacking traffic. The IDS sensor uses its control port to establish the connection with the managed device and, on a router, applies an ACL to the managed interface. The sensor can likewise talk to a Cisco PIX firewall and dynamically change its configuration to shun the attack. The Cisco IDS sensor can manage the following Cisco IOS routers:
1600
2500
2600
3600
4500
4700
7200
7500
as well as PIX firewalls such as the 501, 506E, 515E, 525, and 535.
IP blocking eliminates the need for the engineer to log in to the device and make the blocking changes by hand. However, you need to be careful with blocking so as not to inadvertently block someone or something that is not attacking your network, such as a particular server, an extranet connection, or the address the sensor itself uses to reach the managed device. Keep a never-block list and have it checked before any shun is pushed.
Note: The PIX firewall uses the shun command to block; unlike the routers, its ACLs are not modified.
Other devices that can be managed are the Cisco Catalyst 6000 series switches with CatOS, 6000 switches with MSFC (Multilayer Switching Feature Card) and the Catalyst 5000 switch with an RSM (Route Switch Module).
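To make the two blocking paths concrete, here is an added example in Python that generates the device changes a sensor would push for one attacking host: an extended ACL bound to the managed interface for an IOS router, and a shun command for the PIX. It is illustration code written for this page, not the book's text or Cisco's sensor implementation. The protected address ranges, the ACL name IDS_BLOCK, and the function names are all assumptions made for the example; the IOS and PIX command syntax is the standard one.

```python
import ipaddress

# Constructed for this example: addresses that must never be shunned no matter
# what the sensor sees. All three ranges are hypothetical.
NEVER_BLOCK = (
    "10.10.10.0/24",      # hypothetical internal server segment
    "192.168.100.5/32",   # hypothetical extranet partner router
    "172.16.1.10/32",     # hypothetical address the sensor uses for its control session
)

# Hypothetical ACL name; the sensor's real naming scheme is not described on this page.
ACL_NAME = "IDS_BLOCK"


def is_blockable(attacker: str, never_block=NEVER_BLOCK) -> bool:
    """Return True only if the attacker address lies outside every protected range."""
    addr = ipaddress.ip_address(attacker)
    return not any(addr in ipaddress.ip_network(net, strict=False) for net in never_block)


def ios_block_commands(attacker: str, interface: str, never_block=NEVER_BLOCK) -> list[str]:
    """IOS configuration lines that block one host inbound on the managed interface.

    This is the router path: build an extended ACL that denies the attacker and
    bind it inbound. Binding the ACL replaces whatever access-group the interface
    already had, so a production blocker must merge the deny entry into the
    existing inbound policy rather than overwrite it as this illustration does.
    """
    if not is_blockable(attacker, never_block):
        raise ValueError(f"refusing to block protected address {attacker}")
    addr = ipaddress.ip_address(attacker)
    return [
        f"ip access-list extended {ACL_NAME}",
        f" deny ip host {addr} any",
        " permit ip any any",          # everything else still flows
        f"interface {interface}",
        f" ip access-group {ACL_NAME} in",
    ]


def ios_unblock_commands(interface: str) -> list[str]:
    """Undo the router block by removing the access-group from the interface."""
    return [
        f"interface {interface}",
        f" no ip access-group {ACL_NAME} in",
    ]


def pix_shun_commands(attacker: str, never_block=NEVER_BLOCK) -> list[str]:
    """PIX path: no ACL is touched, the shun command drops the host directly."""
    if not is_blockable(attacker, never_block):
        raise ValueError(f"refusing to shun protected address {attacker}")
    return [f"shun {ipaddress.ip_address(attacker)}"]


def pix_unshun_commands(attacker: str) -> list[str]:
    """Remove the shun once the block period has expired."""
    return [f"no shun {ipaddress.ip_address(attacker)}"]


if __name__ == "__main__":
    # 203.0.113.7 is documentation address space, used here as the constructed attacker.
    for line in ios_block_commands("203.0.113.7", "FastEthernet0/0"):
        print(line)
    print("\n".join(pix_shun_commands("203.0.113.7")))
    print("extranet peer blockable?", is_blockable("192.168.100.5"))
```

The never-block check is the part worth copying: the sensor only sees the source address of the offending packet, and a spoofed source inside a partner's range would otherwise let an attacker talk the sensor into cutting off that partner.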