Understanding Blocking - Cisco 4215 - Intrusion Detection Sys Sensor Configuration Manual


Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0 (78-16527-01)

Chapter 10: Configuring Blocking

This chapter provides procedures for configuring the sensor to use blocking devices and for configuring
the sensor to be a master blocking sensor.

This chapter contains the following sections:
- Understanding Blocking
- Blocking Prerequisites
- Supported Blocking Devices
- Configuring Blocking Properties
- Configuring User Profiles
- Configuring Blocking Devices
- Configuring the Sensor to be a Master Blocking Sensor
- Configuring Manual Blocking
- Obtaining a List of Blocked Hosts and Connections

Understanding Blocking

Network Access Controller, the blocking application on the sensor, starts and stops blocks on routers,
switches, PIX Firewalls, FWSM, and ASA. Network Access Controller blocks the IP address on the
devices it is managing. It sends the same block to all the devices it is managing, including any other
master blocking sensors. Network Access Controller monitors the time for the block and removes the
block after the time has expired.

Caution: If ASA or FWSM is configured in multi-mode, blocking is not supported for the admin context.
Blocking is only supported in single mode and in multi-mode customer context.

There are three types of blocks:
- Host block—Blocks all traffic from a given IP address.
- Connection block—Blocks traffic from a given source IP address to a given destination IP address
  and destination port.
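The block behavior described above, modeled in an added Python example that is not Cisco code and not part of the original guide. The class and method names are hypothetical, and time is passed in explicitly so the expiry logic can be checked without waiting.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Block:
    src: str
    expires_at: float            # time at which the controller removes the block
    dst: Optional[str] = None    # None for a host block
    dport: Optional[int] = None  # None for a host block

    def matches(self, src: str, dst: str, dport: int) -> bool:
        ip = ipaddress.ip_address
        if ip(src) != ip(self.src):
            return False
        if self.dst is None:     # host block: all traffic from src
            return True
        # connection block: only this source to this destination and port
        return ip(dst) == ip(self.dst) and dport == self.dport


class BlockController:
    """Hypothetical model of the controller role described in the text."""

    def __init__(self, devices):
        # one block table per managed device (device names are constructed)
        self.tables = {name: set() for name in devices}

    def host_block(self, src, now, seconds):
        self._push(Block(src, now + seconds))

    def connection_block(self, src, dst, dport, now, seconds):
        self._push(Block(src, now + seconds, dst, dport))

    def _push(self, block):
        for table in self.tables.values():   # same block to every managed device
            table.add(block)

    def expire(self, now):
        """Remove timed-out blocks from all devices; return how many blocks ended."""
        ended = set()
        for table in self.tables.values():
            done = {b for b in table if b.expires_at <= now}
            table.difference_update(done)
            ended |= done
        return len(ended)

    def is_blocked(self, device, src, dst, dport):
        return any(b.matches(src, dst, dport) for b in self.tables[device])
```

A connection block leaves the same source free to reach other ports and destinations, which is the practical difference from a host block when choosing a response action.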
