A-18
Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0
78-16527-01
Appendix A System Architecture
MainApp
Caution: Cisco firewalls do not support connection blocking of hosts. When a connection block is applied, the firewall treats it like an unconditional block. Cisco firewalls also do not support network blocking. Network Access Controller never tries to apply a network block to a Cisco firewall.
Blocking with Cisco Firewalls
Network Access Controller performs blocks on firewalls using the shun command. The shun command has the following formats:
• To block an IP address:
  shun srcip [destination_ip_address source_port destination_port [port]]
• To unblock an IP address:
  no shun ip
• To clear all blocks:
  clear shun
• To show active blocks or to show the global address that was actually blocked:
  show shun [ip_address]
Network Access Controller uses the response to the show shun command to determine whether the block was performed.
The shun command does not replace existing ACLs, conduits, or outbound commands, so there is no need to cache the existing firewall configuration, nor to merge blocks into the firewall configuration.
Caution: Do not perform manual blocks or modify the existing firewall configuration while Network Access Controller is running.
If the block command specifies only the source IP address, existing active TCP connections are not broken, but all incoming packets from the blocked host are dropped.
When Network Access Controller first starts up, the active blocks in the firewall are compared to an
internal blocking list. Any blocks that do not have a corresponding internal list entry are removed.
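As an added example that is not part of the Cisco guide, the following Python sketch models the behaviour described above: building shun commands in the quoted format, reading the show shun response to confirm that a block took effect, and removing active blocks that have no corresponding internal list entry at startup. The show shun output lines and the addresses are constructed for illustration; the real output format is an assumption, not taken from the page.

```python
import re

# Constructed sample of a "show shun" response (format assumed, not from the guide).
SAMPLE_SHOW_SHUN = """\
shun (outside) 192.0.2.10 0.0.0.0 0 0
shun (outside) 192.0.2.11 198.51.100.5 1234 80
shun (inside) 192.0.2.12 0.0.0.0 0 0
"""

# One line of the assumed output: interface, source, destination, sport, dport.
SHUN_LINE = re.compile(
    r"^shun \((?P<intf>\S+)\) (?P<src>\S+) (?P<dst>\S+) (?P<sport>\d+) (?P<dport>\d+)"
)


def build_shun(src, dst=None, sport=None, dport=None, port=None):
    """Build a shun command in the format quoted above. The bracketed group is
    all-or-nothing: destination address, source port and destination port go
    together, and the trailing port may only follow them."""
    conn = (dst, sport, dport)
    parts = ["shun", src]
    if any(p is not None for p in conn):
        if not all(p is not None for p in conn):
            raise ValueError("destination_ip_address, source_port and destination_port go together")
        parts += [dst, str(sport), str(dport)]
        if port is not None:
            parts.append(str(port))
    elif port is not None:
        raise ValueError("port is only valid after the connection parameters")
    return " ".join(parts)


def parse_show_shun(text):
    """Return the set of source addresses the firewall reports as shunned."""
    return {m.group("src") for m in (SHUN_LINE.match(l.strip()) for l in text.splitlines()) if m}


def verify_block(show_shun_text, ip):
    """The block counts as performed only if the address appears in the response."""
    return ip in parse_show_shun(show_shun_text)


def startup_reconcile(show_shun_text, internal_list):
    """Startup behaviour from the text: every active block with no entry in the
    internal blocking list is removed. Returns the unblock commands to send."""
    stale = sorted(parse_show_shun(show_shun_text) - set(internal_list))
    return [f"no shun {ip}" for ip in stale]
```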
For more information, see Supported Blocking Devices, page 10-3.
Network Access Controller supports authentication on a firewall using local usernames or a server. If you configure the firewall to authenticate using AAA but without the server, Network Access Controller uses the reserved username pix for communications with the firewall. If the firewall uses a server for authentication, you use a username. In some firewall configurations that use AAA logins, you are presented with three password prompts: the initial firewall password, the AAA password, and the enable password. Network Access Controller requires that the initial firewall password and the AAA password be the same.
When you configure a firewall to use NAT or PAT and the sensor is checking packets on the firewall
outside network, if you detect a host attack that originates on the firewall inside network, the sensor tries
to block the translated address provided by the firewall. If you are using dynamic NAT addressing, the
block can be ineffective or cause innocent hosts to be blocked. If you are using PAT addressing, the
firewall could block the entire inside network. To avoid these situations, position your sensor on the
inside interface or do not configure the sensor to block.