Understanding Master Blocking

Nov 26,2008 by admin


In some network architectures, for reasons such as redundancy or perhaps cost, a connection to another ISP may be a feasible solution. An extranet connection or two may also be present. These connections create multiple entryways into our network and thus more risk areas that need to be monitored.

This is where a feature called master blocking comes in. Master blocking allows one sensor to perform the blocking for another. In a nutshell, one sensor learns of a triggered alarm and updates the triggering router with a new ACL. After the ACL has been updated, the sensor will communicate with any other sensors on the network that are configured for master blocking. The communication will take the form of a Telnet session request. At this point, the initializing sensor becomes the blocking forwarding sensor.

The contacted master blocking sensor(s) will accept the Telnet connection and update any of their respective network devices with the same ACL to keep the intruding data from entering the network via another path.

In Figure 8.4, we see how this process works.

Figure 8.4: A Master Blocking Sensor

Let's follow the steps taken when a malicious user attempts to access resources on a private network.

  1. The malicious user connects through the Internet to ISP ABC. From this point, he has somehow (perhaps by a brute force attack) accessed the internal network.

  2. The Cisco Secure IDS Sensor1 notices the strange traffic on the network, which happens to match one of the signatures it has been configured to monitor. This could possibly be a brute force attack on an internal system.

  3. Sensor1 creates and sends a new ACL to the perimeter router, Router1. This action stops the attack in its tracks.

  4. Now, with master blocking configured, Sensor1 requests all sensors listed within its Master Blocking Sensors panel, in this case Sensor2, to block this same attack. Meanwhile, the attacker tries to reroute his traffic to any other available interface to the network. If the attacker is prepared, the entry point via ISP XYZ will already be known. Therefore, the attacker attempts to continue the attack through this other interface.

  5. Sensor2 sends the ACL it received from Sensor1 to Router2 and blocks the traffic at this entry point as well.

In a nutshell, Sensor2 was completely unaware of the attack on Router1 until Sensor1 contacted it. This saves our sensor's resources from having to detect the same traffic over and over again and, most importantly, stops the traffic from entering again.
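
An added example (not from the original article and not Cisco's software): a small Python model of steps 3 to 5 that also audits a master blocking configuration for entry routers left open depending on which sensor detects the attack, which goes beyond the single case shown in Figure 8.4. The `Sensor` class, the function names, the attacker address, the simplified ACL line, single-hop forwarding, and Sensor2 having no Master Blocking Sensors list of its own are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Sensor:
    name: str
    routers: list  # perimeter routers this sensor updates directly
    master_blocking: list = field(default_factory=list)  # sensors it forwards blocks to


def propagate_block(sensors, detecting, attacker_ip):
    """Return {router: acl_line} after `detecting` fires, following steps 3-5."""
    acl = f"deny ip host {attacker_ip} any"  # simplified ACL entry (assumption)
    applied = {}
    origin = sensors[detecting]
    for router in origin.routers:  # step 3: block on its own router(s)
        applied[router] = acl
    for peer in origin.master_blocking:  # step 4: forward to listed sensors
        for router in sensors[peer].routers:  # step 5: peer blocks on its router(s)
            applied[router] = acl
    return applied  # single hop only: peers do not re-forward (assumption)


def uncovered_entry_points(sensors, entry_routers, attacker_ip="192.0.2.10"):
    """For each detecting sensor, list entry routers that receive no block."""
    gaps = {}
    for name in sensors:
        blocked = propagate_block(sensors, name, attacker_ip)
        missing = sorted(set(entry_routers) - set(blocked))
        if missing:
            gaps[name] = missing
    return gaps


# Constructed topology mirroring Figure 8.4: Sensor1 lists Sensor2 as a master
# blocking sensor; Sensor2 is given no list of its own (assumption).
SENSORS = {
    "Sensor1": Sensor("Sensor1", ["Router1"], ["Sensor2"]),
    "Sensor2": Sensor("Sensor2", ["Router2"]),
}
ENTRY_ROUTERS = ["Router1", "Router2"]

if __name__ == "__main__":
    print(propagate_block(SENSORS, "Sensor1", "192.0.2.10"))
    print(uncovered_entry_points(SENSORS, ENTRY_ROUTERS))
```

With this sample, an alarm on Sensor1 blocks both routers, while an alarm first seen by Sensor2 leaves Router1 open, which is the kind of one-directional gap the audit is meant to surface.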

