IPS blocking and shunning are not the same. When we set up a signature for IPS blocking, the device sends a series of TCP-reset packets to the source and destination hosts to attempt to disrupt the TCP connection.
On the other hand, when we shun, we are issuing a temporary block at the firewall based strictly on the IP address. We typically issue shuns for the duration of 24 hours. This is based on our system’s time and will expire after 24 hours have passed.
While we do have the ability to shun for up to a year, permanent firewall blocks are best put into actual ACLs on the firewall by your team, for the following reasons:
The shun is kept in running memory, and therefore uses more system resources than an actual ACL. If we were to accrue multiple shuns, all with year-long durations, this could cause a slowdown in system performance.
If the firewall were to crash or reboot for any reason, any shuns in running memory would be lost.
Overall, “shuns” are designed not to be permanent, so again we would recommend adding these as permanent ACLs. If you would still like us to add those IPs as year-long shuns, however, please confirm that request and we will add them.
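The shun lifecycle described above, as an added Python model (not Masergy's or any firewall vendor's code): a block keyed on source IP only that expires against the system clock with the 24-hour default and one-year cap, that is lost on reboot while ACL entries survive, and that flags long-lived shuns for migration to an ACL. The Firewall class, the 30-day migration threshold and the ASA-style ACL line syntax are assumptions.

```python
HOUR = 3600
DEFAULT_SHUN = 24 * HOUR         # default shun duration stated in the text
MAX_SHUN = 365 * 24 * HOUR       # longest shun the text allows
ACL_THRESHOLD = 30 * 24 * HOUR   # assumed policy: anything longer belongs in an ACL


class Firewall:
    """Constructed model: shuns live in running memory, ACL deny lines in saved config.

    Times are system-clock epoch seconds; a shun matches on source IP only.
    """

    def __init__(self, acl=None):
        self.acl = list(acl or [])   # persistent deny entries (IPs)
        self._shuns = {}             # ip -> (issued, duration); lost on reboot

    def shun(self, ip, now, duration=DEFAULT_SHUN):
        if not 0 < duration <= MAX_SHUN:
            raise ValueError("shun duration must be positive and at most one year")
        self._shuns[ip] = (now, duration)

    def _shun_active(self, ip, now):
        # Expiry is judged against the system clock, not against traffic seen.
        issued, duration = self._shuns.get(ip, (None, 0))
        if issued is None:
            return False
        if now >= issued + duration:
            del self._shuns[ip]      # expired shuns simply drop out of memory
            return False
        return True

    def is_blocked(self, ip, now):
        return ip in self.acl or self._shun_active(ip, now)

    def shuns_to_migrate(self, now):
        """Active shuns long enough that a persistent ACL entry is the better home."""
        return sorted(ip for ip in list(self._shuns)
                      if self._shun_active(ip, now) and self._shuns[ip][1] >= ACL_THRESHOLD)

    def reboot(self):
        """Crash or reload: the saved ACL survives, running-memory shuns do not."""
        return Firewall(acl=self.acl)


def render_acl(ips, name="PERMANENT_BLOCKS"):
    """ACL deny lines (ASA-style syntax assumed) to hand to the firewall team."""
    return [f"access-list {name} extended deny ip host {ip} any" for ip in sorted(set(ips))]
```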
IPS blocking is an active response that provides our system with the capability to respond to an attack when it has been detected. Whenever a hostile signature alert is triggered and set for active response, the Masergy Unified Enterprise Security intrusion detection/intrusion prevention system (IDS/IPS) sends a series of packets to both source and destination IPs in an attempt to disrupt the current session.
If the attack uses a TCP session, RST packets are sent to reset both hosts. In the case of UDP, ICMP packets are sent to the host initiating the UDP connection to inform the sender that the requested port/host is unavailable. We only set up IPS blocking on traffic with a very low rate of false positives, such as specific malware communication, APT exploit kit traffic, etc.
It is important to note that while effective, this method is not foolproof. Session sniping can be bypassed due to the time it takes for an intrusion detection system (IDS) to generate the RESET packets and drop the RESET packets onto the wire. The attacker can take advantage of this lag time by launching the next packet in the TCP session to arrive before the RESET packet.
Even though session disruption has limitations, it is a necessary feature in a defense-in-depth framework to prevent an attack in progress. In addition to IPS blocking, we also suggest integration with your firewall (if possible), as it allows us to issue shun/block commands upon seeing suspicious activity, ensuring the traffic is completely prevented for a specific period of time. This is especially useful for situations such as persistent scanning or attacks from the outside.
Overall, we recommend additional defense-in-depth security mechanisms in order to remediate attacks and address weaknesses from multiple angles.