What is the difference between IPS blocking, shunning, and permanent ACL block?
IPS blocking and shunning are not the same. When we set up a signature for IPS blocking, the device sends a series of TCP reset (RST) packets to the source and destination hosts in an attempt to tear down the TCP connection.
Shunning, on the other hand, is a temporary block issued at the firewall based strictly on the IP address. We typically issue shuns with a duration of 24 hours; the timer runs on our system's clock, and the shun expires once 24 hours have passed.
While we do have the ability to shun for up to a year, permanent firewall blocks are best put into actual ACLs on the firewall by your team, for the following reasons:
- A shun is kept in running memory and therefore uses more system resources than an ACL entry. If we were to accrue multiple shuns, all with year-long durations, this could slow down the firewall.
- If the firewall were to crash or reboot for any reason, any shuns in running memory would be lost.
Overall, shuns are designed not to be permanent, so again we recommend adding these blocks as permanent ACLs. If you would still like us to add those IPs as year-long shuns, please confirm that request and we will add them.
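As an added illustration of the difference described above (not part of the original answer), the following is a Cisco ASA CLI session; the page does not name the firewall platform, so the ASA and the address 203.0.113.5 are assumptions and the address is a constructed documentation example.

```text
! --- Temporary block: a shun lives only in running memory ---
asa# shun 203.0.113.5
asa# show shun
shun (outside) 203.0.113.5 0.0.0.0 0 0 0

! A shun does not appear in the saved configuration, so it is lost on reboot
asa# show running-config | include shun
asa#
asa# clear shun 203.0.113.5          ! removes the block manually before expiry

! --- Permanent block: an ACL entry that is part of the configuration ---
asa# configure terminal
asa(config)# access-list OUTSIDE_IN extended deny ip host 203.0.113.5 any
asa(config)# access-list OUTSIDE_IN extended permit ip any any
asa(config)# access-group OUTSIDE_IN in interface outside
asa(config)# end
asa# write memory                    ! persisted to startup-config, survives reboot
```

The deny entry is placed before the broader permit because the ASA evaluates an access list top down and stops at the first match.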