According to "Hank Nussbacher" <hank@att.net.il>:
> If I understand correctly, shunning is basically setting up an
ACL on the
> adjacent router to block the bad traffic. The IDS box doesn't
telnet into
> the cisco router every time it needs to do a change. The IDS
box sets up a
> permanent telnet session that doesn't timeout and sits logged
in to the
> router 24x7! Then it automatically sets up the ACL.
>
> Does anyone actually do this?!
It will also establish connectivity with a PIX via telnet or ssh
and do the same thing ... as to actually implementing it, I would
hope not. The potential for DoSing yourself with false
positives, whether naturally occuring or done maliciously with
spoofed headers, just seems too high to let your NIDS start
writing ACLs on the fly.
cheers.
-travis
This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:13:08 EDT