[c-nsp] ASA/PIX shun "feature"

Jeff Kell jeff-kell at utc.edu
Fri Apr 7 16:22:32 EDT 2006


Here's some food for thought, especially for anyone using "shun" as a perimeter defense.

If you're being attacked by an IP, you apply a "shun" and no more traffic traverses a PIX/ASA with that source IP.  Or so I thought.

In the process of moving our ASA boxes into production, I have discovered this is not the case.  Last night one of our IDS sensors picked up traffic between some inside hosts and a botnet C&C host.  A specific signature was triggered and fired off a "shun" of the C&C host to the ASAs.

Nothing happened.

Well, not as expected.  No "new" connections were allowed from that host, but the existing connections were unscathed.  I am 99.9% certain that our PIX (6.3) blocked ALL subsequent traffic with the shunned IP as a source, as the sensors would abruptly stop capturing traffic in the middle of the session, which was good for security but a bit of a pain when trying to collect enough intel to track down the botnet.  This was not the case with the ASA (7.1(1)).  The sensor continued to log traffic for hours, and the ASA clearly showed the shun in place but with a zero hit count.

CCO says (case 603337375) this is a "feature".  I say this is a "bug" if not an outright security threat.  What do you think?

Jeff
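As an added illustration (not part of Jeff's post, and not Cisco tooling), here is a small check a defender can run over sensor or flow logs after applying a shun, to tell apart the two things that can go wrong: traffic still flowing on connections that were already open when the shun was applied (the ASA 7.1(1) behaviour described above) versus connections opened after the shun (the shun not enforced at all). The log line format, the IP addresses, ports and timestamps are all constructed for the example.

```python
import re
from datetime import datetime

# Constructed shun table: shunned source IP -> time the shun was applied.
# Example values only; not taken from the post.
SHUNS = {"203.0.113.7": datetime(2006, 4, 6, 23, 0, 0)}

# Constructed sensor log in a made-up "timestamp src=ip:port dst=ip:port" format.
# Connection to 10.1.2.3:40112 begins before the shun and keeps going for hours;
# connection to 10.1.2.4:51000 is first seen only after the shun;
# 198.51.100.9 is not shunned and must be ignored.
SAMPLE_LOG = """\
2006-04-06T22:50:10 src=203.0.113.7:6667 dst=10.1.2.3:40112
2006-04-06T22:55:41 src=203.0.113.7:6667 dst=10.1.2.3:40112
2006-04-06T23:05:02 src=203.0.113.7:6667 dst=10.1.2.3:40112
2006-04-06T23:30:00 src=203.0.113.7:6667 dst=10.1.2.4:51000
2006-04-07T01:15:33 src=203.0.113.7:6667 dst=10.1.2.3:40112
2006-04-06T23:40:00 src=198.51.100.9:80 dst=10.1.2.3:40200
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+):(\d+) dst=(\S+):(\d+)$")


def audit_shuns(shuns, log_lines):
    """Return one finding per connection from a shunned IP that still carried
    traffic after the shun was applied.

    verdict 'preexisting': connection began before the shun and survived it
    verdict 'new':         connection first seen after the shun (not enforced)
    """
    first_seen = {}
    last_seen = {}
    for line in log_lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the constructed format
        ts = datetime.fromisoformat(m.group(1))
        src = m.group(2)
        if src not in shuns:
            continue  # only traffic from shunned sources is of interest
        key = (src, m.group(3), m.group(4), m.group(5))  # src, sport, dst, dport
        first_seen[key] = min(first_seen.get(key, ts), ts)
        last_seen[key] = max(last_seen.get(key, ts), ts)

    findings = []
    for key, first in first_seen.items():
        shun_at = shuns[key[0]]
        last = last_seen[key]
        if last <= shun_at:
            continue  # all observed traffic pre-dates the shun; nothing to report
        verdict = "preexisting" if first < shun_at else "new"
        findings.append({"conn": key, "first_seen": first,
                         "last_seen": last, "verdict": verdict})
    findings.sort(key=lambda f: f["first_seen"])
    return findings


if __name__ == "__main__":
    for f in audit_shuns(SHUNS, SAMPLE_LOG.splitlines()):
        src, sport, dst, dport = f["conn"]
        print(f"{f['verdict']:11s} {src}:{sport} -> {dst}:{dport} "
              f"first {f['first_seen']} last {f['last_seen']}")
```

A zero hit count on the shun together with 'preexisting' findings is exactly the symptom in the post: the firewall is dropping new flows but leaving established ones alone, so the shun alone is not a containment step for a session that is already up. Any 'new' finding means the shun is not being applied to that traffic path at all and the device or placement needs a closer look.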


