I have shunning configured but I am confused about how to configure blocking on the signatures. What is the difference between block host and block connection?
A. Block host blocks all packets from that source address. Block connection only blocks the one connection based on source and destination IP/port. The PIX works in a slightly different manner. For automatic shuns, the Sensor sends the source IP, destination IP, source port, and destination port. The PIX blocks all packets that originate from that IP address. The additional information is used by the PIX to remove that one connection from its connection tables. If the connection has not been removed from the connection table, then it is theoretically possible that if the shun is removed shortly after it is applied, then the original connection might not have timed out yet. This allows the attacker to continue the attack on the original connection. The removal of the connection from the table ensures that the original connection cannot be used to continue the attack after the shun is removed. The Sensor cannot shun a single connection on the PIX because the PIX does not support the use
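The timing issue described in this answer can be reproduced with a small model. This is an added example, not Cisco code or PIX configuration: the `FirewallModel` class, the addresses, and the one-hour idle timeout are all constructed assumptions. It compares a shun that carries only the source address with one that also carries the connection details.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Conn:
    src: str
    dst: str
    sport: int
    dport: int

@dataclass
class FirewallModel:
    """Toy stateful firewall: a shun list plus a connection table (hypothetical)."""
    idle_timeout: int = 3600                    # assumed idle timeout in seconds
    shunned: set = field(default_factory=set)   # shunned source addresses
    conns: dict = field(default_factory=dict)   # Conn -> time last packet passed

    def establish(self, conn, now):
        self.conns[conn] = now

    def shun(self, src, conn=None):
        # Every packet from src is blocked; the optional connection details
        # are used only to delete that entry from the connection table.
        self.shunned.add(src)
        if conn is not None:
            self.conns.pop(conn, None)

    def no_shun(self, src):
        self.shunned.discard(src)

    def passes(self, conn, now):
        if conn.src in self.shunned:
            return False
        last = self.conns.get(conn)
        if last is None or now - last > self.idle_timeout:
            self.conns.pop(conn, None)
            return False    # no live entry; a new connection attempt is not modelled
        self.conns[conn] = now
        return True

def replay(with_connection_details, unshun_at=120):
    """Return (passes during shun, passes after shun removal) for the original connection."""
    fw = FirewallModel()
    c = Conn("192.0.2.10", "198.51.100.5", 40000, 80)   # constructed sample flow
    fw.establish(c, now=0)
    fw.shun(c.src, c if with_connection_details else None)
    during = fw.passes(c, now=60)
    fw.no_shun(c.src)
    after = fw.passes(c, now=unshun_at)
    return during, after
```
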