The shun feature of the PIX Security Appliance allows a PIX, when combined with a Cisco IDS Sensor, to dynamically respond to an attacking host by preventing new connections and disallowing packets from any existing connection. A Cisco IDS device instructs the PIX to shun a source of traffic when it determines that source to be malicious.

The shun command, intended primarily for use by a Cisco IDS device, applies a blocking function to an interface receiving an attack. The shun command is not interface specific: traffic from the specified source address is dropped no matter which interface it arrives on. Packets containing the IP source address of the attacking host are dropped and logged until the blocking function is removed, either manually or by the Cisco IDS master unit. No traffic from the IP source address is allowed to traverse the PIX Security Appliance, and any remaining connections time out as part of the normal architecture. The blocking function of the shun command is applied whether or not a connection with the specified host address is currently active.

The offending host can be inside or outside of a network protected by the PIX Security Appliance. If the shun command is used with only the source IP address of the host, no further traffic from the offending host is allowed.

The show shun command displays all shuns currently enabled, in the exact format in which they were specified. The no form of the shun command disables a shun based on the IP source address.
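As an added illustration (not Cisco code), the following Python model captures the shun semantics described above: the shun check runs before the connection lookup and on every interface, drops are logged, existing flows from the shunned host receive no packets and age out, and the block stays until it is removed explicitly. The addresses, interface names and log format are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Packet:
    iface: str   # interface the packet arrives on, e.g. "outside" or "inside"
    src: str
    dst: str
    dport: int


@dataclass
class Pix:
    """Minimal model of shun handling; not the real PIX implementation."""
    conns: dict = field(default_factory=dict)      # (src, dst, dport) -> idle seconds
    shunned: set = field(default_factory=set)      # source IPs currently shunned
    log: list = field(default_factory=list)        # constructed log lines
    conn_timeout: int = 3600                       # idle timeout for a flow

    def shun(self, src: str) -> None:
        """'shun <src_ip>': block a source on every interface, even mid-connection."""
        self.shunned.add(src)

    def no_shun(self, src: str) -> None:
        """'no shun <src_ip>': the block is only ever lifted explicitly."""
        self.shunned.discard(src)

    def show_shun(self) -> list:
        return sorted(self.shunned)

    def forward(self, pkt: Packet) -> bool:
        """Return True if forwarded, False if dropped (a drop is also logged)."""
        if pkt.src in self.shunned:
            # Checked before the connection table and regardless of interface,
            # so an already established flow does not let the packet through.
            self.log.append(f"shunned packet {pkt.src} -> {pkt.dst} on {pkt.iface}")
            return False
        self.conns[(pkt.src, pkt.dst, pkt.dport)] = 0   # create or refresh the flow
        return True

    def tick(self, seconds: int) -> None:
        """Age flows; a shunned host's flows are never refreshed, so they expire."""
        for key in list(self.conns):
            self.conns[key] += seconds
            if self.conns[key] >= self.conn_timeout:
                del self.conns[key]
```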