An Intrusion Detection system as we know can either work in Inline Mode (IPS) or in promiscuous mode (IDS). In inline mode, the IPS sensor can detect and block attacks by itself since all traffic passes through the sensor. However, in promiscuous mode, the IDS sensor can not block attacks by itself, but has to instruct the firewall to block the attack. This is depicted in the diagram below.
The IDS sensor in our example is connected in “parallel” (not inline) with the ASA firewall. The “Sensing Interface” of the IDS appliance is connected on the outside (Internet) network zone and is continuously monitoring traffic to detect attacks. The “Control Interface” of the IDS appliance is connected on the inside network zone and is used to communicate with the ASA firewall. If an attack is detected (e.g Attacker at address 100.100.100.1 is sending malicious traffic to Victim address 220.127.116.11), the IDS sensor instructs the ASA firewall (using the “Control Interface”) to block the attacking connection. This is done by the IDS sensor by asking the firewall to use the “shun” command to block the connection.
What is a “shun” command:
The shun command on the ASA Firewall appliance is used to block connections from an attacking host. Packets matching the values in the command are dropped and logged until the blocking function is removed manually or by the Cisco IDS sensor.
The format of the command is as following:
ASA# shun [source IP] [destination IP]
In our example scenario above, the IDS sensor will instruct the firewall to apply the following shun command:
shun 100.100.100.1 18.104.22.168
The above will block all communication from the attacker to the victim. Cisco IPS/IDS sensors have a timer with which you define how long the command will be active. After that time, the command is removed.