Руководство По Обслуживанию для Cisco Cisco Expressway
Investigating Access Failures and Intrusions
If you need to investigate specific access failures or intrusion attempts, you can review all the relevant triggering log
messages associated with each category. To do this:
messages associated with each category. To do this:
1.
Go to System > Protection > Automated detection > Configuration.
2.
Click on the name of the category you want to investigate.
3.
Click View all matching intrusion protection triggers for this category.
The system will display all the relevant events for that category. You can then search through the list of
triggering events for the relevant event details such as a user name, address or alias.
triggering events for the relevant event details such as a user name, address or alias.
Automated Protection Service and Clustered Systems
When the automated protection service is enabled in a clustered system:
■
Each peer maintains its own count of connection failures and the trigger threshold must be reached on each
peer for the intruder's address to be blocked by that peer.
peer for the intruder's address to be blocked by that peer.
■
Addresses are blocked against only the peer on which the access failures occurred. This means that if an
address is blocked against one peer it may still be able to attempt to access another peer (from which it may
too become blocked).
address is blocked against one peer it may still be able to attempt to access another peer (from which it may
too become blocked).
■
A blocked address can only be unblocked for the current peer. If an address is blocked by another peer, you
must log in to that peer and then unblock it.
must log in to that peer and then unblock it.
■
Category settings and the exemption list are applied across the cluster.
■
The statistics displayed on the Automated detection overview page are for the current peer only.
Automated Protection in MRA Deployments
The Expressway-C receives a lot of inbound traffic from Unified CM and from the Expressway-E when it is used for
Mobile and Remote Access.
Mobile and Remote Access.
If you want to enable automated protection on the Expressway-C, you should add exemptions for all hosts that use
the automatically created neighbor zones and the Unified Communications secure traversal zone. The Expressway
does not automatically create exemptions for discovered Unified CM or related nodes.
the automatically created neighbor zones and the Unified Communications secure traversal zone. The Expressway
does not automatically create exemptions for discovered Unified CM or related nodes.
Additional Information
■
When a host address is blocked and tries to access the system, the request is dropped (the host receives no
response).
response).
■
A host address can be blocked simultaneously for multiple categories, but may not necessarily be blocked by
all categories. Those blocks may also expire at different times.
all categories. Those blocks may also expire at different times.
■
When an address is unblocked (either manually or after its block duration expires), it has to fail again for the
full number of times as specified by the category's trigger level before it will be blocked for a second time by
that category.
full number of times as specified by the category's trigger level before it will be blocked for a second time by
that category.
■
A category is reset whenever it is enabled. All categories are reset if the system is restarted or if the
automated protection service is enabled at the system level. When a category is reset:
automated protection service is enabled at the system level. When a category is reset:
—
Any currently blocked addresses are unblocked.
—
Its running totals of failures and blocks are reset to zero.
■
You can view all Event Log entries associated with the automated protection service by clicking View all
intrusion protection events on the Automated detection overview page.
intrusion protection events on the Automated detection overview page.
40
Cisco Expressway Administrator Guide
Network and System Settings