Specifications

Chapter 10: General BSC Operational Settings
Normal State: By default, a user host will start in the Normal State unless otherwise blocked. The administrator-configurable parameter Maximum Number of Firewall Sessions per user is used to define the bounds of normal traffic. If a user host exceeds this maximum, i.e., if it tries to make too many connections to the BSC, the IDS records a violation for the host. If the host’s violation count exceeds the Violation Threshold setting, the IDS transitions the host’s state to Pre-monitoring.
Pre-monitoring State: In this state the IDS tracks the host’s violations of the Violation Threshold setting. If the host accrues more violations than specified in the Max Number of Violations setting, the IDS transitions the host to the Monitoring State. If the host does not exceed the Max Number of Violations within the period of time specified by the Pre-monitoring Timeout setting, the IDS returns the host to the Normal State.
Monitoring State: If a host progresses all the way from the Normal to the Monitoring state, there is a high probability that it may be involved in some abnormal activity. While a host is in this state, the IDS blocks all problematic host ports immediately, identifies the type of attack, and takes additional actions as necessary. The possible necessary actions include blocking traffic on one or more additional host ports, or blocking all traffic from the host. A user accessing the BSC via a host in the Monitoring state will be redirected to the URL specified by the URL to redirect detected devices setting. If the BSC IDS does not detect any further abnormal activity from the host, the IDS will transition the host back to the Pre-monitoring State.

A host in the Monitoring state is able to send normal traffic on all ports with the exception of those ports that have been blocked. All dropped packets are tallied.

The BSC IDS will transition the host from the Monitoring State to the Blocked State once the number of ports specified in the Ports to block before entering Blocked State setting are blocked, or if the host continues to make too many connection attempts. If the Ports to block before entering Blocked State setting is set to zero, the IDS will immediately transition the host from the Monitoring state to the Blocked state.
Blocked State: Once a user host enters into this state, the MAC of the host is noted and the blocked user is placed into the Administrator-selected IDS role. You may select only a single IDS role for users in the Blocked State. There are two default IDS roles from which to select: Monitoring Mode (allow all traffic) or Quarantined (deny all traffic). You may customize
Figure 10-2: BSC IDS Host State Model (diagram of the four host states: Normal, Pre-monitoring, Monitoring, Blocked)
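The host state model described above, written out as a small state machine. This is an added example, not Bluesocket code: the class and method names are hypothetical, the default values are constructed, and it assumes the violation counter resets on every transition and that the timeout is in seconds. It leaves out the "continues to make too many connection attempts" path to Blocked and the IDS role assignment.

```python
from dataclasses import dataclass, field

@dataclass
class Settings:  # fields mirror the page's settings; default values are constructed
    max_sessions: int = 100          # Maximum Number of Firewall Sessions per user
    violation_threshold: int = 3     # Violation Threshold
    max_violations: int = 5          # Max Number of Violations
    premonitoring_timeout: int = 60  # Pre-monitoring Timeout (seconds assumed)
    ports_to_block: int = 2          # Ports to block before entering Blocked State

@dataclass
class Host:
    cfg: Settings
    state: str = "Normal"
    violations: int = 0
    entered: float = 0.0             # time the current state was entered
    blocked_ports: set = field(default_factory=set)

    def _enter(self, state, now):
        self.state, self.violations, self.entered = state, 0, now
        if state == "Monitoring" and self.cfg.ports_to_block == 0:
            self.state = "Blocked"   # zero means an immediate transition

    def observe(self, now, sessions):
        """Feed one sample of the host's concurrent session count."""
        expired = now - self.entered > self.cfg.premonitoring_timeout
        if self.state == "Pre-monitoring" and expired:
            self._enter("Normal", now)   # timeout passed without escalation
        if self.state in ("Normal", "Pre-monitoring") and sessions > self.cfg.max_sessions:
            self.violations += 1
            if self.state == "Normal" and self.violations > self.cfg.violation_threshold:
                self._enter("Pre-monitoring", now)
            elif self.state == "Pre-monitoring" and self.violations > self.cfg.max_violations:
                self._enter("Monitoring", now)
        return self.state

    def block_port(self, port):
        """Record a port blocked while the host is in Monitoring."""
        if self.state == "Monitoring":
            self.blocked_ports.add(port)
            if len(self.blocked_ports) >= self.cfg.ports_to_block:
                self.state = "Blocked"
        return self.state

    def quiet(self, now):
        """No further abnormal activity was seen while in Monitoring."""
        if self.state == "Monitoring":
            self._enter("Pre-monitoring", now)
        return self.state
```

Running a tuning change through a model like this before applying it shows how many over-limit samples a host needs to reach Blocked, and whether a low Ports to block before entering Blocked State value would cut off a host after a single escalation.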