TippingPoint recommends configuring the management port on the IPS to use a non-routed IP address from the RFC 1918 private address space. This helps prevent direct attacks on the management port from the Internet. Additionally, the management port IP address filter feature should be used to limit which hosts can reach the management port at all: only addresses permitted by the filter list are allowed to access the IPS. Host IP filters are essentially Access Control Lists (ACLs) applied to the management port of the IPS.
When the IPS is initially configured, the default security policy is "permit any". Once you establish a host IP filter, whether it is a permit or a deny, the default IP filter becomes "deny any" (the old legal maxim that the inclusion of one is the exclusion of all others). If you are doing this via SSH (not the console), the first filter you add must be a permit rule for the IP address you are connecting from; otherwise the new "deny any" default drops your own session and you inadvertently lock yourself out of the management port.
Host IP filters are set using the CLI command (the address is given in CIDR notation, as in the examples below):
conf t host ip-filter (permit | deny) ip <A.B.C.D/M>
Note: The IPS must not be under SMS control when you change host IP filters. If the device is currently SMS-managed, use the command "conf t no sms" to temporarily un-manage the IPS, make the change, and then use the command "conf t sms" to resume SMS management.
For example, issue the following command to limit management port access to one host:
conf t host ip-filter permit ip 192.168.10.45/32
If you require more than one address, create a host ip-filter permit entry for each IP address, or for the subnet, that is allowed to access the device.
For example, if the legitimate management machines are on the 192.168.10.X subnet, enter the following CLI command:
conf t host ip-filter permit ip 192.168.10.0/24
In order to reverse the effect of the previous command, issue the following command:
conf t host no ip-filter permit ip 192.168.10.0/24
To change the default action back to "permit any" enter the following command:
conf t host ip-filter permit any ip
To view the current ip-filters and their hit counts, use the "show host -details" command:
#show host -details
IP Address        Action   # Hits
================  ======   ======
192.168.10.45     permit   38
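The lock-out hazard described above (the default silently flipping from "permit any" to "deny any" as soon as the first filter exists) is easy to model and check before touching a device. The following is an added example, not TippingPoint code and not the IPS's own matching logic: it evaluates a candidate filter list against the two rules the article states (empty list means permit any; once any entry exists, an unmatched address is denied), refuses to emit a change that would drop the administrator's own SSH session, and orders the commands so the administrator's permit is applied first, wrapped in the "conf t no sms" / "conf t sms" pair when the device is SMS-managed. The article does not say how overlapping permit and deny entries are prioritised, so the longest-prefix-wins rule used here is an assumption, as are the function names and the sample addresses.

```python
"""Plan a TippingPoint host ip-filter change without locking yourself out.

Added example, not TippingPoint code. It models only what the article states:
an empty filter list means "permit any", and once any permit or deny entry
exists the default becomes "deny any". Precedence between overlapping entries
is not stated in the article; this model ASSUMES the longest-prefix match wins.
"""
import ipaddress
from typing import Iterable, List, Tuple

Entry = Tuple[str, ipaddress.IPv4Network]  # (action, network)


def parse_entries(specs: Iterable[str]) -> List[Entry]:
    """Turn 'permit 192.168.10.0/24' style strings into (action, network) pairs."""
    entries: List[Entry] = []
    for spec in specs:
        action, cidr = spec.split()
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action {action!r}")
        # strict=True rejects host bits set in a network spec (e.g. 10.0.0.5/24)
        entries.append((action, ipaddress.ip_network(cidr, strict=True)))
    return entries


def is_allowed(source: str, entries: List[Entry]) -> bool:
    """Would a session from `source` reach the management port under `entries`?"""
    addr = ipaddress.ip_address(source)
    if not entries:
        return True                      # no filters at all: "permit any"
    matches = [(net.prefixlen, action) for action, net in entries if addr in net]
    if not matches:
        return False                     # filters exist: default is "deny any"
    _, action = max(matches)             # assumption: most specific entry wins
    return action == "permit"


def plan_commands(specs: Iterable[str], admin_source: str,
                  sms_managed: bool = False, via_console: bool = False) -> List[str]:
    """Return the CLI commands to apply, admin's own permit first.

    Raises RuntimeError if the resulting filter set would drop the session the
    administrator is typing from (only fatal over SSH; the console is unaffected).
    """
    entries = parse_entries(specs)
    if not via_console and not is_allowed(admin_source, entries):
        raise RuntimeError(
            f"{admin_source} would be denied once these filters exist; "
            "add a permit for it first or apply the change from the console")

    cmds: List[str] = []
    if sms_managed:
        cmds.append("conf t no sms")     # filters cannot be edited under SMS control

    ordered = list(entries)
    admin = ipaddress.ip_address(admin_source)
    covering = [e for e in ordered if e[0] == "permit" and admin in e[1]]
    if covering:
        # The first entry applied flips the default to "deny any", so it must be
        # the one that keeps the administrator's session alive.
        first = max(covering, key=lambda e: e[1].prefixlen)
        ordered.remove(first)
        ordered.insert(0, first)

    for action, net in ordered:
        cmds.append(f"conf t host ip-filter {action} ip {net.with_prefixlen}")

    if sms_managed:
        cmds.append("conf t sms")        # hand the device back to the SMS
    return cmds


if __name__ == "__main__":
    # Constructed sample: a management subnet plus one admin workstation.
    for cmd in plan_commands(["permit 10.1.1.0/24", "permit 192.168.10.45/32"],
                             admin_source="192.168.10.45", sms_managed=True):
        print(cmd)
```

Run it from the workstation you will use for the SSH session and paste the printed commands in the order given; if it raises instead, the filter list you drafted does not cover your own address and would have locked you out.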