Cisco Traffic Anomaly Detector Module Web-Based Management Configuration Guide (Software Version 4.0)
Operating and Monitoring Events on the Detector Module

Table Of Contents

Operating and Monitoring Events on the Detector Module

Detector Module Summary (Home) Page

Viewing Detector Module Diagnostics

Counters

Event Log

Configuring Access Control

Managing User Authentication

Creating Users

Users List

Changing a Password

Configuring Authorization

Assigning Privilege Levels


Operating and Monitoring Events on the Detector Module


This chapter describes how to use Web-Based Management (WBM) to operate and monitor events on the Cisco Traffic Anomaly Detector Module.

This chapter includes the following sections:

Detector Module Summary (Home) Page

Viewing Detector Module Diagnostics

Configuring Access Control

For information on managing and creating zones, see "Creating and Configuring Zones."


Note You can configure the switch to capture the traffic sent to the zone and pass a copy of it to the Detector module only by using the CLI. The Detector, the remote Guard list, and the network can also be configured only from the CLI. Refer to the Cisco Traffic Anomaly Detector Module Configuration Guide for further details.


Detector Module Summary (Home) Page

The Detector module Summary (Home) page (Figure 3-1) provides a summary of the current Detector module activity. It appears automatically after connecting to the Detector module WBM.

You can also reach the Detector module Summary Home page from a number of locations on the interface (Figure 1-1):

Select Detector Module Summary from the navigation pane.

Select Home from the information area.

Select Home from the navigation path displayed in the zone pages.

Figure 3-1 Detector Module Summary (Home) Page

The Detector Module Summary includes two sections:

Detector Summary—Provides a graph of the rate of traffic received and handled by the Detector over the last two hours, in bits per second (bps).

Table 3-1 describes the information that appears below the graph.

Table 3-1 Field Descriptions for Detector Module Summary Graph

Field  Description
Min    The minimum traffic rate measured during the last two hours, in bits per second (bps).
Max    The maximum traffic rate measured during the last two hours, in bits per second (bps).
Avg    The average traffic rate measured during the last two hours, in bits per second (bps).
Cur    The current traffic rate, in bits per second (bps).


Zones Under Detection—Provides a list of the zones currently under detection and a short status summary for each one. The zones are listed in order of attack, with the most recently attacked zone at the top of the list.

Table 3-2 describes the fields for zones under detection.

Table 3-2 Field Descriptions for Zones Under Detection

Field                                  Description
Zone                                   The zone name. The zone name is also a link to the home page of that zone.
Activation Time                        The date and time that zone protection was activated.
Attack Start Time                      The date and time the most recent attack on the zone was detected.
Receive Rate                           The current rate of traffic destined to the zone, measured in bps.
Thumbnail of the Zone traffic summary  A graph summarizing the traffic to the zone over the last half hour. The traffic rate appears in bits per second (bps). The legitimate traffic rate appears in green; the malicious traffic rate appears in red.


Viewing Detector Module Diagnostics

The Detector module provides diagnostic information to assist with troubleshooting and monitoring events.

To view the Detector module diagnostics, select Diagnostics from the main menu.

The following diagnostics are available:

Counters

Event Log

Counters

The Detector module Global Current Counters report (Figure 3-2) supplements the information displayed in the Detector module summary.

To display the Detector module global counters, select Diagnostics > Counters from the main menu.

Figure 3-2 Detector Module Global Counters/Rates

The Received packets counter provides information on the total number of packets received and analyzed by the Detector.

Table 3-3 describes the fields for the received packets counter.

Table 3-3 Field Descriptions for Received Packets Counter

Field    Description
Packets  The total number of packets received since the Detector was reloaded.
Bits     The total number of bits received since the Detector was reloaded.
pps      The current traffic rate, measured in packets per second.
bps      The current traffic rate, measured in bits per second.


Event Log

The Event log (Figure 3-3) displays monitoring and troubleshooting information for events that relate to the protected zones and to Detector module operation.

To display the event log, select Diagnostics > Event log from the Detector module's main menu.

Figure 3-3 Event Log

Table 3-4 shows the possible severity levels for events.

Table 3-4 Event Severity Levels

Event Level    Description
Emergencies    System is unusable
Alerts         Immediate action required
Critical       Critical condition
Errors         Error condition
Warnings       Warning condition
Notifications  Normal but significant condition
Informational  Informational messages
Debugging      Debugging messages


To filter events according to their severity level, check the boxes next to the severity levels and click Filter Events.


Note The event logs display only zone-related events with a severity level of Emergency, Alert, Critical, Error, Warning, or Notification. See "Zone Statistics and Diagnostics" for further details on zone event logs.


Configuring Access Control

Access control determines who is allowed to access the network server and which services they are allowed to use once they have access. The authentication and authorization network security services provide the primary framework through which you set up access control.

Authentication—The way a user is identified before being allowed access to the system and system services.

Authorization—The process of determining what a user is allowed to do once access to a system has been obtained. Authorization usually takes place after the user is authenticated and begins to operate the system.

Managing User Authentication

The Detector module initially has a preconfigured user name with administration privileges, which enables you to create new users. User definition enables you to divide the Detector module user community into domains, and to assign passwords as required for secure management access.

The Administrator can set which authentication method the Detector module uses when a user tries to log into the Detector module. Local authentication uses locally configured login passwords for authentication. This is the default authentication method.

Creating Users

A user with Administration privileges can configure local users.

To create a new user, select Users > Create user from the main menu.

Define the parameters in Table 3-5 for each user.

Table 3-5 User Parameter Description

Parameter         Description
User name         The user name. An alphanumeric string from 1 to 63 characters that starts with a letter. The string cannot contain spaces but can contain underscores.
Initial password  From 6 to 24 characters long, with no spaces.
Type              The user's privilege level. Choose a value from the drop-down list to assign a privilege level. See Table 3-6 for further details.


You can also create a new user by clicking Add on the Users List page.

Users List

To view the list of users defined on the Detector module, select Users > Users list from the main menu.

The list of users is divided into two categories:

System users—Users defined by the system. System users cannot be deleted. The system users are admin and riverhead.

Users—Users defined by the operator.

To delete a user, check the box next to the user name and click Delete.

To add a user, click Add.

The privilege level is displayed for each user (see Table 3-6).

To reconfigure a user, click on the user name and change the parameters.
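A constructed model of the Detector module's local user database, added here as an illustration (it is not Cisco code) that applies the rules from Table 3-5 (user name and password format), Table 3-6 (privilege levels) and the Users List section above: admin and riverhead are system users that cannot be deleted, and a privilege level is changed by deleting and re-adding the user. The class and function names are assumed for the illustration.

```python
import re

# Constructed model of the Detector module's local user database, written as
# an illustration for this guide; it is not Cisco code. The rules come from
# Table 3-5 (user name and password format), Table 3-6 (privilege levels) and
# the Users List section (admin and riverhead are system users that cannot be
# deleted; a privilege level is changed by deleting and re-adding the user).
USER_NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]{0,62}")
PRIVILEGE_LEVELS = ("admin", "config", "dynamic", "show")
SYSTEM_USERS = {"admin": "admin", "riverhead": "dynamic"}


def validate_user(name, password, level):
    """Return the Table 3-5 rule violations; an empty list means valid."""
    errors = []
    if not USER_NAME_RE.fullmatch(name):
        errors.append("user name: 1-63 letters, digits or underscores, "
                      "starting with a letter, no spaces")
    if " " in password or not 6 <= len(password) <= 24:
        errors.append("password: 6-24 characters with no spaces")
    if level not in PRIVILEGE_LEVELS:
        errors.append("type: must be one of " + ", ".join(PRIVILEGE_LEVELS))
    return errors


class UserDatabase:
    """Users keyed by name; each value is a (password, privilege level) pair."""

    def __init__(self):
        # System users exist from the start, as on the Detector module.
        self.users = {n: ("<system>", lvl) for n, lvl in SYSTEM_USERS.items()}

    def create(self, name, password, level):
        errors = validate_user(name, password, level)
        if errors:
            raise ValueError("; ".join(errors))
        if name in self.users:
            raise ValueError("user %s already exists" % name)
        self.users[name] = (password, level)

    def delete(self, name):
        if name in SYSTEM_USERS:
            raise PermissionError("%s is a system user and cannot be deleted" % name)
        del self.users[name]

    def change_level(self, name, new_level):
        # Follows the guide's procedure: delete the user, then add it again.
        password = self.users[name][0]
        self.delete(name)
        self.create(name, password, new_level)
```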

Changing a Password

To change the password, perform the following steps:


Step 1 From the Detector module main menu select Users > Change password. The Change Password window appears.

Step 2 Enter the existing password in the Old Password dialog box.

Step 3 Enter a new password in the New Password dialog box, re-enter the new password to verify your choice and click OK.

Step 4 If you enter an invalid password or the new password is not verified correctly, an error message appears. Click Go Back to try again.


Users that have Administration privileges can configure and change the password for all users defined on the Detector module.

To reconfigure or change the passwords of users, other than the current user, perform the following steps:


Step 1 From the main menu select Users > Users list and click on the user name.

Step 2 Click Config.

Step 3 Enter the new password and click OK.


Configuring Authorization

Access to Detector module services depends on the user privilege level. You can limit the services available to a user. The Detector module checks the user's profile, which is located in the local user database, to verify the user's access rights. Once authorized, the user is granted access to the requested service only if the information in the user's profile allows it.

Local authorization uses locally configured user profiles for command group access control. Authorization is defined for all commands at the specific privilege level. This is the default authorization method.

Assigning Privilege Levels

The Detector module is pre-configured with an Administration privilege level, enabling you to define the different user types. Defining users enables you to divide the Detector module user community into groups with different access privileges.

Table 3-6 shows the privilege levels and the corresponding operations.

Table 3-6 User Privilege Levels

User Privilege Level     Description
Administration (admin)   Full access to all operations.
Configuration (config.)  Full access to all operations except the operations relating to user definition, deletion, and modification.
Dynamic                  Access to monitoring and diagnostics operations, detection, and learning related operations. Users with Dynamic privileges can also configure the Flex and Dynamic filters (see the note below).
Show                     Access to monitoring and diagnostics operations.


We recommend that only users with a privilege level of Administration or Configuration configure filters. Users with lower privileges can add and remove Dynamic filters.

The user name admin grants Administration privileges. The user name riverhead grants Dynamic privileges.

The privilege level is assigned to the user when it is initially created. See the "Creating Users" section for more details.

To change the user privilege level, delete the user from the Users List and add the user again.
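A constructed helper, added for this guide and not part of Cisco's software, that encodes the grants of Table 3-6 as operation sets and picks the lowest privilege level covering what a new user actually needs, so the Type parameter of Table 3-5 can be chosen on a least-privilege basis. The operation category names are assumptions for the illustration.

```python
# Constructed helper for choosing a Detector module user's privilege level
# (the Type parameter of Table 3-5) from Table 3-6; an illustration for this
# guide, not Cisco code. Each level maps to the operation categories the table
# grants it (category names are assumed), and least_privilege_level() picks
# the lowest level that covers everything a user actually needs.
OPERATIONS = {
    "show":    {"monitoring", "diagnostics"},
    # Table 3-6 lets Dynamic users configure Flex and Dynamic filters, although
    # the guide recommends that only Administration or Configuration users do.
    "dynamic": {"monitoring", "diagnostics", "detection", "learning",
                "dynamic_filters", "flex_filters"},
    "config":  {"monitoring", "diagnostics", "detection", "learning",
                "dynamic_filters", "flex_filters", "configuration"},
    "admin":   {"monitoring", "diagnostics", "detection", "learning",
                "dynamic_filters", "flex_filters", "configuration",
                "user_management"},
}
# Lowest to highest privilege, as in Table 3-6.
LEVEL_ORDER = ("show", "dynamic", "config", "admin")


def is_permitted(level, operation):
    """True if Table 3-6 grants `operation` to a user of `level`."""
    return operation in OPERATIONS[level]


def least_privilege_level(needed):
    """Return the lowest level covering every needed operation, or None."""
    needed = set(needed)
    for level in LEVEL_ORDER:
        if needed <= OPERATIONS[level]:
            return level
    return None


def excess_operations(level, needed):
    """Operations a user of `level` may perform but does not need."""
    return sorted(OPERATIONS[level] - set(needed))
```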