Table Of Contents
Configuring Zone Filters and Policy Templates
Zone Filters
Configuring Bypass Filters
Configuring the Flex Filter
Policy Templates
Configuring Policy Templates
Configuring Zone Filters and Policy Templates
This chapter describes how to use the Web-Based Management (WBM) to perform advanced configuration tasks for zones on the Cisco Traffic Anomaly Module and includes the following sections:
• Zone Filters
• Policy Templates
Zone Filters
The zone filters are the mechanism that directs the zone's mirrored traffic to the relevant detection modules. The Detector module enables you to set filter configurations to design a variety of possibilities for customized traffic direction and DDoS attack detection mechanisms. The Detector module uses three types of filters:
• Bypass filter—Bypass filters are used to prevent specific traffic flows from being handled by the Detector module protection mechanisms. See the "Configuring Bypass Filters" section for further details.
• Flex filter—A Flex filter is used to count a specified packet flow. It is a Berkeley Packet Filter that provides extremely flexible filtering capabilities, such as filtering according to fields in the IP and TCP headers and filtering according to content bytes. You can use complex Boolean expressions, but you can configure only one Flex filter per zone. See the "Configuring the Flex Filter" section for further details.
• Dynamic filter—The Detector module creates dynamic filters as the result of its analysis of the traffic flow. Dynamic filters either record the event in the Detector module syslog or activate remote Guards. See the "Dynamic Filters" section for further details.
Note
Changes in the filter configuration of a zone take effect immediately.
For detailed information on the Detector module filters, refer to the Cisco Traffic Anomaly Detector Module Configuration Guide.
Configuring Bypass Filters
A Bypass filter is used to prevent the Detector from handling specific traffic flows. You can configure a Bypass filter to direct trusted traffic away from the Detector detection mechanisms, and drop the traffic directly.
To create a Bypass filter, select Configuration > Bypass filters from the zone main menu, click Add and enter the parameters in the Bypass Filter Form. There are no default Bypass filters defined. Table 5-1 describes the bypass filter parameters.
Table 5-1 Bypass Filter Parameters
Parameter | Description
Source IP | Directs traffic coming from a specific IP address to bypass the Detector module filter system. Leave blank or enter * for any.
Source subnet | Directs traffic coming from a specific subnet to bypass the Detector module filter system. Choose the subnet from the drop-down list.
Protocol | Directs traffic from a specific protocol to bypass the Detector module filter system. The protocol is denoted by its well-known number. Leave blank or enter * for any.
Dst Port | Directs traffic destined to a specific destination port to bypass the Detector module filter system. Leave blank or enter * for any.
Fragments | Specifies the traffic type to be handled by the filter. Possible values are:
  • without—The Bypass filter acts on non-fragmented traffic.
  • with—The Bypass filter acts on fragmented traffic.
  • *—The Bypass filter acts on fragmented and non-fragmented traffic.
In the Bypass filter table, the counter shows the current rate, in packets per second (pps), of the traffic matched by that Bypass filter.
To delete a Bypass filter, check the box next to the relevant Bypass filter description and click Delete.
For a comprehensive explanation on the Bypass filter parameters, and examples, refer to the Cisco Traffic Anomaly Detector Module Configuration Guide.
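The matching semantics of Table 5-1 (blank or * means any, and the three Fragments values) worked through in Python, with a per-filter pps counter like the one in the Bypass filter table. This is an added example, not Cisco's code: the BypassFilter and Packet records, the CIDR notation for the subnet field and the sample traffic are all constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

WILD = {"", "*"}  # blank or '*' in the Bypass Filter Form means "any"
@dataclass(frozen=True)
class BypassFilter:
    """One row of the Bypass filter table (fields as in Table 5-1)."""
    source_ip: str = "*"      # single address, blank or '*'
    source_subnet: str = "*"  # subnet in CIDR notation (assumed) or '*'
    protocol: str = "*"       # IP protocol number, blank or '*'
    dst_port: str = "*"       # destination port, blank or '*'
    fragments: str = "*"      # 'with', 'without' or '*'
@dataclass(frozen=True)
class Packet:  # constructed summary of one mirrored packet (hypothetical fields)
    src: str
    proto: int
    dst_port: int | None      # None for protocols without ports
    fragment: bool
def matches(f: BypassFilter, p: Packet) -> bool:
    """True when every non-wildcard field of the filter matches the packet."""
    if f.source_ip not in WILD and ip_address(p.src) != ip_address(f.source_ip):
        return False
    if f.source_subnet not in WILD and ip_address(p.src) not in ip_network(f.source_subnet, strict=False):
        return False
    if f.protocol not in WILD and p.proto != int(f.protocol):
        return False
    if f.dst_port not in WILD and p.dst_port != int(f.dst_port):
        return False
    # 'without' = non-fragmented only, 'with' = fragmented only, '*' = both
    if f.fragments == "without" and p.fragment:
        return False
    if f.fragments == "with" and not p.fragment:
        return False
    return True
def bypass_rates(filters, packets, interval_s):
    """Per-filter rate in pps over interval_s, like the table counter."""
    return [sum(matches(f, p) for p in packets) / interval_s for f in filters]

# Constructed sample: bypass trusted internal DNS queries and all ICMP.
FILTERS = [
    BypassFilter(source_subnet="10.1.0.0/16", protocol="17", dst_port="53", fragments="without"),
    BypassFilter(protocol="1"),
]
PACKETS = [
    Packet("10.1.2.3", 17, 53, False),    # matches the DNS filter
    Packet("10.1.2.3", 17, 53, True),     # fragment: excluded by 'without'
    Packet("192.0.2.5", 1, None, False),  # ICMP: matches the second filter
    Packet("10.1.9.9", 6, 80, False),     # HTTP: bypassed by neither
]
```

`bypass_rates(FILTERS, PACKETS, 2.0)` gives 0.5 pps for each filter over the two-second sample.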
Configuring the Flex Filter
The Flex filter is a Berkeley Packet Filter with very selective filtering capabilities. Use the Flex filter to count a desired packet flow and to identify a narrowly defined malicious source of traffic. This filter has many parameters and is very flexible and easily tailored to a specific traffic flow. However, you can configure only a single Flex filter, and it is resource consuming. We recommend that you use the Flex filter cautiously because it might affect performance.
To configure the Flex filter, choose Configuration > General from the zone menu (if the zone is already defined), click the Config button below the second table with the Flex filter information and enter the parameters in the Zone Form.
You can also configure the Flex filter while creating a new zone. See the "Managing Zones" section for further details.
For a detailed explanation of the Berkeley Packet Filter configuration options, see http://www.freesoft.org/CIE/Topics/56.htm.
For a comprehensive explanation on Flex filter parameters, and examples, refer to the Cisco Traffic Anomaly Detector Module Configuration Guide.
Policy Templates
Detector module policies measure particular traffic flows. Once the Detector module senses suspicious threshold violations, the policies take action and can either remotely activate a Guard, or record the event in the Detector syslog. The Detector module policies enable the Detector module to keep up-to-date with the zone traffic, detect traffic anomalies, and take action accordingly. The policies are constructed from policy templates.
A policy template is a collection of rules and guidelines that are used during the learning process to construct the zone policies. The output of each template is a group of policies. The name of the policy template is derived from the characteristics that are common to all the policies it creates. This can be a protocol (such as DNS), an application (such as HTTP) or the objective (such as ip_scan). For example, the policy template tcp_connections produces policies that relate to connections, such as the number of concurrent connections. See "Learning Zone Traffic and Constructing Policies" for further details on the Detector module policies.
Table 5-2 shows a list of the Detector module policy templates.
Table 5-2 Policy Templates
Policy Template | Produces a group of policies relating to
dns_tcp | DNS-TCP protocol traffic.
dns_udp | DNS-UDP protocol traffic.
fragments | Fragmented traffic.
http | HTTP traffic flowing (by default) through port 80 (or other user-configured ports).
ip_scan | IP scanning (a situation in which a source IP tries to access many destination IPs on the zone). This policy template is relevant when the zone is defined as a subnet. By default, this policy template is disabled. The default action for this policy template is notify. Caution: The policies created by the ip_scan policy template are resource consuming and can affect performance.
other_protocols | Protocols other than TCP or UDP.
port_scan | Port scanning (a situation in which a remote client from a specific source IP address tries to access many ports on the zone). By default, this policy template is disabled. The default action for this policy template is notify. Caution: The policies created by the port_scan policy template are resource consuming and can affect performance.
tcp_connections | TCP connection characteristics.
tcp_not_auth | TCP connections that have not been authenticated by the Detector module anti-spoofing mechanisms.
tcp_outgoing | TCP connections initiated by the zone.
tcp_ratio | Ratios between different types of TCP packets. For example, SYN packets versus FIN/RST packets.
tcp_services | TCP services on ports other than HTTP-related ports (such as ports 80 and 8080).
udp_services | UDP services.
Configuring Policy Templates
To configure policy templates, choose Configuration > Policy templates from the zone main menu, choose a policy template from the list (Figure 5-1), click its name and enter the parameters in the Policy Template Form.
Figure 5-1 Policy Templates
To add or remove services from all policies that were created from a specific policy template, see the chapter on "Learning Zone Traffic and Constructing Policies".
During the learning process, the zone traffic flows transparently through the Detector module. Each active policy template produces a group of policies, according to the zone traffic characteristics. The Detector module enables you to define the maximum number of policies that the Detector module produces from a specific policy template, according to the Max Services parameter. The Detector module ranks the services by their level of traffic volume and then picks up the services that have exceeded the minimum threshold (as defined by the Min Threshold parameter) with the highest traffic volume and creates a policy for each one of them. Some of the policy templates create an additional policy to handle all traffic flows for which a specific policy was not added. These policies have a service of any.
Table 5-3 describes the parameters that can be configured for each of the policy templates:
Table 5-3 Policy Template Parameters
Parameter | Description
State | The policy template state. Possible values are:
  • enabled—The policy template continues to produce policies once the Detector module undergoes the Policy Construction phase.
  • disabled—The policy template does not produce policies once the Detector module undergoes the Policy Construction phase.
Min Threshold | The minimum traffic volume threshold for a service. Once the threshold is exceeded, the Detector module produces policies that relate to the traffic of specific services according to the particular traffic flow that violated the threshold. This parameter cannot be configured for policy templates that are essential for proper zone protection and therefore always produce a policy, such as fragments.
Max Services | The maximum number of services that the Detector module picks up and creates policies for, from the specific policy template. The greater the number, the more memory the zone uses. The Detector module ranks the services the policy relates to by their level of traffic volume. It then picks up the services that have exceeded the defined minimum threshold (as defined by the Min Threshold parameter) with the highest traffic volume and creates a policy for each one of them. You can only configure this parameter for policy templates that detect services, such as tcp_services. You cannot configure maximum services for policy templates that relate to a specific service (such as dns_tcp, which relates to service 53), or for policy templates that relate to a specific traffic characteristic (such as fragments).
Caution
If you disable a policy template, the Detector module can no longer protect the zone from traffic of the kind the policy template relates to. This may seriously compromise protection.
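The policy construction step described for Min Threshold and Max Services (rank learned services by volume, keep those that exceeded the threshold, cap at Max Services, and add a service 'any' policy for the remaining flows) worked through in Python, including the disabled-state case. This is an added example, not the Detector module's code: the PolicyTemplate record, the catch_all flag, the strict "exceeded" comparison and the learned per-port volumes are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class PolicyTemplate:
    """Table 5-3 parameters for a service-detecting template (e.g. tcp_services)."""
    name: str
    state: str = "enabled"      # 'enabled' or 'disabled'
    min_threshold: float = 0.0  # Min Threshold: volume a service must exceed
    max_services: int = 10      # Max Services: cap on policies (more = more zone memory)
    catch_all: bool = True      # assumed: also emit a service 'any' policy

def construct_policies(template: PolicyTemplate, observed: dict[str, float]) -> list[tuple[str, str]]:
    """Return the (template, service) policies the Policy Construction phase would produce.

    observed maps each learned service (a port number here) to its traffic volume;
    the unit is whatever the learning phase measured (pps in the constructed sample)."""
    if template.state != "enabled":
        return []  # a disabled template produces no policies at all
    # rank services by learned traffic volume, highest first
    ranked = sorted(observed.items(), key=lambda kv: kv[1], reverse=True)
    # keep only services whose volume exceeded Min Threshold ...
    above = [svc for svc, vol in ranked if vol > template.min_threshold]
    # ... and of those, at most Max Services with the highest volume
    policies = [(template.name, svc) for svc in above[: template.max_services]]
    if template.catch_all:
        policies.append((template.name, "any"))  # flows with no specific policy
    return policies

# Constructed sample: non-HTTP TCP services learned for a zone (service -> pps).
OBSERVED = {"22": 120.0, "25": 900.0, "443": 2500.0, "993": 150.0, "3306": 40.0, "8443": 300.0}
TCP_SERVICES = PolicyTemplate("tcp_services", min_threshold=100.0, max_services=3)

def demo() -> list[tuple[str, str]]:
    """Five services exceed 100 pps; Max Services keeps the top three plus 'any'."""
    return construct_policies(TCP_SERVICES, OBSERVED)
```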