-
Cisco Traffic Anomaly Detector Module Configuration Guide (Software Version 5.0)
-
Index
-
Preface
-
Product Overview
-
Configuring the Detector Module on the Supervisor Engine
-
Initializing the Detector Module
-
Configuring the Detector Module
-
Configuring Zones
-
Configuring Zone Filters
-
Configuring Policy Templates and Policies
-
Using Interactive Detect Mode
-
Understanding Attack Reports
-
Using the Detector Module Diagnostics Tools
-
Performing Maintenance Tasks
-
Table Of Contents
Learning the Zone Traffic Characteristics
Understanding the Learning Process
Understanding the Detect and Learn Function
Synchronizing the Zone Learning Process Results with a Cisco Anomaly Guard Module
Configuring Learning Parameters
Configuring the Threshold Selection Method
Tuning Zone Policy Thresholds and Enabling Zone Anomaly Detection Simultaneously
Synchronizing the Zone Configuration in the Detector Module with the Cisco Anomaly Guard Module
Configuring Zones for Synchronization
Configuring the Automatic Zone Synchronization and Export Parameters
Synchronizing the Zone Configuration Automatically
Synchronizing the Zone Configuration to the Detector Module
Synchronizing the Zone Configuration from the Detector Module
Exporting the Zone Configuration Automatically
Exporting the Zone Configuration Manually
Synchronizing the Zone Configuration Offline
Configuring the Default Remote Guard Lists
Configuring the Zone Remote Guard Lists
Detecting Zone Traffic Anomalies
Activating Zone Anomaly Detection
Deactivating Zone Anomaly Detection
Configuring How the Detector Module Performs Zone Anomaly Detection
Configuring Guard-Protection Activation Methods
Configuring Zones
This chapter describes how to create and manage zones on the Cisco Traffic Anomaly Detector Module (Detector module). These procedures are required to enable zone detection.
This chapter contains the following sections:
•
Learning the Zone Traffic Characteristics
•
•
•
Overview
A zone is a network element, which the Detector module monitors for DDoS attacks. A zone can be a network server, client, or router; a network link, subnet, or an entire network; an individual Internet user, or a company; an Internet Service Provider (ISP); or any combination of the above. When the Detector module identifies a DDoS attack, it can activate a Cisco Anomaly Guard Module automatically to protect the zone against the attack, or it can notify the user to activate the Cisco Anomaly Guard Module manually. The Detector module can analyze the traffic for different zones simultaneously, as long as their network address ranges do not overlap.
You assign a name to the zone and use this name to refer to it.
The zone configuration process consists of the following tasks:
•
•
•
•
Creating a Zone
You can create a zone and configure the zone name, description, network address, operation definitions, and networking definitions.
When you create a new zone, you can use an existing zone as a template or you can create a zone from system-defined zone templates. The zone template defines the initial policy and filter configuration of the zone.
You can create a new zone in two ways:
•
After you create a new zone, you must configure the zone attributes.
•
See the "Configuring Zone Attributes" section for information on how to modify the zone configuration settings.
Creating a New Zone
To create a new zone from system-defined zone templates, enter one of the following commands:
•
•
When using a system-defined zone template, the Detector module applies the default settings to all zone attributes.
If the command is performed successfully, the Detector module enters the configuration mode of the new zone.
If you enter the name of an existing zone without specifying a zone template, the Detector module enters the configuration mode of the specified zone.
Table 5-1 provides the arguments and keywords for the zone command.
Table 5-1 Arguments and Keywords for the zone Command
new-zone-name
The name of a new zone. The name is an alphanumeric string from 1 to 63 characters. The string must start with an alphabetic letter, can contain underscores, but cannot contain any spaces.
zone-name
The name of an existing zone.
template-name
(Optional) A zone template that defines the zone configuration. The default is to create the zone using the DETECTOR_DEFAULT zone template.
See Table 5-2 for more information.
interactive
(Optional) Sets the Detector module to perform zone anomaly detection in an interactive manner. The dynamic filters that the policies create appear as recommendations. You must decide whether or not to activate each dynamic filter. See Chapter 8, "Using Interactive Detect Mode," for more information.
The Detector module contains two sets of zone templates with the following prefixes:
•
•
See the "Configuring Zones for Synchronization" section for more information on how to configure zones that were created from these templates.
Table 5-2 displays the zone templates.
Table 5-2 Zone Templates
DETECTOR_DEFAULT
The default zone template. If you create a zone using this zone template you cannot detect TCP worm attacks on the zone.
DETECTOR_WORM
A zone template that enables to detect TCP worm attacks on the zone.
Bandwidth-limited Link Templates
Zone templates designed for detection of large subnets segmented according to zones with known bandwidth. You can activate zone detection for zones defined by these zone templates without undergoing the learning process. We recommend that you define such a zone with a Guard protection activation method of dst-ip-by-name (the Detector module activates a Cisco Anomaly Guard Module to protect a particular IP address when it detects an anomaly in the zone traffic that is destined to that IP address) by using the protect-ip-state command. See the "Configuring Guard-Protection Activation Methods" section for more information.
The policy thresholds are tuned so that the Detector module identifies an attack on the zone once the traffic rate to the zone exceeds the specified rate.
The following bandwidth-limited link zone templates are available for 128 Kb, 1 Mb, 4 Mb, and 512 Kb links:
DETECTOR_LINK_128K
DETECTOR_LINK_1M
DETECTOR_LINK_4M
DETECTOR_LINK_512K
Bandwidth-limited Link Templates (continued)
You cannot perform the policy construction phase of the learning process for zones that were created from these templates.
Guard zone templates
Zone templates designed to enable synchronization of zone configuration with the Guard module. You can configure both Detector module and Guard module attributes for zones that were created from these templates, and copy the zone configuration to the Guard module. The Guard zone templates are as follows:
•
•
You cannot perform policy construction for zones that were created from these templates. You can activate zone detection for zones that were created from the GUARD_LINK zone templates without undergoing the threshold tuning phase. We recommend that you define such a zone with a Guard protection activation method of dst-ip-by-name (the Detector module activates a Cisco Anomaly Guard Module to protect a particular IP address when it detects an anomaly in the zone traffic that is destined to that IP address) by using the protect-ip-state command. See the "Configuring Guard-Protection Activation Methods" section for more information.
Guard zone templates (continued)
•
This example shows how to create a new zone:
user@DETECTOR-conf# zone scannet interactiveuser@DETECTOR-conf-zone-scannet#To delete a zone, use the no zone command. When deleting a zone, you can use an asterisk (*) as a wildcard character at the end of the zone name. The wildcard allows you to remove several zones with the same prefix in one command.
To display the zone templates, use the show templates command in global or configuration mode. To display the zone template default policies, use the show templates template-name policies command in global or configuration mode.
Duplicating a Zone
You can create a new zone based on an existing zone. When using an existing zone as a template for the new zone, all properties of the existing zone are copied to the newly defined zone. If you specify a snapshot, the zone policies are copied from the snapshot.
To duplicate a zone, enter one of the following commands:
•
•
Table 5-3 provides the arguments for the zone command.
Table 5-3 Arguments for the zone Command
new-zone-name
The name of a new zone. The name is an alphanumeric string from 1 to 63 characters. The string must start with an alphabetic letter and can contain underscores, but cannot contain any spaces.
copy-from-this
Creates a new zone with the configuration of the current zone.
copy-from
Creates a new zone with the configuration of the specified zone.
zone-name
The name of an existing zone.
snapshot-id
The ID of an existing snapshot. See the "Displaying Snapshots" section on page 7-41 for more information.
The following example shows how to create a new zone from the current zone:
user@DETECTOR-conf-zone-scannet# zone mailserver copy-from-thisuser@DETECTOR-conf-zone-mailserver#If the command is performed successfully, the Detector module enters the configuration mode of the new zone.
The policies of the new zone are marked as untuned. We recommend that you perform the threshold tuning phase of the learning process to tune the policy thresholds to the zone traffic. If the traffic characteristics of the new zone are identical or very similar to the traffic characteristics of the originating zone, you can mark the policy thresholds as tuned. See the "Marking the Policies as Tuned" section for more information.
Configuring Zone Attributes
After you create the zone, you can configure the zone attributes.
To configure the zone attributes, perform the following steps:
Step 1
To enter zone configuration mode, enter one of the following commands:
•
•
The zone-name argument specifies the name of an existing zone.
Step 2
To configure the zone IP address, enter the following command:
ip address ip-addr [ip-mask]Table 5-4 provides the arguments for the ip address command.
You must define at least one IP address before you can activate zone anomaly detection. You can add additional zone IP addresses and subnets at any time.
If you modify the zone IP address or subnet, perform one of the following tasks:
•
•
•
Step 3
description stringThe maximum string length is 80 characters.
To modify a zone description, reenter the zone description. The new description overrides the previous description.
Step 4
The configuration information consists of CLI commands that are executed to configure the Detector module with the current settings. Refer to the specific command entries for more information.
The following example shows how to create a new zone and configure the zone attributes:
user@DETECTOR-conf# zone scannetuser@DETECTOR-conf-zone-scannet# ip address 192.168.100.34 255.255.255.252user@DETECTOR-conf-zone-scannet# description Demonstration zoneLearning the Zone Traffic Characteristics
This section describes how to use the Detector module learning process to analyze zone traffic characteristics to create and fine-tune the policies that the Detector uses for zone anomaly detection.
This section contains the following topics:
•
•
•
•
Understanding the Learning Process
During the learning process, the Detector learns the normal zone traffic characteristics. The Detector module uses the learning process results to create policies for zone anomaly detection. These policies instruct the Detector on how to handle the zone traffic flows.
After an initial learning process of constructing policies, you can activate the learning process and zone anomaly detection simultaneously. At the same time, the Detector module tunes the policy thresholds and monitors the policy thresholds for traffic anomalies. This process enables the Detector module to detect anomalies in the zone traffic, while constantly updating the policy thresholds according to the zone traffic characteristics, and prevents the Detector module from learning malicious traffic thresholds.
For the learning process to take place, you must configure the switch to capture the traffic sent to the zone and pass a copy of it to the Detector module. See the "Configuring Traffic Sources for Capturing Traffic" section on page 2-4 for more information.
The learning process consists of these two phases:
1.
The policy templates are the Detector module tools for constructing the policies. These templates define the types of zone policies that the Detector module creates. The policy templates also define the maximum number of services that the Detector module monitors closely and the minimum threshold that triggers the Detector module to create new policies. To change the rules for constructing zone policies, change the policy template parameters before you initiate the policy construction phase. See Chapter 7, "Configuring Policy Templates and Policies," for more information.
2.
You can activate the threshold tuning phase and activate zone anomaly detection simultaneously (the detect and learn function) to prevent the Detector module from learning malicious traffic thresholds. You can set the Detector module to constantly tune the zone policies and define the intervals in which the Detector module updates the policy thresholds.
The Detector module learns the zone traffic characteristics to acquire a basis on which to compare zone traffic and trace any anomalies that might become malicious. The Detector module does not modify the current zone policies during the learning process and updates the policies when you decide to accept the results of one of the learning phases only. After the policies are created, you can add and delete policies or change policy parameters such as thresholds, services, timeouts, and actions.
You can back up the current zone policies at all times by using the snapshot threshold-selection cur-thresholds command. See the "Creating Snapshots" section on page 7-38 for more information.
The Detector module learns new services for worm policies during the threshold tuning phase, rather than during the policy construction phase. Therefore, you may see new services (ports) added to worm policies during the threshold tuning phase.
You can enter learning-related commands for several zones at the same time. Enter the command in global mode and use an asterisk (*) as a wildcard. For example, to initiate the policy construction phase for all zones, enter the learning policy-construction * command in global mode. To accept the results of the policy construction phase for all Detector module zones with names that begin with scan (such as scannet and scanserver), enter the no learning scan* accept command in global mode.
Understanding the Detect and Learn Function
After an initial learning process of constructing policies, you can activate the learning process and enable zone anomaly detection simultaneously using the detect and learn function. The Detector module tunes the policy thresholds and at the same time monitors the policy thresholds for traffic anomalies. The detect and learn function enables the Detector module to detect anomalies in the zone traffic, constantly update the policy thresholds according to the zone traffic characteristics, and prevents the Detector module from learning malicious traffic thresholds.
Before you activate the protect and learn function, you can configure when and how the Detector module accepts the results of the learning process by configuring the learning parameters.
See the "Tuning Zone Policy Thresholds and Enabling Zone Anomaly Detection Simultaneously" section for more information.
Synchronizing the Zone Learning Process Results with a Cisco Anomaly Guard Module
You can configure the Detector module to constantly learn the zone traffic and update a Cisco Anomaly Guard Module (Guard module) with the zone policies.
When the Detector module detects an attack on the zone, it stops the learning process, and activates the Guard module to protect the zone, and resumes learning the zone traffic when the attack ends. This process enables you to tune the zone policy thresholds continuously, but refrain from constantly diverting the zone traffic to the Guard module.
To synchronize the learning process results with a Guard module, you must perform the following tasks:
1.
2.
3.
4.
You can synchronize the zone configuration with the Guard module or configure the Detector module to synchronize the zone configuration with the Guard module automatically. See the "Synchronizing the Zone Configuration in the Detector Module with the Cisco Anomaly Guard Module" section for more information.
Constructing Policies
In the policy construction phase, the Detector creates the zone policies using the policy templates. The traffic flows transparently through the Detector enabling it to discover the main services (ports and protocols) that the zone uses. You can configure the policy construction rules. For example, you can prevent the Detector from creating policies of a certain type by disabling the relevant policy template. To change the rules for constructing zone policies, change the policy template parameters before you initiate the policy construction phase. See the "Understanding Policy Templates" section on page 7-4 for more information.
The Detector module sets default values for the policy parameters (timeout, action and threshold). See Chapter 7, "Configuring Policy Templates and Policies," for information on how to configure the default values for the operational parameters.
The new policies that the Detector module creates in this phase replace the existing ones.
Note
To construct the zone policies, perform the following steps:
Step 1
learning policy-construction
Tip
Step 2
You can save a snapshot of the learning parameters (services, thresholds, and other policy related data) by using the snapshot command at any stage during the policy construction phase, and review it later. You can save a single snapshot or save a periodic snapshot at specified intervals.
For more information, see the "Using Snapshots to Verify the Results of the Learning Process" section on page 7-37.
Step 3
To accept the policies that the Detector module suggested and continue the policy construction phase, enter the following command:
learning acceptTo automatically accept the policies that the Detector module suggests at specified intervals, enter the following command:
learning-params periodic-action auto-accept learn_params_days learn_params_hours learn_params_minutesSee the "Configuring Learning Parameters" section for more information.
Use the no learning-params periodic-action command to terminate the periodic action.
Step 4
We recommend letting the policy construction phase continue for at least 2 hours before terminating it.
You can perform one of the following actions:
•
no learning acceptThe Detector module erases previously learned policies and thresholds.
After accepting the newly constructed policies, you can manually add or remove policies. See Chapter 7, "Configuring Policy Templates and Policies." for more information.
•
no learning rejectThe Detector module stops the process and does not save the new policies that it has just learned. The policies of the zone are the policies that the Detector module had prior to initiating the learning process or prior to the last time that you accepted the results of the policy construction phase.
The following example shows how to initiate the policy construction phase and accept the suggested policies at 12 hour intervals. It then stops the policy construction phase and accepts the suggested policies.
user@DETECTOR-conf-zone-scannet# learning policy-constructionuser@DETECTOR-conf-zone-scannet# learning-params periodic-action auto-accept 0 12 0user@DETECTOR-conf-zone-scannet# no learning acceptTuning Thresholds
In the threshold tuning phase, the Detector module analyzes the zone traffic and defines thresholds for the policies that were constructed during the policy construction phase.
You can set the Detector module to learn the zone traffic while monitoring the last accepted policy thresholds for traffic anomalies. After the Detector module detects an attack on the zone, it stops the threshold tuning phase but continues zone anomaly detection to prevent the Detector module from learning malicious traffic thresholds.
The Detector module resumes the learning process after the attack ends.
To tune the policy thresholds, perform the following steps:
Step 1
detect learningWe recommend that you enable the detect and learn function, that is, activate the threshold tuning phase and set the Detector module to perform zone anomaly detection at the same time.
You can alternatively, enter both the learning threshold-tuning command and the detect command (the order is not important).
Tip
If the Detector module detects an attack on the zone, it stops the threshold tuning phase but continues zone detection.
Note
•
•
To deactivate zone anomaly detection and the threshold tuning phase simultaneously, enter the deactivate command in zone configuration mode.
To activate the threshold tuning phase only, use the learning threshold-tuning command.
Step 2
You can save a snapshot of the learning parameters (services, thresholds, and other policy-related data) by using the snapshot command at any time during the threshold tuning phase. You can review the snapshot later or compare the learning parameters with another snapshot. You can save a single snapshot or save a periodic snapshot at specified intervals.
For more information, see the "Using Snapshots to Verify the Results of the Learning Process" section on page 7-37.
Step 3
You can accept the zone policies that the Detector module suggested and continue the threshold tuning phase once, or define that the Detector module automatically accept the suggested policies at specified intervals to ensure that the zone has the most updated policies and continues to learn the zone traffic.
To accept the policies that the Detector suggested and continue the threshold tuning phase, enter the following command:
learning accept [threshold-selection {new-thresholds | max-thresholds | weighted weight}]See Table 5-6 for a description of the threshold-selection arguments and keywords.
To automatically accept the policies that the Detector suggests at specified intervals, enter the following command:
learning-params periodic-action auto-accept learn_params_days learn_params_hours learn_params_minutesSee the "Configuring Learning Parameters" section for more information.
Use the no learning-params periodic-action command to terminate the periodic action.
Step 4
Note
We recommend that you enable the detect and learn function and do not terminate the threshold tuning phase.
You can perform one of the following actions:
•
no learning accept [threshold-selection {new-thresholds | max-thresholds | weighted weight}]See Table 5-6 for a description of the threshold-selection arguments and keywords.
The Detector module erases previously learned thresholds.
After accepting the newly tuned policies, you can manually change the policy parameters. See Chapter 7, "Configuring Policy Templates and Policies," for more information.
•
no learning rejectThe Detector module stops tuning the thresholds and reverts to prior thresholds. This process may result in a situation in which new zone policies have thresholds that were obtained according to past traffic characteristics. We recommend that you enable the threshold tuning phase at a later time or that you configure the thresholds manually.
The following example shows how to initiate the threshold tuning phase and accept the suggested policies at 1 hour intervals. It then stops the threshold tuning phase and accepts the suggested policies if the threshold values are higher than the current values (the max-thresholds method).
user@DETECTOR-conf-zone-scannet# learning threshold-tuninguser@DETECTOR-conf-zone-scannet# learning-params periodic-action auto-accept 0 1 0user@DETECTOR-conf-zone-scannet# no learning accept threshold-selection max-thresholdsTo display the learning results, use the show policies statistics command. See the "Displaying Policies" section on page 7-33 for more information.
After reviewing the learned thresholds, you may choose to modify some of the results. To avoid overriding these changes by future threshold tuning phases, perform one of the following tasks:
•
•
Configuring Learning Parameters
The learning parameters allow you to configure the learning-related actions that the Detector module can perform and how the Detector module handles specified policies. You can define the following parameters:
•
•
•
•
•
To display the configuration of the learning parameters, use the show learning-params command in zone configuration mode.
Configuring Periodic Actions
You can set the Detector module to perform one of the following actions at specified intervals:
•
•
See the "Monitoring Policies" section on page 7-33 for more information on snapshots.
To set the periodic action the Detector module performs, enter the following command in zone configuration mode:
learning-params periodic-action {auto-accept | snapshot-only} learn_params_days learn_params_hours learn_params_minutes
Table 5-5 provides the arguments and keywords for the learning-params command.
The value of the interval is the sum of the learn_params_days value, the learn_params_hours value, and the learn_params_minutes value.
The following example shows how set the Detector module to accept the policies at 1 hour intervals.
user@DETECTOR-conf-zone-scannet# learning-params periodic-action auto-accept 0 1 0Configuring the Threshold Selection Method
You can set the default method that the Detector module uses to generate new thresholds after new policy thresholds are accepted during the threshold tuning phase. You can accept the results of the threshold tuning phase manually, or configure the Detector module to automatically accept the results of the threshold tuning phase at specified intervals.
To configure the threshold selection method, enter the following command in zone configuration mode:
learning-params threshold-selection {new-thresholds | max-thresholds | weighted weight}
Table 5-6 provides the arguments and keywords for the learning-params threshold-selection command.
This example shows how to configure the Detector module to accept the suggested policies if the learned threshold values are higher than the current policy threshold values:
user@DETECTOR-conf-zone-scannet# learning-params threshold-selection max-thresholdsMarking the Policies as Tuned
The Detector module marks the policy threshold status that defines if the policy thresholds are tuned or not, and relates to this status when you enable the protect and learn function. The policy threshold status specifies if the Detector module identifies an attack on the zone when the policy threshold is exceeded.
When a new zone is created, or after you accept the policy construction phase results for a zone, the Detector module marks the zone policy thresholds as untuned. The default thresholds of the zone templates are tuned so that the Detector module activates the anti-spoofing functions quickly if it identifies traffic anomalies in the zone traffic. When you enable the protect and learn function, the learning process might stop if the current zone traffic is higher than the current policy threshold values. To avoid such situations, the Detector module does not detect attacks in the zone traffic when you enable the detect and learn function if the zone policies are not tuned, until the zone policy thresholds are accepted one time.
If the zone policies are untuned, the Detector module activates only a threshold selection method of accept-new and ignores previous threshold values when accepting the new policies. If the Detector module accepts the threshold tuning phase results of the learning process for a zone with a threshold selection method other than accept-new, bad policy threshold values may result. See the "Configuring the Threshold Selection Method" section for more information on the threshold selection method.
The Detector module marks the zone policies as untuned in the following circumstances:
•
•
•
The Detector module marks the zone policies as tuned after accepting the threshold tuning phase results.
You can modify the settings of the zone policies. To mark the zone policies as tuned, enter the following command in zone configuration mode:
learning-params threshold-tuned
To mark the zone policies as untuned, use the no form of this command.
You might change the status of the zone policies to tuned when one of the following applies:
•
•
You might change the status of the zone policies to untuned when one of the following applies:
•
•
•
When the zone policies are marked as untuned, the Detector module does not monitor the current policy thresholds and does not detect attacks on the zone if the policy thresholds are exceeded.
Note
The following example shows how to mark the status of the zone policies as tuned:
user@DETECTOR-conf-zone-scannet# learning-params threshold-tunedTuning Zone Policy Thresholds and Enabling Zone Anomaly Detection Simultaneously
After an initial learning process of constructing policies, you can activate the learning process and enable zone anomaly detection simultaneously using the detect and learn function. The Detector module tunes the policy thresholds and at the same time monitors the policy thresholds for traffic anomalies. The detect and learn function enables the Detector module to detect anomalies in the zone traffic, constantly update the policy thresholds according to the zone traffic characteristics, and prevents the Detector module from learning malicious traffic thresholds.
When you create a new zone, when you add or remove a service from the zone policies, or after you accept the policy construction phase results, the Detector module marks the zone policies as untuned. The Detector module marks the zone policies as tuned only after you accept the results of the threshold tuning phase of the learning process.
If you enable the learning process and zone detection simultaneously and the zone policies are not tuned, the Detector module functions in the following ways:
•
•
When the Detector module identifies an attack on the zone, it stops the learning process. If the Detector module has activated a Cisco Anomaly Guard Module (Guard module) to protect the zone, it polls the Guard module constantly. Once it identifies that the Guard module has deactivated zone protection, it verifies that additional traffic anomalies do not exist and then reactivates the detect and learn function. This option is available if you have configured an SSL communication channel only.
Before you activate the protect and learn function, you can configure when and how the Detector module accepts the results of the learning process. See the "Configuring Learning Parameters" section for more information.
To activate the learning process and zone anomaly detection simultaneously, use the detect learning command or enter both the learning threshold-tuning command and the detect command (the order is not important).
See the "Tuning Thresholds" section and the "Detecting Zone Traffic Anomalies" section for more information.
Synchronizing the Zone Configuration in the Detector Module with the Cisco Anomaly Guard Module
You can synchronize the zone configuration and policies with the zone on the Cisco Anomaly Guard Module (Guard module). The Detector module copies the complete zone configuration to the Guard module. This process allows you to configure the zone once, but maintain the same configuration and policies on both the Detector module and the Guard module.
Communication between the Detector module and the Guard module requires the Secure Sockets Layer (SSL) protocol, which provides authentication and encryption. You must configure the SSL communication connection channel before you synchronize the zone. See the "Establishing Communication with the Cisco Anomaly Guard Module" section on page 4-22 for more information.
You can set the Detector module to continuously learn the zone traffic characteristics to keep the zone policies updated, and avoid constantly diverting the zone traffic to the Guard module.
This section contains the following topics:
•
•
•
•
•
•
•
•
Configuration Guidelines
To synchronize zones between a Guard module and a Detector module, use the following guidelines:
•
See the Table 5-2 for more information.
•
•
•
•
Configuring Zones for Synchronization
To synchronize zones between the Guard module and the Detector module, you must create the new zone on the Detector module using GUARD zone templates because a zone that is created from a GUARD zone template has two sets of definitions, one for the Guard module, and one for the Detector module. See Table 5-2 for more information on the zone templates.
You can configure the zone in the following configuration modes:
•
user@DETECTOR-conf-zone-scannet#•
user@DETECTOR-conf-zone-scannet(guard)#•
If you modify a configuration that is common to both the Guard module and the Detector module, the change applies to both sets of definitions. For example, if you modify the zone IP address in zone configuration mode, the new IP address is also modified in the zone definition for the Guard module. You can display the new zone definition for the Guard module in guard configuration mode. If you change the operation state of a policy in guard configuration mode, the operation state is also modified in the zone definition of the Detector module.
To create and configure a zone for synchronization, perform the following steps:
Step 1
The Detector module identifies such zones by displaying (Guard/Detector) next to the zone ID field in the show command output.
See the "Creating a New Zone" section.
Step 2
See the "Configuring Zone Attributes" section.
Step 3
•
•
•
The zone-name argument specifies the name of an existing zone.The Detector module enters the guard configuration mode. The CLI prompt indicates the mode by adding the word guard in parenthesis (guard) to the prompt.
The following example shows how to enter guard configuration mode:
user@DETECTOR-conf-zone-scannet# guard-confuser@DETECTOR-conf-zone-scannet(guard)#The guard configuration mode allows you to configure all zone attributes that are unique to the Guard module, such as user filters, filter-termination, and a policy or a filter action of drop. See the Cisco Anomaly Guard Module Configuration Guide for more information.
Configuring the Automatic Zone Synchronization and Export Parameters
You can configure the Detector module to synchronize the zone configuration with remote Guards automatically, or export the zone configuration automatically to an FTP or an SFTP server.
The Detector module performs the following actions:
•
If both the zone remote Guard list and the Detector module default remote Guard list are empty, the Detector module does not synchronize the zone configuration.
If a zone with the same name exists on the Guard module, the new configuration replaces the existing one.
•
If both the zone FTP server list and the Detector module default FTP server list are empty, the Detector module does not export the zone configuration.
To enable automatic synchronization and export of zone configuration, enter the following command in zone configuration mode:
learning-params sync {accept | remote-activate}
Table 5-7 provides the keywords for the learning-params sync command.
The following example shows how to automatically synchronize and export the zone configuration each time the results of the threshold-tuning phase of the learning process are accepted:
user@DETECTOR-conf-zone-scannet# learning-params sync accept
To disable automatic synchronization and export, use the no learning-params sync command.
Synchronizing the Zone Configuration Automatically
You can configure the Detector module to synchronize the zone configuration with remote Guards automatically. The Detector module copies the zone configuration to the Guard module. If a zone with the same name exists on the Guard module, the new configuration replaces the existing one.
The Detector module synchronizes the zone configuration with all remote Guards in the zone remote Guard lists. If a zone remote Guard list is empty, The Detector module synchronizes the zone configuration with the remote Guards that are defined in the Detector module default remote Guard list. If synchronization with one of the remote Guards fails, the Detector module continues to the next remote Guard in the list.
If both the zone remote Guard list and the Detector module default remote Guard list are empty, the Detector module does not synchronize the zone configuration.
Use the learning-params sync command to define when the Detector module synchronizes the zone configuration. See the "Configuring the Automatic Zone Synchronization and Export Parameters" section for more information.
Synchronizing the Zone Configuration to the Detector Module
You can copy the zone configuration from the Guard module to the Detector module and in that way synchronize the zone configuration on the Guard module with that of the Detector module. This may be required if you have manually modified the zone policies on the Guard module to adjust the zone policies to attack characteristics, and would like to update the Detector module with the changes to ensure correct detection of future DDoS attacks, or to ensure that the zone configuration on the Guard module is maintained if you synchronize the zone configuration in the future from the Detector module to the Guard module. This is especially true if the zone traffic requires you to set certain policy thresholds as fixed (see the "Setting the Threshold as Fixed" section on page 7-22) or set a fixed multiplier for policy thresholds (see the "Configuring a Threshold Multiplier" section on page 7-23). This ensures that the Detector module relates to the policy thresholds correctly in future threshold tuning phases and updates the Guard module policies with the correct thresholds.
The Detector module copies the configuration of the zone from the Guard module. The new configuration overrides the existing one.
To synchronize the zone configuration and policies from the Detector module, perform the following steps:
Step 1
Step 2
sync zone zone-name remote-guard-address localTable 5-8 provides the arguments for the sync zone command.
Step 3
For more information, see the "Detecting Zone Traffic Anomalies" section and the "Learning the Zone Traffic Characteristics" section.
The following example shows how to deactivate the zone scannet and synchronize the zone configuration from a Guard module with an IP address of 192.168.55.10 to the Detector module. It then shows how to reactivate the zone.
user@DETECTOR-conf-zone-scannet# deactivateuser@DETECTOR-conf-zone-scannet# enduser@DETECTOR# sync zone scannet 192.168.55.10 localuser@DETECTOR# conf scannetuser@DETECTOR-conf-zone-scannet# detect learningSynchronizing the Zone Configuration from the Detector Module
You can synchronize the zone configuration and policies with the zone on the Guard module to ensure that the zone configuration and policies on the Guard module are updated when the Guard module activates zone protection. This process allows you to configure the zone once on the Detector module, continuously learn the zone traffic characteristics, and maintain the same zone configuration and policies on the Guard module without constantly diverting the zone traffic to the Guard module.
The Detector module copies the configuration of the zone to the Guard module. If a zone with the same name exists on the Guard module, the new configuration replaces the existing one.
Note
To synchronize the zone configuration and policies from the Detector module, enter the following command in global mode:
sync zone zone-name local {remote-guards | remote-guard-address}
Table 5-9 provides the arguments and keywords for the sync zone command.
The following example shows how to synchronize the zone configuration to all remote Guards in the zone remote Guard list:
user@DETECTOR# sync zone scannet local remote-guardsExporting the Zone Configuration Automatically
You can configure the Detector module to export the zone configuration automatically to an FTP or SFTP server. The Detector module exports the zone configuration each time the results of the threshold-tuning phase of the learning process are accepted.
To export the zone configuration automatically, you must configure the FTP or SFTP server. You can configure the FTP or SFTP server in the following lists:
•
•
To configure the Detector module to automatically export the zone configuration to an FTP or SFTP server, perform the following steps:
Step 1
•
•
You must configure the SSH key that the Detector module uses for SFTP communication. See the "Configuring the Key for SFTP Connections" section on page 4-34 for more information.
Table 5-10 provides the arguments for the ftp-server command.
The following example shows how to define an FTP server:
user@DETECTOR-conf# ftp-server MyFTP-Server Description ftp 10.0.0.191 /root/ConfigFiles <user> <password>
Note
Step 2
ftp-server ftp-server-nameThe ftp-server-name argument specifies the name of the FTP or SFTP server.
The following example shows how to add an FTP server to a zone FTP server list:
user@DETECTOR-conf-zone-scannet# ftp-server default MyFTP-ServerTo remove an FTP server from the list, use the no form of the command.
Step 3
The Detector module exports the zone configuration to the FTP servers that are listed in the zone FTP server list. If the list is empty, the Detector module turns to the default FTP list.
To add an FTP or SFTP server to the Detector module default FTP server list, enter the following command in configuration mode:
ftp-server default ftp-server-nameThe ftp-server-name argument specifies the name of the FTP or SFTP server.
The following example shows how to add an FTP server to the Detector module default FTP server list:
user@DETECTOR-conf# ftp-server default MyFTP-ServerTo remove an FTP server from the list, use the no form of the command.
Step 4
See the "Exporting the Zone Configuration Automatically" section for more information.
Exporting the Zone Configuration Manually
You can activate the Detector module to export the zone configuration to an FTP or SFTP server. The Detector module exports the portion of the zone configuration that is required to configure the zone on the Guard module.
Enter the one of the following commands in global mode:
•
•
You must configure the SSH key that the Detector module uses for SFTP communication. See the "Configuring the Key for SFTP Connections" section on page 4-34 for more information.
Table 5-11 provides the arguments for the copy guard-running-config command.
The following example shows how to export the zone configuration to an FTP server:
user@DETECTOR-conf# copy zone scannet guard-running-config ftp 10.0.0.191 /root/ConfigFiles/scannet.txt <user> <password>Synchronizing the Zone Configuration Offline
You can synchronize a zone configuration even if you cannot establish a secure communication channel between the Detector module and a Guard module. You may need to synchronize a zone configuration offline if one of the following conditions applies:
•
•
•
To synchronize a zone configuration offline, you must first export the zone configuration from the Detector module to an FTP or a Secure FTP (SFTP) server, and then manually import the zone configuration to the Guard module. Because there is no secure communication channel between the Guard module and the Detector module, you must manually activate the Guard module to protect the zone when the Detector module detects anomalies in the zone traffic.
To enable the Detector module to synchronize the zone configuration, you must perform the following tasks:
•
•
To synchronize the zone configuration offline, perform the following steps:
Step 1
•
•
–
–
See the "Exporting the Zone Configuration Manually" section for more information.
Step 2
•
•
See the "Importing and Updating Configuration" section on page 11-3 for more information.
Note
Example Scenario
This example scenario shows how to make use of synchronization to ensure proper zone protection according to current traffic characteristics:
1.
The Detector module identifies such zones by displaying (Guard/Detector) next to the zone ID field in the output of the show command in zone configuration mode.
For more information, see the "Creating a New Zone" section.
2.
For more information, see the "Configuring the Default Remote Guard Lists" section and the "Configuring the Zone Remote Guard Lists" section.
3.
4.
For more information, see the "Detecting Zone Traffic Anomalies" section.
5.
For more information, see the "Configuring Periodic Actions" section.
6.
Use the learning-params sync command to configure the Detector module to synchronize the zone configuration with the Guard module. For more information, see the "Configuring the Automatic Zone Synchronization and Export Parameters" section.
7.
Use the learning-params sync command.
For more information, see the "Configuring the Automatic Zone Synchronization and Export Parameters" section.
8.
–
–
–
You can modify the zone policies on the Guard when the attack is in progress.
The Detector module polls the Guard module constantly and when it identifies that the Guard has deactivated zone protection (the Guard module deactivates zone protection when the attack ends) and additional traffic anomalies do not exist and then reactivates zone anomaly detection and the learning process.
9.
For more information, see the "Setting the Threshold as Fixed" section on page 7-22 and the "Configuring a Threshold Multiplier" section on page 7-23.
To synchronize the zone configuration and policies from the Guard module, perform the following actions:
–
–
–
For more information, see the "Synchronizing the Zone Configuration to the Detector Module" section and the "Detecting Zone Traffic Anomalies" section.
Activating Remote Guards
When the Detector module detects a zone traffic anomaly it logs the event (an action known as notify) or activates Guard modules (remote Guards) that initialize actions to protect the zone.
The Detector module keeps a list of Guard modules that is activates to protect a zone. These lists are called remote Guard lists. The Detector module can also synchronize the zone configuration the with Guard modules on the remote Guard lists. The Detector module keeps four types of lists of remote Guards:
1.
2.
3.
4.
You can configure a Guard module in more than one remote Guard list.
The following contains the following topics:
•
•
Configuration Guidelines
To enable activation of remote Guards and synchronization of zone information, you must perform the following steps:
Step 1
Note
See the "Creating a New Zone" section.
Step 2
•
See the "Configuring the Zone Remote Guard Lists" section for more information.
•
See the "Configuring the Default Remote Guard Lists" section for more information.
Step 3
See the "Establishing Communication with the Cisco Anomaly Guard Module" section on page 4-22 for more information.
Step 4
See the "Synchronizing the Zone Configuration in the Detector Module with the Cisco Anomaly Guard Module" section for more information.
Step 5
See the "Configuring Guard-Protection Activation Methods" section for more information.
Configuring the Default Remote Guard Lists
The Detector module activates a remote Guard in a default remote Guard list if the zone-specific remote Guard list is empty. The Detector module has two types of default remote Guard lists:
1.
2.
Verify that the Detector module has at least one Cisco Anomaly Guard Module defined in one of remote Guard lists (the default SSL remote Guard list, the default SSH remote Guard list, the zone SSL remote Guard list, or the zone SSH remote Guard list). If no remote Guard is defined in any one of the remote Guard lists, the Detector module records the event in its log file.
Caution
To add a Guard to a default remote Guard list, enter the following command in configuration mode:
remote-guard [ssh | ssl] remote-guard-address [description]
Table 5-12 provides the arguments for the remote-guard command.
The following example shows how to add a remote Guard to the default SSL remote Guard list:
user@DETECTOR-conf# remote-guard ssl 192.168.100.33To display the default lists of remote Guards, use the show detector |include remote-guard command.
Configuring the Zone Remote Guard Lists
The Detector module has two types of zone remote Guard lists:
1.
2.
The Detector module activates the remote Guards that are listed in both the zone remote Guard lists. If a list is empty, the Detector module turns to the corresponding default remote Guard list also.
Verify that the Detector module has at least one Cisco Anomaly Guard Module in one of remote Guard lists (the default SSL remote Guard list, the default SSH remote Guard list, the zone SSL remote Guard list, or the zone SSH remote Guard list). If no remote Guard is defined in any one of the remote Guard lists, the Detector module records the event in its log file.
Caution
To add a Guard to a zone remote Guard list, enter the following command in zone configuration mode:
remote-guard [ssh | ssl] remote-guard-address [description]
Table 5-13 provides the arguments for the remote-guard command.
The following example shows how to add a Guard to the zone SSL remote Guard list:
user@DETECTOR-conf-zone-scannet# remote-guard ssl 192.168.100.33
Note
Detecting Zone Traffic Anomalies
When you activate zone anomaly detection, the Detector module monitors the copy of the zone traffic it receives. When a traffic anomaly triggers a policy action by exceeding the policy threshold (indicating an attack), the Detector either sends you a notification, or activates a Cisco Anomaly Guard Module (Guard module) to protect the zone.
Before you activate zone anomaly detection, allow the Detector module to study the zone traffic patterns using the learning process, which allows the Detector module to learn the traffic patterns of the zone and to create sets of recommended thresholds according to statistical analysis of the zone traffic.
If the zone is not under attack, we recommend that you allow the Detector module to construct the zone policies by entering the learning policy-construction command, and then enable the detect and learn function. The Detector module learns the zone traffic and at the same time monitors the last accepted policy thresholds for traffic anomalies. If the Detector module detects an attack on the zone, it stops the threshold tuning phase but continues to detect anomalies in the zone traffic to prevent the Detector module from learning thresholds of malicious traffic. See the "Tuning Zone Policy Thresholds and Enabling Zone Anomaly Detection Simultaneously" section.
You can synchronize the zone configuration on the Detector module with the zone configuration on a Guard module before activating the Guard module to protect the zone. See the "Synchronizing the Zone Configuration in the Detector Module with the Cisco Anomaly Guard Module" section and the "Activating Remote Guards" section for more information.
Before you activate zone anomaly detection, you must configure the switch to capture the traffic sent to the zone and pass a copy of it to the Detector module. See the "Configuring Traffic Sources for Capturing Traffic" section on page 2-4 for more information.
Tip
You can define the following anomaly detection characteristics:
•
•
This section includes the following topics:
•
•
•
•
Activating Zone Anomaly Detection
To activate zone anomaly detection, enter the following command in zone configuration mode:
detect [learning]
The learning keyword sets the Detector module to detect anomalies in the zone traffic and at the same time tune the zone policy thresholds. See the "Tuning Zone Policy Thresholds and Enabling Zone Anomaly Detection Simultaneously" section for more information.
The following example shows how to activate anomaly detection for the zone scannet:
user@DETECTOR-conf-zone-scannet# detectDeactivating Zone Anomaly Detection
To deactivate zone anomaly detection, enter one of the following commands in zone configuration mode:
•
•
Configuring How the Detector Module Performs Zone Anomaly Detection
You can activate zone anomaly detection in two operation modes:
•
•
See Chapter 8, "Using Interactive Detect Mode," for more information.
Configuring Guard-Protection Activation Methods
Guard-protection activation methods define how a Cisco Anomaly Guard Module (Guard module) that is defined as a remote Guard activates zone protection and are designed to better focus on the zone protection requirements and save Guard module resources. The activation methods range from activating zone protection for a partial zone that is a part of the entire zone (for example, a specific server that is part of a protected network environment) to activating zone protection for the entire zone.
The Detector module supports the following Guard-protection activation methods:
•
•
•
Note
•
We recommend this strategy when the zone consists of related subzones so that you can avoid a situation in which a targeted zone may cause damage to the entire zone.
To activate the Guard-protection activation methods, enter the following command in zone configuration mode:
protect-ip-state {entire-zone | dst-ip-by-name | dst-ip-ip | policy-type}
The following example shows how to configure the Guard-protection activation method:
user@DETECTOR-conf-zone-scannet# protect-ip-state entire-zone
