Cisco Traffic Anomaly Detector Module Web-Based Manager Configuration Guide (Software Version 5.0)
Introduction

Table Of Contents

Introduction

Client Requirements

Minimum Requirements

Installing Java 2 Runtime Environment

Detector Module Requirements for WBM Operation

What is a DDoS Attack

Cisco Traffic Anomaly Detector Module

WBM Interface

WBM Browser Window

Zone Status Icons

WBM Navigation Maps


Introduction


This chapter provides an overview of the Cisco Traffic Anomaly Detector Module Web-based Manager (WBM) interface and includes the following sections:

Client Requirements

Detector Module Requirements for WBM Operation

What is a DDoS Attack

Cisco Traffic Anomaly Detector Module

WBM Interface

Client Requirements

This section describes the minimum requirements for the WBM client and includes the following information and procedure:

Minimum Requirements

Installing Java 2 Runtime Environment

Minimum Requirements

The minimum client requirements to access and use the WBM on the Detector module are:

MS Internet Explorer 5.0 (or higher)—Must support HTML, tables, cookies, Javascript, and frames

Sun Microsystems Java 2 Runtime Environment (JRE) Standard Edition version 1.4.2_04—JRE is required to view the real time counters only (see the "Installing Java 2 Runtime Environment" section)

Monitor resolution—Recommend 1024 x 768 pixels minimum

Installing Java 2 Runtime Environment

You must install Java 2 Runtime Environment (JRE) to view the real time counters. To download and install JRE from the Sun Microsystems web site, perform the following steps:


Step 1 Open the following URL in your Web browser: www.sun.com. The Sun Microsystems home page appears.

Step 2 Navigate to the downloads page by selecting Downloads > Java 2 Standard Edition. Select the version number to open the version download site.

Step 3 Download J2SE JRE.

Scroll down to the J2SE v <version number> JRE category and select Download J2SE JRE.


Note Do NOT select J2SE SDK.


Step 4 Run the file you just downloaded and follow the online installation instructions provided by Sun Microsystems.

Step 5 Verify that JRE supports your browser. Perform the following actions:

1. Open the Windows Control Panel on your machine by choosing Start > Settings > Control Panel. The Control Panel appears.

2. Locate and double-click Java Plug-in. The Java(TM) Plug-in Control Panel appears.

3. Click the Advanced tab. Open the <APPLET> tag support section and check the check box next to your browser.


Note If you have a previous version of JRE installed, the supported browsers are located in a different tab. Click the Browser tab and under Settings, select the check box next to your browser.


4. Click Apply to save your settings.

5. Restart the browser.


Detector Module Requirements for WBM Operation

Before using the WBM, ensure that the Detector module is properly installed as described in the Cisco Traffic Anomaly Detector Module Configuration Guide. You must perform the initial configuration process using the CLI. Verify that the following items are configured on the Detector module for proper operation of the WBM:

Copy zone traffic—(CLI function) Allows the network switch to capture the traffic sent to the zone and pass a copy of it to the Detector module for analysis.

Remote Guard list—(CLI function) Provides the Detector module with a list of Guard devices to activate when the Detector module detects a traffic anomaly.

SSL connection—(CLI function) Provides a secure channel connection between the Detector and the Cisco Anomaly Guard Module.

Enable WBM service and permit access—(CLI function) Activates the WBM service and permits access to it from a WBM workstation. The CLI procedures to configure this operation are also included in this guide (see the "Configuring Network Access to the WBM" section in "Enabling and Launching the WBM").

What is a DDoS Attack

In a Distributed Denial of Service (DDoS) attack, an attacker causes thousands of compromised computers (zombies) to run automated scripts that cripple network resources with spurious requests for service. For example, a DDoS attack can be a flood of bogus home page requests that shuts legitimate consumers out of a Web server, or an effort that compromises the availability and accuracy of Domain Name System (DNS) servers. Although often launched by a single individual, the zombies that actually execute the attack code may number in the hundreds of thousands and are distributed over multiple autonomous systems administered by multiple organizations.

DDoS attacks continuously evolve as sophisticated hackers create damaging new exploits. In addition, attack scripts are made widely available on the Internet and are routinely executed by individuals with minimal technical knowledge of networking. DDoS defense technology must therefore be flexible and adaptive: it must detect an incoming DDoS attack, differentiate between malicious and legitimate traffic, and do both without hindering the legitimate traffic flow to the attacked network element.

Cisco Traffic Anomaly Detector Module

The Cisco Traffic Anomaly Detector Module is an anomaly detection and protection activation device. The Detector module is best suited to work with the Cisco Anomaly Guard Module, but it can also operate as an independent DDoS detection and alarm component.

After learning the zone traffic characteristics, the Detector module continuously monitors the zone traffic and remains closely tuned to those characteristics so that it can recognize evolving attack patterns.

To accomplish these tasks, the Detector module employs the following features:

An algorithm-based learning system that learns the zone traffic, modifies the zone configuration to the particular traffic characteristics, and supports the Detector attack detection features with references and instructions in the form of zone traffic policies and policy threshold rates.

An attack notification system that either remotely activates a Cisco Anomaly Guard Module to assume protection over the zone, or records the traffic anomalies in the Detector syslog.

Integrating these features enables the Detector to assume its role of detecting DDoS attacks while unobtrusively staying in the background.
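The learn-then-detect cycle described above, as an added illustration in Python. This is not Cisco's code: the policy model (one threshold per service), the mean-plus-three-standard-deviations threshold rule, the "proto/port" service names, the Guard list and the traffic samples are all assumptions constructed for the example. The Detector module's real policies and threshold rates are more elaborate; the point here is the split into a policy construction phase, a threshold tuning phase, a detection phase, and a notification step that either activates a remote Guard or only records the anomaly.

```python
from dataclasses import dataclass, field
from statistics import mean, pstdev

# Constructed learning data (not captured from a real Detector module): each
# entry is one interval of copied zone traffic, summarised as packets per
# second per service ("proto/port").
LEARNING_SAMPLES = [
    {"tcp/80": 1200, "tcp/443": 800, "udp/53": 150},
    {"tcp/80": 1350, "tcp/443": 760, "udp/53": 170},
    {"tcp/80": 1100, "tcp/443": 820, "udp/53": 140},
    {"tcp/80": 1280, "tcp/443": 790, "udp/53": 160},
    {"tcp/80": 1220, "tcp/443": 810, "udp/53": 155},
]


@dataclass
class Policy:
    """One zone traffic policy: a service and its threshold rate (pps)."""
    service: str
    threshold: float = float("inf")   # unlimited until thresholds are tuned


@dataclass
class Zone:
    name: str
    policies: dict = field(default_factory=dict)
    state: str = "inactive"           # inactive -> learning -> detect


def construct_policies(zone, samples):
    """Learning phase 1 (policy construction): derive one policy per service
    that actually appears in the zone's traffic."""
    zone.state = "learning"
    for sample in samples:
        for service in sample:
            zone.policies.setdefault(service, Policy(service))
    return sorted(zone.policies)


def tune_thresholds(zone, samples, k=3.0):
    """Learning phase 2 (threshold tuning): set each threshold to the learned
    mean rate plus k standard deviations. k=3 is an assumed safety margin,
    not a Detector module parameter."""
    for service, policy in zone.policies.items():
        rates = [sample.get(service, 0) for sample in samples]
        policy.threshold = mean(rates) + k * pstdev(rates)
    zone.state = "detect"
    return {service: policy.threshold for service, policy in zone.policies.items()}


def detect(zone, sample):
    """Detection: compare one live interval against the tuned policies.
    Returns (service, observed_rate, threshold) tuples; threshold is None for
    a service that never appeared during learning (no policy covers it)."""
    if zone.state != "detect":
        raise RuntimeError("zone %s has not finished learning" % zone.name)
    anomalies = []
    for service, rate in sample.items():
        policy = zone.policies.get(service)
        if policy is None:
            anomalies.append((service, rate, None))
        elif rate > policy.threshold:
            anomalies.append((service, rate, policy.threshold))
    return anomalies


def notify(zone, anomalies, guards):
    """Attack notification: activate the first configured remote Guard if
    there is one, otherwise only record the anomalies as syslog-style lines."""
    lines = ["zone %s: anomaly on %s rate=%d threshold=%s"
             % (zone.name, svc, rate, "none" if thr is None else "%.1f" % thr)
             for svc, rate, thr in anomalies]
    if anomalies and guards:
        return "activate", guards[0], lines
    return "syslog", None, lines


if __name__ == "__main__":
    zone = Zone("web-zone")
    construct_policies(zone, LEARNING_SAMPLES)
    tune_thresholds(zone, LEARNING_SAMPLES)
    # Constructed attack interval: a DNS flood plus traffic to an unlearned port.
    live = {"tcp/80": 1400, "tcp/443": 800, "udp/53": 6000, "udp/123": 900}
    action, guard, lines = notify(zone, detect(zone, live), guards=["guard-1"])
    print(action, guard)
    print("\n".join(lines))
```

Note that a service absent from the learning samples is reported as an anomaly with no threshold: the real value of the learning phase is that the policy set, not only the rates, becomes the baseline, which is why the Detector module must complete learning before it is placed into detection.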

WBM Interface

Providing a subset of the CLI functionality, the WBM allows you to create and modify zone configurations, manage detection of zone traffic anomalies, and monitor Detector module and zone operations. Configuration parameters relating to procedures such as the initial Detector module setup procedures and network-level setup of the Detector module are only accessible through the CLI and cannot be performed using the WBM. Refer to the Cisco Traffic Anomaly Detector Configuration Guide for details on using the CLI.

WBM Browser Window

Figure 1-1 provides a sample screen shot of the WBM window. Table 1-1 describes each of the sections called out in the figure.

Figure 1-1 Sample WBM Screen Shot

Table 1-1 WBM Window Overview

1 Main Menu Bar—Displays the main menu for the link that is selected in the navigation area (3). The WBM displays one of two menu bars in this section:

Detector module summary menu—Provides access to the following Detector module statistical and configuration options:

Detector module status and diagnostic tools

List of defined zones

User profile manager

To view the Detector module summary menu, click Detector module Summary in the navigation area (3).

Zone main menu—Provides access to detailed zone information and configuration options. To view the zone-specific menu, click the desired zone in the navigation area (3).

2 Navigation Path—Displays the path to the location of the screen displayed in the work area (5). To navigate to a specific section of the path, click that section of the path.

3 Navigation Area—Displays the list of links to the Detector module summary screen and the zone status screens. Click a link from the list to display the relevant status information in the work area (5). The selected navigation area link is highlighted with a white frame. To resize the navigation area, drag the frame bar between the navigation and work areas.

4 Information Area—Provides the following links and information:

Home—Returns you to the Detector module summary screen.

Logout—Closes your WBM session. The System Login screen appears.

About—Displays WBM software information, including the software version number, system serial number, and software licensing agreement.

Current user—Lists the name of the current user and their assigned user privilege level.

5 Work Area—Displays the information that you select. From the work area, you define the various zone configuration parameters, enable learning and detection, and display statistical information. To resize the work area, drag the frame bar between the navigation and work areas.


Zone Status Icons

The WBM uses icons to represent the current zone status. The status icons appear in the navigation area and in the zone status bar. Table 1-2 describes the different zone status icons.

Table 1-2 Zone Status Icons

(The icon images are not reproduced in this text; the table lists the status that each icon indicates.)

Zone is inactive (not learning zone traffic or detecting anomalies in the zone traffic).

Zone is active and in a phase of the learning process, either the policy construction phase or the threshold tuning phase.

Zone is active and in the anomaly detection mode or the detect and learn mode.

Zone is active, operating in the interactive detect mode, and there are new zone detection recommendations available.


WBM Navigation Maps

The tables in this section map the links available from the two WBM menu bars. Each table is shown as a tree: Level 1 is the menu bar, Level 2 the menu, and Level 3 the items in that menu.

Detector Module Summary menu—Provides access to general Detector module statistical and configuration tools. To view the Detector module Summary menu, click Detector module Summary in the navigation area or Home in the information area. Table 1-3 maps the Detector Summary menu levels.

Table 1-3 Detector Summary Menu

Detector Summary
    Main
        Summary
    Diagnostics
        Counters
        Event log
        Real time counters
    Zones
        Zone list
        Create zone
        Template list
        Compare zone policies
    Users
        User list
        Create user
        Change password

Zone menu—Provides access to zone-specific statistical and configuration tools. To view the Zone menu, click the desired zone listed in the navigation area. Table 1-4 maps the Zone menu levels.

Table 1-4 Zone Menu

Zone
    Main
        Summary
        Create zone
        Save as . . .
    Diagnostics
        Counters
        Event log
        Attack reports
        HTTP Zombies
        Policy statistics
        Real time counters
        Start Packet-Dump
        Stop Packet-Dump
        Packet-Dump List
    Detection
        Detect
        Deactivate
        Dynamic Filters
        Recommendations
    Learning
        Construct Policies
        Tune Threshold
        Deactivate
        Stop Learning
        Accept
        Snapshot
        Snapshot List
    Configuration
        General
        User Filters
        Bypass Filters
        Flex-Content Filters
        Policy Templates
        Add Service
        Remove Service
        Policy
        Compare Policies
        Learning Parameters