Cisco Traffic Anomaly Detector Module Web-Based Manager Configuration Guide (Software Version 5.0)
Managing Zone Policies

Table Of Contents

Managing Zone Policies

Viewing Zone Policies

Modifying Policy Parameters

Modifying a Single Policy

Modifying Multiple Policies Simultaneously

Adding or Deleting an IP Address and Threshold

Adding an IP Address and Threshold

Deleting an IP Address and Threshold

Adding or Deleting a Service

Adding a Service

Deleting a Service


Managing Zone Policies


In addition to using the learning process to create policies tuned to the characteristics of the zone traffic, the Detector module allows you to modify the policies of a zone configuration. This chapter describes how to manually fine-tune the anomaly detection capabilities of the zone configuration.

This chapter includes the following sections:

Viewing Zone Policies

Modifying Policy Parameters

Adding or Deleting an IP Address and Threshold

Adding or Deleting a Service

Viewing Zone Policies

To view the policies of a zone configuration:


Step 1 Select a zone from the navigation pane. The zone main menu appears.

Step 2 Choose Configuration > Policy from the zone main menu. The Policies screen appears (see Figure 8-1 and Table 8-1).

Step 3 If you created the zone using a GUARD_ zone template, the View Detector/View Guard toggle button appears above the policy list. Select the policy view to use:

Click View Detector to view the policies for use by the Detector module

Click View Guard to view the policies for use by the Cisco Anomaly Guard Module

Step 4 (Optional) To set a screen filter, click Set screen filter in the Policies screen. The Policy Filter window opens.

Step 5 Configure the screen filters to use. Table 8-1 describes the screen filter parameters listed in the Policy Filter window. Select the desired display parameters from the corresponding drop-down lists. When changing multiple filter parameters, begin from the top and work your way down the parameters of the Policy Filter window. When you change one of the filtering parameters, all the parameters listed below it are automatically reset to their default setting.

Table 8-1 Policy Filter Parameters 

Parameter
Restricts the display to . . .

Policy template

Policies created from the selected policy template.

Service

Policies created for the selected service.

Protection level

Policies of the selected protection level.

Type

Policies of the selected packet type.

Policy

Policies of the selected name.

State

Policies of selected operating state.

Action

Policies configured with the selected action.

Policies

Policies of the current running configuration or of a snapshot (if available)



Figure 8-1 contains a sample of the Policy screen.

Figure 8-1 Policy Table

Table 8-2 describes the fields in the Policy Table.

Table 8-2 Field Descriptions for Policy Table 

Field
Description

Policy Template

Policy template the Detector module used to construct the policy.

Service

Service in the traffic flow that the policy monitors. A service is either an application port or a protocol. You can add services to better tailor the policy configuration the Detector module created for the zone during the learning process. See the "Adding or Deleting a Service" section.

The Detector module displays a service value of any for all traffic that does not specifically match other services created from the same policy template.

Level

Level of anomaly detection the policy applies to the traffic flow, which is always analysis for the Detector module.

Type

Type of traffic flow packet or connection.

Packet type values:

auth_pkts—Packets that underwent either TCP handshake or UDP authentication.

auth_tcp_pkts—Packets that underwent TCP handshake.

auth_udp_pkts—Packets that underwent UDP authentication.

in_nodata_conns—Zone incoming connections that have no data transfer on the connection (packets without a data payload).

in_conns—Zone incoming connections.

in_pkts—Zone incoming DNS query packets.

in_unauth_pkts—Zone incoming unauthenticated DNS queries.

out_pkts—Zone outgoing DNS reply packets.

reqs—Request packets with data payload.

syns—Synchronization packets—TCP SYN flagged packets.

syn_by_fin—SYN and FIN flagged packets. Verifies the ratio between the number of SYN flagged packets and the number of FIN flagged packets.

unauth_pkts—Packets that did not undergo TCP handshake.

pkts—All packet types that do not fall under any other category in the same detection level.

non_estb_conns—Non-established connections: zone incoming failed connections, that is, TCP connection requests (SYN packets) for which no reply was received.

Key

Traffic characteristic that was used to aggregate the policies. Double-click the key name to view details.

Key name values:

dst_ip—Traffic destined to a zone IP address.

dst_ip_ratio—Ratio of SYN and FIN flagged packets destined to a specific IP address.

dst_port_ratio—Ratio of SYN and FIN flagged packets destined to a specific port.

global—Summation of all traffic flow as defined by the other policy sections.

src_ip—Traffic destined to the zone aggregated according to source IP address.

dst_port—Traffic destined to a specific zone port.

protocol—Traffic destined to the zone aggregated according to protocol.

src_ip_many_dst_ips—Key used for IP scanning. Traffic from a single IP destined to many zone IP addresses.

src_ip_many_ports—Key used for port scanning. Traffic from one IP destined to many zone ports.

scanners—A histogram of the number of source IP addresses that scan zone destination IP addresses on a specific destination port.

State

Operating state of the policy. The policy operates in one of the following states:

Active—The Detector module applies the policy to the traffic flow. The policy executes an action when the traffic flow exceeds the policy threshold.

Inactive—The Detector module applies the policy to the traffic flow. The policy does not execute an action when the traffic flow exceeds the policy threshold.

Disabled—The Detector module does not apply the policy to the traffic flow.

Action

Action assigned to the policy. The policy executes the action in the event the traffic flow exceeds the policy threshold. See the "Modifying Policy Parameters" section for further details.

Threshold

Policy threshold traffic rate. When the traffic flow exceeds the policy threshold, the policy executes its assigned action. You can configure the policy threshold manually or let the Detector module configure it during the threshold tuning phase of the learning process.

Timeout

Minimum amount of time the policy applies its assigned action to the traffic flow. The timeout value can be set to never.

Fixed

Policy threshold operating status. A check mark indicates the threshold is a fixed value that cannot be modified during the threshold tuning phase of the learning process. An x indicates the threshold value is not fixed, which means the Detector module can modify the policy threshold during the threshold tuning process.

Learning Multiplier

Factor the Detector module multiplies the threshold by when it accepts the results of the threshold tuning phase.


Modifying Policy Parameters

The procedures in this section describe how to modify policy parameters. You can only modify a zone policy when the Detector module is not learning zone traffic or analyzing zone traffic for anomalies. The WBM provides you with two different procedures for modifying policy parameters: one procedure to modify a single policy and another procedure to modify multiple policies with the same parameter change simultaneously. Table 8-3 lists the policy parameters you can modify with each procedure type.

Table 8-3 Policy Modification Procedures 

Policy Parameter                  Modify a single policy   Modify multiple policies

(Operating) State                 X                        X

Action                            X                        X

Threshold                         X                        

Threshold multiplier                                       X

Timeout                           X                        X

Learning parameters:
  Set as fixed                    X                        X
  Learning multiplier             X                        X


Note Changes you make to a policy parameter may be lost if you perform the policy construction phase after making the parameter change. When you accept the results of the policy construction phase, the Detector module deletes the current policies of the zone configuration and replaces them with the new policies.



Caution Setting the policy state to inactive or disabled may compromise the Detector module's ability to detect a traffic anomaly in the zone. When you disable a policy, the enabled policies assume responsibility for the traffic that was managed by the disabled policy. After you disable a policy and before activating zone anomaly detection, you must perform the threshold tuning phase to update the thresholds of the enabled policies.

This section contains the following procedures:

Modifying a Single Policy

Modifying Multiple Policies Simultaneously

Modifying a Single Policy

To modify the parameters of a single policy:


Step 1 Select a zone from the navigation pane. The zone main menu appears.

Step 2 Choose Configuration > Policy from the zone main menu. The Policies screen appears.

Step 3 If you created the zone using a GUARD zone template, the View Detector/View Guard toggle button appears above the policy list. Select the policy view to use:

Click View Detector to modify a policy for use by the Detector module

Click View Guard to modify a policy for use by the Cisco Anomaly Guard Module

Step 4 Click the Key of the desired policy. The Policy details screen appears.

Step 5 Click Configure (located under the Learning parameters table). The Config Policy screen appears with the current parameter values listed.

Step 6 Reconfigure the desired policy parameters. Table 8-4 describes the configurable policy parameters in the Zone Policies Parameter Form.

Table 8-4 Zone Policy Parameter Form 

Parameter
Description

State

The state of the policy. Possible values are:

active—The Detector module applies the policy to the traffic and the policy executes its assigned action when the traffic exceeds the policy threshold.

inactive—The Detector module applies the policy to the traffic, but the policy does not execute its assigned action when the traffic exceeds the policy threshold.

disabled—The Detector module does not apply the policy to the traffic.

Action

Action that the policy executes when the traffic exceeds the policy threshold. Choose a policy action from the drop-down list:

notify—The policy notifies the user.

remote_activation—The policy activates a Cisco Anomaly Guard Module, which diverts zone traffic to itself and manages the zone protection process. You define the Cisco Anomaly Guard Module the Detector module activates using the CLI to configure the remote-guard list.

Threshold

Threshold traffic rate for the policy. When the traffic exceeds the threshold, the policy executes an action to protect the zone. The threshold is measured in packets per second (pps) except for the following policies:

tcp_connections—measured in number of connections

tcp_ratio—measured as the ratio number

Timeout

Minimum time span for the policy to apply its action. Enter the timeout value in seconds.

Learning parameters

Manner in which the Detector module accepts the results of a threshold tuning phase that pertain to the policy. To have the Detector module accept the results of a threshold tuning phase without any modifications, leave the Learning Parameters check box unchecked.

Click the Learning parameters check box to choose one of the following options:

Set as fixed—The Detector module defines the current threshold of the policy as a fixed value. When the Detector module accepts the results of a threshold tuning phase, it does not modify this policy threshold.

Learning multiplier—The Detector module multiplies the current threshold value of the policy by the value you enter here. The Detector module also applies the multiplier to the results of subsequent threshold tuning phases. Enter a factor to raise or lower the threshold of the policy.


Modifying Multiple Policies Simultaneously

To modify multiple zone policies with the same parameter change:


Step 1 Select a zone from the navigation pane. The zone main menu appears.

Step 2 Choose Configuration > Policy from the zone main menu. The Policies screen appears.

Step 3 If you created the zone using a GUARD zone template, the View Detector/View Guard toggle button appears above the policy list. Select the policy view to use:

Click View Detector to modify the policies for use by the Detector module

Click View Guard to modify the policies for use by the Cisco Anomaly Guard Module

Step 4 Click the check box next to the desired policy or policies to reconfigure, then click Config Selection. The Zone Policies Parameter Form appears. If you have selected two or more policies, the policy parameters with different values will display a value of multiple.

Step 5 Modify the desired policy parameters. Table 8-5 describes the configurable policy parameters in the Zone Policies Parameter Form.

Table 8-5 Zone Policies Parameter Form 

Parameter
Description

State

Operating state of the policies. Choose an operating state from the drop-down list:

active—The Detector module applies the policies to the traffic. Each policy executes its assigned action when the traffic flow exceeds the threshold of the policy.

inactive—The Detector module applies the policies to the traffic, but the policies do not execute their assigned actions when the traffic flow exceeds their thresholds.

disabled—The Detector module does not apply the policies to the traffic.

Action

Action the policies execute when the traffic flow exceeds the policy threshold. Choose a policy action from the drop-down list:

notify—The policies notify the user when the traffic exceeds the policy threshold.

remote_activation—The policies activate a Cisco Anomaly Guard Module, which diverts zone traffic to itself and manages the zone protection process. You define the Cisco Anomaly Guard Module the Detector module activates using the CLI to configure the remote-guard list.

Threshold multiplier

Factor by which the thresholds of the policies are increased or decreased. Enter a factor to increase or decrease the thresholds of the policies when the thresholds are not appropriate for the zone traffic.

Timeout

Minimum amount of time the policy applies its action to the traffic flow. Enter a timeout value in seconds.

Learning parameters

Manner in which the Detector module accepts the results of a threshold tuning phase that pertain to the selected policies. To have the Detector module accept the results of a threshold tuning phase without any modifications, leave the Learning Parameters check box unchecked.

Click the Learning parameters check box to choose one of the following options:

Set as fixed—The Detector module configures the current thresholds of the selected policies as fixed values. When the Detector module accepts the results of a threshold tuning phase, it does not modify the thresholds of the policies.

Learning multiplier—The Detector module multiplies the current threshold values of the policies by the value you enter here. The Detector module also applies the multiplier to the results of subsequent threshold tuning phases. Enter a factor to raise or lower the thresholds of the policies.


Step 6 Choose one of the following options:

OK—Saves the configuration information. The Zone Policies Parameter Form closes and the Policies screen appears, displaying any policy configuration changes.

Clear—Reverts the Zone Policies Parameter Form information back to the default values.

Cancel—Exits the Zone Policies Parameter Form without making any changes to the policy parameters.
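The following Python model is an added illustration of the policy parameters described in Table 8-4 (single policy) and Table 8-5 (multiple policies); it is not Cisco code and does not run on the Detector module. The field names mirror the form fields, but the one-second sample loop in evaluate(), and the way the timeout is treated as a minimum hold time, are assumed simplifications of how the Detector module applies a policy to a traffic flow.

```python
"""Model of the zone-policy parameters in Tables 8-4 and 8-5.

Added illustration, not Cisco code. The Policy fields mirror the WBM form;
the per-second evaluation loop is an assumed simplification."""
from dataclasses import dataclass
from typing import List, Optional

STATES = ("active", "inactive", "disabled")
ACTIONS = ("notify", "remote_activation")


@dataclass
class Policy:
    name: str
    state: str
    action: str
    threshold: float            # pps, connections (tcp_connections) or ratio (tcp_ratio)
    timeout: Optional[int]      # seconds; None models the "never" setting
    fixed: bool = False         # Learning parameters: Set as fixed
    learning_multiplier: Optional[float] = None   # Learning parameters: Learning multiplier

    def __post_init__(self) -> None:
        if self.state not in STATES:
            raise ValueError(f"unknown state {self.state!r}")
        if self.action not in ACTIONS:
            raise ValueError(f"unknown action {self.action!r}")
        if self.threshold <= 0:
            raise ValueError("threshold must be positive")
        if self.learning_multiplier is not None and self.learning_multiplier <= 0:
            raise ValueError("learning multiplier must be positive")


def evaluate(policy: Policy, samples: List[float]) -> List[Optional[str]]:
    """Apply one policy to a constructed series of one-second traffic samples.

    Returns, per sample, the action the policy is executing (or None).
    Assumed semantics: an active policy fires when a sample exceeds the
    threshold and keeps its action for at least `timeout` seconds; an inactive
    policy is evaluated but never acts; a disabled policy is not applied at all.
    """
    result: List[Optional[str]] = []
    hold_until = 0.0            # second (exclusive) until which the action is held
    for t, value in enumerate(samples):
        if policy.state == "active" and value > policy.threshold:
            fire_until = float("inf") if policy.timeout is None else t + policy.timeout
            hold_until = max(hold_until, fire_until)
        acting = policy.state == "active" and t < hold_until
        result.append(policy.action if acting else None)
    return result


def accept_threshold_tuning(policy: Policy, tuned_threshold: float) -> float:
    """Threshold the policy ends up with when the results of a threshold
    tuning phase are accepted, honouring the Learning parameters."""
    if policy.fixed:
        return policy.threshold                  # tuning result is ignored
    if policy.learning_multiplier is not None:
        return tuned_threshold * policy.learning_multiplier
    return tuned_threshold


def apply_threshold_multiplier(policies: List[Policy], factor: float) -> List[Policy]:
    """Table 8-5 'Threshold multiplier': scale the current thresholds of all
    selected policies by one factor (bulk modification)."""
    if factor <= 0:
        raise ValueError("threshold multiplier must be positive")
    for p in policies:
        p.threshold *= factor
    return policies


if __name__ == "__main__":
    # Constructed sample: one second above the SYN threshold inside quiet traffic.
    syns = Policy("syns/dst_ip", "active", "notify", threshold=1000, timeout=10)
    samples = [500, 1500] + [200] * 13
    print(evaluate(syns, samples))
```

In the constructed sample the policy fires at the second sample and, because the timeout is 10 seconds, keeps notifying for ten samples even though the rate has dropped back; with state inactive the same traffic produces no action at all, which is why the Caution above warns that inactive and disabled policies weaken detection.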


Adding or Deleting an IP Address and Threshold

To avoid false attack detections by the Detector module when traffic increases on a known high traffic source or destination IP address, you can configure a policy with a threshold for traffic associated with the IP address. Add an IP address and threshold to a policy for the following network applications:

High volume source IP address—When the zone normally receives a high volume of traffic from a specific source IP address, you can configure a policy with a threshold that the Detector module applies to traffic originating from the source IP address.

High volume destination IP address—When you define a zone with two or more IP addresses and sections of the zone normally receive a high volume of traffic, you can configure a policy with a threshold that the Detector module applies to traffic targeting the destination IP address within the zone.

The WBM only allows you to configure IP thresholds for policies with the following characteristics:

Policies with a Key type of src_ip (source IP address) and an Action type of drop

Policies with a Key type of dst_ip (destination IP address) with an Action type of to-user, strong, notify, or drop

Each policy accepts up to five IP addresses and thresholds.

This section contains the following procedures:

Adding an IP Address and Threshold

Deleting an IP Address and Threshold

Adding an IP Address and Threshold

To configure a policy with an IP address and threshold:


Step 1 Select a zone from the navigation pane. The zone main menu appears.

Step 2 Choose Configuration > Policy from the zone main menu. The Policies screen appears.

Step 3 If you created the zone using a GUARD zone template, the View Detector/View Guard toggle button appears above the policy list. Select the policy view to use:

Click View Detector to configure a policy for use by the Detector module with an IP address and threshold

Click View Guard to configure a policy for use by the Cisco Anomaly Guard Module with an IP address and threshold

Step 4 Click the Key type (located under the Key column) of the desired policy. The Policy details screen appears.

Step 5 Click Add (located under the Threshold list table). The Add threshold entry screen appears.

Step 6 Define the source or destination IP address and threshold value. Table 8-6 describes the parameters in the Threshold IP Entry Form.

Table 8-6 Threshold IP Entry Form 

Parameter
Description

IP

IP address. Enter the source or destination IP address.

Threshold

IP address threshold. When the traffic exceeds the threshold, the policy executes its configured action. Enter the threshold value in packets per second (pps) except for the following policy types:

tcp_connections—Unit of measurement is number of connections

tcp_ratio—Unit of measurement is the ratio number


Step 7 Choose one of the following options:

OK—Saves the policy IP address information to the policy configuration and zone configuration. The Threshold IP Entry Form closes and the Policy details screen appears, displaying any policy configuration changes.

Clear—Clears any information you added to the Threshold IP Entry Form.

Cancel—Exits the Threshold IP Entry Form without making any changes to the policy configuration.
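The following Python model is an added illustration of the per-IP thresholds described at the start of this section and in Table 8-6; it is not Cisco code. The key/action restrictions and the five-entry limit are taken from the text above. The IpThresholdPolicy class, its method names, the flow-table format and the sample traffic figures are assumptions constructed for this example.

```python
"""Per-IP thresholds on a zone policy.

Added illustration, not Cisco code. Key/action rules and the five-entry limit
come from the chapter; the class, method names and sample flows are assumed."""
import ipaddress
from typing import Dict, List

# Key types for which the WBM allows per-IP thresholds, and the permitted actions.
IP_THRESHOLD_RULES = {
    "src_ip": {"drop"},
    "dst_ip": {"to-user", "strong", "notify", "drop"},
}
MAX_IP_ENTRIES = 5


class IpThresholdPolicy:
    def __init__(self, key: str, action: str, threshold: float) -> None:
        allowed = IP_THRESHOLD_RULES.get(key)
        if allowed is None or action not in allowed:
            raise ValueError(f"per-IP thresholds not supported for key={key} action={action}")
        if threshold <= 0:
            raise ValueError("threshold must be positive")
        self.key, self.action, self.threshold = key, action, threshold
        self.ip_thresholds: Dict[str, float] = {}   # at most MAX_IP_ENTRIES

    def add_ip_threshold(self, ip: str, threshold: float) -> None:
        addr = str(ipaddress.IPv4Address(ip))        # rejects malformed addresses
        if threshold <= 0:
            raise ValueError("threshold must be positive")
        if addr not in self.ip_thresholds and len(self.ip_thresholds) >= MAX_IP_ENTRIES:
            raise ValueError(f"policy already holds {MAX_IP_ENTRIES} IP thresholds")
        self.ip_thresholds[addr] = threshold

    def delete_ip_threshold(self, ip: str) -> None:
        self.ip_thresholds.pop(str(ipaddress.IPv4Address(ip)), None)

    def effective_threshold(self, ip: str) -> float:
        """Per-IP value when one is configured, otherwise the policy threshold."""
        return self.ip_thresholds.get(str(ipaddress.IPv4Address(ip)), self.threshold)

    def violations(self, flows: Dict[str, float]) -> List[str]:
        """flows maps an IP (source or destination, per the policy key) to its
        measured rate. Returns the IPs whose rate exceeds their effective threshold."""
        return sorted(ip for ip, rate in flows.items() if rate > self.effective_threshold(ip))


# Constructed sample: a dst_ip policy on a zone whose web server (10.1.1.10)
# normally receives far more traffic than the other zone hosts.
WEB_SERVER = "10.1.1.10"
SAMPLE_FLOWS = {WEB_SERVER: 9000.0, "10.1.1.20": 2500.0, "10.1.1.30": 100.0}   # pps


def build_sample_policy(with_override: bool) -> IpThresholdPolicy:
    policy = IpThresholdPolicy("dst_ip", "notify", threshold=2000.0)
    if with_override:
        policy.add_ip_threshold(WEB_SERVER, 12000.0)
    return policy


if __name__ == "__main__":
    print("without override:", build_sample_policy(False).violations(SAMPLE_FLOWS))
    print("with override:   ", build_sample_policy(True).violations(SAMPLE_FLOWS))
```

Without the override the busy web server is reported alongside the genuinely anomalous host; with a 12000 pps threshold on 10.1.1.10 only 10.1.1.20 is reported, which is the false-positive case the section describes. Note that the override raises the bar for that one address only, so a flood aimed at the web server still has to exceed 12000 pps before the policy acts.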


Deleting an IP Address and Threshold

To delete a policy IP address and threshold:


Step 1 Select a zone from the navigation pane. The zone main menu appears.

Step 2 Choose Configuration > Policy from the zone main menu. The Policies screen appears.

Step 3 If you created the zone using a GUARD zone template, the View Detector/View Guard toggle button appears above the policy list. Select the policy view to use:

Click View Detector to delete an IP address and threshold from a policy for use by the Detector module

Click View Guard to delete an IP address and threshold from a policy for use by the Cisco Anomaly Guard Module

Step 4 Click the Key parameter of the desired policy. The Policy details screen appears.

Step 5 Check the check box of the IP listing or listings to delete from the Threshold list table.

Step 6 Click Delete (located under the Threshold list table). The modified policy configuration information is saved to the policy configuration and zone configuration.

Adding or Deleting a Service

You can manually add a service to the zone configuration that the Detector module did not discover during the policy construction phase. When you add a service, the Detector module creates new policies for the service based on the policy template you select for the service. You can add a new service to the following policy templates:

http

other_protocols

tcp_services

udp_services

For http, tcp_services, and udp_services, the added service designates a port number. For other_protocols, the added service designates a protocol number.

When you add or delete a service from a zone configuration you created with a GUARD_ zone template, the Detector module makes the service modification to the policy configurations of the Detector module and Cisco Anomaly Guard Module.

When you add or delete a service from the zone configuration, the Detector module marks the zone untuned. Because the zone is untuned, the Detector module cannot detect zone anomalies when you activate Detect and Learn until you perform one of the following actions:

Perform the threshold tuning phase of the learning process and accept the results (see the "Starting the Threshold Tuning Phase" section in "Learning Zone Traffic")

Mark the zone tuned (see the "Marking the Zone Policies as Tuned or Untuned" section in "Learning Zone Traffic")

This section contains the following procedures:

Adding a Service

Deleting a Service

Adding a Service

To add a service to a policy type:


Step 1 Select a zone from the navigation pane. The zone main menu appears.

Step 2 Use one of the following methods to initiate the Add Service process:

Choose Configuration > Add Service from the zone main menu.

Choose Configuration > Policy from the zone main menu, then click Add service from the Policies screen. If you created the zone using a GUARD zone template, the Detector module makes the service modification to the policy configurations of the Detector module and Cisco Anomaly Guard Module regardless of which policy configuration is currently displayed.

Choose Configuration > Policy templates from the zone main menu, then click Add service from the Policies Templates screen.

The Add service step 1 screen appears.

Step 3 Select a policy template from the Policy Template list and click Next. (Refer to the "Policy Template Types" section in "Configuring Policy Templates" for details on policy template types.) The Add service step 2, Add Service Form appears.

Step 4 Enter the new service in the Add Service Form.

Step 5 Choose one of the following options:

OK—Adds the new policies for service to the zone configuration. The Policies screen appears, displaying the policies of the added service, and the Detector module marks the zone untuned.

Clear—Clears the Add Service Form information.

Cancel—Exits the Add Service Form without adding any new service to the zone configuration.

Step 6 (Optional) To change the zone configuration from untuned to tuned after adding a service, perform one of the following actions:

Perform the threshold tuning phase of the learning process and accept the phase results (see the "Starting the Threshold Tuning Phase" section in "Learning Zone Traffic")

Mark the zone tuned (see the "Marking the Zone Policies as Tuned or Untuned" section in "Learning Zone Traffic")


The policies of the new service are configured with default threshold values. You can define the thresholds of each policy manually; however, we recommend that you run the threshold tuning phase to tune the policies to the zone traffic (see the "Starting the Threshold Tuning Phase" section in "Learning Zone Traffic").

Deleting a Service

You can delete a specific service related to a policy type. The Detector module removes all of the policies that were created from the policy template you select.


Caution When you delete a service, zone protection may be compromised as the Detector module policies can no longer relate to the traffic service that was removed.

To delete a service from a policy:


Step 1 Select a zone from the navigation pane. The zone main menu appears.

Step 2 Use one of the following methods to initiate the Remove Service process:

Choose Configuration > Remove Service from the zone main menu.

Choose Configuration > Policy from the zone main menu, then click Remove service from the Policies screen. If you created the zone using a GUARD_ zone template, the Detector module makes the service modification to the policy configurations of the Detector module and Cisco Anomaly Guard Module regardless of which policy configuration is currently displayed.

Choose Configuration > Policy templates from the zone main menu, then click Remove service from the Policies Templates screen.

The Remove service screen appears.

Step 3 Select the service you want to remove from the list, then click Delete. The delete verification screen appears.

Step 4 Choose one of the following options:

OK—Removes the selected service from the zone configuration. The Policies screen appears, and the Detector module marks the zone untuned.

Cancel—Exits the Remove Service Form without removing any service from the zone configuration.

Step 5 (Optional) To change the zone configuration from untuned to tuned after deleting a service, perform one of the following actions:

Perform the threshold tuning phase of the learning process and accept the phase results (see the "Starting the Threshold Tuning Phase" section in "Learning Zone Traffic")

Mark the zone tuned (see the "Marking the Zone Policies as Tuned or Untuned" section in "Learning Zone Traffic")
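The following Python model is an added illustration of the service add/delete behaviour described in "Adding or Deleting a Service", in particular the untuned state that silently blocks anomaly detection until the thresholds are tuned or the zone is marked tuned; it is not Cisco code. The port-versus-protocol-number rule per template is taken from the text. The Zone class, the packet types it creates for a new service, and the placeholder default threshold are assumptions constructed for this example.

```python
"""Service add/delete and the tuned/untuned zone state.

Added illustration, not Cisco code. Template-to-number mapping and the untuned
gating come from the chapter; the Zone class, per-template policy types and the
default threshold are assumptions."""
from typing import Dict, Tuple

# Which kind of number the added service designates, per policy template.
TEMPLATE_SERVICE_KIND = {
    "http": "port",
    "tcp_services": "port",
    "udp_services": "port",
    "other_protocols": "protocol",
}
# Assumed: packet types the module would create for a new service of each template.
ASSUMED_POLICY_TYPES = {
    "http": ("syns", "in_conns", "pkts"),
    "tcp_services": ("syns", "in_conns", "pkts"),
    "udp_services": ("pkts",),
    "other_protocols": ("pkts",),
}
ASSUMED_DEFAULT_THRESHOLD = 1000.0   # placeholder until threshold tuning runs

PolicyKey = Tuple[str, int, str]     # (template, service number, packet type)


class Zone:
    def __init__(self, name: str) -> None:
        self.name = name
        self.tuned = True
        self.policies: Dict[PolicyKey, float] = {}

    def add_service(self, template: str, service: int) -> int:
        """Create the policies for a new service; returns how many were created."""
        kind = TEMPLATE_SERVICE_KIND.get(template)
        if kind is None:
            raise ValueError(f"services cannot be added to template {template!r}")
        limit = 65535 if kind == "port" else 255          # IP protocol numbers are 8-bit
        if not 0 <= service <= limit:
            raise ValueError(f"{kind} number {service} out of range 0..{limit}")
        if any(k[:2] == (template, service) for k in self.policies):
            raise ValueError("service already exists")
        for ptype in ASSUMED_POLICY_TYPES[template]:
            self.policies[(template, service, ptype)] = ASSUMED_DEFAULT_THRESHOLD
        self.tuned = False                                # zone is now untuned
        return len(ASSUMED_POLICY_TYPES[template])

    def delete_service(self, template: str, service: int) -> int:
        """Remove every policy created for the service; returns how many were removed."""
        doomed = [k for k in self.policies if k[:2] == (template, service)]
        if not doomed:
            raise KeyError("no such service")
        for k in doomed:
            del self.policies[k]
        self.tuned = False
        return len(doomed)

    def accept_threshold_tuning(self, results: Dict[PolicyKey, float]) -> None:
        """Accepting tuning results replaces thresholds and marks the zone tuned."""
        for k, threshold in results.items():
            if k in self.policies:
                self.policies[k] = threshold
        self.tuned = True

    def mark_tuned(self) -> None:
        """Manual 'mark zone tuned': thresholds keep their current (default) values."""
        self.tuned = True

    def can_detect(self) -> bool:
        """Detect and Learn only detects anomalies while the zone is tuned."""
        return self.tuned


if __name__ == "__main__":
    zone = Zone("web")
    zone.add_service("tcp_services", 8443)
    print("detects after add:", zone.can_detect())      # False until tuned
    zone.mark_tuned()
    print("detects after mark tuned:", zone.can_detect())
```

The point to check operationally is can_detect() after every service change: marking the zone tuned restores detection immediately but leaves the new policies on their default thresholds, whereas accepting a threshold tuning phase restores detection with thresholds fitted to the zone traffic, which is why the chapter recommends the latter.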