Configuring Policy Templates
A policy template is a collection of rules and guidelines the Detector module uses during the policy construction phase of the learning process to construct new zone policies for services it detects in the zone traffic flow. The output of each policy template is a set of zone policies the Detector module uses to detect DDoS attacks in the zone traffic. When you create a new zone, the Detector module includes a set of policy templates in the new zone configuration.
This chapter describes how to perform advanced policy template configuration tasks. Changes you make to a zone policy template configuration affect the policy generation phase of the learning process. Using the WBM, you can enable, disable, or modify the zone policy templates to control the policies the Detector module creates during the policy generation phase.
This chapter includes the following sections:
• Policy Template Types
• Modifying a Policy Template Configuration
Policy Template Types
The Detector module can use several types of policy templates during the policy construction phase to match the services of a traffic flow. The name of a policy template reflects the characteristic that is common to all the policies the Detector module creates from it: a protocol such as DNS, an application such as HTTP, or an objective such as ip_scan. For example, the tcp_connections policy template produces policies that relate to connections, such as the number of concurrent connections.
Table 6-1 describes each of the Detector module policy template types.
Table 6-1 Policy Templates

| Policy template | Produces a set of policies relating to . . . |
|---|---|
| dns_tcp | DNS-TCP protocol traffic. |
| dns_udp | DNS-UDP protocol traffic. |
| fragments | Fragmented traffic. |
| http | HTTP traffic flowing (by default) through port 80 or other user-configured ports. |
| ip_scan | IP scanning traffic (a situation in which a source IP address attempts to access several destination IP addresses within the zone). This policy template is designed primarily for applications in which the defined zone is a subnet. By default, this policy template is disabled. The default action configured for this policy template is notify. Caution: Policies created by the ip_scan policy template are resource-consuming and may affect performance. |
| other_protocols | Protocols other than TCP and UDP. |
| port_scan | Port scanning. The port_scan policy template produces policies that manage attacks in which a remote client from a specific source IP address attempts to access several ports within the zone. By default, this policy template is disabled. The default action for this policy template is notify. Caution: Policies created by the port_scan policy template are resource-consuming and may affect performance. |
| tcp_connections | TCP connection characteristics. |
| tcp_not_auth | TCP connections that the Detector module anti-spoofing feature has not authenticated. |
| tcp_outgoing | TCP connections initiated by a zone. |
| tcp_ratio | Ratios between different types of TCP packets, such as SYN packets versus FIN/RST packets. |
| tcp_services | TCP services on ports other than HTTP-related ports, such as ports 80 and 8080. |
| udp_services | UDP services. |
The Detector module includes an additional policy template when you define a zone using the DETECTOR_WORM zone template.
Table 6-2 details the Detector module policy templates for DETECTOR_WORM.

Table 6-2 DETECTOR_WORM Policy Templates

| Policy template | Constructs a group of policies relating to . . . |
|---|---|
| worm_tcp | TCP worms. These policies manage worm attacks, in which one or more source IP addresses create many non-established connections on the same port to many zone destination IP addresses. This policy template is designed primarily for zones in which the IP address definition is a subnet. Note: This policy template is available only for zones that were created from the DETECTOR_WORM zone template. The Detector module adds services to the policies created from the worm_tcp policy template during the threshold tuning phase rather than during the policy construction phase. The policy template parameters max_services and min_threshold do not apply to the worm_tcp policy template. |
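The scan and worm characteristics described in Tables 6-1 and 6-2 (one source reaching many zone addresses, one source reaching many ports on a zone host, and SYN-only connections on a single port to many zone addresses) can be summarized from flow records. The Python below is an added example written for this page, not Detector module code: the flow-record layout, the zone prefix 192.0.2.0/24, and the thresholds of five destinations or five ports are assumptions, and the sample flows are constructed.

```python
from collections import defaultdict

# Assumed zone definition: the subnet 192.0.2.0/24.
ZONE_PREFIX = "192.0.2."

# Constructed sample flow records: (src_ip, dst_ip, dst_port, tcp_flags).
# "S"  = SYN seen without a completed handshake (non-established connection)
# "SA" = handshake completed
SAMPLE_FLOWS = (
    # ordinary client: one destination, one port
    [("10.0.0.5", "192.0.2.10", 80, "SA")] * 3
    # ip_scan pattern: one source touching many zone hosts on the same port
    + [("203.0.113.7", f"192.0.2.{i}", 80, "SA") for i in range(1, 9)]
    # port_scan pattern: one source touching many ports on one zone host
    + [("203.0.113.9", "192.0.2.10", p, "S") for p in (21, 22, 23, 25, 80, 110, 143, 443)]
    # worm_tcp pattern: SYN-only connections on one port to many zone hosts
    + [("198.51.100.3", f"192.0.2.{i}", 445, "S") for i in range(20, 28)]
)


def summarize_sources(flows, zone_prefix=ZONE_PREFIX):
    """Per-source counters over flows whose destination lies inside the zone."""
    summary = defaultdict(lambda: {"dsts": set(), "ports": set(),
                                   "nonest": defaultdict(set)})
    for src, dst, port, flags in flows:
        if not dst.startswith(zone_prefix):
            continue  # only zone-bound traffic is relevant to zone policies
        entry = summary[src]
        entry["dsts"].add(dst)
        entry["ports"].add(port)
        if flags == "S":
            # destinations reached with non-established connections, per port
            entry["nonest"][port].add(dst)
    return summary


def classify_sources(flows, scan_dsts=5, scan_ports=5, worm_dsts=5):
    """Map each source to the policy template names whose characteristic it matches.

    Thresholds are assumptions for this illustration; ip_scan and port_scan
    policies default to the notify action per Table 6-1.
    """
    findings = {}
    for src, entry in summarize_sources(flows).items():
        matched = []
        if len(entry["dsts"]) >= scan_dsts:
            matched.append("ip_scan")
        if len(entry["ports"]) >= scan_ports:
            matched.append("port_scan")
        if any(len(dsts) >= worm_dsts for dsts in entry["nonest"].values()):
            matched.append("worm_tcp")
        if matched:
            findings[src] = matched
    return findings


if __name__ == "__main__":
    for src, matched in classify_sources(SAMPLE_FLOWS).items():
        print(f"{src}: {', '.join(matched)}")
```

A worm-like source also satisfies the ip_scan characteristic, which is why the example reports both; the distinction is the non-established state of the connections on one port, which is exactly what the worm_tcp description keys on.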
If you create a zone from a GUARD_ zone template, you can configure the parameters of additional policy templates that can be synchronized to a Cisco Anomaly Guard Module. The Cisco Anomaly Guard Module supports the following additional policy templates:
• tcp_services_ns—TCP services. By default, the policies created by the tcp_services_ns template relate to IRC ports (666X), SSH, and Telnet. This policy template does not create policies with actions that apply the Strong protection level to the traffic flow.
• tcp_connections_ns, tcp_outgoing_ns, and http_ns—The Cisco Anomaly Guard Module includes additional policy templates that are designed for protecting zones for which you do not want to use the TCP proxy anti-spoofing mechanism. You can use these policy templates if the zone is moderated according to IP addresses, such as an Internet Relay Chat (IRC) server-type zone, or if you do not know what type of services are running on the zone.
If you define a zone with the GUARD_TCP_NO_PROXY zone template, the Cisco Anomaly Guard Module replaces the http, tcp_connections, and tcp_outgoing policy templates with the http_ns, tcp_connections_ns, and tcp_outgoing_ns policy templates, respectively. The http_ns, tcp_connections_ns, and tcp_outgoing_ns policy templates do not create policies with actions that require the Cisco Anomaly Guard Module to use the Strong protection level.
Modifying a Policy Template Configuration
To manage the policy construction phase of the learning process, you can modify the following policy template parameters:
• Enable or disable the policy template. Only enabled policy templates produce policies for the services the Detector module detects during the policy construction phase. Some policy templates create an additional policy to handle all traffic flows for which a specific policy was not added; these policies are added with a service of any.
• Control when the policy template creates policies during the learning process, based on the volume of traffic for a service.
• Define the maximum number of policies that the Detector module can produce from the policy template during the learning process.
To modify the configuration of a policy template:
Step 1 Select a zone from the navigation pane. The zone main menu appears.
Step 2 Choose Configuration > Policy templates from the zone main menu. The Policy Templates screen appears.
Step 3 Select a policy template. The Config policy template screen appears.
Step 4 Modify the desired parameters of the policy template. Table 6-3 describes the policy template parameters listed in the Policy Template Form. Depending on the type of policy template selected, some or all of the parameters listed in the table are displayed for editing.
Table 6-3 Policy Template Parameters

| Parameter | Description |
|---|---|
| State | Operating state of the policy template. Choose one of the following options: • enable—The policy template is applied to the traffic flow during the policy construction phase of the learning process. When the Detector module detects a service, it creates a new policy based on the rules of the policy template designed for the detected service. • disable—The Detector module does not apply the policy template to the traffic flow during the policy construction phase of the learning process. If the Detector module detects a service associated with the disabled policy template, it does not create a new policy. Caution: Disabling a policy template may seriously compromise zone protection. When you disable a policy template, the Detector module does not produce policies to manage the type of malicious traffic the policy template is designed to manage. |
| Min Threshold | Minimum traffic volume threshold for a service. Enter an integer that defines the minimum threshold rate in packets per second (pps). When you are measuring the concurrent connections and the SYN/FIN ratio, the threshold value is the total number of connections. When a service traffic flow exceeds the threshold, the Guard produces policies for the service based on the particular traffic flow that exceeded the threshold. You cannot configure this parameter for policy templates that are essential for proper zone detection and therefore always construct a policy: tcp_services, udp_services, other_protocols, http, and fragments. |
| Max Services | The maximum number of services (protocol numbers or port numbers) that the policy template picks up and creates policies for. Enter an integer that defines the maximum number of services. The Detector module ranks the services that the policy template applies to by their level of traffic volume. It selects the services that have exceeded the defined minimum threshold (as defined by the Min Threshold parameter) with the highest traffic volume and creates a policy for each of them. The Guard may add an additional policy, with a service parameter setting of any, to handle all other traffic flows that have the characteristics of the policy template. The higher the maximum number of services you configure, the more Detector module memory the zone requires. You can define this parameter for policy templates that detect services, such as the tcp_services policy template. You cannot configure this parameter for: • policy templates that relate to a specific service, such as the dns_tcp policy template, which relates to service 53; • policy templates that relate to a specific traffic characteristic, such as the fragments policy template. |
Step 5 Choose one of the following options:
• OK—Saves the new policy template configuration. The Policy Template screen appears.
• Clear—Reverts the form information back to the default values and clears any information you added.
• Cancel—Exits the Config policy template screen without saving any information. The Policy Template screen appears.
To add or remove services from all policies that were created from a specific policy template, refer to the "Adding or Deleting a Service" section in "Managing Zone Policies."
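As an added example (not Detector module code) of how the State, Min Threshold, and Max Services parameters of Table 6-3 interact during the policy construction phase, the following Python models the output of one policy template: a disabled template produces nothing; a template tied to a single service (dns_udp on service 53 is the assumed case) produces its policy once that service exceeds Min Threshold; and a service-detecting template such as tcp_services ranks the services above Min Threshold by volume, keeps the top Max Services, and appends a policy with service any. The PolicyTemplate and Policy classes, the fixed_service and catch_all fields, and every traffic figure are constructed for this illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class PolicyTemplate:
    """Table 6-3 parameters plus two structural fields assumed for this model."""
    name: str
    state: str = "enable"                 # State: "enable" or "disable"
    min_threshold: Optional[int] = None   # Min Threshold (pps); None = not configurable
    max_services: Optional[int] = None    # Max Services; None = not configurable
    fixed_service: Optional[int] = None   # assumed: template bound to one service (e.g. 53)
    catch_all: bool = False               # assumed: template adds a policy with service "any"


@dataclass
class Policy:
    template: str
    service: str


def construct_policies(tpl: PolicyTemplate, rates: Dict[int, int]) -> List[Policy]:
    """Model of the policy construction phase for a single template.

    rates maps a service (port or protocol number) to its observed volume in pps.
    """
    if tpl.state != "enable":
        return []                          # disabled templates never produce policies
    threshold = tpl.min_threshold or 0     # non-configurable threshold behaves as "always"
    if tpl.fixed_service is not None:
        # single-service template: one policy, created once the service exceeds the threshold
        if rates.get(tpl.fixed_service, 0) > threshold:
            return [Policy(tpl.name, str(tpl.fixed_service))]
        return []
    # service-detecting template: rank services above the threshold by volume
    ranked = sorted(((svc, pps) for svc, pps in rates.items() if pps > threshold),
                    key=lambda item: item[1], reverse=True)
    if tpl.max_services is not None:
        ranked = ranked[:tpl.max_services]  # the Max Services cap
    policies = [Policy(tpl.name, str(svc)) for svc, _ in ranked]
    if tpl.catch_all:
        policies.append(Policy(tpl.name, "any"))  # remaining flows of this kind
    return policies


# Constructed templates and traffic figures (all values are made up).
TCP_SERVICES = PolicyTemplate("tcp_services", max_services=3, catch_all=True)
DNS_UDP = PolicyTemplate("dns_udp", min_threshold=100, fixed_service=53)
IP_SCAN = PolicyTemplate("ip_scan", state="disable", min_threshold=10, max_services=5)

# observed pps per non-HTTP TCP port in the zone traffic
TCP_RATES = {22: 50, 25: 400, 993: 120, 3306: 700, 5432: 9000, 6667: 30}

if __name__ == "__main__":
    cases = ((TCP_SERVICES, TCP_RATES), (DNS_UDP, {53: 250}),
             (DNS_UDP, {53: 40}), (IP_SCAN, {80: 500}))
    for tpl, rates in cases:
        print(tpl.name, [p.service for p in construct_policies(tpl, rates)])
```

With max_services=3 the tcp_services template yields policies for ports 5432, 3306, and 25 plus the any policy; raising the cap to 6 would give every listed port its own policy, which is the memory trade-off the Max Services description points out.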