-
Cisco Traffic Anomaly Detector Module Configuration Guide (Software Version 5.1)
-
Index
-
Preface
-
Product Overview
-
Configuring the Detector Module on the Supervisor Engine
-
Initializing the Detector Module
-
Configuring the Detector Module
-
Configuring Zones
-
Configuring Zone Filters
-
Configuring Policy Templates and Policies
-
Learning the Zone Traffic Characteristics
-
Detecting Zone Traffic Anomalies
-
Using Interactive Detect Mode
-
Understanding Attack Reports
-
Using Detector Module Diagnostics Tools
-
Performing Maintenance Tasks
-
Table Of Contents
Configuring Access Control Using AAA
Configuring Authentication Methods
Configuring Local Authentication
Configuring Local Authorization
Configuring Authorization Methods
Disabling Tab Completion of Zone Names
Configuring the TACACS+ Server Attributes
Configuring a TACACS+ Server IP Address
Configuring the TACACS+ Server Encryption Key
Configuring the TACACS+ Search Method
Configuring the TACACS+ Server Connection Timeout
Displaying TACACS+ Server Statistics
Establishing Communication with the Cisco Guard
Configuring SSL Communication Channels
Enabling SSL Communication Channels
Configuring SSH Communication Channels
Enabling an SSH2 Communication Channel
Regenerating SSH2 Communication Channel Keys
Establishing Communication Channels
Configuring the Keys for SFTP and SCP Connections
Configuring SNMP Community Strings
Configuring the Login Banner from the CLI
Configuring the Session Timeout
Configuring the Detector
This chapter describes how to configure the Cisco Traffic Anomaly Detector (Detector) services.
This chapter contains the following sections:
•
Configuring Access Control Using AAA
•
•
•
•
Activating Detector Services
You can define which Detector services are active. The service must be enabled, and access to the service must be permitted to enable proper functionality. You can control the activation of the Detector services and grant or deny permission from a specific IP address, which will limit the IP addresses from which the Detector is accessed and controlled.
Table 4-1 describes the Detector services.
Table 4-1 Detector Services
Inter-node communication service. The Detector uses this service when establishing a communication channel with the Cisco Guard.
See the "Establishing Communication with the Cisco Guard" section for more information.
SNMP server service. You can access the Detector using SNMP to retrieve information as defined by the Riverhead private MIB, MIB2, and UCDavis MIB.
See the MIB file that is released with the software version for information on the MIB definitions.
Note
SNMP trap service. When you activate the snmp-trap service, the Detector generates SNMP traps. See the "Enabling SNMP Traps" section for more information.
Secure Shell service. The SSH service is always active. See the "Accessing the Detector with SSH" section on page 3-16 and the "Managing SSH Keys" section for more information.
Web-based manager (WBM) service. You can control the Detector from the web using a web browser. See the "Managing the Detector with a Web-Based Manager" section on page 3-15 for more information.
To activate a Detector service, perform the following steps:
Step 1
service {internode-comm | snmp-server | snmp-trap | wbm}See Table 4-1 for a description of the Detector services. By default, all Detector services, except SSH, are disabled.
Step 2
permit {internode-comm | snmp-server | snmp-trap | ssh | wbm} ip-address-general [ip-mask]Table 4-2 provides the arguments for the permit command.
Table 4-2 Arguments for the permit Command
The service to be accessed and operated. See Table 4-1 for a description of the Detector services.
The IP address from which to permit access. Enter the IP address in dotted-decimal notation (for example, enter 192.168.10.2). Use an asterisk (*) to permit access from all IP addresses.
(Optional) The IP subnet mask. Enter the subnet mask in dotted-decimal notation (for example, enter 255.255.255.0). The default subnet mask is 255.255.255.255.
Caution
The following example shows how to activate a service:
user@DETECTOR-conf# service wbmuser@DETECTOR-conf# permit wbm 192.168.10.35Configuring Access Control Using AAA
Authentication, Authorization, and Accounting (AAA) is a method for controlling who is allowed to access the Detector and what services are allowed after access. AAA provides the following features:
•
•
•
The Detector is preconfigured with the following system user accounts:
•
•
You cannot delete system user accounts.
User definition allows you to divide the Detector user community into domains and to assign passwords for secure management access. We recommend that you create new user accounts and avoid using the system user accounts after initial configuration so that you can monitor user actions.
The following sections describe how to configure access control:
•
Configuring Authentication
You can configure which authentication method that the Detector uses when a user tries to log into the Detector or requests a higher privilege level (using the enable command). The Detector offers the following authentication options:
•
•
If you configure a user only on a TACACS+ server, you must also configure authorization on the TACACS+ server for that user, or the user has access to show commands only.
You can configure a sequential authentication list. The authentication list defines the authentication methods used to authenticate a user, enables you to designate one or more methods to be used for authentication, and provides a backup if the initial method fails.
The Detector uses the first authentication method that is on the sequential authentication list to authenticate users; if that authentication method does not respond, the Detector selects the second authentication method on the list. Authentication fails only if both authentication methods do not succeed to authenticate the user.
You can configure a distributed authentication scheme and define users in several authentication databases. The Detector uses the first TACACS+ server to authenticate users. If the authentication returns a rejection, the Detector scans the TACACS+ server list and the alternative authentication method (local), if one exists. Authentication fails only if all the authentication methods on the list fail. This option is valid only if you do not configure the first-hit option.
Note
This section contains the following topics:
•
•
Configuring Authentication Methods
To configure the authentication method that the Detector uses, perform the following steps:
Step 1
Step 2
aaa authentication {enable | login} {local | tacacs+} [tacacs+ | local]Table 4-3 provides the keywords for the aaa authentication command.
If you access the Detector from a console session, it uses the local user database for authentication regardless of the defined authentication method.
To change the authentication method, reenter the command.
The following example shows how to configure authentication on entering a higher privilege level. The primary authentication method is configured to TACACS+, and the secondary authentication method is configured to the local user database.
user@DETECTOR-conf# aaa authentication enable tacacs+ localConfiguring Local Authentication
The Detector initially has a preconfigured username with administration privileges, which allows you to create new users. A user definition allows you to divide the Detector user community into domains and to assign passwords for secure management access.
To enable authentication of CLI users with a TACACS+ server, see the "Configuring Authentication" section.
This section contains the following topics:
•
•
Adding a User
To add a user to the Detector local database, use the following command in configuration mode:
username username {admin | config | dynamic | show} [password]
Table 4-4 provides the arguments and keywords for the username command.
The following example shows how to configure a new user and set the password:
user@DETECTOR-conf# username Robbin config 1234Users enter passwords in clear text but the Detector configuration file displays passwords in an encrypted manner. This example displays the Detector configuration file (running-config):
username Richard config encrypted 840xdMk3The encrypted keyword in the previous example indicates that the password is encrypted.
To display the list of users configured on the Detector, use the show running-config or show detector commands.
To display a list of the users currently logged into the CLI, use the show users command.
Changing Your Password
You can change your own password. Administrators can change their own password and the passwords of other users (see the "Changing the Passwords of Other Users" section).
To change your own password, perform the following steps:
Step 1
passwordStep 2
Step 3
The password must be an alphanumeric, 6 to 24 character string, with no spaces. The password is case sensitive. The system prompts you to confirm the new password by typing it again.
The following example shows how to change your password:
user@DETECTOR# passwordOld Password: <old-password>New Password: <new-password>Retype New Password: <new-password>Changing the Passwords of Other Users
You must have administration user privileges to change the password of other users.
To change the password of a user, perform the following steps:
Step 1
password username-passwordThe username-password argument is the user whose password you are changing.
Step 2
The password must be an alphanumeric, 6 to 24 character string, with no spaces. The password is case sensitive. The system prompts you to confirm the new password by typing it again.
The following example shows that the administrator changes the password of the user Jose:
user@DETECTOR# password JoseNew Password: <new-password>Retype New Password: <new-password>Deleting a User from the Local User Database
When you delete a user from the local user database, the associated user cannot access the Detector if authentication is performed using the local user database only.
To delete a user from the Detector local user database, use the no username username command.
The following example shows how to delete a user from the local user database:
user@DETECTOR-conf# no username RobbinConfiguring Authorization
You can limit the services available to a user. When you enable authorization, the Detector verifies the user profile, which is located either in the local user database or on a TACACS+ security server. The user is permitted access to the requested service only if the information in the user profile allows it.
You can configure which authorization method the Detector uses when a user tries to execute a command. The Detector offers the following authorization options:
•
Two types of TACACS+ authorization are supported:
–
–
TACACS+ authorization enables you to specify access rights for each command.
Caution
•
Detector local authorization can be performed when communication to the TACACS+ server fails.
You can configure a sequential authorization list that defines the methods for authorizing a user, allows you to designate one or more methods to be used for authorization, and provides a backup if communication to the initial method fails.
The Detector uses the first method listed to authorize users; if that method does not respond, the Detector selects the second authorization method. The authorization fails only if both authorization methods do not succeed.
To configure the Detector to consider an authentication rejection as final and stop further searching with other TACACS+ servers or the local user database, you can configure the TACACS+ server attributes. See the "Configuring the TACACS+ Server Attributes" section for more information.
This section contains the following topics:
•
•
•
Configuring Local Authorization
Access to Detector services depends on the user privilege level. You can limit the services available to a user. The Detector checks the user profile to verify the user access rights. Once authorized, the user is granted access to the requested service only if the information in the user profile allows it. See Table 3-1 for information on user privilege levels.
This section contains the following topics:
•
•
Assigning Privilege Levels with Passwords
You can set passwords that restrict access to user privilege levels. After you specify the privilege level and the password, you can give the password to the users who need to access this level. You cannot move to another user privilege level before you configure a password for that user privilege level.
To set a local password to control access to a privilege level, use the following command in configuration mode:
enable password [level level] [password]
Table 4-5 provides the arguments for the enable password command.
The following example shows how to assign a password to the user privilege level admin:
user@DETECTOR-conf# enable password level admin <password>Moving between User Privilege Levels
Authorized users can move between user privilege levels.
To move between user privilege levels, perform the following steps:
Step 1
enable [level]The level argument specifies the user privilege level. This level can be one of the following:
•
•
•
•
The default level is admin.
Step 2
The following example shows how to switch to the admin privilege level:
user@DETECTOR> enable adminEnter enable admin Password: <password>To return to the lower privilege level (show), use the disable command.
Configuring Authorization Methods
To configure the authorization method, perform the following steps:
Step 1
Step 2
•
•
You can configure a sequential list of authorization methods. Enter the aaa authorization command for each method. To remove an authorization method, use the no form of the command.
Table 4-6 provides the arguments and keywords for the aaa authorization command.
We recommend that you do not configure authorization for show privilege level commands because it may affect performance.
Note
The following example shows how to configure authorization for commands that require config privilege level. The primary authorization method is configured to TACACS+, and the secondary authorization method is configured to the local user database.
user@DETECTOR-conf# aaa authorization commands config tacacs+ local
Caution
TACACS+ Server Sample Configuration
You can specify authorization for each command in the TACACS+ server database.
The following example shows you how to configure authorization on a TACACS+ server for the user Zoe:
user=Zoe {cmd = detect {permit .*}cmd = "no detect" {permit .*}cmd = learning {deny policy*}cmd = "no learning" {deny .*}cmd = dynamic-filter {permit .*}cmd = "no dynamic-filter" {permit .*}}Disabling Tab Completion of Zone Names
To limit access to zone configuration to authorized users only, disable tab completion for the names of the zones. This setting applies to all commands in which you specify the zone name.
When you enter commands in global or configuration mode, such as the zone command, no zone command, show zone command, and deactivate command, the Detector no longer displays or completes the zone name. You must enter the complete zone name to configure a zone, change the zone operation mode, or display zone statistics.
The Detector sends the tab-complete zone-list command to the TACACS+ server when you disable tab completion of zone names. Configure authorization for the tab-complete zone-list command on the TACACS+ server to enable tab completion of zone names to authorized users.
The following example shows how to disable tab completion of zone names for all the zone commands:
user@DETECTOR-conf# aaa authorization commands zone-completion tacacs+To enable tab completion of zone names, use the no form of the command.
Configuring Accounting
Accounting management allows you to track the services that users are accessing and save the accounting information on a TACACS+ server. You can enable accounting of requested services for billing, reporting, or security purposes. By default, the Detector is configured with accounting management disabled.
To configure accounting, perform the following steps:
Step 1
Step 2
aaa accounting commands {show | dynamic | config | admin} stop-only {local | tacacs+}Table 4-7 provides the keywords for the aaa accounting command.
Table 4-7 Keywords for the aaa accounting Command
show | dynamic | config | admin
Defines accounting for the specified privilege level (see Table 3-1 for information on user privilege levels).
stop-only
Records the action when the command execution terminates.
tacacs+
Uses a TACACS+ server database to record accounting information.
local
Does not save accounting information.
To configure accounting for more than one privilege level, enter the aaa accounting command for each privilege level, as required.
We recommend that you enable accounting management only for the config user privilege level because it may affect performance.
Use the no form of the command to remove the accounting management for a privilege level.
The example shows how to configure accounting for commands that require config privilege level on a TACACS+ server.
user@DETECTOR-conf# aaa accounting commands config stop-only tacacs+Configuring the TACACS+ Server Attributes
You must configure the TACACS+ server attributes to enable authentication, authorization, or accounting with a TACACS+ server.
Caution
To configure the TACACS+ server attributes, perform the following steps:
Step 1
See the "Configuring a TACACS+ Server IP Address" section for more information.
Step 2
See the "Configuring the TACACS+ Server Encryption Key" section for more information.
Step 3
See the "Configuring the TACACS+ Search Method" section for more information.
Step 4
See the "Configuring the TACACS+ Server Connection Timeout" section for more information.
Step 5
See the "Displaying TACACS+ Server Statistics" section for more information.
The Detector user privilege levels relate to the TACACS+ privilege numeration as follows:
•
•
•
•
Configuring a TACACS+ Server IP Address
You can configure the Detector to use a sequential list of TACACS+ servers for authentication, authorization, and accounting. The Detector uses the TACACS+ server listed to authenticate or authorize users or send an accounting event; if that server does not respond, the Detector selects the second server. Authentication or authorization fails only if all servers listed do not respond.
Alternatively, you can configure the Detector to use only the first TACACS+ server on the list to authenticate users (see the "Configuring the TACACS+ Search Method" section for more information).
You must define the IP address of each TACACS+ server on the list. You can define a maximum of nine TACACS+ servers.
To add a TACACS+ server to the list and assign its IP address, use the following command in configuration mode:
tacacs-server host ip-address
The ip-address argument specifies the IP address of the TACACS+ server.
The TACACS+ servers are added to the list in the order in which you enter them. You can add a maximum of nine servers to the list.
The following example shows how to add a server to the TACACS+ server list:
user@DETECTOR-conf# tacacs-server host 192.168.33.45Configuring the TACACS+ Server Encryption Key
You must configure the encryption key to access a TACACS+ server. The key must match the key on the TACACS+ servers. The key cannot contain spaces.
To configure the server encryption access key, use the following command in configuration mode:
tacacs-server key tacacs-key
The argument tacacs-key is an alphanumeric string.
Note
The following example shows how to set the TACACS+ server encryption key to MyKey:
user@DETECTOR-conf# tacacs-server key MyKeyConfiguring the TACACS+ Search Method
To configure the Detector to consider an authentication rejection as final and stop further searching with other TACACS+ servers and the local user database, use the tacacs-server first-hit command. The Detector performs user authentication using only the first TACACS+ server on the server list to respond. If the first TACACS+ server does not respond, the Detector selects the next server on the list. The Detector regards the first user authentication approval or rejection received as final and stops attempting to authenticate the user with other TACACS+ servers or with the local user database.
If you do not configure the TACACS+ search method to regard an authentication rejection as final by entering the tacacs-server first-hit command, the Detector, by default, tries all TACACS+ servers in its list to authenticate a user. When you enable the first-hit search method for user authentication by entering the no tacacs-server first-hit command, the Detector uses the first TACACS+ server listed to authenticate the user. If the first server does not respond or fails to authenticate the user, the Detector selects the next server on the list. User authentication fails if all the TACACS+ servers on the list either do not respond or fail to authenticate the user and you have not configured a local authentication method. The TACACS+ search method is applicable for authentication only and does not affect authorization or accounting.
To configure the Detector to use only the first TACACS+ server on the list to authenticate users, use the tacacs-server first-hit command in configuration mode.
To disable the first-hit search method and enable the Detector to try all TACACS+ servers in its list to authenticate a user, use the no tacacs-server first-hit command in configuration mode.
The following example shows how to configure the TACACS+ search method so that the Detector uses only the first TACACS+ server on the list to authenticate users:
user@DETECTOR-conf# tacacs-server first-hitConfiguring the TACACS+ Server Connection Timeout
You can configure the amount of time that the Detector waits for a reply from the TACACS+ server. When the timeout ends, the Detector either attempts to establish a connection with the next TACACS+ server (if a server was configured) or falls back to local AAA (if a fallback was configured). Authentication and authorization fail if no fallback method is configured.
Note
To configure the TACACS+ server connection timeout, use the following command in configuration mode:
tacacs-server timeout timeout
The timeout argument specifies the amount of time (in seconds) that the Detector waits for a TACACS+ server to reply. The default timeout is 0.
The following example shows how to configure the TACACS+ server connection timeout to 600 seconds:
user@DETECTOR-conf# tacacs-server timeout 600
Tip
Displaying TACACS+ Server Statistics
You can display statistical information for the TACACS+ servers. The Detector provides statistical data for each server.
To display TACACS+ related statistics, use the show tacacs statistics command in configuration mode.
To clear the TACACS+ statistics, use the clear tacacs statistics command in configuration mode.
Table 4-8 displays the fields in the show tacacs statistics command output.
Establishing Communication with the Cisco Guard
You can establish a secure communication channel between the Detector and a Cisco Guard (Guard) to enable the following tasks:
•
•
The Detector establishes a connection with the Guard to exchange the keys and certificates that are required to secure the communication channel. The Detector then closes the connection and establishes the communication channel when it needs to activate the Guard, synchronize a zone configuration with the Guard, or poll the Guard.
The Detector supports two types of communication channels:
•
•
The Detector keeps a list (called remote Guard lists) of Guards that it activates to protect a zone and synchronize zone information with these Guards. The Detector establishes a communication channel with each of the Guards configured in the remote Guard lists. Before you establish a communication channel with a Guard, you must add the Guard to a remote Guard list. See the "Activating Remote Guards to Protect a Zone" section on page 9-6 for more information.
The Detector establishes an SSH2 communication channel with each Guard, before establishing an SSL communication channel. If you configure an SSL remote Guard list and an SSH remote Guard list, you do not need to establish the SSH2 communication channel.
This section contains the following topics:
•
•
•
Configuring SSL Communication Channels
The Guard and Detector use a Secure Sockets Layer (SSL) connection for the communication channel. SSL provides secure connections through a combination of authentication and data encryption and relies upon digital certificates, private-public key exchange pairs, and Diffie-Hellman key agreement parameters for this level of security. SSL encrypts the data so that only the intended recipient can decipher the data.
Each Guard and Detector authenticates the device attempting to communicate with it over the communication channel using a digital certificate and other device-specific information, such as the device IP address.
To ensure a secure connection, the Detector generates a private-public key pair and distributes its public key to the Guards listed in the remote Guard lists.
After you enable the communication channel service on the Guard, you establish the communication channel from the Detector. The Detector first establishes an SSH2 communication channel with the user riverhead on the Guard. The Detector then uses the secure SSH2 communication channel to exchange the SSL connection keys. See the "Establishing Communication Channels" section for more information.
This section contains the following topics:
•
•
Enabling SSL Communication Channels
To enable an SSL communication channel, perform the following steps on both the Detector and the Guard:
Caution
Step 1
The arguments ip-address-general and ip-mask define the IP address of the Guards that you want to permit access to the Detector.
Note
Step 2
Step 3
The arguments ip-address-general and ip-mask define the IP address of the Guards that you want to permit access to the Detector.
Note
Note
Regenerating SSL Certificates
The key that identifies the Guard and the Detector in the SSL certificates is associated with the IP addresses.
You must regenerate new SSL certificates for the Guard and the Detector on both ends of a communication channel when you:
•
•
Before you can generate new SSL certificates, you must delete the current certificates on both devices.
To display the current SSL certificates, use the show internode-comm certs command.
To regenerate the current SSL certificates, perform the following procedure:
Step 1
cert remove cert-host-ipThe cert-host-ip argument specifies the IP address of the Guard. Enter an asterisk (*) to delete the SSL certificates of all Guards.
The following example shows how to delete an SSL certificate:
user@DETECTOR-conf# cert remove 10.56.36.4Step 2
cert remove cert-host-ipThe cert-host-ip argument specifies the IP address of the Detector. Enter an asterisk (*) to delete the SSL certificates of all Detectors that have established communication channels with the Guard.
Step 3
From the Detector, use the following command in configuration mode to delete Guard SSH host keys:
no host-keys ip-address-generalThe ip-address-general argument specifies the IP address of the remote device.
The following example shows how to delete host keys:
user@DETECTOR-conf# no host-keys 10.56.36.4Step 4
Configuring SSH Communication Channels
When detecting traffic anomalies, the Detector either logs the event, or activates a Guard to protect the zone using an SSH communication channel. When using an SSH communication channel, the Detector cannot perform the following tasks:
•
•
•
To ensure a secure SSH2 communication channel, the Detector generates a private-public SSH key pair and distributes the public SSH key to the Guards listed in the remote Guard lists.
After you enable the SSH communication channel, you must establish the SSH communication channel from the Detector. See the "Establishing Communication Channels" section for more information.
This section contains the following topics:
•
•
Enabling an SSH2 Communication Channel
To enable an SSH2 communication channel between a Guard and a Detector, permit access to the SSH service on the Guard from the Detector IP address by entering the permit ssh command.
After you enable the SSH communication channel, you must establish the SSH communication channel from the Detector. See the "Establishing Communication Channels" section for more information.
If you replace (swap out) a Guard device, you must regenerate the SSH2 communication channel. See the "Regenerating SSH2 Communication Channel Keys" section.
Regenerating SSH2 Communication Channel Keys
If you replace a Guard device, perform the following steps to regenerate a communication channel:
Step 1
The ip-address-general argument specifies the IP address of the remote device.
To display the host keys listed on the Detector, use the show host-keys command.
Step 2
•
See the "Establishing Communication Channels" section.
•
To display the Detector public SSH key, use the show public-key command on the Detector.
To add the Detector public SSH key to the list of SSH keys that the Guard maintains, use the key add command on the Guard.
Establishing Communication Channels
Establish an SSH or SSL communication channel from the Detector to the Guard so that the Detector can activate the Guard, synchronize a zone configuration with the Guard, and poll the Guard. You must enable the communication channel on both the Detector and the Guard before you establish the communication channel. See the "Enabling SSL Communication Channels" section and the "Enabling an SSH2 Communication Channel" section for more information.
The Detector establishes a connection with the Guard to exchange the keys and certificates that are required to secure the communication channel. The Detector then closes the connection and establishes the communication channel when it needs to activate the Guard, synchronize a zone configuration with the Guard, or poll the Guard.
Caution
To establish a communication channel from the Detector to the Guard, perform the following steps on the Detector:
Step 1
key generateStep 2
/root/.ssh/id_rsa already exists.Overwrite (y/n)?Type the desired option by entering one of the following options:
•
•
Step 3
To publish the public SSH2 key, and generate and exchange the SSL certificate, use one of the following commands in configuration mode:
•
•
Table 4-9 provides the arguments and keywords for the key publish command.
Table 4-9 Arguments and Keywords for the key publish
CommandThe remote Guard IP address.
ssh
Publishes the SSH2 public key to the remote Guard that is defined by the remote-guard-address argument.
ssl
Publishes the SSH2 public key, and generates and exchanges an SSL certificate with the remote Guard that is defined by the remote-guard-address argument.
Publishes the SSH2 key, and generates and exchanges SSL certificates with all of the Guards that are configured in the remote Guard lists.
The Detector establishes an SSH communication channel with each of the Guards in the remote Guard lists. Repeat Step 4 and Step 5 for each remote Guard.
Step 4
The authenticity of host '<remote-hostname> (<remote-host IPaddress>)' can't be established.RSA key fingerprint is <RSA key fingerprint>Are you sure you want to continue connecting (yes/no)?Enter yes.
The following prompt appears:
riverhead@remote-Guard-IP-address's password:Step 5
The following example shows how to generate the private-public SSH2 key pair and establish an SSH2 communication channel between the Detector and a remote Guard that has an IP address of 192.168.100.33:
user@DETECTOR-conf# key generateuser@DETECTOR-conf# key publish 192.168.100.33 ssh/root/.ssh/id_rsa already exists.Overwrite (y/n)? yThe authenticity of host '192.168.100.33 (192.168.100.33)' can't beestablished.RSA key fingerprint isde:cb:ac:36:9a:fe:33:f9:6a:d8:7b:98:a9:51:75:54.Are you sure you want to continue connecting (yes/no)? yesriverhead@192.168.100.33's password: <password>user@DETECTOR-conf#The following example shows how to establish a communication channel with all the Guards that are listed in the remote Guard lists:
user@DETECTOR-conf# key publish *To display the Detector SSH2 public key, use the show public-key command.
To display the host keys listed on the Detector, use the show host-keys command.
Managing SSH Keys
The Detector supports SSH for secure remote login. You can add a list of SSH keys to enable secure communication from a remote device to the Detector without entering a login and password.
The following sections describe how you can manage the Detector SSH key list:
Adding SSH Keys
To enable an SSH connection without entering a login and password, add the remote connection SSH public key to the Detector SSH key list.
Enter the following command in configuration mode:
key add [user-name] {ssh-dsa | ssh-rsa} key-string comment
Table 4-10 provides the arguments and keywords for the key add command.
The following example shows how to add an SSH RSA key:
user@DETECTOR-conf# key add ssh-rsa 14513797528175730. . .user@Detector.comDeleting SSH Keys
You can remove an SSH key from the list. If you remove the SSH key, you must authenticate the next time that you establish an SSH session with the Detector.
To remove an SSH key from the Detector, use the following command in configuration mode:
key remove [user-name] key-string
Table 4-11 provides the arguments for the key remove command.
The following example shows how to view a user key so that it can be cut and pasted into the key remove command:
user@DETECTOR-conf# show keys Lilacssh-rsa 2352345234523456... user@Detector.comuser@DETECTOR-conf# key remove Lilac 2352345234523456...Configuring the Keys for SFTP and SCP Connections
Secure FTP (SFTP), which is layered on top of SSH2, and Secure Copy (SCP), which relies on SSH, provide a secure and authenticated method for copying files. SFTP and SCP use public key authentication and strong data encryption, which prevents login, data, and session information from being intercepted or modified in transit.
To configure the keys for SFTP and SCP connections, perform the following actions:
Step 1
If the key exists, skip Step 2 and proceed to Step 3.
If no key exists, proceed to Step 2.
Step 2
Caution
If an SSH2 key pair already exists, the following message appears:
/root/.ssh/id_rsa already exists.Overwrite (y/n)?Type y to regenerate the key.
The Detector creates the public-private key pair. To display the Detector public key, use the show public-key command in configuration mode.
Step 3
For example, if you are connecting to an network server that is installed on a Linux operating system with the username user account, add the Detector public key to the /home/username/.ssh/authorized_keys2 file.
Make sure that the key is copied as a single line. If the key is copied as two lines, delete the new line character at the end of the first line.
Note
Changing the Hostname
You can change the hostname of the Detector. The change takes effect immediately, and the new hostname is automatically integrated into the CLI prompt string.
To change the Detector hostname, use the following command in configuration mode:
hostname name
The name argument specifies the new hostname.
The following example shows how to change the hostname of the Detector:
user@DETECTOR-conf# hostname CiscoDetectoradmin@CiscoDetector-conf#Enabling SNMP Traps
You can enable the Detector to send SNMP traps and notify you of significant events that occur on the Detector. In addition, you can configure the Detector SNMP trap generator parameters and define the scope of the SNMP trap information that the Detector reports.
A trap is logged in the Detector event log and displayed in the event monitor when a trap condition occurs, regardless of whether the SNMP agent sends the trap.
To configure the Detector to send SNMP traps, perform the following steps:
Step 1
service snmp-trapStep 2
snmp trap-dest ip-address [community-string [min-severity]]Table 4-12 provides the arguments for the snmp trap-dest command.
To delete SNMP trap generator parameters, use the no snmp trap-dest command. Enter an asterisk (*) to remove all SNMP trap destination parameters.
The following example shows that traps with a severity level equal to or higher than errors are sent to the destination IP address 192.168.100.52 with the SNMP community string of tempo:
user@DETECTOR-conf# snmp trap-dest 192.168.100.52 tempo errorsTable 4-13 lists the SNMP traps that the Detector generates.
Table 4-13 SNMP Traps
rhExcessiveUtilizationTrap
EMERGENCY
The Detector cannot add new dynamic filters because more than 150,000 dynamic filters are active concurrently in all the Detector zones.
rhExcessiveUtilizationTrap
EMERGENCY
The anomaly detection engine memory limit was reached (higher than 90 percent).
rhGeneralTrap
ALERT
The disk space is 80 percent.
rhExcessiveUtilizationTrap
CRITICAL
The Gigabit interface link utilization in bps1 is above 85 percent.
rhExcessiveUtilizationTrap
CRITICAL
The memory utilization is above 85 percent.
rhExcessiveUtilizationTrap
CRITICAL
The accelerator card CPU utilization is above 85 percent.
rhDynamicFilterTrap
ERROR
The number of pending dynamic filters is 1000, and new pending dynamic filters will be discarded.
rhProtectionTrap
ERROR
The Detector failed to activate a remote Guard to protect the zone by using an SSL communication channel.
rhZoneGenericTrap
ERROR
The Detector failed to synchronize the zone configuration.
rhGeneralTrap
ERROR
The Detector failed to activate zone anomaly detection as follows:
•
•
The Detector deactivates zone anomaly detection and the learning process.
rhDynamicFilterTrap
WARNING
The Detector failed to add dynamic filters.
This error may occur in one of the following situations:
•
•
rhExcessiveUtilizationTrap
WARNING
The Detector has more than 135,000 dynamic filters that are active concurrently in all the zones. When the number of active dynamic filters reaches 150,00, the Detector cannot add new dynamic filters.
rhGeneralTrap
WARNING
The disk space is 75 percent.
rhPolicyConstructionTrap
WARNING
The policy construction phase of the learning process has failed.
rhDetectionTrap
WARNING
The Detector failed to start zone anomaly detection.
rhReloadTrap
WARNING
The Detector has restarted. The trap contains a MIB2 warm-start or cold-start trap and information on what caused the Detector to restart.
rhReloadTrap
WARNING
The Detector has shutdown. The trap contains a a MIB2 warm-start or cold-start trap and information on what caused the Detector to shutdown.
rhThresholdTuningTrap
WARNING
The threshold tuning phase of the learning process has failed.
rhAttackTrap
NOTIFICATIONS
An attack has started.
rhAttackTrap
NOTIFICATIONS
An attack has ended.
rhPolicyConstructionTrap
NOTIFICATIONS
The policy construction phase of the learning process has been started.
rhPolicyConstructionTrap
NOTIFICATIONS
The policy construction phase of the learning process has been accepted.
rhPolicyConstructionTrap
NOTIFICATIONS
The policy construction phase of the learning process has been stopped.
rhDetectionTrap
NOTIFICATIONS
The zone anomaly detection has started.
rhDetectionTrap
NOTIFICATIONS
The zone anomaly detection has ended.
rhProtectionTrap
NOTIFICATIONS
The Detector has failed to activated a remote Guard to protect the zone by using an SSL communication channel.
rhThresholdTuningTrap
NOTIFICATIONS
The threshold tuning phase of the learning process has been started.
rhThresholdTuningTrap
NOTIFICATIONS
The threshold tuning phase of the learning process has been accepted.
rhThresholdTuningTrap
NOTIFICATIONS
The threshold tuning phase of the learning process has been stopped.
rhZoneGenericTrap
NOTIFICATIONS
The Detector has started to synchronize the zone configuration.
rhZoneTrap
NOTIFICATIONS
A new zone has been created.
rhZoneTrap
NOTIFICATIONS
A zone has been deleted.
rhDynamicFilterControlTrap
INFO
The number of attack-detection events that the Detector did not send for a specific policy.
rhDynamicFilterControlTrap
INFO
The Detector has more than 1000 active dynamic filters, and will not send traps for dynamic filters that it deletes.
rhDynamicFilterTrap
INFO
A dynamic filter has been added.
rhDynamicFilterTrap
INFO
A dynamic filter has been deleted.
rhDynamicFilterTrap
INFO
A pending dynamic filter has been added.
1 bps = bits per second
Configuring SNMP Community Strings
You can access the Detector SNMP server and retrieve information as defined by the Management Information Base 2 (MIB2) and the Cisco Riverhead proprietary MIB. The community string acts like a password and permits read access from the Detector SNMP agent. You can configure the Detector SNMP community string and enable access to the SNMP agent from clients in different organizational units and with different community strings.
To add an SNMP community string, use the following command in configuration mode:
snmp community community-string
The community-string argument specifies the desired Detector community string. Enter an alphanumeric string from 1 to 15 characters. The string cannot contain spaces. The Detector default community string is riverhead. You can specify as many community names as you want. To delete a community string, use the no community string command. Enter an asterisk (*) to remove all SNMP community strings.
The following example shows how to configure the SNMP community string:
user@DETECTOR-conf# snmp community tempoConfiguring the Login Banner
The login banner is the text that appears on screen before user authentication when you open an SSH session, a console port connection, or a WBM session to the Detector.
You can configure a login banner to warn users against unauthorized access, to describe what is considered the proper use of the system, and to warn users that the system is being monitored to detect improper use and other illicit activity.
The Detector displays the login banner in the following locations:
•
•
This section contains the following topics:
•
Configuring the Login Banner from the CLI
You can create a single or multiple message banner by using the login-banner command. If you enter more than one login banner, the new login banner is appended to the existing login banner as a new line.
To configure the login banner, use the following command in configuration mode:
login-banner banner-str
The banner-str argument specifies the banner text. The maximum string length is 999 characters. If you use spaces in the expression, enclose the expression in quotation marks (" ").
To display the login banner, use the show login-banner command.
The following example shows how to configure and display the login banner:
user@DETECTOR-conf# login-banner "Welcome to the Cisco Traffic Anomaly Detector"user@DETECTOR-conf# login-banner "Unauthorized access is prohibited."user@DETECTOR-conf# login-banner "Contact sysadmin@corp.com for access."user@DETECTOR-conf# show login bannerWelcome to the Cisco Traffic Anomaly DetectorUnauthorized access is prohibited.Contact sysadmin@corp.com for access.Importing the Login Banner
You can import a text file from a network server to replace the existing login banner by entering one of the following commands in global mode or in configuration mode:
•
•
The maximum length of each line in the file that you import is 999 characters.
Because Secure FTP (SFTP) and Secure Copy (SCP) rely on SSH for secure communication, if you do not configure the key that the Detector uses before you enter the copy command with the sftp or scp option, the Detector prompts you for the password. See the "Configuring the Keys for SFTP and SCP Connections" section for more information on how to configure the key that the Detector uses for secure communication.
Table 4-14 provides the arguments and keywords for the copy login-banner command.
The following example shows how to import the login banner from an FTP server:
user@DETECTOR-conf# copy ftp login-banner 10.0.0.191 /root/login-banner <user> <password>Deleting the Login Banner
If you no longer want to display a message before user authentication, delete the login banner.
To delete the login banner, use the no login-banner command in configuration mode.
The following example shows how to delete the login banner:
user@DETECTOR-conf# no login-bannerConfiguring the WBM Logo
To customize your end-user interface, you can add a company logo (or any customized logo) to the WBM web pages.
The new logo appears in the following places:
•
•
The new logo must be in GIF format. We recommend that the size of the new logo is as follows: width = 87 and height = 41 pixels.
This section contains the following topics:
Importing the WBM Logo
To import a new logo from a network server, use the following command in global mode or in configuration mode:
•
•
Because Secure FTP (SFTP) and Secure Copy (SCP) rely on SSH for secure communication, if you do not configure the key that the Detector uses before you enter the copy command with the sftp or scp option, the Detector prompts you for a password. See the "Configuring the Keys for SFTP and SCP Connections" section for more information on how to configure the key that the Detector uses for secure communication.
Table 4-15 provides the arguments and keywords for the copy wbm-logo command.
The following example shows how to import the WBM logo file from an FTP server:
user@DETECTOR-conf# copy ftp wbm-logo 10.0.0.191 /root/WBMlogo.gif <user> <password>Deleting the WBM Logo
To delete the WBM logo, use the no wbm-logo command in configuration mode.
The following example shows how to delete the login banner:
user@DETECTOR-conf# no wbm-logoConfiguring the Session Timeout
The session timeout is the amount of time that a session remains active when there is no activity. If there is no activity for the configured time, a timeout occurs, and then you must log in again. The session timeout is disabled by default.
The session timeout applies to the CLI only and does not apply to the WBM.
You can configure the number of minutes until the Detector disconnects an idle session automatically by entering the following command in configuration mode:
session-timeout timeout-val
The timeout-val argument specifies the number of minutes until the Detector disconnects an idle session automatically. Valid values are from 1 to 1440 minutes (one day).
The following example shows how to configure the Detector to disconnect an idle session after 10 minutes:
user@DETECTOR-conf# session-timeout 10To prevent the Detector from disconnecting idle sessions automatically, use the no session-timeout command.
To display the value of the session timeout, use the show session-timeout command.
