Detecting Zone Traffic Anomalies
This chapter describes how to configure the Cisco Traffic Anomaly Detector Module (Detector module) to detect traffic anomalies and to activate Cisco Anomaly Guard Modules to protect the zone.
This chapter contains the following sections:
• Overview
• Configuring How the Detector Module Performs Zone Anomaly Detection
• Configuring Guard-Protection Activation Methods
• Activating Zone Anomaly Detection
• Deactivating Zone Anomaly Detection
• Activating Remote Guards to Protect a Zone
Overview
When you activate zone anomaly detection, the Detector module monitors the copy of the zone traffic it receives. When a traffic anomaly triggers a policy action by exceeding the policy threshold (indicating an attack), the Detector either activates a Guard module to protect the zone, if a Guard module is defined, or sends you a notification.
Before you activate zone anomaly detection, allow the Detector module to study the zone traffic patterns using the learning process, which allows the Detector module to learn the traffic patterns of the zone and to create sets of recommended thresholds according to statistical analysis of the zone traffic.
If the zone is not under attack, we recommend that you allow the Detector module to construct the zone policies by entering the learning policy-construction command, and then enable the detect and learn function. The Detector module learns the zone traffic and at the same time monitors the last accepted policy thresholds for traffic anomalies. If the Detector module detects an attack on the zone, it stops the threshold tuning phase but continues to detect anomalies in the zone traffic to prevent the Detector module from learning thresholds of malicious traffic. See the "Tuning Zone Policy Thresholds and Enabling Zone Anomaly Detection Simultaneously" section on page 8-17.
You can synchronize the zone configuration on the Detector module with the zone configuration on a Guard module before activating the Guard module to protect the zone. See the "Synchronizing a Detector with Cisco Guard Zone Configuration" section on page 5-13 and the "Activating Remote Guards to Protect a Zone" section for more information.
Before you activate zone anomaly detection, you must configure the switch to capture the traffic sent to the zone and pass a copy of it to the Detector module. See the "Configuring Traffic Sources for Capturing Traffic" section for more information.
Tip
Check that the Detector module is receiving a copy of the zone traffic. Wait at least 10 seconds after initiating the policy construction phase and enter the show rates command. Verify that the value of the Received traffic rate is greater than zero. A value of zero indicates that the Detector module is not receiving a copy of the zone traffic. Check the configuration of traffic sources for capturing traffic. See the "Configuring Traffic Sources for Capturing Traffic" section for more information.
You can define the following anomaly detection characteristics:
• Operation mode—Define how the Detector module performs zone anomaly detection (defines whether the Detector module detects anomalies in the zone traffic automatically, or in an interactive manner).
• Guard-Protection activation methods—Define the method that the Detector module uses to activate a remote Guard to protect the zone. The Detector module can activate the remote Guard to protect a partial zone that is a part of the entire zone (for example, a specific server that is part of a protected network environment), or activate the remote Guard to protect the entire zone.
Configuring How the Detector Module Performs Zone Anomaly Detection
The operation mode defines how the Detector module activates dynamic filters when you enable zone anomaly detection.
You can activate zone anomaly detection in two operation modes:
• Automatic detect mode—Dynamic filters are activated without user intervention. This is the default operation mode.
• Interactive detect mode—Dynamic filters are activated manually in an interactive mode. The dynamic filters are grouped as recommendations, which you can review and decide which of them to accept, ignore, or direct to automatic activation.
See Chapter 10, "Using Interactive Detect Mode," for more information.
Configuring Guard-Protection Activation Methods
Guard-protection activation methods define how a Cisco Anomaly Guard Module (Guard module) that is defined as a remote Guard activates zone protection and are designed to better focus on the zone protection requirements and save Guard module resources. The activation methods range from activating zone protection for a partial zone that is a part of the entire zone (for example, a specific server that is part of a protected network environment) to activating zone protection for the entire zone.
The Detector module supports the following Guard-protection activation methods:
• entire-zone—Activates a Guard module to protect the entire zone when it detects an anomaly in the zone traffic. This method saves Guard module resources because it reduces the number of active zones that the Guard module protects. We recommend this strategy when the zone consists of related subzones.
• dst-ip-by-name—Activates a Guard module to protect a particular IP address when it detects an anomaly in the zone traffic that is destined to that IP address. You can activate a Guard module to protect the attacked IP address, but avoid diverting the traffic of the entire zone to the Guard module. If the Detector module cannot associate the traffic anomaly with a particular IP address, it does not activate a Guard module to protect the zone. We recommend this strategy when the zone consists of unrelated subzones.
• dst-ip-by-ip—Activates a Guard module to protect a particular IP address when it detects an anomaly in the zone traffic that is destined to that IP address. The IP address must be in the address range of one of the zones that is defined on the Guard module. However, the zone name on the Detector module does not have to be identical to the zone name on the Guard module. The dst-ip-by-ip Guard-protection activation method is equivalent to using the protect ip-address command on the Guard module. We recommend this strategy when the zone names on the Detector module are not identical to the zone names on the Guard module, or when the zone consists of unrelated subzones.
Note
To ensure that the Guard module activates zone protection for the attacked IP address only and avoids diverting the traffic of the entire zone to itself, make sure that the zone is defined on the Guard module with an activation-extent of ip-address-only.
• policy-type—Activates the Guard module to protect the entire zone, or to protect a particular IP address within the zone address range, according to the policy that caused the Detector module to activate the Guard module. The Detector module activates the Guard module to protect a particular IP address if it detects an anomaly in the zone traffic that is destined to that IP address (for example, if the policy that caused the remote activation has traffic characteristics of dst_ip). If the Detector module cannot associate the traffic anomaly with a particular IP address, it activates the Guard module to protect the entire zone (for example, if the policy that caused the remote activation has traffic characteristics of global).
We recommend this strategy when the zone consists of related subzones so that you can avoid a situation in which a targeted zone may cause damage to the entire zone.
To activate the Guard-protection activation methods, use the following command in zone configuration mode:
protect-ip-state {entire-zone | dst-ip-by-name | dst-ip-by-ip | policy-type}
The following example shows how to configure the Guard-protection activation method:
user@DETECTOR-conf-zone-scannet# protect-ip-state entire-zone
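The following Python model, added here as an illustration and not part of the Cisco documentation or product code, walks through the decision each protect-ip-state method makes when a policy fires. The Guard-side zone table, its address ranges, and the behaviour of dst-ip-by-ip when no destination IP can be associated are constructed assumptions.

```python
import ipaddress

# Constructed example of the zones defined on the remote Guard module:
# zone name -> address range (hypothetical values, not from the documentation).
GUARD_ZONES = {
    "scannet": ipaddress.ip_network("192.168.100.0/24"),
    "webfarm": ipaddress.ip_network("10.1.20.0/24"),
}


def resolve_activation(method, detector_zone, anomaly_dst_ip, policy_traffic):
    """Return what the Detector asks the remote Guard to protect.

    method          -- protect-ip-state keyword configured on the Detector zone
    detector_zone   -- zone name as configured on the Detector module
    anomaly_dst_ip  -- destination IP the anomaly was associated with, or None
                       when the Detector cannot tie the anomaly to one address
    policy_traffic  -- traffic characteristic of the triggering policy
                       ("dst_ip" or "global")
    Result: ("entire-zone", zone_name), ("ip-address", ip), or None when the
    Detector does not activate the Guard at all.
    """
    if method == "entire-zone":
        # Always divert the whole zone; fewest active zones on the Guard.
        return ("entire-zone", detector_zone)

    if method == "dst-ip-by-name":
        # Needs a specific destination and a same-named zone on the Guard.
        if anomaly_dst_ip is None or detector_zone not in GUARD_ZONES:
            return None
        return ("ip-address", anomaly_dst_ip)

    if method == "dst-ip-by-ip":
        # Equivalent to "protect ip-address" on the Guard: the address must fall
        # inside some Guard zone range, but zone names need not match.
        if anomaly_dst_ip is None:
            return None  # assumption: no address means no activation
        addr = ipaddress.ip_address(anomaly_dst_ip)
        if not any(addr in net for net in GUARD_ZONES.values()):
            return None
        return ("ip-address", anomaly_dst_ip)

    if method == "policy-type":
        # dst_ip policies protect one address; global policies the whole zone.
        if policy_traffic == "dst_ip" and anomaly_dst_ip is not None:
            return ("ip-address", anomaly_dst_ip)
        return ("entire-zone", detector_zone)

    raise ValueError(f"unknown protect-ip-state method: {method}")


if __name__ == "__main__":
    for m in ("entire-zone", "dst-ip-by-name", "dst-ip-by-ip", "policy-type"):
        print(m, resolve_activation(m, "scannet", "192.168.100.33", "dst_ip"))
```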
Activating Zone Anomaly Detection
To activate zone anomaly detection, use the following command in zone configuration mode:
detect [learning]
The learning keyword sets the Detector module to detect anomalies in the zone traffic and at the same time tune the zone policy thresholds. See the "Tuning Zone Policy Thresholds and Enabling Zone Anomaly Detection Simultaneously" section on page 8-17 for more information.
The following example shows how to activate anomaly detection for the zone scannet:
user@DETECTOR-conf-zone-scannet# detect
Deactivating Zone Anomaly Detection
To deactivate zone anomaly detection, use one of the following commands in zone configuration mode:
• no detect—Ends zone anomaly detection. If the Detector module is detecting anomalies and learning the zone traffic, it continues to learn the zone policy thresholds.
• deactivate—Ends both zone anomaly detection and the threshold tuning phase of the learning process.
Activating Remote Guards to Protect a Zone
When the Detector module detects a zone traffic anomaly, it creates new filters, called dynamic filters, that activate Cisco Anomaly Guard Modules to protect the zone, or it logs the event if no remote Guard is defined.
You can activate a remote Guard in one of the following ways:
• Using a remote Guard list—Use SSL to enable remote activation and zone synchronization, or use SSH to enable remote activation only.
• Activating offline—Configure the Detector module to issue a notification when an attack on the zone occurs.
• Activating manually—Create a dynamic filter to activate remote Guards.
The Detector module is placed logically downstream from the Cisco Anomaly Guard Module. When no attack is in progress, the Detector module sees all inbound traffic destined for the protected zone. During an attack when the Cisco Anomaly Guard Module diverts traffic from the targeted zone for mitigation, the Detector module sees the legitimate traffic that the Guard forwards to the zone.
This section contains the following topics:
• Activating Remote Guards Using Remote Guard Lists
• Activating Remote Guards Offline
• Activating Remote Guards Manually
Activating Remote Guards Using Remote Guard Lists
The Detector module maintains lists of Guard modules, called remote Guard lists, that it activates to protect a zone. You can configure a Guard module in more than one remote Guard list. The Detector module maintains two types of remote Guard lists:
• Zone-specific remote Guard lists—The Detector module activates the Guard modules to protect the zone and may synchronize the zone configuration with the Guard module.
• Default remote Guard list—The Detector searches the default list only if the zone remote Guard list is empty or does not contain both communication methods.
Note
If you add a Cisco Anomaly Guard Module to the remote Guard lists, you must establish a communication channel with that remote Guard. See the "Establishing Communication with the Cisco Guard" section for more information.
Each remote Guard list supports two communication methods:
• SSL—The Detector module communicates with Guard modules using SSL. The Detector can activate the remote Guard to protect the zone and to synchronize zone configuration with the remote Guard.
The Detector module can synchronize the zone configuration with the Guard modules on the remote Guard lists before activating the Guard module to protect the zone. See the "Synchronizing a Detector with Cisco Guard Zone Configuration" section on page 5-13 for more information.
• SSH—The Detector module communicates with Guard modules using SSH. The Detector can activate the remote Guard to protect the zone but cannot synchronize zone configuration with the remote Guard.
The Detector module activates a Guard module in the default remote Guard list only if no Guard module with the same communication method is defined in the zone remote Guard list.
Caution
If you change the remote Guard lists, you must regenerate the SSL certificates that the Detector module uses for the communication channel with the remote Guards or the communication fails. See the "Regenerating SSL Certificates" section for more information.
Verify that the Detector module has at least one Cisco Anomaly Guard Module defined in one of the remote Guard lists (the default remote Guard list or the zone remote Guard list). If no remote Guard is defined in any of the remote Guard lists, the Detector module only records the event in its log file.
This section contains the following topics:
• Activating a Remote Guard and Synchronizing Zone Configuration
• Configuring the Default Remote Guard List
• Configuring the Zone Remote Guard Lists
Activating a Remote Guard and Synchronizing Zone Configuration
To activate a remote Guard and synchronize zone configuration, perform the following steps:
Step 1
Create and configure a new zone using one of the Guard zone templates.
See the "Creating a New Zone" section on page 5-6.
Step 2
Add the remote Guard IP address to either of the following lists:
• Zone remote Guard list—A list of remote Guards that the Detector module activates to protect the zone. See the "Configuring the Zone Remote Guard Lists" section for more information.
• Detector default remote Guard list—The default list of remote Guards. The Detector module activates these remote Guards if the zone remote Guard list is empty. See the "Configuring the Default Remote Guard List" section for more information.
Step 3
Configure the communication channel with the remote Guard.
See the "Establishing Communication with the Cisco Guard" section for more information.
Step 4
Configure the zone Guard-protection activation method (protect-ip-state) to determine how the Detector module activates a remote Guard.
See the "Configuring Guard-Protection Activation Methods" section for more information.
Step 5
Create a new zone on the remote Guard using one of the following methods:
• Synchronize the zone configuration from the Detector module to the Guard module using SSL. See the "Synchronizing a Detector with Cisco Guard Zone Configuration" section on page 5-13 for more information.
• Create a new zone on the remote Guard. The zone name on the Guard module must be identical to the zone name on the Detector module unless you configure the Detector module to activate protection on the Guard module based on the attacked IP address only by using the protect-ip-state dst-ip-by-ip command. See the "Configuring Guard-Protection Activation Methods" section for more information on the protect-ip-state command.
Step 6
Configure the timer that the remote Guard uses to terminate zone protection by using the protection-end-timer command in the remote Guard. If the value of the protection-end-timer is forever, the remote Guard does not terminate zone protection when the attack ends.
Configuring the Default Remote Guard List
The Detector module activates a remote Guard in the default remote Guard list if both the following conditions apply:
• The zone-specific remote Guard list is empty or does not contain Guard modules with both the SSL and SSH communication methods.
• The remote Guard in the default list is configured with the communication method that is not defined in the zone-specific remote Guard list.
The Detector module activates all remote Guards with the same communication method.
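The list-selection rule described above and in the section introduction, modelled in Python as an added example (not Cisco code): every Guard in the zone list is activated, and the default list is consulted only for a communication method the zone list lacks. The Guard addresses other than 192.168.100.33 and the SSH entry in the default list are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RemoteGuard:
    """One entry created by 'remote-guard {ssh | ssl} <address>'."""
    method: str       # "ssh" or "ssl"
    address: str
    sync_capable: bool = False   # only SSL entries can synchronize zone config


def guard(method, address):
    if method not in ("ssh", "ssl"):
        raise ValueError(f"unsupported communication method: {method}")
    return RemoteGuard(method, address, sync_capable=(method == "ssl"))


def select_remote_guards(zone_list, default_list):
    """Return the remote Guards the Detector activates for one zone.

    All zone-list entries are activated. For each communication method that
    the zone list does not cover, every default-list entry with that method is
    activated as well; defaults with a method already present are skipped.
    """
    zone_methods = {g.method for g in zone_list}
    selected = list(zone_list)
    for method in ("ssl", "ssh"):
        if method not in zone_methods:
            selected.extend(g for g in default_list if g.method == method)
    return selected


def activation_plan(zone_list, default_list):
    """Summarize the outcome: remote activation, or log-only if no Guard."""
    guards = select_remote_guards(zone_list, default_list)
    if not guards:
        return {"action": "log-only", "guards": [], "sync": False}
    return {
        "action": "remote-activate",
        "guards": [g.address for g in guards],
        # Zone synchronization is possible only over an SSL channel.
        "sync": any(g.sync_capable for g in guards),
    }


# Constructed sample configuration: the default list carries one SSL and one
# SSH Guard; the zone 'scannet' lists only the SSL Guard.
DEFAULT_LIST = [guard("ssl", "192.168.100.33"), guard("ssh", "192.168.100.34")]
SCANNET_LIST = [guard("ssl", "192.168.100.33")]

if __name__ == "__main__":
    print(activation_plan(SCANNET_LIST, DEFAULT_LIST))
```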
To add a Guard to the default remote Guard list, use the following command in configuration mode:
remote-guard [ssh | ssl] remote-guard-address [description]
Table 9-1 provides the arguments and keywords for the remote-guard command.
Table 9-1 Arguments and Keywords for the remote-guard Command
| Parameter | Description |
|---|---|
| ssh | Sets the communication method with the remote Guard to SSH. |
| ssl | Sets the communication method with the remote Guard to SSL. |
| remote-guard-address | The remote Guard IP address. |
| description | (Optional) The remote Guard description. The description can have a maximum of 63 characters. |
The following example shows how to add a remote Guard to the default remote Guard list using an SSL communication method:
user@DETECTOR-conf# remote-guard ssl 192.168.100.33
To display the default lists of remote Guards, use the show remote-guards command in global or configuration mode.
Configuring the Zone Remote Guard Lists
The Detector module activates all the remote Guards that are listed in the zone remote Guard lists.
To add a Guard to a zone remote Guard list, use the following command in zone configuration mode:
remote-guard [ssh | ssl] remote-guard-address [description]
Table 9-2 provides the arguments for the remote-guard command.
Table 9-2 Arguments for the remote-guard Command
| Parameter | Description |
|---|---|
| ssh | Sets the communication method with the remote Guard to SSH. |
| ssl | Sets the communication method with the remote Guard to SSL. |
| remote-guard-address | The IP address of the remote Guard. |
| description | (Optional) A description of the remote Guard. The description can have a maximum of 63 characters. |
The following example shows how to add a Guard to the zone remote Guard list using an SSL communication method:
user@DETECTOR-conf-zone-scannet# remote-guard ssl 192.168.100.33
To display the zone remote Guard lists, use the show remote-guards command in zone configuration mode.
Activating Remote Guards Offline
When the Detector module detects an anomaly in the zone traffic, it logs the event and may generate an SNMP trap. You can then manually activate a Cisco Anomaly Guard Module to protect the zone. See the "Enabling SNMP Traps" section for more information.
To activate a Cisco Anomaly Guard Module offline, perform the following steps:
Step 1
Configure the zone on both the Detector module and the Cisco Anomaly Guard Module or synchronize the zone configuration offline.
See the "Configuring Zones for Synchronization" section on page 5-15 for more information.
Step 2
(Optional) Configure the timer that the remote Guard uses to terminate zone protection by using the protection-end-timer command in the remote Guard. If you configure the value of the protection-end-timer to forever, the remote Guard does not terminate zone protection when the attack ends.
Step 3
Activate the zone on the Cisco Anomaly Guard Module by using the protect command.
Activating Remote Guards Manually
You can activate a remote Guard manually to protect the zone even before the Detector module detects an anomaly in the zone traffic.
To activate a remote Guard manually, perform the following steps:
Step 1
Add the remote Guard to the zone remote Guard list or to the default remote Guard list.
See the "Activating Remote Guards Using Remote Guard Lists" section for more information.
Step 2
Create a dynamic filter by entering the dynamic-filter remote-activate command.
See the "Adding Dynamic Filters" section for more information.