Managing Zone Policies
This chapter describes how to modify the policies and manually tune the protection capabilities of the zone configuration on the Cisco Traffic Anomaly Detector Module (Detector module).
This chapter refers to the Cisco Guard (Guard), the companion product of the Detector module. The Guard is a Distributed Denial of Service (DDoS) attack detection and mitigation device that cleans the zone traffic as the traffic flows through it, dropping the attack traffic and injecting the legitimate traffic back into the network. When the Detector module determines that the zone is under attack, it can activate the Guard attack mitigation services. The Detector module can also synchronize zone configurations with the Guard. For more information about the Guard, see the Cisco Anomaly Guard Module Configuration Guide or the Cisco Guard Configuration Guide.
This chapter contains the following sections:
• Viewing Zone Policies
• Modifying Policy Parameters
• Configuring IP Addresses and Thresholds
• Adding or Deleting a Service
• Backing Up the Zone Policies
Viewing Zone Policies
To view the policies of a zone configuration, perform the following steps:
Step 1: From the navigation pane, choose a zone. The zone main menu appears.
Step 2: From the zone main menu, choose Configuration > Policies > View. The Policies screen appears.
Step 3: (Optional) Set a screen filter to display only the policies that you want to view or configure as follows:
a. Click Set screen filter. The Policy Filter window opens.
b. Configure the screen filters to use, and then click OK. Table 8-1 describes the screen filter parameters listed in the Policy Filter window. Choose the desired display parameters from the corresponding drop-down lists.
To change multiple filter parameters, begin from the top and work your way down the parameters of the Policy Filter window. You must start from the top because when you change one of the filtering parameters, all the parameters listed below it are automatically reset to their default setting.
Table 8-1 Policy Filter Parameters (each parameter restricts the display to the policies described)

Policy template: Policies that were created from the selected policy template.

Service: Policies that were created for the selected service.

Protection level: Policies of the selected protection level.

Type: Policies of the selected packet type.

Policy: Policies of the selected key.

State: Policies of the selected operating state.

Action: Policies configured with the selected action.

Policies: Policies of the current configuration or of a snapshot (if available).

A partial list of the policies, meeting the criteria that you specified, is displayed. Details of the selected path, state, and action are displayed in the Screen Filter frame.
Table 8-2 describes the fields in the Policy Table.
Table 8-2 Field Descriptions for Policy Table

Policy Template: Policy template that the Detector module used to construct the policy. Each policy template relates to specific traffic characteristics that the Detector module requires to detect a specific DDoS threat.

Service: Service in the traffic flow that the policy monitors. A service is either a port number or a protocol number. See the "Adding or Deleting a Service" section for more information. The Detector module displays a service value of any for all traffic that does not specifically match other services created from the same policy template.

Level: Level of anomaly detection that the policy applies to the traffic flow, which for the Detector module is always Analysis.

Type: Packet types that the Detector module monitors. Packet type values are as follows:
• auth_pkts—Packets for which either a TCP handshake or UDP authentication was performed.
• auth_tcp_pkts—Packets for which a TCP handshake was performed.
• auth_udp_pkts—Packets for which UDP authentication was performed.
• in_nodata_conns—Zone incoming connections that have no data transfer on the connection (packets without a data payload).
• in_conns—Zone incoming connections.
• in_pkts—Zone incoming DNS query packets.
• in_unauth_pkts—Zone incoming unauthenticated DNS queries.
• non_estb_conns—Nonestablished connections. Zone incoming failed connections. TCP connection requests (SYN packets) for which no reply was received.
• num_sources—Packets that have TCP source IP addresses that are destined to the zone and that have been authenticated by the Detector module anti-spoofing functions.
• out_pkts—Zone incoming DNS reply packets.
• reqs—Request packets with a data payload.
• syns—Synchronization packets (TCP SYN flagged packets).
• syn_by_fin—SYN and FIN flagged packets. The Detector module verifies the ratio between the number of SYN flagged packets and the number of FIN flagged packets.
• unauth_pkts—Packets that did not undergo a TCP handshake.
• pkts—All packet types that do not fall under any other category in the same protection level.

Key: Traffic characteristic that was used to aggregate the policies. Click the key name to view the details. Key name values are as follows:
• dst_ip—Traffic destined to a zone IP address.
• dst_ip_ratio—Ratio of SYN and FIN flagged packets destined to a specific IP address.
• dst_port_ratio—Ratio of SYN and FIN flagged packets destined to a specific port.
• global—Summation of all traffic flow as defined by the other policy sections.
• src_ip—Traffic destined to the zone aggregated according to the source IP address.
• dst_port—Traffic destined to a specific zone port.
• protocol—Traffic destined to the zone aggregated based on the protocol.
• src_ip_many_dst_ips—Traffic from a single IP address that probes a large number of zone IP addresses on the same port. This key is used for IP scanning.
• src_ip_many_ports—Traffic from a single IP address that probes a large number of ports on a zone destination IP address. This key is used for port scanning.
• scanners—Histogram of the number of source IP addresses that scan zone destination IP addresses on a specific destination port.

State: Operating state of the policy. The policy operates in one of the following states:
• Active—The Detector module applies the policy to the traffic flow. The policy executes an action when the traffic flow exceeds the policy threshold.
• Inactive—The Detector module applies the policy to the traffic flow. The policy does not execute an action when the traffic flow exceeds the policy threshold.
• Disabled—The Detector module does not apply the policy to the traffic flow.

Action: Action assigned to the policy. The policy executes the action when the traffic flow exceeds the policy threshold. See the "Modifying Policy Parameters" section for more information.

Threshold: Policy threshold traffic rate. When the traffic flow exceeds the policy threshold, the policy executes its assigned action. You can configure the policy threshold manually or allow the Detector module to configure it during the threshold tuning phase of the learning process. By default, the threshold is set to a value appropriate for on-demand protection.

Timeout: Minimum amount of time that the policy applies its assigned action to the traffic flow.

Fixed: Policy threshold operating status. A check mark indicates the threshold is a fixed value that cannot be modified during the threshold tuning phase of the learning process. An x indicates that the threshold value is not fixed, which means that the Detector module can modify the policy threshold during the threshold tuning process.

Learning Multiplier: Factor by which the Detector module multiplies the threshold when it accepts the results of the threshold tuning phase.

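The Key column above describes how the Detector module aggregates traffic before comparing it with a threshold. The following Python is an added illustrative example, not Cisco code and not the Detector module's implementation: it aggregates a handful of constructed flow records under the dst_ip, src_ip, dst_port and global keys, and computes the per-source distinct-port and distinct-destination counts behind src_ip_many_ports and src_ip_many_dst_ips, plus the SYN-to-FIN ratio behind dst_ip_ratio. The Flow record layout, function names and addresses are assumptions made for this example.

```python
"""Added example: aggregating flow records by the policy keys of Table 8-2 (not Cisco code)."""
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple


class Flow(NamedTuple):
    """One observed flow; the field set is an assumption for this example."""
    src_ip: str
    dst_ip: str
    dst_port: int
    syn: bool
    fin: bool


# Constructed sample flow records (not captured traffic).
SAMPLE_FLOWS: List[Flow] = [
    Flow("203.0.113.5", "192.0.2.10", 80, True, True),    # normal web session, SYN and FIN seen
    Flow("203.0.113.5", "192.0.2.10", 443, True, True),
    Flow("203.0.113.6", "192.0.2.10", 22, True, False),   # one source touching many ports
    Flow("203.0.113.6", "192.0.2.10", 23, True, False),
    Flow("203.0.113.6", "192.0.2.10", 25, True, False),
    Flow("203.0.113.6", "192.0.2.10", 80, True, False),
    Flow("203.0.113.7", "192.0.2.11", 445, True, False),  # one source touching many zone IPs
    Flow("203.0.113.7", "192.0.2.12", 445, True, False),
    Flow("203.0.113.7", "192.0.2.13", 445, True, False),
]


def aggregate(flows: List[Flow]) -> Dict[str, object]:
    """Flow counts under the simple keys: dst_ip, src_ip, dst_port and global."""
    return {
        "dst_ip": Counter(f.dst_ip for f in flows),
        "src_ip": Counter(f.src_ip for f in flows),
        "dst_port": Counter(f.dst_port for f in flows),
        "global": len(flows),   # summation of all traffic
    }


def ports_per_source(flows: List[Flow], dst_ip: str) -> Dict[str, int]:
    """src_ip_many_ports: distinct ports each source touched on one zone IP (port-scan indicator)."""
    ports = defaultdict(set)
    for f in flows:
        if f.dst_ip == dst_ip:
            ports[f.src_ip].add(f.dst_port)
    return {src: len(p) for src, p in ports.items()}


def dst_ips_per_source(flows: List[Flow], dst_port: int) -> Dict[str, int]:
    """src_ip_many_dst_ips: distinct zone IPs each source probed on one port (IP-scan indicator)."""
    targets = defaultdict(set)
    for f in flows:
        if f.dst_port == dst_port:
            targets[f.src_ip].add(f.dst_ip)
    return {src: len(t) for src, t in targets.items()}


def syn_by_fin_ratio(flows: List[Flow], dst_ip: str) -> float:
    """dst_ip_ratio: SYN count divided by FIN count for one zone IP (inf when no FIN was seen)."""
    syns = sum(1 for f in flows if f.dst_ip == dst_ip and f.syn)
    fins = sum(1 for f in flows if f.dst_ip == dst_ip and f.fin)
    return syns / fins if fins else float("inf")


if __name__ == "__main__":
    print(aggregate(SAMPLE_FLOWS)["dst_ip"])
    print(ports_per_source(SAMPLE_FLOWS, "192.0.2.10"))
    print(dst_ips_per_source(SAMPLE_FLOWS, 445))
    print(syn_by_fin_ratio(SAMPLE_FLOWS, "192.0.2.10"))
```

A real policy would compare each of these per-key values against its threshold over a measurement interval; here the counts only show what each key isolates, which is why a single source opening many ports stands out under src_ip_many_ports even though its flow count under src_ip is unremarkable.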
Modifying Policy Parameters
This section describes how to modify policy parameters. You can modify a zone policy only when the Detector module is not learning the zone traffic or detecting anomalies in the zone traffic. You can modify the parameters of a single policy or modify the parameters of several policies simultaneously.
Note: Changes that you make to a policy parameter may be lost if you perform the policy construction phase after changing the parameter, because when you accept the results of the policy construction phase, the Detector module replaces the current zone policies with the new policies.
To modify the policy parameters, perform the following steps:
Step 1: From the navigation pane, choose a zone. The zone main menu appears.
Step 2: From the zone main menu, choose Configuration > Policies > View. The Policies screen appears.
Step 3: Choose the policies to configure as follows:
• To configure a single policy, click the Key type of the policy that you want to configure (the Policy Details screen appears) and then click Config (which is located under the Learning Parameters table). The Zone Policy Form appears.
• To configure a group of policies, check the check box next to the policies that you want to reconfigure and then click Config Selection. The Zone Policy Parameter Form appears. A value of Multiple for a policy section specifies that the policy section does not have the same value in all the policies that you selected.
Step 4: Reconfigure the policy parameters and then click OK.
If you leave the field of a policy parameter blank, the Detector module does not change the value of the parameter in the policies that you selected.
Table 8-3 describes the policy parameters in the Zone Policy form and the Zone Policy Parameter form.
Table 8-3 Zone Policy Parameter Form and Zone Policy Form

State: State of the policy. Possible values are as follows:
• active—The Detector module applies the policy to the traffic and the policy executes its assigned action when the traffic exceeds the policy threshold.
• inactive—The Detector module applies the policy to the traffic, but the policy does not execute its assigned action when the traffic exceeds the policy threshold.
• disabled—The Detector module does not apply the policy to the traffic.
Caution: Setting the policy state to inactive or disabled may compromise the ability of the Detector module to detect anomalies in the zone traffic. When you set the policy state to disabled, the enabled zone policies assume responsibility for the traffic that was managed by the disabled policy. After you disable a policy and before the Detector module performs zone protection, you must perform the threshold tuning phase to update the thresholds of the enabled policies.

Action: Action that the policy executes when the traffic exceeds the policy threshold. Choose a policy action from the drop-down list:
• notify—Notifies you when the traffic exceeds the policy threshold.
• remote_activation—Activates a Guard, which diverts the zone traffic to itself and manages the zone protection process. You define the Guard that the Detector module activates by using the CLI to configure the remote Guard list.

Threshold: Threshold traffic rate for the policy. When the traffic exceeds the threshold, the policy executes an action to protect the zone. You can configure the threshold for a single policy only. The threshold is measured in packets per second except for policies that are constructed from the following policy templates:
• num_sources—The threshold is measured in the number of IP addresses or ports.
• tcp_connections—The threshold is measured in the number of connections.
• tcp_ratio—The threshold is measured as the ratio number.

Threshold multiplier: Factor by which the thresholds of the policies are increased or decreased. You can configure a threshold multiplier for a group of policies only. Enter a factor to increase or decrease the thresholds of the policies when the thresholds are not appropriate for the zone traffic.
Note: The new value may change in subsequent threshold tuning phases if you do not set it as fixed.

Timeout: Minimum time for dynamic filters that are produced by the policy to apply their action. Enter the timeout value in seconds.

Learning parameters: Manner in which the Detector module accepts the results of a threshold tuning phase and modifies the policy threshold. To configure the learning parameters, check the Learning parameters check box. You can configure the following learning parameters:
• Set as fixed—Defines the current threshold of the policy as a fixed value. When the Detector module accepts the results of a threshold tuning phase, it does not modify this policy threshold.
• Learning multiplier—Calculates a new policy threshold by multiplying the learned threshold by the specified multiplier before accepting the result of subsequent threshold tuning phases. The Detector module accepts the results of the threshold tuning phase using the configured threshold selection method. Enter a real positive number (a floating point number with 2 decimal places) by which the policy threshold is multiplied. Enter a number less than 1 to decrease the policy threshold.

Configuring IP Addresses and Thresholds
To avoid false attack detections by the Detector module when traffic increases on a known high traffic source or destination IP address, you can configure a policy with a threshold for traffic that is associated with that IP address. Add an IP address and threshold to a policy for the following network applications:
• High volume source IP address—When the zone normally receives a high volume of traffic from a specific source IP address, you can configure a policy with a threshold that the Detector module applies to traffic originating from the source IP address.
• High volume destination IP address—When you define a zone with two or more IP addresses and sections of the zone normally receive a high volume of traffic, you can configure a policy with a threshold that the Detector module applies to traffic targeting the destination IP address within the zone.
You can configure IP thresholds for the following policies only:
• Policies with traffic characteristic of destination IP address (dst_ip).
• Policies with traffic characteristics of source IP address (src_ip) where the default policy action is drop. The default policy action is the action that the Detector module applies to the policy when you create a new zone. You can configure the threshold list for such policies even if you change the policy action.
You can configure a maximum of 10 IP addresses and thresholds for each policy.
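The policy semantics from Table 8-3 (state, action, threshold, fixed flag, learning multiplier, group threshold multiplier) together with the per-IP threshold list described in this section can be captured in a small model. The following Python is an added illustrative example, not Cisco code and not the Detector module's implementation; the class and function names, the constructed per-source packet rates, and the IP addresses are assumptions. It shows why a per-IP threshold on a known high-volume source prevents a false detection while an unknown source at a lower rate still trips the generic threshold, and how the inactive and disabled states differ.

```python
"""Added example: toy model of zone policy evaluation and threshold tuning (not Cisco code)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


class State(Enum):
    ACTIVE = "active"        # policy applied; action executes when threshold is exceeded
    INACTIVE = "inactive"    # policy applied; breach is observed but no action executes
    DISABLED = "disabled"    # policy not applied to the traffic at all


class Action(Enum):
    NOTIFY = "notify"
    REMOTE_ACTIVATION = "remote_activation"   # activate a Guard from the remote Guard list


MAX_IP_THRESHOLDS = 10                  # limit stated on the page
IP_THRESHOLD_KEYS = ("dst_ip", "src_ip")  # keys for which the page allows an IP threshold list


@dataclass
class Policy:
    key: str                     # aggregation key, e.g. "src_ip", "dst_ip", "global"
    threshold: float             # pps (connections or ratio for tcp_connections / tcp_ratio templates)
    state: State = State.ACTIVE
    action: Action = Action.NOTIFY
    fixed: bool = False          # threshold left untouched when tuning results are accepted
    learning_multiplier: float = 1.0
    ip_thresholds: Dict[str, float] = field(default_factory=dict)   # per-IP overrides


def add_ip_threshold(policy: Policy, ip: str, threshold: float) -> None:
    """Attach a per-IP threshold, enforcing the key restriction and the 10-entry limit."""
    if policy.key not in IP_THRESHOLD_KEYS:
        raise ValueError("IP thresholds are only supported on dst_ip and src_ip policies")
    if ip not in policy.ip_thresholds and len(policy.ip_thresholds) >= MAX_IP_THRESHOLDS:
        raise ValueError("a policy holds at most %d IP thresholds" % MAX_IP_THRESHOLDS)
    policy.ip_thresholds[ip] = threshold


def effective_threshold(policy: Policy, ip: Optional[str] = None) -> float:
    """Per-IP threshold when one is configured for this address, else the policy threshold."""
    return policy.ip_thresholds.get(ip, policy.threshold)


def evaluate(policy: Policy, rate: float, ip: Optional[str] = None) -> Tuple[bool, Optional[Action]]:
    """Return (threshold_exceeded, action_to_execute) for one observed rate.

    A disabled policy never evaluates the traffic; an inactive one reports the
    breach but executes nothing; an active one executes its assigned action.
    """
    if policy.state is State.DISABLED:
        return (False, None)
    exceeded = rate > effective_threshold(policy, ip)
    if not exceeded or policy.state is State.INACTIVE:
        return (exceeded, None)
    return (True, policy.action)


def accept_tuning(policy: Policy, learned_threshold: float) -> float:
    """Accept a threshold tuning result: learned value times the learning multiplier, unless fixed."""
    if not policy.fixed:
        policy.threshold = round(learned_threshold * policy.learning_multiplier, 2)
    return policy.threshold


def apply_threshold_multiplier(policies: List[Policy], factor: float) -> None:
    """Group edit from the Zone Policy Parameter Form: scale every selected policy's threshold."""
    for p in policies:
        p.threshold = round(p.threshold * factor, 2)


# Constructed sample: per-source packet rates (pps) seen in one interval (not real data).
SAMPLE_RATES: List[Tuple[str, float]] = [
    ("198.51.100.7", 4200.0),   # known high-volume source, e.g. a backup server
    ("203.0.113.9", 1450.0),    # unknown source above the generic threshold
    ("203.0.113.10", 300.0),    # normal
]


def run_detection(policy: Policy, samples: List[Tuple[str, float]]) -> List[Tuple[str, float, Optional[Action]]]:
    """Apply the policy to each (ip, rate) sample and return those that exceeded a threshold."""
    hits = []
    for ip, rate in samples:
        exceeded, action = evaluate(policy, rate, ip)
        if exceeded:
            hits.append((ip, rate, action))
    return hits


if __name__ == "__main__":
    src_policy = Policy(key="src_ip", threshold=1000.0, learning_multiplier=1.5)
    add_ip_threshold(src_policy, "198.51.100.7", 5000.0)   # higher threshold for the known source
    print(run_detection(src_policy, SAMPLE_RATES))         # only 203.0.113.9 is reported
    print(accept_tuning(src_policy, 800.0))                # 800 * 1.5 = 1200.0
```

Running the block with the sample rates reports only the unknown source: the known source at 4200 pps stays under its own 5000 pps entry, which is exactly the false-detection case the per-IP threshold list is meant to avoid.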
This section contains the following topics:
• Adding an IP Address and Threshold
• Deleting an IP Address and Threshold
Adding an IP Address and Threshold
To add an IP address and threshold to a policy, perform the following steps:
Step 1: From the navigation pane, choose a zone. The zone main menu appears.
Step 2: From the zone main menu, choose Configuration > Policies > View. The Policies screen appears.
Step 3: Click the Key type (located under the Key column) of the policy that you want to configure. The Policy Details screen appears.
Step 4: Click Add (located under the Threshold list table). The Add Threshold IP Entry screen appears.
Step 5: Define the source or destination IP address and the threshold value. Table 8-4 describes the parameters in the Threshold IP Entry form.
Table 8-4 Threshold IP Entry Form

IP: IP address. Enter the source or destination IP address.

Threshold: IP address traffic threshold. When the traffic exceeds the threshold, the policy executes its configured action. Enter the threshold value in packets per second (pps) except for the following policy types:
• tcp_connections—Unit of measurement that is the number of connections.
• tcp_ratio—Unit of measurement that is the ratio number.

Step 6: Choose one of the following options:
• OK—Saves the policy IP address information to the zone configuration. The Threshold IP Entry form closes and the Policy Details screen appears, displaying any policy configuration changes.
• Clear—Clears any information that you added to the Threshold IP Entry form.
• Cancel—Exits the Threshold IP Entry form without making any changes to the policy configuration.
Deleting an IP Address and Threshold
To delete a policy IP address and threshold, perform the following steps:
Step 1: From the navigation pane, choose a zone. The zone main menu appears.
Step 2: From the zone main menu, choose Configuration > Policies > View. The Policies screen appears.
Step 3: Click the Key type of the policy from which you want to delete the policy IP address and threshold. The Policy Details screen appears.
Step 4: From the Threshold list table, check the check box of the IP listings that you want to delete.
Step 5: Click Delete. The Detector module saves the modified policy configuration information.
Adding or Deleting a Service
You can manually add a service (application port or protocol) to the zone configuration that the Detector module did not discover during the policy construction phase. We recommend that you define specific policies for the zone main services to obtain the anomaly detection operation that is best suited for the zone.
Caution: Do not add the same service (port number) to more than one policy because it may decrease your network performance.
When you add or delete a service from the zone policies, the Detector module marks the zone policies as untuned. Because the zone is untuned, the Detector module cannot detect anomalies in the zone traffic when you activate Detect and Learn until you perform one of the following actions:
• Perform the threshold tuning phase of the learning process and accept the results (see the "Starting the Threshold Tuning Phase" section)
• Mark the zone policies tuned (see the "Marking the Zone Policies as Tuned or Untuned" section)
This section contains the following topics:
• Adding a Service
• Deleting a Service
Adding a Service
You can add services to all policies that were created from a specific policy template. The Detector module adds the new service to the services that it discovered during the policy construction phase and configures the new service with a default threshold value. You can define the threshold manually, but we recommend that you run the threshold tuning phase of the learning process to tune the policies to the zone traffic.
You can add a new service to policies that were created from the following policy templates:
• tcp_services, udp_services, tcp_services_ns, worm_tcp: the service designates a port number.
• other_protocols: the service designates a protocol number.
Note: If you activate the policy construction phase after adding a service, new services may override the service that you added manually.
You may need to manually add a service for the following reasons:
• A new application or service was added to the zone network, but you do not want to activate the policy construction phase to add the service to the zone configuration.
• You did not allow the policy construction phase to run long enough to detect all of the network services. For example, you may know of applications or services that are active only once a week or during the night when you do not have the policy construction phase activated.
To add a service to a policy type, perform the following steps:
Step 1: From the navigation pane, choose a zone. The zone main menu appears.
Step 2: From the zone main menu, choose Configuration > Policy Templates > Add Service. The Add Service Step 1 screen appears.
You can also navigate to the Add Service Step 1 screen by performing one of the following actions:
• From the zone main menu, choose Configuration > Policies > View, and then click Add service in the Policies screen.
• From the zone main menu, choose Configuration > Policy templates > View, and then click Add service in the Policies Templates screen.
Step 3: From the Policy Template list, choose a policy template and then click Next. The Add Service Step 2 screen appears.
See the "Understanding Policy Templates" section for information about policy template types.
Step 4: Enter the new service in the Add Service Form.
Step 5: Choose one of the following options:
• OK—Adds the new policies for the service to the zone configuration. The Detector module marks the zone policies as untuned. The policies of the new service are configured with default threshold values.
• Clear—Clears the Add Service Form information.
• Cancel—Exits the Add Service Form without adding any new service to the zone configuration.
Step 6: (Optional) Define the thresholds of the new policies. You can define the threshold manually, but we recommend that you run the threshold tuning phase of the learning process to tune the policies to the zone traffic. See the "Starting the Threshold Tuning Phase" section for more information.
You can mark the zone policies as tuned even if you do not run the threshold tuning phase of the learning process. See the "Marking the Zone Policies as Tuned or Untuned" section for more information.
Deleting a Service
You can delete a specific service for any policy template. The Detector module deletes the service from all policies that were created from the specific policy template.
Caution: If you delete a service, the zone policies cannot monitor the traffic of that service, which may compromise zone anomaly detection.
You can remove services from the following policy templates:
• tcp_services, udp_services, tcp_services_ns, worm_tcp: the service designates a port number.
• other_protocols: the service is a protocol number.
If you do not activate the policy construction phase of the learning process, you may need to manually remove a service for the following reasons:
• An application or service was removed from the network.
• An application or service was identified during the policy construction phase but you do not want to enable it because it is uncommon for the network environment.
Note: If you activate the policy construction phase after removing a service, the Detector module may add the same service back again.
To delete a service from a policy, perform the following steps:
Step 1: From the navigation pane, choose a zone. The zone main menu appears.
Step 2: From the zone main menu, choose Configuration > Policy Templates > Remove service. The Remove Service screen appears.
You can also navigate to the Remove Service screen by performing one of the following actions:
• From the zone main menu, choose Configuration > Policies > View, and then click Remove service in the Policies screen.
• From the zone main menu, choose Configuration > Policy templates > View, and then click Remove service in the Policies Templates screen.
Step 3: Choose the service that you want to remove from the list, and then click Delete. The delete verification screen appears.
Step 4: Choose one of the following options:
• OK—Removes the selected service from the zone configuration. The Detector module marks the zone as untuned.
• Cancel—Exits the Remove Service form without removing any service from the zone configuration.
Step 5: (Optional) Change the zone configuration from untuned to tuned after deleting a service by performing one of the following actions:
• Perform the threshold tuning phase of the learning process and accept the phase results (see the "Starting the Threshold Tuning Phase" section).
• Mark the zone as tuned (see the "Marking the Zone Policies as Tuned or Untuned" section).
Backing Up the Zone Policies
You can use the snapshot feature to create a backup of the current zone policies.
To back up the zone policies, perform the following steps:
Step 1: From the navigation pane, choose a zone that is not currently in a learning phase. The zone main menu appears.
Step 2: From the zone main menu, choose Learning > Snapshot. The Create Snapshot screen appears.
Step 3: Enter a name for the snapshot in the Snapshot name field, and then click OK. The Detector module saves the zone policies and assigns a consecutive ID number to the snapshot.