Creating and Configuring Zones
This chapter describes how to create and manage zones on the Cisco Traffic Anomaly Detector Module (Detector module).
This chapter refers to the Cisco Guard (Guard), the companion product of the Detector module. The Guard is a Distributed Denial of Service (DDoS) attack detection and mitigation device that cleans the zone traffic as the traffic flows through it, dropping the attack traffic and injecting the legitimate traffic back into the network. When the Detector module determines that the zone is under attack, it can activate the Guard attack mitigation services. The Detector module can also synchronize zone configurations with the Guard. For more information about the Guard, see the Cisco Anomaly Guard Module Configuration Guide or the Cisco Guard Configuration Guide.
This chapter contains the following sections:
• Understanding Zones
• Configuring Guard Zones
• Creating a New Zone
• Configuring the Zone Attributes
• Configuring the Zone IP Address Range
• Deleting a Zone
Understanding Zones
A zone is a network element that you define and that the Detector module monitors for Distributed Denial of Service (DDoS) attacks. A zone can be any combination of the following elements:
• A network server, client, or router
• A network link, subnet, or an entire network
• An individual Internet user or a company
• An Internet Service Provider (ISP)
When the Detector module identifies a DDoS attack, it can activate a Guard automatically to protect the zone against the attack or it can notify you to activate the Guard manually. The Detector module can analyze the traffic of different zones simultaneously as long as their network address ranges do not overlap.
The zone configuration includes the following attributes:
• Zone description—Defines the zone name and description.
• Zone network definition—Defines the zone network attributes that include the zone network IP address and subnet mask.
• Policy templates—Define the types of policies that the Detector module creates when performing the learning process.
• Policies—Analyze zone traffic and execute an action when the Detector module identifies an anomaly in the zone traffic. The zone policies can be the default policies that came with the zone template or zone-specific policies that the Detector module created during the learning process.
• Zone filters—Direct the zone traffic to the required protection level and define how the Detector module handles specific traffic flows.
You can create a zone by using one of the following methods:
• Use a predefined zone template—Create a new zone using one of the predefined zone templates, which configures the zone with a set of default policies and filters. After you create a new zone, you must configure the zone attributes.
• Use an existing zone as a template—Create a zone by making a copy of an existing zone. Use this method if the new zone has traffic patterns that are similar to those of an existing zone.
Configuring Guard Zones
You can create a zone using a Guard zone template and synchronize the zone configuration with a Guard. A zone that you create from a Guard zone template has two sets of definitions: one for the Detector module and one for the Guard. The zone configuration contains additional parameters that affect the Guard only.
This section contains the following topics:
• Displaying the Configuration of Guard Zones
• Configuring Protection Characteristics
• Protection Activation Methods
• Extent of Zone Protection
Displaying the Configuration of Guard Zones
You can display both sets of definitions of the zone configurations, one for the Detector module, and one for the Guard. A toggle filter appears at the top of the screen enabling you to toggle between the display of the two sets of definitions as follows:
• To display the configuration of the zone on the Detector module, click View Guard. The toggle button displays "View Detector" to indicate that the Detector module configuration is displayed.
• To display the configuration of the zone on the Guard, click View Detector. The toggle button displays "View Guard" to indicate that the Guard module configuration is displayed.
Configuring Protection Characteristics
You can define how the Guard activates zone protection. You must ensure that the zone configuration is synchronized to the Guard before you activate zone protection for the configuration to take effect. You can define the following protection characteristics:
• Operation mode—You can configure how the Guard performs zone protection and define whether the Guard applies measures to protect the zone automatically or in an interactive manner in which you must determine the protection measures that the Guard applies.
• Activation method—You can define whether to activate the zone according to the zone name, the zone address range, or the received traffic. See the "Protection Activation Methods" section for more information.
• Activation extent—You can define whether to activate zone protection for the entire zone address range or only for a specific IP address within the zone. The activation extent applies to zones where zone protection is activated by an external device, such as a Detector module. See the "Extent of Zone Protection" section for more information.
• Protection termination timeout—You can define the timeout after which the Guard terminates zone protection.
Protection Activation Methods
The protection activation method defines how the Guard identifies the zone for which it activates zone protection when it receives an external indication. This indication can be a command from an external device, such as the Detector module, or traffic packets that are destined to the zone.
The method that the Guard uses to activate protection can be one of the following:
• IP Address—Activates zone protection when it receives a command from an external device, such as a Detector module, that consists of an IP address or subnet that is part of the zone.
• Packet—Activates zone protection when it receives traffic that is destined to the zone.
• Packet or IP Address—Activates zone protection when it receives traffic (a packet) that is destined to the zone or when it receives a command from an external device, such as the Detector module, that consists of an IP address or subnet that is part of the zone address range.
• Zone Name Only—Activates zone protection based on the zone name.
The following rules apply when you configure a zone with a protection activation method of Packet or Packet or IP Address:
• You must manually divert the zone traffic to the Guard using an external device. Otherwise, the Guard cannot monitor the zone traffic.
• You can configure the minimum received traffic rate that is required for the Guard to activate zone protection by using the protect-packet activation-sensitivity CLI command. You can only configure the activation sensitivity using the Guard CLI. See the Cisco Guard Configuration Guide or the Cisco Anomaly Guard Module Configuration Guide for more information.
• Do not configure more than one zone with the same address range or zone protection may not function properly.
Extent of Zone Protection
The activation extent defines whether to activate zone protection for the entire zone or for a partial zone when the Guard receives an external indication. This indication can be a command from an external device, such as the Detector module, or traffic packets that are destined to the zone.
The Guard supports the following activation extents:
• Entire zone—Activates protection for the entire zone. The Guard activates protection when it receives traffic that is destined to the zone or when it receives an external indication that consists of an IP address or subnet that is part of the zone.
• IP Address only—Activates zone protection only for the specified IP address or subnet. When the Guard receives traffic that is destined to the zone, or when it receives a command from an external device, such as the Detector module, that consists of an IP address or subnet that is part of the zone, the Guard creates a new zone (subzone). This activation extent is the default.
Creating a New Zone
You can create a zone and configure the zone name, description, network address, operation definitions, and networking definitions.
You can create a new zone in two ways:
• Use a predefined zone template—Create a new zone using one of the predefined zone templates. Use this method to create a new zone with the default policies and filters. After you create a new zone, you must configure the zone attributes.
• Use an existing zone configuration as a template—Create a new zone by duplicating an existing zone. Use this method if the new zone has traffic patterns that are similar to those of an existing zone.
See the "Configuring the Zone Attributes" section for information about how to modify the zone configuration settings.
This section contains the following topics:
• Creating a Zone from a Zone Template
• Creating a Zone from an Existing Zone
Creating a Zone from a Zone Template
To create a new zone using a zone template, perform the following steps:
Step 1  From the navigation pane, click Detector Summary. The Detector summary menu appears.
Step 2  From the Detector main menu, choose Zones > Create Zone. The Zone Form appears.
  To display the Zone Form, you can also choose Zones > Zone list and then click Add, or choose Main > Create Zone from the zone main menu.
Step 3  Define the zone. Table 4-1 describes the fields in the Zone form.
Table 4-1 Zone Configuration Form Fields

Field | Description
Name | Name of the new zone. The name is an alphanumeric string from 1 to 63 characters. The string must start with a letter, can contain underscores, but cannot contain any spaces.
Description | Text describing the zone. Enter an alphanumeric string from 1 to 80 characters in length.
Operation mode | Mode in which the Detector module performs zone protection. The operation mode can be one of the following:
  • Automatic—The Detector module automatically activates all dynamic filters as it creates them during an attack.
  • Interactive—The Detector module displays the dynamic filters that the policies create as recommendations. You must decide whether or not to activate each dynamic filter.
  See the "Activating Automatic or Interactive Detect Mode" section for information about zone operation modes.
Zone Template | Zone template that defines the policies used in the zone configuration. The Detector module contains two sets of zone templates with the following prefixes:
  • DETECTOR_—Zone templates for Detector module use only. Select the DETECTOR_ version of the zone template when you are not going to share the zone configuration with a Guard.
  • GUARD_—Zone templates for use on the Detector module and the Guard. You can configure both Detector module and Guard attributes for zones that were created from these templates, and copy the zone configuration to the Guard. Select the GUARD_ version of the zone template when you plan to synchronize the zone configuration with a Guard.
  Choose one of the following zone templates:
  • DETECTOR_DEFAULT—Default zone template. You can use this zone template to protect a Voice-over-IP server. If you create a zone using this zone template, you cannot detect TCP worm attacks on the zone.
  • DETECTOR_WORM—Zone template that allows the Detector module to detect TCP worm attacks on the zone. Zones that are created from the GUARD_WORM zone template contain policies that are produced from the worm_tcp policy template.
  • DETECTOR_LINK templates—Zone templates that allow the Detector module to detect large subnets segmented according to zones with a known bandwidth. You can activate zone detection for zones defined by these zone templates without undergoing the learning process. To enable the Detector module to activate zone protection on a Guard for the attacked IP address or subnet only, configure the Protect-IP State parameter to Only Dst IP. See the Protect-IP State parameter in this table for more information.
    The following bandwidth-limited link zone templates are available for 128-Kb, 1-Mb, 4-Mb, and 512-Kb links: DETECTOR_LINK_128K, DETECTOR_LINK_1M, DETECTOR_LINK_4M, and DETECTOR_LINK_512K.
    You cannot perform the policy construction phase of the learning process for zones that were created from these templates.
  • GUARD_DEFAULT—Guard default zone template. The Guard may change the packet source IP address to the Guard TCP-proxy IP address. You can use this zone template if you do not use access-control lists, access policies, or load-balancing policies that are based on the incoming IP address for the zone network.
  • GUARD_LINK templates—Zone templates for zones with a known bandwidth. The following templates are available for 128-Kb, 1-Mb, 4-Mb, and 512-Kb links: GUARD_LINK_128K, GUARD_LINK_1M, GUARD_LINK_4M, and GUARD_LINK_512K.
    You cannot perform policy construction for zones that were created from these templates. You can activate zone detection for zones that were created from the GUARD_LINK zone templates without undergoing the threshold tuning phase.
    To enable the Detector module to activate zone protection on a Guard for the attacked IP address or subnet only, configure the Protect-IP State parameter to Only Dst IP. See the Protect-IP State parameter in this table for more information.
  • GUARD_TCP_NO_PROXY—Zone template for a zone for which no TCP proxy is to be used. You can use this zone template if the zone is controlled based on IP addresses, such as an Internet Relay Chat (IRC) server-type zone, or if you do not know the type of services running on the zone.
Protect-IP state | Guard-protection method that the Detector module uses to activate remote Guard modules. The Guard-protection method that you select can save Guard resources by allowing the Guard to focus on specific zone protection requirements. The states from the Protect-IP state drop-down list are as follows:
  • Entire Zone—Activates a Guard to protect the entire zone when it detects an anomaly in the zone traffic. This method saves Guard resources because it reduces the number of active zones that the Guard protects. We recommend that you use this strategy when the zone consists of related subzones.
  • Only Dst IP—Activates a Guard to protect a particular IP address when it detects an anomaly in the zone traffic that is destined to that IP address. You can activate a Guard to protect the attacked IP address but avoid diverting the traffic of the entire zone to the Guard. If the Detector module cannot associate the traffic anomaly with a particular IP address, it does not activate a Guard module to protect the zone. We recommend that you use this strategy when the zone consists of unrelated subzones.
  • Policy type—Activates the Guard to protect the entire zone or to protect a particular IP address within the zone address range based on the policy that caused the Detector module to activate the Guard. The Detector module activates the Guard to protect a particular IP address if it detects an anomaly in the zone traffic that is destined to that IP address (for example, if the policy that caused the remote activation has traffic characteristics of dst_ip). If the Detector module cannot associate the traffic anomaly with a particular IP address, it activates the Guard to protect the entire zone (for example, if the policy that caused the remote activation has traffic characteristics of global). We recommend that you use this strategy when the zone consists of related subzones so that you can avoid a situation in which a targeted zone may cause damage to the entire zone.
  • Only Dst IP by address—Activates a Guard to protect a particular IP address when it detects an anomaly in the zone traffic that is destined to that IP address. The IP address must be in the address range of one of the zones that you have defined on the Guard. However, the name of the zone on the Detector module does not have to be identical to the zone name on the Guard module. Selecting Only Dst IP by address is equivalent to protecting an IP address when the zone name is not known by choosing Main > Protect IP from the Guard main menu. We recommend that you use this strategy when the zone names on the Detector module are not identical to the zone names on the Guard, or when the zone consists of unrelated subzones.
    To ensure that the Guard activates zone protection for the attacked IP address only and avoids diverting the traffic of the entire zone to itself, make sure that the zone is defined on the Guard with an activation extent of IP Address only.
IP address | Zone IP address. After you create the zone, you can modify the IP address or add additional IP addresses. See the "Configuring the Zone IP Address Range" section for more information.
Mask | Zone address mask. Select the address mask from the Mask drop-down list. After you create the zone, you can modify the address mask. See the "Configuring the Zone IP Address Range" section for more information.
Step 4  Click OK to save the new zone. The zone general view screen appears, displaying the zone configuration information.
After you create a zone, you can change the zone configuration and configure additional zone attributes, such as the Activation parameters and the Packet Dump parameters. See the "Configuring the Zone Attributes" section for more information.
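How the Detector's Protect-IP state (Table 4-1) and the Guard zone's activation extent ("Extent of Zone Protection") together decide what the Guard ends up protecting, as an added Python model that is not Cisco code: the Anomaly and GuardZone classes, the state strings, the zone names and the addresses are constructed for illustration, and the Guard zone's activation method is assumed to accept the request.

```python
"""Model of the Protect-IP state on the Detector and the activation extent on the Guard.
Constructed illustration of the behaviour described in Table 4-1, not product code."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Protect-IP states, using the names shown in Table 4-2 (Table 4-1 labels in comments)
ENTIRE_ZONE = "entire-zone"        # "Entire Zone"
DST_IP_BY_NAME = "dst-ip-by-name"  # "Only Dst IP"
POLICY_TYPE = "policy-type"        # "Policy type"
DST_IP_BY_IP = "dst-ip-by-ip"      # "Only Dst IP by address"

# Guard-side activation extents (Table 4-4)
EXTENT_IP_ONLY = "ip-address-only"  # default: the Guard creates a subzone for the address
EXTENT_ENTIRE = "entire-zone"


@dataclass
class Anomaly:
    """What the Detector knows when a policy fires (constructed fields)."""
    detector_zone: str
    traffic_characteristic: str   # e.g. "dst_ip" or "global", as in the Policy type text
    dst_ip: Optional[str]         # None when the anomaly cannot be tied to one address


@dataclass
class GuardZone:
    name: str
    network: ipaddress.IPv4Network
    activation_extent: str = EXTENT_IP_ONLY


def detector_request(state: str, anomaly: Anomaly):
    """Return (zone_name, ip) that the Detector sends to the Guard, or None for no activation.

    zone_name is None for dst-ip-by-ip, where the Guard must locate the zone by address.
    """
    if state == ENTIRE_ZONE:
        return (anomaly.detector_zone, None)
    if state == DST_IP_BY_NAME:
        # Only Dst IP: no activation unless the anomaly maps to a particular address
        return None if anomaly.dst_ip is None else (anomaly.detector_zone, anomaly.dst_ip)
    if state == POLICY_TYPE:
        # Policy type: per-address only when the firing policy is address-specific (dst_ip)
        if anomaly.traffic_characteristic == "dst_ip" and anomaly.dst_ip is not None:
            return (anomaly.detector_zone, anomaly.dst_ip)
        return (anomaly.detector_zone, None)  # e.g. a global policy: protect the whole zone
    if state == DST_IP_BY_IP:
        return None if anomaly.dst_ip is None else (None, anomaly.dst_ip)
    raise ValueError(f"unknown Protect-IP state: {state}")


def guard_activate(request, guard_zones):
    """Resolve the request on the Guard: (guard zone name, scope, protected ip) or None.

    Assumes the Guard zone's activation method accepts the request; that setting
    (Table 4-4, Activation interface) is not modelled here.
    """
    if request is None:
        return None
    zone_name, ip = request
    if zone_name is not None:
        zone = next((z for z in guard_zones if z.name == zone_name), None)
    else:
        # dst-ip-by-ip: the address must fall inside a zone defined on the Guard
        addr = ipaddress.IPv4Address(ip)
        zone = next((z for z in guard_zones if addr in z.network), None)
    if zone is None:
        return None
    # A per-address request becomes a subzone only when the Guard zone's extent is
    # "IP address only"; with "Entire zone" the whole zone is diverted regardless.
    if ip is not None and zone.activation_extent == EXTENT_IP_ONLY:
        return (zone.name, "subzone", ip)
    return (zone.name, "entire-zone", None)


# Constructed sample Guard configuration
GUARD_ZONES = [
    GuardZone("web", ipaddress.IPv4Network("192.168.100.32/27")),  # default extent: IP only
    GuardZone("mail", ipaddress.IPv4Network("10.1.0.0/24"), EXTENT_ENTIRE),
]


def decide(state: str, anomaly: Anomaly):
    """Run both halves for one anomaly against the sample Guard zones."""
    return guard_activate(detector_request(state, anomaly), GUARD_ZONES)
```

The "mail" zone shows the caveat from Table 4-1: an address-specific request still diverts the whole zone when the Guard zone's extent is Entire zone.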
Creating a Zone from an Existing Zone
To create a new zone using an existing zone as a template, perform the following steps:
Step 1  From the navigation pane, choose a zone to be used as a zone template. The zone main menu appears.
Step 2  From the zone main menu, choose Main > Save as. The Zone Save as screen appears.
Step 3  Define the new zone name. In the Name text field, enter the zone name as an alphanumeric string of 1 to 63 characters. The string must start with a letter, can contain underscores, but cannot contain spaces.
Step 4  Click OK to save the new zone. The zone general view screen appears.
Configuring the Zone Attributes
After you create a zone, you can configure the zone attributes or modify the existing zone configuration.
To configure the zone attributes, perform the following steps:
Step 1  From the navigation pane, choose a zone. The zone main menu appears.
Step 2  From the zone main menu, choose Configuration > General. The zone general view screen appears.
Step 3  Click Config (located below the first table). The Config Zone screen appears. The Config screen contains the following sections:
  • General Details (this section has no heading)
  • Packet Dump Parameters
  If you created the zone from the Guard zone template, the Config screen contains two additional sections:
  • Attack Detection/Termination Parameters
  • Activation Parameters
Step 4  (Optional) Configure the zone general details. Table 4-2 describes the fields in the General Details section. See Table 4-1 for a more detailed description of each field.

Table 4-2 General Details Parameters

Field | Description
Description | Text that describes the zone. Enter an alphanumeric string of 1 to 80 characters.
Operation mode | Mode in which the Detector module performs zone protection. The operation modes are as follows:
  • Automatic—The Detector module automatically activates all dynamic filters as it creates them during an attack.
  • Interactive—The Detector module displays the dynamic filters that the policies create as recommendations. You must decide whether or not to activate each dynamic filter.
Protect-IP state | Guard-protection method that the Detector module uses to activate remote Guard modules. The Guard-protection method that you choose can save Guard module resources by allowing the Guard module to focus on specific zone protection requirements. The state can be one of the following:
  • entire-zone—Activates a Guard to protect the entire zone when it detects an anomaly in the zone traffic.
  • policy-type—Activates the Guard to protect the entire zone or to protect a particular IP address within the zone address range, based on the policy that caused the Detector module to activate the Guard.
  • dst-ip-by-name—Activates a Guard to protect a particular IP address when it detects an anomaly in the zone traffic that is destined to that IP address.
  • dst-ip-by-ip—Activates a Guard to protect a particular IP address when it detects an anomaly in the zone traffic that is destined to that IP address. The IP address must be in the address range of one of the zones that is defined on the Guard module.
Max. Rate | Amount of traffic that the Guard is allowed to inject back into the network. Enter an integer for the maximum rate and then choose the unit of measurement from the drop-down list. If the highest bandwidth value is not known, leave the Max. Rate and Burst fields blank and choose unlimited units (unlimit) from the drop-down list. This field applies to the Guard configuration only and does not affect the Detector module.
Burst | Highest traffic peak that the Guard is allowed to pass to the zone. Enter an integer for the burst size rate. The units are bits, kilobits, kilopackets, megabits, and packets that correspond to the rate units that are specified by the maximum rate (Max. Rate) unit of measurement. This field applies to the Guard configuration only and does not affect the Detector module.
Step 5  (Optional) Configure the Attack Detection/Termination Parameters. Table 4-3 describes the fields in the Attack Detection/Termination Parameters section. These parameters apply to the Guard configuration only and do not affect the Detector module.

Table 4-3 Attack Detection/Termination Parameters

Field | Description
Malicious-rate detection threshold | Minimum rate of zone packets that are dropped.
Protection-end Timer | Inactivity timeout that the Guard uses to terminate zone protection when there is no attack on the zone. Enter a value from seconds to an infinite amount of time.
Filter-rate termination threshold | Threshold value that together with the malicious-rate termination threshold specifies when the Guard can deactivate dynamic filters. Define this threshold in packets per second (pps).
Malicious-rate termination threshold | Threshold value that together with the filter-rate termination threshold specifies when the Guard can deactivate dynamic filters. Define this threshold in packets per second (pps).
Step 6  Configure the Activation Parameters. These parameters apply to the Guard configuration only and do not affect the Detector module. Table 4-4 describes the fields in the Activation Parameters section.

Table 4-4 Activation Parameters

Field | Description
Activation interface | Protection activation method. The activation method can be one of the following:
  • Zone name—This is the default activation method. Uncheck both check boxes to configure this activation method.
  • By packet—Check the By packet check box to configure this activation method.
  • By IP address—Check the By IP address check box to configure this activation method.
  • By IP Address or By Packet—Check both the By IP address check box and the By packet check box to configure this activation method.
  Note: You must manually divert traffic to the Guard when the zone is attacked if you configure the protection activation to By Packet or to By IP Address or By Packet.
  See the "Protection Activation Methods" section for more information.
Activation extent | Defines whether the Guard activates zone protection for the entire zone or for a part of the zone when the Guard receives an external indication to activate zone protection. The activation extent can be one of the following:
  • IP address only—Activates protection only for the specified IP address or subnet within the zone. This is the default activation extent.
  • Entire zone—Activates protection for the entire zone.
  For more information about the Activation extent options, see the "Extent of Zone Protection" section.
Step 7  (Optional) Configure the Packet Dump Parameters to enable automatic packet dump captures. See "Monitoring Network Traffic and Extracting Attack Signatures" for more information about using packet dump captures. Table 4-5 describes the fields in the Packet Dump Parameters section.

Table 4-5 Packet Dump Parameters

Field | Description
Auto Packet Dump | Check the check box next to one of the following options:
  • On—Enables auto packet dump
  • Off—Disables auto packet dump (this is the default setting)
Max. disk space | Enter the maximum amount of disk space (in megabytes) to use for automatic packet dumps. This field applies to the Cisco Traffic Anomaly Detector (appliance) only and does not affect the Cisco Traffic Anomaly Detector Module.

Step 8  Click OK to save the zone configuration.
Configuring the Zone IP Address Range
You must configure at least one IP address that is not excluded before you can activate zone anomaly detection, but you can add or delete IP addresses from the zone IP address range at any time.
This section contains the following topics:
• Adding an IP Address to the Zone IP Address Range
• Deleting an IP Address from the Zone IP Address Range
• Updating the Zone Policies
Adding an IP Address to the Zone IP Address Range
You can configure a large subnet and then exclude specific IP addresses from that subnet so that they are not part of the zone IP address range.
To add an IP address to the zone configuration, perform the following steps:
Step 1  From the navigation pane, select a zone. The zone main menu appears.
Step 2  From the zone main menu, choose Configuration > General. The zone general view screen appears.
Step 3  Click Add (located below the second table). The Add Zone IP screen appears.
Step 4  Enter the following IP address information:
  • IP Address—Zone IP address. Enter the IP address in dotted-decimal notation (for example, 192.168.100.32).
  • IP Mask—Zone IP address mask. Enter the subnet mask in dotted-decimal notation (for example, 255.255.255.224). The default subnet mask is 255.255.255.255.
Step 5  (Optional) Check the Exclude check box to exclude the IP address from the zone IP address range.
Step 6  Click OK to save the zone configuration. The zone general view screen appears.
Step 7  Update the zone policies. See the "Updating the Zone Policies" section for more information.
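The zone IP address range with excluded entries described above, together with the rule that zone address ranges must not overlap ("Understanding Zones" and "Protection Activation Methods"), as an added Python model that is not Detector module code: the Zone class, its methods, the overlap check and the sample addresses are constructed for illustration, and the default mask is the one given in Step 4.

```python
"""Model of a zone's IP address range with excluded entries, plus the non-overlap
rule between zones. Constructed illustration, not Detector module code."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple

DEFAULT_MASK = "255.255.255.255"  # default IP Mask on the Add Zone IP screen


@dataclass
class Zone:
    name: str
    # (network, excluded) pairs in the order they were added
    entries: List[Tuple[ipaddress.IPv4Network, bool]] = field(default_factory=list)

    def add_ip(self, address: str, mask: str = DEFAULT_MASK, exclude: bool = False):
        """Add one Zone IP entry; the mask is dotted-decimal, as on the form."""
        net = ipaddress.IPv4Network((address, mask), strict=False)
        self.entries.append((net, exclude))
        return net

    def delete_ip(self, address: str, mask: str = DEFAULT_MASK) -> bool:
        """Remove an entry by its network; returns True when something was deleted."""
        net = ipaddress.IPv4Network((address, mask), strict=False)
        before = len(self.entries)
        self.entries = [e for e in self.entries if e[0] != net]
        return len(self.entries) != before

    def effective_networks(self) -> List[ipaddress.IPv4Network]:
        """Included networks with every excluded entry carved out."""
        nets = [n for n, excluded in self.entries if not excluded]
        for ex, excluded in self.entries:
            if not excluded:
                continue
            remaining = []
            for n in nets:
                if n.subnet_of(ex):          # exclusion covers the whole entry: drop it
                    continue
                if ex.subnet_of(n):          # exclusion lies inside the entry: split around it
                    remaining.extend(n.address_exclude(ex))
                else:
                    remaining.append(n)      # CIDR blocks either nest or are disjoint
            nets = remaining
        return sorted(nets)

    def contains(self, address: str) -> bool:
        ip = ipaddress.IPv4Address(address)
        return any(ip in n for n in self.effective_networks())

    def can_activate_detection(self) -> bool:
        """Detection needs at least one address that is not excluded."""
        return bool(self.effective_networks())


def zones_overlap(a: Zone, b: Zone) -> bool:
    """True when the two zones' effective address ranges share any address."""
    return any(x.overlaps(y) for x in a.effective_networks() for y in b.effective_networks())


def overlapping_pairs(zones: List[Zone]) -> List[Tuple[str, str]]:
    """Report zone pairs whose ranges overlap, which the Detector module does not allow."""
    pairs = []
    for i, a in enumerate(zones):
        for b in zones[i + 1:]:
            if zones_overlap(a, b):
                pairs.append((a.name, b.name))
    return pairs


def sample_zones() -> List[Zone]:
    """Constructed example: a /27 web zone with one host carved out for a separate zone."""
    web = Zone("web")
    web.add_ip("192.168.100.32", "255.255.255.224")  # 192.168.100.32/27
    web.add_ip("192.168.100.40", exclude=True)       # host reserved for another zone
    dns = Zone("dns")
    dns.add_ip("192.168.100.40")                     # default /32 mask
    mail = Zone("mail")
    mail.add_ip("192.168.100.0", "255.255.255.0")    # overlaps web and dns: not allowed
    return [web, dns, mail]
```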
Deleting an IP Address from the Zone IP Address Range
To delete an IP address from the zone IP address range, perform the following steps:
Step 1  From the navigation pane, select a zone. The zone main menu appears.
Step 2  From the zone main menu, choose Configuration > General. The zone general view screen appears.
Step 3  Check the check box next to each IP address that you want to delete and then click Delete.
Step 4  Update the zone policies. See the "Updating the Zone Policies" section for more information.
Updating the Zone Policies
If you modify the zone IP address or subnet, perform one of the following tasks:
• If the new IP address or subnet consists of a new service that was not previously defined in the zone network, allow the Detector module to perform the policy construction phase before you activate zone protection, or add the service manually. See the following sections for more information:
  – "Starting the Policy Construction Phase" section
  – "Adding a Service" section
• If zone protection and the learning process are enabled, mark the zone policies as untuned. Do not change the status of the zone policies to untuned if there is an attack on the zone, because that prevents the Detector module from detecting the attack and causes the Detector module to learn thresholds from malicious traffic. See the "Marking the Zone Policies as Tuned or Untuned" section for more information.
• If you did not enable zone anomaly detection and the learning process by selecting Detect and Learn, and you do not plan to activate the two processes, activate the threshold tuning phase before activating zone protection. See the "Starting the Threshold Tuning Phase" section for more information.
Deleting a Zone
To delete one or more zones, perform the following steps:
Step 1  Click Detector Summary from the navigation pane. The Detector Summary menu appears.
Step 2  Choose Zones > Zone list from the Detector module main menu. The Zone list screen appears.
Step 3  Check the check box next to each zone that you want to delete, and then click Delete. To delete all the zones listed, check the check box in the header (next to Zone), and then click Delete. The Validation form appears.
Step 4  Click OK to delete the zone.