Cisco Traffic Anomaly Detector Module Configuration Guide (Software Version 6.0)
Configuring the Detector

Table Of Contents

Configuring the Detector

Activating Detector Services

Configuring Access Control Using AAA

Configuring Authentication

Configuring Authentication Methods

Configuring Local Authentication

Configuring Authorization

Configuring Local Authorization

Configuring Authorization Methods

Disabling Tab Completion of Zone Names

Configuring Accounting

Configuring the TACACS+ Server Attributes

Configuring a TACACS+ Server IP Address

Configuring the TACACS+ Server Encryption Key

Configuring the TACACS+ Search Method

Configuring the TACACS+ Server Connection Timeout

Displaying TACACS+ Server Statistics

Establishing Communication with the Guard

Configuring the SSL Communication Channels Parameters

Enabling an SSL Communication Channel

Regenerating SSL Certificates

Configuring the SSH Communication Channel Parameters

Enabling an SSH Communication Channel

Regenerating SSH Communication Channel Keys

Establishing Communication Channels

Managing SSH Keys

Adding SSH Keys

Deleting SSH Keys

Configuring the Keys for SFTP and SCP Connections

Changing the Hostname

Enabling SNMP Traps

Configuring SNMP Community Strings

Configuring the Login Banner

Configuring the Login Banner from the CLI

Importing the Login Banner

Deleting the Login Banner

Configuring the Web-Based Manager Logo

Importing the WBM Logo

Deleting the WBM Logo

Configuring the Session Timeout


Configuring the Detector


This chapter describes how to configure the Cisco Traffic Anomaly Detector (Detector module) services.

This chapter refers to the Cisco Guard (Guard), the companion product of the Detector module. The Guard is a Distributed Denial of Service (DDoS) attack detection and mitigation device that cleans the zone traffic as the traffic flows through it, dropping the attack traffic and injecting the legitimate traffic back into the network. When the Detector module determines that the zone is under attack, it can activate the Guard attack mitigation services. The Detector module can also synchronize zone configurations with the Guard. For more information about the Guard, see the Cisco Anomaly Guard Module Configuration Guide or the Cisco Guard Configuration Guide.

This chapter contains the following sections:

Activating Detector Services

Configuring Access Control Using AAA

Establishing Communication with the Guard

Managing SSH Keys

Configuring the Keys for SFTP and SCP Connections

Changing the Hostname

Enabling SNMP Traps

Configuring SNMP Community Strings

Configuring the Login Banner

Configuring the Web-Based Manager Logo

Configuring the Session Timeout

Activating Detector Services

The Detector module has several service options which you can activate by enabling the service and then defining the IP address that is permitted access to the service. With the exception of the Secure Shell service which is always active, this section describes how to activate the services.

The Detector module services are as follows:

Internode communication service—The Detector module uses this service when establishing a communication channel with the Cisco Guard. See the "Establishing Communication with the Guard" section for more information.

Simple Network Management Protocol (SNMP) server service—You can access the Detector module using SNMP to retrieve information as defined by the following MIBs:

Riverhead private MIB

MIB2 (RFC1213-MIB)—All of the MIB groups with the exceptions of the EGP and transmission MIB groups

UCDAVIS (UCD-SNMP-MIB)—Only the following MIB groups: memory, latable, systemStats, version, and snmperrs

See the MIB file that is released with the software version for information about the MIB definitions.


Note The Riverhead MIB contains 64-bit counters. To read the MIB, you must use a browser that supports SNMP version 2.


SNMP trap service—When you activate the snmp-trap service, the Detector module generates SNMP traps. See the "Enabling SNMP Traps" section for more information.

Secure Shell (SSH) service—The SSH service is always active. See the "Accessing the Detector Module with SSH" section on page 3-13 and the "Managing SSH Keys" section for more information.

Web-Based Manager (WBM) service—You can control the Detector module from the web using a web browser. See the "Managing the Detector Module with the Web-Based Manager" section on page 3-11 for more information.

MultiDevice Manager (MDM) service—Using a web browser, you can monitor and control the Detector module and other Guard and Detector devices from the MDM server. See the "Managing the Detector Module with the Cisco DDoS MultiDevice Manager" section on page 3-13 for more information.

To activate a Detector module service, perform the following steps:


Step 1 Enable the Detector module service by entering the following command in configuration mode:

service {internode-comm | mdm | snmp-server | snmp-trap | wbm}

Table 4-1 provides the keywords for the service command.

Table 4-1 Keywords for the service Command 

Service
Description
internode-comm

Specifies the internode communication service.

mdm

Specifies the MDM service.

snmp-server

Specifies the SNMP server service.

snmp-trap

Specifies the SNMP trap service.

wbm

Specifies the WBM service.


Step 2 Permit access to the Detector module service by entering one of the following commands:

For the MDM service, permit access to the Detector module service from the MDM by entering the following command in configuration mode:

mdm server ip-addr

The ip-addr argument defines the IP address of your MDM server. Enter the IP address in dotted-decimal notation.

For all other services, permit access to the Detector module service and enable connectivity by entering the following command in configuration mode:

permit {internode-comm | snmp-server | ssh | wbm} {ip-address-general [ip-mask] | *}

Table 4-2 provides the arguments and keywords for the permit command.

Table 4-2 Arguments and Keywords for the permit Command 

Parameter
Description
internode-comm

Specifies the internode communication service.

snmp-server

Specifies the SNMP server service.

ssh

Specifies the SSH service.

wbm

Specifies the WBM service.

ip-address-general

IP address from which to permit access. Enter the IP address in dotted-decimal notation (for example, enter 192.168.10.2).

ip-mask

(Optional) IP subnet mask. Enter the subnet mask in dotted-decimal notation (for example, enter 255.255.255.0). The default subnet mask is 255.255.255.255.

*

Asterisk wildcard character that allows access by all remote manager IP addresses.


Caution For security reasons, we recommend that you not permit access to a service from all IP addresses.


The following example shows how to activate the WBM service:

user@DETECTOR-conf# service wbm
user@DETECTOR-conf# permit wbm 192.168.10.35 

Configuring Access Control Using AAA

Authentication, Authorization, and Accounting (AAA) is a method for controlling user access to the Detector module and the Detector module services. AAA provides the following features:

Authentication—Identifies a user before the user is allowed access to the system and system services.

Authorization—Determines what a user is allowed to perform once access to the system is obtained. This process occurs after the user is authenticated.

Accounting—Records what a user is performing or has performed. Accounting allows you to track the services that users are accessing.

The Detector module is preconfigured with the following system user accounts:

admin—The admin user account is configured with the administration access rights, allowing access to the Detector module CLI and all its functionality. When connecting to the Detector module CLI for the first time, you are required to set a password for this account. Use the admin user account to configure additional user accounts.

riverhead—The riverhead user account is configured with dynamic access rights. The Detector module uses this user account to establish the initial communication channel with the Guard. When you connect to the Detector module CLI for the first time, you are required to set a password for this account.

You cannot delete system user accounts.

You can divide the Detector module user community into domains and assign passwords for secure management access. We recommend that you create new user accounts and avoid using the system user accounts after the initial configuration so that you can monitor user actions.

The following sections describe how to configure access control:

Configuring Authentication

Configuring Authorization

Configuring Accounting

Configuring the TACACS+ Server Attributes

Configuring Authentication

You can configure which authentication method that the Detector module uses when a user tries to log into the Detector module or requests a higher privilege level (using the enable command). The Detector module offers the following authentication options:

Local authenticationUses locally configured login and enable passwords for authentication. This authentication method is the default. See the "Configuring Local Authentication" section for more information.

Terminal Access Controller Access-Control System Plus (TACACS+) authenticationRemote user authentication using one or more TACACS+ servers.


Note You must configure authentication for the user on a TACACS+ server before configuring user authorization or the user may not be able to access the Detector module (see the "Configuring Authorization" section).


You can configure that the Detector module to use one or both of the user authentication methods. When using TACACS+ authentication, you can define multiple TACACS+ servers. Defining more than one authentication method provides a backup in case the initial method fails due to a communication error.

The Detector module authenticates a user by using each of the methods that you define and in the order in which you define them on the Detector module. To view the list of defined authentication methods, enter the show running config command. The Detector module attempts to authenticate the user using the first method on the list. If the first authentication method does not respond, the Detector module sequentially selects the next authentication method on the list until it finds one that responds.

You can configure the action that the Detector module takes when it receives a response from the first TACACS+ server by using the tacacs-server first-hit command. If you disable the first-hit option (the default setting) and the first server rejects the authentication, the Detector module sequentially scans the other TACACS+ servers to find a server that accepts the authentication. User authentication fails when no defined TACACS+ servers accept the authentication or the Guard cannot communicate with any of the servers. If you enable the first-hit option, the Detector module accepts the authentication response (reject or accept) of the first TACACS+ server to respond as the final decision. By default, the first-hit option is disabled. For more information about the tacacs-server first-hit command, see the "Configuring the TACACS+ Search Method" section.


Note You can configure the Detector module to use its local database as a fallback for user authentication when the Detector module cannot communicate with the TACACS+ servers (see the "Configuring Authentication Methods" section).


This section contains the following topics:

Configuring Authentication Methods

Configuring Local Authentication

Configuring Authentication Methods

To configure the authentication method that the Detector module uses, perform the following steps:


Step 1 Configure the TACACS+ server connection if TACACS+ authentication is required. See the "Configuring the TACACS+ Server Attributes" section for more information.

Step 2 Define the authentication method by entering the following command in configuration mode:

aaa authentication {enable | login} {local | tacacs+}  
[tacacs+ | local]

Table 4-3 provides the keywords for the aaa authentication command.

Table 4-3 Keywords for the aaa authentication Command 

Parameter
Description
enable

Allows the Detector module to authenticate when a user enters a higher privilege level.

login

Allows the Detector module to authenticate when a user logs in.

local

Specifies the local database that the Detector module uses to authenticate a user.

tacacs+

Allows a TACACS+ server to authenticate a user.

tacacs+ | local

(Optional) Specifies an alternative authentication method should the configured method fail.


To change the authentication method, reenter the command.


The following example shows how to configure authentication on entering a higher privilege level. The primary authentication method is configured to TACACS+, and the secondary authentication method is configured to the local user database.

user@DETECTOR-conf# aaa authentication enable tacacs+ local

Configuring Local Authentication

The Detector module initially has a preconfigured username (called a user definition) with administration privileges, which allows you to create new users. The user definition allows you to divide the Detector module user community into domains and to assign passwords for secure management access.

To enable authentication of CLI users with a TACACS+ server, see the "Configuring Authentication" section.

This section contains the following topics:

Adding a User

Changing Your Password

Changing the Passwords of Other Users

Deleting a User from the Local User Database

Adding a User

To add a user to the Detector module local database, use the following command in configuration mode:

username username {admin | config | dynamic | show} [password]

Table 4-4 provides the arguments and keywords for the username command.

Table 4-4 Arguments and Keywords for the username Command 

Parameter
Description

username

Name of the user. Enter a case-sensitive alphanumeric string from 1 to 63 characters that starts with an alphabetic letter. The string cannot contain spaces but can contain underscores.

admin

Provides access to all operations.

config

Provides access to all operations except for operations relating to user definition, deletion, and modification.

dynamic

Provides access to monitoring and diagnostic operations, detection, and learning-related operations. Users with Dynamic privileges can also configure flex-content filters and dynamic filters.

show

Provides access to monitoring and diagnostic operations.

password

(Optional) User password. Enter a case-sensitive 6- to 24-character alphanumeric string with no spaces. If you do not enter a password, you are prompted for it.


The following example shows how to configure a new user and set the password:

user@DETECTOR-conf# username Robbin config 123456

Users enter passwords in clear text but the Detector module configuration file displays passwords in an encrypted manner. This example displays the Detector module configuration file (running-config):

username Richard config encrypted 840xdMk3

The encrypted keyword in the previous example indicates that the password is encrypted.

To display the list of users configured on the Detector module, use the show running-config or show detector commands.

To display a list of the users currently logged into the CLI, use the show users command.

Changing Your Password

You can change your own password. Administrators can change their own password and the passwords of other users (see the "Changing the Passwords of Other Users" section).

To change your own password, perform the following steps:


Step 1 Enter the following command in global mode:

password

Step 2 Enter your current password. The system prompts you for a new password.

Step 3 Enter a new password. The password must be an alphanumeric, 6- to 24-character alphanumeric string, with no spaces. The password is case sensitive. The system prompts you to confirm the new password by typing it again.


The following example shows how to change your password:

user@DETECTOR# password 
Old Password: <old-password>
New Password: <new-password>
Retype New Password: <new-password>

Changing the Passwords of Other Users

You must have administration user privileges to change the password of other users.

To change the password of another user, perform the following steps:


Step 1 Enter the following command in global mode:

password username-password

The username-password argument is the user whose password you are changing.

Step 2 Enter a new password.

The password must be an alphanumeric, 6- to 24-character string with no spaces. The password is case sensitive. The system prompts you to confirm the new password by typing it again.


The following example shows that the administrator changes the password of the user Jose:

user@DETECTOR# password Jose 
New Password: <new-password>
Retype New Password: <new-password>

Deleting a User from the Local User Database

When you delete a user from the local user database, the associated user cannot access the Detector module if authentication is performed using the local user database only.

To delete a user from the Detector module local user database, use the no username username command.

The following example shows how to delete a user from the local user database:

user@DETECTOR-conf# no username Robbin

Configuring Authorization

You can limit the services available to a user. When you enable authorization, the Detector module verifies the user profile, which is located either in the local user database or on a TACACS+ security server. The user is permitted access to the requested service only if the information in the user profile allows it.

You can configure which authorization method that the Detector module uses when a user tries to execute a command. The Detector module offers the following authorization options:

TACACS+ authorizationRemote user authorization method that uses one or more TACACS+ servers.

Two types of TACACS+ authorization are supported:

EXEC authorization—Determines the user privilege level once when the user is authenticated upon logging into the Detector module.

Command authorization—Consults a TACACS+ server to get authorization for each command after the user enters the command.

TACACS+ authorization enables you to specify access rights for each command.


Caution We recommend that you limit authorization to the copy running-config command because using the copy running-config command allows a user to execute all configuration commands, regardless of whether the user is actually authorized to use every command in the configuration file.

Local authorizationUses locally configured user profiles for command group access control. Authorization is defined for all commands at the specified privilege level. This authorization method is the default.

The Detector module can use local authorization when communication to the TACACS+ server fails.

You can configure a sequential authorization list that defines the methods for authorizing a user, allows you to designate one or more methods to be used for authorization, and provides a backup if communication to the initial method fails.

The Detector module uses the first method that you list to authorize users; if that method does not respond, the Detector module selects the second authorization method. The authorization fails only if both authorization methods do not succeed.

To configure the Detector module to consider an authentication rejection as final and stop further searching with other TACACS+ servers or the local user database, you can configure the TACACS+ server attributes. See the "Configuring the TACACS+ Server Attributes" section for more information.

This section contains the following topics:

Configuring Local Authorization

Configuring Authorization Methods

Disabling Tab Completion of Zone Names

Configuring Local Authorization

Access to Detector operations depends on the user privilege level. You can limit the operations available to a user. The Detector module checks the user profile to verify the user access rights. Once authorized, the user is granted access to the requested operation only if the information in the user profile allows it. See Table 3-1 for more information about user privilege levels.

This section contains the following topics:

Assigning Privilege Levels with Passwords

Moving Between User Privilege Levels

Assigning Privilege Levels with Passwords

You can set passwords that restrict access to user privilege levels. After you specify the privilege level and the password, you can give the password to the users who need to access this level. Without knowing the privilege level password, the user cannot move to the password-protected level.

To set a local password to control access to a privilege level, use the following command in configuration mode:

enable password [level level] [password]

Table 4-5 provides the arguments for the enable password command.

Table 4-5 Arguments for the enable password Command 

Parameter
Description

level level

(Optional) The user privilege level. The level can be one of the following:

admin—Provides access to all operations.

config—Provides access to all operations except for operations relating to user definition, deletion, and modification.

dynamic—Provides access to monitoring and diagnostic operations, detection, and learning-related operations. Users with Dynamic privileges can also configure flex-content filters and dynamic filters.

show—Provides access to monitoring and diagnostic operations.

The default level is admin.

password

(Optional) Password for the privilege level. The password must be an alphanumeric, 6- to 24-character string with no spaces. The password is case sensitive. If you do not enter a password, you are prompted for it.


The following example shows how to assign a password to the user privilege level admin:

user@DETECTOR-conf# enable password level admin <password>

Moving Between User Privilege Levels

Authorized users can move between user privilege levels.

To move between user privilege levels, perform the following steps:


Step 1 Enter the following command in global mode:

enable [level]

The level argument specifies the user privilege level. This level can be one of the following:

admin—Provides access to all operations.

config—Provides access to all operations except for operations relating to user definition, deletion, and modification.

dynamic—Provides access to monitoring and diagnostic operations, detection, and learning-related operations. Users with Dynamic privileges can also configure flex-content filters and dynamic filters.

show—Provides access to monitoring and diagnostic operations.

The default level is admin.

Step 2 Enter the privilege level password.


The following example shows how to switch to the admin privilege level:

user@DETECTOR> enable admin 
Enter enable admin Password: <password>

To return to the show privilege level (as described in Table 4-5), use the disable command.

Configuring Authorization Methods

To configure the authorization method, perform the following steps:


Step 1 Configure the TACACS+ server connection if TACACS+ authorization is required. See the "Configuring the TACACS+ Server Attributes" section for more information.

Step 2 Define the authorization method by entering one of the following commands in configuration mode:

aaa authorization exec tacacs+

aaa authorization commands level tacacs+

To remove an authorization method, use the no form of the command.

Table 4-6 provides the arguments and keywords for the aaa authorization command.

Table 4-6 Arguments and Keywords for the aaa authorization Command 

Parameter
Description

exec

Runs authorization to determine if the user is allowed to run an EXEC shell. The Detector module consults the TACACS+ server to determine the privilege level for an authenticated user.


Caution You must configure the user on a TACACS+ server before you configure authorization or the user may not be able to access the Detector module.

commands

Runs authorization for all commands at the specified privilege level. To configure authorization for more than one privilege level, use the command for each privilege level that requires authorization.

level

Authorization for one of the following privilege levels:

admin—Provides access to all operations.

config—Provides access to all operations except for operations relating to user definition, deletion, and modification.

dynamic—Provides access to monitoring and diagnostics operations, detection, and learning-related operations. Users with Dynamic privileges can also configure flex-content filters and dynamic filters.

tacacs+

Verifies the user access rights with a TACACS+ server.


We recommend that you do not configure authorization for show privilege level commands because it may affect Detector module performance.



Note No TACACS+ authorization is performed for commands that you enter from console sessions.


The following example shows how to configure authorization for commands that require the config privilege level:

user@DETECTOR-conf# aaa authorization commands config tacacs+


Caution You must grant access to the dynamic user privilege level or specify access rights to the configure command to enable access to the configuration command mode.

TACACS+ Server Sample Configuration

You can specify authorization for each command in the TACACS+ server database.

The following example shows how to configure authorization on a TACACS+ server for the user Zoe:

user=Zoe {
	cmd = detect {
		permit .*
	}
	cmd = "no detect" {
		permit .*
	}
	cmd = learning {
		deny policy*
	}
	cmd = "no learning" {
		deny .*
	}
	cmd = dynamic-filter {
		permit .*
	}
	cmd = "no dynamic-filter" {
		permit .*
	}
}

Disabling Tab Completion of Zone Names

You can limit the access to the zone configurations to authorized users only by disabling the tab completion feature when entering the zone names. This setting applies to all commands in which you specify the zone name.

When you enter commands in global or configuration mode, such as the zone command, no zone command, show zone command, and deactivate command, the Detector module no longer displays or completes the zone name. You must enter the complete zone name to configure a zone, change the zone operation mode, or display zone statistics.

The Detector module sends the tab-complete zone-list command to the TACACS+ server when you disable tab completion of zone names. Configure authorization for the tab-complete zone-list command on the TACACS+ server to enable tab completion of zone names to authorized users.

The following example shows how to disable tab completion of zone names for all the zone commands:

user@DETECTOR-conf# aaa authorization commands zone-completion tacacs+

To enable tab completion of zone names, use the no form of the command.

Configuring Accounting

Accounting management allows you to track the services that users are accessing and save the accounting information about a TACACS+ server. You can enable accounting of requested services for billing, reporting, or security purposes. By default, the Detector module is configured with accounting management disabled.

To configure accounting, perform the following steps:


Step 1 Configure the TACACS+ server connection. See the "Configuring the TACACS+ Server Attributes" section for more information.

Step 2 Configure accounting by entering the following command in configuration mode:

aaa accounting commands {show | dynamic | config | admin} stop-only {local | tacacs+} 

Table 4-7 provides the keywords for the aaa accounting command.

Table 4-7 Keywords for the aaa accounting Command 

Parameter
Description

show | dynamic | config | admin

Defines accounting for the specified privilege level (see Table 3-1 for information about user privilege levels).

stop-only

Records the action when the command execution terminates.

local

Does not save accounting information.

tacacs+

Uses a TACACS+ server database to record accounting information.


To configure accounting for more than one privilege level, enter the aaa accounting command for each privilege level, as required.

We recommend that you enable accounting management for the config user privilege level only. Tracking and saving accounting data may affect Detector module performance.

Use the no form of the command to remove the accounting management for a privilege level.


The following example shows how to configure accounting for commands that require the config privilege level on a TACACS+ server.

user@DETECTOR-conf# aaa accounting commands config stop-only tacacs+ 

Configuring the TACACS+ Server Attributes

You must configure the TACACS+ server attributes to enable authentication, authorization, or accounting with a TACACS+ server.


Caution You must configure the TACACS+ server attributes before you apply the TACACS+ authentication method or you may not be able to access the Detector module.

To configure the TACACS+ server attributes, perform the following steps:


Step 1 Configure the IP address of the TACACS+ server by entering the tacacs-server host ip-address port port_number command.

See the "Configuring a TACACS+ Server IP Address" section for more information.

Step 2 Configure the encryption key that the Detector module uses to access the TACACS+ server by entering the tacacs-server key tacacs-key command.

See the "Configuring the TACACS+ Server Encryption Key" section for more information.

Step 3 (Optional) Configure the search method that the Detector module uses for authentications by entering the tacacs-server first-hit command.

See the "Configuring the TACACS+ Search Method" section for more information.

Step 4 (Optional) Configure the TACACS+ server connection timeout by entering the tacacs-server timeout timeout command.

See the "Configuring the TACACS+ Server Connection Timeout" section for more information.

Step 5 Display the TACACS+ server connection statistics by entering the show tacacs statistics command.

See the "Displaying TACACS+ Server Statistics" section for more information.


The Detector module user privilege levels relate to the TACACS+ privilege numeration as follows:

admin = 15

config = 10

dynamic = 5

show = 0

This section contains the following topics:

Configuring a TACACS+ Server IP Address

Configuring the TACACS+ Server Encryption Key

Configuring the TACACS+ Search Method

Configuring the TACACS+ Server Connection Timeout

Displaying TACACS+ Server Statistics

Configuring a TACACS+ Server IP Address

You can configure the Detector module to use a sequential list of TACACS+ servers for authentication, authorization, and accounting. The Detector module uses the TACACS+ server list to authenticate or authorize users or send an accounting event; if that server does not respond, the Detector module selects the second server. Authentication or authorization fails only if all servers listed do not respond.

Alternatively, you can configure the Detector module to use only the first TACACS+ server on the list to authenticate users (see the "Configuring the TACACS+ Search Method" section for more information).

You must define the IP address of each TACACS+ server on the list. You can define a maximum of nine TACACS+ servers.

To add a TACACS+ server to the list and assign its IP address, use the following command in configuration mode:

tacacs-server host ip-address [port port_number]

Table 4-8 provides the arguments and keywords for the tacacs-server host command.

Table 4-8 Keywords for the tacacs-server host Command 

Parameter
Description

ip-address

IP address of the TACACS+ server. Enter the IP address in dotted-decimal notation (for example, an IP address of 192.168.100.1).

port port_number

(Optional) Specifies the port number to use. If you do not specify a port number, the Detector module uses port 49 by default.


The TACACS+ servers are added to the list in the order in which you enter them. You can add a maximum of nine servers to the list.

The following example shows how to add a server to the TACACS+ server list:

user@DETECTOR-conf# tacacs-server host 192.168.33.45 port 60

Configuring the TACACS+ Server Encryption Key

You must configure the encryption key to access a TACACS+ server. The key must match the key on the TACACS+ servers. The key cannot contain spaces.

To configure the server encryption access key, use the following command in configuration mode:

tacacs-server key tacacs-key

The argument tacacs-key is an alphanumeric string that contains up to 100 characters.


Note You can define only one encryption key. When using several TACACS+ servers, the Detector module uses the same key to encrypt communication with all TACACS+ servers.


Disable the encryption function by using the following command:

no tacacs-server key

The following example shows how to set the TACACS+ server encryption key to MyKey:

user@DETECTOR-conf# tacacs-server key MyKey

Configuring the TACACS+ Search Method

You can configure the Detector module to consider an authentication rejection as final and stop further searching with other TACACS+ servers by using the tacacs-server first-hit command in configuration mode. The Detector module performs user authentication using only the first TACACS+ server on the server list. If the first TACACS+ server does not respond, the Detector module selects the next server on the list. The Detector module regards the first user authentication approval or rejection received as the final decision and stops attempting to authenticate the user with other TACACS+ servers.

To configure the Detector module to continue a sequential search of the defined TACACS+ servers in an attempt to find a server that accepts the user authentication, use the no tacacs-server first-hit command in configuration mode. This method is the default setting for the first-hit operation. User authentication fails if all of the defined TACACS+ servers reject the user authentication or the Detector module cannot communicate with any of the servers.

The following example shows how to configure the TACACS+ search method so that the Detector module uses only the first TACACS+ server on the list to authenticate users:

user@DETECTOR-conf# tacacs-server first-hit

Configuring the TACACS+ Server Connection Timeout

You can configure the amount of time that the Detector module waits for a reply from the TACACS+ server. When the timeout ends, the Detector module either attempts to establish a connection with the next TACACS+ server (if a server was configured) or falls back to local AAA (if a fallback was configured). Authentication and authorization fail if no fallback method is configured.


Note The same server timeout is used for communication with all TACACS+ servers.


To configure the TACACS+ server connection timeout, use the following command in configuration mode:

tacacs-server timeout timeout

The timeout argument specifies the amount of time (in seconds) that the Detector module waits for a TACACS+ server to reply. The default timeout is 0.

The following example shows how to configure the TACACS+ server connection timeout to 600 seconds:

user@DETECTOR-conf# tacacs-server timeout 600


Tip You may want to increase the timeout value if you have network problems or if the TACACS+ servers are slow to respond and cause persistent timeouts.


Displaying TACACS+ Server Statistics

You can display statistical information for the TACACS+ servers that you define by using the show tacacs statistics command in configuration mode.

To clear the TACACS+ statistics, use the clear tacacs statistics command in configuration mode.

Table 4-9 displays the fields in the show tacacs statistics command output.

Table 4-9 Field Descriptions in the show tacacs statistics Command Output 

Field
Description

PASS

Number of times that the Detector module accessed the TACACS+ server successfully and was granted access.

FAIL

Number of times that the Detector module accessed the TACACS+ server successfully and was denied access.

ERROR

Number of times that the Detector module could not access the TACACS+ server.


Establishing Communication with the Guard

You can establish a secure communication channel between the Detector module and the Guards that you define on the Detector module remote Guard lists. The secure communication channel enables the Detector to perform the following tasks:

Activate the Guard—When the Detector module detects a zone traffic anomaly, it uses the communication channel to activate the Guard that provides zone protection and to poll the Guard during zone protection.

Synchronize a zone configuration—The Detector module uses the communication channel to exchange zone configuration information with the Guard.

After you configure the communication channel parameters on both the Detector module and Guard, from the Detector module you initiate a connection with the Guard which enables the Detector module to exchange the keys and certificates that are required to establish a secure communication channel with the Guard. The Detector module then closes the connection and establishes the communication channel when it needs to activate the Guard, synchronize a zone configuration, or poll the Guard.

The Detector module and Guard support the following two types of communication channels:

Secure Shell (SSH) version 2—Enables the Detector to activate the Guard.

Secure Sockets Layer (SSL)—Enables the Detector to activate the Guard, poll the Guard, and synchronize zone configurations.

You use the zone remote Guard list and default remote Guard list on the Detector module to specify the Guards that the Detector module communicates with for zone protection and synchronization. When you specify a Guard on a remote Guard list, you select the type of communication channel that the Detector module is to establish with the Guard: SSH or SSL. Both devices require the SSH service for establishing a SSH or SSL communication channel. By default, the SSH service is always enabled on both devices. When you establish an SSL communication channel, the Detector module uses the SSH communication channel only for the initial connection with a Guard, during which time the devices exchange their keys and certificates.


Note Before you can establish a communication channel with a Guard, you must add the Guard to a remote Guard list on the Detector module. See the "Activating Remote Guards to Protect a Zone" section on page 9-5 for more information.


This section contains the following topics:

Configuring the SSL Communication Channels Parameters

Configuring the SSH Communication Channel Parameters

Establishing Communication Channels

Configuring the SSL Communication Channels Parameters

Configure an SSL communication channel between the Detector module and the Guard when you need the Detector module to interact with the Guard as follows:

Activate the Guard when the Detector module detects a traffic anomaly.

Synchronize zone configurations with the Guard.

Poll the Guard to identify that an attack on the zone has ended. If you enable the detect and learn process on the Detector module, the Detector module suspends the learning process (threshold tuning) when it detects an attack on the zone. The Detector module polls the Guard that it activated to mitigate the attack to determine when the attack is over, at which point, the Detector module automatically resumes the learning process.

Monitor communication with the Guard and notify you if remote actions fail, such as activating the Guard to protect the zone.

An SSL communication channel provides secure connections through a combination of authentication and data encryption and relies upon digital certificates, private-public key exchange pairs, and Diffie-Hellman key agreement parameters for this level of security. SSL encrypts the data so that only the intended recipient can decipher the data.

Each Guard and Detector module uses a digital certificate to authenticate the device attempting to communicate with it over the communication channel. The identity of the Guard and the Detector module in the SSL certificates is associated with the device IP address. To ensure a secure connection, the Detector module generates a private-public key pair and distributes its public key to the Guards that you define on the remote Guard lists.

After you configure the SSL communication parameters on both the Guard and the Detector module, you must establish the communication channel between the two devices, which you perform from the Detector module. During the initial connection to the Guard, the Detector module establishes an SSH communication channel with the user riverhead on the Guard and then the devices exchange the keys and certificates that are required to secure the communication channel. After the initial connection, the Detector module establishes an SSL communication channel when needed to activate the Guard, poll the Guard, or synchronize zone configurations.

If you replace one the devices on either end of an SSL communication channel or change one of their IP addresses, then you must regenerate the SSL certificates in both devices so that the two devices can successfully authenticate each other.

This section contains the following topics:

Enabling an SSL Communication Channel

Regenerating SSL Certificates

Enabling an SSL Communication Channel

To enable an SSL communication channel, you must configure the Detector module and the Guard to allow the following connection types:

SSH—The Detector module establishes the initial connection with the Guard using an SSH communication channel to exchange the keys and certificates.

SSL—The Detector module uses an SSL communication channel to establish all connections with the Guard after the initial connection.


Caution If the Guard is authenticating users using TACACS+ authentication, you must define the user riverhead on the TACACS+ server to enable the Detector to establish the SSH communication channel during the initial connection with the Guard.

To enable an SSL communication channel, perform the following steps on both the Detector module and the Guard:


Step 1 Permit access to the SSH service by the companion device IP address by entering the permit ssh ip-address-general [ip-mask] in configuration mode.

The ip-address-general and ip-mask arguments define the IP address of the companion device.

Step 2 Enable the communication channel service by entering the service internode-comm command in configuration mode.

Step 3 Permit access to the communication channel service by the companion device IP address by entering the permit internode-comm ip-address-general [ip-mask] command in configuration mode.

The ip-address-general and ip-mask arguments define the IP address of the companion device.


After you configure the Detector module and the Guard to enable the SSL communication channel, you can establish the communication channel between them. For information on establishing the communication channel, see the "Establishing Communication Channels" section.

Regenerating SSL Certificates

The key that identifies the Guard and the Detector in the SSL certificates is associated with the device IP addresses. You must regenerate new SSL certificates for the Guard and the Detector on both ends of a communication channel when you make the following changes:

Change the IP address of one of the devices.

Replace one of the devices.

The process of regenerating new SSL certificates includes deleting the current certificates from both devices.

To display the current SSL certificates, use the show internode-comm certs command.

To regenerate the SSL certificates, perform the following steps:


Step 1 From the Detector module, delete the SSL certificate of the Guard by using the following command in configuration mode:

cert remove cert-host-ip

The cert-host-ip argument specifies the IP address of the Guard. Enter an asterisk (*) to delete the SSL certificates of all the Guards that you define on the remote Guard lists.

The following example shows how to delete an SSL certificate:

user@DETECTOR-conf# cert remove 10.56.36.4

Step 2 From the Guard, delete the SSL certificate of the Detector module by using the following command in configuration mode:

cert remove cert-host-ip

The cert-host-ip argument specifies the IP address of the Detector module. Enter an asterisk (*) to delete the SSL certificates of all Detector modules that have established communication channels with the Guard.

Step 3 If you replace the Guard, then you must also delete its SSH host key from the Detector module. From the Detector module, use the following command in configuration mode to delete Guard SSH host keys:

no host-keys ip-address-general

The ip-address-general argument specifies the IP address of the remote device.

The following example shows how to delete host keys from the Detector module:

user@DETECTOR-conf# no host-keys 10.56.36.4

Step 4 From the Detector module, regenerate new SSL certificates by establishing a new SSL communication channel between the Guard and the Detector module. For information about establishing a communication channel, see the "Establishing Communication Channels" section.


Configuring the SSH Communication Channel Parameters

Configure an SSH communication channel between the Detector module and the Guard when the only interaction between the two devices that you need is for the Detector module to activate the Guard when it detects a traffic anomaly. An SSH communication channel does not allow the Detector module to perform the following tasks with the Guard:

Synchronize zone configurations with the Guard.

Poll the Guard to identify that an attack on the zone has ended. If you enable the detect and learn process on the Detector module, the Detector module suspends the learning process (threshold tuning) when it detects an attack on the zone. Because the Detector module cannot poll the Guard to determine when the attack is over, it is unable to automatically resume the learning process when the attack ends.

Monitor communication with the Guard and notify you if remote actions fail, such as activating the Guard to protect the zone.

To allow the Detector module to perform these tasks, you must configure an SSL communication channel (see the "Configuring the SSL Communication Channels Parameters" section).

To ensure a secure SSH communication channel, the Detector module generates a private-public SSH key pair and distributes the public SSH key to the Guards listed in the remote Guard lists.

After you enable the SSH communication channel, you must establish the communication channel between the Detector module and the Guard, which you perform from the Detector module.

If you replace a Guard at one end of an SSH communication channel, then you must regenerate the SSH private (host) and public keys on the Detector module so that it can successfully authenticate itself with the new Guard.

This section contains the following topics:

Enabling an SSH Communication Channel

Regenerating SSH Communication Channel Keys

Enabling an SSH Communication Channel

To enable an SSH communication channel between a Guard and a Detector module, from the Guard, permit access to the SSH service by the Detector module IP address by entering the permit ssh command in configuration mode.

After you enable the SSL communication channel between the Guard and the Detector module, you can establish the communication channel between them. For information on establishing the communication channel, see the "Establishing Communication Channels" section for more information.

Regenerating SSH Communication Channel Keys

If you replace a Guard that a Detector module communicates with over an SSH communication channel, then you must perform the following steps to regenerate the SSH communication channel keys:


Step 1 Delete the SSH host key from the Detector module by entering the no host-keys ip-address-general configuration mode command on the Detector module.

The ip-address-general argument specifies the IP address of the remote device.

To display the host keys listed on the Detector module, use the show host-keys command.

Step 2 Configure the SSH key on the remote Guard by performing one of the following actions:

Establish a new SSH communication channel from the Detector module (see the "Establishing Communication Channels" section).

Add the Detector module public key manually to the remote Guard. You can copy the Detector module public SSH key, and paste it into the list of SSH keys that the Guard maintains.

To display the Detector module public SSH key, use the show public-key command on the Detector.

To add the Detector module public SSH key to the list of SSH keys that the Guard maintains, use the key add command on the Guard.


Establishing Communication Channels

Establish an SSH or SSL communication channel between the Detector and the Guard to enable the Detector to communicate directly with the Guard.


Note You must enable the communication channel on both the Detector module and the Guard before you establish the communication channel. For information about enabling a communication channel, see the "Enabling an SSL Communication Channel" section or the "Enabling an SSH Communication Channel" section.


During the initial connection between the two devices, the Detector module exchanges the SSH keys and SSL certificates that are required to secure the communication channel. The Detector module then closes the connection and establishes the communication channel when it needs to activate the Guard, synchronize a zone configuration with the Guard (SSL communication channel only), or poll the Guard (SSL communication channel only).


Caution If the Guard is authenticating users using TACACS+ authentication, you must define the user riverhead on the TACACS+ server in order for the key publish command to function.

To establish a communication channel from the Detector module to the Guard, perform the following steps on the Detector module:


Step 1 Generate the SSH private-public key pair by entering the following command in configuration mode:

key generate

If an SSH key pair already exists, the following message appears:

/root/.ssh/id_rsa already exists.
Overwrite (y/n)? 

Choose the desired option by entering one of the following options:

y—The Detector module generates a new SSH key pair.

n—The Detector module does not generate a new SSH key pair.

Step 2 Publish the public SSH key only, which is required for an SSH communication channel, or publish the public SSH key and generate and exchange the SSL certificate, which is required for an SSL communication channel. Use one of the following commands in configuration mode:

key publish remote-guard-address {ssh | ssl}

key publish *

Table 4-10 provides the arguments and keywords for the key publish command.

Table 4-10 Arguments and Keywords for the key publish Command 

Parameter
Description
remote-guard-address

Remote Guard IP address.

ssh

Publishes the SSH public key to the remote Guard that is defined by the remote-guard-address argument.

ssl

Publishes the SSH public key and generates and exchanges an SSL certificate with the remote Guard that is defined by the remote-guard-address argument.

*

Publishes the SSH key and generates and exchanges SSL certificates with all of the Guards that are configured in the remote Guard lists.

The Detector module establishes an SSH communication channel with each of the Guards in the remote Guard lists. Repeat Step 3 and Step 4 for each remote Guard.


Step 3 To prevent a man-in-the-middle attack (attack in which an attacker is able to intercept and modify messages going between two victims), SSH uses host keys to verify the remote host, or Guard, authenticity. When initiating an SSH communication channel to a Guard for the first time, the Guard sends its public key to the Detector module. If this is the first connection initiated from the Detector module to the Guard, the following message appears:

The authenticity of host '<remote-hostname> (<remote-host IP
address>)' can't be established.
RSA key fingerprint is <RSA key fingerprint> 
Are you sure you want to continue connecting (yes/no)?

Enter yes.

The following prompt appears:

riverhead@remote-Guard-IP-address's password:

Step 4 Enter the password configured on the Guard for the user riverhead.


The following example shows how to generate the private-public SSH key pair and establish an SSH communication channel between the Detector module and a remote Guard that has an IP address of 192.168.100.33:

user@DETECTOR-conf# key generate
user@DETECTOR-conf# key publish 192.168.100.33 ssh
/root/.ssh/id_rsa already exists.
Overwrite (y/n)? y
The authenticity of host '192.168.100.33 (192.168.100.33)' can't be
established.
RSA key fingerprint is
de:cb:ac:36:9a:fe:33:f9:6a:d8:7b:98:a9:51:75:54.
Are you sure you want to continue connecting (yes/no)? yes
riverhead@192.168.100.33's password: <password>
user@DETECTOR-conf# 

The following example shows how to establish a communication channel with all the Guards that are listed in the remote Guard lists:

user@DETECTOR-conf# key publish *

To display the Detector module SSH public key, use the show public-key command.

To display the host keys listed on the Detector module, use the show host-keys command.

Managing SSH Keys

The Detector module supports SSH for secure remote login. You can add a list of SSH keys to enable secure communication from a remote device to the Detector module without entering a login and password.

The following sections describe how you can manage the Detector module SSH key list:

Adding SSH Keys

Deleting SSH Keys

Adding SSH Keys

You can enable an SSH connection without entering a login and password by adding the remote connection SSH public key to the Detector module SSH key list.

Enter the following command in configuration mode:

key add [user-name] {ssh-dsa | ssh-rsa} key-string comment

Table 4-11 provides the arguments and keywords for the key add command.

Table 4-11 Arguments and Keywords for the key add Command 

Parameter
Description

user-name

(Optional) Name of the user to which the SSL key is added. Only an administrator can add an SSH key for other users.

The default is to add the SSH key for the current user.

ssh-dsa

Specifies the SSH2-DSA key type.

ssh-rsa

Specifies the SSH2-RSA key type.

key-string

Public SSH key that was created on a Guard or remote terminal. The key string is limited to 8192 bits.

You must copy the complete key excluding the key type identification (ssh-rsa or ssh-dsa).

comment

Device description. The comment format is usually in the format of user@hostname for the user and machine used to generate the key. For example, the default comment used for the SSH public keys that the Guard generates is root@GUARD.


The following example shows how to add an SSH RSA key:

user@DETECTOR-conf# key add ssh-rsa 14513797528175730. . .user@Detector module.com

Deleting SSH Keys

You can remove an SSH key from the list. If you remove the SSH key, you must authenticate the next time that you establish an SSH session with the Detector module.

To remove an SSH key from the Detector module, use the following command in configuration mode:

key remove [user-name] key-string

Table 4-12 provides the arguments for the key remove command.

Table 4-12 Arguments for the key remove Command 

Parameter
Description

user-name

(Optional) Name of the user from which the SSH keys are removed.

Only an administrator can delete an SSH key for other users. The default is to delete the SSH key for the current user.

key-string

Public SSH key to delete.

Paste the SSH public key onto the prompt. Paste only the key without the identification field (ssh-rsa or ssh-dsa).


The following example shows how to view a user key so that it can be cut and pasted into the key remove command:

user@DETECTOR-conf# show keys Lilac
ssh-rsa 2352345234523456... user@Detector module.com
user@DETECTOR-conf# key remove Lilac 2352345234523456...

Configuring the Keys for SFTP and SCP Connections

Secure File Transfer Protocol (SFTP), which is layered on top of SSH2, and Secure Copy Protocol (SCP), which relies on SSH, provide a secure and authenticated method for copying files. SFTP and SCP use public key authentication and strong data encryption, which prevents login, data, and session information from being intercepted or modified in transit.

To configure the keys for SFTP and SCP connections, perform the following steps:


Step 1 Display the Detector module public key on the Detector module by entering the show public-key command in configuration mode.

If the key exists, skip Step 2 and proceed to Step 3.

If no key exists, proceed to Step 2.

Step 2 Generate a private-public key pair on the Detector module by entering the key generate command in configuration mode.


Caution We recommend that you do not regenerate the private-public key pair if one already exists. Unnecessarily regenerating the key pair may cause future communication problems with remote Guards that are not currently online. If you regenerate the private-public key pair, you must publish the new public key by using the key publish command to all remote Guards that are configured in the Detector default remote Guard lists and the zone remote Guard lists.

If an SSH key pair already exists, the following message appears:

/root/.ssh/id_rsa already exists.
Overwrite (y/n)? 

Type y to regenerate the key.

The Detector module creates the public-private key pair. To display the Detector module public key, use the show public-key command in configuration mode.

Step 3 Copy the public key from the Detector module and paste it into the key file on the network server.

For example, if you are connecting to a network server that is installed on a Linux operating system with the username user account, add the Detector module public key to the /home/username/.ssh/authorized_keys2 file.

Make sure that the key is copied as a single line. If the key is copied as two lines, delete the new line character at the end of the first line.


Note If you do not copy the public key and paste it into the key file on the network server, you cannot configure automatic export functions (such as the export reports command) and you have to enter your password each time that you manually connect to the network server.



Changing the Hostname

You can change the hostname of the Detector module. The change takes effect immediately, and the new hostname is automatically integrated into the CLI prompt string.

To change the Detector module hostname, use the following command in configuration mode:

hostname name

The name argument specifies the new hostname.

The following example shows how to change the hostname of the Detector module:

user@DETECTOR-conf# hostname CiscoDetector
admin@CiscoDetector-conf# 

Enabling SNMP Traps

You can enable the Detector module to send SNMP traps and notify you of significant events that occur on the Detector module. In addition, you can configure the Detector module SNMP trap generator parameters and define the scope of the SNMP trap information that the Detector module reports.

A trap is logged in the Detector module event log and displayed in the event monitor when a trap condition occurs, regardless of whether the SNMP agent sends the trap.

To configure the Detector module to send SNMP traps, perform the following steps:


Step 1 Enable the SNMP trap generator service by entering the following command in configuration mode:

service snmp-trap

Step 2 Configure the SNMP trap generator parameters (the trap destination IP address and the trap information scope) by entering the following command:

snmp trap-dest ip-address [community-string [min-severity]]

Table 4-13 provides the arguments for the snmp trap-dest command.

Table 4-13 Arguments for the snmp trap-dest Command 

Parameter
Description
ip-address

Destination host IP address.

community-string

(Optional) Community string that is sent with the trap. This string must match the community string defined for the destination host. The default community string is public. Enter an alphanumeric string from 1 to 15 characters. The string cannot contain spaces.

min-severity

(Optional) Trap information scope. Define the scope by stating the minimum severity-level coverage. The trap then displays all specified severity-level events and above. For example, if you specify Warnings, the trap displays all severity-level events from Warnings to Emergencies. The following list states the severity-level options:

Emergencies—System is unusable (severity=0).

Alerts—Immediate action needed (severity=1).

Critical—Critical conditions (severity=2).

Errors—Error conditions (severity=3).

Warnings—Warning conditions (severity=4).

Notifications—Normal but significant conditions (severity=5).

Informational—Informational messages (severity=6).

Debugging—Debugging messages (severity=7).

By default, the report displays all severity-level events.



To delete SNMP trap generator parameters, use the no snmp trap-dest command. Enter an asterisk (*) to remove all SNMP trap destination parameters.

The following example shows that traps with a severity level equal to or higher than errors are sent to the destination IP address 192.168.100.52 with the SNMP community string of tempo:

user@DETECTOR-conf# snmp trap-dest 192.168.100.52 tempo errors 

Table 4-14 lists the SNMP traps that the Detector module generates.

Table 4-14 SNMP Traps 

SNMP Trap
Severity
Description

rhExcessiveUtilizationTrap

EMERGENCY

The Detector module cannot add new dynamic filters because more than 150,000 dynamic filters are active concurrently in all the Detector module zones.

rhExcessiveUtilizationTrap

EMERGENCY

The anomaly detection engine memory limit was reached (higher than 90 percent).

rhGeneralTrap

EMERGENCY

The installed software license is missing or malformed. This device is not operational.

rhGeneralTrap

EMERGENCY

The installed software license cannot be verified. This device is not operational.

rhGeneralTrap

EMERGENCY

The installed software license expires tomorrow (<dd-mmm-yyyy>).

rhGeneralTrap

EMERGENCY

The installed software license expired today. This device is no longer operational.

rhGeneralTrap

EMERGENCY

The installed software license is invalid: <failure message>.

rhGeneralTrap

ALERT

The disk space is 80 percent.

rhGeneralTrap

ALERT

The installed software license expires in 3 or 2 weeks on <dd-mmm-yyyy>.

rhGeneralTrap

ALERT

The installed software license expires in 1 week on <dd-mmm-yyyy>.

rhGeneralTrap

ALERT

The installed software license expires in 30, 6, 5, 4, 3, or 2 days on <dd-mmm-yyyy>.

rhExcessiveUtilizationTrap

CRITICAL

The Gigabit interface link utilization in bps1 is above 85 percent.

rhExcessiveUtilizationTrap

CRITICAL

The memory utilization is above 85 percent.

rhExcessiveUtilizationTrap

CRITICAL

The accelerator card CPU utilization is above 85 percent.

rhDynamicFilterTrap

ERROR

The number of pending dynamic filters is 1000, and new pending dynamic filters will be discarded.

rhProtectionTrap

ERROR

The Detector module failed to activate a remote Guard to protect the zone by using an SSL communication channel.

rhZoneGenericTrap

ERROR

The Detector module failed to synchronize the zone configuration.

rhGeneralTrap

ERROR

The Detector module failed to activate zone anomaly detection as follows:

From detect or from learn to detect and learn

From detect and learn to detect or to learn

The Detector module deactivated zone anomaly detection and the learning process.

rhDynamicFilterTrap

WARNING

The Detector module failed to add dynamic filters.

This error may occur in one of the following situations:

There are too many active dynamic filters.

The dynamic filter action is remote-activate and the Detector module failed to connect to a remote Guard that is listed in the remote Guard lists.

rhExcessiveUtilizationTrap

WARNING

The Detector module has more than 135,000 dynamic filters that are active concurrently in all the zones. When the number of active dynamic filters reaches 150,00, the Detector module cannot add new dynamic filters.

rhGeneralTrap

WARNING

The disk space is 75 percent.

rhPolicyConstructionTrap

WARNING

The policy construction phase of the learning process has failed.

rhDetectionTrap

WARNING

The Detector module failed to start zone anomaly detection.

rhReloadTrap

WARNING

The Detector module has restarted. The trap contains a MIB2 warm-start or cold-start trap and information about what caused the Detector module to restart.

rhReloadTrap

WARNING

The Detector module has shut down. The trap contains a MIB2 warm-start or cold-start trap and information about what caused the Detector module to shut down.

rhThresholdTuningTrap

WARNING

The threshold tuning phase of the learning process has failed.

rhAttackTrap

NOTIFICATIONS

An attack has started.

rhAttackTrap

NOTIFICATIONS

An attack has ended.

rhPolicyConstructionTrap

NOTIFICATIONS

The policy construction phase of the learning process has been started.

rhPolicyConstructionTrap

NOTIFICATIONS

The policy construction phase of the learning process has been accepted.

rhPolicyConstructionTrap

NOTIFICATIONS

The policy construction phase of the learning process has been stopped.

rhDetectionTrap

NOTIFICATIONS

The zone anomaly detection has started.

rhDetectionTrap

NOTIFICATIONS

The zone anomaly detection has ended.

rhProtectionTrap

NOTIFICATIONS

The Detector module has failed to activated a remote Guard to protect the zone by using an SSL communication channel.

rhThresholdTuningTrap

NOTIFICATIONS

The threshold tuning phase of the learning process has been started.

rhThresholdTuningTrap

NOTIFICATIONS

The threshold tuning phase of the learning process has been accepted.

rhThresholdTuningTrap

NOTIFICATIONS

The threshold tuning phase of the learning process has been stopped.

rhZoneGenericTrap

NOTIFICATIONS

The Detector module has started to synchronize the zone configuration.

rhZoneTrap

NOTIFICATIONS

A new zone has been created.

rhZoneTrap

NOTIFICATIONS

A zone has been deleted.

rhDynamicFilterControlTrap

INFO

The number of attack-detection events that the Detector module did not send for a specific policy.

rhDynamicFilterControlTrap

INFO

The Detector module has more than 1000 active dynamic filters and will not send traps for dynamic filters that it deletes.

rhDynamicFilterTrap

INFO

A dynamic filter has been added.

rhDynamicFilterTrap

INFO

A dynamic filter has been deleted.

rhDynamicFilterTrap

INFO

A pending dynamic filter has been added.

1 bps = bits per second


Configuring SNMP Community Strings

You can access the Detector module SNMP server and retrieve information as defined by the Management Information Base 2 (MIB2) and the Cisco Riverhead proprietary MIB. The community string acts like a password and permits read access from the Detector module SNMP agent. You can configure the Detector module SNMP community string and enable access to the SNMP agent from clients in different organizational units and with different community strings.

To add an SNMP community string, use the following command in configuration mode:

snmp community community-string

The community-string argument specifies the desired Detector module community string. Enter an alphanumeric string from 1 to 15 characters. The string cannot contain spaces. The Detector module default community string is riverhead. You can specify as many community names as you want. To delete a community string, use the no community string command. Enter an asterisk (*) to remove all SNMP community strings.

The following example shows how to configure the SNMP community string:

user@DETECTOR-conf# snmp community tempo

Configuring the Login Banner

The login banner is the text that appears on the screen before user authentication when you open an SSH session, a console port connection, or a WBM session to the Detector module.

You can configure a login banner to warn users against unauthorized access, describe what is considered the proper use of the system, and alert users that the system is being monitored to detect improper use and other illicit activity.

The Detector module displays the login banner in the following locations:

CLI—Before the password login prompt or as a popup window (depending on the SSH client that you are using).

WBM—On the right side of the Detector module login window.

This section contains the following topics:

Configuring the Login Banner from the CLI

Importing the Login Banner

Deleting the Login Banner

Configuring the Login Banner from the CLI

You can create a single or multiple message banner by using the login-banner command. If you enter more than one login banner, the new login banner is appended to the existing login banner as a new line.

To configure the login banner, use the following command in configuration mode:

login-banner banner-str

The banner-str argument specifies the banner text. The maximum string length is 999 characters. If you use spaces in the expression, enclose the expression in quotation marks (" ").

To display the login banner, use the show login-banner command.

The following example shows how to configure and display the login banner:

user@DETECTOR-conf# login-banner "Welcome to the Cisco Traffic Anomaly Detector"
user@DETECTOR-conf# login-banner "Unauthorized access is prohibited."
user@DETECTOR-conf# login-banner "Contact sysadmin@corp.com for access."
user@DETECTOR-conf# show login banner
Welcome to the Cisco Traffic Anomaly Detector
Unauthorized access is prohibited.
Contact sysadmin@corp.com for access.

Importing the Login Banner

You can import a text file from a network server to replace the existing login banner by entering one of the following commands in global mode or in configuration mode:

copy ftp login-banner server full-file-name [login [password]]

copy {sftp | scp} login-banner server full-file-name login

The maximum length of each line in the file that you import is 999 characters.

Because SFTP and SCP rely on SSH for secure communication, if you do not configure the key that the Detector module uses before you enter the copy command with the sftp or scp option, the Detector module prompts you for the password. See the "Configuring the Keys for SFTP and SCP Connections" section for more information about how to configure the key that the Detector module uses for secure communication.

Table 4-15 provides the arguments and keywords for the copy login-banner command.

Table 4-15 Arguments and Keywords for the copy login-banner Command 

Parameter
Description

ftp

Specifies FTP.

sftp

Specifies SFTP.

scp

Specifies SCP.

server

IP address of the network server. Enter the IP address in dotted-decimal notation (for example, enter 192.168.10.2).

full-file-name

Complete name of the file. If you do not specify a path, the server copies the file from your home directory.

login

Server login name.

The login argument is optional when you define an FTP server. When you do not enter a login name, the FTP server assumes an anonymous login and does not prompt you for a password.

password

(Optional) Password for the remote FTP server. If you do not enter the password, the Detector module prompts you for it.


The following example shows how to import the login banner from an FTP server:

user@DETECTOR-conf# copy ftp login-banner 10.0.0.191 /root/login-banner <user> <password> 

Deleting the Login Banner

If you no longer want to display a message before user authentication, delete the login banner.

To delete the login banner, use the no login-banner command in configuration mode.

The following example shows how to delete the login banner:

user@DETECTOR-conf# no login-banner

Configuring the Web-Based Manager Logo

To customize your end-user interface, you can add a company logo or any customized logo to the Web-Based Manager (WBM) web pages.

The new logo appears in the following places:

On the Detector module login page, under the Cisco Systems logo.

On all WBM pages, except for the Detector module login page, on the right side of the Cisco Systems logo.

The new logo must be in GIF format. We recommend that the size of the new logo is as follows: width = 87 pixels and height = 41 pixels.

This section contains the following topics:

Importing the WBM Logo

Deleting the WBM Logo

Importing the WBM Logo

To import a new logo from a network server for use in the WBM, use the following command in global mode or in configuration mode:

copy ftp wbm-logo server full-file-name [login [password]]

copy {sftp | scp} wbm-logo server full-file-name login

Because SFTP and SCP rely on SSH for secure communication, if you do not configure the key that the Detector module uses before you enter the copy command with the sftp or scp option, the Detector module prompts you for a password. See the "Configuring the Keys for SFTP and SCP Connections" section for more information about how to configure the key that the Detector module uses for secure communication.

Table 4-16 provides the arguments and keywords for the copy wbm-logo command.

Table 4-16 Arguments and Keywords for the copy wbm-logo Command 

Parameter
Description

ftp

Specifies FTP.

sftp

Specifies SFTP.

scp

Specifies SCP.

server

IP address of the network server. Enter the IP address in dotted-decimal notation (for example, enter 192.168.10.2).

full-file-name

Complete name of the file including the GIF file extension. If you do not specify a path, the server copies the file from your home directory.

login

(Optional) Server login name. The login argument is optional when you define an FTP server. When you do not enter a login name, the FTP server assumes an anonymous login and does not prompt you for a password.

password

(Optional) Password for the remote FTP server. If you do not enter the password, the Detector module prompts you for it.


The following example shows how to import the WBM logo file from an FTP server:

user@DETECTOR-conf# copy ftp wbm-logo 10.0.0.191 /root/WBMlogo.gif <user> <password> 

Deleting the WBM Logo

To delete the WBM logo, use the no wbm-logo command in configuration mode.

The following example shows how to delete the login banner:

user@DETECTOR-conf# no wbm-logo

Configuring the Session Timeout

The session timeout is the amount of time that a session remains active when there is no activity. If there is no activity for the configured time, a timeout occurs, and then you must log in again. The session timeout is disabled by default.

The session timeout applies to the CLI only and does not apply to the WBM.

You can configure the number of minutes until the Detector module disconnects an idle session automatically by entering the following command in configuration mode:

session-timeout timeout-val

The timeout-val argument specifies the number of minutes until the Detector module disconnects an idle session automatically. Valid values are from 1 to 1440 minutes (one day).

The following example shows how to configure the Detector module to disconnect an idle session after 10 minutes:

user@DETECTOR-conf# session-timeout 10

To prevent the Detector module from disconnecting idle sessions automatically, use the no session-timeout command.

To display the value of the session timeout, use the show session-timeout command.