Configuring Policy Templates
This chapter describes how to configure the zone policy templates that the Cisco Traffic Anomaly Detector Module (Detector module) uses to create zone policies.
This chapter refers to the Cisco Guard (Guard), the companion product of the Detector module. The Guard is a Distributed Denial of Service (DDoS) attack detection and mitigation device that cleans the zone traffic as the traffic flows through it, dropping the attack traffic and injecting the legitimate traffic back into the network. When the Detector module determines that the zone is under attack, it can activate the Guard attack mitigation services. The Detector module can also synchronize zone configurations with the Guard. For more information about the Guard, see the Cisco Anomaly Guard Module Configuration Guide or the Cisco Guard Configuration Guide.
This chapter contains the following sections:
• Understanding Policy Templates
• Modifying the Configuration of a Policy Template
Understanding Policy Templates
A policy template is a collection of policy construction rules that the Detector module uses to create the zone policies during the policy construction phase of the learning process. When you create a new zone, the Detector module includes a set of policy templates in the zone configuration. Based on the characteristics of the zone traffic, each policy template enables the Detector module to produce a group of policies during the policy construction phase. The Detector module uses the policies to monitor the zone traffic for anomalies that indicate an attack on the zone. The zone policies are configured to take action against a particular traffic flow if the flow exceeds the policy thresholds.
Changes that you make to a zone policy template configuration affect the policy construction phase. Using the WBM, you can enable, disable, or modify the zone policy templates to control the policies that the Detector module creates during the policy construction phase.
To match the services of a traffic flow, the Detector module uses several types of policy templates during the policy construction phase. The name of the policy template is derived from the characteristics that are common to all the policies that it creates and can be a protocol such as Domain Name System (DNS), an application such as HTTP, or an objective such as ip_scan. For example, the policy template tcp_connections produces policies that relate to a connection, such as the number of concurrent connections.
Table 6-1 describes the Detector module policy template types.
Table 6-1 Policy Templates

| Policy template | Produces a set of policies relating to . . . |
| --- | --- |
| dns_tcp | DNS-TCP protocol traffic. |
| dns_udp | DNS-UDP protocol traffic. |
| fragments | Fragmented traffic. |
| http | HTTP traffic that flows, by default, through port 80 (or other user-configured ports). |
| ip_scan | IP scanning. A situation in which a client from a specific source IP address tries to access many destination IP addresses in the zone. This policy template is designed primarily for zones in which the IP address definition is a subnet. By default, this policy template is disabled. The default action for this policy template is notify. Note: The policies that are produced from this policy template are resource consuming and can affect your network's performance. |
| other_protocols | Non-TCP and non-UDP protocols. |
| port_scan | Port scanning. A situation in which a client from a specific source IP address tries to access many ports in the zone. By default, this policy template is disabled. The default action for this policy template is notify. Note: The policies that are produced from this policy template are resource consuming and can affect your network's performance. |
| tcp_connections | TCP connection characteristics. |
| tcp_not_auth | TCP connections that the Detector module anti-spoofing feature has not authenticated. |
| tcp_outgoing | TCP connections initiated by the zone. |
| tcp_ratio | Ratios between different types of TCP packets, such as SYN packets versus FIN/RST packets. |
| tcp_services | TCP services on ports other than HTTP-related ports, such as ports 80 and 8080. |
| udp_services | UDP services. |
The Detector module includes additional policy templates for zones that were created from specific zone templates as described in Table 6-2.
Table 6-2 Specific Policy Templates

| Zone Template | Policy Template |
| --- | --- |
| DETECTOR_WORM | worm_tcp—Constructs a group of policies relating to TCP worms. Worm TCP policies manage worm attacks, in which one or more source IP addresses create many nonestablished connections on the same port to many destination IP addresses. This policy template is designed primarily for zones in which the IP address definition is a subnet. The Detector module adds services to policies that are created from this policy template during the threshold tuning phase of the learning process instead of during the policy construction phase. The policy template parameters max_services and min_threshold do not apply to this policy template. |
If you create a zone from a GUARD_ zone template, you can configure the parameters of additional policy templates that can be synchronized to a Guard. The Guard supports the following additional policy templates:
• tcp_services_ns—TCP services. By default, the policies created by the tcp_services_ns template relate to IRC ports (666X), Secure Shell (SSH), and Telnet. This policy template does not create policies with actions that apply the Strong protection level to the traffic flow.
• tcp_connections_ns, tcp_outgoing_ns, and http_ns—The Guard includes additional policy templates that can protect zones for which you do not want to use the TCP proxy anti-spoofing functions. You can use these policy templates if the zone is controlled based on the IP addresses, such as an Internet Relay Chat (IRC) server-type zone, or if you do not know the type of services that are running on the zone.
• If you define a zone with the GUARD_TCP_NO_PROXY zone template, the Guard replaces the policy templates http, tcp_connections, and tcp_outgoing with the policy templates http_ns, tcp_connections_ns, and tcp_outgoing_ns. The http_ns, tcp_connections_ns, and tcp_outgoing_ns policy templates do not create policies with actions that require the Guard to use the Strong protection level.
Modifying the Configuration of a Policy Template
During the learning process, the Detector module analyzes a copy of the zone traffic. Each active policy template produces a group of policies based on the policy definitions and the zone traffic characteristics. The Detector module ranks the services (protocol and port numbers) that the policy template monitors by their traffic volume. The Detector module then selects the services that have the highest traffic volume and that have exceeded the defined minimum threshold, and it creates a policy for each selected service. Some policy templates also create an additional policy with a service of any to handle all traffic flows for which no specific policy was added.
You can modify policy template parameters as follows to manage the policy construction phase:
• Enable or disable the policy template. Only enabled policy templates can produce policies during the policy construction phase.
• Control when the policy template creates policies during the learning process based on the volume of traffic for a service.
• Define the maximum number of policies that the Detector module can produce using the policy template during the policy construction phase.
To modify the configuration of a policy template, perform the following steps:
Step 1 From the navigation pane, choose a zone. The zone main menu appears.
Step 2 From the zone main menu, choose Configuration > Policy templates > View. The Policy Templates screen appears.
Step 3 Choose a policy template. The Config Policy Template screen appears.
Step 4 Modify the desired parameters of the policy template. Table 6-3 describes the policy template parameters that are listed in the Policy Template form. Depending on the type of policy template selected, some or all of the parameters listed in the table are displayed for editing.
Table 6-3 Policy Template Parameters

State—Operating state of the policy template. Choose one of the following options:
• enable—The Detector module applies the policy template to the traffic flow during the policy construction phase of the learning process. When the Detector module detects a service, it creates a new policy based on the rules of the policy template designed for that service.
• disable—The Detector module does not apply the policy template to the traffic flow during the policy construction phase of the learning process. If the Detector module detects a service associated with the disabled policy template, it does not create a new policy.
Caution: Disabling a policy template may seriously compromise the ability of the Detector module to detect zone traffic anomalies. When you disable a policy template, the Detector module does not produce policies to manage the type of malicious traffic that the policy template is designed to manage.

Min Threshold—Minimum traffic volume for a service. When the service traffic rate exceeds the threshold, the Detector module constructs policies that relate to the service traffic according to the particular traffic flow that exceeded the threshold. By setting the threshold, you can better adapt the anomaly detection operation to the known traffic volume of the zone services.
You cannot configure the minimum threshold parameter for policy templates that are essential for proper traffic anomaly detection. These policy templates, such as tcp_services, udp_services, other_protocols, http, and fragments, always create a policy when required by the zone traffic.
Enter the minimum threshold rate in packets per second (pps). For the concurrent connection and SYN/FIN ratio measurements, the threshold value is the total number of connections.

Max Services—Maximum number of services (protocol numbers or port numbers) for which the policy template selects and creates policies. The Detector module ranks the services that the policy template relates to by the level of traffic volume for each service. The Detector module then selects the services that have the highest traffic volume and that have exceeded the defined minimum threshold (as defined by the min-threshold parameter), and it creates a policy for each selected service. The Detector module may add an additional policy with a service of any to handle all other traffic flows with the characteristics of the policy template.
Note: The higher the maximum number of services, the more memory the zone uses.
You can only define the maximum number of services parameter for policy templates that detect services: tcp_services, tcp_services_ns, udp_services, and other_protocols. You cannot define the maximum number of services for policy templates that monitor a specific service, such as dns_tcp, which monitors service 53, or for policy templates that relate to a specific traffic characteristic, such as fragments.
The Detector module measures the traffic rate of the service based on the policy traffic characteristics. The traffic characteristic can be the source IP addresses or the destination IP addresses. A policy that monitors the service any measures the rate of source IP addresses on all services that are not handled by a specific policy, so it is less precise.
By limiting the number of services, you can tailor the Detector module policies to your preferred traffic flow requirements.
Step 5 Choose one of the following options:
• OK—Saves the new policy template configuration. The Policy Template screen appears.
• Clear—Reverts the form information back to the default values and clears any information that you added.
• Cancel—Exits the Config Policy Template screen without saving any information. The Policy Template screen appears.
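The service selection that the Min Threshold and Max Services parameters control during policy construction (rank services by traffic volume, drop those that did not exceed the threshold, cap the count, then add the any catch-all policy), as an added Python simulation that is not part of this guide or of the Detector module software; the class and function names, the per-port rates, and the check that Max Services applies only to service-detecting templates are constructed for illustration from the descriptions above.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Templates for which Max Services is configurable (from Table 6-3).
SERVICE_DETECTING_TEMPLATES = {"tcp_services", "tcp_services_ns",
                               "udp_services", "other_protocols"}


@dataclass
class PolicyTemplate:
    name: str
    state: str = "enable"                  # "enable" or "disable"
    min_threshold: Optional[int] = None    # pps; None = not configurable
    max_services: Optional[int] = None     # None = fixed service or characteristic
    adds_any_policy: bool = True           # catch-all policy with service "any"

    def __post_init__(self) -> None:
        # Max Services is only meaningful for templates that detect services.
        if self.max_services is not None and self.name not in SERVICE_DETECTING_TEMPLATES:
            raise ValueError(f"max_services is not configurable for {self.name}")


def construct_policies(template: PolicyTemplate,
                       service_rates: Dict[int, int]) -> List[object]:
    """Return the services (highest volume first) that receive a policy,
    followed by "any" when the template adds a catch-all policy.
    service_rates maps a port/protocol number to its learned rate in pps."""
    if template.state != "enable":
        return []                          # disabled templates produce no policies
    # Rank services by traffic volume, highest first.
    ranked = sorted(service_rates.items(), key=lambda kv: kv[1], reverse=True)
    # Keep only services whose rate exceeded Min Threshold.
    if template.min_threshold is not None:
        ranked = [(svc, rate) for svc, rate in ranked if rate > template.min_threshold]
    # Keep at most Max Services of them.
    if template.max_services is not None:
        ranked = ranked[:template.max_services]
    policies: List[object] = [svc for svc, _ in ranked]
    if template.adds_any_policy:
        policies.append("any")             # handles flows with no specific policy
    return policies


# Constructed sample: per-port pps observed on a zone during learning (not real data).
SAMPLE_RATES = {22: 500, 25: 80, 443: 1200, 3389: 150, 8443: 300}
TCP_SERVICES = PolicyTemplate("tcp_services", min_threshold=100, max_services=3)

if __name__ == "__main__":
    print(construct_policies(TCP_SERVICES, SAMPLE_RATES))  # [443, 22, 8443, 'any']
```

Port 25 is dropped because 80 pps does not exceed the threshold, and port 3389 is dropped because only the three highest-volume services fit under Max Services; raising Max Services would admit it at the cost of more zone memory.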
To add or remove services from all policies that were created from a specific policy template, see the "Adding a Service" or the "Deleting a Service" sections in Chapter 8, "Managing Zone Policies."