Cisco Anomaly Guard Module Configuration Guide (Software Version 4.0)
Configuring Policy Templates and Policies

Table Of Contents

Configuring Policy Templates and Policies

Understanding Policies

Policy Structure

Creating Policies

Understanding Policy Templates

Configuring Policy Template Parameters

Maximum Number of Services

Minimum Threshold

Policy Template State

Configuring All Policy Template Parameters Simultaneously

The Policy Sections

Services

Adding a Service

Deleting a Service

Protection Module

Packet Type

Traffic Characteristics

Configuring Policy Parameters

Configuring All Policy Parameters Simultaneously

Changing the Policy State

Configuring the Policy Threshold

Multiplying a Threshold by a Factor

Configuring Specific IP Thresholds

Configuring the Proxy-Threshold

Configuring the Timeout

Configuring the Action

Configuring the Interactive Status

Creating Snapshots and Comparing Policies

Copying Policies

Monitoring Policies

Viewing Policies

Viewing Policy Statistics


Configuring Policy Templates and Policies


This chapter explains the Guard module policies, the policy structure and the policy templates, and describes how to configure the policy and policy template parameters.

This chapter contains the following sections:

Understanding Policies

Understanding Policy Templates

The Policy Sections

Configuring Policy Parameters

Creating Snapshots and Comparing Policies

Monitoring Policies

Understanding Policies

The policies are the building blocks of the Guard module statistical engine. They are the mechanism that measures a particular traffic flow and takes action against the flow as a result of a threshold violation. Each zone has a set of policies that are tuned to the zone traffic patterns. These policies are the baseline against which the Guard module compares zone traffic in order to trace any anomalies that might, in turn, prove to be malicious.

To create policies that are tuned to the zone's particular traffic characteristics, the Guard module learns the zone traffic in a two-phase learning process. It uses predefined policy templates to construct the policies. Each policy template is used to create policies that deal with the protection aspects that the Guard module requires to protect against a specific DDoS threat.

After the policies are created, you can add and delete policies or change policy parameters.

Policy Structure

The Guard module performs statistical analysis on the zone traffic flow. Each policy measures a specific traffic flow. The policy defines the characteristics the Guard module uses for the analysis. The policy name is composed of sections. Each section describes a different role that relates to a different traffic characteristic. For example, the policy http/80/analysis/syns/src_ip measures the flow of HTTP SYN packets, destined to port 80, that were authenticated by the Guard module Analysis protection module and aggregated according to source IP address.

Figure 8-1 provides an example of a policy name.

Figure 8-1 Policy Name

Table 8-1 details the policy name sections.

Table 8-1 Policy Name Sections 

Section
Description

Policy template

Denotes which policy template was used to produce the policy. Each policy template deals with the protection aspects the Guard module requires to protect against a specific DDoS threat. See the "Understanding Policy Templates" section for further details.

Service

Denotes which port number or protocol number the protection policy relates to. See the "Services" section for further details.

Protection module

Denotes the protection module the Guard module uses to process the traffic flow. See the "Protection Module" section for further details.

Packet type

Denotes the packet types the Guard module monitors. See the "Packet Type" section for further details.

Traffic characteristics

Denotes the traffic characteristics that the Guard module uses to aggregate the policy. See the "Traffic Characteristics" section for further details.


The first four sections of the policy name (policy-template, service, protection-module and packet-type) define what type of traffic is analyzed. The last section of the policy path (traffic-characteristics) defines how to analyze the flow.

Policies have cross dependencies and priorities. If there are two policies that define the same traffic flow, the Guard module will analyze the flow using the policy that is more specific. For example, policies relating to TCP services exclude the HTTP services that are handled by the HTTP-related policies.

You can configure the policy operational aspects. These define what triggers the policy and the action the policy assumes once it is activated. See the "Configuring Policy Parameters" section for further details.

Creating Policies

The Guard module creates the zone policies in a learning process. The learning process consists of two phases, during which the Guard learns the zone traffic and adapts itself to the particular characteristics:

1. The Policy Construction Phase—In this phase, the zone policies are created using the policy templates. The traffic flows transparently through the Guard, enabling it to discover the main services the zone uses.

2. The Threshold Tuning Phase—In this phase, the policies are tuned to fit the zone service traffic rates. The traffic flows transparently through the Guard, enabling it to tune the thresholds for the services that were discovered during the policy construction phase.

See the "Learning the Zone Traffic Characteristics" section for further details.

Understanding Policy Templates

A policy template is a collection of rules that guide policy construction. The output of each template, at the end of the policy construction phase, is a group of policies. The name of the policy template is derived from the characteristics that are common to all the policies it creates. This can be a protocol (such as DNS), an application (such as HTTP) or the objective (such as ip_scan). For example, the policy template tcp_connections produces policies that relate to connections, such as the number of concurrent connections. If you define a zone with the DEFAULT zone template, the Guard module uses these policy templates.

Table 8-2 describes the Guard module policy templates.

Table 8-2 Policy Templates 

Policy Template
Brief Description

dns_tcp

This policy template produces a group of policies relating to DNS-TCP protocol traffic.

dns_udp

This policy template produces a group of policies relating to DNS-UDP protocol traffic.

fragments

This policy template produces a group of policies relating to fragmented traffic.

http

This policy template produces a group of policies relating to HTTP traffic flowing, by default, through port 80 (or other user-configured ports).

ip_scan

This policy template produces a group of policies relating to IP scanning, a situation in which a source IP address tries to access many destination IP addresses in the zone. This policy template is relevant when the zone is defined as a subnet.

By default, this policy template is disabled. The default action for this policy template is notify.

The policies that are constructed from this policy template are resource consuming and can affect performance. Therefore you should change the action of this policy template with care.

other_protocols

This policy template produces a group of policies relating to protocols other than TCP or UDP.

port_scan

This policy template produces a group of policies relating to port scanning, a situation in which a source IP address tries to access many ports in the zone.

By default, this policy template is disabled. The default action for this policy template is notify.

The policies that are constructed from this policy template are resource consuming and can affect performance. Therefore you should change the action of this policy template with care.

tcp_connections

This policy template produces a group of policies relating to TCP connection characteristics.

tcp_not_auth

This policy template produces a group of policies relating to TCP connections that have not been authenticated by the Guard anti-spoofing mechanisms.

tcp_outgoing

This policy template produces a group of policies relating to TCP connections initiated by the zone.

tcp_ratio

This policy template produces a group of policies relating to ratios between different types of TCP packets. For example, SYN packets versus FIN/RST packets.

tcp_services

This policy template produces a group of policies relating to TCP services on ports other than the HTTP-related ports, such as 80 and 8080.

tcp_services_ns

This policy template produces a group of policies relating to TCP services. By default, the policy relates to IRC ports (666X), ssh and telnet. This policy template does not create policies with actions that direct traffic flows to the Strong protection module.

udp_services

This policy template produces a group of policies relating to UDP services.



Note The Cisco Guard first checks for indications of TCP traffic on the dedicated ports 6660 to 6670 and 21 to 23.

If traffic is traced on these ports, the tcp_services_ns policy template produces its group of policies and the tcp_services policy template relates to TCP services on other ports.

If no traffic is traced on these ports, the tcp_services_ns policy template is not operated.

You can add services to policies that were created from the tcp_services_ns policy template.


The Guard includes additional policy templates that are designed for protecting zones for which you do not want to use the TCP proxy anti-spoofing mechanism. You can use these policy templates if the zone is moderated according to IP addresses such as an Internet Relay Chat (IRC) server-type zone or if you do not know what type of services are running on the zone.

If you define a zone with the TCP_NO_PROXY zone template, the Guard module uses the policy templates described in Table 8-3. The Guard module replaces the policy templates http, tcp_connections and tcp_outgoing with the policy templates http_ns, tcp_connections_ns and tcp_outgoing_ns, respectively.

Table 8-3 Guard Module Policies for TCP_NO_PROXY 

Policy Template
Brief Description

tcp_connections_ns

This policy template produces a group of policies relating to TCP connection characteristics. However, this policy template does not create policies with actions that direct traffic flows to the Strong protection module.

tcp_outgoing_ns

This policy template produces a group of policies relating to TCP connections initiated by the zone. However, this policy template does not create policies with actions that direct traffic flows to the Strong protection module.

http_ns

This policy template produces a group of policies relating to HTTP traffic flowing, by default, through port 80 (or other user-configured ports). However, this policy template does not create policies with actions that direct traffic flows to the Strong protection module.


Table 8-3 details the Guard policies for TCP_NO_PROXY.

To view a list of all policy templates, enter the policy-template command in zone configuration mode and press TAB twice.

Configuring Policy Template Parameters

During the learning process, the zone traffic flows transparently through the Guard. Each active policy template produces a group of policies, according to the zone traffic characteristics. The Guard enables you to define the maximum number of policies the Guard produces from a specific policy template. The Guard ranks the services that the policy template relates to by their level of traffic volume. The Guard then picks up the services with the highest traffic volume that have exceeded the defined minimum threshold, and creates a policy for each one of them. Some of the policy templates create an additional policy to handle all traffic flows for which a specific policy was not added. These policies are added with a service of any.

You can configure the following policy template parameters:

Maximum Number of Services—Defines the maximum number of services that the Guard will produce policies for, from a specific policy template

Minimum Threshold—Defines the minimum threshold that must be exceeded for the Guard module to rank the service

Policy Template State—Defines whether or not the Guard module produces policies from the policy template

To configure the policy template parameters, enter the policy template configuration mode. Enter the following command:

policy-template policy-template-name

The policy-template-name argument specifies the name of the policy template. See Table 8-2 for further details.

After executing the command, the Guard module enters the policy template configuration mode.

For example:

admin@GUARD-conf-zone-scannet# policy-template http
admin@GUARD-conf-zone-scannet-policy_template-http#

To display the parameters of a specific policy template, use the show command in policy template configuration mode.

Maximum Number of Services

The maximum number of services parameter defines the maximum number of services (protocol numbers or port numbers) that the policy template picks up and creates policies for. The Guard ranks the services that the policy template relates to by their level of traffic volume. The Guard picks up the services with the highest traffic volume, that have exceeded the defined minimum threshold (as defined by the min-threshold parameter), and creates policies for each one of them. An additional policy to handle all other traffic flows with the characteristics of the policy template may be added with a service of any.


Note The higher the maximum number of services, the more memory the zone uses.


You can only define this parameter for policy templates that detect services, such as tcp_services. You cannot configure it for policy templates that relate to a specific service, such as dns_tcp that relates to service 53, or for policy templates that relate to a specific traffic characteristic, such as fragments.

Limiting the number of services allows you to configure the Guard policies to your preferred traffic flow requirements.

To configure the maximum number of services, enter the following command:

max-services max-services

The max-services argument is an integer greater than 1 that defines the maximum number of services the Guard picks up.


Note We recommend that you do not exceed the maximum of ten services.


For example:

admin@GUARD-conf-zone-scannet-policy_template-tcp_services# max-services 5

Minimum Threshold

The minimum threshold parameter defines the minimum traffic volume threshold for a service. Once the threshold is exceeded, the Guard produces policies that relate to the service traffic according to the particular traffic flow that violated the threshold.

You cannot configure this parameter for policy templates that are essential for proper zone protection and therefore always produce a policy, such as fragments.

Setting the threshold enables you to better adapt the Guard protection to the traffic volume of the zone services.

To configure the minimum threshold, enter the following command:

min-threshold min-threshold

The min-threshold argument is an integer that defines the minimum threshold rate in pps. When measuring the concurrent connection and syn/fin ratio, the threshold is the total number of connections.

For example:

admin@GUARD-conf-zone-scannet-policy_template-http# min-threshold 12

Policy Template State

This parameter defines the policy template state. The policy template can be enabled or disabled. Disabling a policy template prevents it from producing policies when the Guard undergoes the policy construction phase.


Caution If you disable a policy template, the Guard cannot protect the zone from the kind of traffic that the policy template relates to. This may seriously compromise protection. For example, disabling the dns_udp policy template removes the Guard's ability to protect against a DNS (UDP) attack.

Use the disable command to disable a policy template.

Use the enable command to enable a policy template.

Configuring All Policy Template Parameters Simultaneously

You can configure all policy template operational parameters with a single command. Enter the following command:

policy-template policy-template-name max-services min-threshold {disabled | enabled}

Table 8-4 provides the arguments and keywords for the policy-template command.

Table 8-4 Arguments and Keywords for the policy-template Command 

Parameter
Description

policy-template-name

The policy template name. See Table 8-1 for further details.

max-services

The maximum number of services the Guard picks up and produces policies for, from the specific policy template. See the "Maximum Number of Services" section for further details.

min-threshold

The minimum threshold that must be exceeded for the Guard module to rank the service. See the "Minimum Threshold" section for further details.

disabled

Disable the policy template from producing policies. See the "Policy Template State" section for further details.

enabled

Enable the policy template. See the "Policy Template State" section for further details.



Note To prevent the Guard module from changing the current values of the max-services or min-threshold arguments, enter a value of -1.


This example shows how to set the parameters of the policy template tcp_services. The maximum number of services is set to 3. The minimum threshold is unchanged (-1) and the policy state is set to enabled.

admin@GUARD-conf-zone-scannet# policy-template tcp_services 3 -1 enabled
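The service ranking that the policy construction phase performs, together with the one-line policy-template command and its -1 convention, as an added example that models the behaviour described in this section (it is not Cisco code; the sample traffic rates and the policy-name suffix are constructed):

```python
"""Policy construction for a service-detecting policy template.

Added example, not Cisco code. It models the behaviour the guide describes
for templates such as tcp_services and udp_services: the Guard ranks the
services the template relates to by traffic volume, keeps only those that
exceeded min-threshold, creates a policy for at most max-services of them,
and adds a catch-all 'any' service for the rest. The one-line
'policy-template <name> <max-services> <min-threshold> {disabled|enabled}'
command is modelled too, including -1 meaning "leave the current value".
"""
from dataclasses import dataclass, replace
from typing import Dict, List


@dataclass(frozen=True)
class TemplateParams:
    name: str
    max_services: int
    min_threshold: int      # pps; total connections for connection/ratio templates
    enabled: bool = True


def apply_template_command(current: TemplateParams, max_services: int,
                           min_threshold: int, state: str) -> TemplateParams:
    """Apply the one-line policy-template command to the current parameters."""
    if state not in ("enabled", "disabled"):
        raise ValueError(f"state must be 'enabled' or 'disabled', got {state!r}")
    return replace(
        current,
        max_services=current.max_services if max_services == -1 else max_services,
        min_threshold=current.min_threshold if min_threshold == -1 else min_threshold,
        enabled=(state == "enabled"),
    )


def construct_policies(params: TemplateParams, traffic: Dict[int, int],
                       add_any: bool = True) -> List[str]:
    """Return the services (port or protocol numbers) the template creates
    policies for, highest volume first, followed by 'any' when add_any is set.

    traffic maps service number -> rate observed during policy construction.
    A disabled template produces nothing.
    """
    if not params.enabled:
        return []
    ranked = sorted(traffic.items(), key=lambda kv: (-kv[1], kv[0]))
    chosen = [str(svc) for svc, rate in ranked if rate > params.min_threshold]
    chosen = chosen[:params.max_services]
    if add_any:
        chosen.append("any")
    return chosen


def policy_names(template: str, services: List[str], suffix: str) -> List[str]:
    """Build full policy paths, e.g. tcp_services/25/analysis/syns/src_ip.

    suffix is the protection-module/packet-type/traffic-characteristic tail;
    which tails a real template generates is not modelled here.
    """
    return [f"{template}/{svc}/{suffix}" for svc in services]


# Constructed sample: per-port rates (pps) seen during the construction phase.
TRAFFIC = {25: 1200, 110: 40, 143: 900, 443: 3000, 22: 5, 3306: 300}

if __name__ == "__main__":
    params = apply_template_command(TemplateParams("tcp_services", 10, 100), 3, -1, "enabled")
    services = construct_policies(params, TRAFFIC)
    print(params, services)
    print(policy_names(params.name, services, "analysis/syns/src_ip"))
```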

The Policy Sections

The policy path consists of the following sections:

Policy template (see the "Understanding Policy Templates" section)

Services

Protection Module

Packet Type

Traffic Characteristics

Services

The services section denotes which zone application port or protocol the policy relates to. Policies have cross dependencies and priorities. If there are two policies that define the same traffic flow, the Guard module will analyze the flow using the policy that is more specific. The service any relates to all traffic that does not specifically match other services created from the same policy template.


Caution Do not add the same service (port number) to more than one policy.

Adding a Service

You can add services to all policies that were created from a specific policy template and thus create more specific policies. The new service is added in addition to the services that were discovered during the policy construction phase. The new service is defined with default values. You can define the threshold manually; however, we recommend that you run the threshold tuning phase (see the "Tuning Thresholds" section for further details) to tune the policies to the zone traffic.

You can add a new service to the following policy templates:

http

other_protocols

tcp_services

tcp_services_ns

udp_services


Note For http, tcp_services, tcp_services_ns and udp_services, the added service designates a port number. For other_protocols, the added service designates a protocol number.


To add a service, enter the following command in policy template configuration mode:

add-service service-num

OR

Enter the following command in zone configuration mode:

policy-template policy-template-name add-service service-num

Table 8-5 provides the arguments for the policy-template command.

Table 8-5 Arguments for the policy-template Command 

Parameter
Description

policy-template-name

The policy template name. See Table 8-2 for further details.

service-num

The protocol or port number.


For example:

admin@GUARD-conf-zone-scannet-policy_template-tcp_services# add-service 25

Deleting a Service

You can delete a specific service relating to a policy template. The Guard module deletes the service from all policies that were created from the specific policy template.

To delete a service, enter the following command in policy template configuration mode:

remove-service service-num

OR

Enter the following command in zone configuration mode:

policy-template policy-template-name remove-service service-num

See Table 8-5 for information on the policy-template command arguments.


Caution If you delete a service, the Guard module policies cannot relate to the traffic of that service. This may compromise the zone protection.

For example:

admin@GUARD-conf-zone-scannet-policy_template-tcp_services# remove-service 25

Protection Module

The protection module section denotes the protection module that the Guard module uses to process the traffic flow. This section is informational; you cannot configure the protection module. The Guard module has three protection modules:

Analysis—This protection module lets the traffic flow without intervention

Basic—This protection module applies the Guard module basic anti-spoofing mechanisms

Strong—This protection module applies the Guard module strong anti-spoofing mechanisms

After activating a mechanism, the Guard module continues to analyze the traffic. If it can still spot traffic abnormalities in the clean traffic destined to the zone, it activates a stronger protection mechanism.

Packet Type

The packet type section describes the packet characteristic that the Guard module monitors. The packet characteristics can be one of the following:

The packet type—For example, TCP-SYN packets

The Guard module analysis of the packet—For example, authenticated packets, that is, packets whose connection the Guard module has verified by performing a TCP handshake

The packet direction—For example, incoming connections

Table 8-6 describes the packet types the Guard module monitors.

Table 8-6 Packet Types 

Packet Type
Brief Description

auth_pkts

Packets that underwent either TCP handshake or UDP authentication.

auth_tcp_pkts

Packets that underwent TCP handshake.

auth_udp_pkts

Packets that underwent UDP authentication.

in_nodata_conns

Zone incoming connections that have no data transfer on the connection (packets without a data payload).

in_conns

Zone incoming connections.

in_pkts

Zone incoming DNS query packets.

in_unauth_pkts

Zone incoming unauthenticated DNS queries.

num_sources

Packets with TCP source IP addresses, destined to the zone, that have been authenticated by the Guard anti-spoofing mechanisms.

out_pkts

Zone incoming DNS reply packets.

reqs

Request packets with data payload.

syns

Synchronization packets—TCP SYN flagged packets.

syn_by_fin

SYN and FIN flagged packets. The Guard module verifies the ratio between the number of SYN flagged packets and the number of FIN flagged packets.

unauth_pkts

Packets that did not undergo TCP handshake.

pkts

All packet types that do not fall under any other category in the same protection level.


Traffic Characteristics

The traffic characteristics section describes the traffic characteristic that was used to aggregate the policies. The first four sections of the policy name (policy-template, service, protection-module and packet-type) define what type of traffic is analyzed. Traffic characteristics define how to analyze the traffic flow. There can, therefore, be different policies that analyze the same traffic flow but measure the rate according to different characteristics. For example, dns_tcp/53/analysis/pkts/dst_ip and dns_tcp/53/analysis/pkts/src_ip.

Table 8-7 describes the traffic characteristics the Guard module monitors.

Table 8-7 Traffic Characteristics 

Traffic Characteristic
Brief Description

dst_ip

Traffic destined to a zone IP address.

dst_ip_ratio

The ratio of SYN and FIN flagged packets destined to a specific IP address.

dst_port_ratio

The ratio of SYN and FIN flagged packets destined to a specific port.

global

A summation of all traffic flow as defined by the other policy sections.

src_ip

Traffic destined to the zone aggregated according to source IP address.

src_net

Traffic destined to the zone aggregated according to source subnet mask.

dst_port

Traffic destined to a specific zone port.

protocol

Traffic destined to the zone aggregated according to protocol.

src_ip_many_dst_ips

Traffic from a single IP destined to many zone IP addresses. This is the key used for IP scanning.

src_ip_many_ports

Traffic from one IP destined to many zone ports. This is the key used for port scanning.


Configuring Policy Parameters

After completing the learning process, you can view specific policy parameters. Displaying these parameters helps you decide whether the policy parameters suit the zone traffic. You can configure a single policy or a group of policies. If necessary, you can configure the policy parameters to adapt the policy to the zone traffic requirements.

To display the configuration of the policy parameters, use the show command in policy configuration mode.

You can configure a specific policy or group of policies.

To enter the policy configuration mode, enter the following command in zone configuration mode:

policy policy-path

The policy-path argument specifies the policy path sections. The path can be a partial path that includes only part of the policy sections. See the "Policy Structure" section for further details.


Note Entering policy.. at a policy path prompt moves you up one level in the policy path hierarchy.


For example:

admin@GUARD-conf-zone-scannet# policy dns_tcp/*/analysis/syns/global 
admin@GUARD-conf-zone-scannet-policy-/dns_tcp/*/analysis/syns/global#

You can configure the following parameters:

The policy state—See the "Changing the Policy State" section.

The policy threshold—See the "Configuring the Policy Threshold" section.

The policy timeout—See the "Configuring the Timeout" section.

The policy action—See the "Configuring the Action" section.

The policy interactive status—See the "Configuring the Interactive Status" section.

The policy action, timeout and threshold arguments may be changed at every section of the policy path. However, more policies are affected when these parameters are changed at the higher-level policy sections (such as policy template or service sections). Configuring these parameters at a high-level policy path hierarchy will change these parameters in all the sub-policy paths.


Tip The Guard module enables the use of an asterisk (*) as a wildcard character in each policy path section when issuing the show policies details command and the show policies statistics command. If you do not specify a policy path section, the Guard module relates to the unspecified section as a wildcard (*).
For example, the policy: tcp_services//analysis//global.
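The five-section policy path described in the "Policy Structure" section, the wildcard handling of unspecified sections from the tip above, and the rule that the more specific of two policies handles a flow, as an added example in Python (not Cisco code; the policy list is a constructed sample):

```python
"""Guard-style policy paths: parsing, wildcard selection and specificity.

Added example, not Cisco code. A policy path has five sections,
policy-template/service/protection-module/packet-type/traffic-characteristic
(for example http/80/analysis/syns/src_ip). A section left empty or set to
'*' is a wildcard when selecting policies, and when several policies could
handle one flow the most specific one wins; the service 'any' is the
catch-all that covers services without a policy of their own.
"""
from typing import List, Optional, Tuple

SECTIONS = ("policy-template", "service", "protection-module",
            "packet-type", "traffic-characteristics")

# Constructed sample of policies as the construction phase might leave them.
POLICIES = [
    "http/80/analysis/syns/src_ip",
    "tcp_services/25/analysis/syns/src_ip",
    "tcp_services/any/analysis/syns/src_ip",
    "tcp_services/any/analysis/syns/global",
    "dns_tcp/53/analysis/pkts/dst_ip",
    "dns_tcp/53/analysis/pkts/src_ip",
]


def parse_policy_path(path: str) -> Tuple[str, ...]:
    """Split a (possibly partial) path into exactly five sections.

    Empty and missing sections become the wildcard '*', so
    'tcp_services//analysis//global' parses as
    ('tcp_services', '*', 'analysis', '*', 'global') and 'dns_tcp/53' as
    ('dns_tcp', '53', '*', '*', '*').
    """
    parts = path.strip("/").split("/")
    if len(parts) > len(SECTIONS):
        raise ValueError(f"policy path {path!r} has more than {len(SECTIONS)} sections")
    parts += [""] * (len(SECTIONS) - len(parts))
    return tuple(p or "*" for p in parts)


def matches(pattern: str, policy: str) -> bool:
    """True when every non-wildcard section of the pattern equals the policy's section."""
    return all(p == "*" or p == q
               for p, q in zip(parse_policy_path(pattern), parse_policy_path(policy)))


def select_policies(pattern: str, policies: List[str]) -> List[str]:
    """The configured policies a wildcard pattern refers to (as show policies details would)."""
    return sorted(p for p in policies if matches(pattern, p))


def covers(policy: str, flow: str) -> bool:
    """True when a configured policy applies to a fully specified flow.

    Besides '*', the catch-all service 'any' accepts any service number.
    """
    return all(p in ("*", "any") or p == q
               for p, q in zip(parse_policy_path(policy), parse_policy_path(flow)))


def specificity(policy: str) -> int:
    """Count of sections that are neither a wildcard nor the catch-all 'any'."""
    return sum(1 for s in parse_policy_path(policy) if s not in ("*", "any"))


def most_specific_match(flow: str, policies: List[str]) -> Optional[str]:
    """Pick the single policy that handles a flow: the most specific one that covers it."""
    candidates = [p for p in policies if covers(p, flow)]
    if not candidates:
        return None
    return max(candidates, key=specificity)


if __name__ == "__main__":
    print(parse_policy_path("tcp_services//analysis//global"))
    print(select_policies("*/*/*/*/src_ip", POLICIES))
    print(most_specific_match("tcp_services/110/analysis/syns/src_ip", POLICIES))
```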


Configuring All Policy Parameters Simultaneously

You can configure all policy parameters with a single command. Enter the following command in zone configuration mode:

policy policy-path threshold action timeout state [proxy-threshold]

Table 8-8 provides the arguments for the policy command.

Table 8-8 Arguments for the policy Command 

Parameter
Description

policy-path

The policy path section. See "Policy Structure" for further details.

threshold

The threshold that must be exceeded for the Guard module to take action. See the "Configuring the Policy Threshold" section for further details.

action

The action a policy assumes as a result of threshold violation. See the "Configuring the Action" section for further details.

timeout

The minimum time span the policy action is valid. See the "Configuring the Timeout" section for further details.

state

The policy state. See the "Changing the Policy State" section for further details.

proxy-threshold

The proxy threshold. See the "Configuring the Proxy-Threshold" section for further details.


Note Enter -1 for the threshold, timeout and proxy-threshold parameters to prevent the Guard module from changing their current values.


This example sets the parameters of the policy dns_tcp/53/analysis/pkts/dst_ip. The threshold is set to 300, the policy timeout is set to 360 seconds, the policy action is set to filter/drop, and the policy state is set to active.

admin@GUARD-conf-zone-scannet# policy dns_tcp/53/analysis/pkts/dst_ip 300 filter/drop 360 active

Changing the Policy State

The Guard module policies have three possible states:

Active—The policy relates to the traffic and issues an action once the threshold is violated.

Inactive—The policy relates to the traffic and obtains the threshold, but takes no action when a threshold is violated. This frees you from the need to pass the policy through a new learning threshold-tuning phase.

Disabled—The policy does not relate to the traffic flow and so no threshold is obtained. As a result, the policies have to undergo a new threshold tuning phase to ensure that correct thresholds are applied for the policies.


Caution When a policy is disabled, other policies regard its targeted traffic as belonging to them. We highly recommend that all policies undergo a new threshold tuning phase before the policies are applied in protect mode.

To change the policy state, enter the following command in the relevant policy section configuration mode:

state {active | disabled | inactive}

For example:

admin@GUARD-conf-zone-scannet-policy-/dns_tcp/*/analysis/syns# state disabled


Caution Unnecessarily deactivating or disabling a policy can prevent the Guard module policies from assuming their protective role and can compromise the zone protection.

If you run the policy construction phase after disabling a policy, the policies are reconfigured according to the traffic flow. This could result in the policy being reactivated.

Configuring the Policy Threshold

The policy threshold defines the threshold traffic rate for a specific policy. Once this threshold is violated, the policy takes an action to protect the zone. The threshold is set by default to a value appropriate for on-demand protection. It is adjusted by the threshold tuning phase. The threshold is measured in pps except for the following policies:

tcp_connections—measured in number of connections

tcp_ratio—measured as the ratio number

To configure the policy threshold, enter the following command:

threshold threshold

The threshold argument specifies the policy threshold.

For example:

admin@GUARD-conf-zone-scannet-policy-/dns_tcp/*/analysis/syns/global# threshold 300

Multiplying a Threshold by a Factor

You can multiply the threshold of a policy or a group of policies by a factor. This way you can increase or decrease the threshold of a policy or a group of policies if the traffic volume does not represent the zone traffic.

To multiply the threshold by a factor, enter the following command:

policy policy-path thresh-mult threshold-multiply-factor

Table 8-9 provides the arguments for the policy thresh-mult command.

Table 8-9 Arguments for the policy thresh-mult Command 

Parameter
Description

policy-path

The policy template name. See Table 8-2 for further details.

threshold-multiply-factor

A real number to multiply the threshold by.


For example:

admin@GUARD-conf-zone-scannet# policy */*/*/*/src_ip thresh-mult 0.5

Configuring Specific IP Thresholds

In cases of known high-volume traffic from an IP source, you can configure a threshold to apply to the specific IP source address.

In cases of a non-homogeneous zone (that is, a zone that has more than a single IP address defined) where there is known high-volume traffic only to part of the zone, you can configure a threshold to apply to the specific IP destination address.

You can only configure specific IP thresholds for the following policies:

Policies with traffic characteristics of source IP (src_ip) address and subnet mask (src_net) with the action of drop

Policies with traffic characteristic of destination IP (dst_ip) with the actions of to-user-filters, strong, notify, and drop

To configure a specific IP threshold, enter the following command:

policy policy-path threshold-list ip threshold [ip threshold ...]

Table 8-10 provides the arguments for the policy threshold-list command.

Table 8-10 Arguments for the policy threshold-list Command

policy-path—The policy template name. See Table 8-2 for further details.

ip—The specific IP address.

threshold—The threshold traffic rate in pps, except for policies measuring concurrent connections and SYN-by-FIN ratio, where the threshold is the number of connections.


You can add up to five specific IP thresholds for each policy. You can enter all specific IP thresholds in a single command.

The following example shows how to set specific IP thresholds for IP addresses 10.10.10.2 and 10.10.15.2 for the policy http/80/analysis/syns/src_ip.

admin@GUARD-conf-zone-scannet-policy-/http/80/analysis/syns/src_ip# threshold-list 10.10.10.2 500 10.10.15.2 500
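The two threshold mechanisms described above, thresh-mult over a group of policies and the per-IP threshold-list, can be modelled together. The following Python is an added example, not Guard module code. It assumes that a policy path is matched against a pattern segment by segment, with * standing for any single segment and a trailing slash (as in dns_tcp/) selecting every policy under that prefix, which is how the guide's own examples read; it also enforces the five-entry limit on specific IP thresholds stated above. The Policy and Zone classes, match_policy_path and the sample zone are constructed here.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

MAX_IP_THRESHOLDS = 5  # the guide allows up to five specific IP thresholds per policy


def match_policy_path(pattern: str, path: str) -> bool:
    """Match a policy path such as http/80/analysis/syns/src_ip against a
    pattern. Assumed semantics, modelled on the guide's examples: a pattern
    ending in '/' (dns_tcp/) selects every policy under that prefix; otherwise
    segments are compared one by one and '*' stands for any single segment."""
    if pattern.endswith("/"):
        prefix = pattern.rstrip("/").split("/")
        return path.split("/")[: len(prefix)] == prefix
    pat, segs = pattern.split("/"), path.split("/")
    return len(pat) == len(segs) and all(p == "*" or p == s for p, s in zip(pat, segs))


@dataclass
class Policy:
    path: str
    threshold: float  # pps; connections for tcp_connections and tcp_ratio policies
    ip_thresholds: Dict[str, float] = field(default_factory=dict)

    def threshold_list(self, *pairs) -> int:
        """threshold-list ip threshold [ip threshold ...]: add specific IP
        thresholds. Returns the number now configured; a sixth entry is
        rejected and the existing list is left unchanged."""
        if len(pairs) % 2:
            raise ValueError("threshold-list expects ip/threshold pairs")
        new = dict(zip(pairs[0::2], (float(t) for t in pairs[1::2])))
        merged = {**self.ip_thresholds, **new}
        if len(merged) > MAX_IP_THRESHOLDS:
            raise ValueError(f"at most {MAX_IP_THRESHOLDS} specific IP thresholds per policy")
        self.ip_thresholds = merged
        return len(merged)

    def effective_threshold(self, ip: Optional[str] = None) -> float:
        """Threshold applied to traffic keyed by `ip`: the specific IP threshold
        if one is configured for that address, otherwise the policy threshold."""
        return self.ip_thresholds.get(ip, self.threshold)


class Zone:
    """A zone's constructed policies, keyed by policy path."""

    def __init__(self, name: str):
        self.name = name
        self.policies: Dict[str, Policy] = {}

    def add(self, policy: Policy) -> None:
        self.policies[policy.path] = policy

    def thresh_mult(self, policy_path: str, factor: float) -> int:
        """policy policy-path thresh-mult factor: scale the threshold of every
        matching policy. Returns how many policies were changed."""
        matched = [p for p in self.policies.values() if match_policy_path(policy_path, p.path)]
        for p in matched:
            p.threshold *= factor
        return len(matched)


if __name__ == "__main__":
    # Constructed zone mirroring the two commands shown in the text.
    scannet = Zone("scannet")
    for path, thr in [("http/80/analysis/syns/src_ip", 400),
                      ("http/80/analysis/syns/global", 3000),
                      ("dns_tcp/53/analysis/pkts/src_ip", 200)]:
        scannet.add(Policy(path, thr))
    changed = scannet.thresh_mult("*/*/*/*/src_ip", 0.5)
    print(f"thresh-mult 0.5 changed {changed} policies")
    http_src = scannet.policies["http/80/analysis/syns/src_ip"]
    http_src.threshold_list("10.10.10.2", 500, "10.10.15.2", 500)
    for ip in ("10.10.10.2", "10.10.15.2", "10.10.99.9"):
        print(ip, "->", http_src.effective_threshold(ip))
```

The global policies are untouched by the src_ip pattern, and an address without a specific entry falls back to the (already halved) policy threshold, which is the behaviour to expect when reading the List column of show policies.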

Configuring the Proxy-Threshold

The proxy threshold parameter defines the traffic rate for clients that connect to the zone over HTTP via proxies. It enables you, and the Guard module, to adapt the policy to traffic volumes coming from different sources. Because the Guard module uses proxy thresholds only to block traffic, you can configure them only for policies in the DEFAULT zone template with a Strong protection module and for policies in the TCP_NO_PROXY zone template with a Basic protection module.

A proxy threshold is available only for the http, http_ns, tcp_connections and tcp_connections_ns policies. A proxy threshold for policies created from the tcp_connections or tcp_connections_ns policy templates is effective only if the zone has active http or http_ns policies.

To configure the proxy-threshold, enter the following command:

proxy-threshold proxy-threshold

The proxy-threshold argument specifies the proxy-threshold traffic rate in pps.

The following example shows how to set the proxy threshold for the policy tcp_ratio/any/basic/syn_by_fin/dst_ip_ratio to 20.

admin@GUARD-conf-zone-scannet-policy-/tcp_ratio/any/basic/syn_by_fin/dst_ip_ratio# proxy-threshold 20

Configuring the Timeout

The timeout parameter defines the minimum time span that the policy action is valid. Once the timeout expires, the Guard determines whether to deactivate the Dynamic filters that were created as a result of the policy threshold violation. If the Guard decides not to deactivate the Dynamic filters, the filter activation timeout resumes for another time span. See the "Deactivating Dynamic Filters" section for further details.

To configure the policy timeout, enter the following command:

timeout {forever | timeout}

Table 8-11 provides the arguments and keywords for the timeout command.

Table 8-11 Arguments and Keywords for the timeout Command

forever—Indefinite time span.

timeout—An integer from 1 to 3,000,000 that specifies the minimum time the Dynamic filters produced by the policy are active.


You can change the timeout of a group of policies simultaneously. Use the policy set-timeout command in the relevant zone configuration mode.

Configuring the Action

The action parameter defines the type of action the policy takes once its threshold is violated. To configure the policy action, enter the following command:

action policy-action

Table 8-12 describes the policy actions.

Table 8-12 Policy Actions

block-unauthenticated—The policy adds a filter that blocks traffic that was not authenticated by the anti-spoofing mechanism.

filter/strong—The policy adds a filter directing the traffic to the Strong protection module mechanisms.

to-user-filters—The policy adds a filter directing the traffic to the User filters.

filter/drop—The policy adds a filter directing the traffic to the Drop protection module to be dropped.

notify—The policy notifies you of the threshold violation.

redirect/zombie—The policy adds a filter that enhances authentication for all User filters with an action of redirect.


Use the policy set-action command in the relevant zone configuration mode to change the action of a group of policies simultaneously.


Note Not all actions are valid for all policies.


This example shows how to set the action of all policies that relate to dns_tcp.

admin@GUARD-conf-zone-scannet# policy dns_tcp/ set-action filter/drop 
set action of dns_tcp/ to filter/drop: 16 policy actions set.

Configuring the Interactive Status

The interactive status parameter defines the interactive status that the pending Dynamic filters created by the policy assume. The interactive status applies only to zones that are in interactive protect mode. See "Interactive Protect Mode" for further details.

Use the interactive-status command to modify the status of the policy pending Dynamic filters if you have set the interactive status of a recommendation of a currently protected zone to always-accept or always-ignore.

For example, if you have defined the status of a recommendation as always-accept, the recommendation and its pending Dynamic filters are no longer displayed. To be able to ignore the recommendation or the pending Dynamic filters it produces, change the policy interactive status to interactive or always-accept.

To configure the policy interactive status, enter the following command:

interactive-status {always-ignore | always-accept | interactive}

Table 8-13 provides the keywords for the interactive-status command.

Table 8-13 Keywords for the interactive-status Command

always-accept—Automatically accepts the Dynamic filters the policy produces, whenever the policy produces new recommendations. The Guard module does not display these recommendations.

always-ignore—Automatically ignores the Dynamic filters the policy produces. The policy does not produce recommendations once its threshold is violated, and the Guard module does not display them.

interactive—Waits for you to decide whether to accept or ignore the Dynamic filters that the policy produces. The Guard module displays these Dynamic filters as part of the recommendations.


For example:

admin@GUARD-conf-zone-scannet-policy-/dns_tcp/53/analysis/pkts/src_ip# interactive-status always-accept

Creating Snapshots and Comparing Policies

You can save a snapshot of the learning parameters (services, thresholds and other policy related data) at any stage during the learning process, and review it later. The Guard module saves this data as a new zone. You can compare the snapshot to the zone or to another snapshot to verify the outcome of the learning process and trace differences in policies, services, and thresholds.

The Guard module continues its learning phase while the snapshot is taken.


Tip We recommend that you take a snapshot every few hours during the learning process. If an attack occurs during the learning process, you can use the snapshot as the zone.


To compare policies and view the outcome of the learning process, perform the following steps:


Step 1 Save a snapshot of the zone learning parameters.


Note The snapshot command is only available when the zone is in the policy construction phase or the threshold tuning phase.


Enter the following command:

snapshot zone-name new-zone-name

Table 8-14 provides the arguments for the snapshot command.

Table 8-14 Arguments for the snapshot Command

zone-name—The name of the zone whose learning parameters are saved.

new-zone-name—The name of a new zone. The Guard module saves the current learned policies and thresholds under this name.


The snapshot command creates a new zone. After you have verified the snapshot parameters or compared two snapshots, you can delete the snapshot. Alternatively, you can keep the snapshot and delete the original zone.

Step 2 Compare the snapshot parameters and the zone parameters to trace differences in policies, services, and thresholds. The zone can be the base zone, from which the snapshot was taken, or another snapshot. Enter the following command:

diff zone-name zone-name [percent]

Table 8-15 provides the arguments for the diff command.

Table 8-15 Arguments for the diff Command

zone-name—The names of the zones whose learning parameters are to be compared.

percent—(Optional) The tracing threshold value. The Guard module traces only the policies that differ between the two zones by more than this value. The default value is 100%, at which the Guard module traces every difference between the compared zones.



For example:

admin@GUARD# snapshot scannet scannet-8am
admin@GUARD# diff scannet scannet-8am
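As an added example that is not Guard module code, the following Python models the comparison the diff command performs between two snapshots, treating each zone as a mapping of policy path to learned threshold. A policy present in only one snapshot (a service learned in one but not the other) is always reported. With no percent, every threshold difference is reported, which is the behaviour the guide attributes to the default; how a numeric percent filters the remaining differences (relative to the first zone's threshold) is an assumption made here. The zone contents are constructed.

```python
from typing import Dict, List, NamedTuple, Optional


class Difference(NamedTuple):
    policy: str
    base: Optional[float]        # threshold in the first zone, None if the policy is absent there
    other: Optional[float]       # threshold in the second zone, None if absent there
    change_pct: Optional[float]  # signed change relative to the first zone; None when absent on one side


def diff_zones(base: Dict[str, float], other: Dict[str, float],
               percent: Optional[float] = None) -> List[Difference]:
    """Model of `diff zone-name zone-name [percent]`.

    A policy that exists in only one zone is always traced. For policies in
    both zones, every threshold difference is traced when `percent` is None;
    otherwise only differences whose magnitude exceeds `percent` of the first
    zone's threshold (assumed semantics, not taken from the guide)."""
    traced: List[Difference] = []
    for path in sorted(set(base) | set(other)):
        a, b = base.get(path), other.get(path)
        if a is None or b is None:
            traced.append(Difference(path, a, b, None))
            continue
        if a == b:
            continue
        change = (b - a) / a * 100 if a else float("inf")
        if percent is None or abs(change) > percent:
            traced.append(Difference(path, a, b, round(change, 1)))
    return traced


def format_report(traced: List[Difference]) -> str:
    """Render the traced differences, one line per policy."""
    lines = []
    for d in traced:
        if d.change_pct is None:
            side = "second" if d.base is None else "first"
            lines.append(f"{d.policy}: present only in the {side} zone")
        else:
            lines.append(f"{d.policy}: {d.base:g} -> {d.other:g} ({d.change_pct:.1f}%)")
    return "\n".join(lines)


# Constructed learning results: the base zone and a snapshot taken later.
SCANNET = {
    "dns_tcp/53/analysis/pkts/global": 200,
    "http/80/analysis/syns/global": 3000,
    "http/80/analysis/syns/src_ip": 400,
}
SCANNET_8AM = {
    "dns_tcp/53/analysis/pkts/global": 200,
    "http/80/analysis/syns/global": 3300,
    "http/80/analysis/syns/src_ip": 900,
    "smtp/25/analysis/pkts/global": 50,  # a service learned only after the base snapshot
}

if __name__ == "__main__":
    print("diff scannet scannet-8am")
    print(format_report(diff_zones(SCANNET, SCANNET_8AM)))
    print("\ndiff scannet scannet-8am 50")
    print(format_report(diff_zones(SCANNET, SCANNET_8AM, percent=50)))
```

A large jump in a single src_ip threshold between snapshots, or a service that appears only in the later snapshot, is exactly the kind of difference worth inspecting before the zone leaves the learning process.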

Copying Policies

You can copy policy configuration, or partial configuration, from a source zone to the current zone. This way you can configure the zone policies without having to apply the learning process.


Caution Verify that the zones have similar traffic patterns.

To copy a service from a source zone, enter the following command:

copy-services src-zone-name [service-path]

Table 8-16 provides the arguments and keywords for the copy-services command.

Table 8-16 Arguments and Keywords for the copy-services Command

src-zone-name—The name of the zone whose service policies are copied.

service-path—The service to be copied. A service path can have one of the following formats:

policy-template—Specifies that all policies relating to the policy template are copied

policy-template/service-num—Specifies that all policies relating to the policy template and the specific service are copied

The default is to copy all policies.

The following example shows how to copy all policies that relate to the policy template tcp_connections from the zone webnet to the current zone, scannet.

admin@GUARD-conf-zone-scannet# copy-services webnet tcp_connections/ 

Monitoring Policies

You can monitor the policies to see how well they are suited to the zone traffic volume and services.

You can perform the following:

Viewing Policies

Viewing Policy Statistics

Viewing Policies

You can display the zone policies to verify that the policies the Guard module constructed are well tailored to the zone traffic characteristics. You can configure only policies that appear in this list.

To view the zone policies, enter the following command:

show policies


Note The Guard module displays only current zone policies. If a policy template was disabled during the policy construction phase, the Guard module does not create policies from that policy template and you will not see such policies when you issue the show policies command.


Table 8-17 provides a description of the fields in the show policies command output.

Table 8-17 Field Descriptions of the show policies Command Output

Policy—The policy name. See the "Policy Structure" section for further details.

State—The policy state: act = active, inact = inactive, disab = disabled. See the "Changing the Policy State" section for further details.

IStatus—The policy interactive status: a-accept = always-accept, a-ignor = always-ignore, interac = interactive. See the "Configuring the Interactive Status" section for further details.

Threshold—The policy threshold. Once this threshold is violated, the Guard module takes action to protect the zone. See the "Configuring the Policy Threshold" section for further details.

Proxy—The policy proxy-threshold. See the "Configuring the Proxy-Threshold" section for further details.

List—The number of specific IP thresholds defined for the policy. See the "Configuring Specific IP Thresholds" section for further details.

Action—The action the policy takes once the threshold is violated. See the "Configuring the Action" section for further details.

Timeout—The minimum time span the policy action is valid. See the "Configuring the Timeout" section for further details.


To display the details of a specific policy, use the show policies details command.

Viewing Policy Statistics

You can view the rate of the traffic flowing through a policy or a group of policies, and so determine whether the types of services and the traffic volume represent the zone traffic. The Guard module displays the traffic flows forwarded to the zone that have the highest rates, as measured by the protection policies.


Note The rate is calculated based on traffic samples.


To display the policy statistics, enter the following command:

show policies statistics [policy-path] [num-entries]

Table 8-18 provides the arguments for the show policies statistics command.

Table 8-18 Arguments for the show policies statistics Command

policy-path—Specifies a group of policies for which to display statistics. See the "Policy Structure" section for further details.

num-entries—Specifies the number of entries to display. The Guard module displays the policies with the highest values.


The Guard module displays the information in three tables. The information in each table is sorted by value, with the highest values appearing at the top.

Table 8-19 displays the fields in the tables in the show policies statistics command output.

Table 8-19 Field Descriptions of the show policies statistics Command Output Tables

Fields in all output tables:

Key—The key, which is the traffic characteristic that was used to aggregate the policies. For example, in the policy tcp_services/any/analysis/syns/dst_ip, the key is the destination IP address (dst_ip). If the traffic characteristic that was used to aggregate the policies is global, the key displays N/A. See Table 8-6 for further details.

Policy—The policy name. See the "Policy Structure" section for further details.

Fields in one of the output tables:

Rate—The rate of the traffic flowing through the policy, measured in pps. The rate is calculated based on traffic samples.

Connection—The number of concurrent connections. This information is available for tcp_connections policies and for the following packet types:

in_nodata_conns—For the Analysis protection module

in_conns—For the Strong protection module

Ratio—The ratio between the number of SYN flagged packets and the number of FIN/RST flagged packets. This information is available only for syn_by_fin policies.



Note The Guard module does not display tables that contain no data.


For example:

admin@GUARD-conf-zone-scannet# show policies statistics
Key              Rate         Policy
192.168.100.34   1.29         tcp_not_auth/any/strong/pkts/dst_ip
N/A              1.29         tcp_not_auth/any/strong/pkts/global
192.168.100.44   0.03         http/80/basic/syns/src_ip
... ... ...

Key              Connections  Policy
... ... ...
192.168.100.35   1.91         tcp_connections/any/strong/in_conns/src_ip
N/A              1.91         tcp_connections/any/strong/in_conns/global
192.168.100.45   1.67         tcp_connections/any/strong/in_conns/src_ip
... ... ...
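Output in this form can be parsed and checked against the configured thresholds, which is the check a practitioner runs when deciding whether the learned thresholds fit the zone. The following Python is an added example, not Guard module code: the sample output is constructed to follow the layout shown above, the threshold values used for the comparison are constructed, and parse_statistics and over_threshold are names chosen here.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample laid out like the show policies statistics output above.
SAMPLE_OUTPUT = """\
admin@GUARD-conf-zone-scannet# show policies statistics
Key              Rate         Policy
192.168.100.34   1.29         tcp_not_auth/any/strong/pkts/dst_ip
N/A              1.29         tcp_not_auth/any/strong/pkts/global
192.168.100.44   0.03         http/80/basic/syns/src_ip
... ... ...

Key              Connections  Policy
... ... ...
192.168.100.35   1.91         tcp_connections/any/strong/in_conns/src_ip
N/A              1.91         tcp_connections/any/strong/in_conns/global
192.168.100.45   1.67         tcp_connections/any/strong/in_conns/src_ip
... ... ...
"""

Row = Tuple[Optional[str], float, str]  # (key, or None for a global policy; value; policy path)
ROW_RE = re.compile(r"^(\S+)\s+(\d+(?:\.\d+)?)\s+(\S+)$")


def parse_statistics(text: str) -> Dict[str, List[Row]]:
    """Split the output into its tables, keyed by the value column's header
    (Rate, Connections or Ratio). The 'N/A' key of a global policy becomes
    None; the command prompt and elided '...' rows are skipped."""
    tables: Dict[str, List[Row]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("...") or line.startswith("admin@"):
            continue
        if line.startswith("Key"):
            current = line.split()[1]  # header: Key <value column> Policy
            tables.setdefault(current, [])
            continue
        m = ROW_RE.match(line)
        if m and current is not None:
            key, value, policy = m.groups()
            tables[current].append((None if key == "N/A" else key, float(value), policy))
    return tables


def over_threshold(tables: Dict[str, List[Row]],
                   thresholds: Dict[str, float]) -> List[Tuple[str, Optional[str], float, float]]:
    """Return (policy, key, measured value, threshold) for every row whose
    measured value exceeds the configured threshold of its policy. Rows whose
    policy has no entry in `thresholds` are left out."""
    hits = []
    for rows in tables.values():
        for key, value, policy in rows:
            thr = thresholds.get(policy)
            if thr is not None and value > thr:
                hits.append((policy, key, value, thr))
    return hits


if __name__ == "__main__":
    tables = parse_statistics(SAMPLE_OUTPUT)
    for name, rows in tables.items():
        print(f"{name}: {len(rows)} rows")
    # Constructed thresholds, deliberately low so the sample produces hits.
    configured = {
        "tcp_connections/any/strong/in_conns/src_ip": 1.0,
        "http/80/basic/syns/src_ip": 300.0,
    }
    for policy, key, measured, thr in over_threshold(tables, configured):
        print(f"{policy} key={key}: {measured} exceeds {thr}")
```

Because the rate column is derived from traffic samples, a single reading slightly over a threshold is weaker evidence than a key that stays above it across several show policies statistics runs.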