Table Of Contents
Configuring Zones
Overview
Basic Zone Configuration
Creating a Zone
Duplicating a Zone
Learning the Zone Traffic Characteristics
Constructing Policies
Terminating the Policy Construction Phase
Tuning Thresholds
Terminating the Threshold Tuning Phase
Protecting the Zone
Terminating Protect Mode
On-Demand Protection
Analyzing the Zone Traffic
Viewing Zone Counters
Viewing the Zone Status
Configuring Zones
This chapter describes how to create and manage zones. These procedures are required to set the Guard module to protect the zone.
This chapter contains the following major sections:
• Overview
• Basic Zone Configuration
• Learning the Zone Traffic Characteristics
• Protecting the Zone
• On-Demand Protection
• Analyzing the Zone Traffic
Overview
The zone configuration process consists of the following steps:
Step 1
Basic zone configuration—The basic configuration includes creating a zone and configuring the zone name and description, the zone network address and operation definitions, and basic networking characteristics such as the zone bandwidth. See the "Basic Zone Configuration" section for further details.
Step 2
Configuring diversion—To protect the target host (zone), traffic to this host must be diverted to the Guard module. The diversion is configured globally, via the Guard module routing configuration. You must make sure that the global diversion configuration covers that of the new zone. This step includes configuring traffic injection methods. See "Configuring Zone Traffic Diversion" for further details.
Step 3
Learning the zone traffic and adjusting policies—Create protection policies. The policies are the mechanisms that measure a particular traffic flow and take action against the flow as a result of threshold violation. The Guard module creates the protection policies using policy templates, in a two-phase process of learning the zone traffic. Alternatively, you can use on-demand protection. See the "Learning the Zone Traffic Characteristics" section for further details.
Step 4
Configuring the Guard module filters—Configure the various zone filters. These are the mechanisms that direct the diverted traffic to the required protection modules. You can configure the filters and design a variety of possibilities for customized traffic direction and anti-DDoS attack mechanisms. See "Configuring Zone Filters" for further details.
Step 5
Protecting the zone—After learning the zone traffic characteristics, the Guard module is ready to protect the zone. You can wait for an external indication (from the Cisco Traffic Anomaly Detector Module or any other means) of an attack before setting the Guard module to protect the zone, or command the Guard module to protect the zone right after configuring the zone. When the zone is in protect mode, the Guard module diverts the zone traffic and applies its protection policies. See the "Protecting the Zone" section for further details.
Basic Zone Configuration
When creating a new zone, you can create a zone based on system-defined templates or use an existing zone as a template. The template defines the zone initial configuration. This configuration is used for on-demand protection (protection for which learning was not performed). See the "On-Demand Protection" section for further details.
To create a new zone and configure its basic characteristics, perform the following steps:
Step 1
Create a new zone based on system-defined templates. See the "Creating a Zone" section.
OR
Create a zone based on an existing zone. See the "Duplicating a Zone" section.
To change the configuration of an existing zone enter the zone configuration mode. Use the zone zone-name command.
Step 2
Define the zone IP address. You must define this to enable the Guard module to perform traffic learning and protection.
When you initially define the zone, you must enter the zone IP address while the zone is not in protect mode. However, you can define the zone subnet or add additional IP addresses while the zone is in protect mode.
To add additional IP addresses, enter this command more than once. You can add up to 100 IP entries (specific IP address or subnets) for each zone.
Enter the following command:
ip address ip-addr [ip-mask]
Table 6-1 provides the arguments for the ip address command.
Table 6-1 Arguments for the ip address Command
Parameter | Description
ip-addr | The zone IP address. The zone can also be a subnet.
ip-mask | (Optional) The IP mask. The default subnet mask is 255.255.255.255.
Step 3
(Optional) Define the bandwidth allowed to pass to the zone according to the traffic amount the zone can handle.
Note
We recommend that you set the bandwidth value to the highest bandwidth measured entering the zone. If you do not know it, leave the default bandwidth value (no-limit).
Enter the following command:
rate-limit {no-limit | rate burst-size rate-units}
Table 6-2 provides the arguments for the rate-limit command.
Table 6-2 Arguments for the rate-limit Command
Parameter | Description
no-limit | The zone is defined with no rate limit.
rate | An integer greater than 64 that specifies the amount of traffic that is allowed to pass to the zone. The units are specified by the rate-units argument. The rate limit can be up to ten times greater than the burst limit.
burst-size | An integer greater than 64 that specifies the highest traffic peak allowed to pass to the zone. The units are bits, kilobits, kilopackets, megabits, or packets, corresponding to the rate units specified by the rate-units argument. The burst limit can be up to eight times greater than the rate limit.
rate-units | The rate units. The units are: bps (bits per second), kbps (kilobits per second), kpps (kilopackets per second), mbps (megabits per second), and pps (packets per second).
Step 4
(Optional) Add a description to the zone for identification purposes. Enter the description command followed by the description string (see the example below). The string length is limited to a maximum of 80 characters.
To modify a zone description, re-enter the command. The new description overrides the former.
For example:
admin@GUARD-conf-zone-scannet# ip address 192.168.100.34 255.255.255.252
admin@GUARD-conf-zone-scannet# rate-limit 1000 2300 pps
admin@GUARD-conf-zone-scannet# description This zone is used for demonstration purposes
Note
To display the configuration file of the newly configured zone, use the show running-config command in zone configuration mode.
Creating a Zone
To create a zone based on system-defined templates, enter the following command:
zone new-zone-name [template-name] [interactive]
After executing the command, the Guard module enters the configuration mode of the new zone. If you enter the name of an existing zone, the Guard module enters the specific zone configuration mode.
Table 6-3 provides the arguments and keywords for the zone command.
Table 6-3 Arguments and Keywords for the zone Command
Parameter | Description
new-zone-name | The name of a new zone. The name is an alphanumeric string from 1 to 63 characters long. The string must start with a letter and can contain underscores, but cannot contain any spaces.
template-name | (Optional) A template that defines the zone configuration. The default is to create the zone using the Guard module DEFAULT zone template. See Table 6-4 for further details.
interactive | Sets the operation (protect) mode of the new zone to interactive. In this mode, the Dynamic filters that the policies produce appear as recommendations, and you must decide whether or not to activate each Dynamic filter. See "Interactive Protect Mode" for further details.
Table 6-4 displays the Guard module zone templates.
Table 6-4 Guard Module Zone Templates
Template | Description
DEFAULT | The Guard module default zone template. The Guard module uses this template with the TCP proxy anti-spoofing mechanism, which changes the packet source IP address to the Guard module TCP proxy IP address. You can use this template if the zone network does not use IP-based access control lists (ACLs), access policies, or load-balancing policies that depend on the incoming source IP address.
TCP_NO_PROXY | This template is designed for a zone for which no TCP proxy is to be used. You can use this template if the zone is moderated according to IP addresses, such as an Internet Relay Chat (IRC) server zone, or if you do not know the type of services running on the zone.
Bandwidth-limited link templates | Templates designed for on-demand protection of large subnets segmented into zones with a known bandwidth. Protection for these zones should be activated for the attacked subnet or range. We recommend that you define such a zone on the Detector with a protect-ip-state of only-dest-ip. The following bandwidth-limited link templates are available for 128K, 1M, 4M, and 512K links respectively: LINK_128K, LINK_1M, LINK_4M, LINK_512K. Note: You cannot perform learning policy-construction for these templates.
Note
To display the zone templates, use the show templates command. To display the template default policies, use the show templates template-name policies command.
For example:
admin@GUARD-conf# zone scannet interactive
admin@GUARD-conf-zone-scannet#
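Operators often stage zone definitions outside the device before typing them in. The following Python pre-flight check, added here as an illustration and not taken from the Cisco documentation or the Guard module itself, encodes the constraints this chapter states for the zone name (Table 6-3), the IP entries (Table 6-1 and the 100-entry limit in Step 2), the rate limit (Table 6-2) and the 80-character description (Step 4), then renders the corresponding CLI lines. The function names, the tuple-based data model and the rendered command text are assumptions made for this example.

```python
import ipaddress
import re

# Constraints quoted from this chapter. Everything else (function names,
# data model, rendered text) is an assumption for this example, not Guard code.
MAX_IP_ENTRIES = 100               # Step 2: up to 100 IP entries per zone
MAX_DESCRIPTION_LEN = 80           # Step 4: description limited to 80 characters
RATE_UNITS = ("bps", "kbps", "kpps", "mbps", "pps")   # Table 6-2 rate-units
ZONE_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]{0,62}$")  # Table 6-3: 1-63 chars
MIN_RATE_VALUE = 65                # Table 6-2: "an integer greater than 64"
DEFAULT_MASK = "255.255.255.255"   # Table 6-1 default subnet mask


def check_zone_name(name):
    """Return a list of problems with a zone name (empty list means OK)."""
    if ZONE_NAME_RE.match(name):
        return []
    return [f"zone name {name!r} must be 1-63 alphanumeric/underscore characters, "
            "start with a letter and contain no spaces"]


def check_ip_entries(entries):
    """entries: list of (ip_addr, ip_mask); a mask of None means the default host mask."""
    problems = []
    if len(entries) > MAX_IP_ENTRIES:
        problems.append(f"{len(entries)} IP entries exceed the limit of {MAX_IP_ENTRIES}")
    for addr, mask in entries:
        try:
            # strict=False accepts a host address with a subnet mask, as the example does
            ipaddress.IPv4Network((addr, mask or DEFAULT_MASK), strict=False)
        except ValueError as exc:
            problems.append(f"bad IP entry {addr} {mask}: {exc}")
    return problems


def check_rate_limit(spec):
    """spec: the string 'no-limit' or a (rate, burst_size, rate_units) tuple."""
    if spec == "no-limit":
        return []
    rate, burst, units = spec
    problems = []
    if units not in RATE_UNITS:
        problems.append(f"unknown rate unit {units!r}")
    if rate < MIN_RATE_VALUE or burst < MIN_RATE_VALUE:
        problems.append("rate and burst-size must both be integers greater than 64")
    if rate > 10 * burst:
        problems.append("rate may be at most ten times the burst limit")
    if burst > 8 * rate:
        problems.append("burst-size may be at most eight times the rate limit")
    return problems


def render_zone_commands(name, entries, rate_limit, description=None):
    """Validate a planned zone; return the CLI lines to enter, or raise ValueError."""
    problems = (check_zone_name(name) + check_ip_entries(entries)
                + check_rate_limit(rate_limit))
    if description is not None and len(description) > MAX_DESCRIPTION_LEN:
        problems.append(f"description is limited to {MAX_DESCRIPTION_LEN} characters")
    if problems:
        raise ValueError("; ".join(problems))
    lines = [f"zone {name}"]
    for addr, mask in entries:
        lines.append(f"ip address {addr}" + (f" {mask}" if mask else ""))
    if rate_limit == "no-limit":
        lines.append("rate-limit no-limit")
    else:
        rate, burst, units = rate_limit
        lines.append(f"rate-limit {rate} {burst} {units}")
    if description:
        lines.append(f"description {description}")
    return lines


if __name__ == "__main__":
    # Constructed sample using the values from the chapter's own example.
    for line in render_zone_commands(
            "scannet", [("192.168.100.34", "255.255.255.252")], (1000, 2300, "pps"),
            "This zone is used for demonstration purposes"):
        print(line)
```

Running the script prints the three commands shown in the example above; a name with a space, a 101st IP entry or a burst value more than eight times the rate raises a ValueError that names every violated constraint at once, which is cheaper than discovering them one by one at the device prompt.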
Duplicating a Zone
You can create a new zone based on an existing one.
To duplicate a zone, perform one of the following:
• Enter the following command in configuration mode:
zone new-zone-name copy-from base-zone-name
The base-zone-name argument specifies the name of the zone to be used as a template for the new zone.
For example:
admin@GUARD-conf# zone scanserver copy-from scannet
admin@GUARD-conf-zone-scanserver#
OR
• Enter the following command in the relevant zone configuration mode:
zone new-zone-name copy-from-this
The configuration of the new zone is copied from the configuration of the current zone.
For example:
admin@GUARD-conf-zone-scannet# zone mailserver copy-from-this
admin@GUARD-conf-zone-mailserver#
The new-zone-name argument specifies the name of the new zone. The zone name is an alphanumeric string from 1 to 63 characters long. The string must start with a letter, can contain underscores but cannot contain any spaces.
After executing the command, the Guard module enters the configuration mode of the new zone.
Learning the Zone Traffic Characteristics
During the Learning process, the Guard learns the zone traffic characteristics. The results are translated into protection policies. These policies instruct the Guard protection system how to regard the zone traffic flows. The Guard Learning process begins by diverting the routine zone traffic to the Guard using diversion mechanisms.
Note
You must configure diversion before initiating the learning process. Configure zone diversion using the Guard routing configuration.
See "Configuring Zone Traffic Diversion" for further details.
The policy templates are the Guard tools for constructing the policies. These define the types of zone policies the Guard creates according to the zone traffic characteristics. The policy templates also define the maximum number of services and the minimum threshold for each policy service. To change the guiding rules for constructing zone policies, change the policy template parameters before you initiate the learning process. See "Configuring Policy Templates and Policies," for further details.
Note
If the Guard module is not in protect and learning mode and there is an attack on the zone before the learning process has been completed, perform the following steps:
1. Abort the learning phase. Use the no learning command.
2. Define a new zone and use this new zone for on-demand protection. See the "On-Demand Protection" section for further details.
The learning process consists of two phases, during which the Guard learns the zone traffic and adapts itself to the particular characteristics:
1. Policy Construction—In this phase, the Guard creates the zone policies using the policy templates. The traffic flows transparently through the Guard, enabling it to discover the main services the zone uses.
2. Threshold Tuning—In this phase, the Guard tunes the policies to fit the zone services traffic rates. The traffic flows transparently through the Guard, enabling it to tune the thresholds for the services it discovered while constructing the zone policies.
During the learning process, the Guard drops packets if one of the following fields in the packet equals zero:
• Source IP address
• Protocol number
• UDP source or destination port
• TCP source or destination port
The Guard learns the zone traffic characteristics to acquire a basis on which to compare zone traffic and trace any anomalies that might, in turn, become malicious. Once the policies are created, you can add and delete policies, or change policy parameters such as thresholds, services, time-outs and actions. The action a policy takes can range from simple notification, to directing the traffic to various Guard protection mechanisms, or to dropping malicious traffic.
Constructing Policies
In this phase, the Guard creates the zone policies using the policy templates. The traffic flows transparently through the Guard, enabling it to discover the main services the zone uses. You can configure the policy construction guiding rules; for example, you can prevent the Guard from creating policies of a certain type by disabling the relevant policy template. To change the guiding rules for constructing zone policies, change the policy template parameters before you initiate the policy construction phase. See "Configuring Policy Templates and Policies" for further details.
You cannot perform policy construction for zones that are based on the bandwidth-limited link templates: LINK_128K, LINK_1M, LINK_4M and LINK_512K.
To construct the zone policies, perform the following steps:
Step 1
Initiate the policy construction phase. Enter the following command in zone configuration mode:
learning policy-construction
Check that the Guard module is diverting the zone traffic. Wait at least ten seconds after initiating the policy construction phase and issue the show rates details command. Verify that the value of the Received traffic rate is greater than zero. A value of zero indicates a diversion problem.
Step 2
After a sufficient period of time, terminate the policy construction phase and decide how to handle the newly constructed policies.
Note
We recommend letting the policy construction phase continue for at least two hours before proceeding to the next phase.
See the next section, "Terminating the Policy Construction Phase" for further details.
For example:
admin@GUARD-conf-zone-scannet# learning policy-construction
Timesaver
You can issue the learning policy-construction command and the no learning command for several zones at the same time. Issue the command in global mode and use an asterisk (*) as a wildcard. For example, to initiate the policy construction phase for all zones, enter learning policy-construction * in global mode. To accept the results of the policy construction phase for all Guard module zones with names that begin with scan (such as scannet and scanserver), enter no learning scan* accept in global mode.
Terminating the Policy Construction Phase
There are three ways to terminate the policy construction phase:
• Accept the suggested policies—To accept the policies that the Guard suggested, enter the no learning accept command in the relevant zone configuration mode. The Guard erases previously learned policies and thresholds. After accepting the newly constructed policies, you can manually add or remove policies or change the policy parameters. See "Configuring Policy Templates and Policies" for further details.
• Reject the suggested policies—To reject the policies that the Guard suggested, enter the following command in the relevant zone configuration mode:
In this case, the Guard stops the process and erases all its learned data. As a result, the Guard reverts to its default settings (in the case of a new zone) or to the zone traffic configuration it had prior to the policy construction phase.
• View the suggested policies—You can view the outcome of the learning process before making a decision. See the "Creating Snapshots and Comparing Policies" section for further details.
For example:
admin@GUARD-conf-zone-scannet# no learning accept
Tuning Thresholds
In this stage, the Guard further analyses the zone traffic and defines thresholds for the policies that were constructed during the previous, policy construction, phase. The Guard sets default values for the policy timeout and action (operational) parameters. See "Configuring Policy Templates and Policies," for information on how to configure the values of the operational parameters.
To tune the policy thresholds, perform the following steps:
Step 1
Initiate the threshold tuning phase. Enter the following command in the relevant zone configuration mode:
learning threshold-tuning
Step 2
After a sufficient period of time, terminate the threshold tuning phase and decide how to handle the newly tuned policies.
Note
We recommend that you run the threshold tuning phase during peak traffic time (the busiest day) for a minimum of 24 hours.
See the next section, "Terminating the Threshold Tuning Phase" for further details.
For example:
admin@GUARD-conf-zone-scannet# learning threshold-tuning
Timesaver
You can issue the learning threshold-tuning command and the no learning command for several zones at the same time. Issue the command in global mode and use an asterisk (*) as a wildcard. For example, to initiate threshold tuning for all zones, enter learning threshold-tuning * in global mode. To accept the results of the threshold tuning phase for all Guard module zones with names that begin with scan (such as scannet and scanserver), enter no learning scan* accept in global mode.
Use the show policies statistics command to view the learning results.
See the "Viewing Policies" section for further details.
Terminating the Threshold Tuning Phase
There are three ways to terminate the threshold tuning phase:
• Accept the suggested policies—To accept the policy thresholds that the Guard suggested, enter the no learning accept command in the relevant zone configuration mode. The Guard erases previously learned thresholds. After accepting the newly tuned policies, you can manually change the policy parameters. See "Configuring Policy Templates and Policies" for further details.
• Reject the suggested policies—To reject the policy thresholds that the Guard suggested, enter the following command in the relevant zone configuration mode:
In this case, the Guard stops the threshold tuning phase and reverts to the results from the policy construction phase with the thresholds it had prior to the policy construction phase. This results in a situation whereby newly constructed policies have thresholds that are tuned for on-demand protection or that were obtained according to past traffic characteristics.
• View the suggested policies—You can view the outcome of the learning process before making a decision. See the "Creating Snapshots and Comparing Policies" section for further details.
For example:
admin@GUARD-conf-zone-scannet# no learning accept
Protecting the Zone
Before activating a zone in protect mode, we recommend that you let the Guard module study the zone traffic patterns. The learning process allows the Guard module to learn the traffic patterns of each zone and to create sets of recommended thresholds according to statistical analysis of the traffic.
Note
In case there is an attack on the zone before the learning process has been completed and the Guard module has not yet adopted its protection policy, the Guard module has on-demand protection. The Guard default thresholds for a new zone enable effective on-demand protection. See the "On-Demand Protection" section for further details.
You can activate the Guard protection in two operation modes:
• Automatic protect mode—Dynamic filters are activated without user intervention.
• Interactive protect mode—Dynamic filters are activated manually, in an interactive mode. The Dynamic filters are grouped as recommendations that await your decision. You can review these recommendations and decide which of them to accept, ignore, or direct to automatic activation. See "Interactive Protect Mode" for further details.
You can wait for an external indication (from the Cisco Traffic Anomaly Detector Module or any other means) of an attack before setting the Guard module to protect the zone, or command the Guard module to protect the zone right after configuring the zone. When the zone is in protect mode, the Guard module diverts the zone traffic and applies its protection policies.
You can define protection termination according to Dynamic filter inactivity timeout. See the "Terminating Protect Mode" section for further details.
You can choose to protect a zone in one of the following ways:
• Protect the overall zone. Enter the following in the relevant zone configuration mode:
protect
OR
• Protect an IP-specific zone that is a part of the zone address range. In this case, the Guard module creates a new zone. The name of the new zone consists of the first 30 characters of the major zone, an underscore, and the specific IP address. If a zone by the same name already exists, the Guard module activates protection for the existing zone instead of creating another zone by the same name.
To activate protect mode for an IP-specific zone, enter the following command:
protect zone-name ip-addr
The zone-name argument specifies the name of the specific zone and the ip-addr argument specifies the specific IP address within the zone address range.
To remove this zone, use the no form of the zone command.
For example:
admin@GUARD# protect scannet 192.168.5.6
creating zone scannet_192.168.5.6
Tip
Check that the Guard module is diverting the zone traffic. Wait at least ten seconds after activating protect mode and issue the show rates command. Verify that the value of at least one of the rates is greater than zero. If the value of all rates equals zero, this indicates a diversion problem.
Terminating Protect Mode
You can configure protect mode to terminate according to a Dynamic filter inactivity timeout. If, for a predefined span of time, no Dynamic filters are in use and no new Dynamic filters are added, the Guard module assumes that the attack on the zone has ended and terminates protect mode (see the "Deactivating Dynamic Filters" section for information on how the Guard decides when to remove Dynamic filters). You can set this timeout anywhere from seconds to infinite.
Enter the following command:
protection-end-timer {time-seconds | forever}
Table 6-5 provides the arguments and keywords for the protection-end-timer command.
Table 6-5 Arguments and Keywords for the protection-end-timer Command
Parameter | Description
time-seconds | An integer greater than 60 that specifies the protection timeout measured in seconds.
forever | An indefinite timeout.
The default is forever. If you do not change the default value, you must deactivate protect mode manually.
For example:
admin@GUARD-conf-zone-scannet# protection-end-timer 300
On-Demand Protection
You can protect a zone without performing the learning process in case of an immediate need such as a zone under attack. The system-defined zone templates include predefined protection policies and User filters that are suited to protect a zone that has not finished the learning process. The default thresholds of these zone templates are tuned so that the Guard module activates the anti-spoofing mechanisms quickly if it identifies traffic abnormality in the zone traffic.
Since the Guard module has no knowledge of the zone traffic patterns, the thresholds used to block (drop) source IP addresses are set to relatively high values. This implies that on-demand protection requires user intervention when mitigating non-spoofed attacks. You must monitor the zone's legitimate and malicious traffic rates and review the Guard module mitigation actions.
To initiate on-demand protection, perform the following steps:
Step 1
Create a new zone. Enter the following command:
zone new-zone-name [template-name] [interactive]
See the "Creating a Zone" section for further details.
Step 2
Configure the zone IP address. Enter the following command:
ip address ip-addr [ip-mask]
The ip-addr and ip-mask arguments define the zone IP address.
See the "Basic Zone Configuration" section for further details.
Step 3
Activate protect mode. Enter the protect command in the zone configuration mode. See the "Protecting the Zone" section for further details.
Step 4
Analyze the zone traffic patterns. See "Analyzing Guard Module Mitigation" for further details.
Analyzing the Zone Traffic
You can display an overview of the zone status or the zone rates or counters.
Viewing Zone Counters
You can use the following commands to analyze zone traffic:
• show rates—Displays the average traffic rates of the Malicious and the Legitimate counters.
• show rates details—Displays the average traffic rates for all Guard module counters.
• show rates history—Displays the average traffic rates of the Malicious and the Legitimate counters for every minute in the past 24 hours.
• show counters—Displays the Guard module Malicious and Legitimate counters.
• show counters details—Displays all Guard module counters.
• show counters history—Displays the values of the Malicious and the Legitimate counters for every minute in the past hour.
The rate units are in bps and in pps.
Note
Zone rates are only available when the zone is in learning or protect mode.
The Guard measures the total traffic and computes the average traffic rate. A rate with the value of cleared indicates a time when the zone was not in protect mode.
The counters units are in packets and in Kilo bits. The counters are set to zero when protect mode is initiated.
Table 6-6 displays the Guard module counters.
Table 6-6 The Guard Module Counters
Counter | Description
Malicious | Malicious traffic destined to the zone. Malicious traffic is the sum of the Dropped counter and the Spoofed counter (which also includes zombie packets).
Legitimate | Legitimate traffic forwarded by the Guard module to the zones.
Received | Packets received and handled by the Guard module. The Received counter is the sum of the Legitimate counter and the Malicious counter.
Forwarded | Legitimate traffic forwarded by the Guard module to the zones.
Dropped | Packets that were identified by the Guard module as part of an attack and dropped.
Replied | Packets to which replies were sent to the initiating client as part of the anti-spoofing or anti-zombie mechanisms, in order to verify whether they are part of authentic traffic or part of an attack.
Spoofed | Packets that were identified by the Guard module as spoofed packets and therefore not forwarded to the zone. Spoofed packets are replied packets (see the Replied counter above) for which no replies were received. Zombie packets are also included in the Spoofed counter.
Invalid zone | Diverted traffic that is not destined to any one of the Guard module protected zones.
For example:
admin@GUARD-conf-zone-scannet# show rates
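The counter relationships in Table 6-6, the diversion checks given after the learning policy-construction and protect commands, and the monitoring duty that on-demand protection places on the operator can all be turned into a small automated sanity check. The Python below is an added illustration, not Cisco documentation or Guard module code: the dict and tuple shapes it consumes are assumptions for the example and are not the real output format of show counters or show rates history, and the 50% malicious-share threshold is an arbitrary value chosen for the sample.

```python
# Added example: sanity checks over Guard counter and rate data.
# Input shapes are assumptions for this example, not the device's output format.

CLEARED = "cleared"  # rate value the chapter says marks minutes outside protect mode


def check_counter_invariants(counters):
    """Return the Table 6-6 relationships a snapshot violates (empty list = consistent)."""
    problems = []
    if counters["Received"] != counters["Legitimate"] + counters["Malicious"]:
        problems.append("Received must equal Legitimate + Malicious")
    if counters["Malicious"] != counters["Dropped"] + counters["Spoofed"]:
        problems.append("Malicious must equal Dropped + Spoofed")
    # Spoofed packets are replied packets that got no answer, so they cannot outnumber Replied.
    if counters["Spoofed"] > counters["Replied"]:
        problems.append("Spoofed cannot exceed Replied")
    return problems


def diversion_status(rates):
    """Apply the diversion checks given after 'learning policy-construction' and 'protect'.

    rates: dict of counter name -> current rate, or CLEARED outside protect mode."""
    if any(v == CLEARED for v in rates.values()):
        return "not in protect mode (rates cleared)"
    if rates.get("Received", 0) == 0 or all(v == 0 for v in rates.values()):
        return "diversion problem: no traffic received"
    return "diverting"


def flag_malicious_minutes(history, threshold=0.5):
    """history: list of (minute, legitimate_rate, malicious_rate) like show rates history.

    Returns the minutes whose malicious share of received traffic reaches the
    threshold, skipping minutes whose rates are cleared."""
    flagged = []
    for minute, legit, malicious in history:
        if legit == CLEARED or malicious == CLEARED:
            continue  # zone was not in protect mode during that minute
        received = legit + malicious
        if received and malicious / received >= threshold:
            flagged.append(minute)
    return flagged


# Constructed sample data (not captured from a device).
SAMPLE_COUNTERS = {"Received": 12000, "Legitimate": 11000, "Malicious": 1000,
                   "Forwarded": 11000, "Dropped": 600, "Replied": 900, "Spoofed": 400,
                   "Invalid zone": 0}
SAMPLE_RATES = {"Received": 12000, "Legitimate": 11000, "Malicious": 1000}
SAMPLE_HISTORY = [(0, 8000, 200), (1, 8100, 9000), (2, CLEARED, CLEARED), (3, 7900, 100)]

if __name__ == "__main__":
    print("counter problems:", check_counter_invariants(SAMPLE_COUNTERS))
    print("diversion:", diversion_status(SAMPLE_RATES))
    print("minutes to review:", flag_malicious_minutes(SAMPLE_HISTORY))
```

On the constructed sample the counters are consistent, the zone is reported as diverting, and only minute 1 (where the malicious rate exceeds the legitimate rate) is flagged for review. An all-zero rate set is reported as a diversion problem, which is exactly the condition the Tip under "Protecting the Zone" tells you to look for after activating protect mode.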
Viewing the Zone Status
You can display an overview of a particular zone to get a general picture of the zone and its current status. Use the show command to display an overview of the zone. The overview includes the following information:
• Zone status—Indicates whether the zone is currently in protect mode, is in one of the learning phases, or is inactive.
• Zone basic configuration—Describes the basic zone configuration, such as the operation mode (automatic or interactive), thresholds and timers, and IP addresses. See the "Basic Zone Configuration" section for more details.
• Zone filters—Includes the Flex filter configuration, the number of active Dynamic filters, and the User filter configuration. If the zone is in interactive protect mode, the overview displays the number of recommendations. See the "Configuring the Flex Filter" section and the "Configuring User Filters" section for further details.
• Zone traffic rates—Displays the zone legitimate and malicious traffic rates. See the "Viewing Zone Counters" section for further details.
For example:
admin@GUARD-conf-zone-scannet# show