Cisco Anomaly Guard Module Configuration Guide (Software Version 5.0)
Configuring Zones

Table Of Contents

Configuring Zones

Overview

Creating a Zone

Creating a New Zone

Duplicating a Zone

Configuring Zone Attributes

Learning the Zone Traffic Characteristics

Understanding the Learning Process

Understanding the Protect and Learn Function

Synchronizing the Zone Learning Process Results with a Cisco Traffic Anomaly Detector Module

Constructing Policies

Tuning Thresholds

Configuring Learning Parameters

Configuring Periodic Actions

Configuring the Threshold Selection Method

Marking the Policies as Tuned

Tuning Zone Policy Thresholds and Enabling Zone Protection Simultaneously

Synchronizing the Zone Configuration in the Guard Module with the Cisco Traffic Anomaly Detector Module

Configuration Guidelines

Synchronizing the Zone Configuration Offline

Example Scenario

Protecting the Zone

Activating Zone Protection

Protecting the Entire Zone

Protecting an IP Zone that is Part of the Zone Address Range

Protecting an IP Address when the Zone Name is Not Known

Deactivating Zone Protection

Configuring How the Guard Performs Zone Protection

Configuring the Activation Method

Configuring the Activation Extent

Understanding Subzones

Configuring the Protection Inactivity Timeout

Enabling On-Demand Protection


Configuring Zones


This chapter describes how to create and manage zones on the Cisco Anomaly Guard Module (Guard module). These procedures are required to enable zone protection.

This chapter contains the following sections:

Overview

Creating a Zone

Configuring Zone Attributes

Learning the Zone Traffic Characteristics

Tuning Zone Policy Thresholds and Enabling Zone Protection Simultaneously

Synchronizing the Zone Configuration in the Guard Module with the Cisco Traffic Anomaly Detector Module

Protecting the Zone

Enabling On-Demand Protection

Overview

A zone is a network element that the Guard uses to protect against DDoS attacks. A zone can be a network server, client, or router; a network link, subnet, or an entire network; an individual Internet user or a company; an Internet Service Provider (ISP), or any combination of the above. The Guard module can protect different zones simultaneously as long as their network address ranges do not overlap.

You assign a name to the zone and use this name to refer to it.

The zone configuration process consists of the following tasks:

Creating a zone—You can create a zone and configure the zone name and the zone description. See the "Creating a Zone" section for more information.

Configuring the zone network definition—You can configure the zone network definitions that include the network IP address and subnet mask. See the "Configuring Zone Attributes" section for more information.

Configuring the zone filters—You can configure the zone filters. The zone filters apply the required protection level to the zone traffic and define the way the Guard module handles specific traffic flows. See Chapter 7, "Configuring Zone Filters," for more information.

Learning the zone traffic characteristics—You can create the zone protection policies that enable the Guard module to analyze a particular traffic flow and take action if the traffic flow exceeds a policy threshold. The Guard module constructs the policies in a learning process that consists of two phases: policy construction and threshold tuning. See the "Learning the Zone Traffic Characteristics" section for more information.

Creating a Zone

You can create a zone and configure the zone name, description, network address, operation definitions, and networking definitions.

When you create a new zone, you can use an existing zone as a template or you can create a zone from system-defined zone templates. The zone template defines the initial policy and filter configuration of the zone.

The new zone has default policies that are tuned for on-demand protection. However, if there is no immediate need to protect the zone, we recommend that you allow the Guard module to learn the zone traffic characteristics. See the "Enabling On-Demand Protection" section for more information. Alternatively, you can copy the configuration of the zone and the zone policies from the Cisco Traffic Anomaly Detector Module.

You can create a new zone in three ways:

Create a new zone—You can create a new zone from system-defined zone templates. Use this method to create a new zone with the default policies and filters.

After you create a new zone, you must configure the zone attributes.

Duplicate a zone—You can create a zone from an existing zone. Use this method if the new zone has traffic patterns that are similar to those of an existing zone.

Copy the zone configuration from the Cisco Traffic Anomaly Detector Module—You can enable synchronization of the zone configuration with the Cisco Traffic Anomaly Detector Module. See the "Synchronizing the Zone Configuration in the Guard Module with the Cisco Traffic Anomaly Detector Module" section.

You can initiate this action only from the Cisco Traffic Anomaly Detector Module. See the Cisco Traffic Anomaly Detector Module Configuration Guide for more information.

See the "Configuring Zone Attributes" section for information on how to modify the zone configuration settings.

Creating a New Zone

To create a new zone from system-defined zone templates, enter one of the following commands:

zone new-zone-name [template-name] [interactive]—Creates a new zone. If you do not enter the template-name argument, the new zone is created from the GUARD_DEFAULT zone template.

zone zone-name [template-name] [interactive]—Deletes the existing zone and creates a new zone with the same name.

When using a system-defined zone template, the Guard module applies the default settings to all zone attributes. These default policy settings are tuned for on-demand protection.

If the command is performed successfully, the Guard module enters the configuration mode of the new zone.

If you enter the name of an existing zone without specifying a zone template, the Guard module enters the configuration mode of the specified zone.

Table 6-1 provides the arguments and keywords for the zone command.

Table 6-1 Arguments and Keywords for the zone Command 

Parameter
Description

new-zone-name

The name of a new zone. The name is an alphanumeric string from 1 to 63 characters. The string must start with an alphabetic letter, can contain underscores, but cannot contain any spaces.

zone-name

The name of an existing zone.

template-name

(Optional) A zone template that defines the zone configuration. The default is to create the zone using the GUARD_DEFAULT zone template.

See Table 6-2 for more information.

interactive

(Optional) Sets the Guard module to perform zone protection in an interactive manner. The dynamic filters that the policies create appear as recommendations. You must decide whether or not to activate each dynamic filter. See Chapter 9, "Using Interactive Protect Mode," for more information.


Table 6-2 displays the zone templates.

Table 6-2 Zone Templates 

Template
Description

GUARD_DEFAULT

The default zone template. The Guard module may change the packet source IP address to the Guard module TCP-proxy IP address. You can use this zone template if you do not use IP-based Access Lists (ACLs), access policies, or load-balancing policies that are based on the incoming IP address for the zone network.

GUARD_TCP_NO_PROXY

A zone template designed for a zone for which no TCP proxy is to be used. You can use this zone template if the zone is moderated according to IP addresses such as an Internet Relay Chat (IRC) server-type zone, or if you do not know the type of services running on the zone.

Bandwidth-limited Link Templates

The zone templates designed for on-demand protection of large subnets segmented according to zones with a known bandwidth. We recommend that you activate zone protection for these zones based on the attacked subnet or range by using the activation-extent ip-address-only command. We recommend that you define such a zone on the Cisco Traffic Anomaly Detector Module with a protect-ip-state of dst-ip-by-name.

The policy thresholds are tuned so that the Guard module identifies an attack on the zone once the traffic rate to the zone exceeds the specified rate.

The following bandwidth-limited link zone templates are available for 128 Kb, 1 Mb, 4 Mb, and 512 Kb links:

GUARD_LINK_128K

GUARD_LINK_1M

GUARD_LINK_4M

GUARD_LINK_512K

You cannot perform the policy construction phase of the learning process for zones that were created from these templates.


This example shows how to create a new zone:

user@GUARD-conf# zone scannet interactive 
user@GUARD-conf-zone-scannet#

To delete a zone, use the no zone command. When deleting a zone, you can use an asterisk (*) as a wildcard character at the end of the zone name. The wildcard allows you to remove several zones with the same prefix in one command.

To display the zone templates, use the show templates command in global or configuration mode. To display the zone template default policies, use the show templates template-name policies command in global or configuration mode.

Duplicating a Zone

You can create a new zone based on an existing zone. When using an existing zone as a template for the new zone, all properties of the existing zone are copied to the newly defined zone. If you specify a snapshot, the zone policies are copied from the snapshot.

To duplicate a zone, enter one of the following commands:

zone new-zone-name copy-from-this [snapshot-id]—Use this command in zone configuration mode to create a new zone with the configuration of the current zone.

zone new-zone-name copy-from zone-name [snapshot-id]—Use this command in configuration mode to create a new zone with the configuration of the specified zone.

Table 6-3 provides the arguments for the zone command.

Table 6-3 Arguments for the zone Command 

Parameter
Description

new-zone-name

The name of a new zone. The name is an alphanumeric string from 1 to 63 characters. The string must start with an alphabetic letter and can contain underscores, but cannot contain any spaces.

copy-from-this

Creates a new zone with the configuration of the current zone.

copy-from

Creates a new zone with the configuration of the specified zone.

zone-name

The name of an existing zone.

snapshot-id

The ID of an existing snapshot. See the "Displaying Snapshots" section on page 8-39 for more information.


The following example shows how to create a new zone from the current zone:

user@GUARD-conf-zone-scannet# zone mailserver copy-from-this 
user@GUARD-conf-zone-mailserver#

If the command is performed successfully, the Guard module enters the configuration mode of the new zone.

The policies of the new zone are marked as untuned. We recommend that you perform the threshold tuning phase of the learning process to tune the policy thresholds to the zone traffic. If the traffic characteristics of the new zone are identical or very similar to the traffic characteristics of the originating zone, you can mark the policy thresholds as tuned. See the "Marking the Policies as Tuned" section for more information.

The activation interface of the new zone is set to zone-name-only, regardless of the configuration of the source zone. See the "Configuring the Activation Method" section for more information.

Configuring Zone Attributes

After you create the zone, you can configure the zone attributes.

To configure the zone attributes, perform the following steps:


Step 1 Enter zone configuration mode. Skip this step if you are in zone configuration mode already.

To enter zone configuration mode, enter one of the following commands:

conf zone-name (from global mode)

zone zone-name (from configuration mode or zone configuration mode)

The zone-name argument specifies the name of an existing zone.

Step 2 Define the zone IP address. You must define the IP address to enable the Guard module to learn the zone traffic and protect the zone.

To configure the zone IP address, enter the following command:

ip address ip-addr [ip-mask] 

Table 6-4 provides the arguments for the ip address command.

Table 6-4 Arguments for the ip address Command 

Parameter
Description
ip-addr

The zone IP address. The zone can also be a subnet. Enter the IP address in dotted-decimal notation (for example, 192.168.100.1).

ip-mask

(Optional) The IP subnet mask. Enter the subnet mask in dotted-decimal notation (for example, 255.255.255.0). The default subnet mask is 255.255.255.255.


You must define at least one IP address before you can activate zone protection. You can add additional zone IP addresses and subnets at any time.

If you modify the zone IP address or subnet, perform one of the following tasks:

If the new IP address or subnet includes a new service that was not previously defined in the zone network, activate the policy construction phase before activating zone protection, or add the service manually. See the "Constructing Policies" section and the "Adding a Service" section on page 8-13 for more information.

If you enabled the protect and learn function, use the no learning-params threshold-tuned command to mark the zone policies as untuned. Do not change the status of the zone policies to untuned while there is an attack on the zone, because doing so prevents the Guard module from detecting the attack and causes the Guard module to learn thresholds from malicious traffic. See the "Marking the Policies as Tuned" section for more information.

If you did not activate the protect and learn function and you do not plan to activate the protect and learn function, activate the threshold tuning phase before activating zone protection. See the "Tuning Thresholds" section.

Step 3 (Optional) Limit the traffic bandwidth that the Guard module injects back to the zone according to the traffic rate that you think the zone can handle by entering the following command in zone configuration mode:

rate-limit {no-limit | rate burst-size rate-units}

We recommend that you set the bandwidth value to the highest bandwidth that was measured entering the zone. If you do not know what this value is, leave the default bandwidth value (no-limit).

Table 6-5 provides the arguments and keywords for the rate limit command.

Table 6-5 Arguments and Keywords for the rate limit Command 

Parameter
Description
no-limit

Specifies that the zone is defined with no rate limit.

rate

An integer greater than 64 that specifies the amount of traffic that is allowed to pass to the zone. The units are specified by the rate-units argument. The rate limit can be up to 10 times greater than the burst limit.

burst

An integer greater than 64 that specifies the highest traffic peak allowed to pass to the zone. The units are bits, kilobits, kilopackets, megabits, and packets that correspond to the rate units that are specified by the rate-units argument. The burst limit can be up to eight times greater than the rate limit.

rate-units

The rate units. The units are as follows:

bps: bits per second

kbps: kilobits per second

kpps: kilopackets per second

mbps: megabits per second

pps: packets per second


Step 4 (Optional) Add a description to the zone for identification purposes by entering the following command in zone configuration mode:

description string

The maximum string length is 80 characters.

To modify a zone description, reenter the zone description. The new description overrides the previous description.

Step 5 Display the configuration of the newly configured zone by entering the show running-config command in zone configuration mode.

The configuration information consists of CLI commands that are executed to configure the Guard module with the current settings. Refer to the specific command entries for more information.


The following example shows how to create a new zone and configure the zone attributes:

user@GUARD-conf# zone scannet
user@GUARD-conf-zone-scannet# ip address 192.168.100.34 255.255.255.252
user@GUARD-conf-zone-scannet# rate-limit 1000 2300 pps
user@GUARD-conf-zone-scannet# description Demonstration zone
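The following added example (Python; not part of this guide and not Cisco code) models the constraints this chapter states for a zone definition so that a set of zones can be checked before the commands are entered on the Guard module: the zone name rule from Table 6-1, the ip address default mask from Table 6-4, the rate-limit bounds from Table 6-5, the 80-character description limit, and the rule that the Guard module can protect zones simultaneously only when their address ranges do not overlap. The dict layout used for a zone definition is an assumption made for the example; the commands it renders are the ones shown in Steps 1 through 4.

```python
"""Pre-flight lint for Guard module zone definitions.

Added example (Python), not Cisco code. It models constraints stated in
this chapter so zone definitions can be checked before being entered on
the Guard: the zone name rule (Table 6-1), the ip address default mask
(Table 6-4), the rate-limit bounds (Table 6-5), the 80-character
description limit, and the rule that protected zones must not overlap.
A zone definition is a dict, a layout assumed here for the example:
  {"name": "scannet",
   "addresses": [("192.168.100.34", "255.255.255.252"), ("10.0.0.9",)],
   "rate_limit": (1000, 2300, "pps"),        # optional
   "description": "Demonstration zone"}      # optional
"""
import ipaddress
import re

# Table 6-1: 1 to 63 alphanumeric/underscore characters, leading letter, no spaces.
ZONE_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]{0,62}$")
RATE_UNITS = ("bps", "kbps", "kpps", "mbps", "pps")  # Table 6-5
DEFAULT_MASK = "255.255.255.255"                     # Table 6-4 default


def zone_network(ip_addr, ip_mask=DEFAULT_MASK):
    """Network covered by `ip address ip-addr [ip-mask]`.

    strict=False because the chapter's own example gives a host address with
    a wider mask (192.168.100.34 255.255.255.252 covers 192.168.100.32/30).
    """
    return ipaddress.IPv4Network((ip_addr, ip_mask), strict=False)


def rate_limit_problems(rate, burst, units):
    """Violations of the rate-limit rules in Table 6-5 (empty list = OK)."""
    problems = []
    if units not in RATE_UNITS:
        problems.append(f"unknown rate unit {units!r}")
    if rate <= 64 or burst <= 64:
        problems.append("rate and burst must be integers greater than 64")
    if rate > 10 * burst:
        problems.append("rate may be at most 10 times the burst")
    if burst > 8 * rate:
        problems.append("burst may be at most 8 times the rate")
    return problems


def zone_networks(zone):
    """Parsed networks of a zone; unparsable addresses are skipped here
    (zone_problems reports them)."""
    nets = []
    for addr in zone.get("addresses", []):
        try:
            nets.append(zone_network(*addr))
        except ValueError:
            pass
    return nets


def zone_problems(zone):
    """Per-zone violations (empty list = OK)."""
    name = zone["name"]
    problems = []
    if not ZONE_NAME_RE.match(name):
        problems.append(f"{name!r}: invalid zone name")
    if not zone.get("addresses"):
        problems.append(f"{name!r}: at least one ip address is required before protection")
    for addr in zone.get("addresses", []):
        try:
            zone_network(*addr)
        except ValueError as exc:
            problems.append(f"{name!r}: bad address {addr}: {exc}")
    if zone.get("rate_limit"):
        problems += [f"{name!r}: {p}" for p in rate_limit_problems(*zone["rate_limit"])]
    if len(zone.get("description", "")) > 80:
        problems.append(f"{name!r}: description longer than 80 characters")
    return problems


def overlap_problems(zones):
    """Zone pairs whose ranges overlap; the Guard protects zones
    simultaneously only when their address ranges are disjoint."""
    nets = {z["name"]: zone_networks(z) for z in zones}
    names = list(nets)
    return [f"{a!r} and {b!r} overlap"
            for i, a in enumerate(names) for b in names[i + 1:]
            if any(x.overlaps(y) for x in nets[a] for y in nets[b])]


def lint(zones):
    """Every problem in a set of zone definitions (empty list = safe to push)."""
    return [p for z in zones for p in zone_problems(z)] + overlap_problems(zones)


def render_commands(zone):
    """Zone configuration-mode commands from Steps 1 to 4, in that order."""
    lines = [f"zone {zone['name']}"]
    for addr in zone.get("addresses", []):
        lines.append("ip address " + " ".join(addr))
    if zone.get("rate_limit"):
        rate, burst, units = zone["rate_limit"]
        lines.append(f"rate-limit {rate} {burst} {units}")
    if zone.get("description"):
        lines.append(f"description {zone['description']}")
    return lines


if __name__ == "__main__":
    zones = [{"name": "scannet",
              "addresses": [("192.168.100.34", "255.255.255.252")],
              "rate_limit": (1000, 2300, "pps"),
              "description": "Demonstration zone"},
             {"name": "mailserver", "addresses": [("192.168.100.33",)]}]
    for problem in lint(zones) or ["no problems found"]:
        print(problem)
    print("\n".join(render_commands(zones[0])))
```

Run as a script, the example reports that the mailserver host 192.168.100.33 falls inside the scannet /30 and therefore cannot be protected as a separate zone at the same time, then prints the four commands for scannet exactly as they appear in the example above. The overlap check is the one worth automating: the CLI accepts each zone on its own, and the conflict only shows up when protection is activated.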

Learning the Zone Traffic Characteristics

This section describes how to use the Guard module learning process to analyze zone traffic characteristics to create and fine-tune the policies that the Guard uses for zone protection.

This section contains the following topics:

Understanding the Learning Process

Understanding the Protect and Learn Function

Synchronizing the Zone Learning Process Results with a Cisco Traffic Anomaly Detector Module

Constructing Policies

Tuning Thresholds

Configuring Learning Parameters

Understanding the Learning Process

During the learning process, the Guard learns the normal zone traffic characteristics. The Guard module uses the learning process results to create policies for zone protection. These policies instruct the Guard on how to handle the zone traffic flows.

After an initial learning process of constructing policies, you can activate the learning process and zone protection simultaneously. At the same time, the Guard module tunes the policy thresholds and monitors the policy thresholds for traffic anomalies. This process enables the Guard module to protect the zone, while constantly updating the policy thresholds according to the zone traffic characteristics, and prevents the Guard module from learning malicious traffic thresholds.

To learn the zone traffic characteristics, the zone traffic must be diverted to the Guard. You must configure diversion before initiating the learning process, or divert the zone traffic to the Guard manually, using an external device. Configure zone diversion using the Guard routing configuration.

See Chapter 5, "Configuring Traffic Diversion" for more information.

The learning process consists of these two phases:

1. Policy Construction—The Guard module creates the zone policies using the policy templates. The traffic flows transparently through the Guard module enabling it to discover the main services that the zone uses. The new policies override the existing ones.

The policy templates are the Guard module tools for constructing the policies. These templates define the types of zone policies that the Guard module creates. The policy templates also define the maximum number of services that the Guard module monitors closely and the minimum threshold that triggers the Guard module to create new policies. To change the rules for constructing zone policies, change the policy template parameters before you initiate the policy construction phase. See Chapter 8, "Configuring Policy Templates and Policies," for more information.

2. Threshold Tuning—The Guard module tunes the policies to fit the zone services traffic rates. The traffic flows transparently through the Guard module, enabling it to tune the thresholds for the services that it discovered while constructing the zone policies. The new thresholds override the existing ones.

You can activate the threshold tuning phase and activate zone protection simultaneously (the protect and learn function) to prevent the Guard module from learning malicious traffic thresholds. You can set the Guard module to constantly tune the zone policies and define the intervals in which the Guard module updates the policy thresholds.


Note When you activate the protect and learn function, the Guard module constantly diverts the zone traffic to itself.


The Guard module learns the zone traffic characteristics to acquire a baseline against which to compare zone traffic and trace any anomalies that might be malicious. The Guard module does not modify the current zone policies during the learning process; it updates the policies only when you accept the results of one of the learning phases. After the policies are created, you can add and delete policies or change policy parameters such as thresholds, services, timeouts, and actions.

You can back up the current zone policies at all times by using the snapshot threshold-selection cur-thresholds command. See the "Creating Snapshots" section on page 8-36 for more information.


Note During the learning process, the Guard module drops packets if one of the following fields in the packet equals zero: source IP address, protocol number, UDP source or destination port, and TCP source or destination port.


If there is an attack on the zone before the learning process has been completed, use on-demand protection to protect the zone if one of the following conditions apply:

The zone is in the learning process.

You enabled the protect and learn function but the Guard module has not yet learned the zone traffic characteristics.

You have accepted policy thresholds that you think no longer represent the zone traffic.

See the "Enabling On-Demand Protection" section for more information.

You can enter learning-related commands for several zones at the same time. Enter the command in global mode and use an asterisk (*) as a wildcard. For example, to initiate the policy construction phase for all zones, enter the learning policy-construction * command in global mode. To accept the results of the policy construction phase for all Guard module zones with names that begin with scan (such as scannet and scanserver), enter the no learning scan* accept command in global mode.

Understanding the Protect and Learn Function

After an initial learning process of constructing policies, you can activate the learning process and enable zone protection simultaneously using the protect and learn function. The Guard module tunes the policy thresholds and at the same time monitors the policy thresholds for traffic anomalies. The protect and learn function enables the Guard module to protect the zone, constantly update the policy thresholds according to the zone traffic characteristics, and prevents the Guard module from learning malicious traffic thresholds.

Before you activate the protect and learn function, you can configure when and how the Guard module accepts the results of the learning process by configuring the learning parameters.

See the "Tuning Zone Policy Thresholds and Enabling Zone Protection Simultaneously" section for more information.

Synchronizing the Zone Learning Process Results with a Cisco Traffic Anomaly Detector Module

You can configure a Cisco Traffic Anomaly Detector Module (Detector module) to constantly learn the zone traffic and update the Guard module with the zone policies.

When the Detector module detects an attack on the zone, it stops the learning process, and activates the Guard module to protect the zone, and resumes learning the zone traffic when the attack ends. This process enables you to tune the zone policy thresholds continuously, but refrain from constantly diverting the zone traffic to the Guard module.

To synchronize the learning process results with a Detector module, you must perform the following tasks:

1. Add the Guard module to one of the Detector module SSL remote Guard lists

2. Establish an SSL communication channel with the Detector module (see the "Configuring SSL Communication Channels" section on page 4-23)

3. Create the zone on the Detector module using a GUARD zone template.

You can synchronize the zone configuration with the Detector module or configure the Detector module to synchronize the zone configuration with the Guard module automatically. See the "Synchronizing the Zone Configuration in the Guard Module with the Cisco Traffic Anomaly Detector Module" section for more information.

You can configure this option on the Detector module only. See the Cisco Traffic Anomaly Detector Module Configuration Guide for more information.

Constructing Policies

In the policy construction phase, the Guard creates the zone policies using the policy templates. The traffic flows transparently through the Guard enabling it to discover the main services (ports and protocols) that the zone uses. You can configure the policy construction rules. For example, you can prevent the Guard from creating policies of a certain type by disabling the relevant policy template. To change the rules for constructing zone policies, change the policy template parameters before you initiate the policy construction phase. See the "Understanding Policy Templates" section on page 8-4 for more information.

The Guard module sets default values for the policy parameters (timeout, action and threshold). See Chapter 8, "Configuring Policy Templates and Policies," for information on how to configure the default values for the operational parameters.

The new policies that the Guard module creates in this phase replace the existing ones.


Note You cannot perform the policy construction phase of the learning process for zones that are based on these bandwidth-limited link zone templates: GUARD_LINK_128K, GUARD_LINK_1M, GUARD_LINK_4M, and GUARD_LINK_512K.


To construct the zone policies, perform the following steps:


Step 1 Initiate the policy construction phase by entering the following command in zone configuration mode:

learning policy-construction


Tip Check that the Guard module is diverting the zone traffic. Wait at least 10 seconds after initiating policy construction or threshold tuning and enter the show rates details command. Verify that the value of the Received traffic rate is greater than zero. A value of zero indicates a diversion problem.


Step 2 (Optional) Display the policies that the Guard module is constructing.

You can save a snapshot of the learning parameters (services, thresholds, and other policy related data) by using the snapshot command at any stage during the policy construction phase, and review it later. You can save a single snapshot or save a periodic snapshot at specified intervals.

For more information, see the "Using Snapshots to Verify the Results of the Learning Process" section on page 8-35.

Step 3 (Optional) If you run the policy construction phase for a long period of time you can accept the policies that the Guard module suggested without stopping the policy construction phase. You can accept the policies once, or define that the Guard module automatically accept the suggested policies at specified intervals. You can ensure that the zone has the most updated policies and continues to learn the zone traffic.

To accept the policies that the Guard module suggested and continue the policy construction phase, enter the following command:

learning accept

To automatically accept the policies that the Guard module suggests at specified intervals, enter the following command:

learning-params periodic-action auto-accept learn_params_days learn_params_hours learn_params_minutes

See the "Configuring Learning Parameters" section for more information.

Use the no learning-params periodic-action command to terminate the periodic action.

Step 4 After a sufficient period of time, terminate the policy construction phase and decide how to handle the newly constructed policies.

We recommend letting the policy construction phase continue for at least 2 hours before terminating it.

You can perform one of the following actions:

Accept the suggested policies—You can accept the policies that the Guard module suggested by entering the following command in zone configuration mode:

no learning accept

The Guard module erases previously learned policies and thresholds.

After accepting the newly constructed policies, you can manually add or remove policies. See Chapter 8, "Configuring Policy Templates and Policies." for more information.

Reject the suggested policies—You can reject the policies that the Guard module suggested by entering the following command in zone configuration mode:

no learning reject

The Guard module stops the process and does not save the new policies that it has just learned. The policies of the zone are the policies that the Guard module had prior to initiating the learning process or prior to the last time that you accepted the results of the policy construction phase.


The following example shows how to initiate the policy construction phase and automatically accept the suggested policies at 12-hour intervals. It then stops the policy construction phase and accepts the suggested policies.

user@GUARD-conf-zone-scannet# learning policy-construction
user@GUARD-conf-zone-scannet# learning-params periodic-action auto-accept 0 12 0
user@GUARD-conf-zone-scannet# no learning accept

Tuning Thresholds

In the threshold tuning phase, the Guard module analyzes the zone traffic and defines thresholds for the policies that were constructed during the policy construction phase.

You can set the Guard module to learn the zone traffic while monitoring the last accepted policy thresholds for traffic anomalies. After the Guard module detects an attack on the zone, it stops the threshold tuning phase but continues zone protection to prevent the Guard module from learning malicious traffic thresholds.

The Guard module resumes the learning process after the attack ends. Before reactivating the learning process, the Guard module waits for the period defined by the protection-end-timer, but no longer than 10 minutes, after the attack has ended. See the "Configuring the Protection Inactivity Timeout" section for more information.
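The following added example (Python; not part of this guide, not Cisco code, and not the Guard module's own algorithm) simulates the protect and learn behavior described above and in the "Understanding the Learning Process" and "Understanding the Protect and Learn Function" sections for a single policy threshold: the learner enforces the last accepted threshold, treats a sample above it as an attack, stops tuning during the attack, resumes learning only after the attack ends and a protection-end-timer wait (capped at 10 minutes) has elapsed, and auto-accepts the tuned threshold at a fixed interval. The threshold estimator (highest clean sample plus 20 percent headroom) and the traffic samples are assumptions constructed for the example. Setting learn_from_attacks=True shows what the safeguard prevents: a learner that keeps tuning during an attack accepts the attack rate as its new baseline.

```python
"""Protect-and-learn simulation for one zone policy threshold.

Added example (Python), not Cisco code and not the Guard's algorithm. It
models the behaviour this section describes: the Guard tunes a threshold
from observed traffic while enforcing the last accepted threshold; when a
sample exceeds that threshold it is treated as an attack, tuning stops,
and learning resumes only protection-end-timer minutes (at most 10) after
the attack ends; a periodic-action auto-accept promotes the tuned
threshold at a fixed interval. The threshold estimator (maximum clean
sample plus 20 percent headroom) and the traffic samples are assumptions
constructed for the example. learn_from_attacks=True models a learner
without the safeguard, for contrast.
"""
from dataclasses import dataclass, field

MAX_RESUME_WAIT_MIN = 10   # "no longer than 10 minutes" after the attack ends


@dataclass
class ThresholdLearner:
    accepted: int                     # last accepted threshold (pps); the enforced value
    headroom_pct: int = 20            # assumed estimator: max clean sample plus headroom
    protection_end_timer: int = 5     # minutes to wait after an attack before relearning
    auto_accept_every: int = 60       # minutes between automatic accepts
    learn_from_attacks: bool = False  # True disables the protect-and-learn safeguard
    samples: list = field(default_factory=list)
    resume_at: int = 0                # first minute at which tuning may resume
    minute: int = 0
    mitigated: int = 0                # samples the enforced threshold flagged

    def suggested(self):
        """Threshold the learner proposes from the samples it was allowed to learn."""
        if not self.samples:
            return self.accepted
        return max(self.samples) * (100 + self.headroom_pct) // 100

    def accept(self):
        """learning accept: the suggested threshold becomes the enforced one."""
        self.accepted = self.suggested()

    def observe(self, rate):
        """Process one per-minute sample; returns True if it exceeded the enforced threshold."""
        t = self.minute
        self.minute += 1
        attack = rate > self.accepted
        if attack:
            self.mitigated += 1
        if attack and not self.learn_from_attacks:
            # Protection continues, tuning stops. Relearning waits until
            # protection_end_timer minutes (capped) after the last attack sample.
            self.resume_at = t + 1 + min(self.protection_end_timer, MAX_RESUME_WAIT_MIN)
        elif self.learn_from_attacks or t >= self.resume_at:
            self.samples.append(rate)
        if (t + 1) % self.auto_accept_every == 0:
            self.accept()
        return attack


def constructed_traffic():
    """Constructed per-minute pps samples (example data, not a capture):
    three hours of traffic between 800 and 995 pps, a 50000 pps flood in
    minutes 60 to 74, and a 30000 pps flood in minutes 150 to 159."""
    rates = []
    for t in range(180):
        if 60 <= t < 75:
            rates.append(50000)
        elif 150 <= t < 160:
            rates.append(30000)
        else:
            rates.append(800 + (t % 40) * 5)
    return rates


def simulate(rates, learn_from_attacks=False, initial_threshold=1200):
    """Run the learner over the samples; returns (final accepted threshold, samples mitigated)."""
    learner = ThresholdLearner(accepted=initial_threshold, learn_from_attacks=learn_from_attacks)
    for rate in rates:
        learner.observe(rate)
    return learner.accepted, learner.mitigated


if __name__ == "__main__":
    traffic = constructed_traffic()
    print("protect and learn:", simulate(traffic))
    print("learning during attacks:", simulate(traffic, learn_from_attacks=True))
```

With the constructed traffic, the protect-and-learn run ends with an accepted threshold of 1194 pps and flags all 25 attack minutes. The run that keeps learning during the first flood accepts 60000 pps at the minute-120 auto-accept and then lets the entire 30000 pps second flood through unflagged, which is the "learning malicious traffic thresholds" outcome this section warns about.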

To tune the policy thresholds, perform the following steps:


Step 1 Initiate the threshold tuning phase by entering the following command in zone configuration mode:

protect learning

We recommend that you enable the protect and learn function, that is, activate the threshold tuning phase and set the Guard module to perform zone protection at the same time.

Alternatively, you can enter both the learning threshold-tuning command and the protect command (the order is not important).


Tip Check that the Guard module is diverting the zone traffic. Wait at least 10 seconds after initiating the policy construction phase or threshold tuning phase and enter the show rates details command. Verify that the value of the Received traffic rate is greater than zero. A value of zero indicates a diversion problem.


If the Guard module detects an attack on the zone, it stops the threshold tuning phase but continues zone protection.


Note If you activate the protect and learn function when traffic to the zone is moderate, the Guard module may regard the traffic during peak time as an attack. In this case, you can perform one of the following tasks:

Set the state of the zone policy thresholds to untuned by entering the no learning-params threshold-tuned command in zone configuration mode. See the "Marking the Policies as Tuned" section for more information.

Deactivate zone protection and continue to learn the zone policy thresholds by entering the no protect command in zone configuration mode.


To deactivate zone protection and the threshold tuning phase simultaneously, enter the deactivate command in zone configuration mode.

To activate the threshold tuning phase only, use the learning threshold-tuning command.

Step 2 (Optional) Display the zone policies that the Guard module is tuning.

You can save a snapshot of the learning parameters (services, thresholds, and other policy-related data) by using the snapshot command at any time during the threshold tuning phase. You can review the snapshot later or compare the learning parameters with another snapshot. You can save a single snapshot or save a periodic snapshot at specified intervals.

For more information, see the "Using Snapshots to Verify the Results of the Learning Process" section on page 8-35.

Step 3 Accept the policies.

You can accept the zone policies that the Guard module suggested and continue the threshold tuning phase once, or define that the Guard module automatically accept the suggested policies at specified intervals to ensure that the zone has the most updated policies and continues to learn the zone traffic.

To accept the policies that the Guard suggested and continue the threshold tuning phase, enter the following command:

learning accept [threshold-selection {new-thresholds | max-thresholds | weighted weight}]

See Table 6-7 for a description of the threshold-selection arguments and keywords.

To automatically accept the policies that the Guard suggests at specified intervals, enter the following command:

learning-params periodic-action auto-accept learn_params_days learn_params_hours learn_params_minutes

See the "Configuring Learning Parameters" section for more information.

Use the no learning-params periodic-action command to terminate the periodic action.

Step 4 After a sufficient period of time, you can terminate the threshold tuning phase and decide how to handle the newly tuned policies.


Note We recommend that you run the threshold tuning phase during peak traffic time (the busiest part of the day) for a minimum of 24 hours.


However, if the Guard module is constantly diverting the zone traffic, we recommend that you keep the protect and learn function active and do not terminate the threshold tuning phase.

You can perform one of the following actions:

Accept the suggested policies—You can accept the policy thresholds that the Guard module suggested by entering the following command in zone configuration mode:

no learning accept [threshold-selection {new-thresholds | max-thresholds | weighted weight}]

See Table 6-7 for a description of the threshold-selection arguments and keywords.

The Guard module erases previously learned thresholds.

After accepting the newly tuned policies, you can manually change the policy parameters. See Chapter 8, "Configuring Policy Templates and Policies," for more information.

Reject the suggested policies—You can reject the policy thresholds that the Guard module suggested by entering the following command in zone configuration mode:

no learning reject

The Guard module stops tuning the thresholds and reverts to prior thresholds. This process may result in a situation in which new zone policies have thresholds that were obtained according to past traffic characteristics. We recommend that you enable the threshold tuning phase at a later time or that you configure the thresholds manually.


The following example shows how to initiate the threshold tuning phase and accept the suggested policies at 1 hour intervals. It then stops the threshold tuning phase and accepts the suggested policies if the threshold values are higher than the current values (the max-thresholds method).

user@GUARD-conf-zone-scannet# learning threshold-tuning
user@GUARD-conf-zone-scannet# learning-params periodic-action auto-accept 0 1 0
user@GUARD-conf-zone-scannet# no learning accept threshold-selection max-thresholds

To display the learning results, use the show policies statistics command. See the "Displaying Policies" section on page 8-31 for more information.

After reviewing the learned thresholds, you may choose to modify some of the results. To avoid overriding these changes by future threshold tuning phases, perform one of the following tasks:

Set the policy threshold as fixed—The Guard ignores new thresholds and maintains the current ones. See the "Setting the Threshold as Fixed" section on page 8-22 for more information.

Set a fixed multiplier for the policy—The Guard calculates new policy thresholds by multiplying the learned threshold by the specified multiplier and then applying the threshold selection method on the result. See the "Configuring a Threshold Multiplier" section on page 8-23 for more information.

Configuring Learning Parameters

The learning parameters allow you to configure the learning-related actions that the Guard module can perform and how the Guard module handles specified policies. You can define the following parameters:

periodic-action—You can set the Guard module to automatically accept the zone policies and save a snapshot of the zone policies, or you can set the Guard module to save a snapshot of the zone policies only at specified intervals. See the "Configuring Periodic Actions" section for more information.

threshold-tuned—You can mark the zone policies as tuned. If the zone policies are not marked as tuned, the Guard module does not detect attacks on the zone. See the "Marking the Policies as Tuned" section for more information.

threshold-selection—You can set the default method that the Guard module uses to generate new policy thresholds after it accepts the results of the threshold tuning phase. See the "Configuring the Threshold Selection Method" section for more information.

fixed-threshold—You can set the policy threshold as fixed. The Guard module does not change the value of the policy threshold in future threshold tuning phases. See the "Setting the Threshold as Fixed" section on page 8-22 for more information.

threshold-multiplier—You can set a fixed multiplier for the policy threshold. The Guard module calculates the policy threshold in future threshold tuning phases based on the current policy threshold, the learned threshold, and the fixed multiplier. See the "Configuring a Threshold Multiplier" section on page 8-23 for more information.

To display the configuration of the learning parameters, use the show learning-params command in zone configuration mode.

Configuring Periodic Actions

You can set the Guard module to perform one of the following actions at specified intervals:

Automatically accept the zone policies and save a snapshot of the policies

Save a snapshot of the zone policies only

See the "Monitoring Policies" section on page 8-31 for more information on snapshots.

To set the periodic action the Guard module performs, enter the following command in zone configuration mode:

learning-params periodic-action {auto-accept | snapshot-only} learn_params_days learn_params_hours learn_params_minutes

Table 6-6 provides the arguments and keywords for the learning-params command.

Table 6-6 Arguments and Keywords for the learning-params periodic-action Command 

Parameter
Description

auto-accept

Accepts the policies that the Guard suggests at the specified interval. The Guard module saves a snapshot of the zone policies after accepting the newly suggested ones.

snapshot-only

Saves a snapshot of the policies at the specified interval. The Guard module does not accept the new policies and does not modify the policy thresholds.

learn_params_days

The interval in days. Enter an integer from 0 to 1000.

learn_params_hours

The interval in hours. Enter an integer from 0 to 1000.

learn_params_minutes

The interval in minutes. Enter an integer from 0 to 1000.


The value of the interval is the sum of the learn_params_days value, the learn_params_hours value, and the learn_params_minutes value.

The following example shows how to set the Guard module to accept the policies at 1 hour intervals.

user@GUARD-conf-zone-scannet# learning-params periodic-action auto-accept 0 1 0

Configuring the Threshold Selection Method

You can set the default method that the Guard module uses to generate new thresholds after new policy thresholds are accepted during the threshold tuning phase. You can accept the results of the threshold tuning phase manually, or configure the Guard module to automatically accept the results of the threshold tuning phase at specified intervals.

To configure the threshold selection method, enter the following command in zone configuration mode:

learning-params threshold-selection {new-thresholds | max-thresholds | weighted weight}

Table 6-7 provides the arguments and keywords for the learning-params threshold-selection command.

Table 6-7 Arguments and Keywords for the learning-params threshold-selection Command 

Parameter
Description

new-thresholds

Saves the results of the learning process to the zone configuration.

max-thresholds

Compares the current policy threshold to the learned threshold and saves the higher of the two to the zone configuration.

This method is the default.

weighted weight

Calculates the policy thresholds to save based on the following formula:

new-threshold = (learned-threshold * weight + current-threshold * (100 - weight)) / 100


This example shows how to configure the Guard module to accept the suggested policies if the learned threshold values are higher than the current policy threshold values:

user@GUARD-conf-zone-scannet# learning-params threshold-selection max-thresholds
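The following Python model, added here as an illustration and not part of the Guard module software, shows how the three threshold selection methods in Table 6-7 combine with the fixed-threshold and threshold-multiplier learning parameters described earlier in this chapter and with the accept-new rule that applies while the zone policies are untuned; the function and field names are hypothetical.

```python
"""Illustrative model of the Guard module's threshold selection when it accepts
threshold tuning results. Added example; names are hypothetical."""

from dataclasses import dataclass
from typing import Optional

# Keywords of the learning-params threshold-selection command (Table 6-7).
NEW_THRESHOLDS = "new-thresholds"
MAX_THRESHOLDS = "max-thresholds"
WEIGHTED = "weighted"


@dataclass
class PolicyState:
    """Learning parameters of one zone policy that affect threshold selection."""
    current_threshold: float            # value currently saved in the zone configuration
    fixed: bool = False                 # fixed-threshold: tuning never changes the value
    multiplier: Optional[float] = None  # threshold-multiplier applied to the learned value


def select_threshold(policy: PolicyState, learned_threshold: float,
                     method: str = MAX_THRESHOLDS, weight: Optional[float] = None,
                     policies_tuned: bool = True) -> float:
    """Return the threshold saved to the zone configuration after accepting
    the threshold tuning phase results.

    Rules taken from this chapter:
    - A fixed threshold is kept as is; the learned value is ignored.
    - A threshold multiplier scales the learned threshold before the
      selection method is applied.
    - While the zone policies are marked untuned, only accept-new
      (new-thresholds) is used, whatever default method is configured.
    """
    if policy.fixed:
        return policy.current_threshold

    if policy.multiplier is not None:
        learned_threshold = learned_threshold * policy.multiplier

    if not policies_tuned:
        method = NEW_THRESHOLDS

    if method == NEW_THRESHOLDS:
        return learned_threshold
    if method == MAX_THRESHOLDS:
        # Default method: keep the higher of the current and learned values.
        return max(policy.current_threshold, learned_threshold)
    if method == WEIGHTED:
        # weight is a percentage (assumed 0..100, as implied by the formula in Table 6-7).
        if weight is None or not 0 <= weight <= 100:
            raise ValueError("weighted method requires a weight between 0 and 100")
        return (learned_threshold * weight
                + policy.current_threshold * (100 - weight)) / 100
    raise ValueError(f"unknown threshold selection method: {method}")


def accept_results(policies: dict, learned: dict, method: str = MAX_THRESHOLDS,
                   weight: Optional[float] = None, policies_tuned: bool = True) -> dict:
    """Apply select_threshold to every policy and return the new thresholds.

    Policies without a learned value keep their current threshold.
    """
    new_thresholds = {}
    for name, policy in policies.items():
        if name in learned:
            new_thresholds[name] = select_threshold(policy, learned[name], method,
                                                    weight, policies_tuned)
        else:
            new_thresholds[name] = policy.current_threshold
    return new_thresholds


if __name__ == "__main__":
    # Constructed sample: three policies of one zone and their learned values.
    zone_policies = {
        "tcp/80/syn": PolicyState(current_threshold=600),
        "udp/53": PolicyState(current_threshold=200, fixed=True),
        "icmp": PolicyState(current_threshold=50, multiplier=1.5),
    }
    learned_values = {"tcp/80/syn": 1000, "udp/53": 900, "icmp": 40}
    for m in (NEW_THRESHOLDS, MAX_THRESHOLDS):
        print(m, accept_results(zone_policies, learned_values, m))
    print("weighted 25", accept_results(zone_policies, learned_values, WEIGHTED, weight=25))
```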

Marking the Policies as Tuned

The Guard module maintains a policy threshold status that records whether the zone policy thresholds are tuned, and it refers to this status when you enable the protect and learn function. The status determines whether the Guard module identifies an attack on the zone when a policy threshold is exceeded.

When a new zone is created, or after you accept the policy construction phase results for a zone, the Guard module marks the zone policy thresholds as untuned. The default thresholds of the zone templates are tuned so that the Guard module activates the anti-spoofing functions quickly if it identifies traffic anomalies in the zone traffic. When you enable the protect and learn function, the learning process might stop if the current zone traffic is higher than the current policy threshold values. To avoid such situations, the Guard module does not detect attacks in the zone traffic when you enable the protect and learn function if the zone policies are not tuned, until the zone policy thresholds are accepted one time.

If the zone policies are untuned, the Guard module activates only a threshold selection method of accept-new and ignores previous threshold values when accepting the new policies. If the Guard module accepts the threshold tuning phase results of the learning process for a zone with a threshold selection method other than accept-new, bad policy threshold values may result. See the "Configuring the Threshold Selection Method" section for more information on the threshold selection method.

The Guard module marks the zone policies as untuned in the following circumstances:

When creating a new zone

After accepting the policy construction phase results

After removing a service or adding a new service to the zone policies

The Guard module marks the zone policies as tuned after accepting the threshold tuning phase results.

You can modify the settings of the zone policies. To mark the zone policies as tuned, enter the following command in zone configuration mode:

learning-params threshold-tuned

To mark the zone policies as untuned, use the no form of this command.

You might change the status of the zone policies to tuned when one of the following applies:

The new zone is duplicated from an existing zone or snapshot that has similar traffic characteristics.

You have manually configured all policy thresholds.

You might change the status of the zone policies to untuned when one of the following applies:

A major change was made in the zone network.

The zone IP address or subnet was modified.

You have not initiated the protect and learn function during peak traffic time (to prevent the Guard module from regarding the traffic during peak time as an attack).

When the zone policies are marked as untuned, the Guard module does not monitor the current policy thresholds and does not detect attacks on the zone if the policy thresholds are exceeded.


Note Do not change the status of the zone policies to untuned if there is an attack on the zone, because that prevents the Guard module from detecting the attack and causes the Guard module to learn thresholds of malicious traffic.


The following example shows how to mark the status of the zone policies as tuned:

user@GUARD-conf-zone-scannet# learning-params threshold-tuned

Tuning Zone Policy Thresholds and Enabling Zone Protection Simultaneously

After an initial learning process of constructing policies, you can activate the learning process and enable zone protection simultaneously using the protect and learn function. The Guard module tunes the policy thresholds and at the same time monitors the policy thresholds for traffic anomalies. The protect and learn function enables the Guard module to protect the zone, constantly update the policy thresholds according to the zone traffic characteristics, and prevents the Guard module from learning malicious traffic thresholds.

When you create a new zone, when you add or remove a service from the zone policies, or after you accept the policy construction phase results, the Guard module marks the zone policies as untuned. The Guard module marks the zone policies as tuned only after you accept the results of the threshold tuning phase of the learning process.

If you enable the learning process and zone protection simultaneously and the zone policies are not tuned, the Guard module functions in the following ways:

The Guard module does not detect attacks in zone traffic (until the zone policy thresholds are accepted once)

The Guard module activates a threshold selection method of accept-new only (see the "Configuring the Threshold Selection Method" section)

When the Guard module identifies an attack on the zone, it stops the learning process but continues to protect the zone and resumes protecting the zone and learning the zone traffic characteristics when the attack ends.

Before you activate the protect and learn function, you can configure when and how the Guard module accepts the results of the learning process. See the "Configuring Learning Parameters" section for more information.

To activate the learning process and zone protection simultaneously, use the protect learning command or enter both the learning threshold-tuning command and the protect command (the order is not important).

See the "Tuning Thresholds" section and the "Protecting the Zone" section for more information.

Synchronizing the Zone Configuration in the Guard Module with the Cisco Traffic Anomaly Detector Module

You can synchronize the zone configuration and policies with the zone on the Cisco Traffic Anomaly Detector Module (Detector module). The Detector module copies the complete zone configuration to the Guard module. This process allows you to configure the zone once, but maintain the same configuration and policies on both the Guard module and the Detector module.

Communication between the Detector module and the Guard module requires the Secure Sockets Layer (SSL) protocol, which provides authentication and encryption. You must configure the SSL communication connection channel before you synchronize the zone. See the "Establishing Communication with the Cisco Traffic Anomaly Detector Module" section on page 4-22 for more information.

You can set the Detector module to continuously learn the zone traffic characteristics to keep the zone policies updated, and avoid constantly diverting the zone traffic to the Guard module.

You must create the zone for synchronization and synchronize the zone from the Detector module. See the Cisco Traffic Anomaly Detector Module Configuration Guide for more information.

This section contains the following topics:

Configuration Guidelines

Synchronizing the Zone Configuration Offline

Example Scenario

Configuration Guidelines

To synchronize zones between a Guard module and a Detector module, use the following guidelines:

Create the new zone on the Detector module using zone templates that are appropriate for both the Guard module and the Detector module (GUARD zone templates).

Ensure that the same type of traffic flows to both the Guard module, when it is diverting traffic, and the Detector module for proper synchronization of zone policies. Otherwise, the zone global policies may be too high or too low to guarantee proper protection for spoofed DDoS attacks.

Use the Detector module as the central configuration point because you can create new zones on the Detector module only and the configuration file of the Detector module contains the configuration of both the Detector module zones and the Guard module zones. Configure the zones on the Detector module and maintain a backup of the Detector module configuration. Copy the zone configuration from the Detector module to the Guard module.

If you change (swap out) a device or the IP address of the interface that the Detector module and the Guard module use to communicate, regenerate the SSL certificates that the Detector module and the Guard module use for secure communication.

Verify the zone configuration on the Guard module. If the activation extent is ip-address-only and the activation method is not zone-name-only, we recommend that you configure the timer that the Guard module uses to identify that an attack on the zone has ended by entering the protection-end-timer command. If the value of the protection-end-timer is forever, the Guard module does not identify that an attack on the zone has ended and does not delete the sub-zone it had created to protect the specific IP address.

See the "Configuring the Activation Method" section, the "Configuring the Activation Extent" section, and the "Configuring the Protection Inactivity Timeout" section for more information.

Synchronizing the Zone Configuration Offline

You can synchronize a zone configuration even if you cannot establish a secure communication channel between the Detector module and a Guard module. You may need to synchronize a zone configuration offline if one of the following conditions applies:

The Guard module does not have access to the Detector module

The Detector module does not have access to the Guard module

The Detector module communicates with the Guard module across a Network Address Translation (NAT) device

To synchronize a zone configuration offline, you must first export the zone configuration from the Detector module to an FTP or a Secure FTP (SFTP) server, and then manually import the zone configuration to the Guard module. Because there is no secure communication channel between the Guard module and the Detector module, you must manually activate the Guard module to protect the zone when the Detector module detects anomalies in the zone traffic.

See the "Protecting the Zone" section for more information.

To enable the Guard module to synchronize the zone configuration, you must create the zone on the Detector module using one of the GUARD zone templates.

To synchronize the zone configuration offline, perform the following steps:


Step 1 Export the zone configuration from the source device (Guard module or Detector module) by entering the following command in global mode:

copy zone zone-name running-config ftp 

See the "Exporting Configuration" section on page 12-2.

Step 2 Import the zone configuration from an FTP or SFTP server to the target device by entering one of the following commands in global mode:

copy ftp running-config server full-file-name [login [password]]

copy sftp running-config server full-file-name login

See the "Importing and Updating Configuration" section on page 12-3 for more information.



Note We recommend that you deactivate a zone before importing the zone configuration.


Example Scenario

This example scenario shows how to make use of synchronization to ensure proper zone protection according to current traffic characteristics:

1. Create and configure a new zone on the Detector module using one of the GUARD zone templates.

The Guard module identifies such zones by displaying (Guard/Detector) next to the zone ID field in the output of the show command in zone configuration mode.

2. Add the Guard module to the zone SSL remote Guard list or the default SSL remote Guard list on the Detector module.

3. Set the Detector module to construct the zone policies by entering the learning policy-construction command.

4. Set the Detector module to learn the zone traffic and tune the policy thresholds while detecting traffic anomalies by entering the detect learning command.

5. Configure the Detector module to accept the policy thresholds every 24 hours to ensure that the zone policies are updated with the changing traffic patterns.

6. Configure the Detector module to synchronize the zone configuration with the Guard module each time that it accepts the new learned policy thresholds to ensure that when the Detector module learns new zone policy thresholds, the zone policies on the Guard module are also updated.

7. Configure the Detector module to synchronize the zone configuration with the configuration on the Guard module before activating the Guard module to protect the zone to ensure that the zone configuration and policies on the Guard module are updated when the Guard module activates zone protection.

8. When the Detector module detects an attack on the zone, it performs the following actions:

Verifies that the zone configuration on the Guard module is updated. If the zone configuration on the Guard module is not the same as the zone configuration on the Detector module, the Detector module synchronizes the zone configuration.

Activates the Guard module to protect the zone (The Guard module activates zone protection).

Stops the learning process for the zone but continues to detect anomalies in the zone traffic to prevent the Detector module from learning malicious traffic thresholds.

You can modify the zone policies on the Guard when the attack is in progress.

The Detector module polls the Guard module constantly. When it identifies that the Guard module has deactivated zone protection (the Guard module deactivates zone protection when the attack ends) and that no additional traffic anomalies exist, it reactivates zone anomaly detection and the learning process.

9. If you manually modify the zone policies on the Guard module to adjust the zone policies to the attack characteristics, you can synchronize the new policies with the Detector module. This is important if the zone traffic requires that you set certain policy thresholds as fixed or set a fixed multiplier for policy thresholds because it ensures that the Detector module has the correct policy thresholds, calculates the thresholds correctly in future threshold tuning phases, and updates the Guard module policies with the correct thresholds.

For more information, see the "Setting the Threshold as Fixed" section on page 8-22 and the "Configuring a Threshold Multiplier" section on page 8-23.

You can perform this action only from the Detector module. See the Cisco Traffic Anomaly Detector Module Configuration Guide for more information.

Protecting the Zone

Before activating zone protection, we recommend that you let the Guard module study the zone traffic patterns or synchronize the zone configuration, including the zone policies, from a Cisco Traffic Anomaly Detector Module (Detector module). The learning process allows the Guard module to learn the traffic patterns of each zone and to create sets of recommended thresholds according to statistical analysis of the zone traffic. You can protect several zones at the same time only if their IP address ranges do not overlap.

You must configure diversion before initiating the learning process or divert the zone traffic to the Guard module manually. Configure zone diversion using the Guard module routing configuration.

See Chapter 5, "Configuring Traffic Diversion" for more information.

If the zone is not under attack, you can activate the protect and learn function to enable the Guard module to constantly divert the zone traffic and tune the zone policy thresholds. See the "Learning the Zone Traffic Characteristics" section for more information.

You can define the following protection characteristics:

Operation mode—You can configure how the Guard module performs zone protection and define whether the Guard module applies measures to protect the zone automatically or in an interactive manner.

Activation method—You can define whether to activate the zone according to the zone name, the zone address range or the received traffic. You should configure the activation method if zone protection is activated by an external device (such as a Cisco Traffic Anomaly Detector Module).

Activation extent—You can define whether to activate zone protection for the entire zone address range, or only for a specific IP address within the zone. The activation extent applies to zones where zone protection is activated by an external device, such as a Cisco Traffic Anomaly Detector Module, only.

Protection termination timeout—You can define the timeout after which the Guard module terminates zone protection.

This section contains the following topics:

Activating Zone Protection

Deactivating Zone Protection

Configuring How the Guard Performs Zone Protection

Configuring the Activation Method

Configuring the Activation Extent

Configuring the Protection Inactivity Timeout

Activating Zone Protection

You can wait for an external device (such as a Cisco Traffic Anomaly Detector Module) to detect an attack on the zone before setting the Guard module to protect the zone, or command the Guard module to protect the zone after configuring the zone. When the Guard module protects a zone, the Guard module diverts the zone traffic to itself and applies its protection policies.

If the zone is under attack before the Guard module has learned the zone traffic characteristics, use on-demand protection to protect the zone. The Guard module default policy thresholds for a new zone enable effective on-demand protection. See the "Enabling On-Demand Protection" section for more information.


Note You must manually divert the zone traffic to the Guard module using an external device if you configure the activation extent to packet by entering the activation-interface command; otherwise, the Guard module cannot monitor the zone traffic.


You can activate zone protection in one of the following ways:

Protect the entire zone—See the "Protecting the Entire Zone" section.

Protect an IP-specific zone that is part of the zone address range—See the "Protecting an IP Zone that is Part of the Zone Address Range" section.

Protect a specific IP address even if you do not know the name of the zone whose address range includes it—See the "Protecting an IP Address when the Zone Name is Not Known" section.


Tip Check that the Guard module is receiving the zone traffic. Wait at least 10 seconds after activating zone protection and enter the show rates command. Verify that the value of at least one of the rates is greater than zero. If the value of all rates equals zero, a diversion problem could exist.


Protecting the Entire Zone

You can protect the entire zone by entering the following command in zone configuration mode:

protect [learning]

The learning keyword sets the Guard module to protect the zone and tune the policy thresholds. See the "Tuning Thresholds" section for more information.

The following example shows how to activate zone protection:

user@GUARD-conf-zone-scannet# protect

Protecting an IP Zone that is Part of the Zone Address Range

You can protect an IP-specific zone that is a part of the zone address range. In this case, the Guard module creates a new zone. The name of the new zone consists of the first 30 characters of the major zone and the specific IP address concatenated by an underscore. If a zone by the same name already exists, the Guard module activates zone protection for the existing zone instead of creating another zone by the same name.

To activate zone protection for an IP-specific zone, enter the following command in global mode:

protect zone-name ip-address-general

Table 6-8 provides the arguments for the zone configuration mode protect command.

Table 6-8 Arguments for the Zone Configuration Mode protect Command 

Parameter
Description

zone-name

The name of the zone

ip-address-general

The specific IP address within the zone address range. Enter the IP address in dotted-decimal notation. For example, enter 192.168.5.6.


To remove this zone, use the no form of the zone command.

The following example shows how to activate zone protection for IP address 192.168.5.6 that is included in the IP address range of the zone scannet:

user@GUARD# protect scannet 192.168.5.6
creating zone scannet_192.168.5.6
user@GUARD#

Protecting an IP Address when the Zone Name is Not Known

You can protect a specific IP address even if you do not know the name of the zone whose IP address range includes the address by entering the following command in global mode:

protect ip-address-general [subnet-mask]

Table 6-9 provides the arguments for the global mode protect command.

Table 6-9 Arguments for the Global Mode protect Command 

Parameter
Description

ip-address-general

The specific IP address within a zone address range. Enter the IP address in dotted-decimal notation. For example, enter 192.168.5.6.

subnet-mask

The subnet mask for which zone protection is activated. Enter the IP address in dotted-decimal notation. For example, enter 255.255.255.252.


The Guard module activates zone protection according to the IP address activation method. See the "Configuring the Activation Extent" section for more information.

The following example shows how to activate zone protection for IP address 192.168.5.6:

user@GUARD# protect 192.168.5.6

You can enter the protect-related commands for several zones at the same time. Enter the command in global mode and use an asterisk (*) as a wildcard. For example, to stop zone protection for all zones, enter the no protect * command in global mode. To stop zone protection for all zones with names that begin with scan (such as scannet and scanserver), enter the no protect scan* command in global mode.

Deactivating Zone Protection

When there is no attack on a zone and you rely on another source for detecting zone traffic anomalies, you may want to deactivate zone protection and end traffic diversion to the Guard module.

To deactivate zone protection, enter one of the following commands in zone configuration mode:

no protect—Ends zone protection. If you enabled the protect and learn function, the Guard module continues to learn the policy thresholds.

deactivate—Ends both zone protection and the threshold tuning phase of the learning process.

The following example shows how to deactivate zone protection and the learning process:

user@GUARD-conf-zone-scannet# deactivate

Configuring How the Guard Performs Zone Protection

You can configure the Guard to perform zone protection in one of the following ways:

Automatic protect mode—Dynamic filters are activated without user intervention. This operation mode is the default.

Interactive protect mode—Dynamic filters are activated manually in an interactive mode. The dynamic filters are grouped as recommendations that await your decision. You can review and decide which recommendations to accept, ignore, or direct to automatic activation.

See Chapter 9, "Using Interactive Protect Mode," for more information.

Configuring the Activation Method

The activation method defines how the Guard module identifies the zone for which it activates zone protection once it receives an external indication. This indication can be a command from an external device, such as a Cisco Traffic Anomaly Detector Module, or traffic that is destined to the zone (packet).

The Guard module supports the following activation methods:

Zone name—Activates zone protection based on the zone name. A command from an external device, such as a Cisco Traffic Anomaly Detector Module, to activate zone protection must include the zone name. This activation method is the default.

IP address—Activates zone protection when it receives a command from an external device, such as a Cisco Traffic Anomaly Detector Module, that consists of an IP address or subnet that is part of the zone. The Guard module scans the zone database and activates the zone that has an address range that includes the received IP address or subnet. If you have configured several zones with an address range that includes the received IP address, the Guard module activates the zone with the longest prefix match (the zone that has the most specific address range that includes the received IP address). The received IP address or subnet must be completely included in the zone IP address range.


Caution Do not configure more than one zone with the same address range with an address or packet activation method.

Packet (Traffic)—Activates zone protection when it receives traffic that is destined to the zone. The Guard module scans the zone database and activates the zone that has an address range that includes the received packet IP address. If you have configured several zones with an address range that includes the received packet IP address, the Guard module activates the zone with the longest prefix match (the zone that has the most specific address range that includes the received packet IP address). The received IP address or subnet must be completely included in the zone IP address range.

The Guard module activates zone protection only if the received traffic rate to a single IP address is higher than the activation sensitivity. The activation sensitivity is defined globally and applies to all zones.

To change the minimum packet rate that is required to activate zone protection, enter the following command in configuration mode:

protect-packet activation-sensitivity min-rate

The min-rate argument defines the minimum packet rate that is destined to a single zone destination IP address that causes the Guard module to activate zone protection. The default is 0 pps.


Note If you configure the activation method to packet by entering the activation-interface command, you must manually divert the zone traffic to the Guard module using an external device; otherwise, the Guard module cannot monitor the zone traffic.


IP Address or Packet—Activates zone protection when it receives traffic (packet) that is destined to the zone or when it receives a command from an external device, such as the Cisco Traffic Anomaly Detector Module, that consists of an IP address or subnet that is part of the zone address range. See the IP address and Packet (Traffic) bullets in this section for more information.

If the activation method is not zone-name-only, the Guard module activates the entire zone or the specified IP address range according to the zone activation extent (see "Configuring the Activation Extent" section).

To configure the activation method, enter the following command in zone configuration mode:

activation-interface {packet | ip-address | packet-or-ip-address | zone-name-only}

The default is zone-name-only. If you duplicate a zone (see the "Duplicating a Zone" section), the activation interface is set to the default, regardless of the configuration of the source zone.


Note If the activation extent is ip-address-only (see "Configuring the Activation Extent" section) and the activation method is not zone-name-only, we recommend that you configure the timer that the Guard module uses to identify that an attack on the zone has ended by using the protection-end-timer command (see the "Configuring the Protection Inactivity Timeout" section). If the value of the protection-end-timer is forever, the Guard module does not identify that an attack on the zone has ended and does not delete the sub-zone that it has created to protect the specific IP address.


You can create a default zone for the Guard module to protect if the received IP address or packet is not part of any other zone. You can define a default zone only if the network is homogenous and can use the same zone template. You cannot perform the learning process for a default zone. Create the zone with an IP address of 0.0.0.0 and a subnet of 0.0.0.0. Define the activation extent as ip-address (see the "Configuring the Activation Extent" section).

To display the zone activation method, enter the show running-config command in zone configuration mode.

Configuring the Activation Extent

The activation extent defines whether to activate zone protection for the entire zone or for a partial zone once the Guard module receives an external indication. This indication can be a command from an external device, such as the Cisco Traffic Anomaly Detector Module, or traffic that is destined to the zone (packet).

The Guard module supports the following activation extents:

Entire zone—Activates zone protection for the entire zone. The Guard module activates zone protection when it receives traffic that is destined to the zone or when it receives an external indication that consists of an IP address or subnet that is part of the zone.

IP Address only—Activates zone protection only for the specified IP address or subnet. When the Guard module receives traffic that is destined to the zone or when it receives a command from an external device, such as the Cisco Traffic Anomaly Detector Module, that consists of an IP address or subnet that is part of the zone, the Guard module creates a new zone (subzone). This activation extent is the default. See the "Understanding Subzones" section for more information.

To configure the activation extent, enter the following command in zone configuration mode:

activation-extent {entire-zone | ip-address-only}

Table 6-10 provides the arguments for the activation-extent command.

Table 6-10 Arguments for the activation-extent Command

Parameter          Description
entire-zone        Activates zone protection for the entire zone.
ip-address-only    Activates zone protection only for the specified IP address or subnet. This activation extent is the default.


The following example shows how to configure the activation extent to entire-zone:

user@GUARD-conf-zone-scannet# activation-extent entire-zone

To display the zone activation extent, use the show running-config command.

Understanding Subzones

The Guard module creates a subzone when it activates zone protection for a partial zone (a zone that does not include the complete IP address range of the source zone). The IP address range of the subzone is included in the address range of the source zone.

The subzone configuration is identical to the configuration of the source zone apart from the IP address and name that are different. The name of the subzone consists of the first 30 characters of the name of the source zone, the IP address and the subnet, concatenated with underscores. If the subzone consists of a single IP address, the subnet is not added. For example, If the name of the source zone is scannet with an address range of 10.10.10.0 and a subnet of 255.255.255.0 and the Guard module activates zone protection for an internal range of IP address 10.10.10.192 and subnet 255.255.255.252, the name of the subzone is scannet_10.10.10.192_255.255.255.252.

The IP address and subnet of the subzone are the IP address and subnet that the Guard module received with the external command, or the IP address of the packet that triggered the Guard module to activate zone protection.
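The following added example (not Cisco code) models two behaviours described above: how the Guard module selects the zone to protect for the ip-address and packet activation methods (longest prefix match, received range fully inside the zone range, a 0.0.0.0/0.0.0.0 default zone matching last), and how the resulting subzone is named. The zone names and addresses are constructed for the example; only scannet and the 10.10.10.192/255.255.255.252 range come from this section.

```python
import ipaddress

def _net(ip, mask):
    """Build a network from a dotted address and dotted mask (None means a single host)."""
    return ipaddress.ip_network(f"{ip}/{mask or '255.255.255.255'}", strict=False)

def select_zone(zones, ip, mask=None):
    """Return the name of the zone whose range fully contains ip/mask, preferring the most specific.

    zones: list of (zone_name, zone_ip, zone_mask) as configured with the ip address command.
    Returns None when no zone (not even a 0.0.0.0/0.0.0.0 default zone) contains the range.
    """
    received = _net(ip, mask)
    best = None
    for name, zone_ip, zone_mask in zones:
        zone_net = _net(zone_ip, zone_mask)
        # The received address or subnet must be completely included in the zone range.
        if not received.subnet_of(zone_net):
            continue
        # Longest prefix match; with equal ranges the first configured zone is kept,
        # which is why the guide cautions against duplicate ranges.
        if best is None or zone_net.prefixlen > best[1].prefixlen:
            best = (name, zone_net)
    return best[0] if best else None

def subzone_name(source_zone, ip, mask=None):
    """Subzone name: first 30 characters of the source zone name, the IP address and
    the subnet joined with underscores; the subnet is omitted for a single IP address."""
    parts = [source_zone[:30], ip]
    if mask and mask != "255.255.255.255":
        parts.append(mask)
    return "_".join(parts)

# Constructed zone database: a /24 zone, a more specific /25 inside it, and a default zone.
ZONES = [
    ("scannet", "10.10.10.0", "255.255.255.0"),
    ("scannet-dmz", "10.10.10.0", "255.255.255.128"),   # constructed name and range
    ("default", "0.0.0.0", "0.0.0.0"),
]

if __name__ == "__main__":
    zone = select_zone(ZONES, "10.10.10.192", "255.255.255.252")
    print(zone, "->", subzone_name(zone, "10.10.10.192", "255.255.255.252"))
```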

Once zone protection for the subzone ends, the Guard module erases the subzone, but does not erase the logs and attack reports of the subzone. The Guard module terminates zone protection for a subzone according to the activation method and the protection termination timeout that are configured for the source zone.

To display the logs and reports of the subzone after the Guard module has erased it, enter the following commands:

show log sub-zone-name—See the "Displaying the Guard Module Configuration" section on page 11-2 for more information

show reports sub-zone-name [report-id | current] [details]—See the "Displaying Attack Reports" section on page 10-12 for more information

To display a list of the subzones, enter the command and press TAB for the sub-zone-name argument.

Configuring the Protection Inactivity Timeout

The Guard module can activate or deactivate zone protection and the learning process when the Guard module identifies that an attack on the zone has ended. If the Guard module is protecting a zone, it terminates zone protection when the zone is no longer under attack. If the protect and learn function is enabled, the Guard module deactivates the learning process when it detects an attack on the zone, and resumes the learning process when the zone is no longer under attack.

The Guard module verifies whether an attack on the zone has ended according to an inactivity timeout. You can define this timeout from seconds to infinite.

To define the inactivity timeout, enter the following command in zone configuration mode:

protection-end-timer {time-seconds | forever}

Table 6-11 provides the arguments and keywords for the protection-end-timer command.

Table 6-11 Arguments and Keywords for the protection-end-timer Command

Parameter       Description
time-seconds    The timeout in seconds. Enter an integer greater than 60.
forever         Indefinite timeout.


The default is forever. If you do not change the default value, you must deactivate zone protection manually.

The following example shows how to configure the protection inactivity timeout:

user@GUARD-conf-zone-scannet# protection-end-timer 300

The Guard module measures inactivity based on dynamic filter inactivity and dropped traffic. If, for the configured span of time, no dynamic filters are in use and both of the following conditions apply, the Guard module assumes that the attack on the zone has ended:

No new dynamic filters are added—See the "Deactivating Dynamic Filters" section on page 7-34 for information on how the Guard module decides when to remove dynamic filters.

The rate of the zone traffic that is being dropped is lower than the defined threshold—The Guard module drops zone packets that the dynamic filters, user filters, and flex-content filters have identified as part of an attack, or traffic that has exceeded the rate limit that was defined for the zone using the rate-limit command. It counts the dropped packets using the zone dropped counter (see the "Displaying Zone Counters" section on page 11-4 for more information). The default threshold is 1 pps. To change the drop counter threshold, enter the following command in zone configuration mode:

attack-detection zone-malicious-rate threshold

The threshold argument defines the minimum rate of dropped zone packets. If the rate goes lower than this threshold, the Guard module may end zone protection.

If the zone activation method is Packet, the Guard module checks for inactivity based on the received traffic before deactivating a zone. The Guard module deactivates protection only if the previous conditions apply, and no packet to the zone was received.
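The following added example (not Cisco code) models the inactivity check described above: the attack is treated as ended only when, for the whole protection-end-timer window, no new dynamic filters were added, the dropped packet rate stayed below the zone-malicious-rate threshold and, for the packet activation method, no packet to the zone was received. The per-second samples and the short timer values are constructed for the example (the real command requires an integer greater than 60).

```python
from dataclasses import dataclass

@dataclass
class Sample:
    """One-second snapshot of a zone's counters (constructed for this example)."""
    new_dynamic_filters: int   # dynamic filters added during this second
    dropped_pps: float         # zone dropped counter rate (dynamic, user and flex filters, rate-limit)
    packets_received: int      # packets destined to the zone during this second

def attack_ended(samples, protection_end_timer, malicious_rate=1.0,
                 activation_method="zone-name-only"):
    """Return True if the last protection_end_timer seconds show no attack activity.

    protection_end_timer: integer seconds, or the string "forever" (protection never ends
                          on its own and must be deactivated manually).
    malicious_rate: attack-detection zone-malicious-rate threshold in pps (default 1 pps).
    activation_method: activation-interface setting; "packet" adds the no-traffic condition.
    """
    if protection_end_timer == "forever":
        return False
    window = samples[-protection_end_timer:]
    if len(window) < protection_end_timer:
        return False          # not enough history yet to cover the timeout
    for s in window:
        if s.new_dynamic_filters > 0:          # filters still being added: attack ongoing
            return False
        if s.dropped_pps >= malicious_rate:    # still dropping at or above the threshold
            return False
        if activation_method == "packet" and s.packets_received > 0:
            return False                       # packet activation: any traffic keeps it alive
    return True

# Constructed 6-second history: filters added and heavy drops first, then the zone goes quiet.
HISTORY = [
    Sample(2, 850.0, 12000), Sample(0, 30.0, 9000), Sample(0, 0.5, 400),
    Sample(0, 0.0, 400), Sample(0, 0.0, 0), Sample(0, 0.0, 0),
]

if __name__ == "__main__":
    for timer in (3, 5, "forever"):
        print(timer, attack_ended(HISTORY, timer))
```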

Enabling On-Demand Protection

You can protect a zone without performing the learning process when there is an immediate need, such as when the zone is under attack. The system-defined zone templates include predefined zone protection policies and user filters that are suited to protect a zone that has not finished the learning process. The default thresholds of these zone policies are tuned so that the Guard module activates the anti-spoofing functions quickly if it identifies traffic anomalies in the zone traffic.

Because the Guard module does not know the zone traffic patterns, the thresholds used to block (drop) source IP addresses are set to high values. On-demand protection requires user intervention when mitigating non-spoofed attacks. You must monitor the zone legitimate and malicious traffic rates and view the Guard module mitigation actions.

You may require on-demand protection for a zone if there is an attack on the zone and one of the following conditions applies:

The zone is in the learning process.

You have enabled the protect and learn function but the Guard module has not yet learned the zone traffic characteristics.

You have accepted policy thresholds that you think do not represent the zone traffic.

To initiate on-demand protection, perform the following steps:


Step 1 Create a new zone by entering the following command:

zone new-zone-name [template-name] [interactive]

See the "Creating a New Zone" section for more information.

Step 2 Define the zone IP address by entering the following command:

ip address ip-addr [ip-mask] 

See the "Configuring Zone Attributes" section for more information.

Step 3 Activate zone protection by entering the following command:

protect

See the "Protecting the Zone" section for more information.

Step 4 Analyze the zone traffic patterns. See Chapter 13, "Analyzing Guard Module Mitigation" for more information.

