Cisco Anomaly Guard Module Web-Based Manager Configuration Guide (Software Version 5.0)
Configuring Policy Templates

Table Of Contents

Configuring Policy Templates

Policy Template Types

Modifying a Policy Template Configuration


Configuring Policy Templates


A policy template is a collection of rules and guidelines the Guard module uses during the policy construction phase of the learning process to construct new zone policies for services it detects in the zone traffic flow. The output of each policy template is a set of zone policies the Guard module uses to protect the zone against DDoS attacks. When you create a new zone, the Guard module includes a set of policy templates in the new zone configuration.

This chapter describes how to perform advanced policy template configuration tasks. Changes you make to a zone policy template configuration affect the policy generation phase of the learning process. Using the WBM, you can enable, disable, or modify the zone policy templates to control the policies the Guard module creates during the policy generation phase.

This chapter includes the following sections:

Policy Template Types

Modifying a Policy Template Configuration

Policy Template Types

The Guard module can use several types of policy templates during the policy construction phase to match the services in a traffic flow. The name of each policy template is derived from the characteristic that is common to all the policies the Guard module creates from it. The characteristic can be a protocol such as DNS, an application such as HTTP, or an objective such as ip_scan. For example, the tcp_connections policy template produces policies that relate to connection characteristics, such as the number of concurrent connections.

Table 6-1 describes each of the Guard module policy template types.

Table 6-1 Policy Templates 

Policy template
Produces a set of policies relating to . . .

dns_tcp

DNS-TCP protocol traffic.

dns_udp

DNS-UDP protocol traffic.

fragments

Fragmented traffic.

http

HTTP traffic flowing (by default) through port 80 or other user-configured ports.

ip_scan

IP scanning traffic (a situation in which a source IP address attempts to access several destination IP addresses within the zone). This policy template is designed primarily for applications in which the defined zone is a subnet. By default, this policy template is disabled. The default action configured for this policy template is notify.


Caution Policies created by the ip_scan policy template are resource consuming and may affect performance.

other_protocols

Protocols other than TCP and UDP.

port_scan

Port scanning. The port_scan policy template produces policies that manage attacks in which a remote client from a specific source IP address attempts to access several ports within the zone. By default, this policy template is disabled. The default action for this policy template is notify.


Caution Policies created by the port_scan policy template are resource-consuming and may affect performance.

tcp_connections

TCP connection characteristics.

tcp_not_auth

TCP connections that the Guard module anti-spoofing feature has not authenticated.

tcp_outgoing

TCP connections initiated by the zone.

tcp_ratio

Ratios between different types of TCP packets, such as SYN packets versus FIN/RST packets.

tcp_services

TCP services on ports other than the HTTP-related ports, such as ports 80 and 8080.

tcp_services_ns

TCP services. By default, the policies created by the tcp_services_ns template relate to IRC ports (666X), SSH, and Telnet. This policy template does not create policies with actions that apply the Strong protection level to the traffic flow.

udp_services

UDP services.


The Guard module first looks for indicators of TCP traffic on dedicated ports 6660 to 6670 and 21 to 23. If the Guard module detects traffic on these ports, the following actions occur:

The tcp_services_ns policy template produces a set of policies for the TCP traffic on ports 6660 to 6670 and 21 to 23.

The tcp_services policy template processes TCP services on all other ports.

If the Guard module does not detect traffic on these ports, the tcp_services_ns policy template is not used.

Table 6-2 lists additional policy templates that are designed for zones for which you do not want the Guard module to serve as a proxy. You can use these policy templates if the zone is moderated according to IP addresses, such as an Internet Relay Chat (IRC) server-type zone. The policies created by these templates do not have actions that apply the Strong protection level to the traffic flow.

If you define a zone with the GUARD_TCP_NO_PROXY zone template, the Guard module uses the policy templates described in Table 6-2. The Guard module replaces the http, tcp_connections, and tcp_outgoing policy templates with the http_ns, tcp_connections_ns, and tcp_outgoing_ns policy templates, respectively.

Table 6-2 TCP_NO_PROXY Policy Templates 

Policy template
Produces a group of policies relating to . . .

tcp_connections_ns

TCP connection characteristics.

tcp_outgoing_ns

TCP connections initiated by a zone.

http_ns

HTTP traffic flowing (by default) through port 80 or other user-configured ports.


Modifying a Policy Template Configuration

To control the policies the Guard module creates during the policy construction phase, you can modify certain policy template parameters in the following ways:

Enable or disable the policy template. Only enabled policy templates produce policies based on the services the Guard module detects during the policy generation phase. Some of the policy templates create an additional policy to handle all traffic flows for which a specific policy was not added. These policies are added with a service of any.

Control when the policy template creates policies during the learning process (based on the volume of traffic for a service).

Define the maximum number of policies that the Guard module can produce using the policy template during the learning process.

To modify the configuration of a policy template:


Step 1 Select a zone from the navigation pane. The zone main menu appears.

Step 2 Choose Configuration > Policy templates from the zone main menu. The Policy Templates screen appears.

Step 3 Select a policy template. The Config policy template screen appears.

Step 4 Modify the desired parameters of the policy template. Table 6-3 describes the policy template parameters listed in the Policy Template Form. Depending on the type of policy template selected, some or all of the parameters listed in the table display for editing.

Table 6-3 Policy Template Parameters 

Parameter
Description

State

Operating state of the policy template. Choose one of the following options:

enable—Policy template is applied to the traffic flow during the policy construction phase of the learning process. When the Guard module detects a service, it creates a new policy based on the rules of the policy template designed for the detected service.

disable—The Guard module does not apply the policy template to the traffic flow during the policy construction phase of the learning process. If the Guard module detects a service associated with the disabled policy template, it does not create a new policy.


Caution Disabling a policy template may seriously compromise zone protection. When you disable a policy template, the Guard module does not produce policies to manage the type of malicious traffic the policy template is designed to manage.

Min Threshold

Defines the minimum traffic volume for a service. Once a specific traffic flow with that service exceeds the threshold, the Guard module constructs policies that relate to the traffic. You cannot configure this parameter for policy templates that are essential for proper zone protection and therefore always construct a policy. You can configure the minimum threshold for the following policy templates: http, tcp_services, tcp_services_ns, udp_services, other_protocols, and port_scan.

Enter the minimum threshold rate in packets per second (pps). For policies that measure concurrent connections or the SYN/FIN ratio, the threshold value is a total number of connections rather than a packet rate.

Max Services

The maximum number of services (protocol numbers or port numbers) that the policy template picks up and creates policies for. Enter an integer that defines the maximum number of services.

The Guard module ranks the services that the policy template applies to by their traffic volume. Among the services that exceed the minimum threshold (as defined by the Min Threshold parameter), the Guard module selects those with the highest traffic volume, up to the maximum number of services, and creates a policy for each. The Guard module may add one additional policy, with the service parameter set to any, to handle all other traffic flows that have the characteristics of the policy template. The higher the maximum number of services you configure, the more Guard module memory the zone requires.

You can define this parameter only for policy templates that detect services: tcp_services, tcp_services_ns, udp_services, and other_protocols. You cannot configure this parameter for:

Policy templates that relate to a specific service, such as the dns_tcp policy template, which relates to service 53

Policy templates that relate to a specific traffic characteristic, such as the fragments policy template

The Guard module measures the traffic rate to a service according to the traffic characteristics of the policy. The traffic characteristic can be the source IP addresses, the destination IP addresses, or the source nets. A policy that relates to the service any measures the rate of source IP addresses on all services that are not handled by a specific policy, so it is less precise than a service-specific policy.


Step 5 Choose one of the following options:

OK—Saves the new policy template configuration. The Policy Template screen appears.

Clear—Reverts the form information back to the default values and clears any information you added.

Cancel—Exits the Config policy template screen without saving any information. The Policy Template screen appears.
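The following model ties together two passages above: the port split between tcp_services_ns (ports 6660 to 6670 and 21 to 23) and tcp_services, and the way Min Threshold and Max Services select which services get their own policy, with a catch-all policy for service any. It is an added example written for this page, not Cisco code and not the Guard module's actual algorithm. The flow records, the per-template settings, the classify() mapping, the tie-break on equal volume, and the rule that the any policy is added only when the template saw some traffic are all assumptions made for illustration; the Guard module's real defaults are not reproduced.

```python
"""Model of the Guard module's policy construction phase (added example, not Cisco code).

Assumptions, not from the guide: the flow sample, the template settings, the
classify() mapping, tie-breaking on equal volume, and adding the "any" policy
only when the template saw traffic.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Ports the guide assigns to tcp_services_ns: IRC 6660-6670 and 21-23.
NS_PORTS = set(range(6660, 6671)) | set(range(21, 24))
# HTTP-related ports owned by the http template (80 by default; 8080 named in Table 6-1).
HTTP_PORTS = {80, 8080}


@dataclass(frozen=True)
class Template:
    name: str
    enabled: bool = True
    min_threshold: Optional[int] = None  # pps; None: essential template, always builds a policy
    max_services: Optional[int] = None   # None: not configurable for this template
    adds_any: bool = False               # builds a catch-all policy with service "any"


def classify(proto, port):
    """Map one flow to (template name, service key). Assumed mapping following Table 6-1."""
    if proto == "tcp":
        if port in HTTP_PORTS:
            return "http", port
        if port in NS_PORTS:
            return "tcp_services_ns", port
        return "tcp_services", port
    if proto == "udp":
        return ("dns_udp", 53) if port == 53 else ("udp_services", port)
    return "other_protocols", proto  # non-TCP/UDP: the service is the IP protocol number


def construct_policies(flows, templates):
    """Return {template name: [service, ...]} for the policies the learning phase would create.

    flows: {(proto, port): pps}; proto is "tcp", "udp" or an IP protocol number.
    """
    rate = defaultdict(int)
    for (proto, port), pps in flows.items():
        rate[classify(proto, port)] += pps

    policies = {}
    for t in templates:
        if not t.enabled:  # disabled template: no policies, even if its traffic is present
            continue
        seen = {svc: r for (name, svc), r in rate.items() if name == t.name}
        if not seen:       # e.g. tcp_services_ns when nothing hits ports 6660-6670 or 21-23
            continue
        if t.min_threshold is not None:  # Min Threshold: keep services whose rate exceeds it
            above = {svc: r for svc, r in seen.items() if r > t.min_threshold}
        else:
            above = seen
        # Max Services: rank by volume and keep the top N (tie-break on service key: assumption)
        ranked = sorted(above, key=lambda svc: (-above[svc], str(svc)))
        if t.max_services is not None:
            ranked = ranked[:t.max_services]
        if t.adds_any:     # one extra policy for flows that got no specific policy
            ranked.append("any")
        if ranked:
            policies[t.name] = ranked
    return policies


# Constructed zone traffic sample: (proto, dst port) -> packets per second.
SAMPLE_FLOWS = {
    ("tcp", 80): 12000,   # http
    ("tcp", 443): 3000,   # tcp_services
    ("tcp", 25): 900,     # tcp_services
    ("tcp", 993): 500,    # tcp_services, above threshold but pushed out by Max Services = 2
    ("tcp", 110): 150,    # tcp_services, below Min Threshold
    ("tcp", 6667): 700,   # tcp_services_ns (IRC)
    ("tcp", 22): 400,     # tcp_services_ns (SSH)
    ("udp", 53): 2000,    # dns_udp
    ("udp", 514): 250,    # udp_services
    ("udp", 123): 40,     # udp_services, below Min Threshold
    (47, None): 30,       # other_protocols (GRE), below Min Threshold: only the "any" policy remains
}

# Assumed settings for the example; not the Guard module's defaults.
ZONE_TEMPLATES = [
    Template("http", min_threshold=200),
    Template("dns_udp"),
    Template("tcp_services", min_threshold=200, max_services=2, adds_any=True),
    Template("tcp_services_ns", min_threshold=200, max_services=2, adds_any=True),
    Template("udp_services", min_threshold=200, max_services=2, adds_any=True),
    Template("other_protocols", min_threshold=200, max_services=2, adds_any=True),
]

if __name__ == "__main__":
    for name, services in construct_policies(SAMPLE_FLOWS, ZONE_TEMPLATES).items():
        print(f"{name:18} -> {services}")
```

Running the sample shows the effects the table describes: port 110 is dropped by Min Threshold, port 993 is dropped by Max Services even though it exceeds the threshold, other_protocols ends up with only its any policy, and removing the IRC and SSH flows from the sample makes tcp_services_ns disappear from the output entirely, matching the statement that the template is not used when no traffic is seen on its ports.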


To add or remove services from all policies that were created from a specific policy template, refer to the "Adding a Service" or "Deleting a Service" sections in "Managing Zone Policies."