-
Cisco Anomaly Guard Module Configuration Guide (Software Version 5.1)
-
Index
-
Preface
-
Product Overview
-
Configuring the Guard Module on the Supervisor Engine
-
Initializing the Guard Module
-
Configuring the Guard Module
-
Configuring Traffic Diversion
-
Configuring Zones
-
Configuring Zone Filters
-
Configuring Policy Templates and Policies
-
Learning the Zone Traffic Characteristics
-
Protecting Zones
-
Using Interactive Protect Mode
-
Understanding Attack Reports
-
Using Guard Module Diagnostics Tools
-
Performing Maintenance Tasks
-
Analyzing Guard Module Mitigation
-
Table Of Contents
Activating Guard Module Services
Configuring Access Control Using AAA
Configuring Authentication Methods
Configuring Local Authentication
Configuring Local Authorization
Configuring Authorization Methods
Disabling Tab Completion of Zone Names
Configuring the TACACS+ Server Attributes
Configuring a TACACS+ Server IP Address
Configuring the TACACS+ Server Encryption Key
Configuring the TACACS+ Search Method
Configuring the TACACS+ Server Connection Timeout
Displaying TACACS+ Server Statistics
Establishing Communication with the Cisco Traffic Anomaly Detector Module
Configuring SSL Communication Channels
Enabling SSL Communication Channels
Configuring SSH Communication Channels
Enabling an SSH2 Communication Channel
Regenerating SSH2 Communication Channel Keys
Configuring the Keys for SFTP and SCP Connections
Configuring SNMP Community Strings
Configuring the Login Banner from the CLI
Configuring the Session Timeout
Configuring the Guard Module
This chapter describes how to configure the Cisco Anomaly Guard Module (Guard module) services.
This chapter contains the following sections:
•
Activating Guard Module Services
•
•
•
•
•
Activating Guard Module Services
You can define which Guard module services are active. The service must be enabled, and access to the service must be permitted to enable proper functionality. You can control the activation of the Guard module services and grant or deny permission from a specific IP address, which will limit the IP addresses from which the Guard module is accessed and controlled.
Table 4-1 describes the Guard module services.
Table 4-1 Guard Module Services
Inter-node communication service. The Guard module uses this service when establishing a communication channel with the Cisco Traffic Anomaly Detector Module.
See the "Establishing Communication with the Cisco Traffic Anomaly Detector Module" section for more information.
SNMP server service. You can access the Guard module using SNMP to retrieve information as defined by the Riverhead private MIB, MIB2, and UCDavis MIB.
See the MIB file that is released with the software version for information on the MIB definitions.
Note
SNMP trap service. When you activate the snmp-trap service, the Guard module generates SNMP traps. See the "Enabling SNMP Traps" section for more information.
Secure Shell service. The SSH service is always active. See the "Accessing the Guard with SSH" section on page 3-19 and the "Managing SSH Keys" section for more information.
Web-based manager (WBM) service. You can control the Guard module from the web using a web browser. See the "Managing the Guard with a Web-Based Manager" section on page 3-18 for more information.
To activate a Guard module service, perform the following steps:
Step 1
service {internode-comm | snmp-server | snmp-trap | wbm}See Table 4-1 for a description of the Guard module services. By default, all Guard module services, except SSH, are disabled.
Step 2
permit {internode-comm | snmp-server | snmp-trap | ssh | wbm} ip-address-general [ip-mask]Table 4-2 provides the arguments for the permit command.
Table 4-2 Arguments for the permit Command
The service to be accessed and operated. See Table 4-1 for a description of the Guard module services.
The IP address from which to permit access. Enter the IP address in dotted-decimal notation (for example, enter 192.168.10.2). Use an asterisk (*) to permit access from all IP addresses.
(Optional) The IP subnet mask. Enter the subnet mask in dotted-decimal notation (for example, enter 255.255.255.0). The default subnet mask is 255.255.255.255.
Caution
The following example shows how to activate a service:
user@GUARD-conf# service wbmuser@GUARD-conf# permit wbm 192.168.10.35Configuring Access Control Using AAA
Authentication, Authorization, and Accounting (AAA) is a method for controlling who is allowed to access the Guard module and what services are allowed after access. AAA provides the following features:
•
•
•
The Guard module is preconfigured with the following system user accounts:
•
•
You cannot delete system user accounts.
User definition allows you to divide the Guard module user community into domains and to assign passwords for secure management access. We recommend that you create new user accounts and avoid using the system user accounts after initial configuration so that you can monitor user actions.
The following sections describe how to configure access control:
•
Configuring Authentication
You can configure which authentication method that the Guard module uses when a user tries to log into the Guard module or requests a higher privilege level (using the enable command). The Guard module offers the following authentication options:
•
•
If you configure a user only on a TACACS+ server, you must also configure authorization on the TACACS+ server for that user, or the user has access to show commands only.
You can configure a sequential authentication list. The authentication list defines the authentication methods used to authenticate a user, enables you to designate one or more methods to be used for authentication, and provides a backup if the initial method fails.
The Guard module uses the first authentication method that is on the sequential authentication list to authenticate users; if that authentication method does not respond, the Guard module selects the second authentication method on the list. Authentication fails only if both authentication methods do not succeed to authenticate the user.
You can configure a distributed authentication scheme and define users in several authentication databases. The Guard module uses the first TACACS+ server to authenticate users. If the authentication returns a rejection, the Guard module scans the TACACS+ server list and the alternative authentication method (local), if one exists. Authentication fails only if all the authentication methods on the list fail. This option is valid only if you do not configure the first-hit option.
Note
This section contains the following topics:
•
•
Configuring Authentication Methods
To configure the authentication method that the Guard module uses, perform the following steps:
Step 1
Step 2
aaa authentication {enable | login} {local | tacacs+} [tacacs+ | local]Table 4-3 provides the keywords for the aaa authentication command.
If you access the Guard module from a console session, it uses the local user database for authentication regardless of the defined authentication method.
To change the authentication method, reenter the command.
The following example shows how to configure authentication on entering a higher privilege level. The primary authentication method is configured to TACACS+, and the secondary authentication method is configured to the local user database.
user@GUARD-conf# aaa authentication enable tacacs+ localConfiguring Local Authentication
The Guard module initially has a preconfigured username with administration privileges, which allows you to create new users. A user definition allows you to divide the Guard module user community into domains and to assign passwords for secure management access.
To enable authentication of CLI users with a TACACS+ server, see the "Configuring Authentication" section.
This section contains the following topics:
•
•
Adding a User
To add a user to the Guard module local database, use the following command in configuration mode:
username username {admin | config | dynamic | show} [password]
Table 4-4 provides the arguments and keywords for the username command.
The following example shows how to configure a new user and set the password:
user@GUARD-conf# username Robbin config 1234Users enter passwords in clear text but the Guard module configuration file displays passwords in an encrypted manner. This example displays the Guard module configuration file (running-config):
username Richard config encrypted 840xdMk3The encrypted keyword in the previous example indicates that the password is encrypted.
To display the list of users configured on the Guard module, use the show running-config or show guard commands.
To display a list of the users currently logged into the CLI, use the show users command.
Changing Your Password
You can change your own password. Administrators can change their own password and the passwords of other users (see the "Changing the Passwords of Other Users" section).
To change your own password, perform the following steps:
Step 1
passwordStep 2
Step 3
The password must be an alphanumeric, 6 to 24 character string, with no spaces. The password is case sensitive. The system prompts you to confirm the new password by typing it again.
The following example shows how to change your password:
user@GUARD# passwordOld Password: <old-password>New Password: <new-password>Retype New Password: <new-password>Changing the Passwords of Other Users
You must have administration user privileges to change the password of other users.
To change the password of a user, perform the following steps:
Step 1
password username-passwordThe username-password argument is the user whose password you are changing.
Step 2
The password must be an alphanumeric, 6 to 24 character string, with no spaces. The password is case sensitive. The system prompts you to confirm the new password by typing it again.
The following example shows that the administrator changes the password of the user Jose:
user@GUARD# password JoseNew Password: <new-password>Retype New Password: <new-password>Deleting a User from the Local User Database
When you delete a user from the local user database, the associated user cannot access the Guard module if authentication is performed using the local user database only.
To delete a user from the Guard module local user database, use the no username username command.
The following example shows how to delete a user from the local user database:
user@GUARD-conf# no username RobbinConfiguring Authorization
You can limit the services available to a user. When you enable authorization, the Guard module verifies the user profile, which is located either in the local user database or on a TACACS+ security server. The user is permitted access to the requested service only if the information in the user profile allows it.
You can configure which authorization method the Guard module uses when a user tries to execute a command. The Guard module offers the following authorization options:
•
Two types of TACACS+ authorization are supported:
–
–
TACACS+ authorization enables you to specify access rights for each command.
Caution
•
Guard module local authorization can be performed when communication to the TACACS+ server fails.
You can configure a sequential authorization list that defines the methods for authorizing a user, allows you to designate one or more methods to be used for authorization, and provides a backup if communication to the initial method fails.
The Guard module uses the first method listed to authorize users; if that method does not respond, the Guard module selects the second authorization method. The authorization fails only if both authorization methods do not succeed.
To configure the Guard module to consider an authentication rejection as final and stop further searching with other TACACS+ servers or the local user database, you can configure the TACACS+ server attributes. See the "Configuring the TACACS+ Server Attributes" section for more information.
This section contains the following topics:
•
•
•
Configuring Local Authorization
Access to Guard services depends on the user privilege level. You can limit the services available to a user. The Guard module checks the user profile to verify the user access rights. Once authorized, the user is granted access to the requested service only if the information in the user profile allows it. See Table 3-1 for information on user privilege levels.
This section contains the following topics:
•
•
Assigning Privilege Levels with Passwords
You can set passwords that restrict access to user privilege levels. After you specify the privilege level and the password, you can give the password to the users who need to access this level. You cannot move to another user privilege level before you configure a password for that user privilege level.
To set a local password to control access to a privilege level, use the following command in configuration mode:
enable password [level level] [password]
Table 4-5 provides the arguments for the enable password command.
The following example shows how to assign a password to the user privilege level admin:
user@GUARD-conf# enable password level admin <password>Moving between User Privilege Levels
Authorized users can move between user privilege levels.
To move between user privilege levels, perform the following steps:
Step 1
enable [level]The level argument specifies the user privilege level. This level can be one of the following:
•
•
•
•
The default level is admin.
Step 2
The following example shows how to switch to the admin privilege level:
user@GUARD> enable adminEnter enable admin Password: <password>To return to the lower privilege level (show), use the disable command.
Configuring Authorization Methods
To configure the authorization method, perform the following steps:
Step 1
Step 2
•
•
You can configure a sequential list of authorization methods. Enter the aaa authorization command for each method. To remove an authorization method, use the no form of the command.
Table 4-6 provides the arguments and keywords for the aaa authorization command.
We recommend that you do not configure authorization for show privilege level commands because it may affect performance.
Note
The following example shows how to configure authorization for commands that require config privilege level. The primary authorization method is configured to TACACS+, and the secondary authorization method is configured to the local user database.
user@GUARD-conf# aaa authorization commands config tacacs+ local
Caution
TACACS+ Server Sample Configuration
You can specify authorization for each command in the TACACS+ server database.
The following example shows you how to configure authorization on a TACACS+ server for the user Zoe:
user=Zoe {cmd = protect {permit .*}cmd = "no protect" {permit .*}cmd = learning {deny policy*}cmd = "no learning" {deny .*}cmd = dynamic-filter {permit .*}cmd = "no dynamic-filter" {permit .*}cmd = flex-filter {deny .*}cmd = "no flex-filter" {deny .*}}Disabling Tab Completion of Zone Names
To limit access to zone configuration to authorized users only, disable tab completion for the names of the zones. This setting applies to all commands in which you specify the zone name.
When you enter commands in global or configuration mode, such as the zone command, no zone command, show zone command, and deactivate command, the Guard module no longer displays or completes the zone name. You must enter the complete zone name to configure a zone, change the zone operation mode, or display zone statistics.
The Guard module sends the tab-complete zone-list command to the TACACS+ server when you disable tab completion of zone names. Configure authorization for the tab-complete zone-list command on the TACACS+ server to enable tab completion of zone names to authorized users.
The following example shows how to disable tab completion of zone names for all the zone commands:
user@GUARD-conf# aaa authorization commands zone-completion tacacs+To enable tab completion of zone names, use the no form of the command.
Configuring Accounting
Accounting management allows you to track the services that users are accessing and save the accounting information on a TACACS+ server. You can enable accounting of requested services for billing, reporting, or security purposes. By default, the Guard module is configured with accounting management disabled.
To configure accounting, perform the following steps:
Step 1
Step 2
aaa accounting commands {show | dynamic | config | admin} stop-only {local | tacacs+}Table 4-7 provides the keywords for the aaa accounting command.
Table 4-7 Keywords for the aaa accounting Command
show | dynamic | config | admin
Defines accounting for the specified privilege level (see Table 3-1 for information on user privilege levels).
stop-only
Records the action when the command execution terminates.
tacacs+
Uses a TACACS+ server database to record accounting information.
local
Does not save accounting information.
To configure accounting for more than one privilege level, enter the aaa accounting command for each privilege level for which accounting is required.
We recommend that you enable accounting management only for the config user privilege level because it may affect performance.
Use the no form of the command to remove the accounting management for a privilege level.
The example shows how to configure accounting for commands that require config privilege level on a TACACS+ server.
user@GUARD-conf# aaa accounting commands config stop-only tacacs+Configuring the TACACS+ Server Attributes
You must configure the TACACS+ server attributes to enable authentication, authorization, or accounting with a TACACS+ server.
Caution
To configure the TACACS+ server attributes, perform the following steps:
Step 1
See the "Configuring a TACACS+ Server IP Address" section for more information.
Step 2
See the "Configuring the TACACS+ Server Encryption Key" section for more information.
Step 3
See the "Configuring the TACACS+ Search Method" section for more information.
Step 4
See the "Configuring the TACACS+ Server Connection Timeout" section for more information.
Step 5
See the "Displaying TACACS+ Server Statistics" section for more information.
The Guard module user privilege levels relate to the TACACS+ privilege numeration as follows:
•
•
•
•
Configuring a TACACS+ Server IP Address
You can configure the Guard module to use a sequential list of TACACS+ servers for authentication, authorization, and accounting. The Guard module uses the TACACS+ server listed to authenticate or authorize users or send an accounting event; if that server does not respond, the Guard module selects the second server. Authentication or authorization fails only if all servers listed do not respond.
Alternatively, you can configure the Guard module to use only the first TACACS+ server on the list to authenticate users (see the "Configuring the TACACS+ Search Method" section for more information).
You must define the IP address of each TACACS+ server on the list. You can define a maximum of nine TACACS+ servers.
To add a TACACS+ server to the list and assign its IP address, use the following command in configuration mode:
tacacs-server host ip-address
The ip-address argument specifies the IP address of the TACACS+ server.
The TACACS+ servers are added to the list in the order in which you enter them. You can add a maximum of nine servers to the list.
The following example shows how to add a server to the TACACS+ server list:
user@GUARD-conf# tacacs-server host 192.168.33.45Configuring the TACACS+ Server Encryption Key
You must configure the encryption key to access a TACACS+ server. The key must match the key on the TACACS+ servers. The key cannot contain spaces.
To configure the server encryption access key, use the following command in configuration mode:
tacacs-server key tacacs-key
The argument tacacs-key is an alphanumeric string.
Note
The following example shows how to set the TACACS+ server encryption key to MyKey:
user@GUARD-conf# tacacs-server key MyKeyConfiguring the TACACS+ Search Method
To configure the Guard module to consider an authentication rejection as final and stop further searching with other TACACS+ servers and the local user database, use the tacacs-server first-hit command. The Guard module performs user authentication using only the first TACACS+ server on the server list to respond. If the first TACACS+ server does not respond, the Guard module selects the next server on the list. The Guard module regards the first user authentication approval or rejection received as final and stops attempting to authenticate the user with other TACACS+ servers or with the local user database.
If you do not configure the TACACS+ search method to regard an authentication rejection as final by entering the tacacs-server first-hit command, the Guard module, by default, tries all TACACS+ servers in its list to authenticate a user. When you enable the first-hit search method for user authentication by entering the no tacacs-server first-hit command, the Guard module uses the first TACACS+ server listed to authenticate the user. If the first server does not respond or fails to authenticate the user, the Guard module selects the next server on the list. User authentication fails if all the TACACS+ servers on the list either do not respond or fail to authenticate the user and you have not configured a local authentication method. The TACACS+ search method is applicable for authentication only and does not affect authorization or accounting.
To configure the Guard module to use only the first TACACS+ server on the list to authenticate users, use the tacacs-server first-hit command in configuration mode.
To disable the first-hit search method and enable the Guard module to try all TACACS+ servers in its list to authenticate a user, use the no tacacs-server first-hit command in configuration mode.
The following example shows how to configure the TACACS+ search method so that the Guard module uses only the first TACACS+ server on the list to authenticate users:
user@GUARD-conf# tacacs-server first-hitConfiguring the TACACS+ Server Connection Timeout
You can configure the amount of time that the Guard module waits for a reply from the TACACS+ server. When the timeout ends, the Guard module either attempts to establish a connection with the next TACACS+ server (if a server was configured) or falls back to local AAA (if a fallback was configured). Authentication and authorization fail if no fallback method is configured.
Note
To configure the TACACS+ server connection timeout, use the following command in configuration mode:
tacacs-server timeout timeout
The timeout argument specifies the amount of time (in seconds) that the Guard module waits for a TACACS+ server to reply. The default timeout is 0.
The following example shows how to configure the TACACS+ server connection timeout to 600 seconds:
user@GUARD-conf# tacacs-server timeout 600
Tip
Displaying TACACS+ Server Statistics
You can display statistical information for the TACACS+ servers. The Guard module provides statistical data for each server.
To display TACACS+ related statistics, use the show tacacs statistics command in configuration mode.
To clear the TACACS+ statistics, use the clear tacacs statistics command in configuration mode.
Table 4-8 displays the fields in the show tacacs statistics command output.
Establishing Communication with the Cisco Traffic Anomaly Detector Module
You can establish a secure communication channel between the Guard module and a Cisco Traffic Anomaly Detector Module (Detector module) to enable the following tasks:
•
•
The Detector module establishes a connection with the Guard module to exchange the keys and certificates that are required to secure the communication channel. The Detector module then closes the connection and establishes the communication channel when it needs to activate the Guard module, synchronize a zone configuration with the Guard module, or poll the Guard module.
The Guard module supports two types of communication channels:
•
•
The Detector module keeps a list (called remote Guard lists) of Guard modules that it activates to protect a zone and synchronize zone information with these Guard modules. The Detector module establishes a communication channel with each of the Guard modules configured in the remote Guard lists. The Detector module establishes an SSH2 communication channel with each Guard module, before establishing an SSL communication channel. If you configure an SSL remote Guard list and an SSH remote Guard list, you do not need to establish the SSH2 communication channel.
This section contains the following topics:
•
•
Configuring SSL Communication Channels
The Guard module and Detector module use a Secure Sockets Layer (SSL) connection for the communication channel. SSL provides secure connections through a combination of authentication and data encryption and relies upon digital certificates, private-public key exchange pairs, and Diffie-Hellman key agreement parameters for this level of security. SSL encrypts the data so that only the intended recipient can decipher the data.
Each Guard module and Detector module authenticates the device attempting to communicate with it over the communication channel using a digital certificate and other device-specific information, such as the device IP address.
To ensure a secure connection, the Detector module generates a private-public key pair and distributes its public key to the Guard modules listed in the remote Guard lists.
After you enable the communication channel service on the Guard module, you establish the communication channel from the Detector module. The Detector module first establishes an SSH2 communication channel with the user riverhead on the Guard module. The Detector module then uses the secure SSH2 communication channel to exchange the SSL connection keys.
This section contains the following topics:
•
•
Enabling SSL Communication Channels
To enable an SSL communication channel, perform the following steps on both the Guard module and the Detector module:
Caution
Step 1
The arguments ip-address-general and ip-mask define the IP address of the Detector modules that you want to permit access to the Guard module.
Note
Step 2
Step 3
The arguments ip-address-general and ip-mask define the IP address of the Detector modules that you want to permit access to the Guard module.
Note
Regenerating SSL Certificates
The key that identifies the Guard module and the Detector module in the SSL certificates is associated with the IP addresses.
You must regenerate new SSL certificates for the Guard module and the Detector module on both ends of a communication channel when you:
•
•
Before you can generate new SSL certificates, you must delete the current certificates on both devices.
To display the current SSL certificates, use the show internode-comm certs command.
To regenerate the current SSL certificates, perform the following procedure:
Step 1
cert remove cert-host-ipThe cert-host-ip argument specifies the IP address of the Guard module. Enter an asterisk (*) to delete the SSL certificates of all Guard modules.
Step 2
cert remove cert-host-ipThe cert-host-ip argument specifies the IP address of the Detector module. Enter an asterisk (*) to delete the SSL certificates of all Detector modules that have established communication channels with the Guard module.
The following example shows how to delete an SSL certificate:
user@GUARD-conf# cert remove 10.56.36.4Step 3
From the Detector module, use the following command in configuration mode to delete Guard module SSH host keys:
no host-keys ip-address-generalThe ip-address-general argument specifies the IP address of the remote device.
Step 4
Configuring SSH Communication Channels
When detecting traffic anomalies, the Detector module either logs the event, or activates a Guard module to protect the zone using an SSH communication channel. When using an SSH communication channel, the Detector module cannot perform the following tasks:
•
•
•
To ensure a secure SSH2 communication channel, the Detector module generates a private-public SSH key pair and distributes the public SSH key to the Guard modules listed in the remote Guard lists.
After you enable the SSH communication channel, you must establish the SSH communication channel from the Detector module.
This section contains the following topics:
•
•
Enabling an SSH2 Communication Channel
To enable an SSH2 communication channel between a Guard module and a Detector module, permit access to the SSH service on the Guard module from the Detector module IP address by entering the permit ssh command.
Caution
After you enable the SSH communication channel, you must establish the SSH communication channel from the Detector module.
If you replace (swap out) a Guard module device, you must regenerate the SSH2 communication channel. See the "Regenerating SSH2 Communication Channel Keys" section.
Regenerating SSH2 Communication Channel Keys
If you replace a Guard module device, perform the following steps to regenerate a communication channel:
Step 1
The ip-address-general argument specifies the IP address of the remote device.
To display the host keys listed on the Guard module, use the show host-keys command.
Step 2
•
•
To display the Detector module public SSH key, use the show public-key command on the Detector module.
To add the Detector module public SSH key to the list of SSH keys that the Guard module maintains, use the key add command on the Guard module. See the "Adding SSH Keys" section for more information.
Managing SSH Keys
The Guard module supports SSH for secure remote login. You can add a list of SSH keys to enable secure communication from a remote device to the Guard module without entering a login and password.
The following sections describe how you can manage the Guard module SSH key list:
Adding SSH Keys
To enable an SSH connection without entering a login and password, add the remote connection SSH public key to the Guard module SSH key list.
Enter the following command in configuration mode:
key add [user-name] {ssh-dsa | ssh-rsa} key-string comment
Table 4-9 provides the arguments and keywords for the key add command.
The following example shows how to add an SSH RSA key:
user@GUARD-conf# key add ssh-rsa 14513797528175730. . .user@Guard module.comDeleting SSH Keys
You can remove an SSH key from the list. If you remove the SSH key, you must authenticate the next time that you establish an SSH session with the Guard module.
To remove an SSH key from the Guard module, use the following command in configuration mode:
key remove [user-name] key-string
Table 4-10 provides the arguments for the key remove command.
The following example shows how to view a user key so that it can be cut and pasted into the key remove command:
user@GUARD-conf# show keys Lilacssh-rsa 2352345234523456... user@Guard module.comuser@GUARD-conf# key remove Lilac 2352345234523456...Configuring the Keys for SFTP and SCP Connections
Secure FTP (SFTP), which is layered on top of SSH2, and Secure Copy (SCP), which relies on SSH, provide a secure and authenticated method for copying files. SFTP and SCP use public key authentication and strong data encryption, which prevents login, data, and session information from being intercepted or modified in transit.
To configure the keys for SFTP and SCP connections, perform the following actions:
Step 1
If the key exists, skip Step 2 and proceed to Step 3.
If no key exists, proceed to Step 2.
Step 2
If an SSH2 key pair already exists, the following message appears:
/root/.ssh/id_rsa already exists.Overwrite (y/n)?Type y to regenerate the key.
The Guard module creates the public-private key pair. To display the Guard module public key, use the show public-key command in configuration mode.
Step 3
For example, if you are connecting to an network server that is installed on a Linux operating system with the username user account, add the Guard module public key to the /home/username/.ssh/authorized_keys2 file.
Make sure that the key is copied as a single line. If the key is copied as two lines, delete the new line character at the end of the first line.
Note
Changing the Hostname
You can change the hostname of the Guard module. The change takes effect immediately, and the new hostname is automatically integrated into the CLI prompt string.
To change the Guard module hostname, use the following command in configuration mode:
hostname name
The name argument specifies the new hostname.
The following example shows how to change the hostname of the Guard module:
user@GUARD-conf# hostname CiscoGuardadmin@CiscoGuard-conf#Enabling SNMP Traps
You can enable the Guard module to send SNMP traps and notify you of significant events that occur on the Guard module. In addition, you can configure the Guard module SNMP trap generator parameters and define the scope of the SNMP trap information that the Guard module reports.
A trap is logged in the Guard module event log and displayed in the event monitor when a trap condition occurs, regardless of whether the SNMP agent sends the trap.
To configure the Guard module to send SNMP traps, perform the following steps:
Step 1
service snmp-trapStep 2
snmp trap-dest ip-address [community-string [min-severity]]Table 4-11 provides the arguments for the snmp trap-dest command.
To delete SNMP trap generator parameters, use the no snmp trap-dest command. Enter an asterisk (*) to remove all SNMP trap destination parameters.
The following example shows that traps with a severity level equal to or higher than errors are sent to the destination IP address 192.168.100.52 with the SNMP community string of tempo:
user@GUARD-conf# snmp trap-dest 192.168.100.52 tempo errorsTable 4-12 lists the SNMP traps that the Guard module generates.
Table 4-12 SNMP Traps
rhExcessiveUtilizationTrap
EMERGENCY
The Guard module cannot add new dynamic filters because more than 150,000 dynamic filters are active concurrently in all the Guard module zones.
rhExcessiveUtilizationTrap
EMERGENCY
The anomaly detection engine memory limit was reached (higher than 90 percent).
rhGeneralTrap
EMERGENCY
The Guard module failed to activate zone protection by using the packet activation method, and will send subsequent traps with an ALERT severity level.
rhGeneralTrap
EMERGENCY
The Guard module failed to activate diversion.
rhGeneralTrap
EMERGENCY
The Guard module restored diversion.
rhGeneralTrap
ALERT
The Guard module failed to activate zone protection by using the packet activation method, and a trap with an EMERGENCY severity level was already generated.
rhGeneralTrap
ALERT
The disk space is 80 percent.
rhExcessiveUtilizationTrap
CRITICAL
The Gigabit interface link utilization in bps1 is above 85 percent.
rhExcessiveUtilizationTrap
CRITICAL
The memory utilization is above 85 percent.
rhExcessiveUtilizationTrap
CRITICAL
The accelerator card CPU utilization is above 85 percent.
rhDynamicFilterTrap
ERROR
The number of pending dynamic filters is 1000, and new pending dynamic filters will be discarded.
rhZoneGenericTrap
ERROR
The Guard module failed to synchronize the zone configuration.
rhGeneralTrap
ERROR
The Guard module failed to activate zone protection as follows:
•
•
The Guard module deactivates zone protection and the learning process.
rhDynamicFilterTrap
WARNING
The Guard module failed to add dynamic filters.
•
rhExcessiveUtilizationTrap
WARNING
The Guard module has more than 135,000 dynamic filters that are active concurrently in all the zones. When the number of active dynamic filters reaches 150,00, the Guard module cannot add new dynamic filters.
rhGeneralTrap
WARNING
The disk space is 75 percent.
rhPolicyConstructionTrap
WARNING
The policy construction phase of the learning process has failed.
rhProtectionTrap
WARNING
The Guard module failed to start zone protection.
rhReloadTrap
WARNING
The Guard module has restarted. The trap contains a MIB2 warm-start or cold-start trap and information on what caused the Guard module to restart.
rhReloadTrap
WARNING
The Guard module has shutdown. The trap contains a a MIB2 warm-start or cold-start trap and information on what caused the Guard module to shutdown.
rhThresholdTuningTrap
WARNING
The threshold tuning phase of the learning process has failed.
rhAttackTrap
NOTIFICATIONS
An attack has started.
rhAttackTrap
NOTIFICATIONS
An attack has ended.
rhPolicyConstructionTrap
NOTIFICATIONS
The policy construction phase of the learning process has been started.
rhPolicyConstructionTrap
NOTIFICATIONS
The policy construction phase of the learning process has been accepted.
rhPolicyConstructionTrap
NOTIFICATIONS
The policy construction phase of the learning process has been stopped.
rhProtectionTrap
NOTIFICATIONS
The zone protection has started.
rhProtectionTrap
NOTIFICATIONS
The zone protection has ended.
rhThresholdTuningTrap
NOTIFICATIONS
The threshold tuning phase of the learning process has been started.
rhThresholdTuningTrap
NOTIFICATIONS
The threshold tuning phase of the learning process has been accepted.
rhThresholdTuningTrap
NOTIFICATIONS
The threshold tuning phase of the learning process has been stopped.
rhZoneGenericTrap
NOTIFICATIONS
The Guard module has started to synchronize the zone configuration.
rhZoneTrap
NOTIFICATIONS
A new zone has been created.
rhZoneTrap
NOTIFICATIONS
A zone has been deleted.
rhDynamicFilterControlTrap
INFO
The number of attack-detection events that the Guard module did not send for a specific policy.
rhDynamicFilterControlTrap
INFO
The Guard module has more than 1000 active dynamic filters, and will not send traps for dynamic filters that it deletes.
rhDynamicFilterTrap
INFO
A dynamic filter has been added.
rhDynamicFilterTrap
INFO
A dynamic filter has been deleted.
rhDynamicFilterTrap
INFO
A pending dynamic filter has been added.
1 bps = bits per second
Configuring SNMP Community Strings
You can access the Guard module SNMP server and retrieve information as defined by the Management Information Base 2 (MIB2) and the Cisco Riverhead proprietary MIB. The community string acts like a password and permits read access from the Guard module SNMP agent. You can configure the Guard module SNMP community string and enable access to the SNMP agent from clients in different organizational units and with different community strings.
To add an SNMP community string, use the following command in configuration mode:
snmp community community-string
The community-string argument specifies the desired Guard module community string. Enter an alphanumeric string from 1 to 15 characters. The string cannot contain spaces. The Guard module default community string is riverhead. You can specify as many community names as you want. To delete a community string, use the no community string command. Enter an asterisk (*) to remove all SNMP community strings.
The following example shows how to configure the SNMP community string:
user@GUARD-conf# snmp community tempoConfiguring the Login Banner
The login banner is the text that appears on screen before user authentication when you open an SSH session, a console port connection, or a WBM session to the Guard module.
You can configure a login banner to warn users against unauthorized access, to describe what is considered the proper use of the system, and to warn users that the system is being monitored to detect improper use and other illicit activity.
The Guard module displays the login banner in the following locations:
•
•
This section contains the following topics:
•
Configuring the Login Banner from the CLI
You can create a single or multiple message banner by using the login-banner command. If you enter more than one login banner, the new login banner is appended to the existing login banner as a new line.
To configure the login banner, use the following command in configuration mode:
login-banner banner-str
The banner-str argument specifies the banner text. The maximum string length is 999 characters. If you use spaces in the expression, enclose the expression in quotation marks (" ").
To display the login banner, use the show login-banner command.
The following example shows how to configure and display the login banner:
user@GUARD-conf# login-banner "Welcome to the Cisco Anomaly Guard Module"user@GUARD-conf# login-banner "Unauthorized access is prohibited."user@GUARD-conf# login-banner "Contact sysadmin@corp.com for access."user@GUARD-conf# show login bannerWelcome to the Cisco Anomaly Guard ModuleUnauthorized access is prohibited.Contact sysadmin@corp.com for access.Importing the Login Banner
You can import a text file from a network server to replace the existing login banner by entering one of the following commands in global mode or in configuration mode:
•
•
The maximum length of each line in the file that you import is 999 characters.
Because Secure FTP (SFTP) and Secure Copy (SCP) rely on SSH for secure communication, if you do not configure the key that the Guard module uses before you enter the copy command with the sftp or scp option, the Guard module prompts you for the password. See the "Configuring the Keys for SFTP and SCP Connections" section for more information on how to configure the key that the Guard module uses for secure communication.
Table 4-13 provides the arguments and keywords for the copy login-banner command.
The following example shows how to import the login banner from an FTP server:
user@GUARD-conf# copy ftp login-banner 10.0.0.191 /root/login-banner <user> <password>Deleting the Login Banner
If you no longer want to display a message before user authentication, delete the login banner.
To delete the login banner, use the no login-banner command in configuration mode.
The following example shows how to delete the login banner:
user@GUARD-conf# no login-bannerConfiguring the WBM Logo
To customize your end-user interface, you can add a company logo (or any customized logo) to the WBM web pages.
The new logo appears in the following places:
•
•
The new logo must be in GIF format. We recommend that the size of the new logo is as follows: width = 87 and height = 41 pixels.
This section contains the following topics:
Importing the WBM Logo
To import a new logo from a network server, use the following command in global mode or in configuration mode:
•
•
Because Secure FTP (SFTP) and Secure Copy (SCP) rely on SSH for secure communication, if you do not configure the key that the Guard module uses before you enter the copy command with the sftp or scp option, the Guard module prompts you for a password. See the "Configuring the Keys for SFTP and SCP Connections" section for more information on how to configure the key that the Guard module uses for secure communication.
Table 4-14 provides the arguments and keywords for the copy wbm-logo command.
The following example shows how to import the WBM logo file from an FTP server:
user@GUARD-conf# copy ftp wbm-logo 10.0.0.191 /root/WBMlogo.gif <user> <password>Deleting the WBM Logo
To delete the WBM logo, use the no wbm-logo command in configuration mode.
The following example shows how to delete the login banner:
user@GUARD-conf# no wbm-logoConfiguring the Session Timeout
The session timeout is the amount of time that a session remains active when there is no activity. If there is no activity for the configured time, a timeout occurs, and then you must log in again. The session timeout is disabled by default.
The session timeout applies to the CLI only and does not apply to the WBM.
You can configure the number of minutes until the Guard module disconnects an idle session automatically by entering the following command in configuration mode:
session-timeout timeout-val
The timeout-val argument specifies the number of minutes until the Guard module disconnects an idle session automatically. Valid values are from 1 to 1440 minutes (one day).
The following example shows how to configure the Guard module to disconnect an idle session after 10 minutes:
user@GUARD-conf# session-timeout 10To prevent the Guard module from disconnecting idle sessions automatically, use the no session-timeout command.
To display the value of the session timeout, use the show session-timeout command.
