-
Cisco Anomaly Guard Module Configuration Guide (Software Version 5.1)
-
Index
-
Preface
-
Product Overview
-
Configuring the Guard Module on the Supervisor Engine
-
Initializing the Guard Module
-
Configuring the Guard Module
-
Configuring Traffic Diversion
-
Configuring Zones
-
Configuring Zone Filters
-
Configuring Policy Templates and Policies
-
Learning the Zone Traffic Characteristics
-
Protecting Zones
-
Using Interactive Protect Mode
-
Understanding Attack Reports
-
Using Guard Module Diagnostics Tools
-
Performing Maintenance Tasks
-
Analyzing Guard Module Mitigation
-
Table Of Contents
Learning the Zone Traffic Characteristics
Understanding the Learning Process
Understanding the Phases of the Learning Process
Verifying the Results of the Learning Process
Understanding the Protect and Learn Function
Synchronizing the Zone Learning Process Results with a Cisco Traffic Anomaly Detector Module
Configuring Learning Parameters
Configuring the Threshold Selection Method
Tuning Zone Policy Thresholds and Enabling Zone Protection Simultaneously
Using Snapshots to Verify the Results of the Learning Process
Copying Policies to the Zone Configuration
Learning the Zone Traffic Characteristics
This chapter describes how to use the Guard module learning process to analyze zone traffic characteristics to create and fine-tune the policies that the Guard module uses for zone protection.
This chapter contains the following topics:
•
Understanding the Learning Process
•
•
•
•
•
Understanding the Learning Process
The learning process creates a baseline of normal traffic patterns, when no current attack is occurring on the network. The Guard module uses this baseline as a reference point to help detect the existence of anomalies in the zone traffic. These reference points are called policies.
After an initial learning process of constructing policies, you can activate the learning process and zone protection simultaneously. At the same time, the Guard module tunes the policy thresholds and monitors the policy thresholds for traffic anomalies. This process enables the Guard module to protect the zone, while constantly updating the policy thresholds according to the zone traffic characteristics, and prevents the Guard module from learning malicious traffic thresholds.
To learn the zone traffic characteristics, the zone traffic must be diverted to the Guard module. You must configure diversion before initiating the learning process, or divert the zone traffic to the Guard module manually using an external device. You can configure zone diversion using routing configuration of the Guard module.
See Chapter 5, "Configuring Traffic Diversion," for more information.
Note
If there is an attack on the zone before the learning process has been completed, use on-demand protection to protect the zone if one of the following conditions apply:
•
•
•
See the "Activating On-Demand Protection" section on page 10-3 for more information.
You can enter learning-related commands for several zones at the same time. Enter the command in global mode and use an asterisk (*) as a wildcard. For example, to initiate the policy construction phase for all zones, enter the learning policy-construction * command in global mode. To accept the results of the policy construction phase for all Guard module zones with names that begin with scan (such as scannet and scanserver), enter the no learning scan* accept command in global mode.
This section contains the following topics:
•
•
Understanding the Phases of the Learning Process
The learning process consists of these two phases:
•
The policy templates are the Guard module tools for constructing the policies. These templates define the types of zone policies that the Guard module creates. The policy templates also define the maximum number of services that the Guard module monitors closely and the minimum threshold that triggers the Guard module to create new policies. To change the rules for constructing zone policies, you must change the policy template parameters before you initiate the policy construction phase. See Chapter 8, "Configuring Policy Templates and Policies," for more information.
You cannot perform the policy construction phase for zones that you created using the GUARD_LINK zone templates.
•
You can activate the threshold tuning phase and activate zone protection simultaneously (the protect and learn function) to prevent the Guard module from learning malicious traffic thresholds. You can set the Guard module to constantly tune the zone policies and define the intervals in which the Guard module updates the policy thresholds.
Note
The Guard module learns the zone traffic characteristics to create a baseline of zone traffic and trace any anomalies that might become malicious. The Guard module does not modify the current zone policies during the learning process and updates the policies when you decide to accept the results of one of the learning phases only. After the policies are created, you can add and delete policies or change policy parameters such as thresholds, services, timeouts, and actions.
Verifying the Results of the Learning Process
You can save the current results of either learning phase at any stage during the learning process and review it later by using the snapshot command. Taking a snapshot of the learning process allows you to view the policy information that the Guard module has created up to the point of the snapshot and decide whether to not to accept the results of the learning process. Saving the results of the learning phase in a snapshot does not affect the zone configuration. You can update the zone configuration with the policy information in a snapshot.
Understanding the Protect and Learn Function
After an initial learning process of constructing policies, you can activate the learning process and enable zone protection simultaneously using the protect and learn function. The Guard module tunes the policy thresholds and monitors the policy thresholds for traffic anomalies. The protect and learn function enables the Guard module to protect the zone, constantly update the policy thresholds based on the zone traffic characteristics, and prevents the Guard module from learning malicious traffic thresholds.
Before you activate the protect and learn function, you can configure when and how the Guard module accepts the results of the learning process by configuring the learning parameters.
See the "Tuning Zone Policy Thresholds and Enabling Zone Protection Simultaneously" section for more information.
Synchronizing the Zone Learning Process Results with a Cisco Traffic Anomaly Detector Module
When a Cisco Traffic Anomaly Detector Module (Detector module) detects an attack on the zone, it stops the learning process, activates the Guard module to protect the zone, and then resumes learning the zone traffic when the attack ends. This process enables you to continuously adjust the zone policy thresholds to the traffic, but avoid having to constantly divert the zone traffic to the Guard module. You can configure a Detector module to constantly learn the zone traffic and update the Guard module with the zone policies.
Note
To synchronize the learning process results with a Detector module, you must perform the following tasks:
1.
2.
Create the zone on the Detector module using a Guard zone template.You can synchronize the zone configuration with the Detector module manually or configure the Detector module to synchronize the zone configuration with the Guard module automatically. See the "Synchronizing a Guard Module with Cisco Traffic Anomaly Detector Module Zone Configuration" section on page 6-13 for more information.
Constructing Policies
Use the policy construction phase after creating a new zone or anytime that the zone configuration needs updating with new service policies. After performing the policy construction phase, execute the threshold tuning phase to fine-tune the thresholds of each policy.
In the policy construction phase, the Guard module creates the zone policies using the policy templates. The traffic flows through the Guard module enabling it to discover the main services (ports and protocols) that the zone uses. You can configure the policy construction rules. For example, you can prevent the Guard module from creating policies of a certain type by disabling the relevant policy template. To change the rules for constructing zone policies, you must change the policy template parameters before you initiate the policy construction phase. See the "Understanding Policy Templates" section on page 8-4 for more information.
The Guard module sets default values for the policy parameters (timeout, action, and threshold). See Chapter 8, "Configuring Policy Templates and Policies," for information on how to configure the default values for the operational parameters.
The new policies that the Guard module creates in this phase replace the existing policies.
Note
Before you activate the policy construction phase make sure that no attack on the zone is in progress so that the Guard does not construct the policies based on the traffic characteristics of a DDoS attack. Allowing the Guard to learn the traffic characteristics of a DDoS attack and saving the results of the attack as a baseline may prevent the Guard from detecting future attacks because it may view them as normal traffic conditions.
To construct the zone policies, perform the following steps:
Step 1
learning policy-constructionStep 2
Wait at least 10 seconds after initiating policy construction or threshold tuning and enter the show rates details command. Verify that the value of the Received traffic rate is greater than zero. A value of zero indicates a diversion problem.
Step 3
You can save a snapshot of the learning parameters (services, thresholds, and other policy related data) by using the snapshot command at any stage during the policy construction phase, and review it later. You can save a single snapshot or save a periodic snapshot at specified intervals.
For more information, see the "Backing Up Policy Configuration" section on page 8-39.
Step 4
To accept the policies that the Guard module suggested and continue the policy construction phase, use the following command:
learning acceptTo automatically accept the policies that the Guard module suggests at specified intervals, use the following command:
learning-params periodic-action auto-accept learn_params_days learn_params_hours learn_params_minutesSee the "Configuring Learning Parameters" section for more information.
Use the no learning-params periodic-action command to terminate the periodic action.
Step 5
We recommend letting the policy construction phase continue for at least 2 hours before terminating it to allow the Guard module enough time to discover the main services (ports and protocols) that the zone uses.
You can perform one of the following actions:
•
no learning acceptThe Guard module erases previously learned policies and thresholds.
After accepting the newly constructed policies, you can manually add or remove policies. See Chapter 8, "Configuring Policy Templates and Policies," for more information.
•
no learning rejectThe Guard module stops the process and does not save the new policies that it has just learned. The policies of the zone are the policies that the Guard module had prior to initiating the learning process or prior to the last time that you accepted the results of the policy construction phase.
The following example shows how to initiate the policy construction phase and accept the suggested policies at 12-hour intervals. The example also shows how to stop the policy construction phase and accept the suggested policies.
user@GUARD-conf-zone-scannet# learning policy-constructionuser@GUARD-conf-zone-scannet# learning-params periodic-action auto-accept 0 12 0user@GUARD-conf-zone-scannet# no learning acceptTuning Policy Thresholds
In the threshold tuning phase, the Guard module analyzes the zone traffic and defines thresholds for the policies that were constructed during the policy construction phase.
You can set the Guard module to learn the zone traffic while monitoring the last accepted policy thresholds for traffic anomalies. After the Guard module detects an attack on the zone, it stops the threshold tuning phase but continues zone protection to prevent the Guard module from learning malicious traffic thresholds.
The Guard module resumes the learning process after the attack ends. The Guard module waits for a period of time, as defined by the protection-end-timer but no longer than 10 minutes, after the attack has ended before reactivating the learning process. See the"Configuring the Protection Inactivity Timeout" section on page 10-11 for more information.
To tune the policy thresholds, perform the following steps:
Step 1
protect learningWe recommend that you enable the protect and learn function, that is, activate the threshold tuning phase and set the Guard module to perform zone protection at the same time.
If you have already activated zone protection or the threshold tuning phase of the learning process, you can enter both the learning threshold-tuning command and the protect command (the order is not important) to activate the protect and learn function.
If the Guard module detects an attack on the zone, it stops the threshold tuning phase but continues zone protection.
Note
•
•
To deactivate zone protection and the threshold tuning phase simultaneously, use the deactivate command in zone configuration mode.
To activate the threshold tuning phase only, use the learning threshold-tuning command.
Step 2
Wait at least 10 seconds after initiating the policy construction phase or threshold tuning phase and enter the show rates details command. Verify that the value of the Received traffic rate is greater than zero. A value of zero indicates a diversion problem.
Step 3
You can save a snapshot of the learning parameters (services, thresholds, and other policy-related data) by using the snapshot command at any time during the threshold tuning phase. You can review the snapshot later or compare the learning parameters with another snapshot. You can save a single snapshot or save a periodic snapshot at specified intervals.
For more information, see the "Backing Up Policy Configuration" section on page 8-39.
Step 4
You can accept the zone policies that the Guard module suggested and continue the threshold tuning phase once, or define that the Guard module automatically accept the suggested policies at specified intervals to ensure that the zone has the most updated policies and continues to learn the zone traffic.
To accept the policies that the Guard module suggested and continue the threshold tuning phase, use the following command:
learning accept [threshold-selection {new-thresholds | max-thresholds | weighted weight}]See Table 9-2 for a description of the threshold-selection arguments and keywords.
To automatically accept the policies that the Guard module suggests at specified intervals, use the following command:
learning-params periodic-action auto-accept learn_params_days learn_params_hours learn_params_minutesSee the "Configuring Learning Parameters" section for more information.
Use the no learning-params periodic-action command to terminate the periodic action.
Step 5
Note
However, if the Guard module is constantly diverting the zone traffic, we recommend that you keep the protect and learn function active and do not terminate the threshold tuning phase.
You can perform one of the following actions:
•
no learning accept [threshold-selection {new-thresholds | max-thresholds | weighted weight}]See Table 9-2 for a description of the threshold-selection arguments and keywords.
The Guard module erases previously learned thresholds.
After accepting the newly tuned policies, you can manually change the policy parameters. See Chapter 8, "Configuring Policy Templates and Policies," for more information.
•
no learning rejectThe Guard module stops tuning the thresholds and reverts to prior thresholds. This process may result in a situation in which new zone policies have thresholds that were obtained according to past traffic characteristics. We recommend that you enable the threshold tuning phase at a later time or that you configure the thresholds manually.
The following example shows how to initiate the threshold tuning phase and accept the suggested policies at 1-hour intervals. The Guard module then stops the threshold tuning phase and accepts the suggested policies if the threshold values are higher than the current values (the max-thresholds method).
user@GUARD-conf-zone-scannet# learning threshold-tuninguser@GUARD-conf-zone-scannet# learning-params periodic-action auto-accept 0 1 0user@GUARD-conf-zone-scannet# no learning accept threshold-selection max-thresholdsTo display the learning results, use the show policies statistics command. See the "Displaying Policies" section on page 8-34 for more information.
After reviewing the learned thresholds, you may choose to modify some of the results. To avoid overriding these changes by future threshold tuning phases, perform one of the following tasks:
•
•
Configuring Learning Parameters
The learning parameters allow you to configure the learning-related actions that the Guard module can perform and to define how the Guard module handles specific policies. You can define the following parameters:
•
See the "Configuring Periodic Actions" section for more information.
•
See the "Marking the Policies as Tuned" section for more information.
•
See the "Configuring the Threshold Selection Method" section for more information.
•
See the "Setting the Threshold as Fixed" section on page 8-24 for more information.
•
See the "Configuring a Threshold Multiplier" section on page 8-25 for more information.
To display the configuration of the learning parameters, use the show learning-params command in zone configuration mode.
Configuring Periodic Actions
You can set the Guard module to perform one of the following actions at specified intervals:
•
•
See the "Monitoring Policies" section on page 8-34 for more information on snapshots.
To set the periodic action that the Guard module performs, use the following command in zone configuration mode:
learning-params periodic-action {auto-accept | snapshot-only} learn_params_days learn_params_hours learn_params_minutes
Table 9-1 provides the arguments and keywords for the learning-params command.
The value of the interval is the sum of the learn_params_days value, the learn_params_hours value, and the learn_params_minutes value.
The following example shows how set the Guard module to accept the policies at 1-hour intervals:
user@GUARD-conf-zone-scannet# learning-params periodic-action auto-accept 0 1 0Configuring the Threshold Selection Method
You can set the default method that the Guard module uses to generate new thresholds to accept during the threshold tuning phase. You can accept the results of the threshold tuning phase manually, or configure the Guard module to automatically accept the results of the threshold tuning phase at specified intervals.
To configure the threshold selection method, use the following command in zone configuration mode:
learning-params threshold-selection {new-thresholds | max-thresholds | weighted weight}
Table 9-2 provides the arguments and keywords for the learning-params threshold-selection command.
This example shows how to configure the Guard module to accept the suggested policies if the learned threshold values are higher than the current policy threshold values:
user@GUARD-conf-zone-scannet# learning-params threshold-selection max-thresholdsMarking the Policies as Tuned
The Guard module marks the policy threshold status that defines if the policy thresholds are tuned or not, and relates to this status when you enable the protect and learn function. The policy threshold status specifies if the Guard module identifies an attack on the zone when the policy threshold is exceeded.
When a new zone is created, or after you accept the policy construction phase results for a zone, the Guard module marks the zone policy thresholds as untuned. The default thresholds of the zone templates are tuned so that the Guard module activates the antispoofing functions quickly if it identifies traffic anomalies in the zone traffic. When you enable the protect and learn function, the learning process might stop if the current zone traffic is higher than the current policy threshold values. To avoid such situations, if the zone policies are not tuned the Guard module does not detect attacks in the zone traffic when you enable the protect and learn function until the zone policy thresholds are accepted once.
If the zone policies are untuned, the Guard module activates only a threshold selection method of accept-new and ignores previous threshold values when accepting the new policies. If the Guard module accepts the threshold tuning phase results of the learning process for a zone with a threshold selection method other than accept-new, bad policy threshold values may result. See the "Configuring the Threshold Selection Method" section for more information on the threshold selection method.
The Guard module marks the zone policies as untuned in the following situations:
•
•
•
The Guard module marks the zone policies as tuned after accepting the threshold tuning phase results.
You can modify the settings of the zone policies. To mark the zone policies as tuned, use the following command in zone configuration mode:
learning-params threshold-tuned
To mark the zone policies as untuned, use the no form of this command.
You may want to change the status of the zone policies to tuned when one of the following applies:
•
•
You may want to change the status of the zone policies to untuned when one of the following applies:
•
•
•
When the zone policies are marked as untuned, the Guard module does not monitor the current policy thresholds and does not detect attacks on the zone if the policy thresholds are exceeded.
Caution
The following example shows how to mark the status of the zone policies as tuned:
user@GUARD-conf-zone-scannet# learning-params threshold-tunedTuning Zone Policy Thresholds and Enabling Zone Protection Simultaneously
You can activate the learning process and enable zone protection simultaneously by using the protect and learn function. The Guard module tunes the policy thresholds and at the same time monitors the policy thresholds for traffic anomalies. The protect and learn function enables the Guard module toprotect the zone and continuously update the policy thresholds based on the zone traffic characteristics. The protect and learn function also prevents the Guard module from learning malicious traffic thresholds.
Note
When you create a new zone, add or remove a service from the zone policies, or accept the policy construction phase results, the Guard module marks the zone policies as untuned. The Guard module marks the zone policies as tuned only after you accept the results of the threshold tuning phase of the learning process. You can accept the results of the threshold tuning phase manually or configure the Guard module to accept the results automatically by using the learning-params command.
If you enable the learning process and zone protection simultaneously and the status of the zone policies is untuned, the Guard module functions in the following ways until the zone policy thresholds are accepted once:
•
•
When the Guard module identifies an attack on the zone, it stops the learning process but continues to protect the zone; it resumes protecting the zone and learning the zone traffic characteristics when the attack ends.
Before you activate the protect and learn function, you can configure when and how the Guard module accepts the results of the learning process. See the "Configuring Learning Parameters" section for more information.
To activate the learning process and zone protection simultaneously, use the protect learning command or enter both the learning threshold-tuning command and the protect command (the order is not important).
See the "Tuning Policy Thresholds" section and Chapter 10, "Protecting Zones," for more information.
Using Snapshots to Verify the Results of the Learning Process
You can save a snapshot of the learning parameters (services, thresholds, and other policy-related data) at any stage during the learning process and review it later. You can compare the learning parameters of two zones or compare two of the zone snapshots to verify the outcome of the learning process and trace the differences in policies, services, and thresholds.
We recommend that you save a snapshot every few hours during the learning process. If an attack occurs during the learning process, you can use the snapshot policies for the zone. You can take the snapshot manually or configure the Guard module to automatically take a snapshot at specified intervals. The Guard module saves up to 100 snapshots for each zone. New snapshots replace the previous ones.
You can copy zone policies from the snapshot to configure the zone according to previous learning results if necessary.
This section provides information on the following topics:
•
Creating Snapshots
You can save a single snapshot of the zone learning parameters or configure the Guard module to automatically take a snapshot at specified intervals. The Guard module continues the learning process while the snapshot is taken.
To set the Guard module to automatically take a snapshot at specified intervals, see the "Configuring Periodic Actions" section for more information.
To save a single snapshot of the zone learning parameters, use the following command in zone configuration mode:
snapshot [threshold-selection {new-thresholds | max-thresholds | cur-thresholds | weighted calc-weight}]
Table 9-3 provides the arguments and keywords for the snapshot command.
Use the snapshot command to save the results of the zone learning process. The results include the zone policies, services, and thresholds. After you verify the snapshot parameters and compare two snapshots or copy the snapshot parameters to a new zone, you can delete the snapshot.
You can back up the current zone policies using the snapshot threshold-selection cur-thresholds command.
The following example shows how to create a snapshot in which the thresholds are the highest value between the current policy threshold and the new threshold of the learning process:
user@GUARD-conf-zone-scannet# snapshot threshold-selection max-thresholdsTo save a single snapshot in global mode, use the snapshot zone-name [threshold-selection {new-thresholds | max-thresholds | cur-thresholds | weighted weight}] command.
Comparing Learning Results
You can compare the learning results of two snapshots or two zones to trace the differences in policies, services, and thresholds.
This section includes the following topics:
Comparing Snapshots
To compare two snapshots, use the following command in zone configuration mode:
diff snapshots snapshot-id snapshot-id [percent]
Table 9-4 provides the arguments for the diff command.
The following example shows how to display the zone snapshots and compare the two most recent snapshots:
user@GUARD-conf-zone-scannet# show snapshotsID Time1 Feb 10 10:32:042 Feb 10 10:49:123 Feb 10 11:01:50user@GUARD-conf-zone-scannet# diff 2 3To compare snapshots in global mode, use the diff zone-name snapshots snapshot-id snapshot-id [percent] command.
Comparing Zones
To compare the learning parameters of two zones, use the following command in global mode or in configuration mode:
diff zone-name zone-name [percent]
Table 9-5 provides the arguments for the diff command.
The following example shows how to compare the learning parameters of two zones:
user@GUARD# diff scannet scannet-mailserverDisplaying Snapshots
Display a list of the zone snapshots or the snapshot parameters to get a comprehensive view of the zone learning results by entering the following command:
show snapshots [snapshot-id [policies policy-path]]
Table 9-6 provides the arguments and keywords for the show snapshots command.
Table 9-6 Arguments and Keywords for the show snapshots
Commandsnapshots
Displays the zone snapshots. If you do not specify the snapshot ID, the Guard module displays a list of all the zone snapshots.
ID of the snapshot to display. If you do not specify policies, the default is to display a list of all the zone snapshots. To view the snapshot ID, use this command with no arguments.
Group of policies to display. See the "Using Policy Paths" section on page 8-2 for more information.
To compare snapshots in global mode, use the show zone zone-name snapshots [snapshot-id [policies policy-path]] command.
The following example shows how to display a list of the zone snapshots and the policies that are related to dns_tcp in snapshot 2:
user@GUARD-conf-zone-scannet# show snapshotsID Time1 Feb 10 10:32:042 Feb 10 10:49:12user@GUARD-conf-zone-scannet# show snapshots 2 policies dns_tcpThe fields of the show zone zone-name snapshots snapshot-id policies policy-path command output are identical to the fields in the output of the show policies command. See the "Displaying Policies" section on page 8-34 for more information.
Table 9-7 describes the fields in the show snapshots command output.
Table 9-7 Field Descriptions for show snapshots
Command OutputSnapshot ID.
Date and time that the snapshot was taken.
Deleting Snapshots
You can delete old snapshots to free up disk space.
To delete a snapshot, use the following command in zone configuration mode:
no snapshot snapshot-id
The snapshot-id argument specifies the ID of an existing snapshot. Enter an asterisk (*) to delete all the zone snapshots. To view the details of a snapshot, use the show snapshots command.
The following example shows how to delete all the zone snapshots:
user@GUARD-conf-zone-scannet# no snapshot *Copying Policies to the Zone Configuration
You can copy a complete policy configuration or a partial configuration to the current zone.
You can copy the following information:
•
•
To copy the zone policies, use the following command in zone configuration mode:
copy-policies {snapshot-id | src-zone-name [service-path]}
Table 9-8 provides the arguments and keywords for the copy-policies command.
The following example shows how to copy all services that relate to the policy template tcp_connections from the zone webnet to the current zone, scannet:
user@GUARD-conf-zone-scannet# copy-policies webnet tcp_connections/The following example shows how to display a list of the zone snapshots and then copy the policies from the snapshot with ID 2:
user@GUARD-conf-zone-scannet# show snapshotsID Time1 Feb 10 10:32:042 Feb 10 10:49:12user@GUARD-conf-zone-scannet# copy-policies 2Backing Up the Zone Policies
You can back up the current zone policies at all times by using the snapshot threshold-selection cur-thresholds command.
The following example shows how to back up the current zone policies:
user@GUARD-conf-zone-scannet# snapshot threshold-selection cur-thresholds
