Cisco Anomaly Guard Module Configuration Guide (Software Version 5.1)

Protecting Zones


This chapter describes how to configure and activate the Cisco Anomaly Guard Module (Guard module) to protect a zone. These procedures are required to enable zone protection.

This chapter contains the following sections:

Overview

Activating On-Demand Protection

Configuring How the Guard Performs Zone Protection

Configuring the Protection Activation Method

Configuring the Sensitivity for Activating Zone Protection

Configuring the Protection Activation Extent

Understanding Subzones

Configuring the Protection Inactivity Timeout

Activating Zone Protection

Deactivating Zone Protection

Overview

Before activating zone protection, we recommend that you let the Guard module study the zone traffic patterns or synchronize the zone configuration, including the zone policies, from a Cisco Traffic Anomaly Detector Module (Detector module). The learning process allows the Guard module to learn the traffic patterns of each zone and to create sets of recommended thresholds according to statistical analysis of the zone traffic. You can protect several zones at the same time only if their IP address ranges do not overlap.

You must configure diversion before initiating the learning process or divert the zone traffic to the Guard module manually. Configure zone diversion using the Guard module routing configuration.

See "Configuring Traffic Diversion" for more information.

If the zone is not under attack, you can activate the protect and learn function to enable the Guard module to constantly divert the zone traffic and tune the zone policy thresholds. See the "Synchronizing a Guard Module with Cisco Traffic Anomaly Detector Module Zone Configuration" section on page 6-13 for more information.

You can define the following protection characteristics:

Operation mode—You can configure how the Guard module performs zone protection and define whether the Guard module applies measures to protect the zone automatically or in an interactive manner.

Activation method—You can define whether to activate the zone according to the zone name, the zone address range, or the received traffic. You should configure the activation method if zone protection is activated by an external device (such as a Detector module).

Activation extent—You can define whether to activate zone protection for the entire zone address range, or only for a specific IP address within the zone. The activation extent applies only to zones whose protection is activated by an external device, such as a Detector module.

Protection termination timeout—You can define the timeout after which the Guard module terminates zone protection.

Activating On-Demand Protection

In an immediate need such as a zone under attack, you can use system-defined zone templates to protect a zone without enabling the Guard module to learn the zone traffic characteristics. The predefined policies and filters in the zone template can protect a zone that has traffic characteristics that are unknown to the Guard module. The default thresholds of these zone policies are tuned so that the Guard module activates the antispoofing functions quickly if it identifies traffic anomalies in the zone traffic.

Because the Guard module does not know the zone traffic patterns, the thresholds used to block (drop) source IP addresses are set to high values. On-demand protection requires user intervention when mitigating nonspoofed attacks. You must monitor the legitimate and malicious traffic rates of the zone and view the Guard module mitigation actions.

You may require on-demand protection for a zone if there is an attack on the zone and one of the following conditions applies:

The zone is in the learning process.

You have enabled the protect and learn function but the Guard module has not yet learned the zone traffic characteristics.

You have accepted policy thresholds that you think do not represent the zone traffic.

To activate on-demand protection, perform the following steps:


Step 1 Create a new zone by entering the following command:

zone new-zone-name [template-name] [interactive]

See the "Creating a New Zone from a Zone Template" section on page 6-6 for more information.

Step 2 Define the zone IP address by entering the following command:

ip address ip-addr [ip-mask] 

See the "Configuring Zone Attributes" section on page 6-9 for more information.

Step 3 Activate zone protection by entering the following command:

protect

See the "Activating Zone Protection" section for more information.

Step 4 Analyze the zone traffic patterns. See "Analyzing Guard Module Mitigation" for more information.


Configuring How the Guard Performs Zone Protection

You can configure the Guard to perform zone protection in one of the following ways:

Automatic protect mode—Dynamic filters are activated without user intervention. This operation mode is the default.

Interactive protect mode—Dynamic filters are activated manually in an interactive mode. The dynamic filters are grouped as recommendations that await your decision. You can review and decide which recommendations to accept, ignore, or direct to automatic activation.

See "Using Interactive Protect Mode" for more information.

Configuring the Protection Activation Method

The protection activation method defines how the Guard module identifies the zone for which it activates zone protection when it receives an external indication. This indication can be a command from an external device, such as a Detector module, or traffic that is destined to the zone (packet).

The method that the Guard module uses to activate protection can be one of the following:

ip-address—Activates zone protection when it receives a command from an external device, such as a Detector module, that consists of an IP address or subnet that is part of the zone.

packet—Activates zone protection when it receives traffic that is destined to the zone.

packet-or-ip-address—Activates zone protection when it receives traffic (a packet) that is destined to the zone or when it receives a command from an external device, such as the Detector module, that consists of an IP address or subnet that is part of the zone address range.

zone-name-only—Activates zone protection based on the zone name.

When you configure zones with a protection activation method of packet or packet-or-ip-address:

You must manually divert the zone traffic to the Guard module using an external device. Otherwise, the Guard cannot monitor the zone traffic.

You can configure the minimum received traffic rate that is required for the Guard module to activate zone protection by entering the protect-packet activation-sensitivity command (see the "Configuring the Sensitivity for Activating Zone Protection" section for more information).

Do not configure more than one zone with the same address range. Otherwise, zone protection may not function properly.

The Guard module activates the entire zone or a specific IP address range according to the zone activation extent unless the protection activation method is zone-name-only (see the "Configuring the Protection Activation Extent" section). If the protection activation method is zone-name-only, the Guard module activates the entire zone.

To configure the protection activation method, use the following command in zone configuration mode:

activation-interface {packet [divert] | ip-address | packet-or-ip-address [divert] | zone-name-only}

The default is zone-name-only. If you create a zone by duplicating an existing zone, the protection activation method is set to zone-name-only, regardless of the configuration of the source zone. See the "Creating a New Zone by Duplicating an Existing Zone" section on page 6-8.

Table 10-1 provides the keywords for the activation-interface command.

Table 10-1 Keywords for the activation-interface Command 

Parameter
Description

ip-address

Activates zone protection when it receives a command from an external device, such as a Detector module, that consists of an IP address or subnet that is part of the zone. The Guard module scans the zone database and activates the zone that has an address range that includes the received IP address or subnet. If you have configured several zones with an address range that includes the received IP address, the Guard module activates the zone with the longest prefix match (the zone that has the most specific address range that includes the received IP address). The received IP address or subnet must be completely included in the zone IP address range.

packet

Activates zone protection when it receives traffic that is destined to the zone. The Guard module scans the zone database and activates the zone that has an address range that includes the received packet IP address. If you have configured several zones with an address range that includes the received packet IP address, the Guard module activates the zone with the longest prefix match (the zone that has the most specific address range that includes the received packet IP address). The received IP address or subnet must be completely included in the zone IP address range.

Note When you configure a zone with a protection activation method of packet, the Guard module changes the way that it handles traffic that is not destined to an active zone. If you have configured injection for that traffic, the Guard module forwards the traffic instead of dropping it.

packet-or-ip-address

Activates zone protection when it receives traffic (a packet) that is destined to the zone or when it receives a command from an external device, such as the Detector module, that consists of an IP address or subnet that is part of the zone address range. See the ip-address and packet protection activation methods in this table for more information.

zone-name-only

Activates zone protection based on the zone name. A command from an external device, such as a Detector module, to activate zone protection must include the zone name. This activation method is the default.

divert

Sends a BGP (Border Gateway Protocol) announcement to the adjacent router to divert the zone traffic from the original path to the Guard module. Use the divert keyword when a Detector module activates zone protection on the Guard module using BGP.

See the Cisco Traffic Anomaly Detector Module Configuration Guide for more information.


The following example shows how to configure the protection activation method so that the Guard module activates protection when it receives a packet that is within the zone IP address range:

user@GUARD-conf-zone-scannet# activation-interface packet


Note If the activation extent is ip-address-only (see the "Configuring the Protection Activation Extent" section) and the protection activation method is not zone-name-only, we recommend that you configure the timer that the Guard module uses to identify that an attack on the zone has ended by using the protection-end-timer command (see the "Configuring the Protection Inactivity Timeout" section). If you enter the protection-end-timer forever command, the Guard module does not terminate zone protection when the attack ends and does not delete the subzone that it has created to protect the specific IP address.


You can create a default zone for the Guard module to protect if the received IP address or packet is not part of any other zone. You can define a default zone only if the network is homogenous and can use the same zone template. You cannot perform the learning process for a default zone. Create the zone with an IP address of 0.0.0.0 and a subnet of 0.0.0.0. Define the activation extent as ip-address (see the "Configuring the Protection Activation Extent" section).
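The zone selection rule in Table 10-1 (the received address or subnet must be completely included in a zone range, and the longest prefix match wins), the default 0.0.0.0/0.0.0.0 zone described above, and the earlier warning against configuring two zones with the same address range can all be checked offline against a planned zone table. The following Python is an added example written for this guide, not Guard module code; the zone table is constructed, and the assumption is that a bare IP address in an indication is treated as a /32 (255.255.255.255) subnet.

```python
import ipaddress

# Constructed zone table: name -> (ip, mask), as configured with "ip address".
# The 0.0.0.0/0.0.0.0 entry models the optional default zone from the text.
ZONES = {
    "scannet": ("10.10.10.0", "255.255.255.0"),
    "scannet-db": ("10.10.10.192", "255.255.255.252"),
    "webfarm": ("192.168.5.0", "255.255.255.0"),
    "default-zone": ("0.0.0.0", "0.0.0.0"),
}

def zone_network(ip, mask):
    """Build the address range of a zone from a dotted IP and dotted mask."""
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)

def select_zone(zones, received_ip, received_mask="255.255.255.255"):
    """Name of the zone the Guard module would activate for an ip-address or
    packet indication, or None if no zone range includes the received range.

    Rule from Table 10-1: the received IP address or subnet must be completely
    included in the zone range; among candidates the longest prefix (the most
    specific range) wins. A bare IP is assumed to be a /32 (not stated on the page).
    """
    target = zone_network(received_ip, received_mask)
    best_name, best_net = None, None
    for name, (ip, mask) in zones.items():
        net = zone_network(ip, mask)
        if target.subnet_of(net) and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_name, best_net = name, net
    return best_name

def duplicate_ranges(zones):
    """Groups of zone names that share an identical address range.
    The text warns that such configurations may not activate correctly."""
    by_range = {}
    for name, (ip, mask) in zones.items():
        by_range.setdefault(zone_network(ip, mask), []).append(name)
    return [names for names in by_range.values() if len(names) > 1]

if __name__ == "__main__":
    for ip in ("10.10.10.193", "10.10.10.5", "172.16.0.1"):
        print(ip, "->", select_zone(ZONES, ip))
    print("duplicate ranges:", duplicate_ranges(ZONES))
```

Because the default zone has a zero-length prefix, it can only win when no other zone includes the received address, which is exactly the fallback behaviour the guide describes; a received subnet that straddles a zone boundary (for example 10.10.10.0 with mask 255.255.254.0 against a /24 zone) is not "completely included" and falls through to the default zone or to no zone at all.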

To display the zone activation method, use the show running-config command in zone configuration mode.

Configuring the Sensitivity for Activating Zone Protection

When the method that the Guard module uses to activate zone protection is packet or packet-or-ip-address, the Guard module activates zone protection only if the received traffic rate to a single IP address is higher than the activation sensitivity. The activation sensitivity is defined globally and applies to all zones.

To change the minimum packet rate that is required to activate zone protection, use the following command in configuration mode:

protect-packet activation-sensitivity min-rate

The min-rate argument defines the minimum packet rate that is destined to a single zone destination IP address that causes the Guard module to activate zone protection. The default is 0 packets per second (pps).

The following example shows how to configure the activation sensitivity to 10 pps:

user@GUARD-conf# protect-packet activation-sensitivity 10

Configuring the Protection Activation Extent

The protection activation extent defines whether to activate zone protection for the entire zone or for a partial zone once the Guard module receives an external indication. This indication can be a command from an external device, such as the Detector module, or traffic that is destined to the zone (packet).

The Guard module supports the following activation extents:

Entire zone—Activates zone protection for the entire zone. The Guard module activates zone protection when it receives traffic that is destined to the zone or when it receives an external indication that consists of an IP address or subnet that is part of the zone.

IP Address only—Activates zone protection only for the specified IP address or subnet. When the Guard module receives traffic that is destined to the zone or when it receives a command from an external device, such as the Detector module that consists of an IP address or subnet that is part of the zone, the Guard module creates a new zone (subzone). This activation extent is the default. See the "Understanding Subzones" section for more information.

To configure the activation extent, use the following command in zone configuration mode:

activation-extent {entire-zone | ip-address-only}

Table 10-2 provides the keywords for the activation-extent command.

Table 10-2 Keywords for the activation-extent Command 

Parameter
Description

entire-zone

Activates zone protection for the entire zone.

ip-address-only

Activates zone protection only for the specified IP address or subnet. This activation extent is the default.


The following example shows how to use the activation-extent command to configure the activation extent of zone protection for the entire zone:

user@GUARD-conf-zone-scannet# activation-extent entire-zone

To display the zone activation extent, use the show running-config command.

Understanding Subzones

The Guard module creates a subzone when it activates zone protection for a partial zone (a zone that does not include the complete IP address range of the source zone). The IP address range of the subzone is included in the address range of the source zone.

The subzone configuration is similar to the configuration of the source zone except that the IP address and name are different. The name of the subzone consists of the first 30 characters of the name of the source zone, the IP address and the subnet, concatenated with underscores. If the subzone consists of a single IP address, the subnet is not added. For example, if the name of the source zone is scannet with an address range of 10.10.10.0 and a subnet of 255.255.255.0 and the Guard module activates zone protection for an internal range of IP address 10.10.10.192 and subnet 255.255.255.252, the name of the subzone is scannet_10.10.10.192_255.255.255.252.

The IP address and subnet of the subzone are the IP address and subnet that the Guard module received with the external command or the IP address of the packet that triggered the Guard module to activate zone protection.

The Guard module deletes subzones when it terminates zone protection. The Guard module terminates zone protection for a subzone according to the activation method and the protection termination timeout that are configured for the source zone. The Guard module does not delete a subzone if you have manually terminated zone protection by using the no protect command or the deactivate command.


Note If you configure the timer that the Guard module uses to identify that an attack on the zone has ended by using the protection-end-timer forever command, the Guard module does not terminate zone protection when the attack ends and does not erase the subzone.


When the Guard module deletes a subzone, it does not erase the logs and attack reports of the subzone.

To display the logs and reports of the subzone after the Guard module has erased the subzone, use the following commands:

show log sub-zone-name—See the "Displaying the Guard Module Configuration" section for more information.

show reports sub-zone-name [report-id | current] [details]—See the "Displaying Attack Reports" section for more information.

To display a list of the subzones that were created from the zone, enter the command and press Tab for the sub-zone-name argument.

The following example shows how to display the logs of a subzone that was erased:

user@GUARD-conf-zone-scannet# show logs scannet_10.10.10.192

Configuring the Protection Inactivity Timeout

The Guard module can activate or deactivate zone protection and the learning process when the Guard module identifies that an attack on the zone has ended. If the Guard module is protecting a zone, it terminates zone protection when the zone is no longer under attack. If the protect and learn function is enabled, the Guard module deactivates the learning process when it detects an attack on the zone and resumes the learning process when the zone is no longer under attack.

The Guard module verifies whether an attack on the zone has ended according to an inactivity timeout. You can define this timeout as a number of seconds or as infinite.

To define the inactivity timeout, use the following command in zone configuration mode:

protection-end-timer {time-seconds | forever}

Table 10-3 provides the arguments and keywords for the protection-end-timer command.

Table 10-3 Arguments and Keywords for the protection-end-timer Command

Parameter
Description
time-seconds

Timeout in seconds. Enter an integer greater than 60.

forever

Sets an indefinite timeout.


The default is forever. If you do not change the default value, you must deactivate zone protection manually.

The following example shows how to configure the protection inactivity timeout:

user@GUARD-conf-zone-scannet# protection-end-timer 300

The Guard module measures the inactivity based on dynamic filter inactivity and dropped traffic. If, for the configured span of time, no dynamic filters are in use and both of the following conditions apply, the Guard module assumes that the attack on the zone has ended:

No new dynamic filters are added—See the "Deactivating Dynamic Filters" section for information on how the Guard module decides when to remove dynamic filters.

The rate of the zone traffic that is being dropped is lower than the defined threshold—The Guard module drops zone packets that the dynamic filters, user filters, and flex-content filters have identified as part of an attack, and the Guard module drops traffic that has exceeded the rate limit that was defined for the zone using the rate-limit command. The Guard module counts the dropped packets using the zone dropped counter (see the "Using Counters to Analyze Traffic" section for more information). The default threshold is 1 pps. To change the drop counter threshold, use the following command in zone configuration mode:

attack-detection zone-malicious-rate threshold

The threshold argument defines the minimum rate of dropped zone packets. If the rate goes lower than this threshold, the Guard module may end zone protection. If the rate exceeds this threshold, the Guard module identifies an attack on the zone and creates an attack report.

If the zone activation method is packet, the Guard module also checks for inactivity based on the received traffic before deactivating a zone. The Guard module deactivates protection only if the previous conditions apply and no packet to the zone was received.
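The end-of-attack decision above combines several signals over the protection-end-timer window: no dynamic filters in use, no new dynamic filters added, a dropped-packet rate below the attack-detection zone-malicious-rate threshold, and, for the packet activation method, no packets received for the zone. The following Python is an added example, not Guard module code, that models that decision so an operator can reason about why a zone did or did not deactivate. It assumes one observation per second and that the window is exactly protection-end-timer seconds long; the sample values are constructed.

```python
from dataclasses import dataclass

@dataclass
class ZoneSample:
    """One per-second observation of a protected zone (constructed data)."""
    active_filters: int     # dynamic filters currently in use
    filters_added: int      # dynamic filters added during this second
    dropped_pps: float      # rate reported by the zone dropped counter
    packets_received: int   # packets destined to the zone in this second

def drop_rate_indicates_attack(dropped_pps, malicious_rate=1.0):
    """Per the text: a drop rate above zone-malicious-rate (default 1 pps)
    identifies an attack and produces an attack report."""
    return dropped_pps > malicious_rate

def sample_is_quiet(sample, malicious_rate, activation_method):
    """True if this second shows none of the activity that keeps protection up."""
    quiet = (sample.active_filters == 0
             and sample.filters_added == 0
             and sample.dropped_pps < malicious_rate)
    # The page states the received-traffic check for the packet method only;
    # applying it to other methods would be an assumption, so it is not done here.
    if activation_method == "packet":
        quiet = quiet and sample.packets_received == 0
    return quiet

def protection_should_end(samples, end_timer, malicious_rate=1.0,
                          activation_method="zone-name-only"):
    """Decide whether the Guard module would end protection now.

    end_timer is the protection-end-timer value: "forever" never ends
    protection (the operator must deactivate), otherwise an integer number of
    seconds greater than 60, as Table 10-3 requires. The most recent end_timer
    samples must all be quiet. Assumption: one sample per second.
    """
    if end_timer == "forever":
        return False
    if not isinstance(end_timer, int) or end_timer <= 60:
        raise ValueError("protection-end-timer takes an integer greater than 60 or forever")
    if len(samples) < end_timer:
        return False  # the quiet span has not yet lasted the full timer
    window = samples[-end_timer:]
    return all(sample_is_quiet(s, malicious_rate, activation_method) for s in window)

def quiet_window(seconds):
    """Constructed helper: a run of fully idle samples."""
    return [ZoneSample(0, 0, 0.0, 0) for _ in range(seconds)]

if __name__ == "__main__":
    history = quiet_window(300)
    history[120] = ZoneSample(0, 0, 3.0, 0)  # a burst of dropped traffic mid-window
    print("ends with 300 s timer:", protection_should_end(history, 300))
    print("ends after the burst ages out:", protection_should_end(history + quiet_window(121), 300))
```

Two points the model makes visible: a single second of dropped traffic at or above the threshold restarts the whole wait, because the timer requires the entire window to be quiet, and with the packet activation method even legitimate traffic to the zone keeps protection active, which is why the guide pairs that method with a finite protection-end-timer only when the activation extent is ip-address-only and the subzone is meant to be cleaned up.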

Activating Zone Protection

You can wait for an external device (such as a Detector module) to detect an attack on the zone before setting the Guard module to protect the zone, or activate the Guard module to protect the zone after configuring the zone. When the Guard module protects a zone, the Guard module diverts the zone traffic to itself and applies its protection policies.

If the zone is under attack before the Guard module has learned the zone traffic characteristics, use on-demand protection to protect the zone. The Guard module default policy thresholds for a new zone enable effective on-demand protection. See the "Activating On-Demand Protection" section for more information.


Note You must manually divert the zone traffic to the Guard module using an external device if you configure the activation method to packet by using the activation-interface packet command; otherwise the Guard module cannot monitor the zone traffic.


You can activate zone protection in one of the following ways:

You can protect the entire zone—See the "Protecting the Entire Zone" section.

You can protect an IP-specific zone that is a part of the zone address range—See the "Protecting an IP Zone that is Part of the Zone Address Range" section.

You can protect a specific IP address even if you do not know the name of the zone whose address range includes that IP address—See the "Protecting an IP Address when the Zone Name is Not Known" section.


Tip Check that the Guard module is receiving the zone traffic. Wait at least 10 seconds after activating zone protection and enter the show rates command. Verify that the value of at least one of the rates is greater than zero. If the value of all rates equals zero, a diversion problem could exist. See the "Diversion Problem" section for more information.


Protecting the Entire Zone

You can protect the entire zone by entering the following command in zone configuration mode:

protect [learning]

The learning keyword sets the Guard module to protect the zone and tune the policy thresholds. See the "Tuning Policy Thresholds" section for more information.

The following example shows how to activate zone protection:

user@GUARD-conf-zone-scannet# protect

Protecting an IP Zone that is Part of the Zone Address Range

You can protect an IP-specific zone that is a part of the zone address range. In this case, the Guard module creates a new zone. The name of the new zone consists of the first 30 characters of the major zone and the specific IP address concatenated by an underscore. If a zone by the same name already exists, the Guard module activates zone protection for the existing zone instead of creating another zone by the same name.
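The subzone naming rule stated here, and in more detail in the "Understanding Subzones" section (first 30 characters of the source zone name, then the IP address, then the subnet when the range is larger than a single address, joined with underscores), determines the name you will later pass to show log and show reports. The following Python is an added example, not Guard module code, that applies the rule and models the "existing zone is reused" behaviour described above; it assumes that a subnet of 255.255.255.255 counts as a single IP address and that the 30-character limit applies only to the source zone name.

```python
NAME_PREFIX_LIMIT = 30            # first 30 characters of the source zone name
SINGLE_HOST_MASK = "255.255.255.255"  # assumption: this mask means "single IP address"

def subzone_name(source_zone, ip, subnet=None):
    """Name the Guard module gives a subzone, per the documented rule.

    The subnet is omitted when none is given or when it denotes a single
    address, matching the example scannet_10.10.10.192_255.255.255.252 for a
    /30 and scannet_192.168.5.6 for a host.
    """
    parts = [source_zone[:NAME_PREFIX_LIMIT], ip]
    if subnet is not None and subnet != SINGLE_HOST_MASK:
        parts.append(subnet)
    return "_".join(parts)

def activate_subzone(zone_db, source_zone, ip, subnet=None):
    """Return (subzone name, created?).

    zone_db is a constructed set of existing zone names. If the computed name
    already exists, protection is activated on that zone and no new zone is
    created, as the text describes.
    """
    name = subzone_name(source_zone, ip, subnet)
    if name in zone_db:
        return name, False
    zone_db.add(name)
    return name, True

if __name__ == "__main__":
    db = {"scannet"}
    print(activate_subzone(db, "scannet", "192.168.5.6"))
    print(activate_subzone(db, "scannet", "192.168.5.6"))   # reused, not created
    print(activate_subzone(db, "scannet", "10.10.10.192", "255.255.255.252"))
```

The truncation matters operationally: two source zones whose names share the same first 30 characters produce identical subzone names for the same address, so the second activation reuses the first subzone rather than creating a new one. Keep distinguishing characters within the first 30 when naming zones.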

To activate zone protection for an IP-specific zone, use the following command in global mode:

protect zone-name ip-address-general

Table 10-4 provides the arguments for the protect command.

Table 10-4 Arguments for the Zone Configuration Mode protect Command

Parameter
Description

zone-name

The name of the zone

ip-address-general

The specific IP address within the zone address range. Enter the IP address in dotted-decimal notation. For example, enter 192.168.5.6.


To remove this zone, use the no form of the zone command.

The following example shows how to activate zone protection for IP address 192.168.5.6 that is included in the IP address range of the zone scannet:

user@GUARD# protect scannet 192.168.5.6
creating zone scannet_192.168.5.6
user@GUARD#

Protecting an IP Address when the Zone Name is Not Known

You can protect a specific IP address even if you do not know the name of the zone whose address range includes that IP address by entering the following command in global mode:

protect ip-address-general [subnet-mask]

Table 10-5 provides the arguments for the protect command.

Table 10-5 Arguments for the Global Mode protect Command 

Parameter
Description

ip-address-general

The specific IP address within a zone address range. Enter the IP address in dotted-decimal notation. For example, enter 192.168.5.6.

subnet-mask

The subnet mask for which zone protection is activated. Enter the IP address in dotted-decimal notation. For example, enter 255.255.255.252.


The Guard module activates zone protection for the zone whose address range includes the IP address, according to the ip-address activation method. See the "Configuring the Protection Activation Extent" section for more information.

The following example shows how to activate zone protection for IP address 192.168.5.6:

user@GUARD# protect 192.168.5.6

You can enter the protect-related commands for several zones at the same time. Enter the command in global mode and use an asterisk (*) as a wildcard. For example, to stop zone protection for all zones, enter the no protect * command in global mode. To stop zone protection for all zones with names that begin with scan (such as scannet and scanserver), enter the no protect scan* command in global mode.

Deactivating Zone Protection

When there is no attack on a zone and you rely on another source for detecting zone traffic anomalies, you may want to deactivate zone protection and end traffic diversion to the Guard module.

To deactivate zone protection, use one of the following commands in zone configuration mode:

no protect—Ends zone protection. If you enabled the protect and learn function, the Guard module continues to learn the policy thresholds.

deactivate—Ends both zone protection and the threshold tuning phase of the learning process.

The following example shows how to deactivate zone protection and the learning process:

user@GUARD-conf-zone-scannet# deactivate