Table Of Contents
Product Overview
User Interface Requirements
Minimum Requirements
Installing Java 2 Runtime Environment
Guard Module Requirements for WBM Operation
Understanding the Cisco Anomaly Guard Module
Understanding DDoS
Understanding Spoofed Attacks
Understanding Nonspoofed Attacks
Understanding Zones
Understanding the WBM Interface
Understanding the WBM Browser Window
Understanding Zone Status Icons
Understanding WBM Navigation Maps
Product Overview
This chapter provides an overview of the Cisco Anomaly Guard Module (Guard module) Web-Based Manager (WBM) that you can use to remotely operate and monitor the Guard module. The WBM is a graphical user interface that communicates with the Guard module by translating its HTML pages into Guard module commands.
This chapter contains the following sections:
• User Interface Requirements
• Guard Module Requirements for WBM Operation
• Understanding the Cisco Anomaly Guard Module
• Understanding DDoS
• Understanding Zones
• Understanding the WBM Interface
User Interface Requirements
This section describes the minimum requirements for the WBM client and contains the following topics:
• Minimum Requirements
• Installing Java 2 Runtime Environment
Minimum Requirements
The minimum requirements to access and use the WBM on the Guard module are as follows:
• MS Internet Explorer 5.5 (or higher)—Must support HTML, tables, cookies, JavaScript, and frames.
• Sun Microsystems Java 2 Runtime Environment (JRE) Standard Edition (SE) version 5.0 or higher—JRE is required to view the real-time counters (see the "Installing Java 2 Runtime Environment" section).
• Monitor resolution—We recommend that your monitor has a minimum resolution of 1024 x 768 pixels.
Installing Java 2 Runtime Environment
You must install JRE to view the real-time counters. To download and install JRE from the Sun Microsystems website, perform the following steps:
Step 1 Open the following URL in your web browser: www.sun.com. The Sun Microsystems home page displays.
Step 2 Navigate to the Downloads > Java SE page and select Java Runtime Environment (JRE) 5.0 Update 11 or higher.
Step 3 Accept the license agreement and download Java Runtime Environment (JRE) 5.0 Update 11 or higher.
Step 4 Run the file that you just downloaded and follow the online installation instructions that Sun Microsystems provides.
Guard Module Requirements for WBM Operation
Before using the WBM, ensure that the Guard module is properly installed as described in the Cisco Anomaly Guard Module Configuration Guide. You must perform the initial configuration process using the CLI. Verify that you have configured the following features on the Guard module to ensure proper operation of the WBM:
• Configure the network interfaces—Configures the Guard module network interfaces. You cannot connect to the Guard module until you configure the Guard module interfaces for operation in your networking environment.
• Configure traffic diversion—Configures traffic diversion so that the Guard module can divert the zone traffic to itself and then inject the legitimate traffic back into the network when you activate zone protection.
• Enable the WBM service and permit access—Enables the WBM service on the Guard module and permits access to the Guard module from the WBM client. The CLI procedures to configure this operation are also included in this guide (see the "Configuring Network Access for the WBM" section).
Understanding the Cisco Anomaly Guard Module
The Guard module is a Distributed Denial of Service (DDoS) attack mitigation device that diverts suspect traffic from its normal network path to itself for cleaning. During the traffic cleaning process, the Guard module identifies and drops the attack packets and forwards the legitimate packets to their targeted network destinations.
Typically, you deploy the Guard module in a distributed upstream configuration at the backbone level. You can install the Guard module in one of the following Cisco products:
• Catalyst 6500 series switch
• Cisco 7600 series router
You define the network elements, or zones, that the Guard module protects against DDoS attacks. When a zone is under attack, the Guard module diverts only the network traffic that is destined for the targeted zone, identifies and drops specific attack packets, and forwards legitimate traffic packets to the zone. The Guard module constantly filters the zone traffic and modifies the attack mitigation process as the attack pattern evolves. When the Guard module determines that the attack on the zone has ended, it stops diverting the zone traffic to itself. By diverting network traffic only when needed, the Guard module can assume its protective role when there is an attack but remain unobtrusively in the network background for the rest of the time.
The Guard module performs the following tasks:
• Traffic learning—Learns the characteristics (services and traffic rates) of normal zone traffic using an algorithm-based process. During the learning process, the Guard module modifies the default zone traffic policies and policy thresholds to match the characteristics of normal zone traffic. The traffic policies and thresholds define the reference points that the Guard module uses to determine when the zone traffic is normal or abnormal (indicating an attack on the zone).
• Traffic protection—Distinguishes between legitimate and malicious traffic and filters the malicious traffic so that only the legitimate traffic is allowed to pass on to the zone.
• Traffic diversion—Diverts the zone traffic from its normal network path to the Guard module learning and protection processes and then returns the legitimate zone traffic to the network.
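The following added example (not Cisco's code or algorithm) models the learn, monitor, and divert cycle described in this section in simplified form: a threshold is tuned from a constructed sample of normal per-second packet rates for one zone service, traffic is then monitored against it, and diversion is switched on when the threshold is exceeded and switched off once the rate has stayed normal for a few samples. The sample rates, the mean-plus-three-sigma rule, and the three-sample "attack over" rule are assumptions made for the illustration.

```python
"""Simplified model of the Guard module's learn / monitor / divert cycle.
Added illustration only; not Cisco's algorithm, thresholds, or code."""
from statistics import mean, pstdev

# Constructed per-second packet counts for one zone service (for example TCP/80)
# observed during a quiet learning period. Sample input, not real data.
NORMAL_RATES = [120, 135, 128, 142, 131, 126, 138, 133, 129, 140]


def tune_threshold(rates, sigmas=3.0, floor=1.0):
    """Threshold-tuning phase: derive an anomaly threshold from observed
    normal traffic as mean + k standard deviations (assumed rule), never
    dropping below `floor` so a flat baseline still yields a usable limit."""
    if len(rates) < 2:
        raise ValueError("need at least two samples to tune a threshold")
    return max(floor, mean(rates) + sigmas * pstdev(rates))


def monitor(rates, threshold, attack_over_after=3):
    """Protection phase: return, per sample, whether zone traffic is being
    diverted. Diversion starts when a rate exceeds the learned threshold
    and stops once `attack_over_after` consecutive samples are back under it,
    mirroring the 'stops diverting when the attack has ended' behaviour."""
    diverting = False
    calm = 0
    states = []
    for r in rates:
        if r > threshold:
            diverting, calm = True, 0      # anomaly: divert zone traffic
        elif diverting:
            calm += 1
            if calm >= attack_over_after:  # attack judged over
                diverting, calm = False, 0
        states.append(diverting)
    return states


if __name__ == "__main__":
    thr = tune_threshold(NORMAL_RATES)
    # Constructed live rates: two attack samples, then a return to normal.
    live = [130, 900, 1200, 140, 135, 138, 130]
    for rate, state in zip(live, monitor(live, thr)):
        print(f"rate={rate:5d}  diverting={state}")
```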
Understanding DDoS
DDoS attacks deny legitimate users access to a specific computer or network resource. Attackers launch them by sending malicious requests that degrade service, disrupt network services on servers and network devices, and saturate network links with unnecessary traffic.
This section contains the following topics:
• Understanding Spoofed Attacks
• Understanding Nonspoofed Attacks
Understanding Spoofed Attacks
A spoofed attack is a type of DDoS attack in which the packets carry a source IP address in the header that is not the actual IP address of the originating device. The spoofed source addresses can be random or can be specific, focused addresses. Spoofed attacks saturate the target site links and the target site server resources. An attacker can easily generate a high volume of spoofed traffic even from a single device.
Understanding Nonspoofed Attacks
Nonspoofed attacks (or client attacks) are mostly TCP-based with real TCP connections that can overwhelm the application level on the server rather than the network link or operating system.
Client attacks from a large number of clients (or zombies) may overwhelm the server application even without any of the individual clients creating an anomaly. The zombie programs try to imitate legitimate browsers that access the target site.
Understanding Zones
A zone that the Guard module protects can be one of the following elements:
• A network server, client, or router
• A network link, subnet, or an entire network
• An individual Internet user or a company
• An Internet Service Provider (ISP)
• Any combination of these elements
When you create a new zone, you assign a name to it and configure the zone with network addresses. The Guard module configures the zone with a default set of policies and policy thresholds to detect anomalies in the zone traffic.
The Guard module can protect multiple zones simultaneously if the network address ranges do not overlap.
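Because the Guard module can only protect multiple zones at once when their address ranges do not overlap, a practitioner will want to check a planned set of zones before creating them. The following added example (not part of the guide or of the Guard module's own tooling) does that check with the Python standard library; the zone names and prefixes are constructed, using documentation address space.

```python
"""Check that planned zone address ranges do not overlap.
Added illustration; zone names and prefixes below are constructed."""
from ipaddress import ip_network
from itertools import combinations

# Constructed zone definitions: zone name -> list of CIDR prefixes.
PLANNED_ZONES = {
    "web-farm": ["192.0.2.0/24"],
    "mail": ["198.51.100.10/32"],
    "lab": ["192.0.2.128/25"],          # sits inside web-farm: a conflict
    "partner": ["203.0.113.0/26", "203.0.113.64/26"],
}


def find_overlaps(zones):
    """Return a list of (zone_a, prefix_a, zone_b, prefix_b) tuples for
    every pair of prefixes that belong to different zones and overlap.
    strict=True makes ip_network reject prefixes with host bits set,
    which surfaces typos such as 192.0.2.1/24 before they reach the Guard."""
    nets = [(name, ip_network(prefix, strict=True))
            for name, prefixes in zones.items()
            for prefix in prefixes]
    return [(a, str(na), b, str(nb))
            for (a, na), (b, nb) in combinations(nets, 2)
            if a != b and na.overlaps(nb)]


def zones_are_disjoint(zones):
    """True when the zone set can be protected simultaneously."""
    return not find_overlaps(zones)


if __name__ == "__main__":
    for a, pa, b, pb in find_overlaps(PLANNED_ZONES):
        print(f"overlap: zone {a} ({pa}) conflicts with zone {b} ({pb})")
    print("disjoint:", zones_are_disjoint(PLANNED_ZONES))
```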
Understanding the WBM Interface
The WBM is a browser-based graphical user interface (GUI) that provides access to Guard module configuration and management functions. Providing a subset of the CLI functionality, the WBM allows you to create and modify zone configurations, manage zone protection, and monitor Guard module and zone operations. Some features of the Guard module, mostly related to the initial installation and configuration of the Guard module, can only be configured using the CLI and cannot be configured using the WBM. See the Cisco Anomaly Guard Module Configuration Guide for information about using the CLI.
This section contains the following topics:
• Understanding the WBM Browser Window
• Understanding Zone Status Icons
• Understanding WBM Navigation Maps
Understanding the WBM Browser Window
Figure 1-1 and Table 1-1 describe the sections of the WBM window.
Figure 1-1 WBM Screen Sections

Table 1-1 WBM Window Sections
Section | Function
1 | Main Menu Bar—Displays the main menu for the link that is selected in the navigation pane. The WBM displays one of the following two menu bars in this section:
    • Guard Summary menu—Provides access to the following Guard module statistical and configuration options:
      – Guard module status and diagnostic tools
      – List of defined zones
      – User profile manager
      To view the Guard module summary menu, click Guard Summary in the navigation pane (3).
    • Zone main menu—Provides access to detailed zone information and configuration options.
      To view the zone-specific menu, click on a zone that is listed in the navigation area (3).
2 | Navigation Path—Displays the path to the location of the screen that is displayed in the work area (5). To navigate to a specific section of the path, click the desired section of the path.
3 | Navigation Area—Displays the list of links to the Guard summary screen and the zone status screens. Click a link from the list to display the relevant status information in the work area (5). The selected navigation area link is highlighted with a white frame.
    To resize the navigation area, drag the frame bar between the navigation and the display areas.
4 | Information Area—Displays information on the username and privilege level of the current user and provides the following links:
    • Home—Returns you to the Guard Summary screen.
    • Enable—Moves you between user privilege levels.
    • Logout—Closes the WBM session (the System Login screen appears).
    • About—Displays WBM software information, which includes the software version number, system serial number, and software licensing agreement.
    • Cisco Systems icon—Provides a link to the homepage of the Guard module on cisco.com.
5 | Work Area—Displays the information that you choose. To resize the work area, drag the frame bar between the navigation and work areas.
Understanding Zone Status Icons
The WBM uses icons to represent the current status of a zone. The status icons appear in the navigation area and in the zone status bar. Table 1-2 describes what each of the status icons represents.
Table 1-2 Zone Status Icons
Icon | Status
(icon) | Zone is inactive. The Guard module is not learning zone traffic or monitoring zone traffic for anomalies.
(icon) | Zone is active and in a phase of the learning process. The Guard module is performing either the policy construction phase or the threshold tuning phase of the learning process.
(icon) | Zone is active. The Guard module is either monitoring zone traffic for anomalies or it is monitoring zone traffic for anomalies and learning the zone traffic at the same time.
(icon) | Zone is active. The Guard module is monitoring an attack on the zone and new zone protection recommendations are available that require your attention.
Understanding WBM Navigation Maps
You can navigate in the screen hierarchy by using either the menus or the navigation path (see section 2 in Table 1-1). The selection items in the menus have a drop-down list. The selection items that are not available in the current view are grayed out.
The tables in this section map the links that are available from the two WBM menu bars:
• Guard Summary menu—Provides access to general Guard module statistical and configuration tools. To view the Guard Summary menu, click Guard Summary in the navigation area or click Home in the Information area. Table 1-2 provides a map of the Guard Summary menu levels.
Table 1-2 Guard Summary Menu
Level 1 | Level 2 | Level 3
Main | Summary |
 | Protect IP |
Diagnostics | Counters | Guard counters
 | | Real-time counters
 | Event log |
Zones | Zone list |
 | Create zone |
 | Template list |
 | Compare zone policies |
Users | User list |
 | Create user |
 | Change password |
• Zone menu—Provides access to zone-specific statistical and configuration tools. To view the zone menu, click on the desired zone listed in the navigation area. Table 1-3 provides a map of the zone menu levels.
Table 1-3 Zone Menu
Level 1 | Level 2 | Level 3
Main | Summary |
 | Create zone |
 | Save as . . . |
Diagnostics | Counters | Zone Counters
 | | Real-time counters
 | Event log |
 | Attack reports | Attack Summary
 | | HTTP Zombies
 | Statistics | Policy statistics
 | | Drop Statistics
 | Packet-Dump | Start Packet-Dump
 | | Stop Packet-Dump
 | | Packet-Dump List
Protection | Protect |
 | Deactivate |
 | Dynamic Filters |
 | Recommendations |
Learning | Construct Policies |
 | Tune Thresholds |
 | Deactivate |
 | Stop Learning |
 | Accept |
 | Snapshot |
 | Snapshot List |
Configuration | General |
 | Filters | User Filters
 | | Bypass Filters
 | | Flex-Content Filters
 | Policy Templates | View
 | | Add Service
 | | Remove Service
 | Policies | View
 | | Compare Policies
 | Learning Parameters |