Zone Traffic Learning and Policy Construction
This chapter describes how to create traffic-tailored policies for zones on the Cisco Traffic Anomaly Detector using the Web-Based Management (WBM).
This chapter includes the following sections:
• Overview
• Zone Traffic Learning (constructing policies and tuning policy thresholds using the learning processes)
• Zone Policies
• Snapshot and Compare Policies (a mechanism used to verify the learning process outcome)
• Accepting Policy Parameters Selectively
Overview
The policies are the mechanisms that measure a particular traffic flow and take action against the flow as a result of threshold violation. This action could be either a Guard remote-activation or recording the event in the Detector syslog. The detection policies are constructed from policy templates.
A policy template is a collection of guiding rules used during the learning phases to construct the zone's policies.
The learning process consists of two phases, during which the Detector learns the zone's traffic and adapts itself to its particular characteristics:
1. The Policy Construction Phase—In this phase the zone policies are created using the Detector policy templates. Traffic flows transparently through the Detector, enabling it to discover the main services used by the zone.
2. The Threshold Tuning Phase—In this phase the policies are tuned to fit the traffic rates of the zone's services. Traffic flows transparently through the Detector, enabling it to tune the thresholds for the services discovered in the policy construction phase.
During this process, the Detector learns the zone's traffic characteristics and acquires a baseline against which to compare zone traffic and trace any anomalies that might, in turn, prove malicious.
After the policies are created, you may change policy parameters such as thresholds and services.
The action taken by the policies could be either a Guard remote-activation or recording the event in the Detector syslog.
For a comprehensive review of the learning process, refer to Chapter 4, "Zone Configurations," in the Cisco Traffic Anomaly Detector User Guide.
Zone Traffic Learning
During the learning phases, the Detector learns the zone's traffic characteristics. The results of this stage are translated into detection policies, which instruct the Detector's detection system how to regard the zone's traffic flows.
Note
For the learning phases to take place, port mirroring must be configured on the switch, or the Detector must be connected to a router using an optical splitter.
The Detector's tools for constructing detection policies are the policy templates. These define the types of zone policies to be created according to traffic characteristics. The policy templates also define the Maximum Services and Minimum Threshold for each service policy in accordance with the guiding parameters provided (see "Advanced Zone Procedures" for further details).
Figure 6-1 Zone Learning Menu
Constructing Policies
To initiate Learning Phase 1—Policy Construction:
From the Zone's main menu, select Learning > Construct Policies.
Note
We recommend letting the Learning Phase 1—Policy Construction continue for at least two hours prior to proceeding to the next phase.
After a sufficient period of time, end the Policy Construction phase.
Terminating the Policy Construction Phase
After a sufficient period of time (see the note above), end the learning process. You may then decide how to handle the newly constructed policies.
To accept the Detector's suggested policies:
From the Zone's menu, select Learning > Accept (see Figure 6-1).
In this case, the Detector erases its previously learned policies and thresholds.
Note
After accepting the newly constructed policies, you may manually add or remove policies or change the policy parameters. See the "Adding a Service", "Removing a Service" and "Configuring the Operational Parameters" sections for further details.
To accept the Detector's suggested policies selectively, see the "Accepting Policy Parameters Selectively" section.
To reject the Detector's suggested policies:
From the Zone's menu, select Learning > Abort (see Figure 6-1).
In this case, the Detector stops the process and erases all its learned data. As a result, the Detector falls back to its default settings (in the case of a new zone) or to the zone traffic configuration it had before the learning was aborted.
To view the learning process outcomes prior to making a decision:
Use the snapshot procedure (see the "Snapshot" section in this chapter for further details).
Tuning Thresholds
During the threshold-tuning phase, the Detector further analyses the zone traffic and defines thresholds for the policies constructed in the policy-construction phase.
The policy operational parameters, timeout and action, are configured by default. You may change the configuration of the policy operational parameters.
To initiate Learning Phase 2—Threshold Tuning:
From the Zone's main menu, select Learning > Tune Threshold.
Note
It is recommended to run the threshold-tuning phase for a minimum of 24 hours.
Terminating the Threshold Tuning Phase
After a sufficient period of time (see the note above), end the learning process. You may then decide how to handle the newly tuned thresholds.
To accept the Detector's suggested policies:
From the Zone's main menu, select Learning > Accept (see Figure 6-1).
In this case, the Detector erases its previously learned thresholds.
Note
After accepting the new thresholds, you may manually change the policy parameters. See the "Configuring the Operational Parameters" section for further details.
To accept the Detector's suggested policies selectively, see the "Accepting Policy Parameters Selectively" section.
To reject the Detector's suggested policies:
From the Zone's main menu, select Learning > Abort (see Figure 6-1).
In this case, the Detector stops the threshold-tuning phase, keeps the results of the policy construction phase and retains the thresholds it had before. The result is that newly constructed policies carry thresholds obtained from past traffic characteristics.
To view the learning process outcomes prior to making a decision:
Use the snapshot procedure (see the "Snapshot" section in this chapter for further details).
Zone Policies
Overview
The Detector policy structure consists of sections. Each policy section has a different role in relation to different traffic detection aspects.
To view the zone policies:
From the Zone's main menu select Configuration > Policy.
Figure 6-2 Policy Table
To navigate the tree hierarchy, click the plus icon (+) or the minus icon (-) next to the tree or branch that you want to expand or collapse. Click the plus icon (+) in the table's header to expand all policy levels.
To open the configuration window, click an item in the tree hierarchy. For example, in Figure 6-2, click 53 to open the service configuration window for the current template.
The term Policy refers to a complete policy path: <policy-template-name><Service><Level><Type><Key>. For example: dns_tcp/53/analysis/pkts/dst_ip.
The term Policy section refers to a partial policy such as <policy-template-name><Service> or <policy-template-name><Service><Level>. For example, the policy section http or dns_tcp/53.
Tree items can have one of the following statuses:
• Active—marked in bold
• Inactive—marked as grayed out
• Disabled—marked as grayed out and crossed out
Below the zone location bar, a filter bar enables you to display policies selectively according to their state (Active/Inactive/Disabled/All).
The Policy Table parameters consist of the following:
Policy Template—Indicates the policy template that was used to construct this policy.
Service—Indicates the services the policy relates to. You may add a service to better tailor the produced policies to the zone's specific services. After adding a new service, you may define the threshold manually; however, it is recommended to run the threshold-tuning phase (see the "Tuning Thresholds" section in this chapter for further details) to attune the policies to the zone's traffic. The service 'any' relates to all traffic that does not specifically match other services created from the same policy template.
Note A new service may be added to the following policy templates:
• tcp_services, udp_services—The added service designates a port number.
• other_protocols, http—The added service designates a protocol number.
Level—Indicates the detection module used to process the traffic flow (analysis).
Type—Indicates the packet type. The packet types include:
• auth_pkts—Packets that underwent either TCP handshake or UDP authentication.
• auth_tcp_pkts—Packets that underwent TCP handshake.
• auth_udp_pkts—Packets that underwent UDP authentication.
• in_nodata_conns—Zone incoming connections that have no data transfer on the connection (packets without a data payload).
• in_conns—Zone incoming connections.
• in_pkts—Zone incoming DNS query packets.
• in_unauth_pkts—Zone incoming unauthenticated DNS queries.
• out_pkts—Zone incoming DNS reply packets.
• reqs—Request packets with data payload.
• syns—Synchronization packets (TCP SYN-flagged packets).
• syn_by_fin—SYN- and FIN-flagged packets. Verifies the ratio between the number of SYN-flagged packets and the number of FIN-flagged packets.
• unauth_pkts—Packets that did not undergo TCP handshake.
• pkts—All packet types that do not fall under any other category in the same detection level.
Key—Indicates the key (traffic characteristics) that was used to aggregate the policies. Open the Type branch to view the key. The keys include:
• dst_ip—Traffic destined to a zone IP address.
• dst_ip_ratio—The ratio of SYN- and FIN-flagged packets destined to a specific IP address.
• dst_port_ratio—The ratio of SYN- and FIN-flagged packets destined to a specific port.
• global—A summation of all traffic flow as defined by the other policy sections.
• src_ip—Traffic destined to the zone aggregated according to source IP address.
• src_net—Traffic destined to the zone aggregated according to source subnet IP address.
• dst_port—Traffic destined to a specific zone port.
• protocol—Traffic destined to the zone aggregated according to protocol.
• src_ip_many_dst_ips—Traffic from a single IP destined to many zone IP addresses. This is the key used for IP scanning.
• src_ip_many_ports—Traffic from one IP destined to many zone ports. This is the key used for port scanning.
Threshold—Indicates the threshold traffic rate for a specific policy. Once violated, the policy assumes an action. The threshold is adjusted by the threshold-tuning phase of the learning procedure and can also be configured manually.
Action—Indicates the action a policy assumes as a result of a threshold violation. See the "Configuring the Operational Parameters" section below for further details.
Timeout—Indicates the time span limit (which can also be indefinite) for the policy to apply its action.
Policy Configuration
After completing the learning processes, you may wish to view specific policy operational parameters. Displaying these parameters may help you decide whether the policy operational parameters suit the zone's traffic. You may, when required, configure the policy operational parameters to better tailor the policy to the zone's traffic requirements.
To view the zone policies:
From the Zone's main menu, select Configuration > Policy.
To configure a policy or policy section:
Click the required policy in the policy tree.
Adding a Service
The new service is added to all policies that were created from the specified policy template.
To add a service to a policy:
1. Click the required policy in the Policy tree.
The Policy table is displayed.
2. Click Add Service.
The new service is defined with default values. You may define the threshold manually; however, it is recommended to run the threshold-tuning phase (see the "Tuning Thresholds" section in this chapter for further details) to attune the policies to the zone's traffic.
A new service may be added to the following policy templates:
• tcp_services, udp_services—The added service designates a port number.
• other_protocols, http—The added service designates a protocol number.
Removing a Service
You may remove a specific service relating to a desired policy template.
Caution 
Removing a service prevents the Detector policies from relating to the removed traffic service and may compromise the zone detection.
To remove a service from a policy:
1. Click the service number for the required policy in the Policy tree.
The Service table appears.
2. From the bar, click Remove Service.
Configuring the Operational Parameters
Operational Parameters Overview
Once the zone policies are constructed and the thresholds tuned, you may manually configure the policy operational parameters.
The following operational parameters may be configured:
State—Indicates the state of the policy section. These can be:
• Active—The policy is active.
• Inactive—The policy measures traffic flow but does not take action if the threshold is violated.
• Disabled—The policy is disabled.
Operation mode—Indicates the interactive status that pending dynamic filters created by the policy assume. See the "Interactive Recommendations Mode" section in "Detecting Traffic Anomalies" for further details.
Note Interactive status may be viewed and configured only for zones under detection in interactive mode.
Action—Indicates the actions a policy assumes as a result of a threshold violation. These are:
• remote-activate—A remote Guard or Guards are activated as a result of the threshold violation. The remote Guards are defined in the remote-guard list (refer to the "Default Remote Guard List" section in Chapter 3, "Detector Configuration," and the "Zone Remote Guard List" section in Chapter 4, "Zone Configuration," in the Cisco Traffic Anomaly Detector User Guide for further details).
• notify—The policy notifies the user of the threshold violation.
Threshold—Indicates the threshold traffic rate for a specific policy. Once violated, the policy assumes an action to protect the zone. The threshold is measured in packets per second (pps), apart from the following policies:
• tcp_connections—measured in number of connections
• tcp_ratio—measured as a ratio
Timeout—Indicates the time span of the policy action; when it elapses, the policy terminates the action until the policy threshold is violated again.
The policy state may be configured from all policy sections.
The operational parameters action, threshold and timeout can only be configured from the key level.
Configuring the Policy State
The Detector supports the following policy states:
• Disable—The policy does not relate to the traffic flow, so no threshold is obtained. As a result, the policies will have to undergo a new learning threshold-tuning phase to ensure that correct thresholds are applied.
Note
When a policy is disabled, other policies regard its targeted traffic as theirs, so all policies have to undergo a new learning threshold-tuning phase before the policies are applied in protect mode.
• Inactivate—The policy relates to the traffic and obtains the threshold but launches no action when the threshold is violated. This frees you from the need to pass the policy through a new learning threshold-tuning phase. By default, all the Detector policies are activated.
• Activate—The policy relates to the traffic and issues an action once the threshold is violated.
Caution 
Unnecessary inactivation or disabling may prevent the Detector policies from assuming their protective role and may compromise the zone detection.
Note
You may disable a desired policy section before or after any of the Learning Phases. You may deactivate a desired policy section to prevent the policy from issuing actions regarded as unwanted.
Note
Running the policy-construction phase after disabling a policy might result in the policy reconfiguration according to traffic flow. This could result in the policy re-activation.
The policy action, timeout and threshold may be changed at every section of the policy path. However, more policies are affected when these parameters are changed at the initial policy sections (e.g. Policy template or Port sections). Configuring these parameters at a high-level policy path hierarchy will change these parameters in all its sub-policy paths.
To change the policy state of a policy section:
1. Click on the desired policy section.
2. Click the required policy state from the policy state bar (see Figure 6-3).
Figure 6-3 Policy Table Section
The policy section table provides additional information on the state and number of policies that are constructed from the current policy section.
To configure the state of a policy (policy path), open the policy details tables. See the "Configuring the Operational Parameters" section for further details.
Configuring the Policy Operational Parameters
Once the zone policies are constructed and the thresholds tuned, you may manually configure the policy operational parameters.
To configure the operational parameters:
1. Open the policy up to the key level.
2. Click on the key of the policy to configure (for example, in Figure 6-2, click on dst_ip or global).
The Policy details tables (Figure 6-4) are displayed.
Figure 6-4 Policy Details Tables
The Policy details include three tables:
• The policy's definition—policy template, service, level, type and key
• The policy's operational parameters—state, action, threshold and timeout
• Specific IP threshold—this table is available only for specified policies (see the "Specific IP Threshold Configuration" section for further details)
To configure the operational parameters:
Click Config.
The Zone Policy Form is displayed. See the "Operational Parameters Overview" section for further information on the operational parameters.
Specific IP Threshold Configuration
If there is a known high-volume traffic source IP, you may configure a particular threshold to apply to that source IP address.
In the case of a non-homogeneous zone (that is, a zone that has more than a single IP defined) for which there is known high-volume traffic to only part of the zone, you may configure a particular threshold to apply to that destination IP address.
A specific IP threshold may be configured for policies with traffic characteristics of destination IP (dst_ip).
For these policy keys, an additional policy details table is available.
To configure a specific IP threshold:
1. Click Add.
2. Enter the IP in the IP box and the threshold in the Threshold box.
3. Click OK.
To delete a specific IP threshold:
1. Select the check box next to the specified IP address.
2. Click Delete.
Snapshot
The snapshot, along with the compare policies, is a mechanism used to verify the learning process outcome.
You may save a snapshot of the learning parameters (services, thresholds and other policy-related data) at any time during the learning phases and review it later. The file containing the snapshot's learning-phase parameters, along with the zone configuration parameters, is saved under a user-defined zone name. Thus, a new zone is created bearing the configuration and policy parameters (number of services, thresholds, action, timeout, etc.) of the zone at snapshot time.
Note
The Detector continues its Learning phases as the snapshot is taken.
To create a snapshot of the zone's learning parameters:
1. From the Zone's main menu, select Learning > Snapshot.
Note
The snapshot command is applicable only while the zone is in Learning.
2. Enter the Snapshot's name.
Note
The snapshot creates a new zone. After verifying the snapshot parameters, or comparing two snapshots, you may delete the snapshot. Alternatively, you may keep the snapshot and delete the originating zone.
See the "Compare Policies" section to compare the Policy parameters of two snapshots.
See the "Accepting Policy Parameters Selectively" section to selectively accept the snapshot parameters.
Compare Policies
You may compare the snapshot's learning parameters with the zone's learning parameters. The comparison traces differences in policies, services and thresholds, and you may define the comparator's sensitivity to differences.
In case differences are observed, you may change the base zone's policy according to the compared zone policy parameters. This provides a powerful tool that enables you to accept learnt policy parameters selectively (see the "Accepting Policy Parameters Selectively" section for further details).
To compare two learning parameter files:
1. Perform one of the following:
• From the Zone's main menu, select Configuration > Compare policies.
• From the Detector's main menu, select Zones > Compare Zone policies.
The policy comparison query window appears.
2. Enter the following parameters:
Base Zone—The name of the base zone whose learning parameters are compared. The base zone's policies may be changed according to the compared zone's policy parameters.
Compared Zone—The name of the zone or snapshot with which the base zone's learning parameters are compared.
Minimal difference—The percentage difference above which a parameter is reported; the Detector traces any parameters that differ by more than this percentage.
3. Click OK.
The policy comparison tables are displayed (see Figure 6-5).
The policy comparison consists of tables grouped into two sections. These are:
• Difference in services—The services in this section are displayed in two tables:
– Services present only in the base zone policies.
– Services missing from the base zone. These services are defined only in the compared zone.
• Difference in policy parameters—Differences in the policy operational parameters (state, action, threshold, proxy-threshold) are displayed. Each section in the table presents the differences found in a single policy. The upper row presents the policy and the operational parameters of the base zone. The lower row presents the policy and the operational parameters of the compared zone.
Figure 6-5 Policy Comparison
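As an added example (not Cisco's code, and not how the Detector itself is implemented), the following Python models the policy path structure from the "Zone Policies" overview, the rule that a parameter set at a policy section is changed in all its sub-policy paths, and the policy comparison with its Minimal difference percentage. The path format and the parameter names (state, action, threshold, timeout) are the chapter's; the classes, the reading of Minimal difference as a percentage relative to the base zone's threshold, and the two sample zones are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Sections of a complete policy path, in the chapter's order:
# <policy-template-name>/<Service>/<Level>/<Type>/<Key>
SECTIONS = ("template", "service", "level", "type", "key")
OPERATIONAL = ("state", "action", "threshold", "timeout")


@dataclass
class Policy:
    path: str                      # e.g. "dns_tcp/53/analysis/pkts/dst_ip"
    state: str = "active"          # active / inactive / disabled
    action: str = "notify"         # notify / remote-activate
    threshold: float = 0.0         # pps, connections or a ratio (see the Threshold row)
    timeout: Optional[int] = None  # None models an indefinite timeout


def parse_path(path: str) -> Dict[str, str]:
    """Split a complete policy path into its five named sections."""
    parts = path.split("/")
    if len(parts) != len(SECTIONS) or not all(parts):
        raise ValueError(f"not a complete policy path: {path!r}")
    return dict(zip(SECTIONS, parts))


class ZonePolicies:
    def __init__(self, policies: Iterable[Policy]):
        self.by_path = {p.path: p for p in policies}

    def section(self, prefix: str) -> List[Policy]:
        """Policies under a policy section (a partial path such as 'dns_tcp/53')."""
        pre = prefix.rstrip("/") + "/"
        return [p for path, p in self.by_path.items() if path.startswith(pre)]

    def configure(self, prefix: str, **params) -> int:
        """Set operational parameters at a section; the change reaches every
        sub-policy path beneath it. Returns the number of policies affected."""
        assert set(params) <= set(OPERATIONAL), f"unknown parameter in {sorted(params)}"
        hits = self.section(prefix)
        for p in hits:
            for name, value in params.items():
                setattr(p, name, value)
        return len(hits)

    def services(self) -> Set[Tuple[str, str]]:
        """(template, service) pairs defined by this zone's policies."""
        return {(s["template"], s["service"]) for s in map(parse_path, self.by_path)}


def compare(base: ZonePolicies, compared: ZonePolicies, minimal_difference: float):
    """Services only in the base zone, services missing from it, and policies whose state,
    action or threshold differ (threshold: by more than minimal_difference percent, assumed)."""
    only_in_base = sorted(base.services() - compared.services())
    missing_from_base = sorted(compared.services() - base.services())
    differences = []
    for path in sorted(base.by_path.keys() & compared.by_path.keys()):
        b, c = base.by_path[path], compared.by_path[path]
        if b.threshold:
            pct = abs(c.threshold - b.threshold) / abs(b.threshold) * 100
        else:
            pct = 0.0 if c.threshold == 0 else float("inf")
        if b.state != c.state or b.action != c.action or pct > minimal_difference:
            differences.append((path, (b.state, b.action, b.threshold),
                                (c.state, c.action, c.threshold)))
    return only_in_base, missing_from_base, differences


# Constructed sample data (not learned from real traffic): a base zone and a snapshot zone.
BASE = ZonePolicies([Policy("dns_tcp/53/analysis/pkts/dst_ip", threshold=1000),
                     Policy("dns_tcp/53/analysis/pkts/global", threshold=5000),
                     Policy("tcp_services/22/analysis/syns/dst_ip", threshold=50)])
SNAPSHOT = ZonePolicies([Policy("dns_tcp/53/analysis/pkts/dst_ip", threshold=1300),
                         Policy("dns_tcp/53/analysis/pkts/global", threshold=5200),
                         Policy("tcp_services/25/analysis/syns/dst_ip", threshold=80)])
```

With a Minimal difference of 10, `compare(BASE, SNAPSHOT, 10)` reports service 22 as present only in the base zone, service 25 as missing from it, and only the dns_tcp/53 dst_ip threshold (a 30 percent deviation) as a parameter difference.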
Accepting Policy Parameters Selectively
In case differences are observed while comparing policies, you may change the base zone's policy according to the compared zone policy parameters. This provides a powerful tool that enables you to accept learnt policy parameters selectively.
Figure 6-5 displays the policy comparison tables (see the "Compare Policies" section for further details).
The policy comparison consists of tables grouped into two sections. These are:
• Difference in services—The services in this section are displayed in two tables:
– Services present only in the base zone policies. You may choose to remove these services.
– Services missing from the base zone. These services are defined only in the compared zone. You may choose to add these services to the base zone policies.
To remove services from the base zone policies:
1. Select the check box next to the required services under Services only in <Zone-name>.
2. Click Delete.
To add these services to the base zone policies:
1. Select the check box next to the required services under Services missing from <Zone-name>.
2. Click Add.
• Difference in policy parameters—Differences in the policy operational parameters (state, action, threshold, proxy-threshold) are displayed. Each section in the table presents the differences found in a single policy. The upper row presents the policy and the operational parameters of the base zone. The lower row presents the policy and the operational parameters of the compared zone.
To copy the policy operational parameters from the compared zone to the base zone (from the lower row to the upper row):
1. Select the check box next to the required policies.
2. Click Copy Parameters.
Note
Select the checkbox at the table header to select all table entries.
Note
The snapshot procedure creates a new zone. After comparing two zones (or snapshots) and modifying the base zone policies, you may choose to delete the compared zone.