Cisco Guard Configuration Guide (Software Version 3.08)
Routine Guard Procedures

Table Of Contents

Routine Guard Procedures

Displaying an Overall Status

Displaying a Zone Status

Displaying a Protected Zone Status

Displaying the Zone Dynamic Filter

Displaying the Zone Log Status

Displaying the Guard and Zone Average Traffic Rates

Displaying the Guard Traffic Counters


Routine Guard Procedures


This chapter describes the routine operations used to verify that the Guard is functioning properly and to check the traffic status of its zones.

Verifying proper Guard operation, whether the Guard is protecting a zone, learning a zone, or idle, consists of the following routine procedures:

Displaying an Overall Status

Displaying a Zone Status

Displaying a Protected Zone Status

Displaying the Zone Dynamic Filter

Displaying the Zone Log Status

Displaying the Guard and Zone Average Traffic Rates

Displaying the Guard Traffic Counters

Each procedure consists of issuing a CLI show command and interpreting the screen that it displays.

Displaying an Overall Status

The Global-level show command displays a summary of all the Guard's zones and the state each one is in.

To display an overview of the Guard's zones perform the following:

1. From the Global command group level type the following:

admin@GUARD# show

2. Press ENTER. The following sample screen appears:

admin@GUARD# show
Zones in Auto Protection mode:
Zones in Interactive Protection mode:
        scannet
Zones in Threshold Tuning phase:
Zones in Policy Construction phase:
        mailserver
Zones in Standby:
admin@GUARD#

This screen lists the Guard's zones grouped by their current state: the protection mode they are running in (automatic or interactive), the learning phase they are in (threshold tuning or policy construction), or standby. In the sample, scannet is being protected in interactive mode and mailserver is in the policy construction phase of learning.

Displaying a Zone Status

The zone status screen gives an overall picture of a single zone. Repeat the procedure for each zone of interest.

To display the status of a zone perform the following:

1. From the Global command group level type the following:

admin@GUARD# show zone <zone-name>

Where zone-name is the name of the zone. From the zone's own command group level, type show instead (this is the form used in the sample below).

2. Press ENTER. The following sample screen appears:

admin@GUARD-conf-zone-scannet#show
Zone is under POLICY CONSTRUCTION Process
Operation Mode: INTERACTIVE
Activation start time: Oct 15 11:19:42
Description: 
Zone ID: 1006
Template: DEFAULT
Protection-End Timer: forever
RATE: 200000 BURST: 200000 UNITS: pps
FLEX-FILTER:
FLEX-FILTER ACTION: disable
FLEX-FILTER COUNTER: 0
SINGLE IP: 192.168.100.34
                    pps              bps
Received   traffic: 2139             1105470

There are no dynamic filters
There are no recommendations

**** USER FILTERS ****

Row  Src IP  Src Mask  Proto  DPort  Frg  Action           Rate  Burst  Units  RxRate (pps)
10   *                 6      80     no   basic/redirect                       N/A
20   *                 6      8080   no   basic/redirect                       N/A
100  *                 6      53     no   basic/dns-proxy                      N/A
130  *                 1      *      no   permit           300   300    pps    N/A
170  *                 *      *      yes  basic/default                        N/A

admin@GUARD-conf-zone-scannet#

The sample screen shows a zone (scannet) in the policy construction phase of learning. The Received traffic counter is greater than zero, which confirms that traffic diversion to the Guard is working and that the Guard can therefore learn the zone's traffic. A Received counter that stays at zero means no traffic is being diverted to the Guard, so learning cannot proceed; check the diversion before continuing.

Displaying a Protected Zone Status

For a protected zone, the same show command displays the split between legitimate and malicious traffic and the number of active dynamic filters.


Note The show command does not display the protected zone's bypass filters. Issue the show bypass-filters command to display them (for further details, see the "Bypass Filters" section in Chapter 9, "Advanced Filter Procedures").


To display the status of a protected zone perform the following:

1. From the Zone command group level type the following:

admin@GUARD-conf-zone-<zone-name># show

2. Press ENTER. The following sample screen appears:

admin@GUARD-conf-zone-scannet#show
Zone is PROTECTED
Operation Mode: AUTOMATIC
Activation start time: Oct 15 11:58:11
Description: On-Demand protection Zone
Zone ID: 1006
Template: DEFAULT
Protection-End Timer: forever
RATE: 200000 BURST: 200000 UNITS: pps
FLEX-FILTER:
FLEX-FILTER ACTION: disable
FLEX-FILTER COUNTER: 0
SINGLE IP: 192.168.100.34
                    pps              bps
Legitimate traffic: 2262             1316844
Malicious traffic: 11940            7323050

There are 5 dynamic filters

**** USER FILTERS ****

Row  Source IP  Source Mask  Proto  DPort  Frg  Action           Rate  Burst  Units  RxRate(pps)
10   *                       6      80     no   basic/redirect                       1919
20   *                       6      8080   no   basic/redirect                       0

... ... ...
admin@GUARD-conf-zone-scannet#

The screen columns indicate the following:

Row—The filter priority (row number).

Source IP—The source IP address the filter matches. An asterisk (*) indicates any source IP, or that more than one source IP was matched for the filter.

Source Mask—The source mask the filter matches. An asterisk (*) indicates any source mask, or that more than one source mask was matched for the filter.

Proto—The IP protocol number (for example 6 for TCP, 17 for UDP, 1 for ICMP). An asterisk (*) matches any protocol.

DPort—The destination port the filter matches. An asterisk (*) matches any port.

Frg—Whether the User filter matches fragmented traffic: yes matches fragmented traffic, no matches non-fragmented traffic, and any matches both fragmented and non-fragmented traffic.

Action—The action the User filter applies (basic/redirect, basic/dns-proxy, permit, and basic/default in the samples).

Rate—The rate to which matching traffic is limited, in the units given in the Units column.

Burst—The traffic burst that the filter allows per flow, in the units given in the Units column (bits, kilobits, kilopackets, megabits, or packets).

Units—The units in which the Rate and Burst columns are expressed.

RxRate(pps)—The current traffic rate measured for this User filter, in packets per second (pps).

Active Dynamic filters on a protected zone indicate that an attack is in progress and that the Guard is mitigating it. In the sample, 5 dynamic filters are active and the malicious rate (11940 pps) is more than five times the legitimate rate (2262 pps).

Repeat the procedure for every protected zone.
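As an added example that is not part of the Cisco guide, the following Python script parses the header lines of the zone status screens shown in this section and the previous one and applies the two reading rules given in the text: a learning zone must show a non-zero Received rate (diversion works), and active dynamic filters on a protected zone mean an attack is in progress. The sample screens are embedded as constructed input, trimmed to the lines the checks need; the dictionary layout and the wording of the findings are my own choices, not Guard conventions.

```python
import re

# Constructed input: the zone status screens shown in this section and the
# previous one, reduced to the header lines the checks below need.
LEARNING_ZONE = """\
Zone is under POLICY CONSTRUCTION Process
Operation Mode: INTERACTIVE
Activation start time: Oct 15 11:19:42
Description: 
Zone ID: 1006
Template: DEFAULT
SINGLE IP: 192.168.100.34
                    pps              bps
Received   traffic: 2139             1105470

There are no dynamic filters
There are no recommendations
"""

PROTECTED_ZONE = """\
Zone is PROTECTED
Operation Mode: AUTOMATIC
Activation start time: Oct 15 11:58:11
Description: On-Demand protection Zone
Zone ID: 1006
Template: DEFAULT
SINGLE IP: 192.168.100.34
                    pps              bps
Legitimate traffic: 2262             1316844
Malicious traffic: 11940            7323050

There are 5 dynamic filters
"""

STATE_RE = re.compile(r"^Zone is (?:under )?(.+?)(?: Process)?$")
TRAFFIC_RE = re.compile(r"^(Legitimate|Malicious|Received)\s+traffic:\s+(\d+)\s+(\d+)$")
DYN_RE = re.compile(r"^There are (no|\d+) dynamic filters$")
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s*(.*)$")


def parse_zone_status(text):
    """Parse one zone status screen into a dict.

    state           -> text after 'Zone is', e.g. 'PROTECTED' or 'POLICY CONSTRUCTION'
    traffic         -> {'received'|'legitimate'|'malicious': {'pps': n, 'bps': n}}
    dynamic_filters -> count from the 'There are N dynamic filters' line
    fields          -> the remaining 'Name: value' header lines
    """
    status = {"state": None, "traffic": {}, "dynamic_filters": 0, "fields": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if m := STATE_RE.match(line):
            status["state"] = m.group(1)
        elif m := TRAFFIC_RE.match(line):
            status["traffic"][m.group(1).lower()] = {"pps": int(m.group(2)), "bps": int(m.group(3))}
        elif m := DYN_RE.match(line):
            status["dynamic_filters"] = 0 if m.group(1) == "no" else int(m.group(1))
        elif m := FIELD_RE.match(line):
            status["fields"][m.group(1)] = m.group(2)
    return status


def check_zone(status):
    """Apply the reading rules from the guide and return a list of findings.

    Learning zone: Received must be > 0, otherwise diversion is not working.
    Protected zone: active dynamic filters mean an attack is in progress;
    zero legitimate plus malicious traffic means nothing is being diverted.
    """
    traffic = status["traffic"]

    def pps(name):
        return traffic.get(name, {}).get("pps", 0)

    findings = []
    if status["state"] == "PROTECTED":
        if status["dynamic_filters"] > 0:
            findings.append(
                f"attack in progress: {status['dynamic_filters']} dynamic filters active, "
                f"malicious {pps('malicious')} pps vs legitimate {pps('legitimate')} pps"
            )
        if pps("legitimate") + pps("malicious") == 0:
            findings.append("protected zone receives no traffic: check diversion")
    elif status["state"] is not None:  # any learning phase
        if pps("received") == 0:
            findings.append("learning zone receives no traffic: diversion not working")
    return findings


if __name__ == "__main__":
    for screen in (LEARNING_ZONE, PROTECTED_ZONE):
        status = parse_zone_status(screen)
        print(status["state"], check_zone(status) or ["ok"])
```

Feed the script the raw output captured from the CLI (for example over an SSH session) one zone at a time; the checks only look at the header lines, so the User filter table that follows is ignored.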

Displaying the Zone Dynamic Filter

The dynamic filter display gives more detail on the protection the Guard is currently applying to a zone.


Note The show zone command displays only a snapshot of the number of dynamic filters, because that number changes continuously (see the "Guard Filter System Overview" section in Chapter 9, "Advanced Filter Procedures," for further details).


To display the status of a zone's Dynamic filters perform the following:

1. From the Zone command group level type the following:

admin@GUARD-conf-zone-<zone-name># show dynamic-filters

2. Press ENTER. The following sample screen appears:

admin@GUARD-conf-zone-scannet# show dynamic-filters

**** DYNAMIC FILTERS ****

ID  Action                       ExpTime  Source IP  Source Mask  Proto  DPort  Frg  RxRate (pps)
90  to-user-filters              521      *                       1      *      no   N/A
91  to-user-filters              525      *                       6      *      no   N/A
93  to-user-filters              538      *                       17     *      no   N/A
92  to-user-filters              538      *                       17     *      no   N/A
95  block-unauthenticated-basic  540      *                       17     *      no   N/A
94  block-unauthenticated-basic  540      *                       17     *      no   N/A

admin@GUARD-conf-zone-scannet#

The screen columns indicate the following:

ID—The filter ID, which is also its priority.

Action—The action the Dynamic filter applies (to-user-filters and block-unauthenticated-basic in the sample).

ExpTime—The time remaining until the filter expires. After it expires, the filter may be removed according to a set of criteria (see the "Advanced Dynamic Filters Configuration" section in Chapter 9, "Advanced Filter Procedures," for details).

Source IP—The source IP address of the Dynamic filter's stream. An asterisk (*) indicates that the value is undetermined or that more than one value was measured for this parameter.

Source Mask—The source mask of the Dynamic filter's stream. An asterisk (*) indicates that the value is undetermined or that more than one value was measured for this parameter.

Proto—The IP protocol number of the Dynamic filter's stream (for example 6 for TCP, 17 for UDP, 1 for ICMP).

DPort—The destination port the filter matches. An asterisk (*) matches any port.

Frg—Whether the Dynamic filter matches fragmented traffic: yes matches fragmented traffic, no matches non-fragmented traffic, and any matches both fragmented and non-fragmented traffic.

RxRate(pps)—The current traffic rate measured for this Dynamic filter, in packets per second (pps).

To see the attack flow that produced each Dynamic filter, display the detailed status instead.

To display the detailed status of a zone's Dynamic filters perform the following:

1. From the Zone command group level type the following:

admin@GUARD-conf-zone-<zone-name># show dynamic-filters details

2. Press ENTER. In addition to the information displayed by the show dynamic-filters command, the Guard displays the following information for each Dynamic filter:

admin@GUARD-conf-zone-scannet#show dynamic-filters details

**** DYNAMIC FILTERS ****

ID   Action           ExpTime  Source IP  Source Mask  Proto  DPort  Frg  RxRate (pps)
101  to-user-filters  27       *                       1      *      no   N/A

Attack flow:   1    *   * 192.168.100.34 * no fragments
   Triggering rate: 8695.65        Threshold: 10.00
   Policy: other_protocols/any/analysis/pkts/protocol

The following information is detailed for each Dynamic filter:

Attack flow—The characteristics of the flow that triggered the filter. The Dynamic filter shown in the table may be broader than this attack flow: for example, a non-spoofed attack on port 80 results in a filter that blocks all TCP traffic from the originating source IP, not only port 80. The attack flow parameters are listed in the following order:

Protocol—The protocol number of the attack flow

Source IP—The source IP of the attack flow

Source Port—The source port of the attack flow

Destination IP—The destination IP of the attack flow

Destination Port—The destination port of the attack flow

Fragments—Whether the attack flow contains fragmented traffic: fragments indicates fragmented traffic, no fragments indicates non-fragmented traffic, and any indicates both fragmented and non-fragmented traffic.

Triggering Rate—The rate of the attack flow that violated the policy threshold.

Threshold—The policy threshold that the attack flow violated.

Policy—The policy that produced this Dynamic filter.

In the sample, filter 101 was produced by the other_protocols/any/analysis/pkts/protocol policy because ICMP (protocol 1) traffic to 192.168.100.34, from any source and port, was measured at 8695.65 against a threshold of 10.00.

A value of * for any of the parameters indicates one of the following:

The value is undetermined.

More than one value was measured for the attack flow parameter.

Displaying the Zone Log Status

The zone log records every action the Guard has taken on a zone; view it to verify what the Guard has been doing.

To check the zone log perform the following:

1. From the Zone command group level type the following:

admin@GUARD-conf-zone-<zone-name># show log

2. Press ENTER. The following screen appears:

admin@GUARD-conf-zone-scannet#show log
Oct 13 12:28:51 scannet, 5 zone-added: Added zone scannet with id 
1006.
Oct 13 12:30:08 scannet, 7 modules-activation: ---- Activating 
Zone ---
Oct 13 12:30:08 scannet, 7 modules-activation: Activating Rate 
Limiter.
Oct 13 12:30:08 scannet, 7 modules-activation: Activating 
Classifier
Oct 13 12:30:08 scannet, 7 modules-activation: Activating Anti 
Spoofing
Oct 13 12:30:08 scannet, 7 modules-activation: Adding Flex filter
Oct 13 12:30:08 scannet, 7 modules-activation: Adding User filters
Oct 13 12:30:08 scannet, 7 modules-activation: Adding Bypass 
filters
Oct 13 12:30:08 scannet, 7 modules-activation: Adding Analysis 
filters
Oct 13 12:30:08 scannet, 7 modules-activation: Starting 
Recognition
Oct 13 12:30:09 scannet, 5 protection-start: Zone activation 
completed successfully.
Oct 13 12:33:06 scannet, 5 attack-start: Attack started.
Oct 13 12:33:06 scannet, 6 Add-Dynamic-Filter: filter-id=1, 
filter-type=to-user-filters, 
policy=tcp_services/any/analysis/syns/dst_ip, filter-src-ip=*, 
filter-src-ip-subnet=*, filter-protocol=6, filter-src-port=* , 
filter-dest-port=* , filter-fragment=no, filter-dest-ip=*, 
attack-src-ip=*, attack-src-ip-subnet=*,attack-protocol=6, 
attack-src-port=* , attack-dest-port=* , attack-fragment=no, 
attack-dest-ip=192.168.100.34, policy-threshold=50.0, 
approximate-triggering-rate=8310.25
... ... ...
Oct 13 12:43:06 scannet, 6 Remove-Dynamic-Filter: filter-id=1, 
filter-type=to-user-filters, issued-by=timeout-expired, 
filter-src-ip=*, filter-src-ip-subnet=*, filter-protocol=6, 
filter-src-port=* , filter-dest-port=* , filter-fragment=no, 
filter-dest-ip=*Oct 13 12:43:06 scannet, 6 Remove-Dynamic-Filter: 
filter-id=2, filter-type=to-user-filters, 
issued-by=timeout-expired, filter-src-ip=*, 
filter-src-ip-subnet=*, filter-protocol=1, filter-src-port=* , 
filter-dest-port=* , filter-fragment=no, filter-dest-ip=*
... ... ...
Oct 13 12:53:07 scannet, 5 attack-ended: Attack ended.
Oct 13 14:38:11 scannet, 7 modules-deactivation: - Deactivating 
Zone --
Oct 13 14:38:11 scannet, 7 modules-deactivation: Stopping 
Recognition
Oct 13 14:38:11 scannet, 7 modules-deactivation: Removing all 
Analysis filters
Oct 13 14:38:11 scannet, 7 modules-deactivation: Removing all 
Bypass filters
Oct 13 14:38:11 scannet, 7 modules-deactivation: Removing all 
dynamic filters
Oct 13 14:38:11 scannet, 7 modules-deactivation: Removing all User 
filters
... ... ...
admin@GUARD-conf-zone-scannet#

Every zone-related Guard action is recorded in the zone log. Scanning it, you can trace the learning and protection activity for the zone: activation and deactivation of the protection modules, attack start and end, and every Dynamic filter that was added and removed, together with the policy that triggered it, the threshold it violated and the approximate triggering rate. Repeat the procedure for other zones as needed.
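As an added example that is not part of the original guide, here is a Python parser for the show log records shown above. It locates records by their timestamp prefix rather than by line breaks, because the sample output runs two Remove-Dynamic-Filter records together on one line, and it turns the key=value payload of dynamic-filter events into a dictionary so that the approximate triggering rate can be compared with the policy threshold. The sample log is assembled from the records shown above with the guide's line wrapping removed; the record and summary structures are my own design, not a Guard export format.

```python
import re
from datetime import datetime

# Constructed input: the show log records from the screen above, with the guide's
# line wrapping removed. The two Remove-Dynamic-Filter records are deliberately
# run together with no newline between them, as they appear in the sample.
SAMPLE_LOG = (
    "Oct 13 12:28:51 scannet, 5 zone-added: Added zone scannet with id 1006.\n"
    "Oct 13 12:30:09 scannet, 5 protection-start: Zone activation completed successfully.\n"
    "Oct 13 12:33:06 scannet, 5 attack-start: Attack started.\n"
    "Oct 13 12:33:06 scannet, 6 Add-Dynamic-Filter: filter-id=1, "
    "filter-type=to-user-filters, policy=tcp_services/any/analysis/syns/dst_ip, "
    "filter-src-ip=*, filter-src-ip-subnet=*, filter-protocol=6, filter-src-port=* , "
    "filter-dest-port=* , filter-fragment=no, filter-dest-ip=*, attack-src-ip=*, "
    "attack-src-ip-subnet=*,attack-protocol=6, attack-src-port=* , attack-dest-port=* , "
    "attack-fragment=no, attack-dest-ip=192.168.100.34, policy-threshold=50.0, "
    "approximate-triggering-rate=8310.25\n"
    "Oct 13 12:43:06 scannet, 6 Remove-Dynamic-Filter: filter-id=1, "
    "filter-type=to-user-filters, issued-by=timeout-expired, filter-src-ip=*, "
    "filter-src-ip-subnet=*, filter-protocol=6, filter-src-port=* , filter-dest-port=* , "
    "filter-fragment=no, filter-dest-ip=*"
    "Oct 13 12:43:06 scannet, 6 Remove-Dynamic-Filter: filter-id=2, "
    "filter-type=to-user-filters, issued-by=timeout-expired, filter-src-ip=*, "
    "filter-src-ip-subnet=*, filter-protocol=1, filter-src-port=* , filter-dest-port=* , "
    "filter-fragment=no, filter-dest-ip=*\n"
    "Oct 13 12:53:07 scannet, 5 attack-ended: Attack ended.\n"
)

# A record starts with 'Mon DD HH:MM:SS <zone>, <severity> <event>: '. Records are
# delimited by that prefix, not by newlines, so glued records are still separated.
TS = r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) +\d{1,2} \d{2}:\d{2}:\d{2}"
RECORD_RE = re.compile(
    r"(?P<ts>" + TS + r") (?P<zone>[^,\s]+), (?P<sev>\d+) (?P<event>[\w-]+): "
    r"(?P<msg>.*?)(?=" + TS + r" [^,\s]+, \d+ |\Z)",
    re.S,
)
FILTER_EVENTS = ("Add-Dynamic-Filter", "Remove-Dynamic-Filter")


def parse_fields(message):
    """Turn 'k=v, k=v,k=v' into a dict, tolerating the stray spaces before and the
    missing spaces after commas that the sample output contains."""
    fields = {}
    for part in message.split(","):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def parse_records(text):
    """Split a show log screen into records; dynamic-filter events also get their
    key=value payload parsed into rec['fields']."""
    records = []
    for m in RECORD_RE.finditer(text):
        rec = {
            "time": m.group("ts"),
            "zone": m.group("zone"),
            "severity": int(m.group("sev")),
            "event": m.group("event"),
            "message": m.group("msg").strip(),
            "fields": {},
        }
        if rec["event"] in FILTER_EVENTS:
            rec["fields"] = parse_fields(rec["message"])
        records.append(rec)
    return records


def summarize_attack(records):
    """Pair attack-start with attack-ended and list the Dynamic filters that were
    added, each with how many times its triggering rate exceeded the threshold."""
    summary = {"started": None, "ended": None, "duration_s": None, "filters": []}
    for rec in records:
        if rec["event"] == "attack-start":
            summary["started"] = rec["time"]
        elif rec["event"] == "attack-ended":
            summary["ended"] = rec["time"]
        elif rec["event"] == "Add-Dynamic-Filter":
            f = rec["fields"]
            rate = float(f["approximate-triggering-rate"])
            threshold = float(f["policy-threshold"])
            summary["filters"].append({
                "id": int(f["filter-id"]),
                "type": f["filter-type"],
                "policy": f["policy"],
                "protocol": f["filter-protocol"],
                "target": f["attack-dest-ip"],
                "excess": round(rate / threshold, 1),
            })
    if summary["started"] and summary["ended"]:
        # The log carries no year, so both stamps land in strptime's default year;
        # the difference is correct unless the attack spans a year boundary.
        fmt = "%b %d %H:%M:%S"
        delta = datetime.strptime(summary["ended"], fmt) - datetime.strptime(summary["started"], fmt)
        summary["duration_s"] = int(delta.total_seconds())
    return summary


if __name__ == "__main__":
    print(summarize_attack(parse_records(SAMPLE_LOG)))
```

The same records could be shipped to a SIEM one dictionary per line; the point of splitting on the timestamp prefix is that a line-oriented forwarder would have delivered the two glued Remove-Dynamic-Filter records as one event.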

Displaying the Guard and Zone Average Traffic Rates

The Guard can display the average traffic rates (received, forwarded to the zone, replied, and dropped) of the Guard as a whole and of any zone during learning or protection. The Guard measures the total traffic and computes the average rate; the history form shows the averages for the past 24 hours, minute by minute.


Note Issuing the show rates command when diversion is not active yields null results.

Zone rates are available only while the zone is in a learning phase or in protect mode.


To display the Guard or zone average traffic rates perform the following:

1. From the Global, Configuration, or Zone command group levels type the following:

admin@GUARD-conf-zone-<zone-name># show rates [details|history]

Issued from the Global or Configuration command group level, the command reports the traffic rates of the Guard as a whole; issued from a zone command group level, it reports the current rates of that zone.

Where:

details—(Optional) Displays the following counters:

Malicious—The malicious portion of the traffic the Guard received.

Legitimate—The legitimate portion of the traffic the Guard received.

Received—The total traffic the Guard received.

Forwarded—The traffic the Guard forwarded to its zone or zones.

Dropped—The traffic the Guard dropped.

Replied—The traffic the Guard sent as part of an authentication process.

Invalid zone—Diverted traffic that is not destined to any of the Guard's protected zones.

The rates are displayed in packets per second (pps) and bits per second (bps).

history—(Optional) Displays the Malicious and Legitimate rates for every minute of the past 24 hours, in bits per second (bps) and packets per second (pps).


Note By default, with neither keyword, only the Malicious and Legitimate rates are displayed, in bps and pps.

The Guard displays cleared to denote periods during which the zone was unprotected; no traffic is counted for these periods.


2. Press ENTER. The following sample screen appears:

admin@GUARD-conf-zone-scannet# show rates details
                    pps              bps
Legitimate traffic: 2159             1241697
Malicious  traffic: 21248            13219949
Received   traffic: 23219            14365217
Forwarded  traffic: 2159             1241697
Dropped    traffic: 13558            9282651
Replied    traffic: 7501             3840868
Invalid    zone   :   0                0

The screen counters are:

Legitimate—Legitimate traffic, destined to the zone, that the Guard forwarded to it.

Forwarded—Traffic that the Guard forwarded to the zone.

Malicious—Malicious traffic, destined to the zone, that the Guard handled. Malicious traffic is the sum of dropped packets and spoofed packets (which also include zombie packets).

Received—Total packets, destined to the zone, that the Guard handled. Received packets are the sum of legitimate and malicious traffic.

Dropped—Packets that the Guard identified as part of an attack on the zone and therefore dropped.

Replied—Packets, destined to the zone, to which the Guard sent replies to the initiating client as part of the anti-spoofing or anti-zombie mechanisms, to verify whether they belong to authentic traffic or to an attack.

Invalid zone—Packets that are destined neither to the Guard itself nor to any of its zones. This counter is displayed only when the command is issued at the Global command group level.

Following is a sample show rates history screen (newest entry first):

admin@GUARD-conf-zone-scannet# show rates history

Time                  Legitimate (pps)  Legitimate (bps)  Malicious (pps)  Malicious (bps)
Feb 23 2004 09:52:26  cleared
Feb 23 2004 09:52:20  300               231040            50               38502
Feb 23 2004 09:51:50  300               230886            50               38476
Feb 23 2004 09:50:50  295               227123            49               37849
Feb 23 2004 09:49:50  300               230873            50               38476
Feb 23 2004 09:48:50  300               230963            50               38489

admin@GUARD-conf-zone-scannet#


Note cleared marks a time at which the zone was unprotected, so no rates are recorded for that entry.


Displaying the Guard Traffic Counters

Besides average rates, the Guard keeps traffic counters for itself and for each of its zones during protection. The counters are the totals of the traffic counted, in the same categories described in the section "Displaying the Guard and Zone Average Traffic Rates".

To display the Guard or zone traffic counters perform the following:

1. From the Global, Configuration, or Zone command group levels type the following:

admin@GUARD# show counters [details |history]

Where:

details—Displays the counted traffic for the following counters: Malicious, Legitimate, Received, Forwarded, Dropped, Replied, Invalid zone. See the section "Displaying the Guard and Zone Average Traffic Rates" for a description of each counter.


Note The counters are displayed in packets and in Kbits.


history—Displays the counted traffic for every minute of the past hour for the Malicious and Legitimate counters.


Note By default, with neither keyword, the Guard displays only the Malicious and Legitimate counters.


2. Press ENTER. The following sample screen appears:

admin@GUARD# show counters details
                     Packets         Kbits
Legitimate traffic:  1671289        848658
Malicious  traffic:  251549         139034

Details:
Received   traffic:  1944740        1003596
Forwarded  traffic:  1671289        848658
Dropped    traffic:  251470         138994
Replied    traffic:  21981          15943
Invalid    zone   :  0              0
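As an added example that is not taken from the guide, the following Python parses the show rates details and show counters details screens shown in this section and the previous one into dictionaries, computes the malicious share of received traffic from the rates, and turns two successive show counters snapshots into average rates for the interval between them (the counters are cumulative totals, so a decrease between snapshots means they were reset and no delta should be computed). The second counters snapshot is constructed for the example, and the assumption that one Kbit is 1000 bits is mine; the guide does not state it.

```python
import re

# Constructed input: the show rates details and show counters details screens above.
RATES_DETAILS = """\
                    pps              bps
Legitimate traffic: 2159             1241697
Malicious  traffic: 21248            13219949
Received   traffic: 23219            14365217
Forwarded  traffic: 2159             1241697
Dropped    traffic: 13558            9282651
Replied    traffic: 7501             3840868
Invalid    zone   :   0                0
"""

COUNTERS_T0 = """\
                     Packets         Kbits
Legitimate traffic:  1671289        848658
Malicious  traffic:  251549         139034

Details:
Received   traffic:  1944740        1003596
Forwarded  traffic:  1671289        848658
Dropped    traffic:  251470         138994
Replied    traffic:  21981          15943
Invalid    zone   :  0              0
"""

# Hypothetical second snapshot taken 60 s later; the numbers are made up so that
# the per-interval rates come out equal to the show rates details sample.
COUNTERS_T1 = """\
                     Packets         Kbits
Legitimate traffic:  1800829        923160
Malicious  traffic:  1526429        932231

Details:
Received   traffic:  3349160        1871295
Forwarded  traffic:  1800829        923160
Dropped    traffic:  1064950        695953
Replied    traffic:  472041         246395
Invalid    zone   :  0              0
"""

# Every data line is '<name> traffic: <n> <n>' or 'Invalid zone : <n> <n>'.
LINE_RE = re.compile(r"^(\w+)\s+(?:traffic|zone)\s*:\s+(\d+)\s+(\d+)$")


def _parse(text, first, second):
    rows = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            rows[m.group(1).lower()] = {first: int(m.group(2)), second: int(m.group(3))}
    return rows


def parse_rates(text):
    """show rates [details] screen -> {counter: {'pps': n, 'bps': n}}."""
    return _parse(text, "pps", "bps")


def parse_counters(text):
    """show counters [details] screen -> {counter: {'packets': n, 'kbits': n}} (cumulative)."""
    return _parse(text, "packets", "kbits")


def malicious_share(rates):
    """Fraction of received packets the Guard classified as malicious; 0.0 when
    nothing is received, which is what the guide says happens without diversion."""
    received = rates["received"]["pps"]
    return rates["malicious"]["pps"] / received if received else 0.0


def counters_reset(before, after):
    """True if any counter decreased between the snapshots, i.e. the cumulative
    totals were reset (for example by a Guard restart) and a delta is meaningless."""
    return any(
        after[name]["packets"] < vals["packets"] or after[name]["kbits"] < vals["kbits"]
        for name, vals in before.items()
        if name in after
    )


def counter_delta(before, after, interval_s):
    """Average pps and bps over the interval between two show counters snapshots.
    Assumes 1 Kbit = 1000 bits (my assumption; the guide does not say)."""
    if counters_reset(before, after):
        raise ValueError("counters decreased between snapshots; totals were reset")
    rates = {}
    for name, vals in after.items():
        prev = before.get(name, {"packets": 0, "kbits": 0})
        rates[name] = {
            "pps": (vals["packets"] - prev["packets"]) / interval_s,
            "bps": (vals["kbits"] - prev["kbits"]) * 1000 / interval_s,
        }
    return rates


if __name__ == "__main__":
    print("malicious share: %.1f%%" % (100 * malicious_share(parse_rates(RATES_DETAILS))))
    print(counter_delta(parse_counters(COUNTERS_T0), parse_counters(COUNTERS_T1), 60))
```

Polling show counters at a fixed interval and running counter_delta on consecutive snapshots gives rates for whatever interval you choose, rather than the one-minute averages that show rates history provides.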