Cisco Guard Configuration Guide (Software Version 3.08)
Zone Configurations

Table Of Contents

Zone Configurations

Basic Zone Configuration

Defining a New Zone

Duplicating a Zone

Removing a Zone

Removing all Zones

Displaying Zone Templates

Entering a Zone Command Level

Describing a Zone

Defining the Zone Bandwidth

Defining the Zone IP Address

Removing a Zone's IP Address

Removing all Zone IP Addresses

Activating the Interactive Recommendation Mode

Deactivating the Interactive Recommendation Mode

Zone Traffic Learning

Learning Phase 1 - Policy Construction

Terminating Learning Phase 1 - Policy Construction

Accepting Learning Phase 1 - Policy Construction

Aborting Learning Phase 1 - Policy Construction

Learning Phase 2 - Threshold Tuning

Terminating Learning Phase 2 - Threshold Tuning

Accepting Learning Phase 2 - Threshold Tuning

Aborting Learning Phase 2 - Threshold Tuning

Learning Phase Verification

Displaying Zone Configuration File

Protecting the Zone

Protecting a Specific Zone

Zone Protection Verification

Ending the Zone Protection

Protection Termination Timer


Zone Configurations


This chapter describes the zone configuration procedures in the Guard. These procedures are required before the Guard can protect a zone. They include the following:

Basic Zone Configuration

Zone Traffic Learning (see Chapter 10, "Advanced Policy Procedures," for further details)

Protecting the Zone

Basic Zone Configuration

This section describes the initial zone configuration procedures, which set zone parameters such as the zone name, description, bandwidth, and zone IP address.

Defining a New Zone

The Guard enables the user to define a new zone based on a variety of templates.

To define a new zone, perform the following:

1. From the Configuration command group level, type the following:

admin@GUARD-conf# zone <new-zone-name> [<template>|copy-from <base-zone-name>] [interactive]

Where:

new-zone-name—A zone name string. An alphanumeric string that starts with a letter, holds no spaces, and is limited to a length of up to 63 characters. The string may contain underscores.

template—(Optional) A template that defines the zone configuration. Options are:

DEFAULT—The Guard default zone template.

TCP_NO_PROXY—A template designed for a zone for which no TCP proxy is to be used. This template may be used if the zone is moderated according to IP addresses, such as an Internet Relay Chat (IRC) server-type zone (see Chapter 10, "Advanced Policy Procedures," for further details).

Bandwidth-limited link templates—Templates designed and specifically tailored for On-Demand protection of large subnets segmented into zones with known bandwidth. Protection for the zone should be assumed for the attacked subnet or range. It is recommended to define such a zone on the Detector with a protect-ip-state of only-dest-ip (see the "Guard-protection Activation Forms" section in the Cisco Traffic Anomaly Detector User Guide for further details).

The following bandwidth-limited link templates are available for 128K, 1M, 4M, and 512K links respectively:

LINK_128K

LINK_1M

LINK_4M

LINK_512K


Note Learning Phase 1, policy construction, cannot be performed for these templates.



Note If no zone template is specified, the zone will be defined using the Guard DEFAULT zone template.


base-zone-name—(Optional) The name of an existing zone used as a template for the new zone.

interactive—(Optional) Sets the operation mode of the new zone to interactive. See Chapter 11, "Interactive Recommendations Mode," for further details.


Note Choosing ENTER directly after the new zone name defines the zone using the Guard DEFAULT zone template.


2. Choose ENTER, or type the desired options and then choose ENTER. The following sample prompt appears:

admin@GUARD-conf# zone scannet DEFAULT interactive 
admin@GUARD-conf-zone-scannet#

Duplicating a Zone

The user may duplicate a desired zone to define a new, identically configured zone.

To duplicate a zone, perform the following:

1. From the Zone command group level of the desired zone, type the following:

admin@GUARD-conf-zone-<zone-name># zone <new-zone-name> copy-from-this

Where new-zone-name is a zone name string. An alphanumeric string should start with a letter, should hold no spaces, and is limited to a length of up to 63 characters.

2. Choose ENTER. The following prompt appears:

admin@GUARD-conf-zone-scannet# zone mailserver copy-from-this 
admin@GUARD-conf-zone-mailserver#

To duplicate a zone from the Configuration command level, perform the following:

1. From the Configuration command group level, type the following:

admin@GUARD-conf# zone <new-zone-name> copy-from <base-zone-name>

Where:

new-zone-name—A zone name string. An alphanumeric string that starts with a letter, holds no spaces, and is limited to a length of up to 19 characters.

base-zone-name—An existing zone to be used as a template.

2. Choose ENTER. The following prompt appears:

admin@GUARD-conf-zone-<new-zone-name>#

Removing a Zone

The user may remove a desired zone.


Caution Removing a zone eliminates the zone's DDoS protection!

To remove a desired zone, perform the following:

1. From the Configuration command group level, type the following:

admin@GUARD-conf# no zone <zone-name>

Where zone-name is the desired zone name.

2. Choose ENTER.


Note The Guard allows an asterisk (*) as a wildcard at the end of a zone name when removing a zone. The Guard then removes all zones whose names begin with the specified string.


Removing all Zones

The user may remove all the Guard's zones.


Caution Removing all zones eliminates their DDoS protection!

To remove all zones, perform the following:

1. From the Configuration command group level, type the following:

admin@GUARD-conf# no zone *

2. Choose ENTER.

Displaying Zone Templates

The Guard enables the user to display a specific zone template or all zone templates.

To display all zone templates perform the following:

1. From the Global or the Configuration command group levels, type the following:

admin@GUARD# show templates

2. Choose ENTER. The following sample screen appears:

admin@GUARD#show templates
 DEFAULT
 LINK_1M
 LINK_4M
 LINK_128K
 LINK_512K
 TCP_NO_PROXY

To display a specific zone template, perform the following:

1. From the Configuration command group level, type the following:

admin@GUARD-conf# show templates [<template-name> [policies]]

Where:

template-name—A zone template. The Guard displays the zone templates when the policies parameter is unspecified. The zone templates are:

DEFAULT—The zone default template

TCP_NO_PROXY—A template designed for a zone for which no TCP proxy is to be used

LINK_128K—A template designed for bandwidth-limited links

LINK_1M—A template designed for bandwidth-limited links

LINK_4M—A template designed for bandwidth-limited links

LINK_512K—A template designed for bandwidth-limited links


Note By default, the list of zone templates is displayed.


policies—(Optional) Displays the zone template policies.

2. Choose the desired option and choose ENTER. The following sample screen appears:

admin@GUARD-conf# show templates DEFAULT
Zone is INACTIVE
Operation Mode: AUTOMATIC
Description:
Zone ID: 0
Template: DEFAULT
Protection-End Timer: forever
RATE: 200000 BURST: 200000 UNITS: pps
FLEX-FILTER:
FLEX-FILTER ACTION: disable

**** USER FILTERS ****

Row  Source IP  Source Mask      Proto  DPort  Frg  Action          Rate  Burst  Units  RxRate(pps)
10   *          255.255.255.255  6      80     no   basic/redirect                            N/A
20   *          255.255.255.255  6      8080   no   basic/redirect                            N/A
30   *          255.255.255.255  6      8000   no   basic/redirect                            N/A
40   *          255.255.255.255  6      8008   no   basic/redirect                            N/A

... ... ...

Entering a Zone Command Level

The user must enter a zone command level to perform zone-specific operations and procedures.

To enter a zone command level, perform the following:

1. From the Global or Configuration command group level, type the following:

admin@GUARD-conf# zone <zone-name>

Where zone-name is the desired zone name.

2. Choose ENTER. The following sample prompt line appears:

admin@GUARD-conf# zone scannet 
admin@GUARD-conf-zone-scannet#

Describing a Zone

The user may add a description to a zone for identification purposes.

To add a description to a zone, perform the following:

1. From the Zone command level, type the following:

admin@GUARD-conf-zone-<zone-name># description <string>

Where string is a string describing the zone. The string length is limited to a maximum of 80 characters.

2. Choose ENTER. The following sample prompt appears:

admin@GUARD-conf-zone-scannet# description Scannet Zone used for demonstration purposes
admin@GUARD-conf-zone-scannet#

Note To modify a zone's description repeat the zone description procedure. The new description overrides the former.


Defining the Zone Bandwidth

The Guard enables the user to define the bandwidth allowed to pass to the zone according to the traffic amount the zone can handle. The user must specify both the traffic rate-limit and the burst size.


Note It is recommended to set the bandwidth value to the highest bandwidth measured entering the zone. If unknown, leave the default bandwidth value (200000 pps).


To define the zone bandwidth, perform the following:

1. From the Zone command group level, type the following:

admin@GUARD-conf-zone-<zone-name># rate-limit {no-limit|<rate> <burst-size> <rate-units>}

Where:

no-limit—The zone is defined with no rate limit.

rate—The amount of traffic (in the units specified below) allowed to pass to the zone, specified as an integer.

burst-size—The highest traffic peak allowed to pass to the zone, specified as an integer. The units are bits, kilobits, kilopackets, megabits, or packets.

rate-units—The rate units. The units are:

bps—Bits per second

kbps—Kilobits per second

kpps—Kilopackets per second

mbps—Megabits per second

pps—Packets per second

2. Choose ENTER.

admin@GUARD-conf-zone-scannet# rate-limit 1000 2300 pps
admin@GUARD-conf-zone-scannet#

Defining the Zone IP Address

The user must define a zone IP address to enable the Guard to perform traffic learning and protection procedures.

To define the zone IP address, perform the following:

1. From the Zone command group level, type the following:

admin@GUARD-conf-zone-<zone-name># ip address <ip-addr> [<ip-mask>]

Where:

ip-addr—The zone IP address. The zone could also be a subnet.

ip-mask—(Optional) The zone IP subnet mask.

If no mask is specified the Guard assumes the default subnet mask 255.255.255.255.

2. Choose ENTER. The following prompt appears:

admin@GUARD-conf-zone-scannet# ip address 192.168.100.34
admin@GUARD-conf-zone-scannet#

Note The zone's first IP address should be defined while the zone is unprotected. However, a zone's subnet IP address or additional IP addresses may be added while the zone is in protected mode.

Repeat the zone IP address procedure for each zone IP address or subnet.


Removing a Zone's IP Address

The user may remove a desired zone IP address.


Caution Removing the zone's IP address may compromise the zone's DDoS protection!

To remove a zone's IP address, perform the following:

1. From the desired Zone command group level, type the following:

admin@GUARD-conf-zone-<zone-name># no ip address <ip-addr> [<ip-mask>]

Where:

ip-addr—The desired zone IP address. Use an asterisk (*) to remove all zone IP addresses.

ip-mask—(Optional) The zone IP subnet mask.

If no mask is specified the Guard assumes the default subnet mask 255.255.255.255.

2. Choose ENTER.

Removing all Zone IP Addresses

The user may remove all of a desired zone's IP addresses.


Caution Removing all zone IP addresses eliminates the zone DDoS protection!

To remove all the zone's IP addresses, perform the following:

1. From the desired Zone command group level, type the following:

admin@GUARD-conf-zone-<zone-name># no ip address *

2. Choose ENTER.

Activating the Interactive Recommendation Mode

The user may activate the interactive recommendations mode for any desired zone and continue to apply the procedure over a number of zones. The user may activate the interactive mode when a zone is defined, or later, either before or after initiating zone protection. The Guard enables the user to apply the interactive recommendations mode from the Configuration or from the desired zone's command group levels. See Chapter 11, "Interactive Recommendations Mode," for further details.

To activate the interactive recommendation mode, perform the following:

1. From the Zone command group level, type the following (sample):

admin@GUARD-conf-zone-<zone-name># interactive

2. Choose ENTER.

To create a new zone with interactive recommendations mode, perform the following:

1. From the Configuration command group level, type the following:

admin@GUARD-conf# zone <new-zone-name> interactive

2. Choose ENTER.

The Guard creates a new zone with the DEFAULT zone template configured for interactive recommendations mode. See the "Defining a New Zone" section for further details.

Deactivating the Interactive Recommendation Mode

The user may deactivate the interactive recommendations mode for any desired zone or zones at any time. When this mode is deactivated, the Guard disregards any pending recommendations and operates in automatic protection mode, for example by producing dynamic filters automatically. The user may deactivate the interactive recommendations mode from the desired zone's command group level. See Chapter 11, "Interactive Recommendations Mode," for further details.

To deactivate the interactive recommendation mode, perform the following:

1. From the Zone command group level, type the following (sample):

admin@GUARD-conf-zone-<zone-name># no interactive

2. Choose ENTER.

Zone Traffic Learning

As the user initializes the Learning phase (see the "Learning Phase 1 - Policy Construction" in this chapter) the Guard diverts the traffic to learn its characteristics. The results of this stage will be translated into protection policies.

The Guard's tools for constructing protection policies are the Policy Templates. These define the Guard policies according to the Minimum Threshold and Maximum Services guiding parameters the user provides (this chapter will not cover those advanced procedures, see Chapter 10, "Advanced Policy Procedures," for further details).

Once supplied with the appropriate parameters, the Guard's Policy Templates construct the protection policies based on the learned thresholds. At this stage the user is called to approve (accept) or reject the learned thresholds (see Chapter 10, "Advanced Policy Procedures," for further details).

The Learning phase consists of the following:

Learning phase 1 - Policy Construction—This is the phase in which the Guard constructs its policies with its user-defined or self-defined Policy Templates. During this phase traffic flows transparently through the Guard, enabling it to discover which services the zone uses. This chapter details a procedure that relies on the Guard's Minimum Threshold and Maximum Services default parameters (see Chapter 10, "Advanced Policy Procedures," for further details).

Learning phase 2 - Threshold Tuning—This is the phase in which the Guard tunes its protection policy thresholds to suit the zone traffic (see Chapter 10, "Advanced Policy Procedures," for further details).

Learning Phase 1 - Policy Construction


Note The user is directed through the Guard Learning phases without parameter definitions. For the Learning phases' parameter definitions refer to Chapter 10, "Advanced Policy Procedures."


To begin the first Learning phase, perform the following:

1. From the Global command group level, type the following:

admin@GUARD# learning policy-construction <zone-name>

Where zone-name is the name of the desired zone.

From the Zone command group level, type the following:

admin@GUARD-conf-zone-<zone-name># learning policy-construction

The Guard enables the use of an asterisk (*) as a wildcard denoting either of the following options:

All of the Guard's zones. Issuing learning policy-construction * sets the policy construction phase for all of the Guard's zones.

A wildcard pattern matching zone names by prefix (for example, OBL*).

2. Choose ENTER.


Note We recommend letting the Learning Phase 1 - Policy Construction continue for at least two hours prior to proceeding to the next phase.



Note Policy Construction cannot be performed for zones based on the bandwidth-limited link templates: LINK_128K, LINK_1M, LINK_4M, LINK_512K.


Terminating Learning Phase 1 - Policy Construction

After a sufficient period of time (see the note above) the user ends the Policy Construction phase, either by accepting the Guard's suggested policies or by aborting the first phase of the Learning process. If the phase is aborted, the Guard stops the process and erases all its learned data. As a result, the Guard falls back to its default settings (in the case of a new zone) or to the zone traffic configuration it had before the learning process was initiated.

The user may decide to view the learning process outcomes using the snapshot procedure prior to making a decision. See the "Zone and Learning Phase Snapshot" section in Chapter 10, "Advanced Policy Procedures," for further details.

Accepting Learning Phase 1 - Policy Construction

After a sufficient period of time (see the note above) the user ends the Policy Construction phase by accepting the Guard's suggested policies.

To accept the results of the Initial Policy Construction phase, perform the following:

1. From the Global command group level, type the following:

admin@GUARD# no learning <zone-name> accept

From the Zone command group level, type the following:

admin@GUARD-conf-zone-<zone-name># no learning accept

Where zone-name is the name of the desired zone.


Note The Guard enables the use of an asterisk (*) as a wildcard denoting either of the following options:


All of the Guard's zones. Issuing no learning * accept ends and accepts the learning phase for all of the Guard's zones.

A wildcard pattern matching zone names by prefix (for example, OBL*).

2. Choose ENTER.

Aborting Learning Phase 1 - Policy Construction

The user may decide to abort the first phase of the Learning procedure. In this case the Guard stops the process and erases all its learned data. As a result, the Guard falls back to its default settings (in the case of a new zone) or to the zone traffic configuration it had before the learning process was aborted.

To abort the Policy Construction phase, perform the following:

1. From the Global or Configuration command group levels, type the following:

admin@GUARD# no learning <zone-name> reject

From the Zone command group level, type the following:

admin@GUARD-conf-zone-<zone-name># no learning reject

Where zone-name is the name of the desired zone.


Note The Guard enables the use of an asterisk (*) as a wildcard denoting either of the following options:


All of the Guard's zones. Issuing no learning * reject aborts the learning phase for all of the Guard's zones.

A wildcard pattern matching zone names by prefix (for example, OBL*).

2. Choose ENTER.

Learning Phase 2 - Threshold Tuning

In this stage the Guard has constructed its protection policies and begins to improve its traffic type thresholds (see Chapter 10, "Advanced Policy Procedures," for further details).

To begin the second learning phase, perform the following:

1. From the Global command group level, type the following:

admin@GUARD# learning threshold-tuning <zone-name> 

From the Zone command group level, type the following:

admin@GUARD-conf-zone-<zone-name># learning threshold-tuning

Where zone-name is the name of the desired zone.


Note The Guard enables the use of an asterisk (*) as a wildcard denoting either of the following options:


All of the Guard's zones. Issuing learning threshold-tuning * sets the threshold tuning phase for all of the Guard's zones.

A wildcard pattern matching zone names by prefix (for example, OBL*).

2. Choose ENTER.


Note We recommend letting the Learning Phase 2 - Threshold Tuning continue for twenty-four hours prior to the phase ending.


Terminating Learning Phase 2 - Threshold Tuning

After a sufficient period of time (see the above note) the user ends the Threshold Tuning phase.

The user may accept the Guard's suggested policies by issuing the no learning command with the accept option.

The user may decide to abort the second phase of the Learning process by issuing the no learning command with the reject option. The Guard would stop the Threshold Tuning phase and adopt the Policy Construction Phase results and the former thresholds the Guard has. This results in a situation in which newly constructed policies have thresholds that were obtained according to past traffic characteristics.

The user may decide to view the learning process outcomes using the snapshot procedure prior to making a decision. See the "Zone and Learning Phase Snapshot" section in Chapter 10, "Advanced Policy Procedures," for further details.

Accepting Learning Phase 2 - Threshold Tuning

After a sufficient period of time (see the above note) the user ends the Threshold Tuning phase.

To end the Threshold Tuning phase, perform the following:

1. From the Global command group level, type the following:

admin@GUARD# no learning <zone-name> accept

From the Zone command group level, type the following:

admin@GUARD-conf-zone-<zone-name># no learning accept

Where zone-name is the name of the desired zone.


Note The Guard enables the use of an asterisk (*) as a wildcard denoting either of the following options:


All of the Guard's zones. Issuing no learning * accept accepts the learning phase results for all of the Guard's zones.

A wildcard pattern matching zone names by prefix (for example, OBL*).

2. Choose ENTER.

The Guard is now tuned to the zone traffic characteristics and ready to protect the zone (a procedure launched by issuing the protect command).

Aborting Learning Phase 2 - Threshold Tuning

The user may wish to abort the second phase of the learning procedure. In this case the Guard stops the process and erases the data learned on the second phase. The data gathered on the first learning phase and on the previous learning phase 2 remain unchanged. This results in a situation in which newly constructed policies have thresholds that were obtained according to past traffic characteristics.

To abort the second Learning phase, perform the following:

1. From the Global command group level, type the following:

admin@GUARD# no learning <zone-name> reject

From the Zone command group level, type the following:

admin@GUARD-conf-zone-<zone-name># no learning reject

Where zone-name is the name of the desired zone.


Note The Guard enables the use of an asterisk (*) as a wildcard denoting either of the following options:


All of the Guard's zones. Issuing no learning * reject aborts the learning phase for all of the Guard's zones.

A wildcard pattern matching zone names by prefix (for example, OBL*).

2. Choose ENTER.

Learning Phase Verification

The user may wish to verify that the Learning phase has succeeded. This is done by setting the Guard to protect the zone after it completes its learning phases. Success is indicated by the Guard receiving and forwarding packets, which also indicates that the diversion process is functioning (see Appendix B, "Diversion Troubleshooting," for further details).

To verify the status of the Learning Phase, perform the following:

1. From the Zone command group level, type the following:

admin@GUARD-conf-zone-<zone-name># protect

2. From the Zone command group level, type the following:

admin@GUARD-conf-zone-<zone-name># show counters details

3. Choose ENTER. The following sample screen appears:

admin@GUARD-conf-zone-scannet# show counters details
                    Packets          KBits
Legitimate traffic: 7240             4072
Malicious  traffic: 0                0

Details:
Received   traffic: 7240             4072
Forwarded  traffic: 7240             4072
Dropped    traffic: 0                0
Replied    traffic: 0                0
Spoofed    traffic: 0                0
Invalid    zone   : 0                0

The sample screen indicates that legitimate traffic is flowing to the Guard. Since it detected no malicious traffic (the Dropped and Replied counters display zero) all the received traffic is forwarded over to the zone. This also indicates that the diversion mechanism is functioning smoothly (see the "Zone Protection Verification" section for further details).


Note If Legitimate traffic = 0 this could indicate a Diversion problem. See Appendix B, "Diversion Troubleshooting."


If the zone came under attack when the show counters details command was issued, then the screen sample would indicate the following:

admin@GUARD-conf-zone-scannet#show counters details
                    Packets          KBits
Legitimate traffic: 47179            26538
Malicious  traffic: 47179            26538

Details:
Received   traffic: 94358            53076
Forwarded  traffic: 47179            26538
Dropped    traffic: 47179            26538
Replied    traffic: 0                0
Spoofed    traffic: 0                0
Invalid    zone   : 0                0

The Malicious traffic counter indicates an attack. The Details section shows the number of packets dropped because of the attack.

Displaying Zone Configuration File

The user may display a desired zone's configuration file.

To display a desired zone's configuration file, perform the following:

1. From the Zone command group level, type the following:

admin@GUARD-conf-zone-<zone-name># show running-config 

Where zone-name is the name of the desired zone.

2. Choose ENTER. The following partial sample screen appears:

admin@GUARD-conf-zone-scannet#show running-config

zone scannet DEFAULT

 protection-end-timer forever
 rate-limit 200000 200000 pps
 no flex-filter
 ip address 10.10.10.34
 no bypass-filter *
 no user-filter *
 user-filter 10 basic/redirect *  6 80 no-fragments
 user-filter 20 basic/redirect *  6 8080 no-fragments
 user-filter 30 basic/redirect *  6 8000 no-fragments
 user-filter 40 basic/redirect *  6 8008 no-fragments
 ... ... ...
 policy-template udp_services 5 1.0 enabled
 policy-template tcp_connections -1 -1 enabled
 policy-template dns_udp -1 -1 enabled
 policy-template dns_tcp -1 -1 enabled
 policy-template http -1 1.0 enabled
 ... ... ...

 policy dns_tcp/53/analysis/pkts/src_ip 100.0 to-user-filters 600 active
 policy dns_tcp/53/analysis/pkts/src_net 150.0 to-user-filters 600 disabled
 policy dns_tcp/53/analysis/syns/dst_ip 20.0 to-user-filters 600 active

... ... ...
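The zone stanza shown above can be audited offline for the conditions this chapter calls out (no IP address, the default rate-limit, a forever protection-end timer, a LINK_* template). The following Python script is an added example, not code from the Cisco Guard documentation or product: it reads the layout of the partial sample screen above, and the class and function names, as well as the constructed sample configuration, are assumptions of this example.

```python
"""Audit of a zone's 'show running-config' output, for the "Displaying Zone
Configuration File" section.

Added example, not code from the Cisco Guard documentation or product. It
reads the zone stanza layout shown in this chapter and reports the conditions
the chapter itself calls out: a zone without an IP address cannot be learned
or protected, the default rate-limit of 200000 200000 pps should be replaced
by the measured zone bandwidth, 'protection-end-timer forever' means
protection must be ended manually, and the LINK_* templates cannot run
Learning Phase 1. The sample configuration is constructed for this example
(it follows the chapter's partial sample); the class and function names are
assumptions of this example.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

LINK_TEMPLATES = {"LINK_128K", "LINK_1M", "LINK_4M", "LINK_512K"}
DEFAULT_RATE_LIMIT = ("200000", "200000", "pps")


@dataclass
class ZoneConfig:
    name: str = ""
    template: str = ""
    protection_end_timer: str = ""
    no_rate_limit: bool = False
    rate_limit: Optional[Tuple[str, str, str]] = None   # (rate, burst-size, rate-units)
    ip_addresses: List[str] = field(default_factory=list)
    user_filters: List[str] = field(default_factory=list)
    policy_templates: List[str] = field(default_factory=list)


def parse_zone_config(text: str) -> ZoneConfig:
    """Extract the zone settings this audit needs; other lines (policies,
    'no ...' lines, the prompt line, '... ... ...') are skipped."""
    cfg = ZoneConfig()
    for raw in text.splitlines():
        words = raw.split()
        if not words or raw.lstrip().startswith(("admin@", "...")):
            continue
        key = words[0]
        if key == "zone" and len(words) >= 2:
            cfg.name = words[1]
            cfg.template = words[2] if len(words) >= 3 else "DEFAULT"
        elif key == "protection-end-timer" and len(words) == 2:
            cfg.protection_end_timer = words[1]
        elif key == "rate-limit":
            if words[1:] == ["no-limit"]:
                cfg.no_rate_limit = True
            elif len(words) == 4:
                cfg.rate_limit = (words[1], words[2], words[3])
        elif key == "ip" and len(words) >= 3 and words[1] == "address":
            cfg.ip_addresses.append(" ".join(words[2:]))
        elif key == "user-filter":
            cfg.user_filters.append(" ".join(words))
        elif key == "policy-template" and len(words) >= 2:
            cfg.policy_templates.append(words[1])
    return cfg


def audit_zone(cfg: ZoneConfig) -> List[str]:
    """Findings a zone owner would act on before issuing 'protect'."""
    findings = []
    if not cfg.ip_addresses:
        findings.append("no ip address: traffic learning and protection cannot run for this zone")
    if cfg.no_rate_limit:
        findings.append("rate-limit no-limit: the zone has no rate limit")
    elif cfg.rate_limit == DEFAULT_RATE_LIMIT:
        findings.append("rate-limit is the default 200000 200000 pps; set it to the highest bandwidth measured entering the zone")
    if cfg.protection_end_timer == "forever":
        findings.append("protection-end-timer forever: protection must be ended manually with 'no protect'")
    if cfg.template in LINK_TEMPLATES:
        findings.append(f"template {cfg.template}: Learning Phase 1 (policy construction) is not available")
    return findings


# Constructed sample, following the chapter's partial 'show running-config' screen.
SAMPLE_RUNNING_CONFIG = """\
admin@GUARD-conf-zone-scannet#show running-config

zone scannet DEFAULT

 protection-end-timer forever
 rate-limit 200000 200000 pps
 no flex-filter
 ip address 10.10.10.34
 no bypass-filter *
 no user-filter *
 user-filter 10 basic/redirect *  6 80 no-fragments
 user-filter 20 basic/redirect *  6 8080 no-fragments
 ... ... ...
 policy-template udp_services 5 1.0 enabled
 policy-template tcp_connections -1 -1 enabled
 policy dns_tcp/53/analysis/pkts/src_ip 100.0 to-user-filters 600 active
"""

if __name__ == "__main__":
    cfg = parse_zone_config(SAMPLE_RUNNING_CONFIG)
    print(cfg.name, cfg.template, cfg.ip_addresses, cfg.rate_limit)
    for finding in audit_zone(cfg):
        print("-", finding)
```

Run against the sample, the audit reports the default rate-limit and the forever timer; a zone built from a LINK_* template without an IP address additionally gets the no-IP-address and Learning Phase 1 findings.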

Protecting the Zone

After learning the zone traffic characteristics, the Guard is ready to protect the zone. The user may either wait for the equipment to indicate an attack before setting the Guard to protect the zone, or command the Guard to protect the zone right after completing the zone configuration. The Guard then begins diverting the zone traffic and applies its protection policies.

To protect the zone, perform the following:

1. From the Global command group level, type the following:

admin@GUARD# protect <zone-name> [<ip-address>]

From the Zone command group level, type the following:

admin@GUARD-conf-zone-<zone-name># protect

Where:

zone-name—The name of the desired zone.


Note The Guard enables the use of an asterisk (*) as a wildcard denoting either of the following options:


All of the Guard's zones. Issuing protect * initializes protection for all of the Guard's zones.

A wildcard pattern matching zone names by prefix (for example, OBL*).

ip-address—(Optional) The protected zone IP address. See the "Protecting a Specific Zone" section.

2. Choose ENTER.

Protecting a Specific Zone

The user may require the protection of an IP-specific zone that is part of a more comprehensive zone (for example, a protected network environment). The Guard is given the IP address of the IP-specific zone. Such a case could, for example, be the protection of a specific host that is part of a protected subnet.

To protect a specific zone, perform the following:

1. From the Global command group level, type the following:

admin@GUARD# protect <zone-name> <ip-addr>

Where:

zone-name—The name of the specific zone

ip-addr—The IP address of the IP-specific zone

2. Choose ENTER. The following sample screen appears:

admin@GUARD# protect scannet 192.168.5.6
creating zone scannet_192.168.5.6

The screen above shows that a new zone is created, with a name consisting of the first 30 characters of the major zone name, an underscore, and the IP address of the specific zone.


Note If a zone by the same name already exists, the Guard refers to the existing zone instead of creating another zone by the same name. An IP-specific zone is removed by the procedure described in the "Removing a Zone" section in this chapter.
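The naming rules from the "Defining a New Zone" section and the IP-specific zone name derivation described above can be checked before a command is typed. The following Python helper is an added example, not code from the Cisco Guard documentation or product: the function names and sample values are assumptions of this example, and it encodes the 63-character limit stated in "Defining a New Zone" (note that the copy-from form in "Duplicating a Zone" is documented with a 19-character limit).

```python
"""Zone name checks for the Cisco Guard CLI, for the "Defining a New Zone"
and "Protecting a Specific Zone" sections.

Added example, not code from the Cisco Guard documentation or product. It
encodes the rules stated in this chapter: a user-supplied zone name is an
alphanumeric string that starts with a letter, holds no spaces, may contain
underscores and is at most 63 characters long; an IP-specific zone created by
'protect <zone> <ip>' is named from the first 30 characters of the major zone,
an underscore and the IP address. The function names and sample values are
assumptions of this example.
"""
import re
import string
from typing import List, Optional

ZONE_NAME_MAX_LEN = 63        # limit stated for a user-supplied zone name
MAJOR_ZONE_PREFIX_LEN = 30    # characters of the major zone kept in an IP-specific zone name
TEMPLATES = {"DEFAULT", "TCP_NO_PROXY", "LINK_128K", "LINK_1M", "LINK_4M", "LINK_512K"}

_ALLOWED = set(string.ascii_letters + string.digits + "_")
_IPV4_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


def zone_name_problems(name: str) -> List[str]:
    """Return the rule violations for a user-supplied zone name (empty when acceptable)."""
    if not name:
        return ["name is empty"]
    problems = []
    if name[0] not in string.ascii_letters:
        problems.append("name must start with a letter")
    if " " in name:
        problems.append("name must not contain spaces")
    elif any(c not in _ALLOWED for c in name[1:]):
        problems.append("name may contain only letters, digits and underscores")
    if len(name) > ZONE_NAME_MAX_LEN:
        problems.append(f"name is {len(name)} characters, limit is {ZONE_NAME_MAX_LEN}")
    return problems


def is_valid_zone_name(name: str) -> bool:
    return not zone_name_problems(name)


def is_ipv4(addr: str) -> bool:
    m = _IPV4_RE.match(addr)
    return bool(m) and all(int(octet) <= 255 for octet in m.groups())


def ip_specific_zone_name(major_zone: str, ip_addr: str) -> str:
    """Name the Guard reports when 'protect <zone> <ip>' creates an IP-specific zone."""
    problems = zone_name_problems(major_zone)
    if problems:
        raise ValueError(f"invalid major zone name {major_zone!r}: " + "; ".join(problems))
    if not is_ipv4(ip_addr):
        raise ValueError(f"not an IPv4 address: {ip_addr!r}")
    return f"{major_zone[:MAJOR_ZONE_PREFIX_LEN]}_{ip_addr}"


def zone_command(new_zone: str, template: Optional[str] = None,
                 copy_from: Optional[str] = None, interactive: bool = False) -> str:
    """Build the 'zone' line for the Configuration level, rejecting names and
    templates this chapter does not allow before they reach the Guard."""
    problems = zone_name_problems(new_zone)
    if problems:
        raise ValueError("; ".join(problems))
    if template is not None and copy_from is not None:
        raise ValueError("a zone is created from a template or from an existing zone, not both")
    if template is not None and template not in TEMPLATES:
        raise ValueError(f"unknown template {template!r}")
    if copy_from is not None and not is_valid_zone_name(copy_from):
        raise ValueError(f"invalid base zone name {copy_from!r}")
    parts = ["zone", new_zone]
    if template is not None:
        parts.append(template)
    if copy_from is not None:
        parts += ["copy-from", copy_from]
    if interactive:
        parts.append("interactive")
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed sample values, mirroring the prompts shown in this chapter.
    print(zone_command("scannet", template="DEFAULT", interactive=True))
    print(zone_command("mailserver", copy_from="scannet"))
    print(zone_name_problems("1bad name"))
    print(ip_specific_zone_name("scannet", "192.168.5.6"))
```

The Guard-generated name scannet_192.168.5.6 contains dots, so it does not satisfy the rules for a name the user types; the validator is intended for user-supplied names only, and the generated zone is referenced as-is when it is removed with no zone.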


Zone Protection Verification

The user may wish now to issue the show counters command to display the zone status to verify that the protection process is functioning properly.

To verify that the zone protection is functioning properly, perform the following:

1. From the Global, or Configuration command group levels, type the following:

admin@GUARD# show zone <zone-name> counters [details|history] 

From the Zone command group level, type the following:

admin@GUARD-conf-zone-<zone-name># show counters [details|history]

Where:

zone-name—The name of the desired zone.

details—(Optional) Displays the following counters:

Malicious—The malicious portion of the traffic the Guard received.

Legitimate—The legitimate portion of the traffic the Guard received.

Received—The total traffic the Guard received.

Forwarded—The traffic the Guard forwarded to its zone or zones.

Dropped—The traffic the Guard dropped.

Replied—The traffic the Guard sent in an authentication process.

Invalid zone—Diverted traffic that is not destined to any of the Guard's protected zones.

The counters display in packets and in Kbits units.


Note By default, with neither option specified, the Guard displays the traffic rates for the Malicious and Legitimate counters. The counters are measured in packets and in Kbits.


history—(Optional) Displays the Malicious and Legitimate counter values for every minute in the past hour. The counters are measured in packets and in Kbits.

2. Choose ENTER. The following sample screen appears (when no attack is in progress):

admin@GUARD-conf-zone-scannet#show counters details
                    Packets          KBits
Legitimate traffic: 70               820
Malicious  traffic: 0                0

Details:
Received   traffic: 70               820
Forwarded  traffic: 0                0
Dropped    traffic: 0                0
Replied    traffic: 0                0
Spoofed    traffic: 0                0
Invalid    zone   : 0                0

The sample screen indicates that all the traffic received for the zone is legitimate; since there is no indication of malicious traffic, the Guard sends all the diverted traffic on to the zone. Zone protection is functioning smoothly.
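The readings this chapter gives for the counter screens (in the "Learning Phase Verification" section and here) can be applied automatically to captured output. The following Python script is an added example, not code from the Cisco Guard documentation or product: it parses the counter table layout shown above, and the sample screens, function names and the accounting check it performs are assumptions of this example.

```python
"""Triage of 'show counters details' output, for the "Learning Phase
Verification" and "Zone Protection Verification" sections.

Added example, not code from the Cisco Guard documentation or product. It
parses the counter table layout shown in this chapter and applies the
chapter's own reading of it: Legitimate traffic of 0 may indicate a diversion
problem, a non-zero Malicious counter indicates an attack, and with no
malicious traffic all received traffic should be forwarded. The sample screens
are constructed for this example (their numbers follow the chapter's samples),
and the accounting check (received = forwarded + dropped) is an assumption of
this example.
"""
import re
from typing import Dict, List, Tuple

# Matches rows such as "Legitimate traffic: 7240   4072" and "Invalid    zone   : 0   0".
_ROW_RE = re.compile(r"^\s*(\w+)\s+(?:traffic|zone)\s*:\s*(\d+)\s+(\d+)\s*$")
_REQUIRED = ("Legitimate", "Malicious", "Received", "Forwarded", "Dropped", "Replied")


def parse_counters(screen: str) -> Dict[str, Tuple[int, int]]:
    """Map each counter name to (packets, kbits); prompt and header lines are skipped."""
    counters = {}
    for line in screen.splitlines():
        m = _ROW_RE.match(line)
        if m:
            counters[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    missing = [name for name in _REQUIRED if name not in counters]
    if missing:
        raise ValueError(f"counter rows missing from output: {missing}")
    return counters


def triage(counters: Dict[str, Tuple[int, int]]) -> List[str]:
    """Return findings in the order a reader of this chapter would check them."""
    pkts = {name: packets for name, (packets, _kbits) in counters.items()}
    findings = []
    if pkts["Legitimate"] == 0:
        findings.append("diversion: Legitimate traffic is 0, possible diversion problem (Appendix B)")
    if pkts["Malicious"] > 0:
        findings.append(f"attack: {pkts['Malicious']} malicious packets, {pkts['Dropped']} dropped")
    # Assumption of this example: every received packet is either forwarded or dropped.
    unaccounted = pkts["Received"] - pkts["Forwarded"] - pkts["Dropped"]
    if unaccounted != 0:
        findings.append(f"accounting: {unaccounted} received packets neither forwarded nor dropped")
    if not findings:
        findings.append("ok: no malicious traffic, all received traffic forwarded to the zone")
    return findings


# Constructed sample screens.
CLEAN_SCREEN = """\
admin@GUARD-conf-zone-scannet#show counters details
                    Packets          KBits
Legitimate traffic: 7240             4072
Malicious  traffic: 0                0

Details:
Received   traffic: 7240             4072
Forwarded  traffic: 7240             4072
Dropped    traffic: 0                0
Replied    traffic: 0                0
Spoofed    traffic: 0                0
Invalid    zone   : 0                0
"""

ATTACK_SCREEN = """\
admin@GUARD-conf-zone-scannet#show counters details
                    Packets          KBits
Legitimate traffic: 47179            26538
Malicious  traffic: 47179            26538

Details:
Received   traffic: 94358            53076
Forwarded  traffic: 47179            26538
Dropped    traffic: 47179            26538
Replied    traffic: 0                0
Spoofed    traffic: 0                0
Invalid    zone   : 0                0
"""

# All counters at zero: the case the chapter's note ties to a diversion problem.
NO_TRAFFIC_SCREEN = "\n".join(f"{name} traffic: 0 0" for name in _REQUIRED)

if __name__ == "__main__":
    for label, screen in (("clean", CLEAN_SCREEN), ("attack", ATTACK_SCREEN), ("no traffic", NO_TRAFFIC_SCREEN)):
        print(label, triage(parse_counters(screen)))
```

The parser deliberately raises on a screen that lacks any of the six counters it relies on, so a truncated capture is reported rather than silently triaged as clean.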


Note In case of suspecting a malfunction other than a diversion problem the user is referred to the "Traffic Blockage Problem" section in Chapter 6, "On-Demand Protection," for further details.



Note When the protect command is issued during an attack, see the "Traffic Analysis" section in Chapter 6, "On-Demand Protection," for further details.


Ending the Zone Protection

The user may wish to end the zone protection.

To end a zone's protection, perform the following:

1. From the Global command group level, type the following:

admin@GUARD# no protect <zone-name>

From the Zone command group level, type the following:

admin@GUARD-conf-zone-<zone-name># no protect

Where zone-name is the name of the desired zone.


Note The Guard enables the use of an asterisk (*) as a wildcard denoting either of the following options:


All of the Guard's zones. Issuing no protect * ends protection for all of the Guard's zones.

A wildcard pattern matching zone names by prefix (for example, OBL*).

2. Choose ENTER.

To know more about the Guard filter system, filter types, and filter configuration refer to Chapter 9, "Advanced Filter Procedures."

Protection Termination Timer

The Guard determines whether an attack has ended by checking whether dynamic filters are still being added. If no new filter is added for a predefined span of time, the Guard terminates the protection. The user may set this timeout to a number of seconds or to forever.

To define the protection termination time span, perform the following:

1. From the Zone command group level, type the following:

admin@GUARD-conf-zone-<zone-name># protection-end-timer 
{<time-seconds>|forever}

Where:

time-seconds—The protection time span, measured in seconds

forever—An indefinite time span


Note Selecting the forever parameter means that the user will have to manually terminate the Guard protection.


2. Choose ENTER.
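The timer rule above (protection ends once no new dynamic filter has arrived for the configured span; forever means manual termination) can be modelled to predict when on-demand protection will end. The following Python script is an added example, not code from the Cisco Guard documentation or product: the function names and the filter timestamps are constructed, and it assumes the idle period is also counted from the moment protection started when no filter has yet been added.

```python
"""Protection termination timer semantics, for the "Protection Termination
Timer" section.

Added example, not code from the Cisco Guard documentation or product. It
models the rule this chapter states: the Guard ends protection once no new
dynamic filter has been added for the configured number of seconds, and with
'forever' it never ends protection on its own. It assumes the idle period is
also measured from the moment protection started when no filter has yet been
added; the filter timestamps and function names are constructed assumptions
of this example.
"""
from typing import List, Optional


def parse_protection_end_timer(value: str) -> Optional[int]:
    """'forever' -> None; otherwise the time span in seconds (a positive integer)."""
    if value == "forever":
        return None
    if not value.isdigit() or int(value) == 0:
        raise ValueError(
            f"protection-end-timer expects a positive number of seconds or 'forever', got {value!r}")
    return int(value)


def protection_end_time(protect_started_at: int, filter_added_at: List[int],
                        timer_seconds: Optional[int]) -> Optional[int]:
    """Clock time at which protection ends on its own, or None when the timer
    is 'forever' and 'no protect' must be issued by hand.

    Each dynamic filter added before the timer expires restarts the idle
    period; a filter stamped after expiry belongs to a later protection run
    and is ignored."""
    if timer_seconds is None:
        return None
    last_activity = protect_started_at
    for added_at in sorted(filter_added_at):
        if added_at - last_activity >= timer_seconds:
            break
        last_activity = added_at
    return last_activity + timer_seconds


def protection_timeline(protect_started_at: int, filter_added_at: List[int],
                        timer_value: str) -> str:
    """Human-readable summary for a zone's protection-end-timer setting."""
    timer = parse_protection_end_timer(timer_value)
    end = protection_end_time(protect_started_at, filter_added_at, timer)
    if end is None:
        return "protection-end-timer forever: protection continues until 'no protect' is issued"
    return f"protection ends at t={end}s (no new dynamic filter for {timer}s)"


if __name__ == "__main__":
    # Constructed timeline: protection starts at t=0, dynamic filters at 100s, 400s and 900s.
    print(protection_timeline(0, [100, 400, 900], "600"))
    print(protection_timeline(0, [100, 800], "600"))
    print(protection_timeline(0, [100, 400, 900], "forever"))
```

With a 600-second timer and filters at 100, 400 and 900 seconds, each filter arrives within 600 seconds of the previous activity, so protection ends at 1500 seconds; with filters at 100 and 800 seconds, the second filter arrives after the timer has already expired at 700 seconds.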