Table Of Contents
Zone Creation and Configuration
Overview
What is a Zone?
The Zone "Home Page"
Zone Status Bar
Zone Traffic Summary
Zone Status Summary
Zone Recent Events
Zone Management
Creating Zones and Basic Zone Configuration
Reconfiguring a Zone
Deleting a Zone
Zone Status Icons
Zone Creation and Configuration
This chapter describes how to create and manage zones.
This chapter includes the following sections:
• Overview (What is a Zone)
• The Zone "Home Page"
• Zone Management (creating zones and basic zone configuration)
• Zone Status Icons
Overview
What is a Zone?
A zone is a network element protected by the Guard against DDoS attacks. A zone can be a network server, client or router; a network link or subnet or an entire network; an individual Internet user or a company doing business using the Internet; an Internet Service Provider (ISP), or any combination of or variant on these. The Guard can protect different zones simultaneously, as long as their network address ranges don't overlap.
A "zone" on the Guard is the definition of such a network element, configured so that the Guard can protect it from DDoS attacks. A zone on the Guard is assigned a name and is referred to by that name. A zone configuration on the Guard includes the following:
• Zone basic configuration—A zone's basic configuration includes the zone's name and description, the zone's network address and operation definitions, and basic networking characteristics such as the zone's bandwidth. See the "Zone Management" section in this chapter for further details.
• The zone's detection policy—The policies are the mechanisms that measure a particular traffic flow and take action against the flow when a threshold is violated. The protection policies are constructed from policy templates, which provide the rules for constructing them, in two learning phases (see "Protecting Zones," for further details). The action taken by a policy can range from merely notifying, to directing the traffic to the Guard's anti-spoofing or anti-zombie mechanisms, to dropping malicious traffic (see "Advanced Zone Procedures," for further details).
• The zone's filters—The zone's filters are the mechanism that directs the diverted traffic to the required protection modules. The Guard enables you to set its preferred filter configurations and thus design a variety of customized traffic direction and anti-DDoS attack mechanisms. See "Advanced Zone Procedures," for further details.
• Zone diversion—To protect the target host (zone) using the Cisco Guard, traffic destined to the host must be diverted to the Cisco Guard. This step includes configuring the traffic forwarding method for each of the zone's IP addresses. Zone diversion is configured through the Guard routing configuration and is not part of the zone configuration file. For information about zone diversion configuration, refer to Appendix A, "Diversion Configuration," in the Cisco Guard User Guide.
The Zone "Home Page"
The zone's "home page" (Figure 4-1) provides a summary of the zone's status.
To navigate to this screen, perform one of the following:
• From the navigation pane under the All Zones list, click the zone's name.
• If the zone is currently in protect mode, from the navigation pane under the Protected Zones list, click the zone's name.
• On the zone pages, select Zone from the location view.
• From the zone list (Guard Summary > Zones > Zone list), click the zone name.
The zone "home page" is divided into four sections:
• Zone status bar
• Zone traffic summary
• Zone status summary
• Zone recent events
In addition, the zone's home page has shortcuts, displayed as buttons below the zone status bar:
• Protect—Switches the zone to protection mode. This is a shortcut to selecting Protection > Protect from the Zone's main menu. This button is present only if the zone is in standby.
• Deactivate—Deactivates the zone's detection state. This is a shortcut to selecting Protection > Deactivate from the Zone's main menu. This button is present only if the zone is in protection mode.
• Report—Provides a shortcut to the current attack report. This is a shortcut to selecting Diagnostics > Attack reports from the Zone's main menu and clicking the current attack (the attack with an end time of "attack in progress"). This shortcut is available only if an attack is currently in progress. See "Zone Statistics and Diagnostics," for further details.
Figure 4-1 Zone "home page"
Zone Status Bar
The zone's status bar provides a quick reference for the zone's status. It provides details on the following:
• The zone's name.
• The zone's operation mode—The operation mode appears in brackets. It indicates whether the zone is in auto protection mode or in interactive protection mode. The operation mode is displayed only if the zone is active. See the "Zone Management" section in this chapter for further details.
• The zone's status—The zone's status indicates the zone's protection or learning mode. The zone's status can be one of the following: protected, inactive, constructing policy, and tuning thresholds. See the "Zone Status Summary" section in this chapter for further details.
• Indication of new recommendations—If the zone is in interactive mode, the zone's status bar includes an indication of new recommendations. See the "Interactive Recommendations Mode" section in "Protecting Zones," for further details.
Zone Traffic Summary
The zone's traffic summary graph displays the zone's traffic rate, in bits per second (bps), over the past two hours. Legitimate traffic passed by the Guard to the zone is displayed in green. Malicious traffic that was destined to the zone is displayed in red.
Below the graph, the following information is provided:
| Parameter | Description |
|---|---|
| Min | The minimum traffic rate in bits per second (bps) measured in the past two hours |
| Max | The maximum traffic rate in bits per second (bps) measured in the past two hours |
| Avg | The average traffic rate in bits per second (bps) measured in the past two hours |
| Cur | The current traffic rate in bits per second (bps) |
The information is displayed separately for legitimate traffic and malicious traffic.
Zone Status Summary
The zone's status summary provides the following information:
• The number of active dynamic filters. The active dynamic filters count links to the Dynamic filters page. See the "Dynamic Filters" section in "Protecting Zones," for further details.
• The number of pending dynamic filters. The number of pending dynamic filters is greater than 1 when the zone is in interactive protection mode and there are new recommendations. The pending dynamic filters count links to the recommendations page. See the "Dynamic Filters" section in "Protecting Zones," for further details on dynamic filters, and the "Interactive Recommendations Mode" section in "Protecting Zones," for further details on recommendations.
• Last attack time—The date and time of the last attack on the zone.
• Activation time—The date and time that protection was activated.
Zone Recent Events
The recent events table displays the recent events issued by the zone. These events are also displayed in the zone event log and the Guard event log. The events displayed in this table have a minimum severity level of notify.
Zone Management
Creating Zones and Basic Zone Configuration
To protect a zone against DDoS attacks, the zone's network characteristics must be configured on the Guard.
Figure 4-2 Zones Sub-menu
To create a new zone, perform one of the following:
• From the Guard's main menu select Zones > Create Zone.
• From the Guard's main menu select Zones > Zone list and click Add.
• From the Zone's main menu select Main > Create Zone.
• From the Zone's main menu select Main > Save as. This action copies the current zone basic configuration to a new zone. It is equivalent to the CLI command zone with the option copy-from-this. Refer to Chapter 4, "Zone Configuration," in the Cisco Guard User Guide for further details.
The Zone Form appears.
The zone's basic configuration includes the following:
• Name—The zone name.
• Description—A description of the zone.
• From Template—A template that defines the zone configuration. The template can be one of the following:
  – DEFAULT—The Guard default zone template.
  – TCP_NO_PROXY—A template designed for a zone for which no TCP proxy is to be used. This template may be used if the zone is moderated according to IP addresses, such as an Internet Relay Chat (IRC) server-type zone. Refer to Chapter 9, "Advanced Policy Procedures," in the Cisco Guard User Guide for further details.
  – Bandwidth Limited Link Templates—Templates designed and specifically tailored for On-Demand protection of large subnets segmented into zones with known bandwidth. Protection for the zone should be assumed for the attacked subnet or range. It is recommended to define such a zone on the Detector with a protect-ip-state of only-dest-ip (see Protect-IP state in the Cisco Traffic Anomaly Detector Web-Based Management (WBM) User Guide for further details). The following Bandwidth Limited Link templates are available, for 128K, 1M, 4M, and 512K links respectively: LINK_128K, LINK_1M, LINK_4M, LINK_512K.
  Note: Learning Phase 1, policy construction, cannot be performed for these templates.
• Operation mode—Indicates the mode used for activating the zone's dynamic filters. The mode can be one of the following:
  – Automatic—The dynamic filters are activated automatically.
  – Interactive—The interactive mode enables you to define the action taken for each dynamic filter. The dynamic filters the policies recommend appear as recommendations, and you specify whether to accept or reject each one.
  See the "Interactive Recommendations Mode" section in "Protecting Zones," for further details.
• Max. Rate—The amount of traffic (in the units specified from the drop-down list) allowed to pass to the zone. The amount is specified as an integer. Configure the value according to the traffic volume the zone can handle.
• Burst—The highest traffic peak allowed to pass to the zone. The peak is specified as an integer. The units are bits, kilobits, kilopackets, megabits, or packets, corresponding to the rate units specified from the drop-down list.
  Note: The drop-down list defines the units for both the Max. rate and the burst.
• Flex filter—(Optional) Configure the flex filter. See the "Flex Filter Configuration" section in "Advanced Zone Procedures," for further details.
• Filter Action—(Optional) Configure the flex filter action. Choose one of the following from the drop-down list:
  – disable—The flex filter is disabled.
  – count—The flex filter counts the specified flow.
  – drop—The flex filter drops the specified flow.
• Protection-end Timer—The timeout that specifies when the Guard may terminate protection. The Guard verifies whether an attack has ended by checking for added dynamic filters: if, for this span of time, no dynamic filters are in use and no new dynamic filter is added, the Guard terminates the protection. Define this timeout in seconds, or set it to infinite.
• Filter-rate termination threshold—The threshold that specifies, together with the Malicious-rate termination threshold, when the Guard may inactivate dynamic filters. Define this threshold in packets per second (pps). See the "Dynamic filter termination" note below for further details.
• Malicious-rate termination threshold—The threshold that specifies, together with the Filter-rate termination threshold, when the Guard may inactivate dynamic filters. Define this threshold in packets per second (pps). See the "Dynamic filter termination" note below for further details.
• IP address—The zone's IP address.
• Mask—The zone's address mask. Choose the address mask from the drop-down list.

Note
Dynamic filter termination
Once the dynamic filter timeout expires, the Guard inactivates the dynamic filter when one of the following applies:
• The total zone malicious traffic rate (the sum of the spoofed and dropped traffic) is less than or equal to the Malicious-rate termination threshold.
• The Filter-rate termination threshold is equal to or greater than both of the following:
  – The dynamic filter's current traffic rate
  – The dynamic filter's average traffic rate during a user-configured time span (defined by the policy's Timeout parameter)
See the sections "Configuring the Policy Operational Parameters" in "Zone Traffic Learning and Policy Construction," and "Dynamic Filter Termination" in "Protecting Zones," for further details on the dynamic filter timeout.
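The termination rules in this note and the Protection-end Timer description (no filters in use and none added for the configured span) are easy to misread when tuning thresholds, so here is an added model of them in Python. This is illustration code written for this page, not the Guard's implementation or any Cisco API; the DynamicFilter fields, the sample filters, the rates and the thresholds are all constructed, and None is used here to stand for an "infinite" Protection-end Timer.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class DynamicFilter:
    """One dynamic filter with the values the termination rule compares.
    Constructed field names; the Guard's own representation is not shown on the page."""
    name: str
    current_pps: float      # the filter's current traffic rate
    average_pps: float      # average rate over the policy's Timeout span
    timeout_expired: bool   # the dynamic filter timeout has already elapsed


def zone_malicious_rate(spoofed_pps: float, dropped_pps: float) -> float:
    """Total zone malicious traffic rate: sum of spoofed and dropped traffic."""
    return spoofed_pps + dropped_pps


def filter_may_be_inactivated(f: DynamicFilter, malicious_pps: float,
                              malicious_rate_threshold: float,
                              filter_rate_threshold: float) -> bool:
    """Rule from the note: nothing happens before the filter timeout expires;
    afterwards the filter goes when the zone's malicious rate is at or below the
    Malicious-rate threshold, OR when the Filter-rate threshold is >= both the
    filter's current and its average rate."""
    if not f.timeout_expired:
        return False
    if malicious_pps <= malicious_rate_threshold:
        return True
    return (filter_rate_threshold >= f.current_pps
            and filter_rate_threshold >= f.average_pps)


def filters_to_inactivate(filters: List[DynamicFilter], spoofed_pps: float,
                          dropped_pps: float, malicious_rate_threshold: float,
                          filter_rate_threshold: float) -> List[str]:
    """Names of the filters the rule would inactivate in the current cycle."""
    malicious = zone_malicious_rate(spoofed_pps, dropped_pps)
    return [f.name for f in filters
            if filter_may_be_inactivated(f, malicious, malicious_rate_threshold,
                                         filter_rate_threshold)]


def protection_may_end(active_filters: int, idle_seconds: float,
                       protection_end_timer: Optional[float]) -> bool:
    """Protection-end Timer: protection ends only when no dynamic filter has been
    in use, and none added, for at least the timer span. None models 'infinite'."""
    if protection_end_timer is None:
        return False
    return active_filters == 0 and idle_seconds >= protection_end_timer


# Constructed sample filters (hypothetical names and rates, in pps).
SAMPLE_FILTERS = [
    DynamicFilter("syn-flood-src-a", current_pps=50, average_pps=80, timeout_expired=True),
    DynamicFilter("udp-flood-src-b", current_pps=900, average_pps=1200, timeout_expired=True),
    DynamicFilter("http-zombie-c", current_pps=20, average_pps=30, timeout_expired=False),
]

if __name__ == "__main__":
    # Attack still heavy: only the quiet filter with an expired timeout is released.
    print(filters_to_inactivate(SAMPLE_FILTERS, spoofed_pps=700, dropped_pps=600,
                                malicious_rate_threshold=1000, filter_rate_threshold=100))
    # Attack subsided: every expired filter is released; the unexpired one stays.
    print(filters_to_inactivate(SAMPLE_FILTERS, spoofed_pps=300, dropped_pps=200,
                                malicious_rate_threshold=1000, filter_rate_threshold=100))
    print(protection_may_end(active_filters=0, idle_seconds=400, protection_end_timer=300))
```

The second scenario shows why the two thresholds are evaluated together: once the zone-wide malicious rate drops under the Malicious-rate threshold, even a filter that is still carrying 900 pps is released, so a low Malicious-rate threshold is the safer setting when individual filters must persist until the flows they match are quiet.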
Note
It is recommended to set the bandwidth value to the highest bandwidth measured entering the zone. If unknown, leave the default burst and Max. rate blank and choose the units from the drop-down list to be unlimited.
Note
After creating a zone, the zone's configuration is displayed in two tables. Additional IP addresses and subnets may be entered by clicking the Add button at the bottom of the IP table. Repeat this procedure for each of the zone's IP addresses or subnet masks.
Additional IP addresses and subnets may be entered or deleted while the zone is active.
Reconfiguring a Zone
To reconfigure an existing zone:
1. From the Zone's menu select Configuration > General.
2. Click Config.
Deleting a Zone
To delete a zone:
1. From the Guard's main menu select Zones > Zone list.
2. Select the appropriate zone check box.
3. Click Delete.
Zone Status Icons
For quick reference, each zone status is displayed by a different icon. These icons are used in the navigation pane and in the zone's status bar.
Table 4-1 Zone status icons (icon images not reproduced here)
| Icon | Description |
|---|---|
| [standby icon] | Standby zone. |
| [learning icon] | Zone in one of the learning phases. |
| [protect icon] | Zone in protect mode. |
| [recommendations icon] | Indicates that new recommendations are available for the zone. This icon is displayed in addition to the zone icon. |