Zone Traffic Learning and Policy Construction
This chapter describes how to create traffic-tailored policies for zones on the Cisco Guard using the Web-Based Management (WBM).
This chapter includes the following sections:
• Overview
• Zone Traffic Learning (constructing policies and tuning policy thresholds using the learning processes)
• Zone Policies
• Snapshot and Compare Policies (a mechanism used to verify the learning process outcome)
Overview
The policies are the mechanisms that measure a particular traffic flow and take action against the flow as a result of threshold violation. The protection policies are constructed from policy templates.
A Policy Template is a collection of policy constructing guiding rules that will be used during the learning phases to construct the zone's policies.
The learning process consists of two phases, during which the Guard learns the zone's traffic and adapts itself to its particular characteristics:
1. The Policy Construction Phase—In this phase the zone policies are created using the Guard Policy Templates. This phase consists of traffic flowing transparently through the Guard, enabling it to discover the main services used by the zone.
2. The Threshold Tuning Phase—In this phase the policies are tuned to fit the zone services traffic rates. This phase consists of traffic flowing transparently through the Guard, enabling it to tune the thresholds for the services discovered in the policy construction phase.
During this process, the Guard learns the zone's traffic characteristics to acquire a basis to which to compare zone traffic and trace any anomalies that might, in turn, become malicious.
After the policies are created, you may add and delete policies or change policy parameters such as thresholds, services, timeouts and actions.
The action taken by the policies could range from merely notifying to directing the traffic to various Guard protection mechanisms or even dropping malicious traffic.
For a comprehensive review of the learning process, refer to Chapter 5, "Zone Configurations," in the Cisco Guard User Guide.
For a comprehensive review of the policy procedures, refer to Chapter 9, "Advanced Policy Procedures," in the Cisco Guard User Guide.
Zone Traffic Learning
During the Learning phases, the Guard learns the zone's traffic characteristics. The results of this stage will be translated into protection policies. The Learning system constructs the Guard protection policies. These instruct the Guard Protection system how to regard the zone traffic flows. The Guard Learning phase begins with the Guard traffic diversion mechanisms that divert the zone routine traffic to the Guard.
Note
Diversion must be configured before the learning process is initiated.
Zone diversion is configured through the Guard routing configuration. For information on zone diversion configuration, refer to Appendix A, "Diversion Configuration," in the Cisco Guard User Guide.
The Guard's tools for constructing protection policies are the Policy Templates. These define the types of zone policies to be created according to traffic characteristics. The policy templates also define the Maximum Services and Minimum Threshold for each service policy according to the guiding parameters provided (see "Advanced Zone Procedures" for further details).
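The two learning phases can be pictured with a small simulation. The following Python is an added illustration written for this page, not the Cisco Guard's own code or algorithm: the Guard documentation names the Maximum Services and Minimum Threshold guiding parameters but does not publish how they are applied, so the rules used here (keep the most frequently seen destination ports up to the maximum, fold the rest into the 'any' service, set each threshold to the peak observed rate floored at the minimum) and the sample traffic are assumptions.

```python
# Added illustration of the two learning phases (not Cisco Guard code).
# The service-selection and threshold rules are assumptions for this page.
from collections import Counter, defaultdict

# Guiding parameters of one policy template (assumed values).
MAX_SERVICES = 3     # Maximum Services: how many distinct services a template may learn
MIN_THRESHOLD = 100  # Minimum Threshold in pps: floor for any tuned threshold

# Constructed traffic samples: (destination port, observed rate in pps) per interval.
FLOWS = [
    (80, 900), (443, 600), (80, 1200), (22, 40), (53, 300),
    (443, 750), (8080, 10), (80, 1100), (53, 250),
]


def construct_policies(samples, max_services=MAX_SERVICES):
    """Phase 1 (Policy Construction): discover the main services from the
    ports seen most often, capped at max_services. The 'any' service is
    always present and catches traffic that matches no learned service."""
    seen = Counter(port for port, _rate in samples)
    main = [port for port, _count in seen.most_common(max_services)]
    return sorted(main) + ["any"]


def tune_thresholds(services, samples, min_threshold=MIN_THRESHOLD):
    """Phase 2 (Threshold Tuning): per service, the peak rate observed over
    the tuning window, never below min_threshold. Ports outside the service
    list are accounted under 'any'."""
    peak = defaultdict(int)
    for port, rate in samples:
        service = port if port in services else "any"
        peak[service] = max(peak[service], rate)
    return {s: max(peak[s], min_threshold) for s in services}


def learn(samples):
    """Run both phases in sequence and return {service: threshold}."""
    return tune_thresholds(construct_policies(samples), samples)


if __name__ == "__main__":
    for service, threshold in learn(FLOWS).items():
        print(f"{service}: {threshold} pps")
```

Running the block on the constructed samples learns ports 53, 80 and 443 plus 'any'; the 'any' service never sees more than 40 pps, so its threshold is raised to the 100 pps minimum, which is the kind of floor that keeps a quiet service from ending up with an unusably low threshold.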
Figure 6-1 Zone Learning Menu
Constructing Policies
In this stage the zone policies are created. Zone traffic flows transparently through the Guard, enabling it to discover the main services used by the zone.
To initiate Learning Phase 1—Policy Construction:
From the Zone's main menu, select Learning > Construct Policies.
Note
We recommend letting the Learning Phase 1—Policy Construction continue for at least two hours prior to proceeding to the next phase.
After a sufficient period of time, end the Policy Construction phase.
Terminating the Policy Construction Phase
After a sufficient period of time (see the note above), end the learning process. You may decide how to handle the newly constructed policies.
To accept the Guard's suggested policies:
From the Zone's menu, select Learning > Accept (see Figure 6-1).
In this case, the Guard erases its previously learned policies and thresholds.
Note
After accepting the newly constructed policies, you may manually add or remove policies or change the policy parameters. See the "Adding a Service", "Removing a Service" and "Configuring the Operational Parameters" sections for further details.
To accept the Detector's suggested policies selectively, see the "Accepting Policy Parameters Selectively" section.
To reject the Guard's suggested policies:
From the Zone's menu, select Learning > Abort (see Figure 6-1).
In this case, the Guard stops the process and erases all its learned data. As a result, the Guard falls back into its default settings (in the case of a new zone) or to the zone traffic configurations it had prior to the learning abortion.
To view the learning process outcomes prior to making a decision:
Use the snapshot procedure (see the "Snapshot" section in this chapter for further details).
Tuning Thresholds
In this stage, the Guard further analyzes the zone traffic and defines thresholds for the policies constructed in the previous phase. The other policy operational parameters (the Timeout and Action) are set to default values; the Guard lets you configure these policy operational parameters.
To initiate Learning Phase 2—Threshold Tuning:
From the Zone's main menu, select Learning > Tune Threshold.
Note
It is recommended to run the threshold-tuning phase during traffic peak time (the busiest day) for a period of a minimum 24 hours.
Terminating the Threshold Tuning Phase
After a sufficient period of time (see the note above), end the learning process. You may decide how to handle the newly tuned thresholds.
To accept the Guard's suggested policies:
From the Zone's main menu, select Learning > Accept (see Figure 6-1).
In this case, the Guard erases its previously learned thresholds.
Note
After accepting the new thresholds, you may manually change the policy parameters. See the "Configuring the Operational Parameters" section for further details.
To accept the Detector's suggested policies selectively, see the "Accepting Policy Parameters Selectively" section.
To reject the Guard's suggested policies:
From the Zone's main menu, select Learning > Abort (see Figure 6-1).
In this case, the Guard stops the Threshold Tuning phase and keeps the Policy Construction Phase results together with the thresholds it had before. This results in a situation in which newly constructed policies have thresholds that were obtained according to past traffic characteristics.
To view the learning process outcomes prior to making a decision:
Use the snapshot procedure (see the "Snapshot" section in this chapter for further details).
Zone Policies
Overview
The Guard policy structure consists of sections. Each policy section has a different role, relating to a different aspect of traffic protection.
To view the zone policies:
From the Zone's main menu select Configuration > Policy.
Figure 6-2 Policy Table
To navigate in the tree hierarchy, click the plus icon (+) or the minus icon (-) next to the tree or branch that you want to expand or collapse. Click the plus icon (+) in the table's header to expand all policy levels.
To open the configuration window, click an item in the tree hierarchy. For example, in Figure 6-2, click 53 to open the service configuration window for the dns_tcp policy template.
The term Policy refers to a complete policy path: <policy-template-name>/<Service>/<Level>/<Type>/<Key>. For example: dns_tcp/53/analysis/pkts/dst_ip.
The term Policy section refers to a partial policy path such as <policy-template-name>/<Service> or <policy-template-name>/<Service>/<Level>. For example, the policy section http or dns_tcp/53.
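The policy path grammar just described (five components, with any shorter prefix denoting a policy section) is simple to operate on programmatically, for instance when auditing which policies a change to a section would affect. The following Python is an added example written for this page, not Cisco code; the LEVELS and KEYS vocabularies are taken from the Policy Table parameter descriptions in this chapter, and the class and function names are the example's own.

```python
# Added example (not Cisco Guard code): parse policy paths and match
# policy sections against complete policies.
from dataclasses import dataclass
from typing import List, Optional

# Vocabularies taken from the Policy Table descriptions in this chapter.
LEVELS = {"analysis", "basic", "strong"}
KEYS = {"dst_ip", "dst_ip_ratio", "dst_port_ratio", "global", "src_ip",
        "src_net", "dst_port", "protocol", "src_ip_many_dst_ips",
        "src_ip_many_ports"}
FIELDS = ("template", "service", "level", "type", "key")

# Constructed sample paths used by the demonstration below.
SAMPLE_PATHS = [
    "dns_tcp/53/analysis/pkts/dst_ip",
    "dns_tcp/53/basic/pkts/global",
    "dns_tcp/any/analysis/pkts/dst_ip",
    "http/80/strong/reqs/src_ip",
]


@dataclass(frozen=True)
class PolicyPath:
    parts: tuple

    @classmethod
    def parse(cls, text: str) -> "PolicyPath":
        parts = tuple(p for p in text.strip("/").split("/") if p)
        if not parts or len(parts) > len(FIELDS):
            raise ValueError(f"bad policy path: {text!r}")
        # Only the level and key components have a fixed vocabulary;
        # template names and services are zone-specific.
        if len(parts) >= 3 and parts[2] not in LEVELS:
            raise ValueError(f"unknown level {parts[2]!r} in {text!r}")
        if len(parts) == 5 and parts[4] not in KEYS:
            raise ValueError(f"unknown key {parts[4]!r} in {text!r}")
        return cls(parts)

    @property
    def is_complete(self) -> bool:
        """A complete policy names all five components; anything shorter
        is a policy section."""
        return len(self.parts) == len(FIELDS)

    def field(self, name: str) -> Optional[str]:
        i = FIELDS.index(name)
        return self.parts[i] if i < len(self.parts) else None

    def covers(self, other: "PolicyPath") -> bool:
        """True when this section is a prefix of `other`, i.e. configuring
        this section would affect that policy."""
        return other.parts[:len(self.parts)] == self.parts


def policies_under(section: str, paths: List[str]) -> List[str]:
    """All complete policy paths that fall under a policy section."""
    sec = PolicyPath.parse(section)
    return [p for p in paths if sec.covers(PolicyPath.parse(p))]


if __name__ == "__main__":
    print(policies_under("dns_tcp/53", SAMPLE_PATHS))
```

The section dns_tcp/53 covers the two dns_tcp/53/... policies but not dns_tcp/any/..., which is the distinction that matters when a state change is applied at the service level.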
Tree items can have one of the following statuses:
• Active—marked in bold
• Inactive—marked as grayed out
• Disabled—marked as grayed out and crossed out
Below the zone location bar, a filter bar lets you select which policies are displayed according to their state (Active/Inactive/Disabled/All).
The Policy Table parameters consist of the following:

Policy Template
    Indicates the policy template that was used to construct this policy.

Service
    Indicates the services the policy relates to. The Guard lets you add a service to better tailor the produced policies to the zone's specific services. After adding a new service, you may define the threshold manually; however, it is recommended to run the threshold-tuning phase (see the "Tuning Thresholds" section in this chapter for further details) to attune the policies to the zone's traffic.
    The service 'any' relates to all traffic that does not specifically match other services created from the same policy template.
    Note: A new service may be added to the following policy templates:
    • tcp_services, udp_services, tcp_services_ns—The added service designates a port number.
    • other_protocols—The added service designates a protocol number.

Level
    Indicates the Protection module used to process the traffic flow (analysis, basic or strong).

Type
    Indicates the packet type. The packet types include:
    • auth_pkts—Packets that underwent either TCP handshake or UDP authentication.
    • auth_tcp_pkts—Packets that underwent TCP handshake.
    • auth_udp_pkts—Packets that underwent UDP authentication.
    • in_nodata_conns—Zone incoming connections that have no data transfer on the connection (packets without a data payload).
    • in_conns—Zone incoming connections.
    • in_pkts—Zone incoming DNS query packets.
    • in_unauth_pkts—Zone incoming unauthenticated DNS queries.
    • num_sources—Number of TCP source IPs, destined to the zone, that have been authenticated by the Guard's anti-spoofing mechanisms.
    • out_pkts—Zone incoming DNS reply packets.
    • reqs—Request packets with data payload.
    • syns—Synchronization packets (TCP SYN flagged packets).
    • syn_by_fin—SYN and FIN flagged packets. Verifies the ratio between the number of SYN flagged packets and the number of FIN flagged packets.
    • unauth_pkts—Packets that did not undergo TCP handshake.
    • pkts—All packet types that do not fall under any other category in the same detection level.

Key
    Indicates the key (traffic characteristic) that was used to aggregate the policies. Open the Type branch to view the key. The keys include:
    • dst_ip—Traffic destined to a zone IP address.
    • dst_ip_ratio—The ratio of SYN and FIN flagged packets destined to a specific IP address.
    • dst_port_ratio—The ratio of SYN and FIN flagged packets destined to a specific port.
    • global—A summation of all traffic flow as defined by the other policy sections.
    • src_ip—Traffic destined to the zone, aggregated according to source IP address.
    • src_net—Traffic destined to the zone, aggregated according to source subnet IP address.
    • dst_port—Traffic destined to a specific zone port.
    • protocol—Traffic destined to the zone, aggregated according to protocol.
    • src_ip_many_dst_ips—This is the key used for IP scanning: traffic from a single IP destined to many zone IP addresses.
    • src_ip_many_ports—This is the key used for port scanning: traffic from one IP destined to many zone ports.

Threshold
    Indicates the threshold traffic rate for a specific policy. Once violated, the policy assumes an action to protect the zone. The threshold is set by default to a value appropriate for on-demand protection. It is adjusted by the threshold-tuning phase in the learning procedure, and can be manually configured.

Action
    Indicates the action a policy assumes as a result of a threshold violation. See the "Configuring the Operational Parameters" section below for further details.

Timeout
    Indicates the minimum time span for the policy to apply its action. Once the timeout expires, the Guard runs a procedure in order to determine whether or not to deactivate a dynamic filter that was produced by the policy (see the "Dynamic Filter Termination" section in "Protecting Zones," for further details).
Policy Configuration
After completing the learning processes, you may wish to view specific policy operational parameters. Displaying these parameters may help you decide whether the policy operational parameters suit the zone's traffic. You may, when required, configure the policy operational parameters to better tailor the policy to the zone's traffic requirements.
To view the zone policies:
From the Zone's main menu, select Configuration > Policy.
To configure a policy or policy section:
Click the required policy in the policy tree.
Adding a Service
The new service is added to all policies that were created from the specified policy template.
To add a service to a policy:
1. Click the required policy in the Policy tree.
   The Policy table is displayed.
2. Click Add Service.
   The new service is defined with default values. You may define the threshold manually; however, it is recommended to run the threshold-tuning phase (see the "Tuning Thresholds" section in this chapter for further details) to attune the policies to the zone's traffic.
Note
A new service may be added to the following policy templates:
• tcp_services, udp_services, tcp_services_ns—The added service designates a port number.
• other_protocols, http—The added service designates a protocol number.
Removing a Service
You may remove a specific service relating to a desired policy template.
Caution 
Removing a service prevents the Guard policies from relating to the removed traffic service and may compromise the zone protection.
To remove a service from a policy:
1. Click the service number for the required policy in the Policy tree.
   The Service table appears.
2. From the bar, click Remove Service.
Configuring the Operational Parameters
Operational Parameters Overview
Once the zone policies are constructed and the thresholds tuned, you may manually configure the policy operational parameters.
The following operational parameters may be configured:

State
    Indicates the state of the policy section. These can be:
    • Active—The policy is active.
    • Inactive—The policy measures traffic flow but does not take action if the threshold is violated.
    • Disabled—The policy is disabled.

Operation mode
    Indicates the interactive status that the pending dynamic filters created by the policy assume. See the "Interactive Recommendations Mode" section in "Protecting Zones," for further details.
    Note: Interactive status can be viewed and configured only for protected zones in interactive mode.

Action
    Indicates the action a policy assumes as a result of a threshold violation. These are:
    • block-unauthenticated—The policy adds a filter that blocks traffic that was not authenticated by the anti-spoofing mechanism.
    • filter/strong—The policy adds a filter directing the traffic to the Strong protection module mechanisms.
    • to-user-filters—The policy adds a filter directing the traffic to the user filters.
    • filter/drop—The policy adds a filter directing the traffic to the Drop protection module to be dropped.
    • notify—The policy notifies the user of the threshold violation.
    • redirect/zombie—The policy adds a filter that enhances authentication for all User filters with an action of redirect.

Threshold
    Indicates the threshold traffic rate for a specific policy. Once violated, the policy assumes an action to protect the zone. The threshold is measured in packets per second (pps) except for the following policies:
    • tcp_connections—measured in number of connections
    • tcp_ratio—measured as a ratio

Timeout
    Indicates the minimum time span for the policy to apply its action. Once the timeout expires, the Guard runs a procedure in order to determine whether or not to deactivate a dynamic filter that was produced by the policy (see the "Dynamic Filter Termination" section in "Protecting Zones," for further details).
The policy state may be configured from all policy sections.
The operational parameters action, threshold and timeout can only be configured from the key level.
Configuring the Policy State
The Guard supports the following policy states:
• Disable—The policy does not relate to the traffic flow and so no threshold is obtained. As a result, the policies will have to undergo a new learning threshold-tuning phase to ensure correct thresholds are applied for the policies.
  Note
  When a policy is disabled, other policies regard its targeted traffic as theirs, and so all policies would have to undergo a new learning threshold-tuning phase before the policies are applied in protect mode.
• Inactivate—The policy relates to the traffic and obtains the threshold but launches no action when a threshold is violated. This procedure frees you from the need to pass the policy through a new learning threshold-tuning phase. By default, all the Guard policies are activated.
• Activate—The policy relates to the traffic and issues an action once the threshold is violated.
Caution
Unnecessary inactivation or disabling may prevent the Guard policies from assuming their protective role and may compromise the zone protection.
Note
You may disable a desired policy section before or after any of the Learning Phases.
You may deactivate a desired policy section to prevent the policy from issuing actions regarded as unwanted.
Note
Running the policy-construction phase after disabling a policy might result in the policy reconfiguration according to traffic flow. This could result in the policy re-activation.
The policy action, timeout and threshold may be changed at every section of the policy path. However, more policies are affected when these parameters are changed at the initial policy sections (such as Policy template or Port sections). Configuring these parameters at a high-level policy path hierarchy will change these parameters in all its sub-policy paths.
To change the policy state of a policy section:
1. Click on the desired policy section.
2. Click the required policy state from the policy state bar (see Figure 6-3).
Figure 6-3 Policy Table Section
The policy section table provides additional information on the state and number of policies that are constructed from the viewed policy section.
To configure the policy's state, open the policy details tables. See the "Configuring the Operational Parameters" section for further details.
Configuring the Policy Operational Parameters
Once the zone policies are constructed and the thresholds tuned, you may manually configure the policy operational parameters.
To configure the operational parameters:
1. Open the policy up to the key level.
2. Click on the key of the policy to configure (for example, in Figure 6-2, click on dst_ip, global, src_ip or src_net).
   The Policy details tables (Figure 6-4) are displayed.
The Policy details include three tables:
• The policy's definition—Policy Template, service, level, type and key
• The policy's operational parameters—state, action, threshold and timeout
• Specific IP threshold—this table is available only for specified policies (see the "Specific IP Threshold Configuration" section for further details)
Figure 6-4 Policy Details Tables
To configure the operational parameters:
Click Config.
The Zone Policy Form is displayed. See the "Operational Parameters Overview" section for further information on the operational parameters.
Specific IP Threshold Configuration
If a source IP is known to generate high-volume traffic, you may configure a particular threshold to apply to that source IP address.
In a non-homogeneous zone (that is, a zone that has more than a single IP defined) for which high-volume traffic is known to reach only part of the zone, you may configure a particular threshold to apply to that destination IP address.
A specific IP threshold can be configured for policies with the traffic characteristics of source IP and source subnet that have the action drop, and for policies with the traffic characteristic of destination IP that have the actions to-user, strong, notify, or drop (that is, policies with a key of src_ip, src_net or dst_ip).
For these policy keys, an additional policy details table is available.
To configure a specific IP threshold:
1. Click Add.
2. Enter the IP in the IP box and the threshold in the Threshold box.
3. Click OK.
To delete a specific IP threshold:
1. Select the check box next to the specified IP address.
2. Click Delete.
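The Operational Parameters table (state, action, threshold in its three units, timeout) and the specific IP threshold just described all bear on the same question: what happens when one measurement arrives for a policy. The following Python is an added example written for this page, not Cisco Guard code, showing those rules combined in one evaluation; the Policy class, its field names, the Verdict result and the sample addresses are assumptions made for the illustration.

```python
# Added example (not Cisco Guard code) of how a policy's state, its
# threshold unit and a specific IP threshold combine when a measurement
# is evaluated. Class layout and sample values are assumptions.
from dataclasses import dataclass, field
from typing import Dict, NamedTuple, Optional

# Units from the Threshold row: pps unless the template is one of these two.
UNITS = {"tcp_connections": "connections", "tcp_ratio": "ratio"}
# Keys for which the Specific IP threshold table is available.
SPECIFIC_IP_KEYS = {"src_ip", "dst_ip", "src_net"}


class Verdict(NamedTuple):
    measured: bool          # False when the policy is disabled
    violated: bool          # threshold exceeded (tracked even when inactive)
    action: Optional[str]   # action to apply; only when active and violated


@dataclass
class Policy:
    path: str               # <template>/<service>/<level>/<type>/<key>
    state: str              # "active" | "inactive" | "disabled"
    action: str             # e.g. "notify", "filter/drop"
    threshold: float
    timeout: int = 60       # seconds: minimum time the action stays applied
    specific_ip: Dict[str, float] = field(default_factory=dict)

    @property
    def key(self) -> str:
        return self.path.split("/")[-1]

    @property
    def unit(self) -> str:
        return UNITS.get(self.path.split("/")[0], "pps")

    def set_specific_ip(self, ip: str, threshold: float) -> None:
        """Per-IP override; only src_ip, dst_ip and src_net keyed policies
        have the Specific IP threshold table."""
        if self.key not in SPECIFIC_IP_KEYS:
            raise ValueError(f"no specific IP thresholds for key {self.key!r}")
        self.specific_ip[ip] = threshold

    def effective_threshold(self, ip: Optional[str] = None) -> float:
        return self.specific_ip.get(ip, self.threshold) if ip else self.threshold

    def evaluate(self, measured: float, ip: Optional[str] = None) -> Verdict:
        """Disabled: nothing is measured. Inactive: measured, violation
        noted, no action. Active: the action is returned on violation."""
        if self.state == "disabled":
            return Verdict(False, False, None)
        violated = measured > self.effective_threshold(ip)
        if violated and self.state == "active":
            return Verdict(True, True, self.action)
        return Verdict(True, violated, None)


if __name__ == "__main__":
    p = Policy("tcp_services/80/basic/pkts/src_ip", "active", "filter/drop", 500)
    p.set_specific_ip("203.0.113.9", 2000)  # known high-volume source (constructed)
    print(p.unit, p.evaluate(600, "203.0.113.9"), p.evaluate(600, "198.51.100.4"))
```

The same 600 pps is a violation from an ordinary source but not from the source given a specific threshold, and an inactive policy still reports the violation without returning an action, which is the behaviour the State row describes.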
Snapshot
The snapshot, along with the compare policies, is a mechanism used to verify the learning process outcome.
You may save a snapshot of the learning parameters (services, thresholds and other policy related data) at any time of the Learning phase, and later review it. The file containing the snapshot learning phase parameters, along with the zone configuration parameters, is saved under a user defined zone name. Thus, a new zone would be created bearing the configurations and policy parameters (number of services, thresholds, action, timeout, etc.) of the zone at snapshot time.
Note
The Guard continues its Learning phases as the snapshot is taken.
To create a snapshot of the zone's learning parameters:
1. From the Zone's main menu, select Learning > Snapshot.
   Note
   The snapshot command is applicable while the zone is in Learning only.
2. Enter the Snapshot's name.
Note
The Snapshot creates a new zone. After verifying the snapshot parameters, or comparing two snapshots, you may choose to delete the snapshot. Alternatively, you may keep the snapshot and delete the originating zone.
See the "Compare Policies" section to compare the Policy parameters of two snapshots.
See the "Accepting Policy Parameters Selectively" section to selectively accept the snapshot parameters.
Compare Policies
You may compare the snapshot Learning parameters with the zone Learning parameters. The comparison is performed to trace differences in policies, services, and thresholds. You may define the sensitivity at which the comparison reports a difference.
If differences are observed, you may change the base zone's policy according to the compared zone's policy parameters. This provides a powerful tool that enables you to accept learned policy parameters selectively (see the "Accepting Policy Parameters Selectively" section for further details).
To compare between two learning parameter files:
1. Perform one of the following:
   • From the Zone's main menu, select Configuration > Compare policies.
   • From the Guard's main menu, select Zones > Compare Zone policies.
   The policy comparison query window appears.
2. Enter the following parameters:
   Base Zone
       The name of the base zone whose learning parameters are compared. The base zone's policies may be changed according to the compared zone's policy parameters.
   Compared Zone
       The name of the zone or snapshot that the base zone's learning parameters are compared to.
   Minimal difference
       The difference percentage to trace. The Detector will trace any parameters that differ by more than the defined percentage.
3. Click OK.
   The policy comparison tables are displayed (see Figure 6-5).
Figure 6-5 Policy Comparison
The policy comparison consists of tables grouped into two sections. These are:
• Difference in services—The services in this section are displayed in two tables:
  – Services present only in the base zone policies.
  – Services missing from the base zone. These services are defined only in the compared zone.
• Difference in policy parameters—Differences in the policy operational parameters (state, action, threshold, proxy-threshold) are displayed. Each section in the table presents the differences found in a single policy. The upper row presents the policy and the operational parameters of the base zone. The lower row presents the policy and the operational parameters of the compared zone.
Accepting Policy Parameters Selectively
In case differences are observed while comparing policies, you may change the base zone's policy according to the compared zone policy parameters. This provides a powerful tool that enables you to accept learnt policy parameters selectively.
Figure 6-5 displays the policy comparison tables (see the "Compare Policies" section for further details).
The policy comparison consists of tables grouped into two sections. These are:
• Difference in services—The services in this section are displayed in two tables:
  – Services present only in the base zone policies. You may choose to remove these services.
  – Services missing from the base zone. These services are defined only in the compared zone. You may choose to add these services to the base zone policies.
  To remove services from the base zone policies:
  1. Select the check box next to the required services under Services only in <Zone-name>.
  2. Click Delete.
  To add these services to the base zone policies:
  1. Select the check box next to the required services under Services missing from <Zone-name>.
  2. Click Add.
• Difference in policy parameters—Differences in the policy operational parameters (state, action, threshold, proxy-threshold) are displayed. Each section in the table presents the differences found in a single policy. The upper row presents the policy and the operational parameters of the base zone. The lower row presents the policy and the operational parameters of the compared zone.
  To copy the policy operational parameters from the compared zone to the base zone (from the lower row to the upper row):
  1. Select the check box next to the required policies.
  2. Click Copy Parameters.
Note
Select the checkbox at the table header to select all table entries.
Note
The snapshot procedure creates a new zone. After comparing two zones (or snapshots) and modifying the base zone policies, you may choose to delete the compared zone.
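The "Compare Policies" and "Accepting Policy Parameters Selectively" sections describe one workflow: compare a base zone with a snapshot using a minimal-difference percentage, then Delete, Add or Copy Parameters on selected rows. The following Python is an added example written for this page, not Cisco code, that produces the same two service tables and the parameter differences from two zone definitions and applies the three selective operations to a copy of the base zone. The zone layout ({policy path: {parameter: value}}), the rule that numeric parameters count as different only when they deviate by more than the given percentage of the base value, and the sample zones are assumptions.

```python
# Added example (not Cisco Guard code): compare two zones' learned policy
# parameters and apply the selective-accept operations. Zone layout,
# comparison rule and sample data are assumptions for this page.
from copy import deepcopy

# Operational parameters reported by the comparison, as listed above.
PARAMS = ("state", "action", "threshold", "proxy-threshold")

# Constructed base zone and snapshot: {policy_path: {parameter: value}}.
BASE = {
    "http/80/basic/reqs/global": {"state": "active", "action": "notify",
                                  "threshold": 1000, "proxy-threshold": 500},
    "http/80/basic/reqs/src_ip": {"state": "active", "action": "filter/drop",
                                  "threshold": 50, "proxy-threshold": 25},
    "dns_tcp/53/analysis/pkts/dst_ip": {"state": "active", "action": "notify",
                                        "threshold": 200, "proxy-threshold": 100},
}
SNAPSHOT = {
    "http/80/basic/reqs/global": {"state": "active", "action": "notify",
                                  "threshold": 1300, "proxy-threshold": 520},
    "http/80/basic/reqs/src_ip": {"state": "inactive", "action": "filter/drop",
                                  "threshold": 52, "proxy-threshold": 25},
    "tcp_services/22/basic/pkts/global": {"state": "active", "action": "notify",
                                          "threshold": 300, "proxy-threshold": 150},
}


def service_of(path):
    """(template, service) pair of a policy path."""
    return tuple(path.split("/")[:2])


def compare(base, compared, minimal_difference=10.0):
    """Build the two service tables and the per-policy parameter differences.
    Numeric parameters differ only when they deviate from the base value by
    more than minimal_difference percent; other parameters when unequal."""
    base_svcs = {service_of(p) for p in base}
    cmp_svcs = {service_of(p) for p in compared}
    diffs = {}
    for path in sorted(set(base) & set(compared)):
        changed = {}
        for param in PARAMS:
            b, c = base[path].get(param), compared[path].get(param)
            if isinstance(b, (int, float)) and isinstance(c, (int, float)):
                differs = (c != 0) if b == 0 else abs(c - b) / abs(b) * 100 > minimal_difference
            else:
                differs = b != c
            if differs:
                changed[param] = (b, c)   # (upper row: base, lower row: compared)
        if changed:
            diffs[path] = changed
    return {"only_in_base": sorted(base_svcs - cmp_svcs),
            "missing_from_base": sorted(cmp_svcs - base_svcs),
            "parameters": diffs}


def delete_services(base, services):
    """Delete: drop every base policy belonging to the selected services."""
    selected = set(services)
    return {p: dict(v) for p, v in base.items() if service_of(p) not in selected}


def add_services(base, compared, services):
    """Add: copy the compared zone's policies for the selected services."""
    out, selected = deepcopy(base), set(services)
    for path, params in compared.items():
        if service_of(path) in selected:
            out[path] = dict(params)
    return out


def copy_parameters(base, compared, paths):
    """Copy Parameters: take the lower row (compared zone) for the selected policies."""
    out = deepcopy(base)
    for path in paths:
        out[path] = dict(compared[path])
    return out


if __name__ == "__main__":
    report = compare(BASE, SNAPSHOT, 10.0)
    for section, rows in report.items():
        print(section, rows)
```

With a minimal difference of 10%, the 30% rise in the global threshold is reported while the 4% change in its proxy-threshold is not, and the state change on the src_ip policy is reported because non-numeric parameters are compared for equality. The three operations return new zone dictionaries rather than editing the base in place, so the original remains available for a second comparison, which mirrors keeping the snapshot zone around until the review is done.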