Table Of Contents
Configuring Zones
Overview
Basic Zone Configuration
Creating a Zone
Duplicating a Zone
Learning the Zone Traffic Characteristics
Constructing Policies
Terminating the Policy Construction Phase
Tuning Thresholds
Terminating the Threshold Tuning Phase
Protecting the Zone
Defining Protection Termination
On-Demand Protection
Analyzing the Zone Traffic
Viewing Zone Counters
Viewing the Zone Status
Configuring Zones
This chapter describes how to create and manage zones. These procedures are required to set the Guard to protect the zone.
This chapter contains the following major sections:
• Overview
• Basic Zone Configuration
• Learning the Zone Traffic Characteristics
• Protecting the Zone
• On-Demand Protection
• Analyzing the Zone Traffic
Overview
The zone configuration process consists of the following steps:
Step 1
Basic zone configuration—The basic configuration includes creating a zone and configuring the zone's name and description, the zone's network address and operation definitions, and basic networking characteristics such as the zone's bandwidth. See the "Basic Zone Configuration" section for further details.
Step 2
Configuring diversion—To protect the target host (zone), traffic to this host must be diverted to the Guard. The diversion is configured globally, via the Guard routing configuration. You must make sure that the global diversion configuration covers that of the new zone. This step includes configuring traffic forwarding methods. See "Diversion Configuration" for further details.
Step 3
Learning the zone traffic and adjusting policies—Create protection policies. The policies are the mechanisms that measure a particular traffic flow and take action against the flow as a result of threshold violation. The Guard creates the protection policies using templates, in a two-phase process of learning the zone traffic. Alternatively, you can use on-demand protection. See the "Learning the Zone Traffic Characteristics" section for further details.
Step 4
Configuring the Guard filters—Configuring the various zone filters. These are the mechanism that direct the diverted traffic to the required protection modules. You can configure the filters and design a variety of possibilities for customized traffic direction and anti-DDoS attack mechanisms. See "Configuring Zone Filters," for further details.
Step 5
Protecting the zone—After learning the zone traffic characteristics, the Guard is ready to protect the zone. You can wait for an external indication (from the Detector or any other means) of an attack before setting the Guard to protect the zone, or command the Guard to protect the zone right after configuring the zone. During the zone protection process, the Guard diverts the zone traffic and applies its protection policies. See the "Protecting the Zone" section for further details.
Basic Zone Configuration
When creating a new zone, you can create a zone based on system-defined templates or use an existing zone as a template. The template defines the zone initial configuration. This configuration is used for on-demand protection (protection for which learning was not performed). See the "On-Demand Protection" section for further details.
To create a new zone and configure its basic characteristics, perform the following steps:
Step 1
Create a new zone based on system-defined templates. See the "Creating a Zone" section.
OR
Create a zone based on an existing zone. See the "Duplicating a Zone" section.
Note
To change the configuration of an existing zone, enter the zone configuration mode using the zone zone-name command.
Step 2
Define the zone's IP address. You must define this to enable the Guard to perform traffic learning and protection.
When initially defined, the zone IP address must be inserted when the zone is not in protect mode. However, a zone's subnet or its additional IP addresses can be added when the zone is in protect mode.
To add additional IP addresses, enter this command more than once. You can add up to 100 IP entries (specific IP address or subnet) for each zone.
Enter the following:
ip address ip-addr [ip-mask]
Table 5-1 provides the arguments for the ip address command.
Table 5-1 Arguments for the ip address Command

| Parameter | Description |
|---|---|
| ip-addr | The zone IP address. The zone can also be a subnet. |
| ip-mask | (Optional) The IP mask. The default subnet mask is 255.255.255.255. |
Step 3
(Optional) Define the bandwidth allowed to pass to the zone according to the amount of traffic the zone can handle.
Note
We recommend that you set the bandwidth value to the highest bandwidth measured entering the zone. If you do not know it, leave the default bandwidth value (no-limit).
Enter the following:
rate-limit {no-limit | rate burst-size rate-units}
Table 5-2 provides the arguments for the rate limit command.
Table 5-2 Arguments for the rate limit Command

| Parameter | Description |
|---|---|
| no-limit | The zone is defined with no rate limit. |
| rate | An integer greater than 64 that specifies the amount of traffic that is allowed to pass to the zone. The units are specified by the rate-units parameter. The rate limit can be up to ten times greater than the burst limit. |
| burst | An integer greater than 64 that specifies the highest traffic peak allowed to pass to the zone. The units are bits, kilo-bits, kilo-packets, mega-bits, and packets in correspondence to the rate units that are specified by the rate-units parameter. The burst limit can be up to eight times greater than the rate limit. |
| units | The rate units: bps (bits per second), kbps (kilo bits per second), kpps (kilo packets per second), mbps (mega bits per second), pps (packets per second). |
Step 4
(Optional) Add a description to the zone for identification purposes. Enter the following:
description string
The string length is limited to a maximum of 80 characters.
To modify a zone's description, re-enter the zone description. The new description overrides the former.
For example:
admin@GUARD-conf-zone-scannet# ip address 192.168.100.34 255.255.255.252
admin@GUARD-conf-zone-scannet# rate-limit 1000 2300 pps
admin@GUARD-conf-zone-scannet# description This zone is used for demonstration purposes
Note
To display the configuration file of the newly configured zone, use the show running-config command at the zone prompt.
Creating a Zone
To create a zone based on system-defined templates, enter the following:
zone new-zone-name [template] [interactive]
After executing the command, the Guard enters the configuration mode of the new zone. If you enter the name of an existing zone, the Guard enters the specific zone configuration mode.
Table 5-3 provides the arguments and keywords for the zone command.
Table 5-3 Arguments and Keywords for the zone Command

| Parameter | Description |
|---|---|
| new-zone-name | The name of a new zone. The name is an alphanumeric string up to 63 characters. The string must start with a letter, can contain underscores but cannot contain any spaces. |
| template | (Optional) A template that defines the zone configuration. The default is to create the zone using the Guard DEFAULT zone template. See Table 5-4 for further details. |
| interactive | Sets the operation mode of the new zone to interactive. In this mode, the Dynamic filters produced by the policies appear as recommendations, and you must decide whether or not to activate each Dynamic filter. See "Interactive Recommendations Mode," for further details. |
Table 5-4 displays the Guard zone templates.
Table 5-4 Guard Zone Templates

| Template | Description |
|---|---|
| DEFAULT | The Guard default zone template. The Guard uses this template in the TCP proxy anti-spoofing mechanism. This mechanism changes the packets' source IP address to the Guard's TCP proxy address. You can use this template if you do not use ACLs (IP based access list), access policy or load balancing policy based on incoming IP address for the zone network. |
| TCP_NO_PROXY | This template is designed for a zone for which no TCP proxy is to be used. You can use this template if the zone is moderated according to IP addresses, such as an Internet Relay Chat (IRC) server-type zone, or if you do not have knowledge of the type of services running on the zone. |
| Bandwidth-limited Link Templates | Templates designed for on-demand protection of large subnets segmented according to zones with a known bandwidth. Protection for these zones should be assumed for the attacked subnet or range. We recommend that you define such a zone on the Detector with a protect-ip-state of only-dest-ip. The following bandwidth-limited link templates are available: LINK_128K (128K link), LINK_1M (1M link), LINK_4M (4M link), LINK_512K (512K link). Note: You cannot perform learning policy-construction for these templates. |
Note
To display the zone templates, use the show templates command. To display the template default policies, use the show templates template-name policies command.
For example:
admin@GUARD-conf# zone scannet interactive
admin@GUARD-conf-zone-scannet#
Duplicating a Zone
You can create a new zone based on an existing one.
To duplicate a zone, perform one of the following:
• Enter the following at the Configuration prompt:
zone new-zone-name copy-from base-zone-name
The argument base-zone-name specifies the name of the zone that is used as a template for the new zone.
For example:
admin@GUARD-conf# zone scanserver copy-from scannet
admin@GUARD-conf-zone-scanserver#
OR
• Enter the following at the relevant zone prompt:
zone new-zone-name copy-from-this
The configuration of the new zone is copied from the configuration of the current zone.
For example:
admin@GUARD-conf-zone-scannet# zone mailserver copy-from-this
admin@GUARD-conf-zone-mailserver#
The argument new-zone-name specifies the name of the new zone. The zone name is an alphanumeric string up to 63 characters. The string must start with a letter, can contain underscores but cannot contain any spaces.
After executing the command, the Guard enters the configuration mode of the new zone.
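The zone, ip address, rate-limit and description commands above each carry constraints (name syntax and length, at most 100 IP entries, rate and burst above 64 and within the stated ratios, recognised rate units, an 80-character description). The following validator is an added example, not Cisco code and not part of the Guard, that encodes those constraints so a zone definition produced by a provisioning script can be checked before it is pasted into the Guard CLI. The function signatures and the (ip, mask) tuple layout are assumptions made for this example; the Guard's own command parser is not reproduced here.

```python
"""Pre-flight checks for a Guard zone definition (added example, not Cisco code).

The constraints encoded here are the ones stated in the Configuring Zones
chapter for the zone, ip address, rate-limit and description commands.
"""
import ipaddress
import re

RATE_UNITS = {"bps", "kbps", "kpps", "mbps", "pps"}   # rate-units keyword values
MAX_IP_ENTRIES = 100      # ip address entries per zone
MAX_DESCRIPTION = 80      # description string length
MAX_ZONE_NAME = 63        # zone name length
# starts with a letter; letters, digits and underscores only; no spaces
ZONE_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")


def check_zone_name(name):
    """Return a problem description, or None when the name is acceptable."""
    if len(name) > MAX_ZONE_NAME:
        return f"zone name longer than {MAX_ZONE_NAME} characters"
    if not ZONE_NAME_RE.match(name):
        return ("zone name must start with a letter and contain only "
                "letters, digits and underscores")
    return None


def check_rate_limit(rate, burst, units):
    """Check rate-limit rate burst-size rate-units against the documented limits."""
    errors = []
    if units not in RATE_UNITS:
        errors.append(f"unknown rate units {units!r}")
    if rate <= 64:
        errors.append("rate must be greater than 64")
    if burst <= 64:
        errors.append("burst must be greater than 64")
    if rate > 10 * burst:
        errors.append("rate may be at most ten times the burst")
    if burst > 8 * rate:
        errors.append("burst may be at most eight times the rate")
    return errors


def validate_zone(name, ip_entries, rate_limit=None, description=None):
    """Return a list of problems; an empty list means every check passed.

    ip_entries: list of (ip, mask) strings, mask given as a dotted netmask.
    rate_limit: None for no-limit, otherwise a (rate, burst, units) tuple.
    """
    errors = []
    err = check_zone_name(name)
    if err:
        errors.append(err)
    if not ip_entries:
        errors.append("at least one ip address entry is required for learning and protection")
    if len(ip_entries) > MAX_IP_ENTRIES:
        errors.append(f"more than {MAX_IP_ENTRIES} ip entries")
    for ip, mask in ip_entries:
        try:
            # strict=False accepts a host address with a subnet mask, as the CLI does
            ipaddress.IPv4Network((ip, mask), strict=False)
        except ValueError:
            errors.append(f"invalid ip address/mask {ip} {mask}")
    if rate_limit is not None:
        errors.extend(check_rate_limit(*rate_limit))
    if description is not None and len(description) > MAX_DESCRIPTION:
        errors.append(f"description longer than {MAX_DESCRIPTION} characters")
    return errors


if __name__ == "__main__":
    # The chapter's own example zone, expressed as validator input (constructed).
    problems = validate_zone(
        "scannet",
        [("192.168.100.34", "255.255.255.252")],
        rate_limit=(1000, 2300, "pps"),
        description="This zone is used for demonstration purposes",
    )
    print("ok" if not problems else "\n".join(problems))
```

Run the validator over each zone before generating the CLI lines; a non-empty result is a definition the Guard would reject or, in the case of an oversized burst or rate, a limit that does not match the bandwidth the zone can actually handle.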
Learning the Zone Traffic Characteristics
During the Learning phases, the Guard learns the zone's traffic characteristics. The results are translated into protection policies. These instruct the Guard protection system how to regard the zone traffic flows. The Guard Learning phase begins with the Guard traffic diversion mechanisms that divert the routine zone traffic to the Guard.
Note
You must configure diversion before initiating the learning process. Configure zone diversion using the Guard routing configuration. See "Zone Traffic Diversion" for further details.
The Policy Templates are the Guard's tools for constructing the policies. These define the types of zone policies to be created according to traffic characteristics. The policy templates also define the Maximum Services and Minimum Threshold for each service policy in accordance to the guiding parameters provided (see "Configuring Policy Templates and Policies," for further details).
Note
If there is an attack on the zone before the learning phases have been completed and the Guard has not yet adopted its protection policy, abort the learning, define a new zone (see the "Creating a Zone" section) with the same IP addresses and use this new zone for on-demand protection. See the "On-Demand Protection" section for further details.
The learning process consists of two phases, during which the Guard learns the zone's traffic and adapts itself to the particular characteristics:
1. Constructing Policies—In this phase, the Guard creates the zone policies using the Policy Templates. The traffic flows transparently through the Guard enabling it to discover the main services the zone uses.
2. Tuning Thresholds—In this phase, the Guard tunes the policies to fit the zone services traffic rates. The traffic flows transparently through the Guard, enabling it to tune the thresholds for the services it discovered while constructing the zone policies.
Note
During the learning process, the Guard drops packets if one of the following fields in the packet equals zero:
• Source IP address
• Protocol number
• UDP source or destination port
• TCP source or destination port
The Guard learns the zone's traffic characteristics to acquire a basis on which to compare zone traffic and trace any anomalies that might, in turn, become malicious.
Once the policies are created, you can add and delete policies, or change policy parameters such as thresholds, services, time-outs and actions.
The action a policy takes can range from simple notification, to directing the traffic to various Guard protection mechanisms, or to dropping malicious traffic.
Constructing Policies
In this phase, the Guard creates the zone policies using the Policy Templates. The traffic flows transparently through the Guard enabling it to discover the main services the zone uses. You can configure the policy construction guiding rules. See "Configuring Policy Templates and Policies," for further details.
Note
Policy Construction cannot be performed for zones based on the bandwidth-limited link templates: LINK_128K, LINK_1M, LINK_4M and LINK_512K.
To construct the zone policies, perform the following steps:
Step 1
Enter the following:
learning policy-construction
Tip
Check that the Guard is diverting the zone traffic. Wait at least ten seconds after initiating the policy construction phase and issue the show rates details command. Verify that the value of the Received traffic rate is greater than zero. A value of zero indicates a diversion problem.
Step 2
After a sufficient period of time, terminate the policy construction phase and decide how to handle the newly constructed policies.
Note
We recommend letting the Policy Construction phase continue for at least two hours before proceeding to the next phase.
See the next section, "Terminating the Policy Construction Phase" for further details.
For example:
admin@GUARD-conf-zone-scannet# learning policy-construction
Timesaver
You can issue policy learning commands for several zones at the same time. Issue the command at the Global prompt and use an asterisk (*) as a wildcard. For example, to initiate policy construction for all zones, enter learning policy-construction * at the Global prompt. To accept the results of the policy construction phase for all Guard zones with names that begin with scan (such as scannet, scanserver and so on), type no learning scan* accept at the Global prompt.
Terminating the Policy Construction Phase
There are three ways to terminate the policy construction phase:
• Accept the suggested policies—To accept the Guard's suggested policies, enter the following at the relevant zone prompt:
no learning accept
The Guard erases previously learned policies and thresholds.
After accepting the newly constructed policies, you can manually add or remove policies or change the policy parameters. See "Configuring Policy Templates and Policies," for further details.
• Reject the suggested policies—To reject the Guard's suggested policies, type the following at the relevant zone prompt:
In this case, the Guard stops the process and erases all its learned data. As a result, the Guard reverts to its default settings (in the case of a new zone) or to the zone traffic configuration that existed prior to the learning phase.
• View the suggested policies—You can view the outcome of the learning process before making a decision. See the "Creating Snapshots and Comparing Policies" section for further details.
For example:
admin@GUARD-conf-zone-scannet# no learning accept
Tuning Thresholds
In this stage, the Guard further analyses the zone traffic and defines thresholds for the policies constructed during the previous phase. The Guard sets default values for the policy operational parameters (Timeout and Action). See "Configuring Policy Templates and Policies," for information on how to configure the values of the operational parameters.
To tune the policy thresholds, perform the following steps:
Step 1
Enter the following at the relevant zone prompt:
learning threshold-tuning
Step 2
After a sufficient period of time, terminate the threshold-tuning phase and decide how to handle the newly constructed policies.
Note
We recommend that you run the threshold-tuning phase during peak traffic time (the busiest day) for a minimum of 24 hours.
See the next section, "Terminating the Threshold Tuning Phase" for further details.
For example:
admin@GUARD-conf-zone-scannet# learning threshold-tuning
Timesaver
You can issue policy learning commands for several zones at the same time. Issue the command at the Global prompt and use an asterisk (*) as a wildcard. For example, to initiate threshold tuning for all zones, enter learning threshold-tuning * at the Global prompt. To accept the results of the threshold-tuning phase for all Guard zones with names that begin with scan (such as scannet, scanserver and so on), enter no learning scan* accept at the Global prompt.
Use the show policies statistics command to view the learning results.
See the "Viewing Policies" section for further details.
Terminating the Threshold Tuning Phase
There are three ways to terminate the threshold-tuning phase:
• Accept the suggested policies—To accept the Guard's suggested policies, type the following at the relevant zone prompt:
no learning accept
The Guard erases previously learned thresholds.
After accepting the newly constructed policies, you can manually change the policy parameters. See "Configuring Policy Templates and Policies," for further details.
• Reject the suggested policies—To reject the Guard's suggested thresholds, type the following at the relevant zone prompt:
In this case, the Guard stops the threshold-tuning phase and reverts to the results from the policy-construction phase and the previous thresholds. The newly constructed policies are then left with thresholds that are either tuned for on-demand protection or were obtained from past traffic characteristics.
• View the suggested policies—You can view the outcome of the learning process before making a decision. See the "Creating Snapshots and Comparing Policies" section for further details.
For example:
admin@GUARD-conf-zone-scannet# no learning accept
Protecting the Zone
Before activating the Guard's protection for a zone, we recommend that you let the Guard study the zone's traffic patterns. The learning process allows the Guard to learn the traffic patterns of each zone and to create sets of recommended thresholds according to statistical analysis of the traffic.
Note
In case there is an attack on the zone before the learning phases have been completed and the Guard has not yet adopted its protection policy, the Guard has on-demand protection. The Guard's default thresholds for a new zone enable effective on-demand protection. See the "On-Demand Protection" section for further details.
The Guard's protection can be activated in two operation modes:
• Automatic protection mode—The Dynamic filters are activated without user intervention.
• Interactive protection mode—Dynamic filters are activated manually, in an interactive mode. See "Interactive Recommendations Mode," for further details.
You can wait for an external indication (from the Detector or any other means) of an attack before setting the Guard to protect the zone, or command the Guard to protect the zone right after configuring the zone. During the zone protection process, the Guard diverts the zone traffic and applies its protection policies.
Protection termination may be defined according to Dynamic filter inactivity timeout. See the "Defining Protection Termination" section for further details.
You can choose to protect a zone in one of the following ways:
• Protect the overall zone. Enter the following at the relevant zone prompt:
protect
OR
• Protect an IP-specific zone that is a part of the zone address range. In this case, a new zone is created. The name of the new zone consists of the first 30 characters of the major zone, an underscore, and the specific IP address. If a zone by the same name already exists, the Guard activates protection for the existing zone instead of creating another zone by the same name. Enter the following:
protect zone-name ip-addr
The argument zone-name specifies the name of the specific zone and the argument ip-addr specifies the specific IP address within the zone's address range.
Note
To remove this zone, use the no form of the zone command.
For example:
admin@GUARD# protect scannet 192.168.5.6
creating zone scannet_192.168.5.6
Tip
Check that the Guard is diverting the zone traffic. Wait at least ten seconds and issue the show rates command. Verify that the value of at least one of the rates is greater than zero. If the value of all rates equals zero, this indicates a diversion problem.
Defining Protection Termination
Protection termination may be defined according to Dynamic filter inactivity timeout. If for a predefined span of time, there are no Dynamic filters in use and no new Dynamic filters are added, the Guard assumes the attack on the zone has ended and terminates the protection (See the "Deactivating Dynamic Filters" section for information on how the Guard decides when to remove Dynamic filters). You can define this timeout from seconds to infinite.
Enter the following:
protection-end-timer {time-seconds | forever}
Table 5-5 provides the arguments and keywords for the protection-end-timer command.
Table 5-5 Arguments and Keywords for the protection-end-timer Command

| Parameter | Description |
|---|---|
| time-seconds | An integer greater than 60 that specifies the protection timeout measured in seconds. |
| forever | An indefinite timeout. |
The default is forever. If you do not change the default value, you must deactivate protection manually.
On-Demand Protection
You can protect a zone without performing learning in case of an immediate need, such as a zone under attack. The system-defined zone templates include predefined protection policies and User filters that are suited to protect a zone that has not finished the learning process. The default thresholds of these templates are tuned so that the Guard's anti-spoofing mechanisms are activated quickly if the Guard identifies an abnormality in the zone's traffic.
Since the Guard has no knowledge of the zone traffic patterns, the thresholds used to block (drop) source IP addresses are set to relatively high values. This implies that on-demand protection requires user intervention when mitigating non-spoofed attacks. You must monitor the zone's legitimate and malicious traffic rates and view the Guard's mitigation actions.
To initiate on-demand protection, perform the following steps:
Step 1
Create a new zone. Enter the following:
zone new-zone-name [template] [interactive]
See the "Creating a Zone" section for further details.
Step 2
Activate protection. Enter the following at the relevant zone prompt:
protect
See the "Protecting the Zone" section for further details.
Step 3
Analyze the zone's traffic patterns. See the "Analyzing Zone Traffic Patterns" section for further details.
Analyzing the Zone Traffic
You can display an overview of the zone status or the zone rates or counters.
Viewing Zone Counters
You can use the following commands to analyze zone traffic:
• show rates—Displays the average traffic rates of the Malicious and the Legitimate counters.
• show rates details—Displays the average traffic rates for all Guard counters.
• show rates history—Displays the average traffic rates of the Malicious and the Legitimate counters for every minute in the past 24 hours.
• show counters—Displays the Guard Malicious and Legitimate counters.
• show counters details—Displays all Guard counters.
• show counters history—Displays the values of the Malicious and the Legitimate counters for every minute in the past hour.
The rate units are in bits per second (bps) and in packets per second (pps).
Note
Zone rates are only available when the zone is in learning or protect mode.
The Guard measures the total traffic and computes the average traffic rate. A rate with the value of cleared indicates a time when the zone was not protected.
The counters units are in packets and in Kilo bits. The counters are set to zero when protection is initiated.
Table 5-6 displays the Guard counters.

Table 5-6 The Guard Counters

| Counter | Description |
|---|---|
| Malicious | Malicious traffic destined to the zone. Malicious traffic is the sum of dropped packets and spoofed packets (which also include the zombie packets). |
| Legitimate | Legitimate traffic forwarded by the Guard to the zones. |
| Received | Packets received and handled by the Guard. Received packets are the sum of legitimate traffic and malicious traffic. |
| Forwarded | Legitimate traffic forwarded by the Guard to the zones. |
| Dropped | Packets that were identified by the Guard as part of an attack and dropped. |
| Replied | Packets to which replies were sent to the initiating client as part of the anti-spoofing or anti-zombie mechanisms, in order to verify whether they are part of authentic traffic or part of an attack. |
| Spoofed | Packets that were identified by the Guard as spoofed packets and therefore not forwarded to the zone. Spoofed packets are replied packets (see the Replied counter above) for which no replies were received. Zombie packets are also included in the spoofed packets counter. |
| Invalid zone | Diverted traffic that is not destined to any one of the Guard's protected zones. |
For example:
admin@GUARD-conf-zone-scannet# show rates
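Table 5-6 states how the counters relate to each other (Received is the sum of Legitimate and Malicious, Malicious is the sum of Dropped and Spoofed, Forwarded is the legitimate traffic passed to the zone), and the tips earlier in the chapter say that rates of zero after diversion indicate a diversion problem. The script below is an added example, not Cisco code, that applies those relationships to captured rate output so an operator can spot a diversion or accounting problem at a glance. The sample text is constructed in a simple "name value" layout and does not reproduce the Guard's real show rates details output format; parse_rates() is an assumption to be adapted to the columns your Guard prints.

```python
"""Consistency checks over Guard rate output (added example, not Cisco code).

The relationships checked are the ones Table 5-6 gives for the Guard counters.
The output layout parsed here is a constructed stand-in, not the real format.
"""

# Constructed sample, loosely modelled on "show rates details"; values in pps.
SAMPLE_RATES = """\
Received      15000
Forwarded      9000
Legitimate     9000
Malicious      6000
Dropped        4500
Replied         800
Spoofed        1500
Invalid zone      0
"""


def parse_rates(text):
    """Map counter name -> integer rate; a value of 'cleared' becomes None.

    'cleared' is what the history output shows for a minute in which the zone
    was not protected, so it must not be treated as a zero rate.
    """
    rates = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, value = line.rsplit(None, 1)   # counter names may contain a space
        rates[name] = None if value == "cleared" else int(value)
    return rates


def check_rates(rates):
    """Return a list of findings; an empty list means the numbers are consistent."""
    findings = []
    if any(v is None for v in rates.values()):
        findings.append("some rates read cleared: the zone was not protected during this interval")
        return findings
    if all(v == 0 for v in rates.values()):
        # The chapter's tip: all rates zero after starting protection/learning
        # means zone traffic is not reaching the Guard.
        findings.append("all rates are zero: zone traffic is not being diverted to the Guard")
        return findings
    if rates["Received"] != rates["Legitimate"] + rates["Malicious"]:
        findings.append("Received does not equal Legitimate + Malicious")
    if rates["Malicious"] != rates["Dropped"] + rates["Spoofed"]:
        findings.append("Malicious does not equal Dropped + Spoofed")
    if rates["Forwarded"] != rates["Legitimate"]:
        findings.append("Forwarded differs from Legitimate")
    if rates.get("Invalid zone", 0) > 0:
        findings.append("traffic is being diverted for addresses outside any protected zone")
    return findings


def malicious_share(rates):
    """Fraction of received traffic the Guard classified as malicious (0.0 when idle)."""
    if not rates["Received"]:
        return 0.0
    return rates["Malicious"] / rates["Received"]


if __name__ == "__main__":
    rates = parse_rates(SAMPLE_RATES)
    for finding in check_rates(rates) or ["rates are internally consistent"]:
        print(finding)
    print(f"malicious share of received traffic: {malicious_share(rates):.0%}")
```

A rising malicious share during on-demand protection is the signal the chapter asks you to watch for, since with the high default thresholds the Guard may need you to intervene against non-spoofed traffic; a non-zero Invalid zone rate points back at the global diversion configuration rather than at the zone.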
Viewing the Zone Status
You can display an overview of a particular zone to get a general picture of the zone and its current status. Use the show command to display an overview of the zone. The overview includes the following information:
• Zone status—Indicates whether the zone is currently protected, is in one of the learning phases, or is inactive.
• Zone basic configuration—Describes the basic zone configuration, such as operation mode (automatic or interactive), thresholds and timers, and IP addresses. See the "Basic Zone Configuration" section for more details.
• Zone filters—Includes the Flex filter configuration, the number of Dynamic filters and the User filter configuration. If the zone is in interactive mode, the overview displays the number of recommendations. See the "Configuring the Flex Filter" section and the "Configuring User Filters" section for further details.
• Zone traffic rates—Displays the zone legitimate and malicious traffic rates. See the "Viewing Zone Counters" section for further details.
For example:
admin@GUARD-conf-zone-scannet# show