Cisco Guard Web-Based Management Configuration Guide (Software Version 3.1(0))
Operating and Monitoring Events on the Cisco Guard

Table Of Contents

Operating and Monitoring Events on the Guard

Guard Summary (Home) Page

Viewing Guard Diagnostics

Counters

Event Log

Configuring Access Control

Managing User Authentication

Creating Users

Users List

Changing a Password

Configuring Authorization

Assigning Privilege Levels


Operating and Monitoring Events on the Guard


This chapter describes how to use Web-Based Management (WBM) to operate and monitor events on the Cisco Guard.

This chapter includes the following sections:

Guard Summary (Home) Page

Viewing Guard Diagnostics

Configuring Access Control

For information on managing and creating zones, see "Creating and Configuring Zones."


Note You can only configure the Guard, the network, and diversion using the CLI. Refer to the Cisco Guard User Guide for further details.


Guard Summary (Home) Page

The Guard's Summary (Home) page (Figure 3-1) provides a summary of the current Guard activity. It appears automatically after connecting to the Guard WBM.

You can also reach the Guard Summary (Home) page from a number of locations on the interface (Figure 1-1):

Select Guard Summary from the navigation pane.

Select Home from the information area.

Select Home from the navigation path displayed in the zone pages.

Figure 3-1 Guard Summary (Home) Page

The Guard Summary includes two sections:

Guard Summary—Provides a graphical summary of the traffic handled by the Guard over the last two hours in bits per second (bps). Legitimate traffic passed by the Guard to the protected zones appears in green. Malicious traffic handled by the Guard appears in red.

Table 3-1 describes the information that appears below the graph.

Table 3-1 Field Descriptions for Guard Summary Graph 

Field
Description

Min

The minimum traffic rate measured during the last two hours in bits per second (bps).

Max

The maximum traffic rate measured during the last two hours in bits per second (bps).

Avg

The average traffic rate measured during the last two hours in bits per second (bps).

Cur

The current traffic rate in bits per second (bps).


The information appears separately for legitimate traffic and for malicious traffic.

Currently Protected Zones—Provides a list of the currently protected zones and a short status summary for each of them. The zones appear in attack order, with the most recently attacked zone at the top of the list.

Table 3-2 describes the fields for currently protected zones.

Table 3-2 Field Descriptions for Currently Protected Zones

Fields
Description

Zone

The zone name. The zone name also provides a link to the zone's home page.

Activation Time

The date and time that zone protection was activated.

Attack Start Time

The date and time the most recent attack on the zone was detected.

Legitimate Rate

The current rate of legitimate traffic passed by the Guard to the zone in bits per second (bps).

Malicious Rate

The current rate of malicious traffic to the zone in bits per second (bps).

Thumbnail of the zone traffic summary

A graph displaying a summary of the traffic to the zone over the last half hour. The traffic rate appears in bits per second (bps). The legitimate traffic rate appears in green and the malicious traffic rate appears in red.


Viewing Guard Diagnostics

The Guard provides diagnostic information to assist with troubleshooting and monitoring events.

To view the Guard's diagnostics, select Diagnostics from the main menu.

The following diagnostics are available:

Counters

Event Log

Counters

The Guard Global Current Counters report (Figure 3-2) provides more information than that displayed in the Guard summary.

To display the Guard global counters, select Diagnostics > Counters from the main menu.

The following counters appear:

Legitimate—Legitimate traffic forwarded by the Guard to the zones.

Malicious—Malicious traffic destined to the zone. Malicious traffic is the sum of Dropped packets and Spoofed packets (which also include the Zombie packets).

Received—Packets received and handled by the Guard. Received packets are the sum of legitimate traffic and malicious traffic.

Dropped—Packets that were identified by the Guard as part of an attack and dropped.

Replied—Packets for which the Guard sent a reply to the initiating client, as part of the anti-spoofing or anti-zombie mechanisms, in order to verify whether the traffic is authentic or part of an attack.

Spoofed—Packets that the Guard identified as spoofed and did not forward to the zone. Spoofed packets are replied (bounced) packets for which no response was received. Spoofed packets include zombie packets.

Figure 3-2 Guard Global Counters/Rates

Table 3-3 describes the fields for each of the counters.

Table 3-3 Field Descriptions for Counters in Counter Report

Field
Description

Shown in Graph

Specifies whether the counter is shown in the graph.

Packets

The total number of packets since the Guard was reactivated.

Bits

The total number of bits since the Guard was reactivated.

pps

The current traffic rate measured in packets per second.

bps

The current traffic rate measured in bits per second.
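The counter definitions above state two arithmetic relationships (Received = Legitimate + Malicious, Malicious = Dropped + Spoofed) and describe cumulative Packets/Bits fields next to current pps/bps rates. The following added example, which is not part of the Cisco documentation, checks those relationships on a polled reading and derives the pps/bps rates from two cumulative readings; the snapshot structure, the poll clock, and all counter values are constructed for illustration.

```python
from dataclasses import dataclass

# Relationships the page states between the Guard global counters:
# Received = Legitimate + Malicious, and Malicious = Dropped + Spoofed.
# Replied is a verification count and is not a component of either sum.
SUM_RULES = {
    "Received": ("Legitimate", "Malicious"),
    "Malicious": ("Dropped", "Spoofed"),
}

@dataclass(frozen=True)
class CounterSnapshot:
    """One reading of the report: cumulative Packets and Bits per counter."""
    seconds: int   # seconds since the Guard was reactivated (assumed poll clock)
    packets: dict  # counter name -> cumulative packets
    bits: dict     # counter name -> cumulative bits

def check_sums(values: dict) -> list:
    """Return the names of counters whose value is not the sum of its parts."""
    return [name for name, parts in SUM_RULES.items()
            if values[name] != sum(values[p] for p in parts)]

def rates(earlier: CounterSnapshot, later: CounterSnapshot) -> dict:
    """Derive pps and bps per counter from two cumulative readings, the way
    a poller reconstructs the report's current-rate columns."""
    dt = later.seconds - earlier.seconds
    if dt <= 0:
        raise ValueError("snapshots must be in chronological order")
    return {name: {"pps": (later.packets[name] - earlier.packets[name]) / dt,
                   "bps": (later.bits[name] - earlier.bits[name]) / dt}
            for name in later.packets}

def malicious_share(r: dict) -> float:
    """Fraction of received pps that the Guard classified as malicious."""
    received = r["Received"]["pps"]
    return r["Malicious"]["pps"] / received if received else 0.0

# Constructed sample readings taken 10 s apart (hypothetical values).
T0 = CounterSnapshot(100,
    {"Legitimate": 1000, "Malicious": 500, "Received": 1500,
     "Dropped": 300, "Replied": 250, "Spoofed": 200},
    {"Legitimate": 800000, "Malicious": 250000, "Received": 1050000,
     "Dropped": 150000, "Replied": 125000, "Spoofed": 100000})
T1 = CounterSnapshot(110,
    {"Legitimate": 1200, "Malicious": 650, "Received": 1850,
     "Dropped": 400, "Replied": 300, "Spoofed": 250},
    {"Legitimate": 960000, "Malicious": 325000, "Received": 1285000,
     "Dropped": 200000, "Replied": 150000, "Spoofed": 125000})

print(check_sums(T1.packets), malicious_share(rates(T0, T1)))
```

A non-empty list from check_sums on a live reading means the poller caught the counters mid-update or the report was misparsed, so the derived rates for that interval should be discarded.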


By default, the graph displays the legitimate and malicious traffic over the last two hours, measured in bits per second (bps). You can show additional counters in the graph and change the time period and graph type.

To change the graph settings, perform these steps:


Step 1 Check the boxes to display more counters in the graph.

Step 2 Choose a time period for the graph from the drop-down list.

Step 3 Choose a unit type from the drop-down list.

Step 4 Click Update Graph (see Figure 3-3) to update the graph with the new settings.


A legend identifying the counters appears below the graph, and the minimum, maximum, and average rates for each counter appear for the selected time period and rate units.

For a detailed explanation on interpreting the significance of the counters, refer to the Cisco Guard User Guide.

Event Log

The Event log (Figure 3-3) displays monitoring and troubleshooting information for events that relate to the protected zones and to Guard operation.

To display the event log, select Diagnostics > Event log from the Guard's main menu.

Figure 3-3 Event Log

Table 3-4 shows the possible severity levels for events.

Table 3-4 Event Severity Levels 

Event Level
Description

Emergencies

System is unusable

Alerts

Immediate action required

Critical

Critical condition

Errors

Error condition

Warnings

Warning condition

Notifications

Normal but significant condition

Informational

Informational messages

Debugging

Debugging messages


To filter events according to their severity level, check the boxes next to the severity levels and click Filter Events.


Note The event log only displays zone-related events with a severity level of Emergency, Alert, Critical, Error, Warning, or Notification. See "Zone Statistics and Diagnostics" for further details on zone event logs.
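The severity filter described above, together with the rule in the note that zone-related events are shown only down to Notification, as an added example that is not part of the Cisco documentation. The event record layout, zone names, and messages are constructed, since the page does not show the log's on-screen format.

```python
# Event severity levels from Table 3-4, most to least severe. The index in
# this tuple is the numeric level (0 = Emergencies, 7 = Debugging).
SEVERITIES = ("Emergencies", "Alerts", "Critical", "Errors",
              "Warnings", "Notifications", "Informational", "Debugging")
LEVEL = {name: i for i, name in enumerate(SEVERITIES)}

# Per the note above, zone-related events are listed only for Emergency
# through Notification; Informational and Debugging zone events never appear.
ZONE_CUTOFF = LEVEL["Notifications"]

def at_least(severity: str) -> set:
    """Severity names at or above the given level (e.g. Warnings and worse)."""
    return set(SEVERITIES[:LEVEL[severity] + 1])

def filter_events(events: list, checked: set) -> list:
    """Mimic Filter Events: keep events whose severity box is checked, and
    drop zone events below the Notification cutoff regardless of the boxes."""
    unknown = set(checked) - set(SEVERITIES)
    if unknown:
        raise ValueError(f"unknown severity levels: {sorted(unknown)}")
    return [e for e in events
            if e["severity"] in checked
            and (e["zone"] is None or LEVEL[e["severity"]] <= ZONE_CUTOFF)]

# Constructed sample event records (hypothetical zone names and messages;
# the page does not show the log's on-screen format).
EVENTS = [
    {"time": "10:00:01", "zone": None, "severity": "Informational",
     "msg": "user admin logged in to WBM"},
    {"time": "10:02:15", "zone": "zone_a", "severity": "Alerts",
     "msg": "attack detected, protection active"},
    {"time": "10:02:16", "zone": "zone_a", "severity": "Debugging",
     "msg": "dynamic filter evaluation trace"},
    {"time": "10:05:40", "zone": None, "severity": "Warnings",
     "msg": "counter poll delayed"},
    {"time": "10:09:03", "zone": "zone_b", "severity": "Notifications",
     "msg": "learning phase completed"},
]

if __name__ == "__main__":
    for e in filter_events(EVENTS, at_least("Warnings")):
        print(e["time"], e["zone"] or "guard", e["severity"], e["msg"])
```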


Configuring Access Control

Access control is the way you control who is allowed access to the network server and what services they are allowed to use once they have access. Authentication and Authorization network security services provide the primary framework through which you set up access.

Authentication—The way a user is identified prior to being allowed access to the system and system services.

Authorization—The process of determining what a user is allowed to perform once access to a system is obtained. This is usually done once the user is authenticated and begins to manipulate the system.

Managing User Authentication

The Guard initially has a preconfigured user name with administrator privileges, which enables you to create new users. User definition enables you to divide the Guard user community into domains, and to assign passwords as required for secure management access.

The Administrator can set which authentication method the Guard uses when a user tries to log into the Guard. Local authentication uses locally configured login passwords for authentication. This is the default authentication method.

Creating Users

A user with Administrator privileges can configure local users.

To create a new user, select Users > Create user from the main menu.

Define the parameters in Table 3-5 for each user.

Table 3-5 User Parameter Description 

Parameter
Description

User name

The User's user name.

Initial password

6-24 characters long with no spaces.

Type

The user's privilege level. Choose a value from the drop-down list to assign a privilege level.


You can also create a new user by clicking Add on the Users List page.

Users List

To view the list of users defined on the Guard, select Users > Users list from the main menu.

The list of users is divided into two categories:

System users—Users defined by the system. System users cannot be deleted. The system users are admin and riverhead.

Users—Users defined by the operator.

To delete a user, check the box next to the user name and click Delete.

To add a user, click Add.

The privilege level is displayed for each user (see Table 3-6).

To reconfigure a user, click on the user name and change the parameters.

Changing a Password

To change the password, perform these steps:


Step 1 From the Guard's main menu select Users > Change password. The Change Password window appears.

Step 2 Enter the existing password in the Old Password box.

Step 3 Enter a new password in the New Password box, re-enter the new password to verify your choice and click OK.

Step 4 If you enter an invalid password or the new password is not verified correctly, an error message appears. Click Go Back to try again.


Users that have Administrator privileges can configure and change the password for all users defined on the Guard.

To change the password of a user other than the current user, perform these steps:


Step 1 From the main menu select Users > Users list and click on the user name.

Step 2 Click Config.

Step 3 Enter the new password and click OK.


Configuring Authorization

Access to Guard services depends on the user's privilege level, which you can use to limit the services available to a user. To verify the user's access rights, the Guard checks the user's profile in the local user database and grants access to the requested service only if the information in the profile allows it.

Local authorization uses locally configured user profiles for command group access control. Authorization is defined for all commands at the specific privilege level. This is the default authorization method.

Assigning Privilege Levels

The Guard is pre-configured with the Administrator's privilege level, enabling you to define the different user types. Defining users enables you to divide the Guard user community into groups with different access privileges.

Table 3-6 shows the privilege levels and the corresponding operations.

Table 3-6 User Privilege Levels 

User Group
Command Group

Administrator (Admin)

Full access to all operations.

Configuration (Config.)

Full access to all operations except the operations relating to user definition, deletion, and modification.

Dynamic

Access to monitoring and diagnostics operations, detection, and learning related operations. Users with Dynamic privileges can also configure the Flex and Dynamic filters (see the note below).

Show

Access to monitoring and diagnostics operations.


We recommend that only users with Administrator and Configuration privileges configure filters. Users with lower privileges can add and remove dynamic filters.

The user name admin grants Administrator privileges. The user name riverhead grants Dynamic privileges. The Cisco Traffic Anomaly Detector uses this user name for remote activation of the Guard.

The privilege level is assigned to the user when it is initially created. See the "Creating Users" section for more details.

To change a user's privilege level, delete the user from the Users List and add the user again.