Cisco Guard Web-Based Management Configuration Guide (Software Version 3.1(0))
Creating and Configuring Zones

Table Of Contents

Creating and Configuring Zones

Overview

The Zone Home Page

Zone Status Bar

Zone Traffic Summary

Zone Status Summary

Zone Recent Events

Managing Zones

Reconfiguring a Zone

Deleting a Zone

Zone Status Icons


Creating and Configuring Zones


This chapter describes how to create and manage zones and includes the following sections:

Overview

The Zone Home Page

Managing Zones

Zone Status Icons

Overview

A zone is a network element that the Guard protects against DDoS attacks. A zone can be a network server, client, or router; a network link, a subnet, or an entire network; an individual Internet user or a company; an Internet Service Provider (ISP); or any combination of the above. The Guard can protect different zones simultaneously, as long as their network address ranges do not overlap.

Protecting a zone involves the following elements:

Basic zone configuration—includes the zone's name and description, the zone's network address and operation definitions and basic networking characteristics such as the zone's bandwidth. See the "Managing Zones" section for further details.

Protection policy—policies are the mechanisms that measure a particular traffic flow and take action against the flow when a threshold is violated. The protection policies are constructed from policy templates, which provide the guiding rules. The policies are constructed in two learning phases. See "Protecting Zones" for further details. The action taken by a policy can range from merely notifying, to directing the traffic to the Guard's anti-spoofing or anti-zombie mechanisms, to dropping malicious traffic. See "Configuring Zone Filters and Policy Templates" for further details.

Filters—the zone's filters are the mechanism that directs the diverted traffic to the required protection modules. You can configure the filters to customize how traffic is directed and which anti-DDoS mechanisms are applied to it. See "Configuring Zone Filters and Policy Templates" for further details.

Diversion—to protect the target host (zone) using the Guard, traffic destined to the host must be diverted to the Guard. You configure zone diversion via the Guard routing configuration and not as part of the zone configuration file. For information about configuring zone diversion, refer to the Cisco Guard User Guide.
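
The Overview states that zones protected at the same time must not have overlapping network address ranges. The following script, added here and not part of Cisco's documentation or software, checks a set of proposed zone definitions (zone name plus its IP address/Mask entries, including any additional subnets added to the zone's IP table) for overlaps before they are entered into the Guard. The zone names and addresses are constructed placeholders, and the Guard's own validation behaviour is not described on this page.

```python
"""Check that a set of Guard zone definitions has non-overlapping address ranges.

Added example, not Cisco code. It models only the rule stated in the chapter:
zones protected simultaneously must not have overlapping network ranges.
"""
from ipaddress import ip_network
from itertools import combinations

# Constructed sample: zone name -> list of "address/mask" entries, mirroring the
# IP address and Mask fields plus any extra subnets added to the zone's IP table.
SAMPLE_ZONES = {
    "web_farm": ["198.51.100.0/24"],
    "dns_pair": ["203.0.113.10/32", "203.0.113.11/32"],
    "corp_link": ["203.0.113.0/25"],   # covers both dns_pair hosts: an overlap
}


def zone_networks(entries):
    """Parse entries written as prefix length ("/24") or dotted mask
    ("/255.255.255.0"). strict=False lets a host address with a shorter mask
    stand for its containing subnet instead of raising."""
    return [ip_network(entry, strict=False) for entry in entries]


def find_overlaps(zones):
    """Return (zone_a, zone_b, net_a, net_b) for every pair of distinct zones
    whose ranges overlap. Ranges inside the same zone are not compared, since
    the rule only concerns ranges belonging to different zones."""
    parsed = {name: zone_networks(entries) for name, entries in zones.items()}
    overlaps = []
    for zone_a, zone_b in combinations(sorted(parsed), 2):
        for net_a in parsed[zone_a]:
            for net_b in parsed[zone_b]:
                if net_a.overlaps(net_b):
                    overlaps.append((zone_a, zone_b, str(net_a), str(net_b)))
    return overlaps


def can_protect_together(zones):
    """True when no two zones share any address, i.e. all may be protected at once."""
    return not find_overlaps(zones)


if __name__ == "__main__":
    for zone_a, zone_b, net_a, net_b in find_overlaps(SAMPLE_ZONES):
        print(f"zone {zone_a} ({net_a}) overlaps zone {zone_b} ({net_b})")
    print("all zones can be protected together:", can_protect_together(SAMPLE_ZONES))
```

Run the check against the full intended zone list whenever a zone is created or an address is added to an existing one, since additional subnets can be entered while the zone is active.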

The Zone Home Page

The zone's home page (Figure 4-1) provides a summary of the zone's status.

You can navigate to this page in a number of ways:

Select the zone from the All Zones list in the navigation pane.

If the zone is currently in protect mode, select the zone under the Protected Zones list in the navigation pane.

On the zone pages, select Zone from the navigation path.

Select the zone from the zone list (Guard Summary > Zones > Zone list).

The zone home page is divided into four sections:

Zone Status bar

Zone Traffic summary

Zone Status summary

Zone Recent events

The following buttons appear beneath the zone status bar in certain circumstances.

Protect—Switches the zone to protection mode. This is equivalent to selecting Protection > Protect from the zone's main menu and is only available if the zone is in standby.

Deactivate—Deactivates the zone's detection state. This is equivalent to selecting Protection > Deactivate from the zone's main menu and is only available if the zone is in protection mode.

Report—Links to the current attack report. This is equivalent to selecting Diagnostics > Attack reports from the zone's main menu and clicking the current attack (the attack whose end time is shown as "attack in progress"). It is only available if an attack is currently in progress. See "Zone Statistics and Diagnostics" for further details.

Figure 4-1 Zone Home Page

Zone Status Bar

The zone's status bar provides a quick reference to the status of the zone and includes the following information:

The zone's name.

The zone's operation mode—the operation mode appears in brackets. It indicates whether the zone is in auto protection mode or in interactive protection mode. The operation mode only appears if the zone is active. See the "Managing Zones" section for further details.

The zone's status—the zone's status indicates the protection or learning mode of the zone and has one of the following values: protected, inactive, constructing policy, and tuning thresholds. See the "Zone Status Summary" section for further details.

Indication of new recommendations—If the zone is in interactive mode, the zone's status bar includes an indication that there are new recommendations. See "Interactive Recommendations Mode" section for further details.

Zone Traffic Summary

The zone's traffic summary graph displays the zone-related traffic rate over the last two hours in bits per second (bps). Legitimate traffic passed by the Guard to the zone appears in green. Malicious traffic that was destined to the zone appears in red.

Table 4-1 describes the fields that appear below the zone traffic summary graph.

Table 4-1 Field Descriptions for Fields below Zone Traffic Summary Graph

Field   Description
Min     The minimum traffic rate measured over the last two hours in bits per second (bps).
Max     The maximum traffic rate measured over the last two hours in bits per second (bps).
Avg     The average traffic rate measured over the last two hours in bits per second (bps).
Cur     The current traffic rate in bits per second (bps).


The information appears separately for legitimate traffic and malicious traffic.

Zone Status Summary

The zone's status summary provides the following information:

The number of active Dynamic filters. This number links to the Dynamic filters page. See the "Dynamic Filters" section for further details.

The number of pending Dynamic filters. The number of pending dynamic filters is greater than 1 when the zone is in interactive protection mode and there are new recommendations. This number links to the recommendations page. See the "Dynamic Filters" section for further details on dynamic filters, and the "Interactive Recommendations Mode" section for further details on recommendations.

Last attack time—The date and time of the last attack on the zone.

Activation time—The date and time that protection was activated.

Zone Recent Events

The recent events table displays the recent events in the zone with a minimum severity level of notify. These events also appear in the zone event log and the Guard event log.

Managing Zones

To protect a zone against DDoS attacks, you must configure the zone's network characteristics on the Guard.

To create a new zone, perform one of the following:

From the Guard's main menu select Zones > Create Zone.

From the Guard's main menu select Zones > Zone list and click Add.

From the zone's main menu select Main > Create Zone.

From the zone's main menu select Main > Save as.

This copies the current basic zone configuration to a new zone. It is equivalent to the CLI command zone with the option copy-from-this. Refer to the Cisco Guard User Guide for further details.

Table 4-2 describes the zone's basic configuration fields.

Table 4-2 Field Descriptions for Zone Configuration 

Field
Description

Name

The zone name.

Description

A description of the zone.

From Template

A template that defines the zone configuration. The template can be one of the following:

DEFAULT—The Guard default zone template.

TCP_NO_PROXY—A template designed for a zone for which no TCP proxy is to be used. This template can be used if the zone is moderated according to IP addresses such as an Internet Relay Chat (IRC) server-type zone. Refer to the Cisco Guard User Guide for further details.

Bandwidth Limited Link Templates—Templates designed for on-demand protection of large subnets segmented according to zones with known bandwidth. You should assume protection for the zone for the attacked subnet or range. We recommend that you define such zones with protect-ip-state of only-dest-ip. See Protect-IP state in the Cisco Traffic Anomaly Detector Web-Based Management (WBM) User Guide for further details.

The following Bandwidth Limited Link templates are available for 128K, 1M, 4M, and 512K links respectively:

LINK_128K

LINK_1M

LINK_4M

LINK_512K

You cannot perform policy construction for these templates.

Operation mode

Indicates the mode used for activating zone Dynamic filters. Possible values are:

Automatic—The dynamic filters will be activated automatically.

Interactive—The interactive mode enables you to define the action taken for each Dynamic filter. The Dynamic filters recommended by the policies appear as recommendations. You can specify whether to accept or reject each Dynamic filter.

See "Interactive Recommendations Mode" section for further details.

Max. Rate

The amount of traffic allowed to pass to the zone, displayed as an integer. The rate is measured in bits, kilo-bits, kilo-packets, mega-bits, or packets. Configure the value according to the traffic volume the zone can handle.

Burst

The highest traffic peak allowed to pass to the zone. The peak is an integer. The units are bits, kilo-bits, kilo-packets, mega-bits, or packets and are the same as the rate units.

Flex filter

(Optional) Configure the flex filter. See the "Configuring Flex Filters" section for further details.

Filter Action

(Optional) Configure the Flex filter action. Possible values are:

disable—The Flex filter is disabled.

count—The Flex filter is used to count the flow.

drop—The Flex filter is used to drop the flow.

Protection-end Timer

The time after which protection can be terminated by the Guard.

The Guard verifies whether an attack has ended by checking on Dynamic filters that have been added. The Guard stops the protection if no Dynamic filters are in use and no new Dynamic filter has been added over a predefined period of time.

Possible values range from a number of seconds to infinite.

Filter-rate termination threshold

The threshold that, together with the Malicious-rate termination threshold, specifies when the Guard can inactivate Dynamic filters.

Define this threshold in packets per second (pps).

See the note on Dynamic filter termination for further details.

Malicious-rate termination threshold

The threshold that, together with the Filter-rate termination threshold, specifies when the Guard can inactivate Dynamic filters.

Define this threshold in packets per second (pps).

See the note on Dynamic filter termination for further details.

IP address

The zone's IP address.

Mask

The zone's address mask. Select the address mask from the drop-down list.



Note We recommend that you set the bandwidth value to the highest bandwidth measured entering the zone. If unknown, leave the default burst and Max. rate blank and choose unlimited units from the drop-down list.


After a zone is created, the configuration is displayed in three tables.

To change the zone's basic configuration, click the Config button below the first table and enter the parameters in the Zone Form.

To change the Flex filter configuration, click Config below the second table with the Flex filter information and enter the parameters in the Zone Form. See the "Configuring Flex Filters" section.

To add additional IP addresses and subnets, click the Add button under the third (IP) table. You should repeat this for each zone IP address or subnet mask. You can enter or delete additional IP addresses and subnets while the zone is active.


Note Dynamic filter termination

Once the Dynamic filter timeout expires, the Guard checks whether to inactivate the Dynamic filter. The filter is inactivated when one of the following applies:

The total malicious traffic rate (the sum of the spoofed and dropped traffic) is less than or equal to the Malicious-rate termination threshold.

The Filter-rate termination threshold is greater than or equal to both of the following:

    The Dynamic filter's current traffic rate

    The Dynamic filter's average traffic rate during a user-configured time span (defined by the policy's Timeout parameter)

See the "Configuring Parameters" section for further details on the Dynamic filter timeout.
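
The two termination rules in this section, the Dynamic filter termination note above and the Protection-end Timer described in Table 4-2, are easiest to reason about as a small model. The following Python module is an added example and is not Cisco code; the Guard's internal implementation is not shown on this page, so the functions encode only the conditions as the text states them. The threshold values, filter names and rate samples are constructed, and two details are assumptions: a filter with no rate history yet is treated as having an average equal to its current rate, and the timer's "infinite" setting is modelled as None.

```python
"""Model of the Dynamic filter termination rule and the Protection-end Timer.

Added example, not Cisco code. All rates are in packets per second (pps),
the unit in which the two termination thresholds are defined.
"""
from dataclasses import dataclass, field
from statistics import mean
from typing import List, Optional


@dataclass
class TerminationThresholds:
    filter_rate_pps: float     # Filter-rate termination threshold
    malicious_rate_pps: float  # Malicious-rate termination threshold


@dataclass
class FilterSample:
    """One Dynamic filter's state at the moment its timeout is checked."""
    name: str
    timeout_expired: bool
    current_rate_pps: float
    # Rates sampled over the span set by the policy's Timeout parameter; their
    # mean is the filter's "average traffic rate" in the note.
    rate_history_pps: List[float] = field(default_factory=list)
    spoofed_rate_pps: float = 0.0
    dropped_rate_pps: float = 0.0


def malicious_rate(sample: FilterSample) -> float:
    # The note defines total malicious traffic as spoofed plus dropped traffic.
    return sample.spoofed_rate_pps + sample.dropped_rate_pps


def average_rate(sample: FilterSample) -> float:
    # Assumption: with no history yet, the average equals the current rate.
    if not sample.rate_history_pps:
        return sample.current_rate_pps
    return mean(sample.rate_history_pps)


def should_inactivate(sample: FilterSample, thr: TerminationThresholds) -> bool:
    """True when the filter's timeout has expired and either condition holds."""
    if not sample.timeout_expired:
        return False
    # Condition 1: total malicious rate at or below the Malicious-rate threshold.
    if malicious_rate(sample) <= thr.malicious_rate_pps:
        return True
    # Condition 2: Filter-rate threshold at or above BOTH current and average rate.
    return (thr.filter_rate_pps >= sample.current_rate_pps
            and thr.filter_rate_pps >= average_rate(sample))


def filters_to_inactivate(samples: List[FilterSample],
                          thr: TerminationThresholds) -> List[str]:
    return [s.name for s in samples if should_inactivate(s, thr)]


def protection_can_end(active_filters: int,
                       seconds_since_last_filter_added: float,
                       protection_end_timer_s: Optional[float]) -> bool:
    """Protection-end Timer: protection may stop when no Dynamic filters are in
    use and none has been added for the timer period. Assumption: None models
    the 'infinite' setting, under which the Guard never ends protection itself."""
    if protection_end_timer_s is None:
        return False
    return (active_filters == 0
            and seconds_since_last_filter_added >= protection_end_timer_s)


# Constructed sample: 100 pps Filter-rate threshold, 50 pps Malicious-rate threshold.
THRESHOLDS = TerminationThresholds(filter_rate_pps=100.0, malicious_rate_pps=50.0)
SAMPLES = [
    # Malicious traffic is still 70 pps, but the filter's own rate is under the
    # Filter-rate threshold both now (80) and on average (95): inactivate.
    FilterSample("syn_flood_a", True, 80.0, [90.0, 95.0, 100.0], 40.0, 30.0),
    # Current rate 120 pps exceeds the Filter-rate threshold: keep.
    FilterSample("syn_flood_b", True, 120.0, [90.0, 95.0, 100.0], 40.0, 30.0),
    # High filter rate, but malicious traffic (10 + 20 pps) is under 50: inactivate.
    FilterSample("udp_flood", True, 500.0, [600.0], 10.0, 20.0),
    # Timeout has not expired yet, so the filter is not evaluated: keep.
    FilterSample("http_flood", False, 5.0, [5.0], 0.0, 0.0),
]

if __name__ == "__main__":
    gone = filters_to_inactivate(SAMPLES, THRESHOLDS)
    remaining = len(SAMPLES) - len(gone)
    print("inactivate:", gone)
    print("protection can end with a 600 s timer, last filter added 900 s ago:",
          protection_can_end(remaining, 900, 600))
```

When tuning the two thresholds, note that condition 2 is the one that lets a filter go while attack traffic is still being dropped elsewhere, so a Filter-rate threshold set above the zone's normal per-flow rate will release filters early.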


Reconfiguring a Zone

To reconfigure an existing zone, select Configuration > General from the zone's main menu and click the Config button below the first table.

Deleting a Zone

To delete a zone, select Zones > Zone list from the Guard's main menu, select the check box for the zone and click Delete.

Zone Status Icons

Icons represent the zone's status and appear in the navigation pane and in the zone's status bar. Table 4-3 describes the zone status icons.

Table 4-3 Zone Status Icons

Icon     Status
[icon]   Standby zone.
[icon]   Zone in one of the learning phases.
[icon]   Zone in protect mode.
[icon]   Indicates that new recommendations are available for the zone. This icon appears in addition to the zone icon.