Table Of Contents
Learning Zone Traffic and Constructing Policies
Overview
Learning Zone Traffic
Constructing Policies
Terminating the Policy Construction Phase
Tuning Thresholds
Terminating the Threshold Tuning Phase
Zone Policies
Setting Screen Filters
Configuring Policies
Adding a Service
Removing a Service
Configuring Parameters
Configuring a Specific IP Threshold
Snapshot
Comparing Policies
Accepting Policy Parameters Selectively
Learning Zone Traffic and Constructing Policies
This chapter describes how to create policies that are adapted to the traffic for zones on the Cisco Guard using Web-Based Management (WBM).
This chapter includes the following sections:
• Overview
• Learning Zone Traffic
• Zone Policies
• Snapshot
• Comparing Policies
Overview
The policies are the mechanisms that measure a particular traffic flow and take action against the flow as a result of threshold violation. The protection policies are constructed from policy templates.
A policy template is a collection of rules that are used during the learning phases to construct the zone's policies.
The learning process consists of two phases, during which the Guard learns the zone's traffic and adapts itself to the particular characteristics:
1. The Policy Construction Phase—In this phase, the zone policies are created using the Guard Policy Templates. The traffic flows transparently through the Guard, enabling it to discover the main services used by the zone.
2. The Threshold Tuning Phase—In this phase, the policies are tuned to fit the traffic rates of the zone services. The traffic flows transparently through the Guard, enabling it to tune the thresholds for the services discovered during the policy construction phase.
The Guard learns the zone's traffic characteristics to acquire a basis on which to compare zone traffic and trace any anomalies that might, in turn, become malicious.
Once the policies are created, you can add and delete policies, or change policy parameters such as thresholds, services, timeouts and actions.
Policy actions can range from simple notification, to directing the traffic to various Guard protection mechanisms, or to dropping malicious traffic.
Refer to the Cisco Guard User Guide for more detailed information.
Learning Zone Traffic
During the learning phases, the Guard learns the zone's traffic characteristics and translates the results into protection policies. These policies tell the Guard protection system how to treat the zone's traffic flows.
The Guard learning phase begins with the Guard traffic diversion mechanisms that divert the routine zone traffic to the Guard.
Note
You must configure diversion before initiating the learning process. For information regarding zone diversion configuration, refer to the Cisco Guard User Guide.
The policy templates are the tools that the Guard uses to construct policies. They define the types of zone policies to be created according to traffic characteristics. The policy templates also define the Maximum Services and Minimum Threshold for each service policy according to the parameters defined. See "Configuring Zone Filters and Policy Templates," for further details.
Figure 6-1 Zone Learning Menu
Note
During the learning process, the Guard drops packets if one of the following fields in the packet equals zero:
• Source IP address
• Protocol number
• UDP source or destination port
• TCP source or destination port
Constructing Policies
During this stage, the Guard creates the zone policies. Zone traffic flows transparently through the Guard, enabling it to discover the main services used by the zone.
To initiate the first learning phase—Policy Construction—perform these steps:
Step 1
Select the relevant zone.
Step 2
Select Learning > Construct Policies from the zone's main menu.
Step 3
After a sufficient period of time, terminate the policy construction phase and decide how to handle the newly constructed policies.
We recommend that you let the Policy Construction phase continue for at least two hours before proceeding to the next phase.
Terminating the Policy Construction Phase
There are three ways of terminating the policy construction phase:
1.
Accepting suggested policies — To accept the suggested policies, select Learning > Accept from the zone's main menu or click Accept (see Figure 6-1). The Guard erases previously learned policies and thresholds. You can also accept the suggested policies selectively. See the "Accepting Policy Parameters Selectively" section.
Note
After accepting the newly constructed policies, you can manually add or remove policies or change the policy parameters. See the "Adding a Service", "Removing a Service" and "Configuring Parameters" sections for further details.
2.
Rejecting suggested policies — To reject the suggested policies, select Learning > Abort from the zone's main menu. The Guard stops the process, erases all the learned data, and reverts back to the default settings, in the case of a new zone, or to the zone traffic configurations prior to the learning phase.
3.
Viewing suggested policies — To view the outcome of the learning process before making a decision, select Learning > Snapshot from the zone's main menu. See the "Snapshot" section for further details.
Tuning Thresholds
During this stage, the Guard further analyses the zone traffic and defines thresholds for the policies that were constructed during the previous phase. You can configure the Guard's policy parameters.
To initiate the second learning phase—Threshold Tuning— perform these steps:
Step 1
Select the relevant zone.
Step 2
Select Learning > Tune Threshold from the zone's main menu.
Step 3
After a sufficient period of time, terminate the tune threshold phase and decide how to handle the newly constructed policies.
We recommend that you run the threshold-tuning phase for at least 24 hours.
Terminating the Threshold Tuning Phase
There are three ways of terminating the threshold tuning phase:
1.
Accepting suggested policies — To accept the suggested policies, select Learning > Accept (see Figure 6-1) from the zone's main menu. The Guard erases the previously learned thresholds. You can also accept only certain parameters. See the "Accepting Policy Parameters Selectively" section.
Note
After accepting the new thresholds, you can manually change the policy parameters. See the "Configuring Parameters" section for further details.
2.
Rejecting suggested policies — To reject the suggested policies, select Learning > Abort (see Figure 6-1) from the zone's main menu. The Guard stops the Threshold Tuning phase and keeps the results of the Policy Construction phase together with the previous threshold results. Newly constructed policies keep the thresholds that were obtained from past traffic characteristics.
3.
Viewing suggested policies — To view the outcome of the learning process before making a decision, select Learning > Snapshot from the zone's main menu. See the "Snapshot" section for further details.
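The two learning phases above, modelled in code as an added example written for this page (it is not Cisco's implementation). It reuses the page's vocabulary: the Maximum Services and Minimum Threshold parameters of a policy template, the "any" catch-all service, and the note that packets with a zero source IP, protocol number or TCP/UDP port are dropped while learning. The template parameters, the flow records, the mapping of flows to templates and the tuning rule (peak rate plus a headroom factor) are all assumptions chosen for illustration; the page does not describe the Guard's own tuning algorithm.

```python
"""Model of the Policy Construction and Threshold Tuning phases (illustrative).
Not Cisco's code; template values, flow samples and the tuning rule are assumptions."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass
class Template:
    name: str
    max_services: int    # Maximum Services: distinct services that get their own policy
    min_threshold: int   # Minimum Threshold: floor for any tuned threshold (pps)

# Constructed template parameters (real values come from the template configuration).
TEMPLATES = {
    "http":            Template("http", 2, 100),
    "tcp_services":    Template("tcp_services", 3, 50),
    "udp_services":    Template("udp_services", 3, 50),
    "other_protocols": Template("other_protocols", 3, 20),
}

# Constructed flow records seen while the zone is learning:
# (source IP, protocol number, destination port, packets in the window).
SAMPLE_FLOWS: List[Tuple[str, int, int, int]] = [
    ("198.51.100.7",  6, 80, 1200), ("198.51.100.8", 6, 80, 900),
    ("198.51.100.9",  6, 443, 600), ("198.51.100.10", 6, 22, 40),
    ("198.51.100.11", 6, 25, 30),   ("198.51.100.12", 6, 8080, 10),
    ("198.51.100.13", 17, 53, 600), ("198.51.100.14", 17, 123, 20),
    ("198.51.100.15", 1, 0, 100),   # ICMP has no port, so a zero port is fine here
    ("0.0.0.0",       6, 80, 5000), # zero source IP: dropped while learning
    ("198.51.100.16", 0, 80, 5000), # zero protocol number: dropped
    ("198.51.100.17", 6, 0, 5000),  # zero TCP port: dropped
    ("198.51.100.18", 17, 0, 5000), # zero UDP port: dropped
]

def learnable(src_ip: str, proto: int, port: int) -> bool:
    """The note in "Learning Zone Traffic": a zero source IP, protocol number
    or TCP/UDP port means the packet is dropped during learning."""
    if src_ip == "0.0.0.0" or proto == 0:
        return False
    return not (proto in (6, 17) and port == 0)

def classify(proto: int, port: int) -> Tuple[str, object]:
    """Assumed mapping of a flow to (template, service). Services are ports for
    http/tcp_services/udp_services and protocol numbers for other_protocols."""
    if proto == 6:
        return ("http", port) if port == 80 else ("tcp_services", port)
    if proto == 17:
        return ("udp_services", port)
    return ("other_protocols", proto)

def construct_policies(flows) -> Dict[Tuple[str, object], None]:
    """Phase 1: the busiest services per template, bounded by Maximum Services;
    everything else from that template falls under its 'any' service."""
    volume = defaultdict(Counter)
    for src_ip, proto, port, pkts in flows:
        if learnable(src_ip, proto, port):
            tpl, svc = classify(proto, port)
            volume[tpl][svc] += pkts
    policies: Dict[Tuple[str, object], None] = {}
    for tpl, counter in volume.items():
        for svc, _ in counter.most_common(TEMPLATES[tpl].max_services):
            policies[(tpl, svc)] = None        # threshold not tuned yet
        policies[(tpl, "any")] = None
    return policies

def tune_thresholds(policies, flows, window_seconds: float, headroom: float = 1.5) -> Dict[Tuple[str, object], int]:
    """Phase 2 (assumed rule): threshold = observed rate in pps times headroom,
    never below the template's Minimum Threshold. Flows whose service got no
    policy of its own are counted under 'any'."""
    observed = Counter()
    for src_ip, proto, port, pkts in flows:
        if learnable(src_ip, proto, port):
            tpl, svc = classify(proto, port)
            observed[(tpl, svc) if (tpl, svc) in policies else (tpl, "any")] += pkts
    return {key: max(int(observed[key] / window_seconds * headroom), TEMPLATES[key[0]].min_threshold)
            for key in policies}

if __name__ == "__main__":
    constructed = construct_policies(SAMPLE_FLOWS)
    for key, thr in sorted(tune_thresholds(constructed, SAMPLE_FLOWS, 10).items(), key=str):
        print(f"{key[0]:16s} {str(key[1]):6s} threshold={thr} pps")
```

With these constructed flows, TCP port 8080 does not make it into the three tcp_services slots and is covered by the tcp_services "any" policy, while the low-volume services (TCP 22 and 25, UDP 123, ICMP) end up at their template's Minimum Threshold rather than at a rate derived from traffic. That is the reason the page recommends at least 24 hours of tuning: thresholds tuned over a short window mirror that window's traffic.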
Zone Policies
To view the zone policies, choose Configuration > Policy from the zone's main menu. Figure 6-2 appears.
Figure 6-2 Policy Table
Table 6-1 describes the fields in the Policy Table.
Table 6-1 Field Descriptions for Policy Table
Policy Template: The policy template that was used to construct the policy.

Service: The services the policy relates to. A service is either an application port or a protocol. You can add services to better tailor the policies produced for the specific zone services. See the "Adding a Service" section. The service any relates to all traffic that does not specifically match other services created from the same policy template.

Level: The module used to process the traffic flow. There are three modules:
• Analysis
• Basic
• Strong

Type: The packet type. Possible values are:
• auth_pkts—Packets that underwent either TCP handshake or UDP authentication.
• auth_tcp_pkts—Packets that underwent TCP handshake.
• auth_udp_pkts—Packets that underwent UDP authentication.
• in_nodata_conns—Zone incoming connections that have no data transfer on the connection (packets without a data payload).
• in_conns—Zone incoming connections.
• in_pkts—Zone incoming DNS query packets.
• in_unauth_pkts—Zone incoming unauthenticated DNS queries.
• num_sources—Number of TCP source IP addresses, sending to the zone, that have been authenticated by the Guard's anti-spoofing mechanisms.
• out_pkts—Zone incoming DNS reply packets.
• reqs—Request packets with a data payload.
• syns—Synchronization packets (TCP SYN flagged packets).
• syn_by_fin—SYN and FIN flagged packets. Verifies the ratio between the number of SYN flagged packets and the number of FIN flagged packets.
• unauth_pkts—Packets that did not undergo TCP handshake.
• pkts—All packet types that do not fall under any other category in the same detection level.

Key: The key (traffic characteristic) that was used to aggregate the policies. Double-click the key name to view details. Possible values are:
• dst_ip—Traffic destined to a zone IP address.
• dst_ip_ratio—The ratio of SYN and FIN flagged packets destined to a specific IP address.
• dst_port_ratio—The ratio of SYN and FIN flagged packets destined to a specific port.
• global—A summation of all traffic flow as defined by the other policy sections.
• src_ip—Traffic destined to the zone, aggregated by source IP address.
• src_net—Traffic destined to the zone, aggregated by source subnet.
• dst_port—Traffic destined to a specific zone port.
• protocol—Traffic destined to the zone, aggregated by protocol.
• src_ip_many_dst_ips—The key used for IP scanning: traffic from a single IP address destined to many zone IP addresses.
• src_ip_many_ports—The key used for port scanning: traffic from a single IP address destined to many zone ports.

State: The state of the policy. Possible values are:
• Active — The policy is active.
• Inactive — The policy measures the traffic flow but does not take any action if the threshold is violated.
• Disabled — The policy is disabled.

Action: The action a policy takes as a result of a threshold violation. See the "Configuring Parameters" section for further details.

Threshold: The threshold traffic rate for a specific policy. When this threshold is violated, the policy takes an action. By default, the threshold is set to a value appropriate for on-demand action. This value is adjusted by the threshold-tuning learning phase and can also be configured manually.

Proxy Threshold: Thresholds for clients identified as HTTP proxies.

Threshold List: The number of entries in the threshold list for a particular policy. A dash (-) indicates that a threshold list cannot be configured for the particular policy.

Timeout: The minimum time for the policy to apply its action. Once the timeout expires, the Guard runs a procedure to determine whether or not to deactivate a dynamic filter that was produced by the policy.
Setting Screen Filters
Each section in the policy's structure plays a different role with regard to traffic protection. For easier management, you can set screen filters to display a partial policy with only those sections that are of interest.
To set a screen filter, click Set Screen Filter in the Policies screen, select the values of the parameters from the drop-down lists in the Policy Filter and click OK.
A partial list of the policies, meeting the criteria that you specified, is displayed. Details of the selected path, state and action are displayed in the Screen Filter frame.
Note
If you change one of the parameters, all the parameters that are listed below it are automatically cleared and you must enter new values.
Configuring Policies
After completing the learning processes, you can view specific policy operational parameters. Displaying these parameters helps you decide whether the policy parameters suit the zone's traffic. You can configure a single policy or a group of policies. If necessary, you can configure the parameters to better tailor the policy to the zone's traffic requirements.
To configure a zone policy, perform these steps:
Step 1
Select the relevant zone.
Step 2
Select Configuration > Policy from the zone's main menu.
Step 3
Check the boxes for the required policies in the list and click Config Selection.
Step 4
Enter the relevant parameters in the Zone Policies Parameter Form.
The policy characteristics, as described in Table 6-1, are displayed in the form. If you have selected a group of policies with different characteristics, the differing parameters in the form show the value multiple. Table 6-2 describes the definable parameters.
Table 6-2 Zone Policies Parameter Form
State: The state of the policy. Possible values are:
• active—The policy relates to the traffic and issues an action once the threshold is violated.
• inactive—The policy relates to the traffic and obtains the threshold but takes no action when a threshold is violated.
• disabled—The policy does not relate to the traffic flow and so no threshold is obtained.

Action: Select an action that the policy should take as a result of a threshold violation. Possible values are:
• notify—The policy notifies the user of the threshold violation.
• block-unauthenticated—The policy adds a filter that blocks traffic that was not authenticated by the anti-spoofing mechanism.
• to-user-filters—The policy adds a filter directing the traffic to the user filters.
• filter/strong—The policy adds a filter directing the traffic to the Strong protection module mechanisms.
• filter/drop—The policy adds a filter directing the traffic to the Drop protection module to be dropped.
• redirect/zombie—The policy adds a filter that enhances authentication for all User filters with an action of redirect.

Threshold multiplier: A factor by which the threshold is increased or decreased.

Timeout: The minimum time span for the policy to apply its action. The timeout is measured in seconds and must be an integer.
Adding a Service
You can manually add services that were not discovered during policy construction to better tailor the policies produced. The new policies for this service are added to the policies that were created from the policy template. You can add a new service to the following policy templates:
• http
• other_protocols
• tcp_services
• tcp_services_ns
• udp_services
Note
For http, tcp_services, tcp_services_ns and udp_services, the added service designates a port number. For other_protocols, the added service designates a protocol number.
To add a service to a policy, perform these steps:
Step 1
Select the relevant zone.
Step 2
Select Configuration > Add service from the zone's main menu.
OR
Select Configuration > Policy from the zone's main menu and click Add service.
Step 3
Select a policy template from the list and click Next.
Step 4
Enter the new service in the Add Service Form and click OK.
The new service is defined with default values. You can define the threshold manually. However, we recommend that you run the threshold-tuning phase to tune the policies to the zone's traffic. See the "Tuning Thresholds" section for further details.
Removing a Service
You can remove a specific service related to a policy template.
To remove a service from a policy, perform these steps:
Step 1
Select the relevant zone.
Step 2
Select Configuration > Remove service from the zone's main menu.
OR
Select Configuration > Policy from the zone's main menu and click Remove service.
Step 3
Select the policy template, with the service you want to remove, from the list and click Delete.
Step 4
A warning message is displayed. Click OK if you are sure that you want to remove the service.
Caution 
Removing a service prevents the Guard policies from relating to the traffic service that was removed and may compromise the zone protection.
Configuring Parameters
After the zone policies have been constructed and the thresholds tuned, you can manually configure the parameters. Table 6-3 describes the parameters that can be configured.
Table 6-3 Zone Policy Parameters
State: The state of the policy section. By default, all the Guard policies are active. Possible values are:
• Active—The policy relates to the traffic and issues an action once the threshold is violated.
• Inactive—The policy relates to the traffic and obtains the threshold but takes no action when a threshold is violated.
• Disabled—The policy does not relate to the traffic flow and so no threshold is obtained. As a result, the policies have to undergo a new threshold-tuning learning phase to ensure that correct thresholds are applied for the policies.

Operation mode: The interactive status that the pending dynamic filters created by the policy assume. See the "Interactive Recommendations Mode" section for further details. You can only view and configure the interactive status for protected zones in interactive mode.

Action: The actions a policy can take as a result of a threshold violation. Possible values are:
• notify—The policy notifies the user of the threshold violation.
• block-unauthenticated—The policy adds a filter that blocks traffic that was not authenticated by the anti-spoofing mechanism.
• to-user-filters—The policy adds a filter directing the traffic to the user filters.
• filter/strong—The policy adds a filter directing the traffic to the Strong protection module mechanisms.
• filter/drop—The policy adds a filter directing the traffic to the Drop protection module to be dropped.
• redirect/zombie—The policy adds a filter that enhances authentication for all User filters with an action of redirect.

Threshold: The threshold traffic rate for a specific policy. Once violated, the policy takes an action to protect the zone. The threshold is measured in packets per second (pps) except for the following policies:
• tcp_connections—measured in number of connections
• tcp_ratio—measured as a ratio

Timeout: The minimum time for the policy to apply its action. Once the timeout expires, the Guard runs a procedure to determine whether or not to deactivate a dynamic filter that was produced by the policy.
To configure parameters, perform these steps:
Step 1
Check the boxes for the required policy templates in the list and click Config Selection.
OR
Select a Key and click Config.
Step 2
Select a state from the drop-down list in the form displayed and click OK.
Unnecessary deactivation or disabling can prevent the Guard policies from assuming their protective role and can compromise the zone protection. When a policy is disabled, other policies regard its targeted traffic as belonging to them. All policies have to undergo a new learning threshold-tuning phase before the policies are applied in protect mode. Running the policy-construction phase after disabling a policy can result in policy reconfiguration according to traffic flow. This could result in the policy being reactivated.
Configuring a Specific IP Threshold
In cases of known high-volume traffic from an IP source, you can configure a threshold to apply to the specific IP source address.
In cases of a non-homogenous zone (that is, a zone that has more than a single IP defined) where there is known high-volume traffic only to part of the zone, you can configure a threshold to apply to the specific IP destination address.
You can only configure specific IP thresholds for certain policies:
• Policies keyed by source IP address or source subnet (src_ip, src_net) with the action filter/drop.
• Policies keyed by destination IP address (dst_ip) with the actions to-user-filters, filter/strong, notify or filter/drop.
To configure a specific IP threshold perform these steps:
Step 1
In the Policy details page, click Add.
Step 2
Enter the IP address and the threshold in the form displayed and click OK.
To delete a specific IP threshold, check the box next to the IP address and click Delete.
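The way the parameters of Table 6-3 interact with a traffic measurement, and the restrictions on specific IP thresholds from the section above, modelled in code as an added example written for this page. It is not the Guard's implementation: the data layout, the SYN-to-FIN reading of the tcp_ratio unit, the order of the checks and the sample measurements are assumptions. What it shows is the part the tables only state: a disabled policy measures nothing, an inactive policy reports a violation without acting, an active one acts for at least its timeout, a specific-IP threshold overrides the policy threshold for that address only, and the specific-IP threshold list is refused for key/action combinations the page does not allow.

```python
"""Model of one Policy Table row reacting to a measurement (illustrative, not Cisco's code)."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Tuple

# Actions as named in Table 6-3.
ACTIONS = {"notify", "block-unauthenticated", "to-user-filters",
           "filter/strong", "filter/drop", "redirect/zombie"}

# Keys and actions for which a specific-IP threshold may be configured
# ("Configuring a Specific IP Threshold").
IP_THRESHOLD_RULES = {
    "src_ip":  {"filter/drop"},
    "src_net": {"filter/drop"},
    "dst_ip":  {"to-user-filters", "filter/strong", "notify", "filter/drop"},
}

@dataclass
class Policy:
    template: str
    service: str
    key: str                       # dst_ip, src_ip, src_net, global, ...
    ptype: str                     # syns, tcp_connections, tcp_ratio, pkts, ...
    state: str = "active"          # active | inactive | disabled
    action: str = "notify"
    threshold: float = 0.0         # pps, connections or a ratio, see measured_value
    timeout: int = 60              # minimum seconds the action stays in force
    ip_thresholds: Dict[str, float] = field(default_factory=dict)  # the threshold list

    def __post_init__(self):
        if self.action not in ACTIONS:
            raise ValueError(f"unknown action {self.action}")

@dataclass
class Measurement:
    ip: Optional[str]              # the aggregated address for dst_ip/src_ip keys, None for global
    packets: int
    seconds: float
    connections: int = 0
    syns: int = 0
    fins: int = 0

def measured_value(policy: Policy, m: Measurement) -> float:
    """Units follow Table 6-3: connections for tcp_connections, a ratio for
    tcp_ratio (read here as SYN count over FIN count, an assumption), else pps."""
    if policy.ptype == "tcp_connections":
        return float(m.connections)
    if policy.ptype == "tcp_ratio":
        return m.syns / m.fins if m.fins else float("inf")
    return m.packets / m.seconds

def effective_threshold(policy: Policy, ip: Optional[str]) -> float:
    """A specific-IP threshold overrides the policy-wide threshold for that address only."""
    return policy.ip_thresholds.get(ip, policy.threshold)

def add_ip_threshold(policy: Policy, ip: str, value: float) -> None:
    """Refuse the key/action combinations the page says are not configurable."""
    if policy.action not in IP_THRESHOLD_RULES.get(policy.key, set()):
        raise ValueError(f"no specific-IP threshold for key={policy.key} action={policy.action}")
    policy.ip_thresholds[ip] = value

def apply_multiplier(policies: Iterable[Policy], factor: float) -> None:
    """The Threshold multiplier of Table 6-2 applied to a selection of policies
    (assumed to scale only the policy-wide threshold, not the threshold list)."""
    for p in policies:
        p.threshold *= factor

def evaluate(policy: Policy, m: Measurement, now: int) -> Tuple[bool, Optional[str], Optional[int]]:
    """Returns (violated, action taken, earliest time the action is reconsidered)."""
    if policy.state == "disabled":
        return (False, None, None)            # disabled: the flow is not measured at all
    violated = measured_value(policy, m) > effective_threshold(policy, m.ip)
    if not violated or policy.state == "inactive":
        return (violated, None, None)         # inactive: measured and reported, never acted on
    return (True, policy.action, now + policy.timeout)

if __name__ == "__main__":
    # Constructed scenario: a known heavy client on a SYN policy keyed by destination IP.
    syn_policy = Policy("http", "80", "dst_ip", "syns", action="filter/drop", threshold=500, timeout=120)
    burst = Measurement("203.0.113.10", packets=9000, seconds=10)      # 900 pps
    print(evaluate(syn_policy, burst, now=1000))                        # (True, 'filter/drop', 1120)
    add_ip_threshold(syn_policy, "203.0.113.10", 2000)                  # raise the bar for this address
    print(evaluate(syn_policy, burst, now=1000))                        # (False, None, None)
```

Note that raising a specific-IP threshold only silences the policy for that address; the same 900 pps from any other source still triggers filter/drop, which is the behaviour the section above is designed for (known high-volume traffic to part of a zone, or from one source, without loosening the whole policy).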
Snapshot
Snapshot is used to verify the outcome of the learning process together with Compare Policies.
You can save a snapshot of the learning parameters (services, thresholds and other policy-related data) at any stage during the learning phase and review it later. The snapshot saves the learning-phase parameters together with the zone configuration parameters under a new zone name, creating a new zone with the configuration and policy parameters (such as number of services, thresholds, action and timeout) that the zone had at the time the snapshot was taken.
Note
The Guard continues the learning phases while the snapshot is taken.
To create a snapshot of the zone's learning parameters, perform these steps:
Step 1
Select the relevant zone.
Step 2
Select Learning > Snapshot from the zone's main menu.
Note
The Snapshot command is only available when the zone is in a learning phase.
Step 3
Enter a name for the snapshot and click OK.
The Snapshot creates a new zone. After you have verified the snapshot parameters, or compared two snapshots, you can delete the snapshot. Alternatively, you can decide to keep the snapshot and delete the original zone.
See the "Comparing Policies" section to compare the policy parameters of two snapshots.
See the "Accepting Policy Parameters Selectively" section to selectively accept the snapshot parameters.
Comparing Policies
You can compare the snapshot learning parameters to the zone learning parameters. The comparison traces differences in policies, services, and thresholds. You can define the sensitivity of the comparison.
When differences are found, you can change the base zone's policy according to the policy parameters in the compared zone. This is a powerful tool that enables you to accept learned policy parameters selectively. See the "Accepting Policy Parameters Selectively" section for further details.
To compare between two learning parameter files perform these steps:
Step 1
From the zone's main menu, select Configuration > Compare policies.
OR
From the Guard's main menu, select Zones > Compare Zone policies.
Step 2
Enter values for the parameters in the Policies Comparison query and click OK. Table 6-4 describes the parameters.
Table 6-4 Policies Comparison Parameters
Base Zone: The name of the base zone whose learning parameters are being compared. The base zone's policies can be changed according to the parameters in the compared zone.

Compared Zone: The name of the zone or snapshot that the learning parameters of the base zone are compared to.

Minimal difference: The Guard reports any parameter that differs by more than the percentage defined.
Figure 6-3 shows an example of the policy comparison tables.
Figure 6-3 Policy Comparison Tables
The comparison is divided into two sections:
1. Difference in services—The services in this section are displayed in two tables:
– Services present only in the base zone policies.
– Services missing from the base zone. These services are only defined in the compared zone.
2. Difference in policy parameters—Differences in the operational parameters of the policies (state, action, threshold, proxy-threshold) are displayed. Each section in the table shows the differences found in a single policy. The first row in each section shows the parameters of the base zone. The second row of each section shows the parameters of the compared zone.
Accepting Policy Parameters Selectively
When you find differences when comparing policies, you can change the base zone's policy according to the parameters in the compared zone policy. This is a powerful tool that enables you to accept learned policy parameters selectively.
Figure 6-3 shows an example of the policy comparison tables. See the "Comparing Policies" section for further details.
To remove services from the base zone policies, check the boxes next to the services to be removed in Services only in zone-name and click Delete to remove the selected services.
To add services to the base zone policies, check the boxes next to the services to be added under Services missing from zone-name and click Add to add the services to the base zone policies.
To copy the operational parameters from the compared zone to the base zone, check the boxes next to the relevant policies and click Copy Parameters.
The parameters from the compared zone (the second row) are copied to the base zone.
To select all table entries, check the box in the table header.
The snapshot function creates a new zone. After comparing two zones (or snapshots) and modifying the base zone policies, you can delete the compared zone.
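The comparison of the "Comparing Policies" section and the Delete, Add and Copy Parameters actions of this section, modelled in code as an added example written for this page. It is not the Guard's implementation: how the Guard applies the Minimal difference percentage is not spelled out, so the rule used here (relative difference against the base value for threshold and proxy threshold, state and action reported on any change) is an assumption, as are the row identifier, the constructed base policies and the constructed snapshot. The example serves both sections: it produces the two service tables and the two-row parameter differences, then applies a selective accept to a copy of the base zone.

```python
"""Model of Compare Policies and selective accept (illustrative, not Cisco's code)."""
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple

# A Policy Table row is identified here by (template, service, level, type, key);
# its operational parameters are what the comparison reports.
PolicyId = Tuple[str, str, str, str, str]

@dataclass
class Params:
    state: str
    action: str
    threshold: float
    proxy_threshold: float

def percent_diff(base_value: float, compared_value: float) -> float:
    """Relative difference of the compared value against the base value, in percent."""
    if base_value == compared_value:
        return 0.0
    if base_value == 0:
        return float("inf")
    return abs(compared_value - base_value) / abs(base_value) * 100.0

def services(policies: Dict[PolicyId, Params]) -> set:
    """Services are (template, service) pairs; a service owns several policy rows."""
    return {pid[:2] for pid in policies}

def compare(base, compared, minimal_difference: float):
    """Returns (services only in base, services missing from base, parameter differences).
    Each difference entry holds the base row first and the compared row second,
    like the two rows of a section in the comparison table."""
    only_in_base = sorted(services(base) - services(compared))
    missing_from_base = sorted(services(compared) - services(base))
    diffs: Dict[PolicyId, Tuple[Params, Params, List[str]]] = {}
    for pid in sorted(set(base) & set(compared)):
        b, c = base[pid], compared[pid]
        changed = [name for name in ("state", "action") if getattr(b, name) != getattr(c, name)]
        changed += [name for name in ("threshold", "proxy_threshold")
                    if percent_diff(getattr(b, name), getattr(c, name)) > minimal_difference]
        if changed:
            diffs[pid] = (b, c, changed)
    return only_in_base, missing_from_base, diffs

def accept_selectively(base, compared, delete_services=(), add_services=(), copy_params=()):
    """Delete removes every row of a service from the base zone, Add copies every row
    of a service from the compared zone, Copy Parameters overwrites the operational
    parameters of the selected rows. Returns a new policy set; base is left untouched."""
    result = dict(base)
    for pid in list(result):
        if pid[:2] in set(delete_services):
            del result[pid]
    for pid, params in compared.items():
        if pid[:2] in set(add_services):
            result[pid] = replace(params)
    for pid in copy_params:
        result[pid] = replace(compared[pid])
    return result

# Constructed example: the zone's current policies and a snapshot taken after tuning.
BASE = {
    ("http", "80", "basic", "syns", "dst_ip"):         Params("active", "filter/drop", 500, 1500),
    ("http", "80", "basic", "pkts", "global"):         Params("active", "notify", 20000, 0),
    ("tcp_services", "22", "basic", "syns", "dst_ip"): Params("active", "filter/drop", 50, 0),
    ("udp_services", "53", "basic", "pkts", "dst_ip"): Params("active", "filter/strong", 800, 0),
}
SNAPSHOT = {
    ("http", "80", "basic", "syns", "dst_ip"):         Params("active", "filter/drop", 520, 1500),  # +4%, under 10%
    ("http", "80", "basic", "pkts", "global"):         Params("inactive", "notify", 30000, 0),      # state and +50%
    ("tcp_services", "22", "basic", "syns", "dst_ip"): Params("active", "filter/drop", 50, 0),
    ("tcp_services", "25", "basic", "syns", "dst_ip"): Params("active", "filter/drop", 40, 0),      # new service
}

if __name__ == "__main__":
    only_base, missing, diffs = compare(BASE, SNAPSHOT, minimal_difference=10)
    print("Services only in base zone:", only_base)
    print("Services missing from base zone:", missing)
    for pid, (b, c, changed) in diffs.items():
        print(pid, "base:", b, "compared:", c, "differs in:", changed)
    merged = accept_selectively(BASE, SNAPSHOT, delete_services=only_base, add_services=missing,
                                copy_params=list(diffs))
    print(len(merged), "policies after selective accept")
```

With a Minimal difference of 10 percent the 4 percent SYN threshold drift is not reported, so a Copy Parameters of only the reported rows leaves it at the base value; a wholesale Learning > Accept would have taken every tuned value. That is the practical difference between the two ways of ending a learning phase.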