Cisco Guard Web-Based Manager Configuration Guide (Software Version 5.0)
Introduction

Table Of Contents

Introduction

Client Requirements

Minimum Requirements

Installing Java 2 Runtime Environment

Guard Requirements for WBM Operation

What is a DDoS Attack

Cisco Guard

WBM Interface

WBM Browser Window

Zone Status Icons

WBM Navigation Maps


Introduction


This chapter provides an overview of the WBM interface and includes the following sections:

Client Requirements

Guard Requirements for WBM Operation

What is a DDoS Attack

Cisco Guard

WBM Interface

Client Requirements

This section describes the minimum requirements for the WBM client and includes the following information and procedure:

Minimum Requirements

Installing Java 2 Runtime Environment

Minimum Requirements

The minimum client requirements to access and use the WBM on the Guard are:

MS Internet Explorer 5.0 (or higher)—Must support HTML, tables, cookies, JavaScript, and frames

Sun Microsystems Java 2 Runtime Environment (JRE) Standard Edition version 1.4.2_04—JRE is required to view the real time counters only (see the "Installing Java 2 Runtime Environment" section)

Monitor resolution—Recommend 1024 x 768 pixels minimum

Installing Java 2 Runtime Environment

You must install Java 2 Runtime Environment (JRE) to view the real time counters. To download and install JRE from the Sun Microsystems web site, perform the following steps:


Step 1 Open the following URL in your Web browser: www.sun.com. The Sun Microsystems home page appears.

Step 2 Navigate to the downloads page by selecting Downloads > Java 2 Standard Edition. Select the version number to open the version download site.

Step 3 Download J2SE JRE.

Scroll down to the J2SE v <version number> JRE category and select Download J2SE JRE.


Note Do NOT select J2SE SDK.


Step 4 Run the file you just downloaded and follow the online installation instructions provided by Sun Microsystems.

Step 5 Verify that JRE supports your browser. Perform the following actions:

1. Open the Windows Control Panel on your machine by choosing Start > Settings > Control Panel. The Control Panel appears.

2. Locate and double-click Java Plug-in. The Java(TM) Plug-in Control Panel appears.

3. Click the Advanced tab. Open the <APPLET> tag support section and check the check box next to your browser.


Note If you have a previous version of JRE installed, the supported browsers are located in a different tab. Click the Browser tab and under Settings, select the check box next to your browser.


4. Click Apply to save your settings.

5. Restart the browser.


Guard Requirements for WBM Operation

Before using the WBM, ensure that the Guard is properly installed as described in the Cisco Guard Configuration Guide. You must perform the initial configuration process using the CLI. Verify that the following items are configured on the Guard for proper operation of the WBM:

Networking configuration—Configure the Guard network interfaces. You cannot connect to the Guard until you configure the Guard interfaces for operation in your networking environment.

Traffic diversion—Diverts zone traffic to the Guard when zone protection is activated. Traffic diversion also defines how the Guard injects legitimate traffic back into the network.

Enable WBM service and permit access—Enables and defines access from a WBM workstation to the Guard. The CLI procedures to configure this operation are also included in this guide (see the "Configuring Network Access to the WBM" section in "Enabling and Launching the WBM").

What is a DDoS Attack

Distributed Denial of Service (DDoS) attacks are attacks in which computer hackers cause thousands of compromised computers (zombies) to run automated scripts that cripple network resources with spurious requests for service. For example, DDoS attacks can be a flood of bogus home page requests to a Web server that shut out legitimate consumers, or efforts that compromise the availability and accuracy of Domain Name System (DNS) servers. Although often launched by an individual, the zombies actually executing the attack code may number in the hundreds of thousands, and are distributed over multiple autonomous systems, administered by multiple organizations.

DDoS attacks continuously evolve as sophisticated hackers create damaging new exploits. In addition, their attack scripts are made widely available on the Internet and are routinely executed by individuals with minimal technical knowledge of networking. Thus, DDoS defense technology must be flexible and adaptive. It must be capable of detecting an upcoming DDoS attack, differentiate between malicious and legitimate traffic, and perform those tasks without hindering the legitimate traffic flow of the attacked network element.

Cisco Guard

The Cisco Guard is a high performance network device deployed in a distributed upstream configuration at the ISP/MSP/backbone level, protecting the entire network. When you enable zone protection on the Guard, the Guard diverts the zone traffic to itself and begins analyzing the traffic for anomalies. The Guard blocks all DDoS attack components and forwards only legitimate traffic to the intended zone. The Guard allows zone traffic to flow transparently through it while it constantly analyzes and filters the traffic, remaining attuned to zone traffic characteristics and evolving attack patterns.

To accomplish these tasks, the Guard employs the following features:

A traffic diversion mechanism that redirects (diverts) the zone traffic to the Guard learning and protection systems and then forwards the legitimate traffic flow on to the zone. The Guard performs traffic diversion without obstructing normal network traffic flow.

An algorithm-based learning system that learns the zone traffic, modifies the zone running configuration to the particular traffic characteristics, and supports the protection system with references and protection instructions in the form of zone traffic threshold rates and policies. In addition, the Guard can provide on-demand protection to address situations in which an attack on the zone occurs before the Guard can complete its learning process and tune the zone policies to the patterns of the zone traffic.

A protection system that distinguishes between legitimate and suspicious traffic and filters the malicious traffic. The Guard only forwards legitimate traffic to the zone.

Integrating these features enables the Guard to assume its protective role when there is a DDoS attack and remain unobtrusively in the background under normal conditions.
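The learn-then-protect cycle described above (policy construction, threshold tuning, then filtering live traffic against the tuned thresholds) reduced to a small Python model. This is an added illustration, not Cisco Guard code: the service names, the per-second rates, the mean-plus-three-sigma tuning rule and the fallback threshold used for services that were never learned (an analogue of on-demand protection) are all assumptions constructed for the example.

```python
"""Toy learn-then-protect threshold model (added example, not Cisco code)."""
from statistics import mean, pstdev

# Constructed learning samples: (service, packets per second) observed while
# the zone was in its learning phase. The values are made up for illustration.
LEARNING_SAMPLES = [
    ("http/80", 120), ("http/80", 135), ("http/80", 128), ("http/80", 140),
    ("dns/53", 30), ("dns/53", 28), ("dns/53", 35), ("dns/53", 31),
]


def construct_policies(samples):
    """Policy construction phase: group the observed rates by service,
    so that each service the zone actually uses gets its own policy."""
    policies = {}
    for service, rate in samples:
        policies.setdefault(service, []).append(rate)
    return policies


def tune_thresholds(policies, k=3.0, floor=10.0):
    """Threshold tuning phase: derive a rate threshold per policy as
    mean + k * sigma of the learned rates, never lower than `floor`.
    (The k-sigma rule is an assumption for this example.)"""
    thresholds = {}
    for service, rates in policies.items():
        mu = mean(rates)
        sigma = pstdev(rates)
        thresholds[service] = max(floor, mu + k * sigma)
    return thresholds


def protect(window, thresholds, default_threshold=50.0):
    """Protect mode: compare one window of live per-service rates with the
    tuned thresholds. A service never seen during learning is judged against
    a conservative default threshold, the way on-demand protection has to act
    before a zone's own policies exist (the default value is an assumption).
    Returns {service: (verdict, rate, threshold)} with verdict 'forward'
    for legitimate-looking traffic or 'suspicious' for traffic over threshold."""
    verdicts = {}
    for service, rate in window.items():
        limit = thresholds.get(service, default_threshold)
        verdict = "suspicious" if rate > limit else "forward"
        verdicts[service] = (verdict, rate, limit)
    return verdicts


if __name__ == "__main__":
    tuned = tune_thresholds(construct_policies(LEARNING_SAMPLES))
    # Constructed live window: HTTP far above its learned rate, DNS normal,
    # and NTP, which the zone never used during learning.
    live = {"http/80": 900, "dns/53": 33, "ntp/123": 400}
    for service, (verdict, rate, limit) in protect(live, tuned).items():
        print(f"{service:10s} rate={rate:5.0f} threshold={limit:7.2f} -> {verdict}")
```

Running the block shows the HTTP window and the unlearned NTP service flagged as suspicious while DNS, inside its learned envelope, is forwarded; lowering `k` tightens the thresholds and trades false positives for faster detection, which is the tuning trade-off the learning phase exists to settle.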

WBM Interface

The WBM is a browser-based GUI that provides access to various Guard configuration and management functions. Providing a subset of the CLI functionality, the WBM allows you to create and modify zone configurations, manage zone protection, and monitor Guard and zone operations. Configuration parameters relating to procedures such as the initial Guard setup procedures and network-level setup of the Guard are only accessible through the CLI. Refer to the Cisco Guard Configuration Guide for details on using the CLI.

WBM Browser Window

Figure 1-1 provides a sample screen shot of the WBM window. Table 1-1 describes each of the sections called out in the figure.

Figure 1-1 Sample WBM Screen Shot

Table 1-1 WBM Window Overview (section number, then function)

1. Main Menu Bar—Displays the main menu for the link that is selected in the navigation pane. The WBM displays one of two menu bars in this section:

Guard summary menu—Provides access to the following Guard statistical and configuration options:

Guard status and diagnostic tools

List of defined zones

User profile manager

To view the Guard summary menu, click Guard Summary in the navigation pane (3).

Zone main menu—Provides access to detailed zone information and configuration options.

To view the zone-specific menu, click on the desired zone listed in the navigation area (3).

2. Navigation Path—Displays the path to the location of the screen displayed in the work area (5). To navigate to a specific section of the path, click the desired section of the path.

3. Navigation Area—Displays the list of links to the Guard summary screen and the zone status screens. Click a link from the list to display the relevant status information in the work area (5). The selected navigation area link is highlighted with a white frame.

To resize the navigation area, drag the frame bar between the navigation and the display areas.

4. Information Area—Provides the following links and information:

Home—Returns you to the Guard summary screen.

Logout—Closes your WBM session. The System Login screen appears.

About—Displays WBM software information, including software version number, system serial number, and software licensing agreement.

Current user—Lists the name of the current user and their assigned user privilege level.

5. Work Area—Displays the information that you select. From the work area, you define the various zone configuration parameters, enable learning and protection, and display statistical information. To resize the work area, drag the frame bar between the navigation and work areas.


Zone Status Icons

The WBM uses icons to represent the current zone status. The status icons appear in the navigation area and in the zone status bar. Table 1-2 describes the different zone status icons.

Table 1-2 Zone Status Icons (one icon per status)

Zone is inactive (not learning zone traffic or protecting the zone).

Zone is active and in a phase of the learning process, either the policy construction phase or the threshold tuning phase.

Zone is active and in the zone protect mode or the zone protect and learn mode.

Zone is active, operating in the interactive protect mode, and there are new zone protection recommendations available.


WBM Navigation Maps

The tables in this section map the various links available from the two WBM menu bars:

Guard Summary menu—Provides access to general Guard statistical and configuration tools. To view the Guard Summary menu, click Guard Summary in the navigation area or Home in the Information area. Table 1-2 provides a map of the various Guard Summary menu levels.

Table 1-2 Guard Summary Menu (Level 1 > Level 2 > Level 3)

Guard Summary

    Main: Summary, Protect IP

    Diagnostics: Counters, Event log, Real time counters

    Zones: Zone list, Create zone, Template list, Compare zone policies

    Users: User list, Create user, Change password


Zone menu—Provides access to zone-specific statistical and configuration tools. To view the Zone menu, click on the desired zone listed in the navigation area. Table 1-3 provides a map of the various Zone menu levels.

Table 1-3 Zone Menu (Level 1 > Level 2 > Level 3)

Zone

    Main: Summary, Create zone, Save as . . .

    Diagnostics: Counters, Event log, Attack reports, HTTP Zombies, Policy statistics, Drop Statistics, Real time counters, Start Packet-Dump, Stop Packet-Dump, Packet-Dump List

    Protection: Detect, Deactivate, Dynamic Filters, Recommendations

    Learning: Construct Policies, Tune Threshold, Deactivate, Stop Learning, Accept, Snapshot, Snapshot List

    Configuration: General, User Filters, Bypass Filters, Flex-Content Filters, Policy Templates, Add Service, Remove Service, Policy, Compare Policies, Learning Parameters