Cisco Guard Web-Based Manager Configuration Guide (Software Version 5.0)
Creating and Configuring Zones

This chapter describes how to create and manage Guard zones.

This chapter includes the following sections:

Zone Overview

Zone Protection Activation Methods and Coverage Options

Creating a Zone from a Zone Template

Creating a Zone from an Existing Zone

Modifying a Zone Configuration

Adding an IP Address to a Zone Configuration

Deleting an IP Address from a Zone Configuration

Deleting a Zone

Zone Overview

A zone is a network element that the Guard protects against DDoS attacks. You can create a zone that represents one or all of the following network objects:

A network server, client, or router

A network link or subnet, or an entire network

An individual Internet user or a company

An Internet Service Provider (ISP)

The Guard can protect multiple zones simultaneously, provided their network address ranges do not overlap. You define a new zone by creating a zone configuration that includes the following attributes:

Zone description—Defines the zone name and description.

Zone network definition—Defines the zone network attributes, which include the zone network IP address and subnet mask.

Policy templates—Define the types of policies the Guard creates when you perform the learning process. Each zone template contains a set of policy templates.

Policies—Analyzes zone traffic and executes an action when the zone receives a traffic anomaly. Each zone configuration has its own set of policies, whether they are the default policies that came with the zone template or the zone-specific policies created during the learning process. Each policy executes an action when the zone traffic exceeds the policy threshold, indicating an attack. Policy actions can range from sending a notification to applying the Guard anti-spoofing or anti-zombie features to the traffic or dropping malicious traffic.

Zone Filters—Direct the zone traffic to the required protection level and define the way the Guard handles specific traffic flows. You can use zone filters to count a specific traffic flow, or to bypass the Guard anomaly detection features. You can modify the default filter configurations to produce customized zone filter configurations that determine which anomaly detection features the Guard applies to the traffic flow.

You can create a zone using one of the following methods:

Use a pre-defined zone template—You create a zone based on the configuration of one of the Guard zone templates. Each zone template has a set of pre-configured policies that define the network services and policy thresholds. These policies are used for on-demand protection. A zone template also contains a set of policy templates that the Guard uses during the learning process when analyzing the zone traffic and creating policies for each service it detects. Each new policy the Guard creates during the learning process is constructed using the rules of the corresponding policy template.

Use an existing zone as a template—You create a new zone based on an existing zone configuration, which includes the policies and policy threshold values of the existing zone. If the traffic characteristics of the new zone are identical to those of the existing zone, you do not have to perform the learning process on the new zone. If the traffic characteristics of the two zones differ, you will need to perform the learning process on the new zone so that the Guard can analyze the zone traffic and make the necessary policy modifications to the new zone configuration.

Zone Protection Activation Methods and Coverage Options

When you define a zone configuration, you have the option to define the trigger, or activation method, the Guard uses to automatically activate zone protection. You can also define the extent of the area the Guard protects. For example, the Guard can protect the entire zone or just a specific area within the zone.

This section includes the following information:

Protection Activation Methods

Extent of Zone Protection

Understanding Sub-zones

Protection Activation Methods

The Guard can activate zone protection based on a zone name or information it extracts from the traffic you divert to it.

The following protection activation methods are available:

Zone name—The Guard activates zone protection based on the zone name. An external indication to activate protection must include the zone name. This is the default method the Guard uses for activating zone protection.

IP address—The Guard activates zone protection when it receives an external indication that consists of an IP address or subnet that is part of the zone. The Guard scans the zone database and activates the zone whose address range includes the received IP address or subnet. If you have configured several zones with an address range that includes the received IP address, the Guard activates the zone with the longest prefix match, that is, the zone with the most specific address range that includes the received IP address. The received IP address or subnet must be completely included in the zone IP address range.

Packet—The Guard activates zone protection when it receives packets for a zone in its database. When the Guard receives the packets, it scans the zone database and activates the zone which has an address range that includes the received packet IP address. If you have configured several zones with an address range that includes the received packet IP address, the Guard activates the zone with the longest prefix match. That is, the zone with the most specific address range that includes the received packet IP address. The received IP address or subnet must be completely included in the zone IP address range.

IP Address or Packet—The Guard activates zone protection when it receives traffic (packet) that is destined to the zone or when it receives an external indication that consists of an IP address or subnet that is part of the zone address range. See the previous bullets, Packet and IP address, for more information.

Extent of Zone Protection

The activation extent defines whether to activate protect mode for the entire zone or for a partial zone once the Guard receives an external indication. This indication can be a command from an external device, such as the Cisco Traffic Anomaly Detector, or traffic that is destined to the zone (packet).

The Guard supports the following activation extents:

Entire zone—Activate protection for the entire zone. The Guard activates protection when it receives traffic that is destined to the zone or when it receives an external indication that consists of an IP address or subnet that is part of the zone.

IP Address only—Activate protection for only a specified IP address or subnet within a zone. When the Guard receives traffic that is destined to the zone or when it receives an external indication that consists of an IP address or subnet that is part of the zone, it creates a new zone referred to as a sub-zone (see the "Understanding Sub-zones" section below). This is the default setting for the activation extent parameter.

Understanding Sub-zones

The Guard creates a sub-zone when it activates protect mode for a partial zone (a zone that does not include the complete IP address range of the source zone). The IP address range of the sub-zone is included in the address range of the source zone.

The sub-zone configuration is identical to the configuration of the source zone apart from the IP address and name. The name of the sub-zone consists of the first 30 characters of the name of the source zone, the IP address, and the subnet, concatenated with underscores. If the sub-zone consists of a single IP address, the subnet is not added. For example, if the name of the source zone is scannet with an address range of 10.10.10.0 and a subnet of 255.255.255.0, and the Guard activates protect mode for an internal range of IP address 10.10.10.192 and subnet 255.255.255.252, the name of the sub-zone is scannet_10.10.10.192_255.255.255.252.

The IP address and subnet of the sub-zone are the ones that the Guard received with the external indication, or the IP address of the packet that triggered the Guard to activate protect mode.

Once protect mode for the sub-zone ends, the Guard erases the sub-zone. Protect mode for a sub-zone is terminated in the same manner as protect mode for an ordinary zone, according to the activation method and the protection termination timeout.
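The following is an added worked example, not code from the Cisco Guard product or from this guide. It models the two behaviours described above in the "Protection Activation Methods" and "Understanding Sub-zones" sections: resolving an external indication (an IP address or subnet) or a packet destination address to the most specific zone whose range completely contains it, and deriving the sub-zone name when the activation extent is IP address only. The zone database, the zone names and ranges, and the function names (select_zone, sub_zone_name, activate) are constructed for illustration and are not Guard identifiers.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Zone:
    name: str
    network: ipaddress.IPv4Network


def make_zone(name: str, network: str) -> Zone:
    """Build a Zone from a name and a range written as 'addr/prefix' or 'addr/mask'."""
    return Zone(name, ipaddress.IPv4Network(network))


# Constructed sample zone database: names and ranges are illustrative only.
# The /16 and /24 ranges overlap deliberately so that the longest-prefix rule matters.
ZONES = [
    make_zone("corp_net", "10.10.0.0/16"),
    make_zone("scannet", "10.10.10.0/255.255.255.0"),
    make_zone("web_farm", "192.0.2.0/24"),
]


def select_zone(zones: Iterable[Zone], received: str) -> Optional[Zone]:
    """Return the most specific zone whose range completely contains the
    received IP address or subnet, or None if no zone contains it entirely.

    `received` may be a single address ("10.10.10.7"), "addr/prefixlen" or
    "addr/netmask"; strict=False allows host bits to be set in the address."""
    target = ipaddress.IPv4Network(received, strict=False)
    best: Optional[Zone] = None
    for zone in zones:
        # The received range must lie entirely inside the zone range;
        # a range that only partially overlaps a zone does not select it.
        if target.subnet_of(zone.network):
            if best is None or zone.network.prefixlen > best.network.prefixlen:
                best = zone
    return best


def sub_zone_name(source: Zone, received: str) -> str:
    """Name of the sub-zone created for a partial-zone activation: the first
    30 characters of the source zone name, the address and the mask, joined
    with underscores; the mask is omitted when the range is a single address."""
    target = ipaddress.IPv4Network(received, strict=False)
    parts = [source.name[:30], str(target.network_address)]
    if target.prefixlen != 32:
        parts.append(str(target.netmask))
    return "_".join(parts)


def activate(zones: Iterable[Zone], received: str, extent: str = "ip_only") -> Optional[str]:
    """Resolve an activation request to the name of the zone that enters protect
    mode. extent is 'entire' (the whole source zone) or 'ip_only' (the guide's
    default: a sub-zone covering just the received address or subnet)."""
    zone = select_zone(zones, received)
    if zone is None:
        return None  # no zone fully contains the received range
    if extent == "entire":
        return zone.name
    return sub_zone_name(zone, received)


if __name__ == "__main__":
    for req in ("10.10.10.192/255.255.255.252", "10.10.10.7", "10.10.20.5",
                "10.10.10.0/23", "203.0.113.9"):
        print(f"{req:32} -> {activate(ZONES, req)}")
```

Running the block reproduces the guide's own example (scannet_10.10.10.192_255.255.255.252) and also shows the two edge cases the text calls out: 10.10.10.0/23 overlaps scannet but is not completely included in it, so the less specific corp_net is selected, and an address outside every zone selects nothing.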

Creating a Zone from a Zone Template

To create a new zone using a zone template:


Step 1 Use one of the following methods to display the Create Zone screen:

Click Guard Summary from the navigation pane to display the Guard summary menu, then choose one of the following menu options:

Zones > Create Zone

Zones > Zone list and then click Add from the Zone list screen

Click any zone from the navigation pane to display the zone main menu, then choose Main > Create Zone from the zone main menu.

Step 2 Configure the parameters of the zone configuration as described in Table 4-1.

Table 4-1 Zone Configuration Form Fields 

Field
Description

Name

Name of the new zone. Starting with a letter, enter an alphanumeric string from 1 to 63 characters in length. The string can contain underscores, but cannot contain any spaces.

Description

Text describing the zone. Enter an alphanumeric string from 1 to 80 characters in length.

Operation mode

Zone operation mode the Guard operates in during an attack. From the Operation mode drop-down list, choose:

Automatic—The Guard automatically activates all Dynamic filters as it creates them during an attack.

Interactive—You decide whether to accept or ignore the Dynamic filters the Guard produces during an attack and presents to you as Guard recommendations.

Refer to the "Changing Zone Operation Modes" section in "Activating Zone Protection" for details on zone operation modes.

Zone Template

Zone template that defines the policies used in the zone configuration. From the Template drop-down list, choose:

GUARD_DEFAULT—The default zone template. The Guard may change the packet source IP address to the Guard TCP-proxy IP address. You can use this zone template if you do not use IP-based Access Lists (ACLs), access policies, or load balancing policies that are based on incoming IP address for the zone network.

GUARD_TCP_NO_PROXY—Zone template designed for a zone without a TCP proxy. You can use this template if the zone is moderated according to IP addresses, such as an Internet Relay Chat (IRC) server-type zone.

Bandwidth Limited Link Templates—Zone templates designed primarily for applications involving a large network of small customers, where you want to detect attacks on the link rather than on a specific server or service. To use a link template for this purpose, you must be able to segment your customers (or zones) by known bandwidth. When creating a new zone using a link template, we recommend that you define the zone with a protect-ip state of only-dest-ip (see Protect-IP state in this table). The following Bandwidth Limited Link zone templates are available, for 1 M, 4 M, 128 K, and 512 K links respectively:

GUARD_LINK_1M

GUARD_LINK_4M

GUARD_LINK_128K

GUARD_LINK_512K

The policies that come with a link template are configured for use in applications requiring on-demand protection. You cannot perform the policy construction phase of the learning process when using a link template. You can, however, perform the threshold tuning phase (see the "Learning Process Overview" section in "Learning Zone Traffic").

We recommend that you activate protect mode on the Cisco Traffic Anomaly Detector for these zones based on the attacked subnet or range by setting the activation-extent parameter in Step 4 to IP address only.

Max. Rate

Amount of traffic the Guard is allowed to inject back into the network. Set the bandwidth value to the highest bandwidth measured entering the zone. If the highest bandwidth value is not known, leave the Max. Rate and Burst fields blank and choose unlimited units (unlimit) from the drop-down list.

Enter an integer for the maximum rate, then choose one of the following units of measurement from the drop-down list:

unlimit—Use this default setting if you do not wish to limit the rate of the traffic the Guard injects back into the network. When you choose unlimit, do not enter a maximum rate value.

mbps—Megabits per second.

kbps—Kilobits per second.

bps—Bits per second.

kpp—Kilopackets per second.

pps—Packets per second.

Burst

Maximum traffic burst size the Guard is permitted to inject back into the zone before exceeding the maximum rate (see Max. Rate above). Enter an integer for the burst size. The Guard uses the maximum rate (Max. Rate) unit of measurement for the burst parameter.

Malicious-rate detection threshold

Minimum rate of dropped zone packets. If the rate goes lower than this threshold, the Guard may end protect mode for the zone. The Guard drops zone packets that its protection mechanisms (Dynamic filters, Flex-Content filters and Rate Limiter) have identified as part of an attack. It counts the dropped packets using the zone Dropped counter. The default Malicious-rate detection threshold is 10 packets per second (pps).

Protection-end Timer

Time at which the Guard can terminate protect mode. The Guard verifies whether an attack has ended by checking the Dynamic filters it creates. The Guard deactivates protect mode if no Dynamic filters are in use and no new Dynamic filters have been created over a predefined period of time. Enter a value in seconds, or specify an infinite period.

Filter-rate termination threshold

Threshold value that, together with the malicious-rate termination threshold, specifies when the Guard can deactivate Dynamic filters. Define this threshold in packets per second (pps).

Malicious-rate termination threshold

Threshold value that, together with the Filter-rate termination threshold, specifies when the Guard can deactivate Dynamic filters. Define this threshold in packets per second (pps).

IP address

Zone IP address.

Mask

Zone address mask. Select the address mask from the Mask drop-down list.
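The following is an added example, not Guard code and not part of this guide. It illustrates how the Malicious-rate detection threshold and the Protection-end Timer described in Table 4-1 act together on the end of protect mode, by evaluating them against a constructed per-second record of the zone Dropped counter rate and Dynamic filter activity. The rule that combines the two parameters (a zone is "quiet" only when the dropped-packet rate is below the threshold and no Dynamic filter is in use or newly created, and protect mode may end after the timer's worth of consecutive quiet seconds) is this example's own simplification of the table text, and the Sample format and function names are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Sample:
    """One per-second observation of a zone in protect mode (constructed format)."""
    t: int                # seconds since protect mode was activated
    dropped_pps: int      # rate of the zone Dropped counter (packets/s)
    active_filters: int   # Dynamic filters currently in use
    new_filters: int      # Dynamic filters created during this second


def protect_mode_end_time(samples: Iterable[Sample],
                          malicious_rate_pps: int = 10,
                          protection_end_timer_s: int = 60) -> Optional[int]:
    """Return the first sample time at which protect mode may end, or None.

    Model (an assumption of this example): a second is "quiet" when the
    dropped-packet rate is below the malicious-rate detection threshold and
    no Dynamic filter is in use or newly created. Protect mode may end once
    the zone has been quiet for protection_end_timer_s consecutive seconds;
    any non-quiet second restarts the timer."""
    quiet_since: Optional[int] = None
    for s in sorted(samples, key=lambda s: s.t):
        quiet = (s.dropped_pps < malicious_rate_pps
                 and s.active_filters == 0
                 and s.new_filters == 0)
        if not quiet:
            quiet_since = None  # attack activity observed: restart the timer
            continue
        if quiet_since is None:
            quiet_since = s.t
        if s.t - quiet_since >= protection_end_timer_s:
            return s.t
    return None


def build_sample_timeline() -> List[Sample]:
    """Constructed 120-second timeline: 30 s of heavy drops with two Dynamic
    filters active, 15 s of tail with one filter still active, then quiet."""
    timeline = []
    for t in range(120):
        if t < 30:
            timeline.append(Sample(t, 5000, 2, 1 if t == 0 else 0))
        elif t < 45:
            timeline.append(Sample(t, 40, 1, 0))
        else:
            timeline.append(Sample(t, 3, 0, 0))
    return timeline


def timeline_with_late_filter() -> List[Sample]:
    """Same timeline, but a new Dynamic filter is created at t=80, which
    restarts the protection-end timer before it can expire."""
    return [Sample(s.t, s.dropped_pps, s.active_filters, 1) if s.t == 80 else s
            for s in build_sample_timeline()]


if __name__ == "__main__":
    print("clean tail: protect mode may end at t =",
          protect_mode_end_time(build_sample_timeline()))
    print("late filter, within 120 s:",
          protect_mode_end_time(timeline_with_late_filter()))
```

With the defaults (10 pps and 60 s) the clean timeline lets protect mode end at t=105, sixty seconds after the last Dynamic filter was released; a single new filter at t=80 pushes that past the end of the record, which is the behaviour to expect when an attack resumes during the tail.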


Step 3 Choose one of the following options:

OK—Saves the new zone configuration. The zone general view screen appears, displaying the zone configuration information.

To configure the Activation and Packet-Dump parameters shown in the general view screen, click Config to open the Config screen, then proceed to the following steps:

Step 4 to configure Activation parameters

Step 5 to configure Packet Dump parameters

Clear—Reverts the form information back to the default values and clears any information you added.

Cancel—Exits the Create Zone screen without saving any information. The Zone List screen appears.

Step 4 Configure the parameters of the Activation area as described in Table 4-2.

Table 4-2 Activation Parameters

Field
Description

Activation interface

Protection activation method that defines how the Guard identifies the zone for which it activates zone protection when it receives an external indication. By default, the Guard activates zone protection based on the zone name. To activate zone protection without using the zone name, select one or both of the following alternative activation methods:

By packet—The Guard activates zone protection based on the destination IP address of the received packets. The Guard scans the zone database and activates the zone that has an address range that includes the received packet destination IP address.

By IP address—The Guard activates zone protection based on the received IP address. The Guard scans the zone database and activates the zone that has an address range that includes the received IP address or subnet.

You must manually divert traffic to the Guard when the zone is attacked if you select protection activation by packet or IP address. For more information on the Activation interface options, refer to the "Protection Activation Methods" section.

Activation extent

Defines whether the Guard activates zone protection for the entire zone or for a part of the zone when the Guard receives an external indication.

Choose one of the following options:

IP address only—Activate protection only for the specified IP address or subnet within the zone. This is the default activation extent setting.

Entire zone—Activate protection for the entire zone.

For more information on the Activation extent options, refer to the "Extent of Zone Protection" section.


Step 5 Configure the parameters of the Packet Dump area as described in Table 4-3.

Table 4-3 Packet Dump Parameters

Field
Description

Auto Packet Dump

Click the check box next to one of the following options:

On—Enable auto packet dump

Off—Disable auto packet dump (default setting)

Max. disk space

Enter the maximum amount of disk space (in MB) the Guard is to use for auto packet dumps.



Creating a Zone from an Existing Zone

To create a new zone using an existing zone as a template:


Step 1 Select a zone to be used as a zone template from the navigation pane. The zone main menu appears.

Step 2 Choose Main > Save as from the zone main menu. The Zone Save as screen appears.

Step 3 Define the new zone name. In the Name text field, enter the zone name as an alphanumeric string 1 to 63 characters in length. The string must start with a letter and can contain underscores, but no spaces.

Step 4 Choose one of the following options:

OK—Saves the new zone configuration. The zone general view screen appears.

Clear—Reverts the form information back to the default values and clears any information you added.

Cancel—Exits the Zone Save as screen without saving any information. The zone general view screen appears.


Modifying a Zone Configuration

To modify the parameters of a zone configuration:


Step 1 Select a zone from the navigation pane. The zone main menu appears.

Step 2 Select Configuration > General from the zone main menu. The zone general view appears.

Step 3 Click Config (located below the first table). The Config Zone screen appears.

Step 4 Modify the desired zone parameters (see Table 4-1 for parameter descriptions).

Step 5 Choose one of the following options:

OK—Saves the new zone configuration. The zone general view screen appears.

Clear—Reverts the form information back to the default values and clears any information you added.

Cancel—Exits the Config Zone screen without saving any information. The zone general view screen appears.


Adding an IP Address to a Zone Configuration

To add an IP address to the zone configuration:


Step 1 Select a zone from the navigation pane. The zone main menu appears.

Step 2 Choose Configuration > General from the zone main menu. The zone general view appears.

Step 3 Click Add (located below the second table). The Add Zone IP screen appears.

Step 4 Enter the following address information:

IP Address—Zone IP address

IP Mask—Zone IP address mask

Step 5 Choose one of the following options:

OK—Saves the new zone configuration. The zone general view screen appears.

Cancel—Exits the Add Zone IP screen without saving any information. The zone general view screen appears.


If you modify the zone IP address or subnet, perform one of the following tasks:

If the new IP address or subnet includes a new service that was not previously defined in the zone network, activate the policy construction phase before activating zone detection, or add the service manually. See the following sections for more information:

"Stopping the Policy Construction Phase" section in "Learning Zone Traffic"

"Adding a Service" section in "Managing Zone Policies"

If the zone is in the detect and learning operation state, mark the zone policies as untuned. Do not change the status of the zone policies to untuned if there is an attack on the zone, because that prevents the Guard from detecting the attack and causes the Guard to learn thresholds from malicious traffic. See the "Marking the Zone Policies as Tuned or Untuned" section in "Learning Zone Traffic" for more information.

If the zone is not in the detect and learning operation state and you do not plan to activate the detect and learning operation state, activate the threshold tuning phase before activating zone detection. See the "Starting the Threshold Tuning Phase" section in "Learning Zone Traffic" for more information.

Deleting an IP Address from a Zone Configuration

To delete an IP address from the zone configuration:


Step 1 Select a zone from the navigation pane. The zone main menu appears.

Step 2 Choose Configuration > General from the zone main menu. The zone general view appears.

Step 3 Check the check box next to each IP address to be deleted. To delete all the IP addresses listed, check the check box in the header, next to the IP column.

Step 4 Click Delete (located below the second table). The IP address is removed from the zone configuration and the zone general view.


Deleting a Zone

To delete one or more zones:


Step 1 Click Guard Summary from the navigation pane. The Guard summary menu appears.

Step 2 Choose Zones > Zone list from the Guard main menu. The Zone list screen appears.

Step 3 Check the check box next to each zone to be deleted, then click Delete. To delete all the zones listed, check the check box next to Zone, then click Delete. The delete validation screen appears.

Step 4 Choose one of the following options:

OK—The zone is deleted and the Zone list is displayed.

Cancel—The delete zone request is ignored and the Zone list displays.