Table Of Contents
Configuring Zone Filters
Zone Filter Overview
Managing User Filters
Adding a User Filter
Deleting a User Filter
Managing Bypass Filters
Adding a Bypass Filter
Deleting a Bypass Filter
Managing Flex-Content Filters
Understanding the Flex-Content Expression Syntax
Understanding the Flex-Content Filter Pattern Syntax
Adding a Flex-Content Filter
Deleting a Flex-Content Filter
Configuring Zone Filters
This chapter describes how to perform advanced zone filter configuration tasks. Using the WBM, you can design custom filter configurations for processing zone traffic.
This chapter includes the following sections:
• Zone Filter Overview
• Managing User Filters
• Managing Bypass Filters
• Managing Flex-Content Filters
Zone Filter Overview
The Guard uses zone filters to manage traffic flow when protecting the zone or learning zone traffic. Zone filters enable the Guard to perform the following functions:
• Analyze zone traffic for anomalies
• Apply the basic or strong level of protection to separate legitimate traffic from malicious traffic
• Drop malicious packets
• Forward traffic directly to the zone, bypassing the Guard zone protection features
You can configure a set of zone filters that provide the Guard with zone-specific rules for traffic management and DDoS attack protection. When you modify a zone filter configuration, the change is saved to the zone configuration and takes effect immediately. The Guard uses the following traffic filter types:
• User Filters—The Guard is pre-configured with a set of static User filters that apply a specific protection level to the traffic flow. User filters are designed to handle a wide range of attack types.
The Guard uses both User and Dynamic filters (described below) to manage zone protection during an attack. When an attack on the zone occurs, the Guard begins producing Dynamic filters that it configures with action settings that manage the protection process during the attack. Until the Guard has had enough time to analyze the attack, it configures the Dynamic filters with an action that directs the traffic flow to the User filters. The User filters apply their actions to the traffic, providing the first line of defense against the attack. Once the Guard has analyzed the attack, it begins producing Dynamic filters with actions of their own to apply directly to the traffic flow. When the Guard attempts to apply both a User filter and a Dynamic filter to the traffic flow, it selects the filter with the more stringent action.
• Dynamic Filters—The Guard creates Dynamic filters as the result of analyzing the traffic flow during an attack. Like User filters, Dynamic filters apply a specific protection level to the traffic flow. The Guard continuously adapts the Dynamic filters to the zone traffic and the type of the DDoS attack. Dynamic filters have a limited life span, and the Guard deletes them when the attack has terminated. You can add or delete a Dynamic filter.
• Bypass Filters—User-defined Bypass filters prevent the Guard from processing specific traffic flows and forward the traffic directly to the zone. For example, you can allow a trusted traffic flow to bypass the Guard protection features, including the anti-spoofing and anti-zombie features.
• Flex-Content Filters—User-defined Flex-Content filters enable the Guard to count or drop the packets of a specific traffic flow and can be used to identify sources of malicious traffic. This Berkeley Packet Filter provides flexible filtering capabilities, such as filtering according to fields in the IP and TCP headers and filtering according to content bytes. You can configure the Flex-Content filter for a specific traffic flow. You can configure only one Flex-Content filter per zone. Because Flex-Content filters are resource-consuming, use them cautiously, as they may affect performance.
For a detailed explanation of the Berkeley Packet Filter configuration options, see: http://www.freesoft.org/CIE/Topics/56.htm.
Managing User Filters
The following procedures describe how to add or delete a Guard User Filter. The Guard activates User filters in the order in which they appear in the User filter list (see Figure 5-1). When adding a new User filter, it is important that you know where to place the new filter within the list.
Figure 5-1 User Filters
This section contains the following procedures:
• Adding a User Filter
• Deleting a User Filter
Adding a User Filter
To add a new User filter:
Step 1  Select a zone from the navigation pane. The zone main menu appears.
Step 2  Choose Configuration > User filters from the zone main menu. The list of zone User filters appears (see Figure 5-1).
Step 3  Click Add. The Add Filter Step 1 screen appears with the list of User filters.
Step 4  From the Insert column, click the row below where you want the User filter to appear. The Insert Here text appears, indicating that the new User filter will be inserted above the selected row.
Step 5  Click Next. The Add Filter Step 2 screen appears with the User Filter Form.
Step 6  Configure the parameters of the new User filter. Table 5-1 describes the filter parameters listed in the User Filter Form.
Table 5-1 User Filter Parameters
Parameter | Description
Source IP | Directs traffic from a specific IP address to the User filter. Enter the source IP address. To specify any source IP address, leave this field blank or enter an asterisk (*).
Source subnet | Directs traffic from a specific subnet to the User filter. Choose the subnet from the Source subnet drop-down list.
Protocol | Directs traffic from a specific protocol to the User filter. Enter the protocol number. To specify any protocol, leave this field blank or enter an asterisk (*).
Dst Port | Directs traffic destined to a specific port to the User filter. Enter the destination port number. To specify any destination port, leave this field blank or enter an asterisk (*).
Fragments | Specifies the traffic type to be processed by the filter. From the Fragments drop-down list, choose:
  • without—User filter processes non-fragmented traffic.
  • with—User filter processes fragmented traffic.
  • *—User filter processes fragmented and non-fragmented traffic.
Rate | Specifies the rate limitation. The User filter limits the traffic to the rate specified. Enter the rate limit value in the Rate field, then choose the unit of measurement from the Rate drop-down list. Choose unlimit as the unit of measurement if you do not want the User filter to limit the traffic rate.
Burst | Specifies the traffic burst limit. The User filter uses the same unit of measurement for burst that you chose for Rate (see Rate in this table).
Action | Specifies the action the User filter executes on the traffic type. From the Action drop-down list, choose:
  • permit—Use this action to prevent statistical analysis of the flow and to prevent the anti-spoofing or anti-zombie protection mechanisms from handling this flow. We recommend that you set a rate and burst limit on this filter because the flow is not handled by any other protection mechanism.
  • basic/redirect—Use this action to authenticate applications over HTTP.
  • basic/reset—Use this action to authenticate applications over TCP. We recommend that you use an action of basic/redirect for HTTP traffic flows.
  • basic/safe-reset—Use this action to authenticate TCP application traffic flows that are not tolerant of TCP connection reset. We recommend that you use an action of basic/redirect for HTTP traffic flows.
  • basic/default—Use this action to authenticate non-TCP traffic flows.
  • basic/dns-proxy—Use this action to authenticate TCP DNS traffic flows.
  • strong—Use this action when strong authentication for a traffic flow is required or when the previous filters do not seem suitable for the application. Authentication is performed for every connection. For incoming TCP connections the Guard serves as a proxy, so we recommend that you do not use this action for such connections if the network is moderated according to IP addresses (for example, by access control lists (ACLs)).
  • drop—Use this action to drop traffic flows.
Step 7  Choose one of the following options:
• OK—Saves the new User filter configuration. The User filters screen appears.
• Cancel—Exits the User Filters Form without saving any information. The User filters screen appears.
Deleting a User Filter
Caution: Use caution when deleting a User filter, because doing so may affect the ability of the Guard to protect the zone.
To delete a User filter:
Step 1  Select a zone from the navigation pane. The zone main menu appears.
Step 2  Choose Configuration > User filters from the zone main menu. The list of zone User filters appears.
Step 3  Click the check box next to the User filter to delete.
Step 4  Click Delete. The User filter is removed from the list of User filters.
Managing Bypass Filters
The following procedures describe how to add or delete a Guard Bypass filter. When you display the list of Bypass filters in the following procedures, the counter denotes the current Bypass filter traffic rate measured in packets per second (pps) that was filtered by the Bypass filter.
This section contains the following procedures:
• Adding a Bypass Filter
• Deleting a Bypass Filter
Adding a Bypass Filter
To add a Bypass filter:
Step 1  Select a zone from the navigation pane. The zone main menu appears.
Step 2  Choose Configuration > Bypass filters from the zone main menu. The Bypass filters screen appears.
Step 3  Click Add. The Add bypass filter screen appears.
Step 4  Configure the parameters of the new Bypass filter. Table 5-2 describes the filter parameters listed in the Bypass Filter Form.
Table 5-2 Bypass Filter Parameters
Parameter | Description
Source IP | The Guard forwards traffic from the IP address you specify directly to the zone, bypassing the Guard protection features. To specify any source IP address, leave this field blank or enter an asterisk (*).
Source subnet | The Guard forwards traffic from the subnet you specify directly to the zone, bypassing the Guard protection features. Choose the subnet from the Source subnet drop-down list.
Protocol | The Guard forwards traffic using the protocol you specify directly to the zone, bypassing the Guard protection features. Enter the protocol number. To specify any protocol, leave this field blank or enter an asterisk (*).
Dst Port | The Guard forwards traffic targeting the zone destination port you specify directly to the zone, bypassing the Guard protection features. Enter the destination port number. To specify any destination port, leave this field blank or enter an asterisk (*).
Fragments | Specifies the traffic type to be handled by the filter. From the Fragments drop-down list, choose:
  • without—Bypass filter processes non-fragmented traffic.
  • with—Bypass filter processes fragmented traffic.
  • *—Bypass filter processes both fragmented and non-fragmented traffic.
Step 5  Choose one of the following options:
• OK—Saves the new Bypass filter configuration. The Bypass filters screen appears.
• Cancel—Exits the Bypass Filters Form without saving any information. The Bypass filters screen appears.
Deleting a Bypass Filter
To delete a Bypass filter:
Step 1  Select a zone from the navigation pane. The zone main menu appears.
Step 2  Choose Configuration > Bypass filters from the zone main menu. The Bypass filters screen appears.
Step 3  Click the check box next to each Bypass filter to be deleted, then click Delete. The Bypass filter is deleted from the list of filters. To delete all the Bypass filters listed, click the check box next to Src IP, then click Delete.
Managing Flex-Content Filters
The Flex-Content filters enable you to filter the zone traffic based on fields in the packet header or patterns in the packet payload. You can identify attacks that are based on patterns that appear in the incoming traffic. Such patterns can identify known worms or flood attacks that have a constant pattern. However, the Flex-Content filter is resource consuming. We recommend that you use the Flex-Content filters cautiously, because they might affect performance. If you are using a Flex-Content filter to protect against a specific attack that can be identified by a Dynamic filter, such as TCP traffic to a specified port, we recommend that you filter the traffic using a Dynamic filter instead.
The Flex-Content filter is a combination of a Berkeley Packet Filter and a pattern filter with very selective filtering capabilities. Use the Flex-Content filters to drop or count a desired packet flow and to identify a specific malicious source of traffic.
The Flex-Content filter applies the filtering criteria in the following order:
1. Filters packets based on the protocol and the destination port.
2. Applies the tcpdump expression.
3. Performs pattern matching with the pattern on the remaining packets.
This section contains the following information and procedures:
• Understanding the Flex-Content Expression Syntax
• Understanding the Flex-Content Filter Pattern Syntax
• Adding a Flex-Content Filter
• Deleting a Flex-Content Filter
Understanding the Flex-Content Expression Syntax
The Flex-Content expression specifies the expression to be matched against the packet. You define the expression using the Berkeley Packet Filter format.
Note: You can use the tcpdump expression to filter traffic based on the destination port and protocol. However, for performance reasons we recommend that you filter traffic based on these criteria using the Flex-Content filter Protocol and Dst Port parameters instead.
Table 5-3 describes the Flex-Content filter expression parameters.
Table 5-3 Flex-Content Filter Expression Parameters
Parameter | Description
Destination host IP address | Traffic to a destination host IP address
Source host IP address | Traffic from a source host IP address
Host IP address | Traffic to and from a host IP address (matches both source and destination)
Net mask | Traffic to a specific network
Net net/len | Traffic to a specific subnet
Destination port number | TCP or UDP traffic to a destination port number
Source port number | TCP or UDP traffic from a source port number
Port number | TCP or UDP traffic to and from a port number (matches both source and destination)
Less packet length | Packets with a length equal to or less than the specified length in bytes
Greater packet length | Packets with a length equal to or greater than the specified length in bytes
IP protocol | Packets with the protocol number of one of the following protocols: ICMP, UDP, and TCP
IP broadcast | Broadcast IP packets
IP multicast | Multicast IP packets
Ether protocol | Ethernet packets of a specific protocol number or name, such as IP, ARP, or RARP
Relop expression | Traffic that complies with the specified expression. See Table 5-4 for further details.
Table 5-4 describes the Flex-Content filter expression rules.
Table 5-4 Flex-Content Filter Expression Rules
Expression Rule | Description
relop | >, <, >=, <=, =, !=
expression | An arithmetic expression composed of integer constants (expressed in standard C syntax), the normal binary operators [+, -, *, /, &, |], a length operator, and special packet data accesses. To access data inside the packet, use the following syntax: protocol[expression:size]
protocol | Specifies the protocol layer for the index operation. The possible values are ether, ip, tcp, udp, or icmp. The byte offset, relative to the indicated protocol layer, is given by expression. The size parameter is optional and indicates the number of bytes in the field of interest; it can be one, two, or four. The default is one. The length operator gives the length of the packet.
You can combine primitives using the following methods:
• A parenthesized group of primitives and operators (parentheses are special to the shell and must be escaped)
• Negation—Use ! or not
• Concatenation—Use && or and
• Alternation—Use || or or
Negation has the highest precedence. Alternation and concatenation have equal precedence and associate left to right. Explicit and tokens, not juxtaposition, are required for concatenation. If you specify an identifier without a keyword, the most recent keyword is used.
For a detailed explanation of the Berkeley Packet Filter configuration options, see: http://www.freesoft.org/CIE/Topics/56.htm.
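The following is an added example, not Guard code, that makes the index syntax in Table 5-4 concrete. It implements the protocol[expression:size] access in Python over a raw IPv4 packet, applies the fragment-zero check implicitly to every tcp, udp or icmp index (the rule the page gives for tcp[0]), and writes the example filters this section lists (unfragmented or fragment-zero datagrams, TCP RST, ICMP other than echo request/reply, TCP to port 80 not from port 1000) as predicates you can run against sample packets. Assumptions: packets start at the IP header (no ether layer), the sample headers are constructed here rather than captured, and the RST test uses tcp[13] & 4, the RST bit of the TCP flags byte, which the page describes in words but does not spell out.

```python
"""Packet-data accesses for Flex-Content (BPF-style) expressions.

Added example, not Cisco Guard code. Implements proto[offset:size] for the
ip, tcp, udp and icmp layers on a raw IPv4 packet (no Ethernet header) and
expresses the section's example filters as predicates.
"""
import struct

PROTO = {"icmp": 1, "tcp": 6, "udp": 17}  # IP protocol numbers


def field(pkt: bytes, proto: str, offset: int, size: int = 1) -> int:
    """proto[offset:size]: unsigned big-endian value of `size` bytes at
    `offset`, counted from the start of the named protocol layer."""
    if size not in (1, 2, 4):
        raise ValueError("size must be 1, 2 or 4")
    if proto == "ip":
        base = 0
    elif proto in PROTO:
        # tcp[0] must always mean the first byte of the TCP header, never a
        # byte of a later fragment, so reject non-first fragments here.
        if not first_fragment(pkt):
            raise ValueError(f"{proto}[] access on a non-first fragment")
        base = (pkt[0] & 0x0F) * 4  # IHL gives the IPv4 header length in bytes
    else:
        raise ValueError(f"unsupported protocol layer {proto!r}")
    chunk = pkt[base + offset:base + offset + size]
    if len(chunk) != size:
        raise ValueError("access runs past the end of the packet")
    return int.from_bytes(chunk, "big")


def first_fragment(pkt: bytes) -> bool:
    """ip[6:2] & 0x1fff = 0: unfragmented datagram or fragment zero."""
    return field(pkt, "ip", 6, 2) & 0x1FFF == 0


def is_proto(pkt: bytes, name: str) -> bool:
    """The bare tcp / udp / icmp primitive: ip[9] equals the protocol number."""
    return field(pkt, "ip", 9) == PROTO[name]


def tcp_rst(pkt: bytes) -> bool:
    """tcp[13] & 4 != 0: RST is bit 0x04 of the TCP flags byte (assumption noted above)."""
    return is_proto(pkt, "tcp") and first_fragment(pkt) and field(pkt, "tcp", 13) & 0x04 != 0


def icmp_not_ping(pkt: bytes) -> bool:
    """icmp[0] != 8 and icmp[0] != 0: ICMP that is not echo request/reply."""
    return is_proto(pkt, "icmp") and first_fragment(pkt) and field(pkt, "icmp", 0) not in (8, 0)


def tcp_dst80_not_src1000(pkt: bytes) -> bool:
    """tcp and dst port 80 and not src port 1000."""
    return (is_proto(pkt, "tcp") and first_fragment(pkt)
            and field(pkt, "tcp", 2, 2) == 80 and field(pkt, "tcp", 0, 2) != 1000)


# --- constructed sample packets for a stand-alone run (not captured traffic) ---

def ipv4(proto: int, payload: bytes, frag_off: int = 0) -> bytes:
    """20-byte IPv4 header without options; checksum left as 0."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      frag_off & 0x1FFF, 64, proto, 0,
                      bytes([10, 0, 0, 1]), bytes([192, 0, 2, 10]))
    return hdr + payload


def tcp_hdr(sport: int, dport: int, flags: int) -> bytes:
    """20-byte TCP header: ports, seq, ack, data offset 5, flags, window, csum, urg."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


def icmp_hdr(icmp_type: int, code: int = 0) -> bytes:
    """8-byte ICMP header: type, code, checksum, identifier, sequence."""
    return struct.pack("!BBHHH", icmp_type, code, 0, 0, 0)


if __name__ == "__main__":
    samples = {
        "tcp rst to 80": ipv4(6, tcp_hdr(4444, 80, 0x04)),
        "tcp syn 1000->80": ipv4(6, tcp_hdr(1000, 80, 0x02)),
        "icmp dest unreachable": ipv4(1, icmp_hdr(3, 3)),
        "icmp echo request": ipv4(1, icmp_hdr(8)),
        "tcp second fragment": ipv4(6, b"\x00" * 20, frag_off=185),
    }
    for name, pkt in samples.items():
        print(f"{name:24} rst={tcp_rst(pkt)} icmp_not_ping={icmp_not_ping(pkt)} "
              f"web_not_1000={tcp_dst80_not_src1000(pkt)}")
```

Because the transport-layer predicates test first_fragment() before indexing, a later fragment of a TCP datagram never matches the RST or port filters, which is the behaviour the page describes for tcp[0] and the reason the Guard counts only fragment zero when it evaluates such expressions.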
The following example shows how to count only unfragmented datagrams and fragment zero of fragmented datagrams. This check is implicitly applied to the TCP and UDP index operations. For instance, tcp[0] always means the first byte of the TCP header, and never means the first byte of an intervening fragment:
The following example shows how to drop all TCP RST packets:
The following example shows how to count all ICMP packets that are not echo requests or echo replies (ping):
"icmp[0] != 8 and icmp[0] != 0"
The following example shows how to count all TCP packets destined to port 80 that did not originate from port 1000:
"tcp and dst port 80 and not src port 1000"
Understanding the Flex-Content Filter Pattern Syntax
The pattern, a regular expression, describes a string of characters. The pattern describes a set of strings without actually listing its elements. It is made up of normal characters and special characters. Normal characters include all printable ASCII characters that are not considered as special characters. Special characters indicate what kind of matching to do. The Flex-Content filter matches this pattern with the content of the packet (the packet payload). For example, the three strings version 3.1, version 4.0, and version 5.2 are described by the following pattern: version .*\..*
Special characters are characters that have a special meaning and specify what kind of matching the Guard will perform on the expression. Table 5-5 describes the special characters you can use.
Table 5-5 Flex-Content Pattern Field Descriptions
Special character | Description
.* | Matches a string that may be present and can contain zero or more characters. For example, the pattern goo.*s matches goos, goods, good for ddos, and so on.
\ | Removes the special meaning of a special character. To use the special characters in this list as single-character patterns, precede each character with a backslash (\). For example, the sequence \\ matches a single backslash and the sequence \. matches a period. You must also precede an asterisk (*) with a backslash.
\xHH | Matches a byte by its hexadecimal value, where each H is a hexadecimal digit (not case-sensitive). Hexadecimal values must be exactly two digits long. For example, \x41 matches A.
The following example shows how to drop packets with a specific pattern in the packet payload. The pattern in the example was extracted from the Slammer worm. The protocol, port, and tcpdump expression are non-specific.
\x89\xE5Qh\.dllhel32hkernQhounthickChGetTf\xB9llQh32\.dhws2_f\xB9etQhsockf\xB9toQhsend\xBE\x18\x10\xAEB
Adding a Flex-Content Filter
To add a Flex-Content filter:
Step 1  Select a zone from the navigation pane. The zone main menu appears.
Step 2  Choose Configuration > Flex-Content filters from the zone main menu. The Flex-Content filters screen appears and displays the list of existing Flex-Content filters.
Step 3  Click Add. The Add filter - step 2 screen appears.
Step 4  Configure the Flex-Content filter parameters. Table 5-6 describes the filter parameters listed in the Flex-Content Filter Form.
Table 5-6 Flex-Content Filter Parameters
Parameter | Description
Description | Text describing the Flex-Content filter.
Protocol | Processes traffic using a specific protocol. Enter a protocol number from 0 to 255. To specify any protocol type, enter an asterisk (*). Refer to the Internet Assigned Numbers Authority (IANA) Web site for a list of valid protocol numbers: http://www.iana.org/assignments/protocol-numbers
Dst Port | Processes traffic flowing to a specific destination port. Enter a destination port number from 0 to 65535. To specify any destination port, enter an asterisk (*). Refer to the Internet Assigned Numbers Authority (IANA) Web site for a list of valid port numbers: http://www.iana.org/assignments/port-numbers
Expression | Filters traffic according to the specified expression (see the "Understanding the Flex-Content Expression Syntax" section). Enter a string with up to 180 space-separated tokens.
Pattern | Specifies the regular expression data pattern to match against the packet content (see the "Understanding the Flex-Content Filter Pattern Syntax" section). Enter the data pattern to use.
Match Case | Specifies whether or not the data pattern expression is case-sensitive. Click the check box to define the data pattern expression as case-sensitive.
Start Offset | Specifies the offset (in bytes) from the beginning of the packet content where the pattern matching begins. The default is 0, the start of the payload. The start offset applies to the pattern field. Enter an integer from 0 to 2047.
End Offset | Specifies the offset (in bytes) from the beginning of the packet content where the pattern matching ends. The default is the packet length, the end of the payload. The end offset applies to the pattern field. Enter an integer from 0 to 2047.
Action | Specifies the action the Flex-Content filter performs on the traffic. Choose an action from the Action drop-down list:
  • count—Count the traffic flow packets that match the filter.
  • drop—Drop the traffic flow packets that match the filter.
State | Operating state of the Flex-Content filter. Choose an operating state from the State drop-down list:
  • enable—The Guard applies the filter to the traffic flow and executes the configured action when a match is found.
  • disable—The Guard does not apply the filter to the traffic flow.
Step 5  Choose one of the following options:
• OK—Saves the new Flex-Content filter. The Flex-Content filters screen appears.
• Clear—Reverts the form information back to the default values and clears any information you added.
• Cancel—Exits the Flex-Content filter screen without saving any information. The Flex-Content filters screen appears.
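The following added example (not Guard code) puts the pattern syntax from the "Understanding the Flex-Content Filter Pattern Syntax" section together with the Table 5-6 parameters. It translates a Flex-Content pattern into a Python regular expression, applies Match Case, Start Offset and End Offset, and runs the three stages in the order the chapter gives (protocol and destination port, expression, pattern) with the count and drop actions and the enable/disable state. Assumptions: a lone period is a normal character because Table 5-5 lists only .* as special; a bare asterisk is rejected because the table requires it to be escaped; the tcpdump expression stage is represented by a Python callable rather than a BPF compiler; and the packets are constructed sample records, not captures.

```python
"""Flex-Content pattern matching and the three filter stages.

Added example, not Cisco Guard code. Pattern dialect per Table 5-5: '.*' is
zero or more characters, '\\' escapes the next character, '\\xHH' is one byte
by hex value, everything else is literal (a bare '*' is an error).
"""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

_HEX = set("0123456789abcdefABCDEF")


def pattern_to_regex(pattern: str) -> bytes:
    """Translate a Flex-Content pattern into a bytes regex for the re module."""
    out: List[bytes] = []
    i = 0
    while i < len(pattern):
        if pattern.startswith(".*", i):          # the one wildcard construct
            out.append(b".*")
            i += 2
        elif pattern[i] == "*":                   # must be written as \* (Table 5-5)
            raise ValueError(f"bare '*' at offset {i}; write '\\*' for a literal asterisk")
        elif pattern[i] == "\\":
            if pattern.startswith("\\x", i):      # \xHH: exactly two hex digits
                hh = pattern[i + 2:i + 4]
                if len(hh) != 2 or not set(hh) <= _HEX:
                    raise ValueError(f"\\xHH needs exactly two hex digits at offset {i}")
                out.append(re.escape(bytes([int(hh, 16)])))
                i += 4
            elif i + 1 < len(pattern):            # \\, \., \* and friends: literal
                out.append(re.escape(pattern[i + 1].encode("latin-1")))
                i += 2
            else:
                raise ValueError("trailing backslash")
        else:                                     # normal character (assumption: '.' alone is normal)
            out.append(re.escape(pattern[i].encode("latin-1")))
            i += 1
    return b"".join(out)


@dataclass
class Packet:
    protocol: int   # IP protocol number
    dst_port: int
    payload: bytes  # packet content the pattern is matched against


@dataclass
class FlexContentFilter:
    protocol: Optional[int] = None         # None stands for '*'
    dst_port: Optional[int] = None         # None stands for '*'
    expression: Callable[[Packet], bool] = lambda p: True  # tcpdump-expression stand-in (assumption)
    pattern: str = ""
    match_case: bool = True
    start_offset: int = 0
    end_offset: Optional[int] = None       # None = packet length
    action: str = "count"                  # 'count' or 'drop'
    enabled: bool = True

    def __post_init__(self) -> None:
        for name in ("start_offset", "end_offset"):   # Table 5-6: 0 to 2047
            value = getattr(self, name)
            if value is not None and not 0 <= value <= 2047:
                raise ValueError(f"{name} must be between 0 and 2047")
        flags = re.DOTALL | (0 if self.match_case else re.IGNORECASE)
        self._regex = re.compile(pattern_to_regex(self.pattern), flags)

    def matches(self, pkt: Packet) -> bool:
        """Stage 1 protocol/port, stage 2 expression, stage 3 pattern over the offset window."""
        if self.protocol is not None and pkt.protocol != self.protocol:
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        if not self.expression(pkt):
            return False
        end = len(pkt.payload) if self.end_offset is None else self.end_offset
        return self._regex.search(pkt.payload[self.start_offset:end]) is not None


def apply_filter(flt: FlexContentFilter, packets: List[Packet]) -> Tuple[int, List[Packet]]:
    """Return (number of matching packets, packets still forwarded to the zone)."""
    matched = 0
    forwarded: List[Packet] = []
    for pkt in packets:
        if flt.enabled and flt.matches(pkt):
            matched += 1
            if flt.action == "drop":
                continue
        forwarded.append(pkt)
    return matched, forwarded


if __name__ == "__main__":
    # Constructed sample traffic: two TCP/80 records and one UDP/53 record.
    traffic = [Packet(6, 80, b"version 3.1"), Packet(6, 80, b"hello"), Packet(17, 53, b"version 3.1")]
    flt = FlexContentFilter(protocol=6, dst_port=80, pattern="version .*\\..*", action="drop")
    matched, forwarded = apply_filter(flt, traffic)
    print(f"matched={matched} forwarded={len(forwarded)}")
```

The UDP record carries the same payload as the first TCP record but never reaches the pattern stage, because the protocol and port pre-filter rejects it first; that ordering is what the chapter recommends relying on instead of the more expensive tcpdump expression for protocol and port criteria.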
Deleting a Flex-Content Filter
To delete a Flex-Content filter:
Step 1  Select a zone from the navigation pane. The zone main menu appears.
Step 2  Choose Configuration > Flex-Content filters from the zone main menu. The Flex-Content filters screen appears and displays the list of existing Flex-Content filters.
Step 3  Click the check box next to each Flex-Content filter to be deleted, then click Delete. The Flex-Content filter is deleted from the list of filters. To delete all the Flex-Content filters listed, click the check box next to Src IP, then click Delete.