Cisco Guard Configuration Guide (Software Version 5.1)
Protecting Zones

This chapter describes how to configure and activate the Cisco Guard (Guard) to protect a zone. These procedures are required to enable zone protection.

This chapter contains the following sections:

Overview

Activating On-Demand Protection

Configuring How the Guard Performs Zone Protection

Configuring the Protection Activation Method

Configuring the Sensitivity for Activating Zone Protection

Configuring the Protection Activation Extent

Understanding Subzones

Configuring the Protection Inactivity Timeout

Activating Zone Protection

Deactivating Zone Protection

Overview

Before activating zone protection, we recommend that you let the Guard study the zone traffic patterns or synchronize the zone configuration, including the zone policies, from a Cisco Traffic Anomaly Detector (Detector). The learning process allows the Guard to learn the traffic patterns of each zone and to create sets of recommended thresholds according to statistical analysis of the zone traffic. You can protect several zones at the same time only if their IP address ranges do not overlap.

You must configure diversion before initiating the learning process or divert the zone traffic to the Guard manually. Configure zone diversion using the Guard routing configuration.

See "Configuring Traffic Diversion," for more information.

If the zone is not under attack, you can activate the protect and learn function to enable the Guard to constantly divert the zone traffic and tune the zone policy thresholds. See the "Synchronizing a Guard with Cisco Traffic Anomaly Detector Zone Configuration" section on page 5-13 for more information.

You can define the following protection characteristics:

Operation mode—You can configure how the Guard performs zone protection and define whether the Guard applies measures to protect the zone automatically or in an interactive manner.

Activation method—You can define whether to activate the zone according to the zone name, the zone address range, or the received traffic. You should configure the activation method if zone protection is activated by an external device (such as a Detector).

Activation extent—You can define whether to activate zone protection for the entire zone address range, or only for a specific IP address within the zone. The activation extent applies only to zones where zone protection is activated by an external device, such as a Detector.

Protection termination timeout—You can define the timeout after which the Guard terminates zone protection.

Activating On-Demand Protection

In an immediate need such as a zone under attack, you can use system-defined zone templates to protect a zone without enabling the Guard to learn the zone traffic characteristics. The predefined policies and filters in the zone template can protect a zone that has traffic characteristics that are unknown to the Guard. The default thresholds of these zone policies are tuned so that the Guard activates the antispoofing functions quickly if it identifies traffic anomalies in the zone traffic.

Because the Guard does not know the zone traffic patterns, the thresholds used to block (drop) source IP addresses are set to high values. On-demand protection requires user intervention when mitigating nonspoofed attacks. You must monitor the legitimate and malicious traffic rates of the zone and view the Guard mitigation actions.

You may require on-demand protection for a zone if there is an attack on the zone and one of the following conditions applies:

The zone is in the learning process.

You have enabled the protect and learn function but the Guard has not yet learned the zone traffic characteristics.

You have accepted policy thresholds that you think do not represent the zone traffic.

To activate on-demand protection, perform the following steps:


Step 1 Create a new zone by entering the following command:

zone new-zone-name [template-name] [interactive]

See the "Creating a New Zone from a Zone Template" section on page 5-5 for more information.

Step 2 Define the zone IP address by entering the following command:

ip address ip-addr [ip-mask] 

See the "Configuring Zone Attributes" section on page 5-8 for more information.

Step 3 Activate zone protection by entering the following command:

protect

See the "Activating Zone Protection" section for more information.

Step 4 Analyze the zone traffic patterns. See "Analyzing Guard Mitigation" for more information.


Configuring How the Guard Performs Zone Protection

You can configure the Guard to perform zone protection in one of the following ways:

Automatic protect mode—Dynamic filters are activated without user intervention. This operation mode is the default.

Interactive protect mode—Dynamic filters are activated manually in an interactive mode. The dynamic filters are grouped as recommendations that await your decision. You can review and decide which recommendations to accept, ignore, or direct to automatic activation.

See "Using Interactive Protect Mode," for more information.

Configuring the Protection Activation Method

The protection activation method defines how the Guard identifies the zone for which it activates zone protection when it receives an external indication. This indication can be a command from an external device, such as a Detector, or traffic that is destined to the zone (packet).

The method that the Guard uses to activate protection can be one of the following:

ip-address—Activates zone protection when it receives a command from an external device, such as a Detector, that consists of an IP address or subnet that is part of the zone.

packet—Activates zone protection when it receives traffic that is destined to the zone.

packet-or-ip-address—Activates zone protection when it receives traffic (a packet) that is destined to the zone or when it receives a command from an external device, such as the Detector, that consists of an IP address or subnet that is part of the zone address range.

zone-name-only—Activates zone protection based on the zone name.

When you configure zones with a protection activation method of packet or packet-or-ip-address:

You must manually divert the zone traffic to the Guard using an external device. Otherwise, the Guard cannot monitor the zone traffic.

You can configure the minimum received traffic rate that is required for the Guard to activate zone protection by entering the protect-packet activation-sensitivity command (see the "Configuring the Sensitivity for Activating Zone Protection" section for more information).

Do not configure more than one zone with the same address range. Otherwise, zone protection may not function properly.

The Guard activates the entire zone or a specific IP address range according to the zone activation extent unless the protection activation method is zone-name-only (see the "Configuring the Protection Activation Extent" section). If the protection activation method is zone-name-only, the Guard activates the entire zone.

To configure the protection activation method, use the following command in zone configuration mode:

activation-interface {packet [divert] | ip-address | packet-or-ip-address [divert] | zone-name-only}

The default is zone-name-only. If you create a zone by duplicating an existing zone, the protection activation method is set to the zone-name-only, regardless of the configuration of the source zone. See the "Creating a New Zone by Duplicating an Existing Zone" section on page 5-7.

Table 9-1 provides the keywords for the activation-interface command.

Table 9-1 Keywords for the activation-interface Command

Parameter: ip-address
Description: Activates zone protection when it receives a command from an external device, such as a Detector, that consists of an IP address or subnet that is part of the zone. The Guard scans the zone database and activates the zone that has an address range that includes the received IP address or subnet. If you have configured several zones with an address range that includes the received IP address, the Guard activates the zone with the longest prefix match (the zone that has the most specific address range that includes the received IP address). The received IP address or subnet must be completely included in the zone IP address range.

Parameter: packet
Description: Activates zone protection when it receives traffic that is destined to the zone. The Guard scans the zone database and activates the zone that has an address range that includes the received packet IP address. If you have configured several zones with an address range that includes the received packet IP address, the Guard activates the zone with the longest prefix match (the zone that has the most specific address range that includes the received packet IP address). The received IP address or subnet must be completely included in the zone IP address range.
Note When you configure a zone with a protection activation method of packet, the Guard changes the way that it handles traffic that is not destined to an active zone. If you have configured injection for that traffic, the Guard forwards the traffic instead of dropping it.

Parameter: packet-or-ip-address
Description: Activates zone protection when it receives traffic (a packet) that is destined to the zone or when it receives a command from an external device, such as the Detector, that consists of an IP address or subnet that is part of the zone address range. See the ip-address and packet protection activation methods in this table for more information.

Parameter: zone-name-only
Description: Activates zone protection based on the zone name. A command from an external device, such as a Detector, to activate zone protection must include the zone name. This activation method is the default.

Parameter: divert
Description: Sends a BGP (Border Gateway Protocol) announcement to the adjacent router to divert the zone traffic from the original path to the Guard. Use the divert keyword when a Detector activates zone protection on the Guard using BGP. See the Cisco Traffic Anomaly Detector Configuration Guide for more information.


The following example shows how to configure the protection activation method so that the Guard activates protection when it receives a packet that is within the zone IP address range:

user@GUARD-conf-zone-scannet# activation-interface packet


Note If the activation extent is ip-address-only (see the "Configuring the Protection Activation Extent" section) and the protection activation method is not zone-name-only, we recommend that you configure the timer that the Guard uses to identify that an attack on the zone has ended by using the protection-end-timer command (see the "Configuring the Protection Inactivity Timeout" section). If you enter the protection-end-timer forever command, the Guard does not terminate zone protection when the attack ends and does not delete the subzone that it has created to protect the specific IP address.


You can create a default zone for the Guard to protect if the received IP address or packet is not part of any other zone. You can define a default zone only if the network is homogenous and can use the same zone template. You cannot perform the learning process for a default zone. Create the zone with an IP address of 0.0.0.0 and a subnet of 0.0.0.0. Define the activation extent as ip-address-only (see the "Configuring the Protection Activation Extent" section).

To display the zone activation method, use the show running-config command in zone configuration mode.

Configuring the Sensitivity for Activating Zone Protection

When the method that the Guard uses to activate zone protection is packet or packet-or-ip-address, the Guard activates zone protection only if the received traffic rate to a single IP address is higher than the activation sensitivity. The activation sensitivity is defined globally and applies to all zones.

To change the minimum packet rate that is required to activate zone protection, use the following command in configuration mode:

protect-packet activation-sensitivity min-rate

The min-rate argument defines the minimum packet rate that is destined to a single zone destination IP address that causes the Guard to activate zone protection. The default is 0 packets per second (pps).

The following example shows how to configure the activation sensitivity to 10 pps:

user@GUARD-conf# protect-packet activation-sensitivity 10

Configuring the Protection Activation Extent

The protection activation extent defines whether to activate zone protection for the entire zone or for a partial zone once the Guard receives an external indication. This indication can be a command from an external device, such as the Detector, or traffic that is destined to the zone (packet).

The Guard supports the following activation extents:

Entire zone—Activates zone protection for the entire zone. The Guard activates zone protection when it receives traffic that is destined to the zone or when it receives an external indication that consists of an IP address or subnet that is part of the zone.

IP Address only—Activates zone protection only for the specified IP address or subnet. When the Guard receives traffic that is destined to the zone or when it receives a command from an external device, such as the Detector, that consists of an IP address or subnet that is part of the zone, the Guard creates a new zone (subzone). This activation extent is the default. See the "Understanding Subzones" section for more information.

To configure the activation extent, use the following command in zone configuration mode:

activation-extent {entire-zone | ip-address-only}

Table 9-2 provides the keywords for the activation-extent command.

Table 9-2 Keywords for the activation-extent Command

Parameter: entire-zone
Description: Activates zone protection for the entire zone.

Parameter: ip-address-only
Description: Activates zone protection only for the specified IP address or subnet. This activation extent is the default.


The following example shows how to use the activation-extent command to configure the activation extent of zone protection for the entire zone:

user@GUARD-conf-zone-scannet# activation-extent entire-zone

To display the zone activation extent, use the show running-config command.

Understanding Subzones

The Guard creates a subzone when it activates zone protection for a partial zone (a zone that does not include the complete IP address range of the source zone). The IP address range of the subzone is included in the address range of the source zone.

The subzone configuration is similar to the configuration of the source zone except that the IP address and name are different. The name of the subzone consists of the first 30 characters of the name of the source zone, the IP address and the subnet, concatenated with underscores. If the subzone consists of a single IP address, the subnet is not added. For example, if the name of the source zone is scannet with an address range of 10.10.10.0 and a subnet of 255.255.255.0 and the Guard activates zone protection for an internal range of IP address 10.10.10.192 and subnet 255.255.255.252, the name of the subzone is scannet_10.10.10.192_255.255.255.252.

The IP address and subnet of the subzone are the IP address and subnet that the Guard received with the external command or the IP address of the packet that triggered the Guard to activate zone protection.

The Guard deletes subzones when it terminates zone protection. The Guard terminates zone protection for a subzone according to the activation method and the protection termination timeout that are configured for the source zone. The Guard does not delete a subzone if you have manually terminated zone protection by using the no protect command or the deactivate command.


Note If you configure the timer that the Guard uses to identify that an attack on the zone has ended by using the protection-end-timer forever command, the Guard does not terminate zone protection when the attack ends and does not erase the subzone.


When the Guard deletes a subzone, it does not erase the logs and attack reports of the subzone.

To display the logs and reports of the subzone after the Guard has erased the subzone, use the following commands:

show log sub-zone-name—See the "Displaying the Guard Configuration" section for more information.

show reports sub-zone-name [report-id | current] [details]—See the "Displaying Attack Reports" section for more information.

To display a list of the subzones that were created from the zone, enter the command and press Tab for the sub-zone-name argument.

The following example shows how to display the logs of a subzone that was erased:

user@GUARD-conf-zone-scannet# show log scannet_10.10.10.192

Configuring the Protection Inactivity Timeout

The Guard can activate or deactivate zone protection and the learning process when the Guard identifies that an attack on the zone has ended. If the Guard is protecting a zone, it terminates zone protection when the zone is no longer under attack. If the protect and learn function is enabled, the Guard deactivates the learning process when it detects an attack on the zone and resumes the learning process when the zone is no longer under attack.

The Guard verifies whether an attack on the zone has ended according to an inactivity timeout. You can define this timeout in seconds or set it to infinite.

To define the inactivity timeout, use the following command in zone configuration mode:

protection-end-timer {time-seconds | forever}

Table 9-3 provides the arguments and keywords for the protection-end-timer command.

Table 9-3 Arguments and Keywords for the protection-end-timer Command

Parameter: time-seconds
Description: Timeout in seconds. Enter an integer greater than 60.

Parameter: forever
Description: Sets an indefinite timeout.


The default is forever. If you do not change the default value, you must deactivate zone protection manually.

The following example shows how to configure the protection inactivity timeout:

user@GUARD-conf-zone-scannet# protection-end-timer 300

The Guard measures inactivity based on dynamic filter inactivity and dropped traffic. If, for the duration of the inactivity timeout, no dynamic filters are in use and both of the following conditions apply, the Guard assumes that the attack on the zone has ended:

No new dynamic filters are added—See the "Deactivating Dynamic Filters" section for information on how the Guard decides when to remove dynamic filters.

The rate of the zone traffic that is being dropped is lower than the defined threshold—The Guard drops zone packets that the dynamic filters, user filters, and flex-content filters have identified as part of an attack, and the Guard drops traffic that has exceeded the rate limit that was defined for the zone using the rate-limit command. The Guard counts the dropped packets using the zone dropped counter (see the "Using Counters to Analyze Traffic" section for more information). The default threshold is 1 pps. To change the drop counter threshold, use the following command in zone configuration mode:

attack-detection zone-malicious-rate threshold

The threshold argument defines the minimum rate of dropped zone packets. If the rate goes lower than this threshold, the Guard may end zone protection. If the rate exceeds this threshold, the Guard identifies an attack on the zone and creates an attack report.

If the zone activation method is packet, the Guard also checks for inactivity based on the received traffic before deactivating the zone. The Guard deactivates protection only if the previous conditions apply and no packet destined to the zone was received.
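The inactivity decision above combines several per-second conditions over the configured timeout. The following model, an added example rather than Guard code, evaluates those conditions over a constructed timeline of zone observations; the field names of Sample and the short timer values are assumptions made for illustration.

```python
"""Model of the inactivity check behind protection-end-timer.

Added example, not Guard code: it applies the conditions from this section
to a constructed per-second timeline of zone observations.
"""
from dataclasses import dataclass
from typing import List, Optional, Union


@dataclass(frozen=True)
class Sample:
    """One second of zone observations (constructed for this example)."""
    filters_in_use: int    # dynamic filters currently applied to the zone
    filters_added: int     # dynamic filters created during this second
    dropped_pps: float     # rate counted by the zone dropped counter
    received_pps: float    # packets received for the zone (packet method only)


def attack_detected(sample: Sample, zone_malicious_rate: float = 1.0) -> bool:
    """Dropped traffic above attack-detection zone-malicious-rate identifies an attack."""
    return sample.dropped_pps > zone_malicious_rate


def quiet(sample: Sample, zone_malicious_rate: float, activation_interface: str) -> bool:
    """True when every inactivity condition holds for this second."""
    if sample.filters_in_use or sample.filters_added:
        return False                      # filters still in use or still being added
    if sample.dropped_pps >= zone_malicious_rate:
        return False                      # dropped traffic not below the threshold
    if activation_interface == "packet" and sample.received_pps > 0:
        return False                      # packet method: received traffic also resets
    return True


def protection_end_second(timeline: List[Sample],
                          protection_end_timer: Union[int, str],
                          zone_malicious_rate: float = 1.0,
                          activation_interface: str = "zone-name-only") -> Optional[int]:
    """Return the 1-based second at which the Guard ends protection, or None.

    `protection_end_timer` is the configured value: a number of seconds (the
    Guard requires an integer greater than 60; any positive integer is accepted
    here for illustration) or "forever", the default, which never ends
    protection automatically.
    """
    if protection_end_timer == "forever":
        return None
    streak = 0                            # consecutive quiet seconds so far
    for second, sample in enumerate(timeline, start=1):
        streak = streak + 1 if quiet(sample, zone_malicious_rate, activation_interface) else 0
        if streak >= protection_end_timer:
            return second
    return None


def sample_timeline(received_pps: float = 0.0) -> List[Sample]:
    """Constructed timeline: three seconds of attack, then eight quiet seconds."""
    attack = Sample(filters_in_use=2, filters_added=1, dropped_pps=50.0, received_pps=400.0)
    calm = Sample(filters_in_use=0, filters_added=0, dropped_pps=0.2, received_pps=received_pps)
    return [attack] * 3 + [calm] * 8
```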

Activating Zone Protection

You can wait for an external device (such as a Detector) to detect an attack on the zone before setting the Guard to protect the zone, or activate the Guard to protect the zone after configuring the zone. When the Guard protects a zone, the Guard diverts the zone traffic to itself and applies its protection policies.

If the zone is under attack before the Guard has learned the zone traffic characteristics, use on-demand protection to protect the zone. The Guard default policy thresholds for a new zone enable effective on-demand protection. See the "Activating On-Demand Protection" section for more information.


Note You must manually divert the zone traffic to the Guard using an external device if you configure the protection activation method to packet by using the activation-interface packet command; otherwise, the Guard cannot monitor the zone traffic.


You can activate zone protection in one of the following ways:

You can protect the entire zone—See the "Protecting the Entire Zone" section.

You can protect an IP-specific zone that is a part of the zone address range—See the "Protecting an IP Zone that is Part of the Zone Address Range" section.

You can protect a specific IP address even if you do not know the name of the zone whose IP address range includes the IP address—See the "Protecting an IP Address when the Zone Name is Not Known" section.


Tip Check that the Guard is receiving the zone traffic. Wait at least 10 seconds after activating zone protection and enter the show rates command. Verify that the value of at least one of the rates is greater than zero. If the value of all rates equals zero, a diversion problem could exist. See "Configuring Traffic Diversion" and "Troubleshooting Diversion," for more information.


Protecting the Entire Zone

You can protect the entire zone by entering the following command in zone configuration mode:

protect [learning]

The learning keyword sets the Guard to protect the zone and tune the policy thresholds. See the "Tuning Policy Thresholds" section for more information.

The following example shows how to activate zone protection:

user@GUARD-conf-zone-scannet# protect

Protecting an IP Zone that is Part of the Zone Address Range

You can protect an IP-specific zone that is a part of the zone address range. In this case, the Guard creates a new zone. The name of the new zone consists of the first 30 characters of the major zone name and the specific IP address concatenated with an underscore. If a zone by the same name already exists, the Guard activates zone protection for the existing zone instead of creating another zone by the same name.

To activate zone protection for an IP-specific zone, use the following command in global mode:

protect zone-name ip-address-general

Table 9-4 provides the arguments for the protect command.

Table 9-4 Arguments for the Zone Configuration Mode protect Command

Parameter: zone-name
Description: The name of the zone.

Parameter: ip-address-general
Description: The specific IP address within the zone address range. Enter the IP address in dotted-decimal notation. For example, enter 192.168.5.6.


To remove this zone, use the no form of the zone command.

The following example shows how to activate zone protection for IP address 192.168.5.6 that is included in the IP address range of the zone scannet:

user@GUARD# protect scannet 192.168.5.6
creating zone scannet_192.168.5.6
user@GUARD#

Protecting an IP Address when the Zone Name is Not Known

You can protect a specific IP address even if you do not know the name of the zone whose IP address range includes the IP address by entering the following command in global mode:

protect ip-address-general [subnet-mask]

Table 9-5 provides the arguments for the protect command.

Table 9-5 Arguments for the Global Mode protect Command

Parameter: ip-address-general
Description: The specific IP address within a zone address range. Enter the IP address in dotted-decimal notation. For example, enter 192.168.5.6.

Parameter: subnet-mask
Description: The subnet mask for which zone protection is activated. Enter the mask in dotted-decimal notation. For example, enter 255.255.255.252.


The Guard activates zone protection for the zone whose IP address range includes the IP address, based on the ip-address activation method. See the "Configuring the Protection Activation Extent" section for more information.

The following example shows how to activate zone protection for IP address 192.168.5.6:

user@GUARD# protect 192.168.5.6

You can enter the protect-related commands for several zones at the same time. Enter the command in global mode and use an asterisk (*) as a wildcard. For example, to stop zone protection for all zones, enter the no protect * command in global mode. To stop zone protection for all zones with names that begin with scan (such as scannet and scanserver), enter the no protect scan* command in global mode.

Deactivating Zone Protection

When there is no attack on a zone and you rely on another source for detecting zone traffic anomalies, you may want to deactivate zone protection and end traffic diversion to the Guard.

To deactivate zone protection, use one of the following commands in zone configuration mode:

no protect—Ends zone protection. If you enabled the protect and learn function, the Guard continues to learn the policy thresholds.

deactivate—Ends both zone protection and the threshold tuning phase of the learning process.

The following example shows how to deactivate zone protection and the learning process:

user@GUARD-conf-zone-scannet# deactivate