Cisco Guard Configuration Guide (Software Version 5.1)
Configuring Zones

Table Of Contents

Configuring Zones

Overview

Using Zone Templates

Creating a New Zone

Creating a New Zone from a Zone Template

Creating a New Zone by Duplicating an Existing Zone

Configuring Zone Attributes

Configuring the Zone IP Address Range

Synchronizing a Guard with Cisco Traffic Anomaly Detector Zone Configuration

Configuration Guidelines

Synchronizing a Zone Configuration Offline

Example Scenario


Configuring Zones


This chapter describes how to create and manage zones on the Cisco Guard (Guard). These procedures are required to enable zone protection.

This chapter contains the following sections:

Overview

Using Zone Templates

Creating a New Zone

Configuring Zone Attributes

Configuring the Zone IP Address Range

Synchronizing a Guard with Cisco Traffic Anomaly Detector Zone Configuration

Overview

A zone is a network element that the Guard uses to protect against Distributed Denial of Service (DDoS) attacks. A zone can be any combination of the following elements:

A network server, client, or router

A network link or subnet or an entire network

An individual Internet user or a company

An Internet Service Provider (ISP)

The Guard can protect different zones simultaneously as long as their network address ranges do not overlap.

You assign a name to the zone and use this name to refer to it.

The zone configuration process consists of the following tasks:

Creating a zone—You can create a zone and configure the zone name and the zone description. See the "Creating a New Zone" section for more information.

Configuring the zone network definition—You can configure the zone network definitions that include the network IP address and subnet mask. See the "Configuring Zone Attributes" section for more information.

Configuring the zone filters—You can configure the zone filters. The zone filters apply the required protection level to the zone traffic and define the way the Guard handles specific traffic flows. See "Configuring Zone Filters," for more information.

Learning the zone traffic characteristics—You can create the zone protection policies that enable the Guard to analyze a particular traffic flow and take action if the traffic flow exceeds a policy threshold. The Guard constructs the policies in a learning process that consists of two phases: policy construction and threshold tuning. See "Learning the Zone Traffic Characteristics," for more information.

Using Zone Templates

A zone template defines the default configuration of a zone.

Table 5-1 displays the zone templates.

Table 5-1 Zone Templates 

Template
Description

GUARD_DEFAULT

Default zone template. The Guard may replace the packet source IP address with the Guard TCP-proxy IP address, so the zone sees the proxy address rather than the original client address. Use this zone template only if the zone network does not rely on access control lists (ACLs), access policies, or load-balancing policies that are keyed on the incoming source IP address.

GUARD_LINK Templates

Zone templates designed for on-demand protection of large subnets segmented according to zones with a known bandwidth. We recommend that you activate zone protection on these zones for the attacked address range only to better focus on the zone protection requirements and save Guard resources. Configure the method that the Guard uses to activate zone protection for the attacked subnet or range by using the activation-extent ip-address-only command. To enable a Detector to activate zone protection on the Guard for the attacked IP address or subnet only, use the protect-ip-state dst-ip-by-name command on the Detector.

The following bandwidth-limited link zone templates are available for 128-Kb, 512-Kb, 1-Mb, and 4-Mb links:

GUARD_LINK_128K

GUARD_LINK_512K

GUARD_LINK_1M

GUARD_LINK_4M

You cannot perform the policy construction phase of the learning process for zones that were created from these templates.

GUARD_TCP_NO_PROXY

A zone template designed for a zone for which no TCP proxy is to be used. You can use this zone template if the zone is controlled based on IP addresses, such as an Internet Relay Chat (IRC) server-type zone, or if you do not know the type of services running on the zone.

GUARD_VOIP

A zone template designed for a zone that contains a Voice over IP (VoIP) server that uses the Session Initiation Protocol (SIP) over UDP to establish VoIP sessions and the Real-Time Transport Protocol and Real-Time Control Protocol (RTP/RTCP) to transmit voice data between SIP end points after sessions are established.

Zones that are created from the GUARD_VOIP zone template contain specific policies to handle VoIP traffic that are produced from the sip_udp policy template (see the "Understanding Policy Templates" section for more information).



Creating a New Zone

You can create a zone and configure the zone name, description, network address, operation definitions, and networking definitions.

When you create a new zone, you can use an existing zone as a template or you can create a zone from system-defined zone templates. The zone template defines the initial policy and filter configuration of the zone.

The new zone has default policies that are tuned for on-demand protection. However, if there is no immediate need to protect the zone, we recommend that you allow the Guard to learn the zone traffic characteristics. See the "Activating On-Demand Protection" section for more information. Alternatively, you can copy the configuration of the zone and the zone policies from the Cisco Traffic Anomaly Detector (Detector).

You can create a new zone in three ways:

Create a new zone—You can create a new zone from system-defined zone templates. Use this method to create a new zone with the default policies and filters.

After you create a new zone, you must configure the zone attributes.

Duplicate a zone—You can create a zone from an existing zone. Use this method if the new zone has traffic patterns that are similar to those of an existing zone.

Copy the zone configuration from the Detector—You can enable synchronization of the zone configuration with the Detector. See the "Synchronizing a Guard with Cisco Traffic Anomaly Detector Zone Configuration" section.

You can initiate this action only from the Detector. See the Cisco Traffic Anomaly Detector Configuration Guide for more information.

See the "Configuring Zone Attributes" section for information on how to modify the zone configuration settings.

Creating a New Zone from a Zone Template

To create a new zone from system-defined zone templates, use one of the following commands:

zone new-zone-name [template-name] [interactive]—Creates a new zone. If you do not enter the template-name argument, the new zone is created from the GUARD_DEFAULT zone template.

zone zone-name template-name [interactive]—Deletes the existing zone and creates a new zone with the same name from the specified template. This form is destructive: the configuration of the existing zone, including its policies and filters, is lost. The template-name argument is what distinguishes it from simply entering the configuration mode of an existing zone.

When using a system-defined zone template, the Guard applies the default settings to all zone attributes. These default policy settings are tuned for on-demand protection.

If the command is performed successfully, the Guard enters the configuration mode of the new zone.

If you enter the name of an existing zone without specifying a zone template, the Guard enters the configuration mode of the specified zone.

Table 5-2 provides the arguments and keywords for the zone command.

Table 5-2 Arguments and Keywords for the zone Command 

Parameter
Description

new-zone-name

The name of a new zone. The name is an alphanumeric string from 1 to 63 characters. The string must start with an alphabetic letter, can contain underscores, but cannot contain any spaces.

zone-name

The name of an existing zone.

template-name

(Optional) A zone template that defines the zone configuration. The default is to create the zone using the GUARD_DEFAULT zone template.

The zone template can be one of the following:

GUARD_DEFAULT

GUARD_LINK_128K

GUARD_LINK_1M

GUARD_LINK_4M

GUARD_LINK_512K

GUARD_TCP_NO_PROXY

GUARD_VOIP

See the "Using Zone Templates" section for more information on the zone templates.

interactive

(Optional) Sets the Guard to perform zone protection in an interactive manner. The dynamic filters that the policies create appear as recommendations. You must decide whether or not to activate each dynamic filter. See "Using Interactive Protect Mode," for more information.


The following example shows how to create a new zone configured for interactive protect mode:

user@GUARD-conf# zone scannet interactive 
user@GUARD-conf-zone-scannet#

To delete a zone, use the no zone command. When deleting a zone, you can use an asterisk (*) as a wildcard character at the end of the zone name. The wildcard allows you to remove several zones with the same prefix in one command.

To display the zone templates, use the show templates command in global or configuration mode. To display the zone template default policies, use the show templates template-name policies command in global or configuration mode.

Creating a New Zone by Duplicating an Existing Zone

You can create a new zone based on an existing zone. When using an existing zone as a template for the new zone, all properties of the existing zone are copied to the newly defined zone. If you specify a snapshot, the zone policies are copied from the snapshot.

To duplicate a zone, use one of the following commands:

zone new-zone-name copy-from-this [snapshot-id]—Use this command in zone configuration mode to create a new zone with the configuration of the current zone.

zone new-zone-name copy-from zone-name [snapshot-id]—Use this command in configuration mode to create a new zone with the configuration of the specified zone.

Table 5-3 provides the arguments and keywords for the zone command.

Table 5-3 Arguments and Keywords for the zone Command 

Parameter
Description

new-zone-name

Name of a new zone. The name is an alphanumeric string from 1 to 63 characters. The string must start with an alphabetic letter and can contain underscores but cannot contain any spaces.

copy-from-this

Creates a new zone by copying the configuration of the current zone.

copy-from

Creates a new zone by copying the configuration of the specified zone.

zone-name

Name of an existing zone.

snapshot-id

ID of an existing snapshot. See the "Displaying Snapshots" section for more information.


The following example shows how to create a new zone from the current zone:

user@GUARD-conf-zone-scannet# zone mailserver copy-from-this 
user@GUARD-conf-zone-mailserver#

If the command is performed successfully, the Guard enters the configuration mode of the new zone.

The policies of the new zone are marked as untuned. We recommend that you perform the threshold tuning phase of the learning process to tune the policy thresholds to the zone traffic. If the traffic characteristics of the new zone are identical or very similar to the traffic characteristics of the originating zone, you can mark the policy thresholds as tuned. See the "Marking the Policies as Tuned" section for more information.

The activation method of the new zone is set to zone-name-only, regardless of the configuration of the source zone. See the "Configuring the Protection Activation Method" section for more information.

Configuring Zone Attributes

After you create the zone, you can configure the zone attributes.

To configure the zone attributes, perform the following steps:


Step 1 Enter zone configuration mode. Skip this step if you are in zone configuration mode already.

To enter zone configuration mode, use one of the following commands:

conf zone-name (from global mode)

zone zone-name (from configuration mode or zone configuration mode)

The zone-name argument specifies the name of an existing zone.


Note You can disable tab completion for zone names in the zone command by using the aaa authorization commands zone-completion tacacs+ command. See the "Disabling Tab Completion of Zone Names" section for more information.


Step 2 Define the zone IP address by using the ip address command. You must define at least one IP address that is not excluded to enable the Guard to learn the zone traffic and protect the zone.

See the "Configuring the Zone IP Address Range" section for more information.

Step 3 (Optional) Limit the traffic bandwidth that the Guard injects back to the zone according to the traffic rate that you think the zone can handle by entering the following command in zone configuration mode:

rate-limit {no-limit | rate burst-size rate-units}

We recommend that you set the bandwidth value to the highest bandwidth that was measured entering the zone. If you do not know what this value is, leave the default bandwidth value (no-limit).

Table 5-4 provides the arguments and keywords for the rate-limit command.

Table 5-4 Arguments and Keywords for the rate-limit Command 

Parameter
Description

no-limit

Defines the zone with no rate limit.

rate

Integer greater than 64 that specifies the amount of traffic that is allowed to pass to the zone. The units are specified by the rate-units argument. The rate limit can be up to 10 times greater than the burst limit.

burst-size

Integer greater than 64 that specifies the highest traffic peak allowed to pass to the zone, in the units that the rate-units argument specifies (bits, kilobits, kilopackets, megabits, or packets). The burst limit can be up to eight times greater than the rate limit.

rate-units

Rate units. The units are as follows:

bps—Bits per second

kbps—Kilobits per second

kpps—Kilopackets per second

mbps—Megabits per second

pps—Packets per second


Step 4 (Optional) Add a description to the zone for identification purposes by entering the following command in zone configuration mode:

description string

The maximum string length is 80 characters. If the string contains spaces, enclose it in quotation marks (" ").

To modify a zone description, reenter the zone description. The new description overrides the previous description.

Step 5 Display the configuration of the newly configured zone by entering the show running-config command in zone configuration mode.

The configuration information consists of CLI commands that are executed to configure the Guard with the current settings. Refer to the specific command entries for more information.


The following example shows how to create a new zone and configure the zone attributes. The zone IP address range is configured to 192.168.100.32/27, but the IP address 192.168.100.50 is excluded from the zone IP address range. The description contains a space, so it is enclosed in quotation marks.

user@GUARD-conf# zone scannet
user@GUARD-conf-zone-scannet# ip address 192.168.100.32 255.255.255.224
user@GUARD-conf-zone-scannet# ip address exclude 192.168.100.50
user@GUARD-conf-zone-scannet# rate-limit 1000 2300 pps
user@GUARD-conf-zone-scannet# description "Demonstration zone"
user@GUARD-conf-zone-scannet# show running-config

Configuring the Zone IP Address Range

You must configure at least one IP address that is not excluded before you can activate zone protection, but you can add or delete IP addresses from the zone IP address range at any time. You can configure a large subnet and then exclude specific IP addresses from that subnet so that they are not part of the zone IP address range.

To configure the zone IP address, use the following command in zone configuration mode:

ip address [exclude] ip-addr [ip-mask]

Table 5-5 provides the arguments and keywords for the ip address command.

Table 5-5 Arguments and Keywords for the ip address Command 

Parameter
Description

exclude

Excludes the IP address from the zone IP address range.

ip-addr

IP address. Enter the IP address in dotted-decimal notation (for example, 192.168.100.1).

By default, the IP address is included in the zone IP address range.

The IP address must be the network address for the subnet mask that you enter; that is, every host bit under the mask must be 0. For example, 192.168.100.32 is valid with the mask 255.255.255.224 (/27) because its host bits are zero, whereas 192.168.100.33 with the same mask is rejected.

ip-mask

(Optional) IP subnet mask. Enter the subnet mask in dotted-decimal notation (for example, 255.255.255.0). The default subnet mask is 255.255.255.255.


The following example shows how to configure the zone IP address range to 192.168.100.32/27 but exclude IP address 192.168.100.50 from the zone IP address range.

user@GUARD-conf-zone-scannet# ip address 192.168.100.32 255.255.255.224
user@GUARD-conf-zone-scannet# ip address exclude 192.168.100.50
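The rules in this section and in the zone attributes procedure (zone name syntax, host bits under the mask, the rate-limit bounds from Table 5-4, at least one non-excluded address, and the requirement that zones protected at the same time do not overlap) are easy to get wrong by hand across many zones. The following Python script is an added example, not Cisco code or Guard output: it parses zone definitions in the form that the show running-config command prints them and reports violations. The embedded configuration is constructed for the example; the first zone is this chapter's own example and the second is deliberately broken. The exact running-config layout (one-space indentation, a quoted description) is an assumption.

```python
"""Lint Cisco Guard zone definitions as printed by "show running-config".
Added example, not Cisco code; it checks the constraints this chapter states."""
import ipaddress
import re
import shlex

ZONE_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]{0,62}$")  # 1-63 chars, letter first
RATE_UNITS = {"bps", "kbps", "kpps", "mbps", "pps"}
DEFAULT_MASK = "255.255.255.255"  # Table 5-5: a bare address means one host

# Constructed sample: "scannet" is the chapter's own example; "2mail_srv" is
# deliberately wrong (bad name, host bits set, burst too small, overlap).
SAMPLE_CONFIG = """\
zone scannet
 ip address 192.168.100.32 255.255.255.224
 ip address exclude 192.168.100.50
 rate-limit 1000 2300 pps
 description "Demonstration zone"
zone 2mail_srv
 ip address 192.168.100.33 255.255.255.240
 ip address 192.168.100.40
 rate-limit 100000 50 kbps
 description "Mail relay"
"""

def parse_zones(text):
    """Return {name: {"includes": [(addr, mask)], "excludes": [...], "rate_limit", "description"}}."""
    zones, cur = {}, None
    for raw in text.splitlines():
        tokens = shlex.split(raw)  # keeps a quoted description as one token
        if not tokens:
            continue
        if tokens[0] == "zone":
            cur = zones.setdefault(tokens[1], {"includes": [], "excludes": [],
                                               "rate_limit": None, "description": ""})
        elif cur is None:
            raise ValueError(f"attribute outside a zone block: {raw.strip()}")
        elif tokens[:2] == ["ip", "address"]:
            rest = tokens[2:]
            kind = "excludes" if rest[:1] == ["exclude"] else "includes"
            rest = rest[1:] if kind == "excludes" else rest
            cur[kind].append((rest[0], rest[1] if len(rest) > 1 else DEFAULT_MASK))
        elif tokens[0] == "rate-limit":
            cur["rate_limit"] = tokens[1:]
        elif tokens[0] == "description":
            cur["description"] = " ".join(tokens[1:])
    return zones

def networks(entries):
    """Split (addr, mask) pairs into strict networks and entries with host bits set."""
    good, bad = [], []
    for addr, mask in entries:
        try:
            good.append(ipaddress.ip_network(f"{addr}/{mask}", strict=True))
        except ValueError:
            bad.append((addr, mask))
    return good, bad

def effective_networks(zone):
    """Valid included networks with the valid excluded addresses carved out."""
    nets, _ = networks(zone["includes"])
    for ex in networks(zone["excludes"])[0]:
        carved = []
        for net in nets:
            if net.subnet_of(ex):        # entry wholly excluded (covers net == ex)
                continue
            if ex.subnet_of(net):        # punch the hole, keep the remainder
                carved.extend(net.address_exclude(ex))
            else:
                carved.append(net)
        nets = carved
    return nets

def lint_zone(name, zone):
    """Findings for one zone; an empty list means every check passed."""
    f = []
    if not ZONE_NAME_RE.match(name):
        f.append(f"{name}: invalid zone name")
    for addr, mask in networks(zone["includes"] + zone["excludes"])[1]:
        f.append(f"{name}: {addr} has host bits set for mask {mask}")
    rl = zone["rate_limit"]
    if rl and rl != ["no-limit"]:
        if len(rl) != 3 or rl[2] not in RATE_UNITS or not all(x.isdigit() for x in rl[:2]):
            f.append(f"{name}: malformed rate-limit {' '.join(rl)}")
        else:
            rate, burst = int(rl[0]), int(rl[1])
            # Table 5-4: both > 64, rate <= 10 x burst-size, burst-size <= 8 x rate
            if min(rate, burst) <= 64 or rate > 10 * burst or burst > 8 * rate:
                f.append(f"{name}: rate-limit {rate} {burst} is outside the allowed bounds")
    if not effective_networks(zone):
        f.append(f"{name}: no non-excluded IP address, so protection cannot be activated")
    return f

def overlapping_zones(zones):
    """Sorted name pairs whose effective ranges overlap; the Guard cannot protect both."""
    eff = {n: effective_networks(z) for n, z in zones.items()}
    names = sorted(eff)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if any(x.overlaps(y) for x in eff[a] for y in eff[b])]

if __name__ == "__main__":
    parsed = parse_zones(SAMPLE_CONFIG)
    for zone_name, zone_def in parsed.items():
        print("\n".join(lint_zone(zone_name, zone_def)) or f"{zone_name}: ok")
    print("overlapping zones:", overlapping_zones(parsed))
```

Running the script reports the broken name, the 192.168.100.33/28 entry with host bits set, the out-of-bounds rate-limit, and the overlap between the two zones, while scannet passes. The excluded address is carved out of the zone range before the overlap check, so an exclusion can legitimately separate two zones that would otherwise collide.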

If you modify the zone IP address range, perform one of the following tasks:

If the new IP address or subnet consists of a new service that was not previously defined in the zone network, activate the policy construction phase before activating zone protection or add the service manually. See the "Constructing Policies" section and the "Adding a Service" section for more information.

If you enabled the protect and learn function, use the no learning-params threshold-tuned command to mark the zone policies as untuned. Do not change the status of the zone policies to untuned if there is an attack on the zone. Changing the status prevents the Guard from detecting the attack and causes the Guard to learn malicious traffic thresholds. See the "Marking the Policies as Tuned" section for more information.

If you are not using the protect and learn function, you should activate the threshold tuning phase before activating zone protection. See the "Tuning Policy Thresholds" section.

To delete zone IP addresses, use the no form of the command.

To delete an excluded IP address, use the no ip address exclude form of the command.

To delete all zone IP addresses and excluded IP addresses at once, use the no ip address * command.

Synchronizing a Guard with Cisco Traffic Anomaly Detector Zone Configuration

You can synchronize the zone configuration, which includes the zone policies and filters, with the zone on the Detector. The Detector copies the complete zone configuration to the Guard. This process allows you to configure the zone once but maintain the same configuration and policies on both the Guard and the Detector.

Communication between the Detector and the Guard requires the Secure Sockets Layer (SSL) protocol, which provides authentication and encryption. You must configure the SSL communication connection channel before you synchronize the zone. See the "Establishing Communication with the Cisco Traffic Anomaly Detector" section for more information.

You can set the Detector to continuously learn the zone traffic characteristics to keep the zone policies updated and avoid constantly diverting the zone traffic to the Guard.

You must create the zone for synchronization and synchronize the zone from the Detector. See the Cisco Traffic Anomaly Detector Configuration Guide for more information.

This section contains the following topics:

Configuration Guidelines

Synchronizing a Zone Configuration Offline

Example Scenario

Configuration Guidelines

To synchronize zones between a Guard and a Detector, use the following guidelines:

Create the new zone on the Detector using zone templates that are appropriate for both the Guard and the Detector (Guard zone templates).

Ensure that the same type of traffic flows to both the Detector and the Guard (when the Guard is diverting traffic) so that the zone policies synchronize correctly. Otherwise, the thresholds of the zone global policies may be too high or too low to protect properly against spoofed DDoS attacks.

Use the Detector as the central configuration point because you can create new zones on the Detector only and the configuration file of the Detector contains the configuration of both the Detector zones and the Guard zones. Configure the zones on the Detector and maintain a backup of the Detector configuration. Copy the zone configuration from the Detector to the Guard.

If you replace a device or change the IP address of the interface that the Detector and the Guard use to communicate, you must regenerate the SSL certificates that the Detector and the Guard use for secure communication.

Verify the zone configuration on the Guard. If the activation extent is ip-address-only and the activation method is not zone-name-only, we recommend that you configure the timer that the Guard uses to identify that an attack on the zone has ended by entering the protection-end-timer command. If you configure the value of the protection-end-timer to forever, the Guard does not terminate zone protection when the attack ends and does not delete the subzone that it had created to protect the specific IP address.

See the "Configuring the Protection Activation Method" section, the "Configuring the Protection Activation Extent" section, and the "Configuring the Protection Inactivity Timeout" section for more information.

Synchronizing a Zone Configuration Offline

You can synchronize a zone configuration on the Detector with the zone configuration on the Guard even if you cannot establish a secure communication channel between the Detector and a Guard. You may need to synchronize a zone configuration offline if one of the following conditions applies:

The Guard does not have access to the Detector.

The Detector does not have access to the Guard.

The Detector communicates with the Guard across a Network Address Translation (NAT) device.

To synchronize a zone configuration on the Detector with a zone configuration on the Guard offline, you must first export the zone configuration from the Detector to a network server using FTP, Secure FTP (SFTP), or Secure Copy (SCP), and then manually import the zone configuration to the Guard. Prefer SFTP or SCP where the server supports them; FTP sends the login credentials and the zone configuration in clear text. Because there is no secure communication channel between the Guard and the Detector, you must manually activate the Guard to protect the zone when the Detector detects anomalies in the zone traffic.

See "Protecting Zones," for more information.

To enable the Guard to synchronize the zone configuration, you must create the zone on the Detector using one of the Guard zone templates.

To synchronize the zone configuration on the Detector with the zone configuration on the Guard offline, perform the following steps:


Step 1 Export the zone configuration from the source device (Guard or Detector) by entering the following command in global mode:

copy zone zone-name running-config ftp 

See the "Exporting the Configuration" section.

Step 2 Import the zone configuration from a network server to the target device by entering one of the following commands in global mode:


Note Deactivate a zone before importing the zone configuration.


copy ftp running-config server full-file-name [login [password]]

copy {sftp | scp} running-config server full-file-name login

copy file-server-name running-config source-file-name

See the "Importing and Updating the Configuration" section for more information.


Example Scenario

This example scenario shows how to synchronize a zone configuration on the Detector with a zone configuration on the Guard to protect the zone and continue to learn the zone traffic characteristics:

1. Create and configure a new zone on the Detector using one of the Guard zone templates.

The Detector displays (Guard/Detector) next to the zone ID field in the output of the show command in zone configuration mode.

2. Add the Guard to the zone SSL remote Guard list or the default SSL remote Guard list on the Detector.

3. Set the Detector to construct the zone policies by entering the learning policy-construction command.

4. Set the Detector to learn the zone traffic and tune the policy thresholds while detecting traffic anomalies by entering the detect learning command.

5. Configure the Detector to accept the policy thresholds every 24 hours to ensure that the zone policies are updated with the changing traffic patterns.

6. Configure the Detector to synchronize the zone configuration with the Guard each time that it accepts the new learned policy thresholds to ensure that when the Detector learns new zone policy thresholds, the zone policies on the Guard are also updated.

7. Configure the Detector to synchronize the zone configuration with the configuration on the Guard before activating the Guard to protect the zone to ensure that the zone configuration and policies on the Guard are updated when the Guard activates zone protection.

8. When the Detector detects an attack on the zone, it performs the following actions:

Verifies that the zone configuration on the Guard is updated. If the zone configuration on the Guard is not the same as the zone configuration on the Detector, the Detector synchronizes the zone configuration with the Guard.

Activates the Guard to protect the zone (the Guard activates zone protection).

Stops the learning process for the zone but continues to detect anomalies in the zone traffic to prevent the Detector from learning malicious traffic thresholds.

You can modify the zone policies on the Guard when the attack is in progress.

The Detector polls the Guard constantly. When the Detector identifies that the Guard has deactivated zone protection (the Guard deactivates zone protection when the attack ends) and additional traffic anomalies do not exist, then the Detector reactivates zone anomaly detection and the learning process.

9. If you manually modify the zone policies on the Guard to adjust the zone policies to the attack characteristics, you can synchronize the new policies with the Detector. This action is important if the zone traffic requires that you set certain policy thresholds as fixed or set a fixed multiplier for policy thresholds. Synchronizing the zone configuration with the Detector ensures that the Detector has the correct policy thresholds, calculates the thresholds correctly in future threshold tuning phases, and updates the Guard policies with the correct thresholds.

For more information, see the "Setting the Threshold as Fixed" section and the "Configuring a Threshold Multiplier" section.


Note You can perform this action only from the Detector. See the Cisco Traffic Anomaly Detector Configuration Guide for more information.