Configuring Policy Templates
This chapter describes how to configure the zone policy templates that the Cisco Guard (Guard) uses to create zone policies.
This chapter contains the following sections:
• Understanding Policy Templates
• Modifying the Configuration of a Policy Template
Understanding Policy Templates
A policy template is a collection of policy construction rules that the Guard uses to create the zone policies during the policy construction phase of the learning process. When you create a new zone, the Guard includes a set of policy templates in the zone configuration. Based on the characteristics of the zone traffic, each policy template enables the Guard to produce a group of policies during the policy construction phase. The Guard uses the policies to monitor the zone traffic for anomalies that indicate an attack on the zone. The zone policies are configured to take action against a particular traffic flow if the flow exceeds the policy thresholds.
Changes that you make to a zone policy template configuration affect the policy construction phase. Using the WBM, you can enable, disable, or modify the zone policy templates to control the policies that the Guard creates during the policy construction phase.
The Guard uses several types of policy templates during the policy construction phase, each matching a different kind of service in the traffic flow. The name of a policy template is derived from the characteristic that is common to all the policies it creates, which can be a protocol such as Domain Name System (DNS), an application such as HTTP, or an objective such as ip_scan. For example, the policy template tcp_connections produces policies that relate to connections, such as the number of concurrent connections.
Table 6-1 describes the Guard policy template types.
Table 6-1 Policy Templates

| Policy template | Produces a set of policies relating to . . . |
|---|---|
| dns_tcp | DNS-TCP protocol traffic. |
| dns_udp | DNS-UDP protocol traffic. |
| fragments | Fragmented traffic. |
| http | HTTP traffic that flows, by default, through port 80 (or other user-configured ports). |
| ip_scan | IP scanning. A situation in which a client from a specific source IP address tries to access many destination IP addresses in the zone. This policy template is designed primarily for zones in which the IP address definition is a subnet. By default, this policy template is disabled. The default action for this policy template is notify. Note: The policies that are produced from this policy template are resource consuming and can affect your network's performance. |
| other_protocols | Non-TCP and non-UDP protocols. |
| port_scan | Port scanning. A situation in which a client from a specific source IP address tries to access many ports in the zone. By default, this policy template is disabled. The default action for this policy template is notify. Note: The policies that are produced from this policy template are resource consuming and can affect your network's performance. |
| tcp_connections | TCP connection characteristics. |
| tcp_not_auth | TCP connections that the Guard anti-spoofing feature has not authenticated. |
| tcp_outgoing | TCP connections initiated by the zone. |
| tcp_ratio | Ratios between different types of TCP packets, such as SYN packets versus FIN/RST packets. |
| tcp_services | TCP services on ports other than HTTP-related ports, such as ports 80 and 8080. |
| tcp_services_ns | TCP services. By default, the policies created by the tcp_services_ns template relate to IRC ports (666X), SSH, and Telnet. This policy template does not create policies with actions that apply the Strong protection level to the traffic flow. |
| udp_services | UDP services. |
The Guard includes additional policy templates for zones that were created from the GUARD_SIP zone template as described in Table 6-2.
Table 6-2 Specific Policy Templates

| Zone Template | Policy Template |
|---|---|
| GUARD_VOIP | sip_udp—Constructs a group of policies relating to Voice over IP (VoIP) sessions that use the Session Initiation Protocol (SIP) over UDP to establish the VoIP sessions and the Real-Time Transport Protocol/Real-Time Control Protocol (RTP/RTCP) to transmit voice data between the SIP endpoints after the sessions are established. |
Note: The Guard first checks for TCP traffic on the dedicated ports 6660 to 6670 and 21 to 23. If traffic is detected on these ports, the tcp_services_ns policy template constructs a group of policies, and the tcp_services policy template monitors TCP services on the other ports. If no traffic is detected on these ports, the tcp_services_ns policy template is not used. You can add services to policies that were created from the tcp_services_ns policy template.
Table 6-3 lists additional policy templates that are designed for zones for which you do not want the Guard to serve as a proxy. You can use these policy templates if the zone is controlled based on the IP addresses, such as an Internet Relay Chat (IRC) server-type zone, or if you do not know the type of services that are running on the zone.
If you define a zone with the GUARD_TCP_NO_PROXY zone template, the Guard uses the policy templates described in Table 6-3: it replaces the http, tcp_connections, and tcp_outgoing policy templates with the http_ns, tcp_connections_ns, and tcp_outgoing_ns policy templates. The http_ns, tcp_connections_ns, and tcp_outgoing_ns policy templates do not create policies with actions that require the Guard to apply the strong protection level to the traffic flow.
Table 6-3 TCP_NO_PROXY Policy Templates

| Policy template | Produces a group of policies relating to . . . |
|---|---|
| tcp_connections_ns | TCP connection characteristics. |
| tcp_outgoing_ns | TCP connections initiated by a zone. |
| http_ns | HTTP traffic flowing (by default) through port 80 or other user-configured ports. |
Modifying the Configuration of a Policy Template
During the learning process, the Guard analyzes the traffic that transparently flows through it. Each active policy template produces a group of policies based on the policy definitions and the zone traffic characteristics. The Guard ranks the services (protocol and port numbers) that the policy template monitors by traffic volume. It then selects the services that have the highest traffic volume and that have exceeded the defined minimum threshold, and it creates a policy for each selected service. Some policy templates also create an additional policy with a service of any to handle all traffic flows for which no specific policy was created.
You can modify policy template parameters as follows to manage the policy construction phase:
• Enable or disable the policy template. Only enabled policy templates can produce policies during the policy construction phase.
• Control when the policy template creates policies during the learning process based on the volume of traffic for a service.
• Define the maximum number of policies that the Guard can produce using the policy template during the policy construction phase.
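The selection procedure described above, as an added model in Python (example code, not Cisco Guard code): learned per-service rates are ranked by volume, filtered by the Min Threshold and capped by the Max Services parameters of Table 6-4, and an any policy is appended. The service names, rates and parameter values are constructed, and the adds_any_policy flag is an assumption standing in for the "some of the policy templates" that add an any policy.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class PolicyTemplate:
    name: str
    enabled: bool = True                  # State: enable / disable
    # Min Threshold in pps; None models templates whose threshold is not
    # configurable and that always create a policy when the traffic needs one.
    min_threshold: Optional[int] = None
    # Max Services; None models templates that monitor one fixed service
    # (dns_tcp on 53) or a traffic characteristic (fragments).
    max_services: Optional[int] = None
    # Assumption of this model: whether the template also adds a catch-all
    # policy with a service of "any" for flows no specific policy covers.
    adds_any_policy: bool = False


def construct_policies(template: PolicyTemplate,
                       observed_rates: Dict[str, int]) -> List[str]:
    """Return the services for which the template produces a policy.

    observed_rates maps a service (protocol/port) to its learned rate in pps.
    Rank by volume, drop rates at or below Min Threshold, cap at Max Services,
    then append an "any" policy if the template uses one.
    """
    if not template.enabled:              # disabled templates produce nothing
        return []
    ranked = sorted(observed_rates.items(), key=lambda kv: kv[1], reverse=True)
    if template.min_threshold is not None:
        ranked = [(svc, pps) for svc, pps in ranked if pps > template.min_threshold]
    if template.max_services is not None:
        ranked = ranked[:template.max_services]
    policies = [svc for svc, _ in ranked]
    if template.adds_any_policy:
        policies.append("any")
    return policies


# Constructed learning-phase sample for the ports tcp_services_ns watches by
# default (IRC 6660-6670 and 21-23); the rates are made up for this example.
SAMPLE_RATES = {"tcp/6667": 500, "tcp/22": 250, "tcp/23": 120, "tcp/21": 20}
TCP_SERVICES_NS = PolicyTemplate("tcp_services_ns", min_threshold=100,
                                 max_services=2, adds_any_policy=True)

if __name__ == "__main__":
    # -> ['tcp/6667', 'tcp/22', 'any']; tcp/23 exceeds the threshold but loses
    # the Max Services cut, so raising max_services to 3 would add it.
    print(construct_policies(TCP_SERVICES_NS, SAMPLE_RATES))
```

Comparing the output before and after changing max_services or min_threshold shows directly which services lose their own policy and fall under the any policy, which is the trade-off the memory note in Table 6-4 refers to.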
To modify the configuration of a policy template, perform the following steps:
Step 1 Choose a zone from the navigation pane. The zone main menu appears.
Step 2 From the zone main menu, choose Configuration > Policy templates > View. The Policy Templates screen appears.
Step 3 Choose a policy template. The Config Policy Template screen appears.
Step 4 Modify the desired parameters of the policy template. Table 6-4 describes the policy template parameters that are listed in the Policy Template form. Depending on the type of policy template selected, some or all of the parameters listed in the table are displayed for editing.
Table 6-4 Policy Template Parameters

| Parameter | Description |
|---|---|
| State | Operating state of the policy template. Choose one of the following options. enable—The Guard applies the policy template to the traffic flow during the policy construction phase of the learning process; when the Guard detects a service, it creates a new policy based on the rules of the policy template designed for that service. disable—The Guard does not apply the policy template to the traffic flow during the policy construction phase of the learning process; if the Guard detects a service associated with the disabled policy template, it does not create a new policy. Caution: Disabling a policy template may seriously compromise zone protection. When you disable a policy template, the Guard does not produce policies to manage the type of malicious traffic that the policy template is designed to manage. |
| Min Threshold | Minimum traffic volume for a service. When the service traffic rate exceeds the threshold, the Guard constructs policies that relate to the service traffic according to the particular traffic flow that exceeded the threshold. By setting the threshold, you can better adapt the protection operation to the known traffic volume of the zone services. You cannot configure the minimum threshold parameter for policy templates that are essential for proper traffic protection; these templates, such as tcp_services, udp_services, other_protocols, http, and fragments, always create a policy when required by the zone traffic. Enter the minimum threshold rate in packets per second (pps). When the template measures concurrent connections or the SYN/FIN ratio, the threshold value is the total number of connections. |
| Max Services | Maximum number of services (protocol numbers or port numbers) for which the policy template selects and creates policies. The Guard ranks the services that the policy template relates to by the level of traffic volume for each service. The Guard then selects the services that have the highest traffic volume and that have exceeded the defined minimum threshold (the Min Threshold parameter), and it creates a policy for each service. The Guard may add an additional policy with a service of any to handle all other traffic flows with the characteristics of the policy template. Note: The higher the maximum number of services, the more memory the zone uses. You can define the maximum number of services parameter only for policy templates that detect services: tcp_services, tcp_services_ns, udp_services, and other_protocols. You cannot define the maximum number of services for policy templates that monitor a specific service, such as dns_tcp, which monitors service 53, or for policy templates that relate to a specific traffic characteristic, such as fragments. The Guard measures the traffic rate of a service based on the policy traffic characteristic, which can be the source IP addresses or the destination IP addresses. A policy that monitors the service any measures the rate of source IP addresses across all services that are not handled by a specific policy, so its measurement is not precise. By limiting the number of services, you can configure the Guard policies to your preferred traffic flow requirements. |
Step 5 Choose one of the following options:
• OK—Saves the new policy template configuration. The Policy Template screen appears.
• Clear—Reverts the form information to the default values and clears any information that you added.
• Cancel—Exits the Config Policy Template screen without saving any information. The Policy Template screen appears.
To add or remove services from all policies that were created from a specific policy template, see the "Adding a Service" section or the "Deleting a Service" section.