Cisco Guard Configuration Guide (Software Version 6.0)
Index

Symbols

# (number sign) 11-8

* (wildcard) 2-6, 5-4, 11-8

A

AAA

accounting 3-13

authentication 3-5

authorization 3-11

configuring 3-4

aaa accounting command 3-13

aaa authentication command 3-5

aaa authorization command 3-11

accounting, configuring 3-13

action command 7-19

action flow 11-11

activation

activation-extent command 9-7

activation-interface command 9-4

interface 9-4

method 9-4

sensitivity 9-6

add-service command 7-9

admin privilege level 2-2, 3-7

always-accept 7-21

always-ignore 7-21

analysis protection level 1-5, 7-10

anomaly

detected 11-3

flow 11-8

anomaly detection engine memory usage 12-24, 12-25

anti-spoofing 1-2

anti-spoofing drop statistics 14-7

anti-zombie 1-3

arp command 12-26

attack-detection command 9-8

attack report

copying 11-12

detected anomalies 11-3

exporting 11-11, 11-12

exporting automatically 11-12

history 12-23

layout 11-1

malicious packets statistics 11-2

mitigated attacks 11-4

notify 11-8

statistics 11-2

timing 11-1

viewing 11-8, 14-4

attack reports

exporting 13-6

attack statistics 14-5

attack type

client 11-5

malformed packets 11-6

mitigated attack 11-9

user defined 11-6

zombie 11-5, 11-7

authentication, configuring 3-5

authorization

configuring 3-8, 3-9

disabling zone command completion 3-13, 5-6

auth packet types 7-11

automatic protect mode 1-5, 9-3, 10-1

B

bad packets to proxy drop statistics 14-7

banner

configuring login 3-29

basic

user filter actions 6-14

basic protection level 1-5, 7-10

Berkeley Packet filter 6-8

BGP

announcement A-13

Cisco router configuration example 4-6

configuration 4-2

configuration example 4-4

diverting method A-5

Guard configuration 4-3, 4-8

block dynamic filter actions 6-19

block-unauthenticated policy action 7-19

burn flash 13-9

bypass filter

command 6-11

configuring 14-4

definition 1-5, 6-2

deleting 6-13

displaying 6-12

C

capture, packets 12-12

caution

symbol overview 1-xix

clear counters command 2-12, 12-4

clear log command 12-9

CLI

changing prompt 3-25

command shortcuts 2-6

error messages 2-5

getting help 2-5

issuing commands 2-3

TAB completion 2-5

using 2-1

client attack 11-9

client attack mitigated attacks 11-5

command completion 3-13

command line interface

See CLI 2-1

command shortcuts 2-6

Common Firmware Environment (CFE) 13-9

comparator 6-3

config privilege level 2-2, 3-7

configuration

saving 4-1

configuration, accessing command mode 3-12

configuration file

copying 13-2

exporting 13-2

importing 13-4

viewing 12-1

configuration mode 2-2

configure command 2-7

constructing policies 8-4

copy commands

ftp running-config 13-4

log 12-6, 12-8

new-version 13-8

packet-dump 12-15

reports 11-12

running-config 5-11, 13-2

zone log 12-8

copy-from-this 5-5

copy guard-running-config command 5-10

copy login-banner command 3-30

copy-policies command 8-16

copy wbm-logo command 3-32

counters

clearing 2-12, 12-4

history 12-3

counters, viewing 12-3

cpu utilization 12-24

D

date command 3-21, 3-22

DDoS

attack classification 14-5

nonspoofed attacks 1-2

overview 1-2

spoofed attacks 1-2

zombies 1-3

deactivate command 9-11

deactivating commands 2-4

deactivating protection 9-8

default-gateway command 2-13

default zone 9-6

description command 5-6

detected

anomalies 11-3

flow 11-11

diff command 8-14

disable command 7-6

disabling

automatic export 13-6

disk usage 12-23

distributed denial of service

See DDoS

diversion A-2

BGP 4-1

BGP diverting method 4-3, A-5

dynamic next hop A-7

layer 2 topology A-4

layer 3 topology A-3

long diversion 4-22, A-4, A-12

static next hop A-6

troubleshooting 14-2

tunnel 4-20, A-11

divert-from router 4-6, A-1

DNS

detected anomalies 11-3

drop statistics 14-6, 14-7

TCP policy templates 7-2

drop

dynamic filter action 6-18

policy action 7-19

statistics 14-6

user filter action 6-14

dropped packets

learning 8-1

drop-statistics command 14-5

dst traffic characteristics 7-11

dynamic filter

1000 and more 6-20

actions 6-13, 6-18

command 6-21, 6-22

deactivating 6-23

definition 1-5

deleting 6-22, 14-3

displaying 6-19, 14-3

displaying events 12-7

inactivating 14-3

overview 6-2, 6-18

preventing production of 6-23

sorting 6-19

terminating 6-23

zone malicious rate 6-23

dynamic filters 10-1

dynamic privilege level 2-2, 3-7

E

enable

command 3-10, 7-6

password command 3-9

enabling services 3-2

event log

activating 12-6

deactivating 12-6

event monitor command 12-6

export

disabling automatic 13-6

export command 13-6

packet-dump 12-14

reports 11-12

exporting

configuration file 13-2

log file 12-8

reports automatically 11-12

exporting GUARD configuration 5-10

extracting signatures 12-18

F

facility 12-6

file-server

command 13-1

configuring 13-1

deleting 13-2

displaying 13-2, 13-6

file server, displaying sync-config 13-6

filter rate

termination threshold 6-23

filters

bypass 1-5, 6-11

dynamic 1-5, 6-2, 6-18

flex-content 1-5, 6-3

overview 6-1

user 1-5, 6-13

filter-termination command 6-23

fixed-threshold 7-15

flash-burn command 13-9

flex-content filter

configuring 6-4

default configuration 12-33

definition 1-5, 6-2

displaying 6-9

dropped 14-6

filtering criteria 6-3

renumbering 6-4

forwarding 4-6, A-6

Layer 2 4-7

layer 2 A-7

layer 3 A-8

PBR-DST 4-9

PBR VLAN A-9

policy based routing 4-9

VLAN VRF A-10

VPN routing 4-11

VRF A-8

VRF-VLAN 4-17

fragments

detected anomalies 11-3

policy template 7-2

G

generating signatures 12-18

global mode 2-2

global traffic characteristics 7-12

GRE

See tunnel 2-10

Guard

self protection 12-32

GUARD_DEFAULT 5-2

GUARD_LINK 5-2

GUARD_TCP_NO_PROXY 5-2

Guard configuration

resetting 13-12

GUARD configuration, exporting 5-10

GUARD configuration, importing 5-11

H

hijacking traffic A-1

history command 12-23

host, logging 12-7

host keys

deleting 3-20, 3-21

hostname

changing 3-25

command 3-25

HTTP

detected anomalies 11-3

policy template 7-2

hybrid 11-9

I

idle session, configuring timeout 3-33

idle session, displaying timeout 3-33

importing

configuration 13-4

GUARD configuration 5-11

in-band

configuring interface 2-8

incoming TCP drop statistics 14-6

injecting traffic A-1, A-14

inject-to router 4-6, A-1

in packet types 7-11

install new-version command 13-8

interactive

operation mode 10-3

policy status 7-21

interactive protect mode 1-5, 9-3, 10-1

interactive-status command 7-20

interface

activating 2-7, 2-9

clearing counters 2-12

command 2-8, 2-9, 2-10, 2-11

configuration mode 2-2

configuring 2-8

configuring IP address 2-8 to 2-10, 2-11

loopback 2-10

out-of-band 2-7

IP address

modifying, zone 5-8

ip address command 2-11

deleting 5-8

excluding 5-7

interface 2-8 to 2-10

zone 5-7, 9-3

IPIP

See tunnel 2-10

ip route command 2-13

IP scan

detected anomalies 11-3

policy template 7-2

IP threshold configuration 7-17

K

keepalive command 2-12

key command

add 3-21, 3-23

generate 3-25

remove 3-24

L

L2F 4-7, A-7

configuration 4-8

router configuration 4-8

land attack drop statistics 14-7

layer 2 topology A-4

layer 3 topology A-3

learning

command 8-5, 8-7

constructing policies 8-4

dropped packets 8-1

overview 8-1

policy-construction command 8-5

synchronizing results 8-3

terminating process 8-5, 8-7

threshold-tuning command 8-6

tuning thresholds 8-6

learning accept command 8-5, 8-7

learning params

threshold-selection command 8-9

learning-params

deactivating periodic action 8-7

deactivating periodic-action command 8-5

periodic-action command 8-5, 8-7, 8-9

threshold-multiplier command 7-15

threshold-selection command 8-7

threshold-tuned command 5-8, 8-10

learning-params fixed-threshold command 7-15

LINK templates 8-4

log

displaying subzones 9-8

log file

clearing 12-9

exporting 12-6, 12-8

history 12-23

viewing 12-8

logging, viewing configuration 12-7

logging command 12-6

login banner

configuring 3-29, 3-30

deleting 3-31

importing 3-30

login-banner command 3-30

logo, adding WBM 3-31

logo, deleting WBM 3-32

long diversion 4-22, A-4, A-12

Cisco router configuration 4-24

Guard configuration 4-23

loopback interface 2-10

M

malformed packets 11-9

mitigated attacks 11-6

malformed packets drop statistics 14-7

malicious packets statistics

attack report 11-2

malicious rate termination threshold 6-23

management

MDM 2-16

overview 2-14

SSH 2-17

WBM 2-15

max-services command 7-5

MDM

activating 2-16

memory consumption 12-23

memory usage, anomaly detection engine 12-24, 12-25

MIB, supported 3-2

min-threshold command 7-5

mitigated attacks

client attack 11-5

malformed packets 11-6

overview 11-4

spoofed 11-4

user defined 11-6

monitoring

network traffic 12-14, 12-15

MP

upgrading 13-8

MPLS LSP A-13

mtu command 2-8, 2-10, 2-11

N

netstat command 12-27

network server

configuring 13-1

deleting 13-2

displaying 13-2, 13-6

network server, displaying sync-config 13-6

new version

installing 13-8

upgrading 13-8

next hop discovery A-15

IGP + BGP A-17

next-hop router 4-6, A-1

no learning command 8-5, 8-7

non DNS drop statistics 14-7

nonspoofed attacks 1-2

no proxy policy templates 7-4

note

symbol overview 1-xix

notify 11-8

notify policy action 7-20

ns policy templates 7-4

NTP

enable service 3-22

permit 3-23

server 3-23

num_sources packet type 7-11

O

other protocols

detected anomalies 11-3

policy template 7-2

other protocols drop statistics 14-6

out_pkts packet types 7-11

outgoing TCP drop statistics 14-6

out-of-band

configuring interface 2-8

out-of-band interface 2-7

P

packet-dump

auto-capture command 12-11

automatic

activating 12-10

deactivating 12-11

displaying settings 12-11

exporting 12-14, 12-15, 13-6

signatures 12-19

packet-dump command 12-12

packets, capturing 12-12

password

changing 3-7

enabling 3-9

encrypted 3-7

resetting 13-10

PBR A-6, A-8

PBR-DST 4-9

Cisco router configuration 4-10

configuration 4-9

example 4-11

Guard configuration 4-10

PBR-VLAN

Guard configuration 4-15

PBR VLAN A-9

pending 10-1

pending dynamic filters 10-1, 10-2

displaying 10-3, 10-5

periodic action

accepting policies automatically 8-5, 8-7

deactivating 8-5, 8-7

permit

command 2-15, 2-16, 2-17, 3-3

user filter action 6-14

permit ssh command 3-21

ping command 12-30

pkts packet type 7-11

policy

action 7-12, 7-19, 7-20

activating 7-13

adding services 7-8

backing up current 7-24, 8-17

command 7-12

configuration mode 2-3

constructing 1-4, 8-2, 8-4

copying parameters 8-16

copy-policies 8-16

deleting services 7-9

disabling 7-13

inactivating 7-13

learning-params, fixed-threshold command 7-15

marking as tuned 5-8, 8-10

marking threshold as fixed 7-15

multiplying thresholds 7-16, 14-2, 14-3

navigating path 7-12

packet types 7-10

proxy threshold 7-18

show statistics 7-22

state 7-13

threshold 7-12, 7-14

threshold-list command 7-17

timeout 7-12, 7-18

traffic characteristics 7-11

tuning thresholds 1-4, 8-2, 8-6

using wildcards 7-12, 7-21, 7-23

viewing 14-3

viewing statistics 8-8

policy-based routing 4-9, A-6

policy set-timeout command 7-19

policy template

command 7-4, 7-6

configuration command level 7-4

configuration mode 2-3

displaying list 7-4

max-services 7-5

min-threshold 7-5

overview 7-2

parameters 7-4

state 7-6

policy-template add-service command 7-9

policy-template remove service command 7-9

port scan

detected anomalies 11-3

policy template 7-2

possible next-hop routers A-1

poweroff command 13-7

privilege levels 2-1

assigning passwords 3-9

moving between 3-10

protect

activating 2-14

automatic mode 1-5, 10-1

command 9-9

deactivating 9-11

deactivating automatically 9-8

entire zone 9-9

interactive mode 1-5, 9-3, 10-1

specific IP 9-10

specific ip address 9-10

specific zone IP 9-10

specific zone ip address 9-10

protect command 9-11

protection

activation sensitivity 9-6

protection-end-timer command 9-8

protection level

analysis 1-5, 7-10

basic 1-5, 7-10

strong 1-5, 7-10

protect learning command 8-6

protect-packet command 9-6

protocol traffic characteristics 7-12

proxy

command 2-14

configuring 2-14

no proxy policy templates 7-4

proxy-threshold command 7-18

public-key

displaying 3-25

R

rate-limit command 5-6, 6-11

Rate Limiter

dropped 14-6

rates

history 12-3

rates, viewing 12-3

reactivate-zones 13-7

reboot command 13-7

rebooting

parameters 13-7

recommendations 10-1

accepting 10-6

activating 10-3, 10-5

change decision 7-20

command 10-6

deactivating 10-3, 10-7

displaying 10-2

dynamic filters 10-1

ignoring 10-6

overview 10-1

receiving notification 10-2

viewing 10-4

viewing pending-filters 10-3, 10-5

redirect/zombie

dynamic filter action 6-19

policy action 7-20

reload command 13-6

remove service command 7-9

renumbering flex-content filters 6-4

renumbering user filters 6-15

replied packets 11-2

report

See attack report 11-1

reports

details 11-8

displaying subzones 9-8

exporting 13-6

reqs packet type 7-11

router configuration mode 2-2

routing table

GRM B-3

manipulation 2-13

viewing 2-14

zebra application B-3

RTP/RTCP 5-3

running-config

copy 5-11, 13-2, 13-4

show 12-1

S

saving configuration 4-1

self-protection command 12-33

service

adding 7-8

command 2-15, 2-16, 3-2

copy 8-16

deleting 7-9

MDM 2-16

permissions 3-3

snmp-trap 3-26

wbm 2-15

services

enabling 3-2

session, configuring timeout 3-33

session, displaying idle timeout 3-33

session timeout, disabling 3-33

session-timeout command 3-33

set-action 7-20

show commands

counters 12-3

cpu 12-24

diagnostic-info 12-21

disk-usage 12-23

drop-statistics 14-5

dynamic-filters 6-19, 14-3

file-servers 13-2, 13-6

flex-content-filter 6-9

host-keys 3-21

learning-params 7-15

log 12-8

log export-ip 12-7

logging 12-7

login-banner 3-30

memory 12-24

packet-dump 12-11

packet-dump signatures 12-19

policies 7-21, 14-2, 14-3

policies statistics 7-22, 8-8

public-key 3-25

rates 12-3, 14-1

recommendations 10-4

recommendations pending-filters 10-3, 10-5

reports 14-4

reports details 11-8

running-config 12-1

show 12-3

sorting dynamic-filters 6-19

sync-config file-servers 13-6

templates 5-4

zone policies 7-21

show privilege level 2-2, 3-7

show public-key command 3-25

shutdown command 2-9

signature

generating 12-18

SIP

detected anomalies 11-3

drop statistics 14-7

malformed packets 11-7

policy template 7-3

spoofed attacks 11-5

user filter action 6-14

snapshot

backing up policies 7-24, 8-17

command 8-13

comparing 8-14

deleting 8-16

displaying 8-15

save periodically 8-9

saving 8-13

snapshot command 8-12

SNMP

accessing 3-2

configuring trap generator 3-26

traps description 3-27

snmp commands

community 3-29

trap-dest 3-26

source IP

tunnel 2-11

specific IP threshold 7-17

speed command 2-8

spoofed attacks 1-2, 11-4, 11-9

src traffic characteristics 7-12

SSH

configuring 2-17

deleting keys 3-24

generating key 3-25

service 2-17

state command 7-13, 14-3

static route

adding 2-13

strong

dynamic filter action 6-18

policy action 7-19

protection level 1-5, 7-10

user filter action 6-14

sub zone 9-7

subzone

displaying logs and attack reports 9-8

syn_by_fin packet type 7-11

syns packet type 7-11

syslog

configuring export parameters 12-6

configuring server 12-7

message format 12-6

system log

message format 12-6

T

TACACS+

authentication

key generate command 3-19, 3-21

clearing statistics 3-17

configuring server 3-14

server connection timeout 3-16

server encryption key 3-15

server IP address 3-15

viewing statistics 3-17

tacacs-server commands

clear statistics 3-17

first-hit 3-14

host 3-14, 3-15

key 3-14, 3-15

show statistics 3-17

timeout 3-14, 3-16

TCP

detected anomalies 11-3

drop statistics 14-6, 14-7

no proxy policy templates 7-4

policy templates 7-2

templates

LINK 8-4

viewing policies 5-4

zone 5-2

thresh-mult 7-16, 14-2, 14-3

threshold

command 7-14

configuring IP threshold 7-17

configuring list 7-17

configuring specific IP 7-17

filter rate termination 6-23

malicious rate termination 6-23

marking as tuned 5-8, 8-10

multiplying 14-2, 14-3

multiplying before accepting 7-15

selection 8-13

setting as fixed 7-14

tuning 1-4, 8-2

threshold-list command 7-17

threshold selection 8-7

threshold tuning

save results periodically 8-9

time, configuring 3-21

timeout command 7-18

timeout session, configuring 3-33

timeout session, disabling 3-33

timesaver

symbol overview 1-xix

timezone 3-22

tip

symbol overview 1-xix

to-user-filters

dynamic filter action 6-18

policy action 7-19

traceroute command 12-29

traffic

monitoring 12-14, 12-15

traffic forwarding 4-6, A-6

traffic injection A-14

trap 12-6

trap-dest 3-26

tuning policy thresholds 8-6

tunnel

commands 2-11

configuring 2-10

GRE keepalive 2-11

tunnel diversion 4-20, A-11

Cisco router configuration 4-21

Guard configuration 4-21

U

UDP

detected anomalies 11-3

drop statistics 14-6

policy templates 7-3

unauthenticated drop statistics 14-6

unauth_pkts packet type 7-11

unauthenticated TCP detected anomalies 11-3

upgrading 13-8

MP 13-8

user

detected anomalies 11-3

user defined mitigated attacks 11-6

user filter

actions 6-13, 6-14, 6-18

command 6-4, 6-15

configuring 6-13

definition 1-5, 6-1

deleting 6-18

displaying 6-17

renumbering 6-15

username

encrypted password 3-7

username command 3-6

users

adding 3-6

adding new 3-6

assigning privilege levels 3-6

deleting 3-8

privilege levels 2-1, 3-9

system users

admin 2-7

riverhead 2-7

username command 3-6

V

VLAN

configuring 2-9

VLAN VPN routing forwarding 4-17

VLAN VRF A-10

Voice over IP

See VoIP

VoIP

detected anomalies 11-3

drop statistics 14-7

malformed packets 11-7

policy template 7-3

spoofed attacks 11-5

user filter action 6-14

zone template 5-3

VPN routing forwarding 4-11, A-6

VRF A-6, A-8

VRF-DST

Cisco router configuration 4-13

Guard configuration 4-12

VRF-VLAN 4-17

W

WBM

activating 2-15

WBM logo

adding 3-31

deleting 3-32

X

XML schema 11-12 to 11-14, 13-6

Z

zebra routing table B-3

zombie 11-9

packet counter 12-4

zombie attack 11-10

zombies 1-3

zone

blocking criteria 14-3

blocking flows 14-2

clearing counters 12-4

command 5-4, 5-5, 10-3

command completion 3-13, 5-6

comparing 8-14

configuration mode 2-3, 5-5

copying 5-5

creating 5-4

creating default 9-6

defining IP address 5-7

definition 5-1

deleting 5-4

deleting IP address 5-8

duplicating 5-5

excluding IP address 5-7

IP address 5-7

learning 8-1

LINK templates 8-4

malicious rate 9-8

modifying IP address 5-8

operation mode 5-4

protecting 9-1

reconfiguring 5-5

sub 9-7

synchronize configuration 5-8

synchronizing offline 5-10

templates 5-2

viewing configuration 5-7

viewing policies 7-21

viewing status 12-2

zone-malicious-rate 6-23

zone policy

marking as tuned 5-8, 8-10

zone protection

terminating 9-11

zone synchronization 8-3