Cisco Guard Web-Based Manager Configuration Guide (Software Version 6.1)
Managing Zone Policies


Managing Zone Policies


This chapter describes how to modify the policies of a zone configuration and how to manually tune the protection capabilities of the zone configuration on the Cisco Guard (Guard).

This chapter contains the following sections:

Understanding Zone Policies

Viewing Zone Policies

Modifying Policy Parameters

Configuring IP Addresses and Thresholds

Adding or Deleting a Service

Backing Up the Zone Policies

Understanding Zone Policies

The zone policies enable the Guard to perform a statistical analysis of the zone traffic flow. Depending on the type of policy, a policy monitors traffic for one of the following traffic characteristics:

Traffic rate—Rate of traffic measured in packets per second or packets per hour. Policies that monitor traffic in packets per hour, or PPH policies, are used to monitor zone traffic for low rate zombie attacks that can last for hours or days. For more information on PPH policies, see the "Modifying Policy Parameters" section.


Note Only zone configurations that you create using the 6.1 software release will contain PPH policies. Zones that you created using a previous software version will not contain PPH policies.


Connections—Number of concurrent connections.

Packet ratio—Ratio of one packet type to another.

A zone policy identifies a traffic flow as malicious or abnormal when the flow exceeds the policy threshold, at which time the policy creates filters dynamically (dynamic filters) to protect the traffic flow according to the severity of the attack. You can configure the policy threshold and the action that the policy takes when it detects an anomaly.

Viewing Zone Policies

To view the policies of a zone configuration, perform the following steps:


Step 1 Choose a zone from the navigation pane. The zone main menu appears.

Step 2 From the zone main menu, choose Configuration > Policies > View. The Policies screen appears (see Figure 8-1).

Step 3 (Optional) Set a screen filter to display only the policies that you want to view or configure as follows:

a. Click Set screen filter. The Policy Filter window opens.

b. Configure the screen filters to use, and then click OK. Table 8-1 describes the screen filter parameters listed in the Policy Filter window. Choose the desired display parameters from the corresponding drop-down lists.

To change multiple filter parameters, begin from the top and work your way down the parameters of the Policy Filter window. You must start from the top because when you change one of the filtering parameters, all the parameters listed below it are automatically reset to their default setting.

Table 8-1 Policy Filter Parameters 

Parameter
Restricts the display to . . .

Policy template

Policies that were created from the selected policy template.

Service

Policies that were created for the selected service.

Protection level

Policies of the selected protection level.

Type

Policies of the selected packet type.

Policy

Policies of the selected key.

State

Policies of the selected operating state.

Action

Policies configured with the selected action.

Policies

Policies of the current configuration or of a snapshot (if available).


A partial list of the policies that meet the criteria that you specified is displayed. The details of the selected path, state, and action are displayed in the Screen Filter frame.

Step 4 (Optional) To view the details of a single policy only or to modify a policy configuration, click the Key type of the desired policy. The Policy Details screen appears. See the "Modifying Policy Parameters" section for information about modifying a policy configuration.


Figure 8-1 contains a sample of the Policy screen.

Figure 8-1 Policy Table

Table 8-2 describes the fields in the Policy table.

Table 8-2 Field Descriptions for Policy Table 

Field
Description

Policy Template

Policy template that the Guard used to construct the policy. Each policy template relates to specific traffic characteristics that the Guard requires to protect against a specific Distributed Denial of Service (DDoS) threat.

Service

Service in the traffic flow that the policy monitors. A service is either a port number or a protocol number. See the "Adding or Deleting a Service" section for more information.

The Guard displays a service value of any for all traffic that does not specifically match other services created from the same policy template.

Level

Protection level that the policy applies to the traffic flow.

There are three protection levels:

Analysis

Basic

Strong

Type

Packet types that the Guard monitors.

Packet type values are as follows:

auth_pkts—Packets for which either a TCP handshake or UDP authentication was performed.

auth_tcp_pkts—Packets for which a TCP handshake was performed.

auth_udp_pkts—Packets for which UDP authentication was performed.

in_nodata_conns—Zone incoming connections that have no data transfer on the connection (packets without a data payload)

in_conns—Zone incoming connections.

in_pkts—Zone incoming Domain Name System (DNS) query packets.

in_unauth_pkts—Zone incoming unauthenticated DNS queries.

num_sources—Packets that have TCP source IP addresses that are destined to the zone and that have been authenticated by the Guard anti-spoofing functions.

out_pkts—Zone incoming DNS reply packets.

reqs—Request packets with data payload.

reqs_pph—Request packets with data payload (measured in packets per hour). A policy with this packet type is designed to monitor the zone traffic for low rate zombie attacks. PPH policies by default are set to the disabled state when you create a new zone because they may increase the amount of memory used by the zone and also affect Guard performance. To enable the zone PPH policies, you must change the policy states to active (see the "Modifying Policy Parameters" section).

syns—Synchronization packets (TCP SYN flagged packets).

syns_pph—Synchronization packets (TCP SYN flagged packets that are measured in packets per hour). A policy with this packet type is designed to monitor the zone traffic for low rate zombie attacks. PPH policies by default are set to the disabled state when you create a new zone because they may increase the amount of memory used by the zone and also affect Guard performance. To enable the zone PPH policies, you must change the policy states to active (see the "Modifying Policy Parameters" section).

syn_by_fin—SYN and FIN flagged packets. The Guard verifies the ratio between the number of SYN flagged packets and the number of FIN flagged packets.

unauth_pkts—Packets that did not undergo a TCP handshake.

pkts—All packet types that do not fall under any other category in the same protection level.

Key

Traffic characteristic that was used to aggregate the policies. Click the key name to view the details.

Key name values are as follows:

dst_ip—Traffic destined to a zone IP address.

dst_ip_ratio—Ratio of SYN and FIN flagged packets destined to a specific IP address.

dst_port_ratio—Ratio of SYN and FIN flagged packets destined to a specific port.

global—Summation of all traffic flows as defined by the other policy sections.

src_ip—Traffic destined to the zone aggregated according to the source IP address.

dst_port—Traffic destined to a specific zone port.

protocol—Traffic destined to the zone aggregated based on the protocol.

src_ip_many_dst_ips—Traffic from a single IP address that probes a large number of zone IP addresses on the same port. This key is used for IP scanning.

src_ip_many_ports—Traffic from a single IP address that probes a large number of ports on a zone destination IP address. This key is used for port scanning.

State

Operating state of the policy. The policy operates in one of the following states:

Active—The Guard applies the policy to the traffic flow. The policy executes an action when the traffic flow exceeds the policy threshold.

Inactive—The Guard applies the policy to the traffic flow. The policy does not execute an action when the traffic flow exceeds the policy threshold.

Disabled—The Guard does not apply the policy to the traffic flow.

Action

Action assigned to the policy. The policy executes the action when the traffic flow exceeds the policy threshold. See the "Modifying Policy Parameters" section for more information.

Threshold

Policy threshold traffic rate. When the traffic flow exceeds the policy threshold, the policy executes its assigned action. You can configure the policy threshold manually or allow the Guard to configure it during the threshold tuning phase of the learning process.

By default, the threshold is set to a value appropriate for on-demand protection.

Proxy Threshold

Threshold for the HTTP proxy client. The proxy threshold defines the traffic rate for clients that connect to the zone over HTTP through proxies. You configure the proxy threshold using the CLI.

Threshold List

Number of entries in a threshold list for a particular policy. A dash (-) indicates that you cannot configure a threshold list for the policy.

Timeout

Minimum amount of time that the policy applies its assigned action to the traffic flow. When the timeout expires, the Guard determines whether or not to deactivate the dynamic filter produced by the policy. The timeout value can be set to never.

Fixed

Policy threshold operating status. A check mark indicates the threshold is a fixed value that cannot be modified during the threshold tuning phase of the learning process. An x indicates that the threshold value is not fixed, which means that the Guard can modify the policy threshold during the threshold tuning process.

Learning Multiplier

Factor by which the Guard multiplies the threshold when it accepts the results of the threshold tuning phase.

Detection Time

Parameter that defines the time period over which a PPH policy calculates the average packet rate. PPH policies are policies that monitor zone traffic for low rate zombie attacks and measure traffic rate in packets per hour rather than packets per second (see the "Understanding Zone Policies" section).


Modifying Policy Parameters

This section describes how to modify policy parameters. You can modify a zone policy only when the Guard is not learning the zone traffic or protecting the zone. You can modify the parameters of a single policy or modify the parameters of several policies simultaneously.


Note Changes that you make to a policy parameter may be lost if you perform the policy construction phase after changing the parameter because when you accept the results of the policy construction phase, the Guard replaces the current zone policies with the new policies.


To modify the policy parameters, perform the following steps:


Step 1 Choose a zone from the navigation pane. The zone main menu appears.

Step 2 From the zone main menu, choose Configuration > Policies > View. The Policies screen appears.

Step 3 Choose the policies to configure as follows:

To configure a single policy, click the Key type of the desired policy (the Policy Details screen appears), and then click Config (which is located under the Learning Parameters table). The Zone Policy Form appears.

To configure a group of policies, check the check box next to the policies that you want to reconfigure, and then click Config Selection. The Zone Policy Parameter Form appears.

The Multiple value for a policy section specifies that the policy section does not have the same value in all the policies that you selected.

Step 4 Reconfigure the desired policy parameters and then click OK.

If you leave the field of a policy parameter blank, the Guard does not change the value of the parameter in the policies that you selected.

Table 8-3 describes the policy parameters in the Zone Policy form and the Zone Policy Parameter form.

Table 8-3 Zone Policy Parameter Form and Zone Policy Form 

Parameter
Description

State

The state of the policy. Possible values are as follows:

active—The Guard applies the policy to the traffic and the policy executes its assigned action when the traffic exceeds the policy threshold.

inactive—The Guard applies the policy to the traffic, but the policy does not execute its assigned action when the traffic exceeds the policy threshold.

disabled—The Guard does not apply the policy to the traffic.


Caution Setting the policy state to inactive or disabled may compromise zone protection. When you set the policy state to disabled, the enabled zone policies assume responsibility for the traffic that was managed by the disabled policy. After you disable a policy and before the Guard performs zone protection, you must perform the threshold tuning phase to update the thresholds of the enabled policies.

Action

Action that the policy executes when the traffic exceeds the policy threshold.

Configure the policy action so that it enhances the protection that the policy defines. For example, configure the policy action to to-user-filters for policies with a protection level of analysis, or configure the policy action to filter/drop for policies with a protection level of strong. Do not configure the policy action so that it reduces the protection level that the policy defines. For example, do not configure the policy action to to-user-filters for policies with a protection level of basic or strong.

Choose a policy action from the drop-down list:

notify—Notifies you when the traffic exceeds the policy threshold.

block-unauthenticated—Adds a filter that blocks traffic that was not authenticated by the anti-spoofing functions, such as an ACK with no prior handshake.

Configure this policy action for policies with a packet type of in_unauth_pkts and unauth_pkts only.

to-user-filters—Adds a filter directing the traffic to the user filters.

Configure this policy action for policies with a protection level of analysis.

filter/strong—Adds a filter that applies the strong protection level to the traffic flow.

Configure this policy action for policies with a protection level of analysis and basic. We recommend that you use this policy action on TCP (incoming) policies with traffic characteristics of src_ip only and do not use it on policies with traffic characteristics of global because it may cause network problems in networks that use a load balancer or an access control list to manage traffic.

filter/drop—Adds a filter that directs the Guard to drop the specified traffic.

Configure this policy action for policies that monitor traffic after the Guard has applied the anti-spoofing functions (policies with a protection level of basic and strong). We do not recommend that you use this action for policies with a protection level of analysis because this action may cause the Guard to consume all the Guard filters when mitigating a spoofed attack.

redirect/zombie—Adds a filter that enhances authentication for all user filters with an action of redirect.

This policy action applies to the tcp_connections/any/basic/num_sources/global policy only.

Threshold

Threshold traffic rate for the policy. When the traffic exceeds the threshold, the policy executes an action to protect the zone.

You can configure the threshold for a single policy only.

The threshold is measured in packets per second (pps) except for policies that are constructed from the following policy templates:

num_sources—Unit of measurement is the number of IP addresses or ports.

tcp_connections—Unit of measurement is the number of connections.

tcp_ratio—Unit of measurement is the ratio number.

Threshold multiplier

Factor by which the thresholds of the policies are increased or decreased.

You can configure a threshold multiplier for a group of policies only.

Enter a factor to increase or decrease the thresholds of the policies when the thresholds are not appropriate for the zone traffic.

Note The new value may change in subsequent threshold tuning phases if you do not set it as fixed.

Timeout

Minimum time for dynamic filters that are produced by the policy to apply their action. Enter the timeout value in seconds.

Detection Time

(PPH policies only) Time period over which a PPH policy calculates the average packet rate. The default is one hour, but you may want to increase the detection time when you need a longer sampling period in which to discern malicious traffic from legitimate traffic. For example, it is possible for a legitimate user and an attacker to send the same number of packets during a one-hour time period. Over a two-hour time period, however, the legitimate user may stop sending traffic, resulting in a lower traffic rate, while the traffic rate of the persistent attacker will remain high. See the "Understanding Zone Policies" section for more information about PPH policies.

You define the detection time in hours. Enter a value from 1 to 48. The default is 1.

Learning parameters

Manner in which the Guard accepts the results of a threshold tuning phase and modifies the policy threshold.

To configure the learning parameters, check the Learning parameters check box. You can configure the following learning parameters:

Set as fixed—Defines the current threshold of the policy as a fixed value. When the Guard accepts the results of a threshold tuning phase, it does not modify this policy threshold.

Learning multiplier—Calculates a new policy threshold by multiplying the learned threshold by the specified multiplier before accepting the results of subsequent threshold tuning phases. The Guard accepts the results of the threshold tuning phase using the configured threshold selection method. Enter a real positive number (a floating point number with 2 decimal places) by which the policy threshold is multiplied. Enter a number less than 1 to decrease the policy threshold.
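The following Python model is an added illustration and is not Guard code; it shows how the state, threshold, detection time and learning parameters described in Table 8-3 interact. The policy path format (template/service/level/type/key) follows the columns of the Policy table, the sample path tcp_services/80/basic/reqs_pph/src_ip and the hourly packet counts are constructed, and the two-hour scenario reproduces the detection-time example from the table.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Policy states as listed in Table 8-3 (hypothetical model, not Guard code)
ACTIVE, INACTIVE, DISABLED = "active", "inactive", "disabled"


@dataclass
class ZonePolicy:
    """One zone policy row; the path is template/service/level/type/key,
    e.g. tcp_connections/any/basic/num_sources/global."""
    path: str
    state: str
    action: str
    threshold: float              # pps, or connections/ratio/count for the non-pps templates
    fixed: bool = False           # "Set as fixed": tuning results do not modify the threshold
    learning_multiplier: float = 1.0
    detection_time_hours: int = 1  # PPH policies only; the guide allows 1 to 48

    def is_pph(self) -> bool:
        # the packet type is the fourth path component (reqs_pph, syns_pph)
        return self.path.split("/")[3].endswith("_pph")

    def observed_rate(self, hourly_counts: List[int]) -> float:
        """Average packets per hour over the last detection_time_hours samples
        (PPH policies only); hourly_counts is one flow's per-hour count, oldest first."""
        if not self.is_pph():
            raise ValueError("non-PPH policies are measured in pps; pass the pps value directly")
        if not 1 <= self.detection_time_hours <= 48:
            raise ValueError("detection time must be between 1 and 48 hours")
        if len(hourly_counts) < self.detection_time_hours:
            raise ValueError("not enough hourly samples for the detection window")
        window = hourly_counts[-self.detection_time_hours:]
        return sum(window) / self.detection_time_hours

    def evaluate(self, rate: float) -> Tuple[bool, Optional[str]]:
        """Return (anomaly_detected, action_executed) for a measured rate.
        disabled: policy not applied; inactive: threshold checked but no action;
        active: the assigned action runs when the threshold is exceeded."""
        if self.state == DISABLED:
            return False, None
        exceeded = rate > self.threshold
        if not exceeded or self.state == INACTIVE:
            return exceeded, None
        return True, self.action

    def accept_tuning(self, learned_threshold: float) -> float:
        """Apply a threshold tuning result, honouring fixed and the learning multiplier."""
        if not self.fixed:
            self.threshold = round(learned_threshold * self.learning_multiplier, 2)
        return self.threshold


def apply_threshold_multiplier(policies: List[ZonePolicy], factor: float) -> None:
    """Group edit from the Zone Policy Parameter form: scale every selected threshold."""
    if factor <= 0:
        raise ValueError("threshold multiplier must be positive")
    for policy in policies:
        policy.threshold = round(policy.threshold * factor, 2)


# Constructed sample data for the detection-time scenario in Table 8-3: in hour 1 a
# legitimate client and a persistent attacker each send 600 request packets; in hour 2
# the legitimate client goes quiet while the attacker keeps going.
LEGIT_CLIENT_HOURLY = [600, 0]
ATTACKER_HOURLY = [600, 600]


def detection_time_comparison(threshold: float = 500.0):
    """Which flows trigger a PPH policy with a 1-hour versus a 2-hour detection time."""
    policy = ZonePolicy("tcp_services/80/basic/reqs_pph/src_ip", ACTIVE, "filter/drop", threshold)
    results = {}
    for hours in (1, 2):
        policy.detection_time_hours = hours
        # evaluate at the end of hour `hours`, i.e. over the samples collected so far
        results[hours] = {
            "legit": policy.evaluate(policy.observed_rate(LEGIT_CLIENT_HOURLY[:hours])),
            "attacker": policy.evaluate(policy.observed_rate(ATTACKER_HOURLY[:hours])),
        }
    return results
```

With a one-hour detection time both flows exceed 500 pph and trigger filter/drop; with two hours the legitimate client averages 300 pph and only the attacker is caught.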



Configuring IP Addresses and Thresholds

To avoid false attack detections by the Guard when traffic increases on a known high traffic source or destination IP address, you can configure a policy with a threshold for traffic that is associated with that IP address. Add an IP address and threshold to a policy for the following network applications:

High volume source IP address—When the zone normally receives a high volume of traffic from a specific source IP address, you can configure a policy with a threshold that the Guard applies to traffic that originates from the source IP address.

High volume destination IP address—When you define a zone with two or more IP addresses and sections of the zone normally receive a high volume of traffic, you can configure a policy with a threshold that the Guard applies to traffic that targets the destination IP address within the zone.

You can configure IP thresholds only for the following policies:

Policies with traffic characteristic of the destination IP address (dst_ip).

Policies with traffic characteristics of the source IP address (src_ip) where the default policy action is drop. The default policy action is the action that the Guard applies to the policy when you create a new zone. You can configure the threshold list for such policies even if you change the policy action.

You can configure a maximum of 10 IP addresses and thresholds for each policy.

This section contains the following topics:

Adding an IP Address and Threshold

Deleting an IP Address and Threshold

Adding an IP Address and Threshold

To add an IP address and threshold to a policy, perform the following steps:


Step 1 Choose a zone from the navigation pane. The zone main menu appears.

Step 2 From the zone main menu, choose Configuration > Policies > View. The Policies screen appears.

Step 3 Click the Key type (located under the Key column) of the policy that you want to configure. The Policy Details screen appears.

Step 4 Click Add (located under the Threshold list table). The Add Threshold IP Entry screen appears.

Step 5 Define the source or destination IP address and the threshold value. Table 8-4 describes the parameters in the Threshold IP Entry form.

Table 8-4 Threshold IP Entry Form

Parameter
Description

IP

IP address. Enter the source or destination IP address.

Threshold

IP address traffic threshold. When the traffic exceeds the threshold, the policy executes its configured action. Enter the threshold value in packets per second (pps) except for the following policy types:

tcp_connections—Unit of measurement is the number of connections.

tcp_ratio—Unit of measurement is the ratio number.


Step 6 Choose one of the following options:

OK—Saves the policy IP address information to the zone configuration. The Threshold IP Entry form closes and the Policy details screen appears, displaying any policy configuration changes.

Clear—Clears any information that you added to the Threshold IP Entry form.

Cancel—Exits the Threshold IP Entry form without making any changes to the policy configuration.
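As an added illustration (not Guard code), the following Python model captures the rules this section states for a policy threshold list: only dst_ip policies, or src_ip policies whose default action is drop, may carry one; at most 10 entries per policy; and an entry's threshold replaces the policy threshold for traffic to or from that IP address. The class and function names are hypothetical, the "filter/drop" value is assumed to be the action the guide calls drop, and the IP addresses and rates are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Dict

# Per-policy limit from the guide ("a maximum of 10 IP addresses and thresholds for each policy")
MAX_THRESHOLD_ENTRIES = 10


@dataclass
class PolicyThresholdList:
    """Threshold list of one policy (hypothetical model, not Guard code).

    key            policy key, e.g. dst_ip or src_ip
    default_action action the Guard assigned when the zone was created; the guide
                   calls it "drop", assumed here to be the filter/drop action value
    threshold      the policy's own threshold, used when no entry matches
    """
    key: str
    default_action: str
    threshold: float
    entries: Dict[str, float] = field(default_factory=dict)

    def supports_threshold_list(self) -> bool:
        # dst_ip policies always qualify; src_ip policies only when their default action is drop
        if self.key == "dst_ip":
            return True
        return self.key == "src_ip" and self.default_action == "filter/drop"

    def add(self, ip: str, threshold: float) -> None:
        """Mirror the Add Threshold IP Entry form while enforcing the guide's constraints."""
        if not self.supports_threshold_list():
            raise ValueError(f"policies with key {self.key} cannot have a threshold list")
        addr = str(ip_address(ip))          # raises ValueError on a malformed address
        if threshold <= 0:
            raise ValueError("threshold must be a positive rate")
        if addr not in self.entries and len(self.entries) >= MAX_THRESHOLD_ENTRIES:
            raise ValueError(f"threshold list already holds {MAX_THRESHOLD_ENTRIES} entries")
        self.entries[addr] = float(threshold)

    def delete(self, ip: str) -> bool:
        """Delete one entry; returns False if it was not present."""
        return self.entries.pop(str(ip_address(ip)), None) is not None

    def threshold_for(self, ip: str) -> float:
        """Threshold the policy applies to traffic for this source or destination IP."""
        return self.entries.get(str(ip_address(ip)), self.threshold)

    def exceeds(self, ip: str, rate: float) -> bool:
        """True when the measured rate for this IP is above the threshold that applies to it."""
        return rate > self.threshold_for(ip)


def known_high_volume_source_demo() -> Dict[str, bool]:
    """Constructed scenario: a src_ip policy at 1000 pps plus one known bulk sender at 5000 pps."""
    policy = PolicyThresholdList("src_ip", "filter/drop", 1000.0)
    policy.add("192.0.2.10", 5000.0)     # documentation address standing in for the bulk sender
    return {
        "bulk sender at 1500 pps": policy.exceeds("192.0.2.10", 1500.0),  # under its own 5000 pps
        "other host at 1500 pps": policy.exceeds("192.0.2.11", 1500.0),   # over the policy's 1000 pps
    }
```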


Deleting an IP Address and Threshold

To delete a policy IP address and threshold, perform the following steps:


Step 1 Choose a zone from the navigation pane. The zone main menu appears.

Step 2 From the zone main menu, choose Configuration > Policies > View. The Policies screen appears.

Step 3 Click the Key type of the desired policy. The Policy Details screen appears.

Step 4 Check the check box of the IP listing or listings that you want to delete from the Threshold list table.

Step 5 Click Delete. The modified policy configuration information is saved to the zone configuration.


Adding or Deleting a Service

You can manually add a service (application port or protocol) to the zone configuration that the Guard did not discover during the policy construction phase. We recommend that you define specific policies for the zone main services to obtain protection that is most suited for the zone.


Caution Do not add the same service (port number) to more than one policy because it may decrease your network's performance.

When you add or delete a service from the zone policies, the Guard marks the zone policies as untuned. Because the zone is untuned, the Guard cannot protect the zone when you activate Protect and Learn until you perform one of the following actions:

Perform the threshold tuning phase of the learning process and accept the results (see the "Starting the Threshold Tuning Phase" section in Chapter 7, "Learning Zone Traffic").

Mark the zone as tuned (see the "Marking the Zone Policies as Tuned or Untuned" section in Chapter 7, "Learning Zone Traffic").

This section contains the following topics:

Adding a Service

Deleting a Service

Adding a Service

You can add services to all policies that were created from a specific policy template. The Guard adds the new service to the services that it discovered during the policy construction phase and configures the new service with a default threshold value. You can define the threshold manually, but we recommend that you run the threshold tuning phase of the learning process to tune the policies to the zone traffic.

You can add a new service to policies that were created from the following policy templates:

tcp_services, udp_services, tcp_services_ns

The service designates a port number.

other_protocols

The service designates a protocol number.


Note If you activate the policy construction phase after adding a service, new services may override the service that you added manually.


You may need to manually add a service for the following reasons:

A new application or service was added to the zone network, but you do not want to activate the policy construction phase to add the service to the zone configuration.

You did not allow the policy construction phase to run long enough to detect all of the network services. For example, you may know of applications or services that are active only once a week or during the night when you do not have the policy construction phase activated.

To add a service to a policy type, perform the following steps:


Step 1 Choose a zone from the navigation pane. The zone main menu appears.

Step 2 Use one of the following methods to initiate the Add Service process:

From the zone main menu, choose Configuration > Policy Templates > Add Service.

From the zone main menu, choose Configuration > Policies > View, and then click Add service in the Policies screen.

From the zone main menu, choose Configuration > Policy templates > View, and then click Add service in the Policies Templates screen.

The Add Service Step 1 screen appears.

Step 3 From the Policy Template list, choose a policy template and then click Next. The Add Service Step 2 screen appears.

See the "Understanding Policy Templates" section in Chapter 6, "Configuring Policy Templates" for information about policy template types.

Step 4 Enter the new service in the Add Service Form.

Step 5 Choose one of the following options:

OK—Adds the new policies for the service to the zone configuration. The Guard marks the zone policies as untuned. The policies of the new service are configured with the default threshold values.

Clear—Clears the Add Service form information.

Cancel—Exits the Add Service form without adding any new service to the zone configuration.

Step 6 (Optional) Define the thresholds of the new policies. You can define the threshold manually, but we recommend that you run the threshold tuning phase of the learning process to tune the policies to the zone traffic. See the "Starting the Threshold Tuning Phase" section in Chapter 7, "Learning Zone Traffic" for more information.


You can mark the zone policies as tuned even if you do not run the threshold tuning phase of the learning process. See the "Marking the Zone Policies as Tuned or Untuned" section in Chapter 7, "Learning Zone Traffic" for more information.

Deleting a Service

You can delete a specific service for any policy template. The Guard deletes the service from all policies that were created from the specific policy template.


Caution If you delete a service, the zone policies cannot monitor the traffic of that service, which may compromise zone protection.

You can remove services from the following policy templates:

tcp_services, udp_services, tcp_services_ns

The service designates a port number.

other_protocols

The service is a protocol number.

If you do not activate the policy construction phase of the learning process, you may need to manually remove a service for the following reasons:

An application or service was removed from the network.

An application or service was identified during the policy construction phase but you do not want to enable it because it is uncommon for the network environment.


Note If you activate the policy construction phase after removing a service, the Guard may add the same service once again.


To delete a service from a policy, perform the following steps:


Step 1 Choose a zone from the navigation pane. The zone main menu appears.

Step 2 Use one of the following methods to initiate the Remove Service process:

From the zone main menu, choose Configuration > Policy Templates > Remove service.

From the zone main menu, choose Configuration > Policies > View, and then click Remove service in the Policies screen.

From the zone main menu, choose Configuration > Policy templates > View, and then click Remove service in the Policies Templates screen.

The Remove service screen appears.

Step 3 Choose the service that you want to remove from the list, and then click Delete. The delete verification screen appears.

Step 4 Choose one of the following options:

OK—Removes the selected service from the zone configuration. The Guard marks the zone as untuned.

Cancel—Exits the Remove Service form without removing any service from the zone configuration.

Step 5 (Optional) Change the zone configuration from untuned to tuned after deleting a service by performing one of the following actions:

Perform the threshold tuning phase of the learning process and accept the phase results (see the "Starting the Threshold Tuning Phase" section in Chapter 7, "Learning Zone Traffic").

Mark the zone as tuned (see the "Marking the Zone Policies as Tuned or Untuned" section in Chapter 7, "Learning Zone Traffic").


Backing Up the Zone Policies

You can use the snapshot feature to create a backup of the current zone policies.

To back up the zone policies, perform the following steps:


Step 1 From the navigation pane, choose a zone that is not currently in a learning phase. The zone main menu appears.

Step 2 From the zone main menu, choose Learning > Snapshot. The Create Snapshot screen appears.

Step 3 Enter a name for the snapshot in the Snapshot name field, and then click OK. The Guard saves the zone policies and assigns a consecutive ID number to the snapshot.