Table Of Contents
Creating and Configuring Zones
Understanding Zones
Understanding Zone Protection Activation Methods and Coverage Options
Understanding the Protection Activation Methods
Understanding the Extent of Zone Protection
Understanding Subzones
Creating a Zone
Creating a Zone from a Zone Template
Creating a Zone from an Existing Zone
Configuring the Zone IP Address Range
Adding an IP Address to the Zone IP Address Range
Deleting an IP Address from the Zone IP Address Range
Updating the Zone Policies
Viewing and Modifying a Zone Configuration
Deleting a Zone
Creating and Configuring Zones
This chapter describes how to create and manage zones on the Cisco Guard (Guard).
This chapter refers to the Cisco Traffic Anomaly Detector (Detector), the companion product of the Guard. The Detector is a Distributed Denial of Service (DDoS) attack detection device that analyzes a copy of the zone traffic. The Detector can activate the Guard attack mitigation services when the Detector determines that the zone is under attack. The Detector can also synchronize zone configurations with the Guard. For more information about the Detector, see the Cisco Traffic Anomaly Detector Module Configuration Guide and Cisco Traffic Anomaly Detector Configuration Guide.
This chapter contains the following sections:
• Understanding Zones
• Understanding Zone Protection Activation Methods and Coverage Options
• Creating a Zone
• Configuring the Zone IP Address Range
• Viewing and Modifying a Zone Configuration
• Deleting a Zone
Understanding Zones
A zone is a network element that you define and that the Guard protects against Distributed Denial of Service (DDoS) attacks. A zone can be any combination of the following elements:
• A network server, client, or router
• A network link, subnet, or an entire network
• An individual Internet user or a company
• An Internet Service Provider (ISP)
The Guard can protect different zones simultaneously if their network address ranges do not overlap.
The zone configuration includes the following attributes:
• Zone description—Defines the zone name and description.
• Zone network definition—Defines the zone network attributes, which include the zone network IP address and subnet mask.
• Policy templates—Define the types of policies that the Guard creates when performing the learning process.
• Policies—Analyze the zone traffic and execute an action when the Guard identifies an anomaly in the zone traffic. The zone policies can be the default policies that came with the zone template or zone-specific policies that the Guard created during the learning process.
• Zone filters—Direct the zone traffic to the required protection level and define how the Guard handles specific traffic flows.
You can create a zone by using one of the following methods:
• Use a predefined zone template—You can create a new zone using one of the predefined zone templates, which configures the zone with a set of default policies and filters. You can use a zone with the default policies for on-demand protection. After you create a new zone, you must configure the zone attributes.
• Use an existing zone as a template—You can create a zone from an existing zone. Use this method if the new zone has traffic patterns that are similar to the traffic patterns of an existing zone.
• Copy the zone configuration from a Detector—You can enable synchronization of the zone configuration with the Detector. You can initiate this action only from the Detector by using the CLI. See the Guard Configuration Guide for more information.
Understanding Zone Protection Activation Methods and Coverage Options
When you define a zone configuration, you have the option to define the trigger, or activation method, that the Guard uses to automatically activate zone protection. You can also define the extent of the range that the Guard protects. For example, the Guard can protect the entire zone or just a specific IP address within the zone IP address range.
This section contains the following topics:
• Understanding the Protection Activation Methods
• Understanding the Extent of Zone Protection
• Understanding Subzones
Understanding the Protection Activation Methods
The Guard can activate zone protection based on a zone name or information that it extracts from the traffic that you divert to it.
The available protection activation methods are as follows:
• Zone name—Activates zone protection based on the zone name. An external indication to activate protection must include the zone name. This is the default method that the Guard uses for activating zone protection.
• IP address—Activates zone protection when the Guard receives an external indication that consists of an IP address or subnet that is part of a zone. The Guard scans the zone database and activates the zone whose address range includes the received IP address or subnet. If several zones have an address range that includes the received IP address, the Guard activates the zone with the longest prefix match (the zone with the most specific address range that includes the received IP address). The received IP address or subnet must be completely included in the zone IP address range; an indication that only partially overlaps a zone does not activate it.
• Packet—Activates zone protection when the Guard receives packets that are destined to a zone in its database. When the Guard receives the packets, it scans the zone database and activates the zone whose address range includes the destination IP address of the packet. If several zones have an address range that includes the packet IP address, the Guard activates the zone with the longest prefix match (the zone with the most specific address range that includes the packet IP address). The received IP address or subnet must be completely included in the zone IP address range.
• IP address or packet—Activates zone protection when the Guard receives traffic (a packet) that is destined to the zone or when it receives an external indication that consists of an IP address or subnet that is part of the zone address range. See the previous bullets (Packet and IP address) for more information.
Understanding the Extent of Zone Protection
The activation extent defines whether to activate zone protection for the entire zone or for a partial zone once the Guard receives an external indication. This indication can be a command from an external device, such as the Detector, or traffic that is destined to the zone (packet).
The Guard supports the following activation extents:
• Entire zone—Activates protection for the entire zone. The Guard activates protection when it receives traffic that is destined to the zone or when it receives an external indication that consists of an IP address or subnet that is part of the zone.
• IP address only—Activates protection for only the specified IP address or subnet within the zone. When the Guard receives traffic that is destined to the zone, or an external indication that consists of an IP address or subnet that is part of the zone, it creates a new zone that is referred to as a subzone (see the "Understanding Subzones" section). This is the default setting for the activation extent parameter.
Understanding Subzones
The Guard creates a subzone when it activates protection for a partial zone (an address range that does not include the complete IP address range of the source zone). The IP address range of the subzone is included in the address range of the source zone.
The subzone configuration is identical to the configuration of the source zone apart from the IP address range and the name. The name of the subzone consists of the first 30 characters of the name of the source zone, the IP address, and the subnet mask, concatenated with underscores. If the subzone consists of a single IP address, the subnet mask is not added. For example, if the name of the source zone is scannet with an address of 10.10.10.0 and a subnet mask of 255.255.255.0, and the Guard activates protection for the IP address 10.10.10.192 with subnet mask 255.255.255.252 within that range, the name of the subzone is scannet_10.10.10.192_255.255.255.252.
The Guard takes the IP address and subnet mask of the subzone from the external indication, or from the destination IP address of the packet, that triggered the Guard to activate zone protection.
Once zone protection for the subzone ends, the Guard erases the subzone but does not erase the attack reports of the subzone. The Guard terminates zone protection for a subzone according to the activation method and the protection termination timeout that you configured for the source zone.
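The zone selection rule from the "Understanding the Protection Activation Methods" section (longest prefix match, with the indication completely included in the zone range) and the subzone naming rule above, worked through in code. This is an added example and not Guard code: the zone names and address ranges are constructed for the example, and the indication format (a.b.c.d or a.b.c.d/x) is an assumption; only the naming rule, the 30-character truncation and the page's scannet example come from the text.

```python
# Added example (not Guard code): zone selection by longest prefix match for
# the IP-address and packet activation methods, and subzone naming for the
# "IP address only" activation extent. Zone names/ranges and the indication
# format are constructed assumptions; the naming rule comes from the page.
import ipaddress
from dataclasses import dataclass


@dataclass
class Zone:
    name: str
    networks: list  # ipaddress.IPv4Network objects that make up the zone IP address range


def parse_indication(text):
    """Parse an external indication: 'a.b.c.d' (a single host, which is also how a
    packet's destination address is treated) or 'a.b.c.d/x' (a subnet). Assumed format."""
    return ipaddress.ip_network(text, strict=False)


def select_zone(zones, indication):
    """Return the zone whose range completely includes the indication. If several
    zones qualify, the longest (most specific) prefix wins. A zone that only
    partially overlaps the indication never qualifies."""
    best, best_len = None, -1
    for zone in zones:
        for net in zone.networks:
            if indication.subnet_of(net) and net.prefixlen > best_len:
                best, best_len = zone, net.prefixlen
    return best


def subzone_name(source_name, indication):
    """First 30 characters of the source zone name, the IP address and, for anything
    wider than a single address, the subnet mask, joined with underscores."""
    base = source_name[:30]
    if indication.num_addresses == 1:
        return f"{base}_{indication.network_address}"
    return f"{base}_{indication.network_address}_{indication.netmask}"


def activate(zones, text, activation_extent="ip-only"):
    """Name of the zone (entire-zone extent) or of the subzone (IP address only
    extent, the default) that protection is activated for, or None when no zone
    range completely includes the indication."""
    indication = parse_indication(text)
    zone = select_zone(zones, indication)
    if zone is None:
        return None
    if activation_extent == "entire":
        return zone.name
    return subzone_name(zone.name, indication)


# Constructed zone database. scannet (10.10.10.0 / 255.255.255.0) is the page's
# example; scannet_dns is a more specific zone inside it, added to show that the
# longest prefix wins; corpnet shows a zone made of several ranges.
ZONES = [
    Zone("scannet", [ipaddress.ip_network("10.10.10.0/24")]),
    Zone("scannet_dns", [ipaddress.ip_network("10.10.10.0/26")]),
    Zone("corpnet", [ipaddress.ip_network("192.0.2.0/24"),
                     ipaddress.ip_network("198.51.100.0/24")]),
]

if __name__ == "__main__":
    for ind in ("10.10.10.192/30", "10.10.10.5", "10.10.10.0/23", "198.51.100.77"):
        print(f"{ind:>16} -> subzone: {activate(ZONES, ind)}  "
              f"entire: {activate(ZONES, ind, 'entire')}")
```

The 10.10.10.0/23 case shows why the "completely included" condition matters: the indication covers the whole scannet range and more, so neither scannet nor scannet_dns is activated and the indication is rejected rather than silently matched to the closest zone.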
To view the attack reports of a subzone after the Guard erases it, perform the following steps:
Step 1
Choose a zone from the navigation pane. The zone main menu appears.
Step 2
Choose Diagnostics > Attack Reports > Attack Summary from the zone main menu. The Attacks summary screen appears and displays the summary of the subzone attack reports in the Sub-Zone Reports table.
Step 3
To display the details of an attack report, click on any of the fields for the attack listed in the Sub-Zone Reports table.
Creating a Zone
You can create a zone and configure the zone name, description, network address, operation definitions, and networking definitions.
When you create a new zone, you can use an existing zone as a template or you can create a zone using one of the predefined zone templates. The zone template defines the initial policy and filter configuration of the zone.
The new zone has default policies that are tuned for on-demand protection. However, if there is no immediate need to protect the zone, we recommend that you allow the Guard to learn the zone traffic characteristics. See the "Activating On-Demand Protection" section in Chapter 9, "Activating Zone Protection" for more information. Alternatively, you can copy the configuration of the zone and the zone policies from the Detector.
You can create a new zone in three ways:
• Use a predefined zone template—Create a new zone using one of the predefined zone templates. Use this method to create a new zone with the default policies and filters.
Note
When you create a zone using a zone template containing PPH policies for monitoring low-rate zombie attacks, the PPH policies are set to the disabled state by default because they may increase the amount of memory used by the zone and also affect Guard module performance. To enable the zone PPH policies, you must change the policy states to active (see the "Modifying Policy Parameters" section in Chapter 8, "Managing Zone Policies").
• Use an existing zone configuration as a template—Create a new zone by duplicating an existing zone. Use this method if the new zone has traffic patterns that are similar to those of an existing zone.
• Copy the zone configuration from the Detector—Enable synchronization of the zone configuration with the Detector. You can initiate this action only from the Detector by using the CLI. See the Cisco Traffic Anomaly Detector Configuration Guide or the Cisco Traffic Anomaly Detector Module Configuration Guide for more information.
This section contains the following topics:
• Creating a Zone from a Zone Template
• Creating a Zone from an Existing Zone
Creating a Zone from a Zone Template
To create a new zone using a zone template, perform the following steps:
Step 1
From the navigation pane, click Guard Summary. The Guard Summary menu appears.
Step 2
Choose Zones > Create Zone from the Guard main menu. The Zone Definition Form appears.
To display the Zone Definition Form, you can also choose Zones > Zone list and then click Add or choose Main > Create Zone from the zone main menu.
Step 3
Define the first set of zone configuration parameters. Table 4-1 describes the fields in the Zone Definition Form.
Table 4-1 Zone Definition Form Fields
Name: Name of the new zone. The name is an alphanumeric string from 1 to 63 characters. The string must start with a letter, can contain underscores, but cannot contain any spaces.
Description: Text describing the zone. Enter an alphanumeric string from 1 to 80 characters.
Zone Template: Zone template that defines the policies in the zone configuration. Choose one of the following options from the Template drop-down list:
• GUARD_DEFAULT—Default zone template. The Guard may change the packet source IP address to the Guard TCP-proxy IP address. Use this template if you do not use access control lists, access policies, or load-balancing policies that are based on the incoming IP address for the zone network.
• GUARD_TCP_NO_PROXY—Zone template for a zone in which no TCP proxy is to be used. Use this template if the zone controls access based on the client IP address (for example, an Internet Relay Chat server), because the TCP proxy would replace that address, or if you do not know the type of services running on the zone.
• Bandwidth Limited Link Templates—Zone templates for on-demand protection of large subnets that are segmented into zones with a known link bandwidth. Activate zone protection on these zones for the attacked address range only, to focus protection where it is needed and save Guard resources. We recommend that you define the resources and that you activate protection for these zones based on the attacked subnet or range by setting the Activation extent parameter in Step 5 to IP address only (this corresponds to a protect-ip state of only-dest-ip). The following templates are available for 128-Kb, 512-Kb, 1-Mb, and 4-Mb links: GUARD_LINK_128K, GUARD_LINK_512K, GUARD_LINK_1M, and GUARD_LINK_4M.
You cannot perform the policy construction phase of the learning process for zones created from these templates. You can perform the threshold tuning phase (see the "Understanding the Learning Process" section in Chapter 7, "Learning Zone Traffic").
• GUARD_VOIP—Zone template designed for a zone that contains a Voice-over-IP (VoIP) server that uses Session Initiation Protocol (SIP) over UDP to establish VoIP sessions and the Real-Time Transport Protocol/Real-Time Control Protocol (RTP/RTCP) to transmit voice data between SIP endpoints after sessions are established. Zones that are created from the GUARD_VOIP zone template contain specific policies to handle VoIP traffic that are produced from the sip_udp policy template.
Operation mode: Mode in which the Guard performs zone protection. The operation mode can be one of the following:
• Automatic—The Guard automatically activates all dynamic filters as it creates them during an attack.
• Interactive—The Guard displays the dynamic filters that the policies create as recommendations. You must decide whether or not to activate each dynamic filter.
See the "Activating Automatic or Interactive Protect Mode" section in Chapter 9, "Activating Zone Protection" for information about zone operation modes.
IP Address: Zone IP address. After you create the zone, you can modify the IP address or add additional IP addresses (see the "Configuring the Zone IP Address Range" section).
IP Mask: Zone address mask. Choose the address mask from the Mask drop-down list. After you create the zone, you can modify the address mask (see the "Configuring the Zone IP Address Range" section).
IP List: Additional zone IP addresses. Enter a space-delimited list of zone IP addresses in dotted-decimal notation using the format a.b.c.d/x, where /x is the subnet mask prefix length.
Step 4
Click OK. The Zone Configuration Form appears, displaying the second set of zone configuration parameters. This form contains the default parameter values associated with the zone template you selected in the previous step.
Step 5
Define the second set of zone configuration parameters. Table 4-2 describes the fields in the Zone Configuration Form.
Table 4-2 Zone Configuration Form Fields
General Parameters
Description: Text describing the zone. Enter an alphanumeric string from 1 to 80 characters.
Operation mode: Mode in which the Guard performs zone protection. The operation mode can be one of the following:
• Automatic—The Guard automatically activates all dynamic filters as it creates them during an attack.
• Interactive—The Guard displays the dynamic filters that the policies create as recommendations. You must decide whether or not to activate each dynamic filter.
See the "Activating Automatic or Interactive Protect Mode" section in Chapter 9, "Activating Zone Protection" for information about zone operation modes.
Rate: Amount of traffic that the Guard is allowed to inject back into the network. Set the bandwidth value to the highest bandwidth measured entering the zone. If the highest bandwidth value is not known, leave the Rate and Burst fields blank and choose unlimited units (unlimit) from the drop-down list.
Enter an integer for the maximum rate and then choose one of the following units of measurement from the drop-down list:
• unlimit—Use this default setting if you do not want to limit the rate of the traffic that the Guard injects back into the network. When you choose unlimit, do not enter a maximum rate value.
• mbps—Megabits per second.
• kbps—Kilobits per second.
• bps—Bits per second.
• kpp—Kilopackets per second.
• pps—Packets per second.
Burst: Highest traffic peak that the Guard is allowed to pass to the zone. Enter an integer for the burst size. The burst is measured in bits, kilobits, megabits, packets, or kilopackets, corresponding to the unit of measurement that you chose for Rate.
Attack detection/termination parameters
Protection-end Timer: Inactivity timeout that the Guard uses to terminate zone protection when there is no attack on the zone. The Guard measures the inactivity based on the dynamic filter inactivity and dropped traffic. Enter the timeout in seconds, or set the timer to infinite so that zone protection does not terminate on inactivity.
Malicious-rate detection threshold: Minimum rate of dropped zone packets that the Guard treats as an attack. If the dropped-packet rate exceeds this threshold, the Guard identifies an attack on the zone and creates an attack report. If the rate falls below this threshold, the Guard may end zone protection. The default Malicious-rate detection threshold is 10 packets per second (pps).
Filter-rate termination threshold: Threshold value that, together with the malicious-rate termination threshold, specifies when the Guard can deactivate dynamic filters. Define this threshold in packets per second (pps). See the "Managing Dynamic Filters" section in Chapter 9, "Activating Zone Protection" for more information.
Filter-rate-pph termination threshold: Threshold value that, together with the malicious-rate termination threshold, specifies when the Guard can deactivate dynamic filters created by policies that measure traffic in packets per hour. Define this threshold in packets per hour (pph). See the "Managing Dynamic Filters" section in Chapter 9, "Activating Zone Protection" for more information.
Malicious-rate termination threshold: Threshold value that, together with the filter-rate termination threshold, specifies when the Guard can deactivate dynamic filters. Define this threshold in packets per second (pps). See the "Managing Dynamic Filters" section in Chapter 9, "Activating Zone Protection" for more information.
Activation parameters
Activation interface: Protection activation method that defines how the Guard identifies the zone for which it activates zone protection when it receives an external indication. This indication can be a command from an external device, such as a Detector, or traffic that is destined to the zone (packet). The activation method can be one of the following:
• Zone name—Activates zone protection based on the zone name. This is the default activation method. To configure the activation method to zone name, uncheck both check boxes.
• By packet—Activates zone protection when the Guard receives traffic that is destined to the zone. The Guard scans the zone database and activates the zone whose address range includes the destination IP address of the packet. If several zones have an address range that includes the packet IP address, the Guard activates the zone with the longest prefix match (the zone with the most specific address range that includes the packet IP address). The received IP address or subnet must be completely included in the zone IP address range. To configure the activation method to by packet, check the By packet check box.
Note When you configure a zone with a protection activation method of packet, the Guard changes the way that it handles traffic that is not destined to an active zone. If you have configured injection for that traffic, the Guard forwards the traffic instead of dropping it.
• By IP address—Activates zone protection when the Guard receives a command from an external device, such as a Detector, that consists of an IP address or subnet that is part of the zone. The Guard scans the zone database and activates the zone whose address range includes the received IP address or subnet. If several zones have an address range that includes the received IP address, the Guard activates the zone with the longest prefix match (the zone with the most specific address range that includes the received IP address). The received IP address or subnet must be completely included in the zone IP address range. To configure the activation method to by IP address, check the By IP address check box.
• By IP address or by packet—Activates zone protection when the Guard receives traffic (a packet) that is destined to the zone or when it receives a command from an external device, such as the Detector, that consists of an IP address or subnet that is part of the zone address range. See the By IP address and By packet bullets in this section for more information. To configure this activation method, check both the By IP address check box and the By packet check box.
Note You must manually divert traffic to the Guard when the zone is attacked if you configure the protection activation to By packet or to By IP address or by packet. For more information about the Activation interface options, see the "Understanding the Protection Activation Methods" section.
Activation extent: Defines whether the Guard activates zone protection for the entire zone or for a part of the zone when the Guard receives an external indication to activate zone protection. The activation extent can be one of the following:
• IP address only—Activates protection only for the specified IP address or subnet within the zone. This is the default activation extent setting.
• Entire zone—Activates protection for the entire zone.
For more information about the Activation extent options, see the "Understanding the Extent of Zone Protection" section.
Packet Dump parameters
Auto Packet Dump: Check the check box next to one of the following options:
• On—Enables auto packet dump.
• Off—Disables auto packet dump (default setting).
Max. disk space: Enter the maximum amount of disk space in megabytes to use for auto packet dumps. This field applies to the Cisco Guard appliance only and has no effect on the Cisco Guard module.
Step 6
Click OK to save the new zone.
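How the Protection-end Timer and the Malicious-rate detection threshold from Table 4-2 interact over a run of dropped-packet measurements, as an added example that is not the Guard's implementation. It assumes a simplified model: an attack is identified when the dropped-packet rate exceeds the threshold, and protection ends only after the rate has stayed at or below the threshold for the whole timer, with any sample above the threshold resetting the count. The Guard also weighs dynamic filter inactivity, which this model leaves out, and the sample readings are constructed.

```python
# Added example (not Guard code): a simplified model of the attack detection
# and termination parameters in Table 4-2. Assumptions: one dropped-packet-rate
# reading per second; protection ends after an uninterrupted run of
# protection_end_timer seconds at or below the malicious-rate detection
# threshold; dynamic filter inactivity (which the real Guard also uses) is ignored.

DEFAULT_DETECTION_THRESHOLD_PPS = 10  # the page's default malicious-rate detection threshold


def attack_start(dropped_pps, threshold=DEFAULT_DETECTION_THRESHOLD_PPS):
    """Index of the first sample whose dropped rate exceeds the threshold, or None
    when the rate never exceeds it (no attack identified, no attack report)."""
    for t, rate in enumerate(dropped_pps):
        if rate > threshold:
            return t
    return None


def protection_end(dropped_pps, start, protection_end_timer,
                   threshold=DEFAULT_DETECTION_THRESHOLD_PPS):
    """Index of the sample that completes the first uninterrupted run of
    protection_end_timer seconds at or below the threshold after the attack
    started, or None if protection is still active at the end of the data.
    A single sample above the threshold resets the run. protection_end_timer=None
    models the infinite setting: protection never terminates on inactivity."""
    if protection_end_timer is None:
        return None
    quiet = 0
    for t in range(start, len(dropped_pps)):
        if dropped_pps[t] > threshold:
            quiet = 0          # attack traffic still being dropped: restart the timer
            continue
        quiet += 1
        if quiet >= protection_end_timer:
            return t
    return None


def protection_window(dropped_pps, protection_end_timer,
                      threshold=DEFAULT_DETECTION_THRESHOLD_PPS):
    """(start, end) indices of the protection period, end=None while still active,
    or None if no attack was identified at all."""
    start = attack_start(dropped_pps, threshold)
    if start is None:
        return None
    return start, protection_end(dropped_pps, start, protection_end_timer, threshold)


# Constructed sample: dropped packets per second, one reading per second. The dip
# at seconds 5-6 is shorter than a 5-second timer, so it must not end protection.
SAMPLE_DROPPED_PPS = [0, 2, 150, 400, 380, 5, 0, 120, 90, 3, 1, 0, 0, 0, 0, 2]

if __name__ == "__main__":
    for timer in (2, 5, None):
        print(f"timer={timer}: protection window {protection_window(SAMPLE_DROPPED_PPS, timer)}")
```

With a 2-second timer the short dip at seconds 5-6 already ends protection, just before the second wave at second 7; with a 5-second timer the dip only resets and protection runs until the quiet period is long enough. This is the trade-off the timer encodes: a short value frees Guard resources sooner, a long value rides out pauses between attack waves.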
Creating a Zone from an Existing Zone
To create a new zone using an existing zone as a template, perform the following steps:
Step 1
From the navigation pane, choose a zone to be used as a zone template. The zone main menu appears.
Step 2
From the zone main menu, choose Main > Save as. The Zone Save as screen appears.
Step 3
Define the new zone name. In the Name text field, enter the zone name as an alphanumeric string of 1 to 63 characters. The string must start with a letter, can contain underscores, but cannot have spaces.
Step 4
Click OK to save the new zone. The Zone general view screen appears.
Configuring the Zone IP Address Range
You must configure at least one IP address that is not excluded before you can activate zone protection, but you can add or delete IP addresses from the zone IP address range at any time.
This section contains the following topics:
• Adding an IP Address to the Zone IP Address Range
• Deleting an IP Address from the Zone IP Address Range
• Updating the Zone Policies
Adding an IP Address to the Zone IP Address Range
You can configure a large subnet and then exclude specific IP addresses from that subnet so that they are not part of the zone IP address range.
To add an IP address to the zone configuration, perform the following steps:
Step 1
From the navigation pane, choose a zone. The zone main menu appears.
Step 2
From the zone main menu, choose Configuration > General. The Zone general view screen appears.
Step 3
Click Add (located below the second table). The Zone IP Form appears.
Step 4
Enter the following IP address information:
• IP Address—Zone IP address. Enter the IP address in dotted-decimal notation (for example, 192.168.100.32).
• IP Mask—Zone IP address mask. Enter the subnet mask in dotted-decimal notation (for example, 255.255.255.224). The default subnet mask is 255.255.255.255, which denotes a single IP address.
Step 5
(Optional) Check the Exclude check box to exclude the IP address from the zone IP address range.
Step 6
Click OK to save the zone configuration. The Zone general view screen appears.
Step 7
Update the zone policies. See the "Updating the Zone Policies" section for more information.
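The include/exclude semantics of the Zone IP Form (a regular entry adds a range, an entry with the Exclude check box removes addresses from it, and the default mask 255.255.255.255 denotes a single host), together with the precondition from the start of this section that at least one non-excluded address must exist before protection can be activated, as an added example. This is not Guard code; the entries are constructed for the example, and the page's 192.168.100.32 / 255.255.255.224 form values are reused as one of them.

```python
# Added example (not Guard code): membership of an address in a zone IP address
# range built from Zone IP Form entries (IP, Mask, Exclude), and the check that
# at least one non-excluded address remains before protection can be activated.
# The entries in ZONE_IPS are constructed for this example.
import ipaddress
from dataclasses import dataclass


@dataclass
class ZoneIP:
    ip: str
    mask: str = "255.255.255.255"  # Zone IP Form default: a single host
    excluded: bool = False         # the Exclude check box (Type "excluded" in Table 4-4)

    def network(self):
        # ipaddress accepts a dotted-decimal mask after the slash
        return ipaddress.ip_network(f"{self.ip}/{self.mask}", strict=False)


def zone_includes(entries, address):
    """True when the address lies inside a regular entry and inside no excluded entry."""
    addr = ipaddress.ip_address(address)
    in_regular = any(addr in e.network() for e in entries if not e.excluded)
    in_excluded = any(addr in e.network() for e in entries if e.excluded)
    return in_regular and not in_excluded


def protectable_networks(entries):
    """Regular ranges with every excluded range carved out, as a list of CIDR blocks.
    Two CIDR blocks are either nested or disjoint, so each excluded range either
    swallows a block, punches a hole in it, or leaves it alone."""
    nets = [e.network() for e in entries if not e.excluded]
    for ex in (e.network() for e in entries if e.excluded):
        carved = []
        for net in nets:
            if net.subnet_of(ex):          # the whole block is excluded
                continue
            if ex.subnet_of(net):          # split the block around the hole
                carved.extend(net.address_exclude(ex))
            else:                          # disjoint: keep the block as is
                carved.append(net)
        nets = carved
    return nets


def can_activate_protection(entries):
    """The section's precondition: at least one IP address that is not excluded."""
    return sum(n.num_addresses for n in protectable_networks(entries)) > 0


# Constructed zone IP table. The first entry reuses the page's Zone IP Form
# example values; the rest show a single excluded host and an excluded subnet.
ZONE_IPS = [
    ZoneIP("192.168.100.32", "255.255.255.224"),
    ZoneIP("192.168.100.40", excluded=True),              # one host, default /32 mask
    ZoneIP("10.0.0.0", "255.255.255.0"),
    ZoneIP("10.0.0.128", "255.255.255.128", excluded=True),
]

if __name__ == "__main__":
    for addr in ("192.168.100.33", "192.168.100.40", "192.168.100.64", "10.0.0.9", "10.0.0.200"):
        print(f"{addr:>16}: {'in zone' if zone_includes(ZONE_IPS, addr) else 'not in zone'}")
    print("protectable blocks:", [str(n) for n in protectable_networks(ZONE_IPS)])
    print("can activate protection:", can_activate_protection(ZONE_IPS))
```

The last check matters for the packet and IP-address activation methods as well: a zone whose only addresses have all been excluded still exists in the zone database, but there is nothing for an indication to match, so the Guard cannot activate protection for it.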
Deleting an IP Address from the Zone IP Address Range
To delete an IP address from the zone IP address range, perform the following steps:
Step 1
From the navigation pane, choose a zone. The zone main menu appears.
Step 2
From the zone main menu, choose Configuration > General. The Zone General view screen appears.
Step 3
Check the check box next to each IP address that you want to delete and then click Delete.
Step 4
Update the zone policies. See the "Updating the Zone Policies" section for more information.
Updating the Zone Policies
If you modify the zone IP address or subnet, perform one of the following tasks:
• If the new IP address or subnet hosts a service that was not previously defined in the zone network, activate the policy construction phase before activating zone protection, or add the service manually. See the "Starting the Policy Construction Phase" section in Chapter 7, "Learning Zone Traffic," and the "Adding a Service" section in Chapter 8, "Managing Zone Policies," for more information.
• If the zone is not under attack and you have enabled zone protection and the learning process together by selecting Protect and Learn, mark the zone policies as untuned. Do not mark the zone policies untuned while there is an attack on the zone: doing so would prevent the Guard from detecting the attack and cause the Guard to learn thresholds from malicious traffic. See the "Marking the Zone Policies as Tuned or Untuned" section for more information.
• If you did not enable zone protection and the learning process together by selecting Protect and Learn, and you do not plan to activate the two processes together, activate the threshold tuning phase before activating zone protection. See the "Starting the Threshold Tuning Phase" section for more information.
Viewing and Modifying a Zone Configuration
You can view the parameter settings of a zone configuration at any time to verify the current configuration settings and modify the configuration if needed.
To view the current parameter settings of a zone configuration, perform the following steps:
Step 1
From the navigation pane, choose a zone. The zone main menu appears.
Step 2
From the zone main menu, choose Configuration > General. The General Configuration view screen appears, displaying the parameter settings of the zone configuration.
Table 4-3 describes the information that displays in the General Configuration area.
Table 4-3 General Configuration Information
Basic Zone Information
Name: Name that you assigned to the zone.
Description: Description to help identify the zone.
Operation mode: Mode in which the zone is configured to operate (automatic or interactive).
Zone template: Template used to create the zone.
Rate: Amount of traffic that the Guard is allowed to inject back into the network.
Burst: Highest traffic peak that the Guard is allowed to pass to the zone.
Attack Detection/Termination Parameters
Protection-end timer: Inactivity timeout that the Guard uses to terminate zone protection when there is no attack on the zone.
Malicious-rate detection threshold: Minimum rate of dropped zone packets that the Guard treats as an attack.
Filter-rate termination threshold: Threshold value, defined in packets per second, that together with the malicious-rate termination threshold specifies when the Guard can deactivate dynamic filters created by policies that measure traffic rate in packets per second.
Filter-rate-pph termination threshold: Threshold value, defined in packets per hour, that together with the malicious-rate termination threshold specifies when the Guard can deactivate dynamic filters created by policies that measure traffic rate in packets per hour.
Malicious-rate termination threshold: Threshold value that, together with the filter-rate termination threshold, specifies when the Guard can deactivate dynamic filters.
Activation Parameters
Activation interface: Protection activation method that defines how the Guard identifies the zone for which it activates zone protection when it receives an external indication.
Activation extent: Scope of the protection that the Guard activates for a zone (the entire zone or a part of the zone) when the Guard receives an external indication to activate zone protection.
Packet Dump Parameters
Auto Packet Dump: State of the auto packet-dump capture function (on or off).
Max. disk space: Maximum amount of disk space (in megabytes) to use for auto packet dumps.
Table 4-4 describes the information that displays in the IP address table.
Table 4-4 Zone IP Addresses
IP: Zone IP address.
Mask: Zone IP address mask.
Type: Whether the address range is included in or excluded from the zone IP address range (regular or excluded).
To modify the zone configuration, click one of the following function buttons:
• Config—Modify the general configuration parameters. The Zone Configuration Form appears. For information on each of the editable zone configuration fields, see Table 4-2 in the "Creating a Zone from a Zone Template" section.
• Add—Add an IP address to the zone configuration. The Zone IP Form appears. For information about each of the editable IP address fields, see the "Adding an IP Address to the Zone IP Address Range" section.
• Delete—Delete an IP address from the zone configuration. For information on deleting an IP address from the zone configuration, see the "Deleting an IP Address from the Zone IP Address Range" section.
Deleting a Zone
To delete one or more zones, perform the following steps:
Step 1
Click Guard Summary from the navigation pane. The Guard summary menu appears.
Step 2
Choose Zones > Zone list from the Guard main menu. The Zone list screen appears.
Step 3
Check the check box next to each zone that you want to delete, and then click Delete. To delete all the zones listed, check the check box in the header (next to Zone), and then click Delete. The Validation form appears.
Step 4
Click OK to delete the zone.