Managing Devices on the MDM Network
This chapter describes how to prepare and manage the Detector and Guard devices that you want to include in the Cisco DDoS MultiDevice Manager (MDM) network. Some of the initial action items described in this chapter involve using the device's CLI to configure device-side operational attributes prior to configuring the MDM with the device information.
Note
This guide refers to the Cisco Traffic Anomaly Detector Module and the Cisco Traffic Anomaly Detector appliance as Detector and the Cisco Anomaly Guard Module and the Cisco Guard appliance as Guard. When referring to both the Detector and the Guard, this guide uses the term device.
This chapter contains the following sections:
• Preparing the Device for Operation with the MDM
• Configuring a Device to Connect with the MDM
• Adding a Device to the MDM Device List
• Displaying the MDM Device List
• Exchanging Certificates and Keys
• Pinging a Device
• Enabling or Disabling Communication with a Device
• Deleting a Device
• Where to Go Next
Preparing the Device for Operation with the MDM
Before you can use the MDM to manage your Detector and Guard devices, you must first ensure that your devices are installed and configured as described in the appropriate device configuration guide (see the "Related Documentation" section). Perform the initial device configuration process using the CLI.
Note
To use the MDM feature, you must install software version 5.1(5) or higher on the device.
Verify that you have configured the following items on each device to ensure proper network operation and communication with the MDM:
• Networking configuration—Configure the device network interfaces. You cannot connect to the device until you configure the device interfaces for operation in your networking environment.
• Remote Guard List—(Detector only) If your network consists of Detectors that will activate Guards when one of the Detectors detects a traffic anomaly, verify that you have the remote Guard list configured on each Detector.
• Traffic diversion—(Guard only) Configure traffic diversion so that each Guard can divert the zone traffic to itself and then inject the legitimate traffic back into the network when you activate zone protection.
• Enable the MDM service and permit access—Enable and permit access to the device from the MDM. The CLI procedures to configure this operation are also included in this section (see the "Configuring a Device to Connect with the MDM" section).
Configuring a Device to Connect with the MDM
Use the device's CLI to enable the MDM service and to permit network access to the device from the MDM. You must log on as a user with either administration or configuration user privilege level rights to make the necessary configuration changes. For detailed information on accessing and using the device CLI, see the appropriate configuration guide in the "Related Documentation" section.
To enable the MDM service and permit network access, follow these steps:
Step 1
Log on to the device CLI using a console or a Secure Shell (SSH) connection.
Step 2
Enter configuration mode by entering the following command in global mode:
Step 3
Enable the MDM service by entering the following command, which activates the Remote Agent (RA) daemon:
admin@DEVICE-conf# service mdm
Step 4
Permit access to the device from the MDM by entering the following command:
admin@DEVICE-conf# mdm server ip-addr [ip-mask]
The ip-addr argument defines the IP address of your MDM server; the optional ip-mask argument is the subnet mask that accompanies it.
Step 5
Permit an SSH connection to the device from the MDM by entering the following command:
admin@DEVICE-conf# permit ssh ip-addr
The ip-addr argument defines the IP address of your MDM server.
The following example shows how to configure the network access for an MDM that connects from IP address 192.168.30.32:
admin@DEVICE-conf# service mdm
admin@DEVICE-conf# mdm server 192.168.30.32
admin@DEVICE-conf# permit ssh 192.168.30.32
After configuring the network access for the MDM on the device, you may exit the CLI. The device is now ready for you to add to the MDM device list.
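The three commands above are the whole of the device-side trust boundary for the MDM, so it is worth checking them before moving on. The following script is an added example (not Cisco's code) that audits a captured set of device configuration lines: it flags a missing service mdm, an mdm server entry whose mask admits a wide address range, and a permit ssh entry that does not match any configured MDM server address. The sample configuration and the 256-address limit are constructed for the example.

```python
import ipaddress
import re

# Constructed sample of lines an operator might have entered on the device.
SAMPLE_CONFIG = """
service mdm
mdm server 192.168.30.32
mdm server 10.0.0.0 255.0.0.0
permit ssh 192.168.30.32
permit ssh 192.168.30.99
"""

# Widest range accepted for an mdm server entry (a /24); constructed policy value.
MAX_MDM_ADDRESSES = 256

_MDM_SERVER = re.compile(r"^mdm server (\S+)(?: (\S+))?$")
_PERMIT_SSH = re.compile(r"^permit ssh (\S+)$")


def parse_config(text):
    """Return (service_enabled, [mdm server networks], [permit ssh addresses])."""
    service_enabled = False
    mdm_nets, ssh_addrs = [], []
    for line in text.strip().splitlines():
        line = line.strip()
        if line == "service mdm":
            service_enabled = True
        elif (m := _MDM_SERVER.match(line)):
            # A missing ip-mask means a single host, so use a host mask.
            addr, mask = m.group(1), m.group(2) or "255.255.255.255"
            mdm_nets.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
        elif (m := _PERMIT_SSH.match(line)):
            ssh_addrs.append(ipaddress.ip_address(m.group(1)))
    return service_enabled, mdm_nets, ssh_addrs


def audit(text):
    """Return a list of findings; an empty list means the MDM access lines look tight."""
    enabled, mdm_nets, ssh_addrs = parse_config(text)
    findings = []
    if not enabled:
        findings.append("service mdm is not enabled; the RA daemon will not run")
    for net in mdm_nets:
        if net.num_addresses > MAX_MDM_ADDRESSES:
            findings.append(f"mdm server {net} admits {net.num_addresses} addresses")
    for addr in ssh_addrs:
        if not any(addr in net for net in mdm_nets):
            findings.append(f"permit ssh {addr} is not a configured MDM server address")
    return findings
```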
Adding a Device to the MDM Device List
To add a device to the MDM device list, follow these steps:
Step 1
Access the Network Summary screen using one of the following methods:
• From the navigation pane, click Network Summary.
• From the information area located in the upper right hand corner, click Home.
The Network Summary menu and screen appear.
Step 2
From the Network Summary menu, choose Main > Devices List. The Device List screen appears, displaying the devices currently associated with the MDM.
Step 3
Click Add, located below the Device List table. The Config Device screen appears.
Step 4
Define the device parameters as described in Table 3-1.
Table 3-1 Device Parameters
Parameter | Description
IP Address | IP address of the device on the network. Enter an IP address in dotted decimal notation (for example, 192.168.12.15).
Hostname | Hostname of the device on the network. Enter an alphanumeric string with a maximum of 255 characters.
Description | Device description to help identify the device on the network. Enter an alphanumeric string with a maximum of 255 characters.
Enable | Manages the communication channel between the MDM and the device. Check the Enable check box to allow the MDM to communicate with the device; uncheck it to prevent the MDM from communicating with the device.
Step 5
Click OK. The MDM adds the device to the Device List screen.
After adding a device to the device list, you need to initiate a certificate exchange so that the MDM and the device can establish an SSL session (see the "Exchanging Certificates and Keys" section).
Displaying the MDM Device List
The MDM device list provides you with a summary view of the devices that you have associated with the MDM. From this screen, you can determine the status of each device listed, such as whether the MDM is communicating with the device, the number of zones configured on the device, memory usage, and so on.
To display the MDM device list, follow these steps:
Step 1
Access the Network Summary screen using one of the following methods:
• From the navigation pane, click Network Summary.
• From the information area located in the upper right hand corner, click Home.
The Network Summary menu and screen appear.
Step 2
From the Network Summary menu, choose Main > Devices List. The Device List screen appears, displaying the devices currently associated with the MDM.
Table 3-2 describes the fields of the Device List table.
Table 3-2 MDM Device List Fields
Field | Description
Hostname | Hostname of the device on the network.
IP Address | IP address of the device on the network.
Type | Type of device as determined by the MDM. Possible values for the device type are as follows:
• Detector—The MDM recognizes the device as a Detector.
• Guard—The MDM recognizes the device as a Guard.
• Undetermined—Since you added the device to the device list, the MDM has not been able to communicate with it to determine the device type.
State | Communication state between the MDM and the device. Possible communication states are as follows:
• Disconnected—The MDM is not able to establish a connection with the device.
• Suspended—The device is not enabled.
• Initializing—The MDM is establishing a connection with the device and is in the process of updating the device's Remote Agent (RA).
• Connected—The MDM has an established communication path with the device.
Zones | Number of zones configured on the device.
Active Zones | Number of zones configured on the device that perform any of the following operations:
• Anomaly detection—Detect operation is active
• Zone protection—Protect operation is active
• Learning—Construct Policies or Tune Thresholds is active
The MDM displays a value of N/A if it does not have an established communication path with the device, as indicated by the State field.
Attacked Zones | Number of zones configured on the device currently under attack.
#DF | Number of dynamic filters that the device has created in response to the attacks the device is currently handling on the active zones.
Mem Usage | Amount of memory that the device's anomaly detection engine is currently utilizing, expressed as a percentage of the total amount of available memory. The amount of memory relates to the number of active zones on the device and the number of services that each zone monitors.
Note If the anomaly detection engine memory usage is higher than 95 percent, we strongly recommend that you lower the number of active zones.
Total Rate | Amount of traffic that the device is receiving from the active zones, expressed in packets per second (pps).
Exchanging Certificates and Keys
Communication between the MDM and the devices is performed using Secure Sockets Layer (SSL). SSL provides a secure means for exchanging data between a device (the client) and the MDM server through privacy, authentication, and data integrity. SSL relies upon certificates and private-public key pairs for this level of security: the keys are used for data encryption, and the certificates provide proof of identity. To establish an SSL session, the device and the MDM server perform an SSL handshake, during which they exchange their public keys and self-signed certificates.
After adding a new device to the MDM device list, you must initiate a certificate exchange to allow the MDM and the device to perform an SSL handshake and exchange self-signed certificates and public keys. You can only initiate the certificate exchange process on one device at a time.
To initiate a certificate exchange, follow these steps:
Step 1
Access the Network Summary screen using one of the following methods:
• From the navigation pane, click Network Summary.
• From the information area located in the upper right hand corner, click Home.
The Network Summary menu and screen appear.
Step 2
From the Network Summary menu, choose Main > Devices List. The Device List screen appears, displaying the devices currently associated with the MDM.
Step 3
Check the check box next to the hostname of the desired device.
Step 4
Click Exchange Certificate, located below the Device List table. The Certificate Exchange window opens.
Step 5
Enter the required password for accessing the device. The MDM uses the riverhead user account to access the device. You must enter the password that you assigned to the riverhead user account on the device using the device CLI.
Step 6
Click OK. The MDM and the device perform the SSL handshake and exchange certificates and public keys.
After the MDM and the device complete the SSL handshake, the MDM initializes the device by performing the following:
• Opens a communication channel
• Queries the device to extract the following information:
– Device type (Detector or Guard).
– Local time (to calculate the time difference with the MDM).
– Version of the installed Remote Agent (RA). If required, the MDM updates the RA version installed on the device.
While the MDM is initializing the device, the device state changes to Initializing. When initialization is complete, the state changes to Connected. To display the changes to the device state, you must refresh the MDM window.
Note
When the device state is Disconnected, the MDM attempts to connect to the device once a minute. While the MDM is attempting to establish a connection, the device state changes to Initializing.
Pinging a Device
From the Device List page, you can use the ICMP Ping option to test the communication path between the MDM and a device on the device list.
To ping a device, follow these steps:
Step 1
Access the Network Summary screen using one of the following methods:
• From the navigation pane, click Network Summary.
• From the information area located in the upper right hand corner, click Home.
The Network Summary menu and screen appear.
Step 2
From the Network Summary menu, choose Main > Devices List. The Device List screen appears, displaying the devices currently associated with the MDM.
Step 3
From the Device List table, check the check box next to the device to ping.
Step 4
Click Ping, located below the Device List table. The MDM issues the ping command to the device and the Ping window opens, displaying the results of the ping action.
Enabling or Disabling Communication with a Device
To manage the ability of the MDM to communicate with the device, you can enable or disable the communication channel between the MDM and a device. Disabling communication with a device does not affect the current operating state of the device. For example, if you disable communication with a Guard that currently has Protect active for a zone, the Guard continues to protect the zone.
Note
Changing the communication state between the MDM and a device may introduce conflict error conditions (see the "Resolving MDM Database Conflicts" section on page 4-1).
To enable or disable the communication channel between the MDM and a device, follow these steps:
Step 1
Access the Network Summary screen using one of the following methods:
• From the navigation pane, click Network Summary.
• From the information area located in the upper right hand corner, click Home.
The Network Summary menu and screen appear.
Step 2
From the Network Summary menu, choose Main > Devices List. The Device List screen appears, displaying the devices currently associated with the MDM.
Step 3
Click the hostname of the desired device. The Device Form window appears.
Step 4
Use one of the following methods to enable or disable communication between the MDM and the device:
• Check the Enable check box to allow the MDM to communicate with the device.
• Uncheck the Enable check box to disable the device, which prevents the MDM from communicating with it.
Step 5
Click OK.
Deleting a Device
When you delete a device from the MDM device list, you remove the device from the MDM database and the device is no longer associated with any zone. Once you delete the device from the database, you can no longer manage the device with this user interface. The device, however, will continue to perform according to its current operating state. For example, if you delete a Guard that currently has Protect active for a zone, the Guard continues to protect the zone.
Note
You cannot delete the zone master device. To delete the device that is the master device, you must first choose another device as the master device.
To delete a device from the MDM device list, follow these steps:
Step 1
Access the Network Summary screen using one of the following methods:
• From the navigation pane, click Network Summary.
• From the information area located in the upper right hand corner, click Home.
The Network Summary menu and screen appear.
Step 2
From the Network Summary menu, choose Main > Devices List. The Device List screen appears, displaying the devices currently associated with the MDM.
Step 3
From the Device List table, check the check box next to the device to delete.
Step 4
Click Delete (located below the Device List table). The MDM removes the device from its database.
Where to Go Next
After adding a device to the MDM device list, where you go next in this guide depends on whether the device already had zone configurations at the time that you added it, or whether you are experiencing communication problems with a device. Use the following guidelines to determine where to go next:
• Zone configurations do not exist on the device—The next step is to begin defining zones on the device, which is performed by creating the zone on the master device.
Make sure that all of the devices that you plan to configure with the same zone information are on the device list, and then see Chapter 5, "Creating and Configuring Zones," to begin creating zone configurations.
• Zone configurations exist on the device—When zone configurations already exist on the device, or you are not sure whether they exist, see Chapter 4, "Resolving Conflicts and Synchronizing Zones." This chapter describes how to check for conflicts, which occur when a device contains a zone configuration that the MDM does not have in its database. The MDM resolves a conflict by pulling any zone configuration names that do not already exist in the MDM database from the device.
• The MDM cannot communicate with a device—If the MDM cannot reach a Connected state with a device after you add the device to the device list and initiate a key exchange, see Chapter 12, "Troubleshooting Problems with the MDM."