Index
Symbols
# (number sign) 11-22, 11-24
* (wildcard) 11-22, 11-24
A
accepting pending dynamic filter 10-17
Accept Thresholds screen
Threshold selection method parameter 9-10, 9-17
weight parameter 9-10, 9-18
Action parameter
flex-content filter 6-8
Policy Filter screen 8-2
user filter 6-18
Zone Policy Form and Zone Policy Parameter Form 8-7
activating
anomaly detection and zone protection 10-1, 10-4
dst-ip-by-ip Protect-IP state 5-10
dst-ip-by-name Protect-IP state 5-10
dynamic filter automatically 5-10
dynamic filter interactively 5-10
entire zone Protect-IP state 5-10
IP address protection 10-6
ondemand protection 10-5
policy-type Protect-IP state 5-10
threshold tuning with Detect or Protect 9-13
zone protection based on zone name 5-12
zone protection by Guard 5-12
zone protection by IP address 5-12
zone protection by packet 5-12
activation options for Guard 10-2
activation parameter
Activation extent 5-12
Activation interface 5-12
active dynamic filters 11-9
Add Bypass Filter screen 6-11
Add Dynamic Filter Form 10-11
adding
bypass filter 6-11
Detector or Guard to the MDM 3-3
Detector or Guard to zone device list 5-17
dynamic filter to Guard 10-11
flex-content filter 6-6
IP address and threshold to policy 8-9
IP address to zone 5-14
service to base zone 9-22
service to policy 7-8
service to zone 8-10
user filter 6-16
users and user groups 2-6
analyzing traffic flow through zone counters 11-11
anomaly detection and zone protection
activating 10-1, 10-4
managing 10-4
options 10-2
attack detection/termination parameters
Filter-rate termination threshold 5-11
malicious-rate detection threshold 5-11
malicious-rate termination threshold 5-11
protection-end time 5-11
attack report
deleting 11-27
detected anomalies 11-20, 11-22
displaying current details 11-18
displaying details 11-17
displaying past details 11-17
dropped/bounced packets 11-19
exporting 11-25
general information 11-19
HTTP detected zombies 11-25
mitigated attack details 11-24
mitigated attacks 11-23
statistics 11-19
understanding report details 11-18
attack statistics table fields 11-19
attack summary 11-16
automatic learning, configuring 9-5
automatic learning and snapshot overview 9-4
automatic operation mode 10-3
Auto Packet Dump parameter 5-14
B
back-end service problem 12-2
backing up and restoring the MySQL database 2-9
backing up MDM server configuration information 2-9
base zone
adding or deleting service 9-22
copying policy parameters 9-23
Base Zone Policy Comparison screen parameter 9-21
Berkeley Packet Filter 6-5
Burst parameter
user filter 6-18
zone general 5-10
bypass filter
adding 6-11
definition 6-2
deleting 6-13
displaying 6-12
match criteria parameters 6-11
Bypass Filter Form parameters
Dst Port 6-12
Fragments 6-12
Protocol 6-12
Source IP 6-11
Source subnet 6-11
Bypass Filters table fields 6-13
C
caution, symbol overview ii-xi
certificate, initiating exchange 3-5
changing
zone operation mode to automatic 10-18
zone operation mode to interactive 10-18
zone operation mode when dynamic filters exceed 1000 10-19
clearing
Guard global counters 11-5
zone counters 11-13
client, launching MDM 2-11
client browser requirement 2-2
client monitor requirement 2-2
Compared Zone Policy Comparison screen parameter 9-21
comparing snapshot or policies in zones 9-20
Config Device screen
Description parameter 3-3
Enable parameter 3-3
Hostname parameter 3-3
IP Address parameter 3-3
Config Policy Template screen 7-6
Config screen 5-9
configuring
attack detection/termination parameter 5-11
automatic learning 9-5
bypass filter match criteria parameters 6-11
flex-content filter match criteria parameters 6-7
packet-dump parameters 5-13
server firewall 2-3
snapshot interval of learning process 9-17
snapshots of current learning process results 9-17
synchronization parameters 5-13
zone general attributes 5-10
Conflicts Resolution screen 4-2
consolidation, MDM 1-7
copying policy parameters to base zone 9-23
counters
clearing Guard global 11-5
displaying device-specific 11-13
displaying zone 11-10
Counters screen 11-3
creating
snapshot of policy 9-18
zone 5-3
zone from existing zone 5-8
zone from template 5-6
zone policies snapshot 8-5
D
database connection problem 12-2
DDoS
nonspoofed attacks 1-3
overview 1-3
spoofed attacks 1-3
zombies 1-3
Deactivate window
opening 9-13
Threshold selection method parameter 9-14
weight parameter 9-14
deactivating
Detect or Protect operations 10-7
threshold tuning, Detect, and Protect 9-13
deleting
attack report 11-27
bypass filter 6-13
Detector or Guard from MDM device list 3-7
Detector or Guard from zone device list 5-17
dynamic filter 10-12
flex-content filter 6-10
IP address and threshold from policy 8-10
IP address from zone 5-15
service from base zone 9-22
service from policy 7-9
snapshot 9-20
user filter 6-18
zone 5-18
Description parameter
Config Device screen 3-3
flex-content filter 6-7
zone general screen 5-10
Detect and Protect, deactivating operations 10-7
detected anomalies 11-22
Detected Anomalies Details table fields 11-22
Detected Anomalies table fields 11-20
Detector
adding to MDM device list 3-3
adding to zone device list 5-17
deleting from MDM device list 3-7
deleting from zone device list 5-17
disabling or enabling communication with MDM 3-7
MDM requirement 2-2
overview 1-4
preparing for operation with MDM 3-1
DETECTOR_WORM zone template 5-4
device communication problem 12-4
device disconnected problem 12-4
device initialization problem 12-5
Device List screen 3-4
Device List table fields 3-4, 11-13
device recommendations
displaying 10-13
displaying dynamic filters 10-15
Devices and Master table fields 5-6
device suspended problem 12-4
disabling communication with Detector or Guard 3-7
displaying
bypass filter 6-12
current zone attack 11-18
device recommendations 10-13
device-specific counter information 11-13
drop statistics table 11-28
dynamic filters 10-8
flex-content filters 6-8
global Guard counters 11-3
HTTP zombies list 11-27
MDM device list 3-4
network event log 11-5
past zone attack 11-17
pending dynamic filters of recommendation 10-15
policy differences in zone configuration or snapshot 9-21
policy templates 7-5
snapshot 9-19
traffic counter and zone status information 10-6
user filter 6-15
zone attacks summary report 11-15
zone counters 11-10
zone event log 11-15
zone policies 8-1
zone status 11-6, 11-7
dns_tcp policy template 7-2
dns_udp policy template 7-2
documentation, related ii-x
dropped/bounced packets 11-19
Dropped/Bounced table fields 11-19
Drop Statistics table fields 11-28
Dst Port Bypass Filter Form parameter 6-12
Dst Port Flex-Content filter parameter 6-7
Dst Port User filter parameter 6-17
dynamic filter
accepting pending 10-17
activating automatically 5-10
activating interactively 5-10
active 11-9
adding to Guard 10-11
definition 6-2
deleting 10-12
displaying 10-8
displaying pending dynamic filters of a recommendation 10-15
managing 10-8
managing recommendations 10-13
pending 10-13
preventing unwanted 10-12
Dynamic Filters Form fields 10-11
Dynamic filters screen 10-8
Dynamic Filter table fields 10-9
E
elements used in flex-content filter expression 6-3
Enable Config Device parameter 3-3
enabling
communication with Detector or Guard 3-7
MDM service 3-2
End Offset Flex-Content filter parameter 6-8
exchanging certificates and keys 3-5
excluding IP address from zone 5-15
exporting
attack report from Attack Summary screen 11-25
attack report from zone menu option 11-26
data files from the MDM server 2-8
Expression Flex-Content filter parameter 6-7
expression rules for flex-content filter 6-4
F
filter
bypass 6-2
dynamic 6-2
flex-content 6-2
user 6-2
Filter consolidation error
Bypass Filters table 6-13
Flex-Content Filters table 6-9
User Filters table 6-16
Filter-rate termination threshold attack detection/termination parameter 5-11
flex-content filter
Action parameter 6-8
adding 6-6
definition 6-2
deleting 6-10
Description parameter 6-7
displaying 6-8
Dst Port parameter 6-7
elements 6-3
End Offset parameter 6-8
Expression parameter 6-7
expression rules 6-4
expression syntax 6-3
Match Case parameter 6-7
match criteria parameters 6-7
modifying 6-10
Pattern parameter 6-7
pattern syntax 6-5
Protocol parameter 6-7
qualifiers 6-3
special characters used in pattern 6-6
Start Offset parameter 6-7
State parameter 6-8
Flex-Content Filter Form 6-7
Flex-Content Filters table fields 6-9
Fragments Bypass Filter Form parameter 6-12
fragments policy template 7-2
Fragments User filter parameter 6-17
G
Global Current Counters/Rates table fields 11-4
Guard
activating dst-ip-by-ip Protect-IP state 5-10
activating dst-ip-by-name Protect-IP state 5-10
activating entire zone Protect-IP state 5-10
activating ondemand protection 10-5
activating policy-type Protect-IP state 5-10
activating zone protection 5-12
activation options 10-2
adding dynamic filter 10-11
adding to MDM device list 3-3
adding to zone device list 5-17
clearing global counters 11-5
deleting from MDM device list 3-7
deleting from zone device list 5-17
disabling or enabling communication with MDM 3-7
displaying global counters 11-3
MDM requirement 2-2
ondemand protection overview 10-2
overview 1-5
preparing for operation with MDM 3-1
subzones created by 10-3
GUARD_DEFAULT zone template 5-4
GUARD_LINK zone template 5-5
GUARD_TCP_NO_PROXY zone template 5-5
GUARD_VOIP zone template 5-5
H
Hostname Config Device parameter 3-3
http_ns policy template 7-4
http policy template 7-2
HTTP zombie attack 11-25
HTTP zombies list, displaying 11-27
HTTP Zombies table fields 11-28
I
icons 2-17
Immediate synchronization parameter 5-13
initiating synchronization manually 4-5
installing MDM 2-2
interactive operation mode 10-3
interactive protection mode 10-3
ip_scan policy template 7-2
IP address
activating protection 10-6
adding to zone 5-14
Config Device screen parameter 3-3
deleting from zone 5-15
excluding from zone 5-15
Protect IP screen parameter 10-6
updating zone policies after modifying 5-16
IP mask Protect IP screen parameter 10-6
IP Threshold IP Entry Form parameter 8-9
L
launching MDM from the client 2-11
learning activation extent 9-3
Learning parameters for Zone Policy Form and Zone Policy Parameter Form 8-8
learning process
accepting the threshold tuning phase results 9-9
automatic snapshots of 9-17
device activation 9-3
overview 1-6
performing 9-7
phase 9-2
results of 9-3
snapshot, managing 9-16
snapshots of current results 9-17
starting policy construction phase 9-8
starting threshold tuning phase 9-9
stopping policy construction phase 9-8
stopping threshold tuning phase 9-10
learning process phase
policy construction 9-2
threshold tuning 9-2
learning traffic overview 9-4
Linux requirements for MDM 2-2
M
malicious-rate detection threshold attack detection/termination parameter 5-11
malicious-rate termination threshold 10-8
attack detection/termination parameter 5-11
managing
anomaly detection and zone protection 10-4
Detector and Guard devices on the MDM network 3-1
device recommendations for dynamic filters 10-13
dynamic filter 10-8
learning process snapshot 9-16
network statistical and status information 1-7
zone configurations 1-7
marking zone policies tuned or untuned 9-15
Match Case Flex-Content filter parameter 6-7
match criteria parameters
bypass filter 6-11
flex-content filter 6-7
Max. disk space packet dump parameter 5-14
Max. rate zone general parameter 5-10
Max Services policy template parameter 7-7
MDM
backing up server configuration information 2-9
backing up the MySQL database 2-9
consolidation 1-7
Detector requirement 2-2
disabling or enabling communication with Detector or Guard 3-7
enabling service 3-2
exporting data files 2-8
Guard requirement 2-2
installing 2-2
Linux requirements 2-2
managing network statistical and status information 1-7
managing zone configurations 1-7
network 1-1
overview 1-1, 1-6
permitting network access to a device 3-2
providing security 2-3
removing related information from the server 2-11
resolving database conflicts 4-1
system requirements 2-2
tracking device-to-zone associations 1-6
uninstalling 2-10
MDM browser window
navigating 2-14
overview 2-12
zone icons 2-17
MDM device list
adding Detector or Guard 3-3
deleting Detector or Guard 3-7
displaying 3-4
MDM network, managing Detector and Guard devices 3-1
MDM service, enabling 3-2
Minimal difference Policy Comparison screen parameter 9-21
Min Threshold policy template parameter 7-7
mitigated attack details 11-24
Mitigated Attack Details table fields 11-24
mitigated attacks 11-23
Mitigated Attacks table fields 11-23
modifying
current zone automatic synchronization parameters 4-4
flex-content filter 6-10
policy 8-6
policy template 7-6
zone general configuration 5-9
MySQL and user accounts, hardening 2-7
MySQL database, backing up and restoring 2-9
N
navigating the MDM browser window 2-14
network, MDM 1-1
network event log
displaying 11-5
severity levels 11-5
Network Summary table fields 11-3
nonspoofed attacks 1-3
note, symbol overview ii-xi
O
ondemand protection overview 10-2
Operation mode zone general parameter 5-10
other_protocols policy template 7-2
overview
automatic learning and snapshot 9-4
Detector 1-4
Guard 1-5
learning process device activation 9-3
learning traffic 9-4
MDM 1-1, 1-6
MDM browser window 2-12
ondemand protection by Guard 10-2
policy template 7-1
user filter 6-14
zone 1-5, 5-1
zone filters 6-1
P
packet dump parameter
Auto Packet Dump 5-14
Max. disk space 5-14
Pattern Flex-Content filter parameter 6-7
pattern syntax used by flex-content filter 6-5
Pending Dynamic Filters screen 10-15
Pending Dynamic filters table fields 10-15
Per Attack Summary table fields 11-16
performing
learning process 9-7
state preserving removal operation 2-10
Periodic synchronization time synchronization parameter 5-13
permitting network access to a device from the MDM 3-2
pinging a Detector or Guard device 3-6
Policies, Policy Filter screen parameter 8-2
Policies screen 8-1
policy
adding IP address and threshold 8-9
adding service 7-8
comparing in two zone configurations 9-20
creating snapshot 9-18
deleting IP address and threshold 8-10
deleting service 7-9
displaying differences in zone configurations or snapshots 9-21
modifying 8-6
Policy, Policy Filter screen parameter 8-2
Policy Comparison screen
Base Zone parameter 9-21
Compare Zone parameter 9-21
Minimal difference parameter 9-21
opening 9-21
policy comparison table 9-22
policy construction phase
definition 9-2
starting 9-7
stopping 9-8
Policy Filter screen parameters
Action 8-2
Policies 8-2
Policy 8-2
Policy template 8-2
Protection level 8-2
Service 8-2
State 8-2
Type 8-2
policy parameter, copying to base zone 9-23
Policy table fields 8-2
policy template
displaying 7-5
dns_tcp 7-2
dns_udp 7-2
fragments 7-2
http 7-2
http_ns 7-4
ip_scan 7-2
Max Services parameter 7-7
Min Threshold parameter 7-7
modifying 7-6
other_protocols 7-2
overview 7-1
port_scan 7-2
sip_udp 7-4
State parameter 7-6
tcp_connections 7-2
tcp_connections_ns 7-4
tcp_not_auth 7-2
tcp_outgoing_ns 7-4
tcp_ratio 7-2
tcp_services 7-3
tcp_services_ns 7-3
tcp_outgoing 7-2
types 7-2
udp_services 7-3
Policy template, Policy Filter screen parameter 8-2
Policy Template table fields 7-5
port_scan policy template 7-2
preparing Detector and Guard devices 3-1
preventing unwanted dynamic filters 10-12
protection-end time attack detection/termination parameter 5-11
Protection level, Policy Filter screen parameter 8-2
Protect IP screen
IP address parameter 10-6
IP mask parameter 10-6
opening 10-6
Protect-IP state zone general parameter 5-10
Protocol parameter
Bypass Filter Form 6-12
flex-content filter 6-7
User filter 6-17
R
Rate User filter parameter 6-17
Real-Time Transport Protocol (RTP)/RTP Control Protocol (RTCP) 5-5
Recommendations screen 10-13
Recommendations table fields 10-14
removing
all MDM-related information from the server 2-11
old reports 2-10
reports, removing 2-10
resolving
back-end service problem 12-2
database connection problem 12-2
device disconnected problem 12-4
device initialization problem 12-5
device suspended problem 12-4
MDM database conflicts 4-1
Tomcat server problem 12-3
S
screen
Add Bypass Filter 6-11
Config 5-9
Config Device 3-3
Config Policy Template 7-6
Conflicts Resolution 4-2
Counters 11-3
Device List 3-4
Dynamic filters 10-8
Pending Dynamic Filters 10-15
Policies 8-1
Policy Comparison 9-21
Protect IP 10-6
Recommendations 10-13
Zombie List 11-27
Secure Copy Protocol, using to export data files 2-8
security
configuring server firewall 2-3
defining users and user groups 2-6
exporting data files 2-8
hardening MySQL and user accounts 2-7
using TACACS 2-6
selecting zones to perform the learning process 9-5
service
adding to base zone 9-22
adding to policy 7-8
deleting from base zone 9-22
deleting from policy 7-9
restart problem 12-2
Service, Policy Filter screen parameter 8-2
Session Initiation Protocol (SIP) 5-5
severity levels for network event log 11-5
severity levels for zone event log 11-14
sip_udp policy template 7-4
SIP User filter action 6-15
snapshot
comparing 9-20
current learning process results 9-17
deleting 9-20
displaying 9-19
displaying policy differences 9-21
regular intervals of learning process 9-17
viewing, modifying, or saving to the zone configuration 9-18
zone configuration policies 9-18
Snapshot List table fields 9-19
Source IP parameter
Bypass Filter Form 6-11
User filter 6-17
Source subnet parameter
Bypass Filter Form 6-11
User filter 6-17
spoofed attacks 1-3
Spoofed Statistics table fields 11-30
SSH File Transfer Protocol, using to export data files 2-8
starting
policy construction phase 9-7
threshold tuning phase 9-9
Start Offset Flex-Content filter parameter 6-7
State parameter
Flex-Content filter parameter 6-8
Policy Filter screen 8-2
policy template 7-6
Zone Policy Form and Zone Policy Parameter Form 8-6
state preserving removal operation 2-10
status icons 2-17
Stop Learning window
opening 9-10
Threshold selection method parameter 9-11
weight parameter 9-11
stopping
policy construction phase 9-8
threshold tuning phase 9-10
subzone
created by Guard 10-3
reports 11-17
synchronization
Immediate synchronization parameter 5-13
initiating manually 4-5
initiating on an active zone 4-6
modifying automatic 4-4
Periodic synchronization time parameter 5-13
synchronizing zone configuration information 4-4
system requirements, MDM 2-2
T
TACACS
keywords 2-7
using 2-6
tcp_connections_ns policy template 7-4
tcp_connections policy template 7-2
tcp_not_auth policy template 7-2
tcp_outgoing_ns policy template 7-4
tcp_outgoing policy template 7-2
tcp_ratio policy template 7-2
tcp_services_ns policy template 7-3
tcp_services policy template 7-3
tcpdump-expression elements 6-3
threshold
Filter-rate termination 5-11, 10-8
malicious-rate detection 5-11
malicious-rate termination 5-11, 10-8
Threshold IP Entry Form
IP parameter 8-9
Threshold parameter 8-9
Threshold multiplier parameter for Zone Policy Form and Zone Policy Parameter Form 8-8
Threshold parameter
Threshold IP Entry Form 8-9
Zone Policy Form and Zone Policy Parameter Form 8-7
Threshold selection method
Deactivate window parameter 9-14
Stop Learning window parameter 9-11
Threshold selection method parameter, Accept Thresholds screen 9-10, 9-17
threshold tuning
activating with Detect and Protect 9-13
deactivating with Detect and Protect 9-13
threshold tuning phase
accepting results 9-9
definition 9-2
starting 9-9
stopping 9-10
Timeout parameter for Zone Policy Form and Zone Policy Parameter Form 8-8
tip, symbol overview ii-xi
Total Attacks Statistics table fields 11-16
tracking device-to-zone associations 1-6
traffic counter, displaying 10-6
Traffic Rate table fields 11-9
Triggers table fields 10-10
troubleshooting
device communication problem 12-4
resolving back-end service problem 12-2
resolving database connection problem 12-2
resolving device disconnected problem 12-4
resolving device initialization problem 12-5
resolving device suspended problem 12-4
resolving Tomcat server problem 12-3
service restart problem 12-2
Type, Policy Filter screen parameter 8-2
U
udp_services policy template 7-3
uninstalling MDM software 2-10
updating zone policies after modifying IP address or subnet 5-16
user filter
actions 6-15
adding 6-16
definition 6-2
deleting 6-18
displaying 6-15
overview 6-14
User filter parameters
Action 6-18
Burst 6-18
Dst Port 6-17
Fragments 6-17
Protocol 6-17
Rate 6-17
Source IP 6-17
Source subnet 6-17
User Filters table fields 6-16
users and user groups, adding 2-6
using
TACACS 2-6
zone diagnostic tools 11-6
V
verifying zone protection 10-6
Voice over IP applications, User filter action 6-15
Voice over IP server, zone template protecting zone containing 5-5
W
weight parameter
Accept Thresholds screen 9-10, 9-18
Deactivate window 9-14
Stop Learning window 9-11
window
Accept Thresholds 9-17
Deactivate 9-13
Stop Learning 9-10
Z
zombie
HTTP detected 11-25
list 11-27
Zombie List screen 11-27
zombies 1-3
zone
activating ondemand protection 10-5
adding IP address 5-14
adding service 8-10
attack report 11-17
automatic operation modes 10-3
comparing policy in configurations 9-20
creating 5-3
creating from a template 5-6
creating from existing zone 5-8
deleting 5-18
deleting IP address 5-15
displaying current status 11-6
displaying policy differences 9-21
displaying status information 10-6
excluding IP address 5-15
icons 2-17
initiating manual synchronization 4-5
initiating synchronization on an active zone 4-6
interactive operation modes 10-3
modifying current automatic synchronization parameters 4-4
modifying general configuration 5-9
overview 1-5, 5-1
selecting for the learning process 9-5
synchronizing configuration information 4-4
verifying protection 10-6
zone attack summary report, displaying 11-15
zone counters
analyzing traffic flow 11-11
clearing 11-13
displaying 11-10
Zone Current Counters/Rates table fields 11-11
zone device list
adding Detector or Guard 5-17
deleting Detector or Guard 5-17
zone diagnostic tools, using 11-6
zone event log, displaying 11-15
zone filter overview 6-1
zone general parameters
Burst 5-10
Description 5-10
Max. rate 5-10
Operation mode 5-10
Protect-IP state 5-10
zone operation mode
changing to automatic 10-18
changing to interactive 10-18
changing when dynamic filters exceed 1000 10-18
zone policies
adding an IP address and threshold 8-9
adding a service 7-8
creating snapshot 8-5
deleting a service 7-9
displaying 8-1
marking as tuned or untuned 9-15
updating after modifying IP address or subnet 5-16
Zone Policy Form and Zone Policy Parameter Form
Action parameter 8-7
Learning parameters 8-8
State parameter 8-6
Threshold multiplier parameter 8-8
Threshold parameter 8-7
Timeout parameter 8-8
zone protection activation
IP address 5-12
packet 5-12
zone name 5-12
zone protection options 10-2
zone recent events table 11-10
zone status, displaying 11-7
zone status bar 11-8
Zone Status screen 11-7
zone status table fields 11-9
zone template
available 5-3
creating zone from 5-6
DETECTOR_WORM 5-4
GUARD_DEFAULT 5-4
GUARD_LINK 5-5
GUARD_TCP_NO_PROXY 5-5
zone traffic rate statistics and graph 11-9