Cisco DDoS Multi-Device Management System Configuration Guide (Software Release 1.0)
Managing Zone Policy Templates


This chapter describes how to use the Cisco DDoS MultiDevice Manager (MDM) to manage the policy templates of a zone configuration.


Note This guide refers to the Cisco Traffic Anomaly Detector Module and the Cisco Traffic Anomaly Detector appliance as Detector and the Cisco Anomaly Guard Module and the Cisco Guard appliance as Guard. When referring to both the Detector and the Guard, this guide uses the term device.


This chapter contains the following sections:

Using a Policy Template

Displaying a List of Policy Templates

Modifying a Policy Template

Adding or Deleting a Policy Template Service

Using a Policy Template

A policy template is a collection of policy construction rules that a device uses during the policy construction phase to create a set of policies that are specific to a zone.

During the policy construction phase of the learning process, the zone traffic flows transparently through the device as each enabled policy template produces a group of policies based on the policy template definitions and the zone traffic characteristics. The device ranks the services (protocol and port numbers) that the policy template monitors by the level of traffic volume. The device selects the services that have the highest traffic volume and that have exceeded the defined minimum threshold of the policy template. The device then creates a new policy for each service. The device uses policy templates to create additional policies with a service of any to handle all traffic flows for which a specific policy was not added. Each policy is configured with an action that the device executes when the zone traffic violates the conditions of the policy.

The name of the policy template is derived from the characteristics that are common to all the policies that it creates. The name can be a protocol (such as DNS), an application (such as HTTP), or the objective (such as ip_scan). For example, the policy template tcp_connections produces policies that refer to a connection, such as the number of concurrent connections. When you create a new zone, the device includes a set of policy templates in the zone configuration. Changes that you make to a zone policy template configuration affect the policy construction phase of the learning process.

Some policy templates are designed for use by a specific device type. For example, the policy template tcp_services_ns applies to Guard operation only and not to Detector operation. When you create a zone using a Guard zone template that contains policy templates for both device types, the MDM includes all policies in the zone configuration. A device ignores any policies not intended for use by its device type. For example, the policies in a zone configuration that are designed for the Guard are ignored by the Detector.

Table 7-1 describes each of the policy template types.

Table 7-1 Policy Templates

Policy Template | Produces a set of policies relating to... | Applies to...
dns_tcp | DNS-TCP protocol traffic. | Guard and Detector
dns_udp | DNS-UDP protocol traffic. | Guard and Detector
fragments | Fragmented traffic. | Guard and Detector
http | HTTP traffic that flows, by default, through port 80 (or other user-configured ports). | Guard and Detector
ip_scan | IP scanning: a situation in which a client from a specific source IP address tries to access many destination IP addresses in the zone. This policy template is designed for zones where the IP address definition is a subnet. By default, this policy template is disabled; its default action is notify. Note: the policies produced from this policy template are resource consuming and can affect performance. | Guard and Detector
other_protocols | Non-TCP and non-UDP protocols. | Guard and Detector
port_scan | Port scanning: a situation in which a client from a specific source IP address tries to access many ports in the zone. By default, this policy template is disabled; its default action is notify. Note: the policies produced from this policy template are resource consuming and can affect device performance. | Guard and Detector
tcp_connections | TCP connection characteristics. | Guard and Detector
tcp_not_auth | TCP connections that the Guard antispoofing feature has not authenticated. | Guard and Detector
tcp_outgoing | TCP connections initiated by the zone. | Guard and Detector
tcp_ratio | Ratios between different types of TCP packets, such as SYN packets versus FIN/RST packets. | Guard and Detector
tcp_services | TCP services on ports other than HTTP-related ports, such as ports 80 and 8080. | Guard and Detector
tcp_services_ns | TCP services. By default, the policies created by the tcp_services_ns template relate to IRC ports (666X), SSH, and Telnet. This policy template does not create policies with actions that apply the strong protection level to the traffic flow. | Guard
udp_services | UDP services. | Guard and Detector


The zone configuration contains additional policy templates if the zone was created from zone templates that are designed for specific types of attacks or specific services. Table 7-2 details the policy templates that the devices add to a zone configuration based on a specific zone template.

Table 7-2 Specific Policy Templates

Zone template: GUARD_VOIP (applies to Guard)

sip_udp—Constructs a group of policies that relate to Voice over IP (VoIP) sessions that use Session Initiation Protocol (SIP) over UDP to establish the VoIP sessions and Real-Time Transport Protocol/Real-Time Control Protocol (RTP/RTCP) to carry voice data between the SIP endpoints after the sessions are established.

Zone template: GUARD_TCP_NO_PROXY (applies to Guard)

tcp_connections_ns—Constructs a group of policies that relate to TCP connection characteristics.

tcp_outgoing_ns—Constructs a group of policies that relate to TCP connections initiated by a zone.

http_ns—Constructs a group of policies that relate to HTTP traffic flowing (by default) through port 80 or other user-configured ports.

Use these policy templates for protecting zones when you do not want to use the TCP proxy antispoofing functions, and where the Guard serves as a proxy. You can use these policy templates if the zone is controlled based on the IP addresses, such as an Internet Relay Chat (IRC) server-type zone, or if you do not know the type of services that are running on the zone.

When you create a zone with the GUARD_TCP_NO_PROXY zone template, the Guard uses these policy templates. The Guard replaces the policy templates http, tcp_connections, and tcp_outgoing with the policy templates http_ns, tcp_connections_ns, and tcp_outgoing_ns. The http_ns, tcp_connections_ns, and tcp_outgoing_ns policy templates do not create policies with actions that require the Guard to apply the strong protection level to the traffic flow.



Note When a device learns traffic for a zone created with a Guard zone template, it first looks for TCP traffic on the dedicated ports 6660 to 6670 and 21 to 23.

If traffic is detected on these ports, the tcp_services_ns policy template constructs a group of policies for them, and the tcp_services policy template monitors TCP services on the other ports.

If no traffic is detected on these ports, the tcp_services_ns policy template is not used.

You can add services to policies that were created from the tcp_services_ns policy template.


Displaying a List of Policy Templates

To display a list of zone policy templates, follow these steps:


Step 1 From the navigation pane, choose a zone. The zone menu appears.

Step 2 From the zone menu, choose Configuration > Policy templates > View. The Policy Templates screen appears.


Table 7-3 describes the fields in the Policy Template table.

Table 7-3 Field Description for the Policy Template Table 

Field
Description

State

Operating state of the policy template. The operating state can be one of the following conditions:

enabled—The policy template produces policies during the policy construction phase.

disabled—The policy template does not produce policies during the policy construction phase.

Note When the condition of the State field is enabled, the MDM does not display a value.

Min Threshold

Minimum traffic volume required for the device to detect a service. When traffic conditions exceed the threshold value, the device constructs policies to manage the traffic based on the particular traffic flow that exceeded the threshold.

The minimum threshold field applies only to policy templates that detect services in the traffic flow, such as tcp_services, tcp_services_ns, udp_services, other_protocols, and http.

The MDM displays only the value that applies to the Min Threshold field.

Max Services

Maximum number of services (protocol numbers or port numbers) that the policy template selects to create policies.

The Max Services field applies only to policy templates that detect services, such as tcp_services, tcp_services_ns, udp_services, and other_protocols.

The MDM displays only the value that applies to the Max Services field.


Modifying a Policy Template

You can modify the configuration of the following policy template parameters to manage the policy construction phase:

State—Defines whether the device produces policies from the policy template.

Maximum number of services—Defines the maximum number of services that the device picks up so that the policy template can create specific policies.

Minimum threshold—Defines the minimum threshold that must be exceeded for the device to rank the service.

To manage a policy template, follow these steps:


Step 1 From the navigation pane, choose a zone. The zone menu appears.

Step 2 From the zone menu, choose Configuration > Policy templates > View. The Policy Templates screen appears.

Step 3 Click the name of the policy template that you want to modify. The Config Policy Template screen appears.

Step 4 Modify the policy template parameters as described in Table 7-4. Not all parameters apply to every policy template type; the Policy Template Form screen displays only the parameters that apply to the policy template that you selected.

Table 7-4 Policy Template Parameters 

Parameter
Description

State

Operating state of the policy template as follows:

enable—Activates the policy template, which allows the device to use the template during the policy construction phase to produce policies.

disable—Deactivates the policy template, which prevents the device from using the template during the policy construction phase to produce policies.


Caution Do not disable a policy template because you may seriously compromise zone protection. When you disable a policy template, the device cannot produce policies to manage the type of malicious traffic that the policy template is designed to manage. For example, if you disable the dns_udp policy template, the device cannot create zone policies that manage DNS (UDP) attacks.

Min Threshold

Minimum traffic volume required by the device to detect a service. When the threshold is exceeded, the device creates policies to manage the service traffic based on the particular traffic flow that exceeded the threshold. By setting the threshold, you can adapt the operation of the device to the traffic volume of the zone services.

The minimum threshold parameter applies only to policy templates that detect services in the traffic flow, such as tcp_services, tcp_services_ns, udp_services, other_protocols, and http.

Enter a real number (a floating point number with 2 decimal places), equal to or greater than 0, that defines the minimum threshold rate in packets per second (pps). When measuring concurrent connections and the SYN/FIN ratio, the threshold is an integer that defines the total number of connections.

Max Services

Maximum number of services (protocol numbers or port numbers) that the policy template selects to create policies. The device ranks the services that the policy template monitors by the level of traffic volume for each service. The device then selects the services that have the highest traffic volume and that have exceeded the defined minimum threshold (as defined by the min-threshold parameter). The device then creates policies for each service. The device may add an additional policy with a service of any to handle all other traffic flows with the characteristics of the policy template.

Note A high number of maximum services results in the use of more memory by the zone.

You can define the maximum number of services parameter for policy templates that detect services, such as tcp_services, tcp_services_ns, udp_services, and other_protocols. You cannot configure the maximum number of services parameter for policy templates that monitor a specific service, such as dns_tcp, which monitors service 53, or for policy templates that relate to a specific traffic characteristic, such as fragments.

The device measures the traffic rate of the service based on the traffic characteristics of the policy. The traffic characteristic can be the source IP addresses or the destination IP addresses. A policy that monitors the service any measures the rate of source IP addresses on all services that are not handled by a specific policy.

By limiting the number of services, you can customize the policies to your traffic requirements for the zone.


Step 5 Click OK. The MDM saves the modified zone configuration on the master device.

Step 6 (Optional) Synchronize the new information with the other zone devices by using one of the following methods:

Manually by choosing Activation > Sync from the zone menu.

Automatically according to how you configured the synchronization feature in the zone configuration (see the "Modifying the Zone General Configuration Attributes" section on page 5-9).
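The ranking that the "Using a Policy Template" section describes, together with the Min Threshold and Max Services parameters of Table 7-4 and the tcp_services_ns port rule from the Note after Table 7-2, can be simulated to see which services will end up with their own policy and which will fall to the template's any policy before you commit a configuration. The following is an added illustration written for this chapter; it is not Cisco MDM, Guard or Detector code. The port groups (80 and 8080 for http; 21 to 23 and 6660 to 6670 for tcp_services_ns) are taken from the chapter; the template settings, the per-port packet rates and the assumption that every template ends with an any policy are this example's own.

```python
"""Simulation of the policy construction phase described in this chapter.

Added illustration, not Cisco MDM, Guard or Detector code. The port groups come
from the chapter text (HTTP ports 80 and 8080; ports 21-23 and 6660-6670 that
are handled by tcp_services_ns). The template settings and the per-port packet
rates below are constructed sample data, and giving every template a trailing
'any' policy is this example's reading of the chapter.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

HTTP_PORTS = {80, 8080}
NS_PORTS = set(range(21, 24)) | set(range(6660, 6671))


@dataclass
class PolicyTemplate:
    name: str
    min_threshold: float         # pps a service must exceed before it is ranked
    max_services: Optional[int]  # None for templates without a Max Services field
    enabled: bool = True


def assign_tcp_template(port: int, ns_traffic_seen: bool) -> str:
    """Name the TCP policy template that will cover a destination port.

    The Note after Table 7-2 says tcp_services_ns is only used when traffic was
    seen on its dedicated ports; otherwise those ports fall to tcp_services.
    """
    if port in HTTP_PORTS:
        return "http"
    if port in NS_PORTS and ns_traffic_seen:
        return "tcp_services_ns"
    return "tcp_services"


def construct_policies(template: PolicyTemplate,
                       rates: Dict[int, float]) -> Dict[str, List[int]]:
    """Rank services by volume and decide which ones get a specific policy.

    'policies' lists the services that receive their own policy, highest
    volume first; 'catch_all' lists the services left to the 'any' policy
    (below Min Threshold, beyond Max Services, or template disabled).
    """
    ranked = sorted(rates, key=lambda p: (-rates[p], p))
    if not template.enabled:
        return {"policies": [], "catch_all": ranked}
    eligible = [p for p in ranked if rates[p] > template.min_threshold]
    cap = len(eligible) if template.max_services is None else template.max_services
    chosen = eligible[:cap]
    return {"policies": chosen,
            "catch_all": [p for p in ranked if p not in chosen]}


def construct_tcp_zone_policies(observed: Dict[int, float],
                                templates: Dict[str, PolicyTemplate]):
    """Split observed TCP traffic across http / tcp_services / tcp_services_ns
    and run the ranking for each template. `templates` must hold all three."""
    ns_seen = any(rate > 0 for port, rate in observed.items() if port in NS_PORTS)
    buckets: Dict[str, Dict[int, float]] = {name: {} for name in templates}
    for port, rate in observed.items():
        buckets[assign_tcp_template(port, ns_seen)][port] = rate
    return {name: construct_policies(tpl, buckets[name])
            for name, tpl in templates.items()}


# Constructed sample: Min Threshold in pps and Max Services as they would be
# entered in the Policy Template Form; http has no Max Services field.
SAMPLE_TEMPLATES = {
    "http": PolicyTemplate("http", min_threshold=0.0, max_services=None),
    "tcp_services": PolicyTemplate("tcp_services", min_threshold=10.0, max_services=2),
    "tcp_services_ns": PolicyTemplate("tcp_services_ns", min_threshold=10.0, max_services=3),
}
# Constructed sample: average pps per TCP destination port seen during learning.
SAMPLE_RATES = {80: 5000.0, 8080: 100.0, 443: 1200.0, 25: 400.0, 993: 50.0,
                3306: 2.0, 9999: 0.5, 22: 30.0, 6667: 15.0}

if __name__ == "__main__":
    results = construct_tcp_zone_policies(SAMPLE_RATES, SAMPLE_TEMPLATES)
    for name, result in results.items():
        print(f"{name:16s} policies={result['policies']} "
              f"any-policy covers={result['catch_all']}")
```

With the sample data, tcp_services keeps only ports 443 and 25 because Max Services is 2: port 993 exceeds the threshold but is pushed into the any policy, and ports 3306 and 9999 never reach the threshold at all. Raising Max Services or lowering Min Threshold moves services from the catch_all list into their own policies, which is the memory trade-off the Max Services note describes.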


Adding or Deleting a Policy Template Service

You can manually add a service (application port or protocol) to a zone policy template. This feature allows you to add a service that the MDM did not discover during the policy construction phase of the learning process.


Note When you add or delete a service, the MDM marks the zone policies (and the zone) as untuned. Because the zone is untuned, the devices cannot provide zone protection until you perform one of the following actions:

(Recommended) Perform the threshold tuning phase of the learning process and accept the results (see the "Starting the Threshold Tuning Phase" section on page 9-9)

Mark the zone as tuned (see the "Marking the Zone Policies as Tuned or Untuned" section on page 9-15)


This section contains the following topics:

Adding a Service

Deleting a Service

Adding a Service

You can manually add services to all policies that were created from a specific policy template. The MDM adds the new service to the zone configuration with the services that the master device discovered during the policy construction phase. When you add a new service, the MDM configures the associated policies with default threshold values. You can manually modify the thresholds to tune the policies to the zone traffic. However, we recommend that you run the threshold tuning phase of the learning process for this purpose.

You may need to manually add a service in the following situations:

A new application or service was added to the zone network and you do not want to run the policy construction phase of the learning process.

The policy construction phase was activated for a short period, so the policies do not reflect all the network services. For example, known applications or services may not have been detected because they were not active while the policy construction phase was running.


Caution Do not add the same service (port number) to more than one policy because it may cause unexpected behavior. For example, adding port 80 to both tcp_services and tcp_services_ns may cause the device to monitor port 80 with the wrong policy.

You can add a new service to policies that were created from the following policy templates:

tcp_services, udp_services, tcp_services_ns, worm_tcp (the service designates a port number)

tcp_services, udp_services, tcp_services_ns (the service designates a port number)

other_protocols (the service designates a protocol number)


Note If you activate the policy construction phase after you add a service, new services might override the service that you added.


To add a service to a policy type, follow these steps:


Step 1 Choose a zone from the navigation pane. The zone main menu appears.

Step 2 Initiate the Add Service process by using one of the following methods:

From the zone main menu, choose Configuration > Policy Templates > Add Service.

From the zone main menu, choose Configuration > Policy templates > View and click Add service in the Policies Templates screen.

From the zone main menu, choose Configuration > Policies > View and click Add service in the Policies screen.

The Add service step 1 screen appears.

Step 3 From the Policy Template list choose a policy template, and then click Next. The Add Service — step 2, Add Service Form screen appears. See the "Using a Policy Template" section for details on policy template types.

Step 4 Enter the new service in the Add Service Form screen.

Step 5 Click OK. The MDM adds the new policies for the service to the zone configuration on the master device, configures the new services with default threshold values, and marks the zone policies as untuned.

Step 6 (Optional) Synchronize the new information with the other zone devices by using one of the following methods:

Manually by choosing Activation > Sync from the zone menu.

Automatically according to how you configured the synchronization feature in the zone configuration (see the "Modifying the Zone General Configuration Attributes" section on page 5-9).

Step 7 (Optional) Define the thresholds of the new policies. You can define the threshold manually, but we recommend that you run the threshold tuning phase of the learning process to tune the policies to the zone traffic. See the "Starting the Threshold Tuning Phase" section on page 9-9 for more information.


You can mark the zone policies as tuned even without running the threshold tuning phase of the learning process (see the "Marking the Zone Policies as Tuned or Untuned" section on page 9-15).

Deleting a Service

You can delete a specific service from a policy template. The MDM deletes the service from all policies that were created from the policy template.


Caution If you delete a service, the zone policies cannot monitor the associated traffic, which may compromise zone protection.

You can remove services from the following policy template types:

tcp_services, udp_services, tcp_services_ns, worm_tcp (the service designates a port number)

tcp_services, udp_services, tcp_services_ns (the service designates a port number)

other_protocols (the service is a protocol number)

If you do not activate the policy construction phase of the learning process, you may need to remove a service manually in the following situations:

An application or service was removed from the network.

An application or service that you do not want to enable (because it is uncommon for the network environment) was identified during the policy construction phase.


Note If you activate the policy construction phase after you remove a service, the service might get added back to the zone configuration.


To delete a service from a policy, follow these steps:


Step 1 Choose a zone from the navigation pane. The zone main menu appears.

Step 2 Use one of the following methods to initiate the Remove Service process:

From the zone main menu, choose Configuration > Policy Templates > Remove service.

From the zone main menu, choose Configuration > Policy templates > View and click Remove service in the Policies Templates screen.

From the zone main menu, choose Configuration > Policies > View and click Remove service in the Policies screen.

The Remove service screen appears.

Step 3 Choose the service that you want to remove from the list and click Delete. The delete verification screen appears.

Step 4 Click OK. The MDM removes the selected service from the zone configuration on the master device and marks the zone as untuned. The MDM saves the modified zone configuration on the master device.

Step 5 (Optional) Change the zone configuration from untuned to tuned after deleting a service by performing one of the following actions:

Perform the threshold tuning phase of the learning process and accept the phase results (see the "Starting the Threshold Tuning Phase" section on page 9-9).

Mark the zone as tuned (see the "Marking the Zone Policies as Tuned or Untuned" section on page 9-15).

Step 6 (Optional) Synchronize the new information with the other zone devices by using one of the following methods:

Manually by choosing Activation > Sync from the zone menu.

Automatically according to how you configured the synchronization feature in the zone configuration (see the "Modifying the Zone General Configuration Attributes" section on page 5-9).
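The rules in the "Adding a Service" and "Deleting a Service" sections (which policy templates accept a manual service, whether the value is a port number or a protocol number, the Caution against adding one port to more than one policy template, and the zone being marked untuned after every change) can be checked locally before a change is made in the MDM. The following is an added example, not MDM code; the Zone class, the function names and the zone contents are constructed for the illustration.

```python
"""Bookkeeping for manual Add Service / Remove Service operations, following
the rules in the "Adding a Service" and "Deleting a Service" sections.

Added example, not MDM code. The zone contents are constructed. The template
lists come from the chapter: tcp_services, udp_services, tcp_services_ns and
worm_tcp take a port number, other_protocols takes a protocol number, and no
other policy template accepts a manual service.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

PORT_TEMPLATES = {"tcp_services", "udp_services", "tcp_services_ns", "worm_tcp"}
PROTOCOL_TEMPLATES = {"other_protocols"}


@dataclass
class Zone:
    name: str
    services: Dict[str, Set[int]] = field(default_factory=dict)  # template -> services
    tuned: bool = True  # the MDM marks the zone untuned after any service change


def validate_service(template: str, service: int) -> Tuple[bool, str]:
    """Check that the template accepts manual services and the value is in range."""
    if template in PORT_TEMPLATES:
        if 0 <= service <= 65535:
            return True, "port"
        return False, f"{service} is not a valid port number"
    if template in PROTOCOL_TEMPLATES:
        if 0 <= service <= 255:
            return True, "protocol"
        return False, f"{service} is not a valid IP protocol number"
    return False, f"services cannot be added to or removed from {template} manually"


def conflicting_template(zone: Zone, template: str, service: int) -> Optional[str]:
    """Per the Caution: the same port must not sit in more than one policy template."""
    same_kind = PORT_TEMPLATES if template in PORT_TEMPLATES else PROTOCOL_TEMPLATES
    for other in same_kind - {template}:
        if service in zone.services.get(other, set()):
            return other
    return None


def add_service(zone: Zone, template: str, service: int) -> Tuple[bool, str]:
    ok, detail = validate_service(template, service)
    if not ok:
        return False, detail
    if service in zone.services.get(template, set()):
        return False, f"{detail} {service} is already in {template}"
    other = conflicting_template(zone, template, service)
    if other is not None:
        return False, (f"{detail} {service} is already monitored by {other}; "
                       f"refusing to add it to {template}")
    zone.services.setdefault(template, set()).add(service)
    zone.tuned = False  # new policies carry default thresholds until tuned
    return True, f"added {detail} {service} to {template}; zone marked untuned"


def remove_service(zone: Zone, template: str, service: int) -> Tuple[bool, str]:
    ok, detail = validate_service(template, service)
    if not ok:
        return False, detail
    if service not in zone.services.get(template, set()):
        return False, f"{detail} {service} is not in {template}"
    zone.services[template].discard(service)
    zone.tuned = False  # threshold tuning (or marking as tuned) is needed again
    return True, f"removed {detail} {service} from {template}; zone marked untuned"


def sample_zone() -> Zone:
    """Constructed zone: a few TCP ports plus one non-TCP/UDP protocol number."""
    return Zone("web_zone", {"tcp_services": {443, 25},
                             "tcp_services_ns": {22, 6667},
                             "other_protocols": {47}})


if __name__ == "__main__":
    zone = sample_zone()
    for tpl, svc in [("tcp_services", 993), ("tcp_services_ns", 443),
                     ("dns_tcp", 53), ("other_protocols", 300)]:
        print(add_service(zone, tpl, svc))
    print(remove_service(zone, "tcp_services", 25), zone.tuned)
```

The second attempt in the demonstration is refused because port 443 already belongs to tcp_services, which is exactly the situation the Caution warns about; the dns_tcp attempt is refused because that template monitors a fixed service and is not in the manual-add list. After any accepted change the zone's tuned flag is cleared, mirroring the Note at the start of "Adding or Deleting a Policy Template Service": protection resumes only after the threshold tuning phase is run or the zone is marked as tuned.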