Managing Zone Policies
This chapter describes how to use the Cisco DDoS MultiDevice Manager (MDM) to manage the policies of a zone configuration, including how to make policy modifications that adjust the protection capabilities of the zone configuration.
Note: This guide refers to the Cisco Traffic Anomaly Detector Module and the Cisco Traffic Anomaly Detector appliance as Detector and the Cisco Anomaly Guard Module and the Cisco Guard appliance as Guard. When referring to both the Detector and the Guard, this guide uses the term device.
This chapter contains the following sections:
• Displaying a List of Zone Policies
• Creating a Snapshot (Copy) of the Zone Policies
• Modifying a Policy Parameter
• Configuring an IP Address and Threshold
• Adding or Deleting a Service
Displaying a List of Zone Policies
To display the list of existing zone policies, follow these steps:
Step 1  Select a zone from the navigation pane. The zone main menu appears.
Step 2  From the zone main menu, choose Configuration > Policies > View. The Policies screen appears (see Figure 8-1).
Figure 8-1 Policies Screen
If you created the zone using a GUARD_ zone template, the View Detector/View Guard toggle button appears above the policy list.
Step 3  Choose one of the following to display policies:
• Click View Detector to display the policies for use by the Detector.
• Click View Guard to display the policies for use by the Guard.
Step 4  (Optional) Set a screen filter to display only the policies that you want to display or configure. To set a screen filter, perform the following steps:
a. Click Set screen filter. The Policy Filter screen opens.
b. Choose the screen filters to use and click OK. Table 8-1 describes the screen filter parameters listed in the Policy Filter screen. Choose the desired display parameters from the corresponding drop-down lists.
To change multiple filter parameters, begin from the top and work your way down the parameters of the Policy Filter screen. When you change one of the filtering parameters, the MDM automatically resets all the parameters listed below it to their default values.
Table 8-1 Policy Filter Parameters
Parameter | Restricts the display to...
Policy template | Policies that were created from the selected policy template.
Service | Policies that were created for the selected service.
Protection level | Policies of the selected protection level.
Type | Policies of the selected packet type.
Policy | Policies of the selected key.
State | Policies of the selected operating state.
Action | Policies configured with the selected action.
Policies | Policies of the current configuration or of a snapshot (if available).
The MDM displays a list of the policies that meet the criteria that you specify. Details of the selected path, state, and action display in the Screen Filter screen.
Table 8-2 describes the fields in the Policy Table.
Table 8-2 Field Descriptions for Policy Table
Field | Description
Policy Template | Template used to construct the policy. Each policy template deals with the characteristics that the device requires to protect a zone against a specific DDoS threat.
Service | Service in the traffic flow that the policy monitors. A service is either a port number or a protocol number. See the "Adding or Deleting a Service" section for information on adding or deleting a service.
The table displays a service value of any for all traffic that does not specifically match other services created from the same policy template.
Level | Protection level that the policy applies to the traffic flow. For the Detector, the protection level is always Analysis. For the Guard, the possible protection levels are as follows:
• Analysis—The Guard monitors the traffic only. If the Guard detects an anomaly, it applies a basic or strong protection level.
• Basic—The Guard activates antispoofing and antizombie functions to authenticate the suspicious traffic by verifying the traffic source.
• Strong—The Guard activates severe antispoofing functions to inspect and verify the legitimacy of the traffic flow.
Type | Packet types that the MDM monitors. Unless otherwise specified, the following packet type values apply to both the Detector and Guard:
• auth_pkts—Packets for which either a TCP handshake or a UDP authentication was performed.
• auth_tcp_pkts—(Guard only) Packets for which a TCP handshake was performed.
• auth_udp_pkts—(Guard only) Packets for which UDP authentication was performed.
• in_nodata_conns—Incoming zone connections that have no data transfer on the connection (packets without a data payload).
• in_conns—(Guard only) Incoming zone connections.
• in_pkts—Zone incoming DNS query packets.
• in_unauth_pkts—Incoming zone unauthenticated DNS queries.
• num_sources—(Guard only) Packets that have TCP source IP addresses that are destined to the zone and that have been authenticated by the device antispoofing functions.
• out_pkts—Incoming zone DNS reply packets.
• reqs—Request packets with data payload.
• syns—Synchronization packets (TCP SYN flagged packets).
• syn_by_fin—SYN and FIN flagged packets. The MDM verifies the ratio between the number of SYN flagged packets and the number of FIN flagged packets.
• unauth_pkts—Packets that did not undergo a TCP handshake.
• pkts—All packet types that do not fall under any other category in the same protection level.
• non-estb-conns—(Detector only) Nonestablished connections. Incoming zone failed connections and TCP connection requests (SYN packets) for which no reply was received.
Key | Traffic characteristic that was used to aggregate the policies. Click the key name to display the details. Unless otherwise specified, the following possible key values apply to both the Detector and Guard:
• dst_ip—Traffic destined to a zone IP address.
• dst_ip_ratio—Ratio of SYN and FIN flagged packets destined to a specific IP address.
• dst_port_ratio—Ratio of SYN and FIN flagged packets destined to a specific port.
• global—Summation of all traffic flow as defined by the other policy sections.
• src_ip—Traffic destined to the zone aggregated according to the source IP address.
• dst_port—Traffic destined to a specific zone port.
• protocol—Traffic destined to the zone aggregated based on the protocol.
• src_ip_many_dst_ips—Traffic from a single IP address that probes a large number of zone IP addresses on the same port. This key is used for IP scanning.
• src_ip_many_ports—Traffic from a single IP address that probes a large number of ports on a zone destination IP address. This key is used for port scanning.
• scanners—(Detector only) A histogram of the number of source IP addresses that scan zone destination IP addresses on a specific destination port.
State | Current operating state of the policy. The policy operates in one of the following states:
• Active—Applies the policy to the traffic flow and executes the policy action when the traffic flow exceeds the policy threshold.
• Inactive—Applies the policy to the traffic flow but does not execute the policy action when the traffic flow exceeds the policy threshold.
• Disabled—Does not apply the policy to the traffic flow.
Action | Policy action. The device executes the action when the traffic flow exceeds the policy threshold. See the "Modifying a Policy Parameter" section for a list of possible actions.
Threshold | Policy threshold traffic rate. When the traffic flow exceeds the policy threshold, the device executes the policy action. You can configure the policy threshold manually or allow the device to configure it during the threshold tuning phase of the learning process.
By default, the threshold is set to a value appropriate for on-demand protection.
Proxy Threshold | Threshold for the HTTP proxy client. The proxy threshold defines the traffic rate for clients that connect to the zone in HTTP through proxies. Configure the proxy threshold using the CLI of the device.
Threshold List | Number of entries in a threshold list for a particular policy. A dash (-) indicates that you cannot configure a threshold list for the policy.
Timeout | Minimum amount of time that the device applies the policy action to the traffic flow. If the device is a Guard, when the timeout expires, it determines whether to deactivate the dynamic filter produced by the policy. The timeout value can be set to never.
Fixed | Policy threshold operating status. A check mark indicates that the threshold is a fixed value that cannot be modified during the threshold tuning phase of the learning process. An x indicates that the threshold value is not fixed, which means that the device can modify the policy threshold during the threshold tuning process.
Learning Multiplier | Factor by which the master device multiplies the threshold when it accepts the results of the threshold tuning phase.
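The State, Action, Threshold and Timeout semantics in Table 8-2 can be made concrete with a small model. The following Python is an added example written for this page; it is not code from the MDM, the Guard or the Detector. The Policy class, the tcp_services template name, the measurement values and the syn_by_fin helper are assumptions made for the example; the template/service/level/type/key naming form and the tcp_connections/any/basic/num_sources/global policy come from the page.

```python
from dataclasses import dataclass
from typing import Optional

# Threshold units by policy template, as given in Table 8-3; everything else is pps.
TEMPLATE_UNITS = {
    "num_sources": "addresses or ports",
    "tcp_connections": "connections",
    "tcp_ratio": "ratio",
}


@dataclass
class Policy:
    """One row of the Policy Table (Table 8-2), reduced to the fields the evaluation needs."""
    template: str      # policy template, e.g. tcp_connections ("tcp_services" below is an assumed name)
    service: str       # port or protocol number, or "any"
    level: str         # analysis, basic or strong
    ptype: str         # packet type, e.g. syns, in_pkts, num_sources
    key: str           # traffic characteristic, e.g. global, src_ip, dst_ip
    state: str         # active, inactive or disabled
    action: str        # notify, filter/drop, ...
    threshold: float
    timeout: Optional[int] = None  # seconds; None models the "never" setting

    @property
    def name(self) -> str:
        # The page names policies template/service/level/type/key.
        return "/".join([self.template, self.service, self.level, self.ptype, self.key])

    @property
    def unit(self) -> str:
        return TEMPLATE_UNITS.get(self.template, "pps")


def syn_by_fin(syn_count: int, fin_count: int) -> float:
    """Measurement for the syn_by_fin packet type: ratio of SYN to FIN flagged packets.
    With no FINs at all every SYN is unanswered, so report infinity instead of dividing by zero."""
    if fin_count == 0:
        return float("inf") if syn_count > 0 else 0.0
    return syn_count / fin_count


def evaluate(policy: Policy, measured: float) -> dict:
    """Decide what the device would do with one measurement of the policy's traffic.

    active:   policy applied; action executed when the measurement exceeds the threshold
    inactive: policy applied and the threshold checked, but no action executed
    disabled: policy not applied at all
    """
    if policy.state == "disabled":
        return {"policy": policy.name, "applied": False, "exceeded": None,
                "action": None, "hold_seconds": None}
    exceeded = measured > policy.threshold
    executes = exceeded and policy.state == "active"
    return {
        "policy": policy.name,
        "applied": True,
        "exceeded": exceeded,
        "action": policy.action if executes else None,
        # Once the action fires it is held for at least the timeout (None = never expires).
        "hold_seconds": policy.timeout if executes else None,
    }


# Constructed sample policies (not taken from any real zone configuration).
SAMPLE_POLICIES = [
    Policy("tcp_services", "80", "analysis", "syns", "global", "active", "notify", 5000.0, 60),
    Policy("tcp_services", "80", "basic", "unauth_pkts", "src_ip", "inactive", "filter/drop", 2000.0, 60),
    Policy("tcp_ratio", "any", "analysis", "syn_by_fin", "dst_ip_ratio", "active", "notify", 3.0, None),
    Policy("tcp_connections", "any", "basic", "num_sources", "global", "disabled", "redirect/zombie", 10000.0, 120),
]

# Constructed measurements for one interval, keyed by policy name.
SAMPLE_MEASUREMENTS = {
    SAMPLE_POLICIES[0].name: 7200.0,                # pps, above threshold
    SAMPLE_POLICIES[1].name: 2500.0,                # pps, above threshold but the policy is inactive
    SAMPLE_POLICIES[2].name: syn_by_fin(900, 250),  # ratio 3.6, above threshold
    SAMPLE_POLICIES[3].name: 50000.0,               # connections, but the policy is disabled
}


def run_sample() -> list:
    return [evaluate(p, SAMPLE_MEASUREMENTS[p.name]) for p in SAMPLE_POLICIES]


if __name__ == "__main__":
    for result in run_sample():
        print(result)
```

The second sample row is the case the Caution in Table 8-3 warns about: an inactive policy still reports that its threshold was exceeded, but nothing is done about the traffic.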
Creating a Snapshot (Copy) of the Zone Policies
The snapshot feature allows you to create a copy of the current version of the zone policies on the master device. We recommend that you create a copy of the current zone policies before you make any policy modifications. Creating a copy of the policies allows you to revert to the policies of the copy if needed.
Note: Snapshots that you create on the master device are not copied to the other zone devices during synchronization. To create a snapshot on a device other than the master device, use the device's CLI or Web-Based Manager (WBM) connection.
To create a snapshot, follow these steps:
Step 1  From the navigation pane, choose a zone that is not currently in a learning phase. The zone main menu appears.
Step 2  From the zone main menu, choose Learning > Snapshot. The Create Snapshot screen appears.
Step 3  Enter a name for the snapshot in the Snapshot name field.
Step 4  Click OK. The master device assigns a consecutive ID number to the snapshot and saves the snapshot.
In addition to creating a backup of the zone policies used by the master device, you can use the snapshot feature to save samples of the zone policy configuration at different points of the learning process. Using the compare feature, you can compare the results of a snapshot with other snapshots or zone policy configurations on the master device. For more information about using snapshots, see Chapter 9, "Learning Zone Traffic and Taking Snapshots."
Modifying a Policy Parameter
You can modify a zone policy only when the zone master device is not learning zone traffic, is not activated, and is not providing DDoS detection or protection services. The MDM allows you to modify the parameters of a single policy or the parameters of several policies at the same time.
Note: You will lose any changes that you make to a policy parameter if you perform the policy construction phase after changing the parameter. When you accept the results of the policy construction phase, the device replaces the current zone policies with the new policies that it created during policy construction.
Before modifying a policy, we recommend that you use the snapshot feature to create a copy of the current configuration (see the "Creating a Snapshot (Copy) of the Zone Policies" section).
To modify the policy parameters, follow these steps:
Step 1  Choose a zone from the navigation pane. The zone main menu appears.
Step 2  From the zone main menu, choose Configuration > Policies > View. The Policies screen appears.
Step 3  Choose the policies to configure using one of the following methods:
• To configure a single policy, click the Key value of the desired policy (the Policy details screen appears), and then click Configure, which is located under the Learning parameters table. The Zone Policy Form screen appears, displaying the current policy parameter values.
• To configure a group of policies, check the check box next to the policies that you want to reconfigure, and then click Config Selection. The Zone Policy Parameter Form screen appears.
A value of Multiple for a policy section specifies that the policy section does not have the same value in all the policies that you selected.
Step 4  Reconfigure the desired policy parameters as listed in Table 8-3, which describes the policy parameters in the Zone Policy Form and the Zone Policy Parameter Form. If you leave the field of a policy parameter blank, the MDM does not change the current value of the parameter in the policies that you selected.
Table 8-3 Zone Policy Parameter Form and Zone Policy Form Parameters
Parameter | Description
State | State of the policy. Possible values are as follows:
• active—Applies the policy to the traffic and executes the assigned policy action when the traffic exceeds the policy threshold.
• inactive—Applies the policy to the traffic, but does not execute the assigned policy action when the traffic exceeds the policy threshold.
• disabled—Does not apply the policy to the traffic.
Caution: If you set the policy state to inactive or disabled, you may compromise zone protection. When you set the policy state to disabled, the enabled zone policies assume responsibility for the traffic that was managed by the disabled policy. After you disable a policy and before the device performs zone protection, you must perform the threshold tuning phase to update the thresholds of the enabled policies.
Action | Action that the device executes when the traffic exceeds the policy threshold.
Configure the policy action so that it enhances the protection that the policy defines. For example, configure the policy action to the to-user-filters selection for policies with a protection level of analysis, or configure the policy action to filter/drop for policies with a protection level of strong. Do not configure the policy action so that it reduces the protection level that the policy defines. For example, do not configure the policy action to the to-user-filters selection for policies with a protection level of basic or strong.
The policy actions are as follows:
• notify—Issues a notification when zone traffic exceeds the policy threshold.
• block-unauthenticated—Adds a filter that blocks traffic that was not authenticated by the antispoofing functions, such as an ACK with no prior handshake.
Configure this policy action for policies with a packet type of in_unauth_pkts and unauth_pkts only.
• to-user-filters—Adds a filter directing the traffic to the user filters.
Configure this policy action for policies with a protection level of analysis.
• filter/strong—Adds a filter that applies the strong protection level to the traffic flow.
Configure this policy action for policies with a protection level of analysis and basic. We recommend that you use this policy action on TCP (incoming) policies with traffic characteristics of src_ip only and do not use it on policies with traffic characteristics of global because it may cause problems in networks that use a load balancer or an ACL to manage traffic.
• filter/drop—Adds a filter that directs the device to drop the specified traffic.
Configure this policy action for policies that monitor traffic after the device has applied the antispoofing functions (policies with a protection level of basic and strong). We do not recommend that you use this action for policies with a protection level of analysis because this action may cause the device to consume all the device filters when mitigating a spoofed attack.
• redirect/zombie—Adds a filter that enhances authentication for all user filters with an action of redirect.
This policy action applies to the tcp_connections/any/basic/num_sources/global policy only.
Threshold | Threshold traffic rate for the policy. When the traffic exceeds the threshold, the policy executes an action to protect the zone.
You can configure the threshold for a single policy only.
The threshold is measured in packets per second except for policies that are constructed from the following policy templates:
• num_sources—The threshold is measured by the number of IP addresses or ports.
• tcp_connections—The threshold is measured by the number of connections.
• tcp_ratio—The threshold is measured as the ratio number.
Threshold multiplier | Factor by which the thresholds of the policies are increased or decreased.
You can configure a threshold multiplier for a group of policies only. Enter a factor to increase or decrease the thresholds of the policies when the thresholds are not appropriate for the zone traffic.
Note: The new value may change in subsequent threshold tuning phases if you do not set it as fixed.
Timeout | Minimum time for which dynamic filters that are produced by the policy apply their action. Enter the timeout value in seconds.
Learning parameters | Manner in which the device accepts the results of a threshold tuning phase and modifies the policy threshold.
To configure the learning parameters, check the Learning parameters check box. You can configure the following learning parameters:
• Set as fixed—Defines the current threshold of the policy as a fixed value. When the device accepts the results of a threshold tuning phase, it does not modify this policy threshold.
• Learning multiplier—Calculates a new policy threshold by multiplying the learned threshold by the specified multiplier before accepting the result of subsequent threshold tuning phases. The device accepts the results of the threshold tuning phase using the configured threshold selection method. Enter a real positive number (a floating point number with 2 decimal places) by which the policy threshold is multiplied. Enter a number less than 1 to decrease the policy threshold.
Step 5  Click OK. The MDM saves the modified zone configuration on the master device.
Step 6  (Optional) Synchronize the new information with the other zone devices by using one of the following methods when the zone is inactive:
• Manually by choosing Activation > Sync from the zone menu.
• Automatically according to how you configured the synchronization feature in the zone configuration (see the "Modifying the Zone General Configuration Attributes" section on page 5-9).
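The interaction between the Threshold multiplier, the Set as fixed flag and the Learning multiplier in Table 8-3 is easy to get wrong, so the following Python models how thresholds move through one group edit and one accepted threshold tuning phase. This is an added example written for this page, not the MDM's or the device's own code; the PolicyThreshold class, the tcp_services template name and all threshold values are constructed for the example, and how the device actually selects the learned value is not modelled (the learned values are simply given).

```python
from dataclasses import dataclass


@dataclass
class PolicyThreshold:
    """Threshold-related fields of one policy (Tables 8-2 and 8-3)."""
    name: str
    threshold: float
    fixed: bool = False              # "Set as fixed": tuning results never overwrite it
    learning_multiplier: float = 1.0  # applied to the learned value when tuning is accepted


def validate_learning_multiplier(value: float) -> float:
    """Table 8-3: a real positive number with 2 decimal places; values below 1 lower the threshold."""
    if value <= 0:
        raise ValueError("learning multiplier must be a positive number")
    return round(value, 2)


def apply_threshold_multiplier(policies: list, factor: float) -> list:
    """Zone Policy Parameter Form 'Threshold multiplier': scale every selected policy's threshold.

    The fixed flag is left untouched, which is the point of the Note in Table 8-3:
    a non-fixed result can still be overwritten at the next threshold tuning phase.
    """
    if factor <= 0:
        raise ValueError("threshold multiplier must be a positive number")
    for p in policies:
        p.threshold = round(p.threshold * factor, 2)
    return policies


def accept_tuning_results(policies: list, learned: dict) -> list:
    """Model of the device accepting a threshold tuning phase.

    learned maps policy name -> threshold found during tuning (constructed input here).
    A fixed policy keeps its value; any other policy takes learned * learning_multiplier.
    """
    for p in policies:
        if p.fixed or p.name not in learned:
            continue
        p.threshold = round(learned[p.name] * p.learning_multiplier, 2)
    return policies


def sample_run() -> dict:
    # Constructed sample; names follow the page's template/service/level/type/key form.
    policies = [
        PolicyThreshold("tcp_services/80/analysis/syns/global", 5000.0),
        PolicyThreshold("tcp_services/80/analysis/pkts/global", 8000.0, fixed=True),
        PolicyThreshold("tcp_services/80/basic/unauth_pkts/src_ip", 2000.0,
                        learning_multiplier=validate_learning_multiplier(0.5)),
    ]
    # The operator decides the current thresholds are 20% low for this zone and raises the group.
    apply_threshold_multiplier(policies, 1.2)
    after_multiplier = {p.name: p.threshold for p in policies}

    # Constructed results of a later threshold tuning phase for the same policies.
    learned = {
        "tcp_services/80/analysis/syns/global": 7000.0,
        "tcp_services/80/analysis/pkts/global": 9999.0,   # ignored: policy is fixed
        "tcp_services/80/basic/unauth_pkts/src_ip": 3000.0,
    }
    accept_tuning_results(policies, learned)
    after_tuning = {p.name: p.threshold for p in policies}
    return {"after_multiplier": after_multiplier, "after_tuning": after_tuning}


if __name__ == "__main__":
    for stage, values in sample_run().items():
        print(stage, values)
```

In the sample, the group multiplier raises all three thresholds, but only the fixed policy keeps that raised value once tuning is accepted; the other two are replaced by the learned value times their learning multiplier, and the 0.5 multiplier drops the src_ip threshold below where it started.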
Configuring an IP Address and Threshold
To avoid false attack detections by the MDM when traffic increases on a known high traffic source or destination IP address, you can configure a policy with a threshold for traffic that is associated with that IP address. Add an IP address and threshold to a policy for the following network applications:
• High volume source IP address—When the zone normally receives a high volume of traffic from a specific source IP address, you can configure a policy with a threshold that the MDM applies to traffic that originates from the source IP address.
• High volume destination IP address—When you define a zone with two or more IP addresses and sections of the zone normally receive a high volume of traffic, you can configure a policy with a threshold that the MDM applies to traffic that targets the destination IP address within the zone.
You can configure IP thresholds only for the following policies:
• Policies with a traffic characteristic of destination IP (dst_ip).
• Policies with a traffic characteristic of source IP address (src_ip) where the default policy action is drop. The default policy action is the action that the MDM applies to the policy when you create a new zone. You can configure the threshold list for such policies even if you change the policy action.
You can configure a maximum of 10 IP addresses and thresholds for each policy.
This section contains the following topics:
• Adding an IP Address and Threshold
• Deleting an IP Address and Threshold
Adding an IP Address and Threshold
To add an IP address and threshold to a policy, follow these steps:
Step 1  Choose a zone from the navigation pane. The zone main menu appears.
Step 2  From the zone main menu, choose Configuration > Policies > View. The Policies screen appears.
Step 3  Click the Key type (located under the Key column) of the policy that you want to configure. The Policy details screen appears.
Step 4  Click Add (located under the Threshold list table). The Add Threshold IP Entry screen appears.
Step 5  Define the source or destination IP address and the threshold value as listed in Table 8-4, which describes the parameters in the Threshold IP Entry Form.
Table 8-4 Threshold IP Entry Form
Parameter | Description
IP | IP address. Enter the source or destination IP address.
Threshold | IP address threshold. When the traffic exceeds the threshold, the policy executes its configured action. Enter the threshold value in packets per second (pps) except for the following policy types:
• tcp_connections—The threshold is measured by the number of connections.
• tcp_ratio—The threshold is measured by the ratio number.
Step 6  Click OK. The MDM saves the modified zone configuration on the master device.
Step 7  (Optional) Synchronize the new information with the other zone devices by using one of the following methods:
• Manually by choosing Activation > Sync from the zone menu.
• Automatically according to how you configured the synchronization feature in the zone configuration (see the "Modifying the Zone General Configuration Attributes" section on page 5-9).
Deleting an IP Address and Threshold
To delete a policy IP address and threshold, follow these steps:
Step 1  Choose a zone from the navigation pane. The zone main menu appears.
Step 2  From the zone main menu, choose Configuration > Policies > View. The Policies screen appears.
Step 3  Click the Key parameter of the desired policy. The Policy details screen appears.
Step 4  Check the check box of the IP listing or listings that you want to delete from the Threshold list table.
Step 5  Click Delete. The MDM saves the modified zone configuration on the master device.
Step 6  (Optional) Synchronize the new information with the other zone devices by using one of the following methods:
• Manually by choosing Activation > Sync from the zone menu.
• Automatically according to how you configured the synchronization feature in the zone configuration (see the "Modifying the Zone General Configuration Attributes" section on page 5-9).
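The threshold-list rules in this section (which policies may carry a list, the limit of 10 entries, adding and deleting entries, and the per-address threshold replacing the policy threshold) are modelled in the following Python. It is an added example for this page, not code from the MDM or the device. The ThresholdList class and the sample addresses are constructed; the check that a src_ip policy's default action is drop assumes the action is spelled filter/drop as in Table 8-3, and the sample uses the RFC 5737 documentation ranges 192.0.2.0/24 and 198.51.100.0/24.

```python
import ipaddress

MAX_THRESHOLD_ENTRIES = 10  # page: at most 10 IP addresses and thresholds per policy


def threshold_list_allowed(key: str, default_action: str) -> bool:
    """Eligibility rule from the page: dst_ip policies always; src_ip policies only when the
    default action (the one assigned at zone creation) is drop. Changing the action later does
    not revoke eligibility, which is why the default action is passed in rather than the current one."""
    return key == "dst_ip" or (key == "src_ip" and default_action == "filter/drop")


class ThresholdList:
    """Per-IP threshold overrides for one policy (the Threshold list table on the Policy details screen)."""

    def __init__(self, key: str, default_action: str, policy_threshold: float):
        if not threshold_list_allowed(key, default_action):
            raise ValueError(f"threshold list not configurable for key={key}, default action={default_action}")
        self.key = key
        self.policy_threshold = policy_threshold
        self.entries: dict = {}  # ipaddress address -> threshold

    def add(self, ip: str, threshold: float) -> None:
        addr = ipaddress.ip_address(ip)  # raises ValueError on a malformed address
        if threshold <= 0:
            raise ValueError("threshold must be positive")
        # Re-entering an existing address updates it and does not count against the limit.
        if addr not in self.entries and len(self.entries) >= MAX_THRESHOLD_ENTRIES:
            raise ValueError(f"policy already has {MAX_THRESHOLD_ENTRIES} threshold entries")
        self.entries[addr] = threshold

    def delete(self, ip: str) -> bool:
        """Remove the entry; returns False when there was nothing to remove."""
        return self.entries.pop(ipaddress.ip_address(ip), None) is not None

    def threshold_for(self, ip: str) -> float:
        """The address-specific threshold if one is configured, else the policy threshold."""
        return self.entries.get(ipaddress.ip_address(ip), self.policy_threshold)

    def exceeds(self, ip: str, measured: float) -> bool:
        return measured > self.threshold_for(ip)


def sample_run() -> dict:
    # Constructed sample: a src_ip policy whose default action is filter/drop, with one known
    # high-volume source given a threshold well above the policy's 2000 pps.
    tl = ThresholdList("src_ip", "filter/drop", policy_threshold=2000.0)
    tl.add("192.0.2.10", 15000.0)
    return {
        "known_source_ok": not tl.exceeds("192.0.2.10", 12000.0),
        "unknown_source_flagged": tl.exceeds("198.51.100.7", 12000.0),
        "deleted": tl.delete("192.0.2.10"),
        "after_delete_flagged": tl.exceeds("192.0.2.10", 12000.0),
    }


if __name__ == "__main__":
    print(sample_run())
```

The same 12000 pps is acceptable from the listed source and a threshold breach from any other source, and deleting the entry puts the listed source straight back under the policy threshold; that is the behaviour to expect after Step 5 of the deletion procedure.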
Adding or Deleting a Service
You can manually add a service (application port or protocol) to the zone configuration that the master device did not discover during the policy construction phase. We recommend that you define specific policies for the zone's main services to obtain the protection that your network needs.
Adding or deleting a service involves modifying the associated policy template (see the "Adding or Deleting a Policy Template Service" section on page 7-8).