Cisco Anomaly Guard Module Configuration Guide (Software Version 6.0)
Protecting Zones


This chapter describes how to configure and activate the Cisco Anomaly Guard Module (Guard module) to protect a zone.


Note The Guard module can protect several zones at the same time, provided that their IP address ranges do not overlap.


This chapter refers to the Cisco Detector (Detector), the companion product of the Guard. The Detector is a Distributed Denial of Service (DDoS) attack detection device that analyzes a copy of the zone traffic. The Detector can activate the Guard attack mitigation services when the Detector determines that the zone is under attack. The Detector can also synchronize zone configurations with the Guard. For more information about the Detector, see the Cisco Traffic Anomaly Detector Module Configuration Guide and Cisco Traffic Anomaly Detector Configuration Guide.

This chapter contains the following sections:

Understanding Zone Protection Requirements and Options

Activating On-Demand Protection

Configuring the Zone Protection Mode of Operation

Configuring the Protection Activation Method

Configuring the Sensitivity for Activating Zone Protection

Configuring the Protection Activation Extent

Understanding Subzones

Configuring the Protection Inactivity Timeout

Activating Zone Protection

Deactivating Zone Protection

Understanding Zone Protection Requirements and Options

Before you activate zone protection, observe the following requirements and recommendations:

Configure traffic diversion—You must configure traffic diversion to enable the Guard module to hijack zone traffic from its normal network path for analysis and attack mitigation and then inject only the legitimate traffic back into the network. See Chapter 5, "Configuring Traffic Diversion" for more information.

Update the zone configuration—We recommend that you use one of the following methods to ensure that the zone configuration is up to date, enabling the Guard module to accurately discern between normal traffic conditions and attack traffic:

Learning process—The Guard module creates a set of zone-specific policies and policy thresholds based on the zone traffic characteristics. See Chapter 9, "Learning the Zone Traffic Characteristics" for more information.

Zone synchronization—The Detector learns the zone traffic for the Guard module and synchronizes the zone configuration with the Guard module (automatically or manually). See the "Synchronizing a Guard Module with a Detector Zone Configuration" section on page 6-8 for more information.

Activate the protect and learn function—The Guard module monitors the zone traffic for anomalies (attacks) while performing the threshold tuning phase of the learning process. If the Guard module detects an attack, it suspends the threshold tuning phase while it mitigates the attack.


Note Activate the protect and learn option only when you are sure that the zone is not under attack.


See the "Enabling the Protect and Learn Function" section on page 9-12 for more information.

Define the protection characteristics—You can configure the following optional protection characteristics:

Operation mode—Configure how the Guard module performs zone protection and define whether the Guard module applies measures to protect the zone automatically or in an interactive manner (see the "Configuring the Zone Protection Mode of Operation" section).

Activation method—Define whether to activate the zone according to the zone name, the zone address range, or the received traffic (see the "Configuring the Protection Activation Method" section). You should configure the activation method if zone protection is activated by an external device, such as a Detector.

Activation extent—Define whether to activate zone protection for the entire zone address range or only for a specific IP address within the zone (see the "Configuring the Protection Activation Extent" section). The activation extent applies only to zones where zone protection is activated by an external device, such as a Detector.

Protection termination timeout—Define the timeout after which the Guard module terminates zone protection (see the "Configuring the Protection Inactivity Timeout" section).

Activating On-Demand Protection

On-demand protection is the act of using one of the predefined zone templates to mitigate an attack on a zone that occurs before the Guard module has learned the specifics of the zone traffic. Each policy template contains a set of predefined policies and filters that provide immediate zone protection. The default thresholds of these zone policies are tuned so that the Guard module activates the anti-spoofing functions quickly if it identifies traffic anomalies in the zone traffic.

The default thresholds used to block (drop) source IP addresses are set to high values. Because these thresholds are not tuned to the specific zone traffic, on-demand protection requires that you monitor the mitigation process for nonspoofed attacks: watch the zone legitimate traffic rate, the malicious traffic rate, and the Guard module mitigation actions.

You may require on-demand protection for a zone if there is an attack on the zone and one of the following conditions applies:

The Guard module is currently learning the zone traffic.

You have enabled the protect and learn function and the Guard module has not had enough time to learn the zone traffic.

The current policy thresholds of the zone configuration do not accurately represent normal zone traffic.

To activate on-demand protection, perform the following steps:


Step 1 Create a new zone by entering the following command:

zone new-zone-name [template-name] [interactive]

See the "Creating a New Zone from a Zone Template" section on page 6-4 for more information.

Step 2 Define the zone IP address by entering the following command:

ip address ip-addr [ip-mask] 

See the "Configuring Zone Attributes" section on page 6-5 for more information.

Step 3 Activate zone protection by entering the following command:

protect

See the "Activating Zone Protection" section for more information.

Step 4 Analyze the zone traffic patterns. See Chapter 15, "Analyzing Guard Module Mitigation" for more information.


Configuring the Zone Protection Mode of Operation

During an attack on a zone, the Guard creates dynamic filters that determine how the Guard mitigates the attack. You can configure the Guard to execute the mitigation action associated with each dynamic filter automatically or wait until you decide whether or not to execute the proposed action. To control the execution of the mitigation actions, you configure the Guard to perform zone protection in one of the following modes:

Automatic protect mode—The Guard activates the dynamic filter actions as soon as the Guard creates the filter. This operation mode is the default.

Interactive protect mode—The Guard saves the dynamic filters as recommendations. You review the list of recommendations and decide which recommendations to accept, ignore, or direct to automatic activation.

Use the show command in zone configuration mode to display the current operation mode of the zone.

To enable the interactive protect mode, use the following command in zone configuration mode:

interactive

To disable the interactive protect mode and use the automatic protect mode, use the following command in zone configuration mode:

no interactive

See Chapter 11, "Using Interactive Protect Mode" for information about the following interactive protection operations:

Enabling the interactive protect mode when you create a new zone.

Managing the protection recommendations.

Determining when you must switch to the automatic protect mode.

Configuring the Protection Activation Method

The protection activation method defines how the Guard module identifies the zone requiring protection when it receives an external indication, which can be a command from an external device, such as a Detector, or traffic that is destined to the zone as determined by the packet IP address.

You can configure the Guard module to use one of the following methods to activate protection:

IP address—Activates zone protection when it receives a command from an external device, such as a Detector, that consists of an IP address or subnet that is part of the zone.

Packet—Activates zone protection when it receives traffic that is destined to the zone.

Packet or IP address—Activates zone protection when it receives traffic (a packet) that is destined to the zone or when it receives a command from an external device, such as the Detector, that consists of an IP address or subnet that is part of the zone address range.

Zone name only—Activates zone protection based on the zone name.

Perform the following tasks when you configure zones with a protection activation method of packet or packet-or-ip-address:

Manually divert the zone traffic to the Guard module using an external device so the Guard can monitor the zone traffic.

Ensure that you do not configure multiple zones with the same IP address range; otherwise, zone protection may not function properly.

(Optional) Configure the minimum received traffic rate that is required for the Guard module to activate zone protection by entering the protect-packet activation-sensitivity command (see the "Configuring the Sensitivity for Activating Zone Protection" section for more information).

The Guard module activates the entire zone or a specific IP address range according to the zone activation extent, unless the protection activation method is zone-name-only, in which case the Guard module always activates the entire zone (see the "Configuring the Protection Activation Extent" section).

To configure the protection activation method, use the following command in zone configuration mode:

activation-interface {ip-address | packet [divert] | packet-or-ip-address [divert] | zone-name-only}

The default is zone-name-only. If you create a zone by duplicating an existing zone, the protection activation method is set to zone-name-only, regardless of the configuration of the source zone. See the "Creating a New Zone by Duplicating an Existing Zone" section on page 6-5.

Table 10-1 provides the keywords for the activation-interface command.

Table 10-1 Keywords for the activation-interface Command 

Parameter
Description

ip-address

Activates zone protection when it receives a command from an external device, such as a Detector, that consists of an IP address or subnet that is part of the zone. The Guard module scans the zone database and activates the zone that has an address range that includes the received IP address or subnet. If you have configured several zones with an address range that includes the received IP address, the Guard module activates the zone with the longest prefix match (the zone that has the most specific address range that includes the received IP address). The received IP address or subnet must be completely included in the zone IP address range.

packet

Activates zone protection when it receives traffic for the zone as determined by the packet IP address. The Guard module scans the zone database and activates the zone that has an address range that includes the received packet IP address. If you have configured several zones with an address range that includes the received packet IP address, the Guard module activates the zone with the longest prefix match (the zone that has the most specific address range that includes the received packet IP address). The received IP address or subnet must be completely included in the zone IP address range.

Note When you configure a zone with a protection activation method of packet, the Guard module changes the way that it handles traffic that is not destined to an active zone. If you have configured injection for that traffic, the Guard module forwards the traffic instead of dropping it.

divert

(Optional) Enables the Guard module to send RHI announcements to the supervisor engine when you configure the Guard module to activate zone protection when it receives packets. Use the divert keyword when a Detector appliance activates the upstream Guard module by issuing a BGP announcement to an adjacent router to start diverting the traffic to the Guard module. When the Guard module receives the packets, it activates zone protection and issues the RHI announcements to keep the traffic diverted to it. Responsibility for maintaining traffic diversion during the attack shifts to the Guard module because the Detector stops issuing the BGP announcements to the router when it can no longer see the attack as a result of the Guard module attack mitigation processes.

See the Cisco Traffic Anomaly Detector Module Configuration Guide for more information.

packet-or-ip-address

Activates zone protection when it receives traffic (a packet) that is destined to the zone or when it receives a command from an external device, such as the Detector, that consists of an IP address or subnet that is part of the zone address range. See the ip-address and packet protection activation methods in this table for more information.

zone-name-only

Activates zone protection based on the zone name. The Guard module activates zone protection for the zone called out in the command that the Guard module receives from an external device such as a Detector. This activation method is the default.

RHI = Route Health Injection


The following example shows how to configure the protection activation method so that the Guard module activates protection when it receives a packet that is within the zone IP address range:

user@GUARD-conf-zone-scannet# activation-interface packet


Note If the activation extent is ip-address-only (see the "Configuring the Protection Activation Extent" section) and the protection activation method is not zone-name-only, we recommend that you configure the timer that the Guard module uses to identify that an attack on the zone has ended by using the protection-end-timer command (see the "Configuring the Protection Inactivity Timeout" section). If you enter the protection-end-timer forever command, the Guard module does not terminate zone protection when the attack ends and does not delete the subzone that it has created to protect the specific IP address.


You can create a default zone for the Guard module to protect if the received IP address or packet is not part of any other zone. You can define a default zone only if the network is homogenous and can use the same zone template. You cannot perform the learning process with a default zone. Create the default zone with the following required parameters:

Configure the default zone with the following two IP addresses:

0.0.0.0 128.0.0.0

128.0.0.0 128.0.0.0

Define the activation extent as ip-address (see the "Configuring the Protection Activation Extent" section). To display the zone activation method, use the show running-config command in zone configuration mode.

Configuring the Sensitivity for Activating Zone Protection

You can configure the activation sensitivity parameter that determines when the Guard module activates zone protection based on the traffic rate to a single IP address. The Guard module activates zone protection only if the received traffic rate to a single IP address is higher than the activation sensitivity value that you define. The Guard module applies the activation sensitivity parameter to all of the zones that you configure with a protection activation method of packet or packet-or-ip-address (see the "Configuring the Protection Activation Method" section).

To define the minimum packet rate that is required to activate zone protection, use the following command in configuration mode:

protect-packet activation-sensitivity min-rate

The min-rate argument defines the minimum packet rate that is destined to a single zone destination IP address that causes the Guard module to activate zone protection. The default is 1 packet per second (pps).

The following example shows how to configure the activation sensitivity to 10 pps:

user@GUARD-conf# protect-packet activation-sensitivity 10

Configuring the Protection Activation Extent

The protection activation extent defines whether the Guard module activates zone protection for the entire zone or for a partial zone when it receives an external indication from an external device, such as the Detector, or traffic that is destined to the zone as determined by the packet IP address.

The Guard module supports the following activation extent methods:

Entire zone—Activates zone protection for the entire zone. The Guard module activates zone protection when it receives traffic that is destined to the zone or when it receives an external indication that consists of an IP address or subnet that is part of the zone.

IP Address only—Activates zone protection only for the specified IP address or subnet. When the Guard module receives traffic that is destined to the zone or when it receives a command from an external device, such as the Detector, which consists of an IP address or subnet that is part of the zone, the Guard module creates a new zone (subzone). This activation extent is the default. See the "Understanding Subzones" section for more information.

To configure the activation extent, use the following command in zone configuration mode:

activation-extent {entire-zone | ip-address-only}

Table 10-2 provides the keywords for the activation-extent command.

Table 10-2 Keywords for the activation-extent Command 

Parameter
Description

entire-zone

Activates zone protection for the entire zone.

ip-address-only

Activates zone protection only for the specified IP address or subnet. This activation extent is the default.


The following example shows how to use the activation-extent command to configure the activation extent of zone protection for the entire zone:

user@GUARD-conf-zone-scannet# activation-extent entire-zone

To display the zone activation extent, use the show running-config command.

Understanding Subzones

The Guard module creates a subzone when it activates zone protection for a partial zone (a zone that does not include the complete IP address range of the source zone). The IP address range of the subzone is included in the address range of the source zone.

The subzone configuration is similar to the configuration of the source zone except that the IP address and zone name are different. The name of the subzone consists of the first 30 characters of the name of the source zone, the IP address and the subnet, concatenated with underscores. If the subzone consists of a single IP address, the subnet is not added. For example, if the name of the source zone is scannet with an address range of 10.10.10.0 and a subnet of 255.255.255.0 and the Guard module activates zone protection for an internal range of IP address 10.10.10.192 and subnet 255.255.255.252, the name of the subzone is scannet_10.10.10.192_255.255.255.252.

The IP address and subnet of the subzone are the IP address and subnet that the Guard module received with the external command or the IP address of the packet that triggered the Guard module to activate zone protection.
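The following Python model, added here as an illustration and not part of the Cisco guide or the Guard software, works through two rules from this chapter together: the longest-prefix-match zone selection described for the ip-address and packet activation methods in Table 10-1 (including the two-range default zone), and the subzone naming rule above. The zone database, the zone names other than scannet, and the function names are constructed for the example.

```python
"""Zone selection and subzone naming as described in the Guard configuration
guide.  Illustrative model only; zones other than "scannet" are constructed."""
import ipaddress
from typing import Dict, List, Optional

HOST_MASK = "255.255.255.255"


def _network(ip: str, mask: str = HOST_MASK) -> ipaddress.IPv4Network:
    """Build a network from a dotted-decimal address and mask (Guard CLI style)."""
    return ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)


# Constructed zone database: zone name -> configured address range(s).
# The default zone uses the two ranges the guide prescribes (0.0.0.0/128.0.0.0
# and 128.0.0.0/128.0.0.0) so that any address not covered by a more specific
# zone still matches it with the shortest possible prefix.
ZONES: Dict[str, List[ipaddress.IPv4Network]] = {
    "scannet": [_network("10.10.10.0", "255.255.255.0")],
    "scannet-web": [_network("10.10.10.0", "255.255.255.192")],   # assumed, inside scannet
    "scanserver": [_network("10.10.20.0", "255.255.255.0")],      # assumed
    "default": [_network("0.0.0.0", "128.0.0.0"), _network("128.0.0.0", "128.0.0.0")],
}


def select_zone(ip: str, mask: str = HOST_MASK, zones=ZONES) -> Optional[str]:
    """Return the zone with the longest prefix whose range completely contains
    the received IP address or subnet, or None if no zone (and no default
    zone) contains it."""
    received = _network(ip, mask)
    best_name, best_len = None, -1
    for name, ranges in zones.items():
        for rng in ranges:
            # The received subnet must be entirely inside the zone range;
            # a subnet that straddles two zones does not match either.
            if received.subnet_of(rng) and rng.prefixlen > best_len:
                best_name, best_len = name, rng.prefixlen
    return best_name


def subzone_name(zone: str, ip: str, mask: str = HOST_MASK) -> str:
    """Subzone name: first 30 characters of the source zone name, the IP
    address and, unless it is a single host address, the mask, joined by '_'."""
    parts = [zone[:30], ip]
    if mask != HOST_MASK:
        parts.append(mask)
    return "_".join(parts)


def activate(ip: str, mask: str = HOST_MASK, extent: str = "ip-address-only",
             zones=ZONES) -> Optional[str]:
    """Simulate the activation decision and return the name of the zone that
    ends up protected: the source zone for entire-zone, a subzone for the
    default ip-address-only extent when the indication covers only part of
    the zone range, or None when no zone matches."""
    zone = select_zone(ip, mask, zones)
    if zone is None:
        return None
    if extent == "entire-zone":
        return zone
    received = _network(ip, mask)
    # An indication that already covers the whole zone range is not a partial
    # zone, so no subzone is created.
    if any(received == rng for rng in zones[zone]):
        return zone
    return subzone_name(zone, ip, mask)
```

Running activate("10.10.10.192", "255.255.255.252") reproduces the guide's example name scannet_10.10.10.192_255.255.255.252, while a host inside the more specific constructed scannet-web range is assigned to that zone by longest prefix match.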

The Guard module deletes subzones when it terminates zone protection. The Guard module terminates zone protection for a subzone according to how you configure the source zone's activation method and the protection termination timeout. The Guard module does not delete a subzone if you manually terminate zone protection by using the no protect command or the deactivate command.


Note If you configure the timer that the Guard module uses to determine when an attack on the zone has ended by using the protection-end-timer forever command, the Guard module does not terminate zone protection when the attack ends and does not delete the subzone.


When the Guard module deletes a subzone, it does not erase the logs and attack reports of the subzone. To display the subzone logs and reports after the Guard module deletes the subzone, use the following commands:

show log sub-zone-name—See the "Displaying the Guard Module Configuration" section on page 13-3 for more information.

show reports sub-zone-name [report-id | current] [details]—See the "Displaying Attack Reports" section on page 12-8 for more information.

You can display the list of the subzones that the Guard module created from the zone by entering the show log or show reports commands without specifying a subzone name.

The following example shows how to display the logs of a subzone that the Guard module deleted:

user@GUARD-conf-zone-scannet# show logs scannet_10.10.10.192

Configuring the Protection Inactivity Timeout

You can configure the Guard module to automatically stop zone protection when a specified period of inactivity passes. The Guard module measures the inactivity period based on the dynamic filter inactivity and the dropped traffic. If, for the specified span of time, no dynamic filters are in use and both of the following conditions apply, the Guard module assumes that the attack on the zone has ended:

No new dynamic filters are added—See the "Deactivating Dynamic Filters" section on page 7-23 for information about how the Guard module decides when to remove dynamic filters.

The rate of the zone traffic that is being dropped is lower than the defined threshold—The Guard module drops zone packets that the dynamic filters, user filters, and flex-content filters have identified as part of an attack, and the Guard module drops traffic that has exceeded the rate limit that was defined for the zone when you use the rate-limit command. The Guard module counts the dropped packets using the zone dropped counter (see the "Using Counters to Analyze Traffic" section on page 13-4 for more information). The default threshold is 1 packet per second. To change the drop counter threshold, use the following command in zone configuration mode:

attack-detection zone-malicious-rate threshold

The threshold argument defines the minimum rate of dropped zone packets. If the rate goes lower than this threshold, the Guard module may end zone protection. If the rate exceeds this threshold, the Guard module identifies an attack on the zone and creates an attack report.

If the zone activation method is packet, the Guard module checks for inactivity based on the received traffic before deactivating a zone. The Guard module deactivates protection only if the previous conditions apply and no packet to the zone was received.

To specify the inactivity timeout, use the following command in zone configuration mode:

protection-end-timer {time-seconds | forever}

Table 10-3 provides the arguments and keywords for the protection-end-timer command.

Table 10-3 Arguments and Keywords for the protection-end-timer Command

Parameter
Description

time-seconds

Timeout in seconds. Enter an integer greater than 60.

forever

Sets an indefinite timeout.


The default is forever. If you do not change the default value, you must deactivate zone protection manually.

The following example shows how to configure the protection inactivity timeout:

user@GUARD-conf-zone-scannet# protection-end-timer 300
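To make the end-of-attack decision concrete, the following Python model (an added illustration, not Guard code) replays per-second zone samples against the three conditions described in this section: no dynamic filters in use or added, a dropped-packet rate below the attack-detection zone-malicious-rate threshold, and, for the packet activation method, no traffic received for the zone. The Sample fields and the sample values are constructed; the timer validation follows Table 10-3.

```python
"""Model of the protection inactivity timeout decision.  Illustrative only;
the per-second sample format is an assumption, not a Guard data structure."""
from dataclasses import dataclass
from typing import List, Optional, Union


@dataclass
class Sample:
    """One second of zone state as the Guard module would observe it."""
    filters_in_use: int      # dynamic filters currently active
    new_filters: int         # dynamic filters added during this second
    dropped_pps: float       # packets/s counted by the zone dropped counter
    packets_received: int    # traffic destined to the zone (packet activation)


def parse_end_timer(value: Union[int, str]) -> Optional[int]:
    """Validate protection-end-timer {time-seconds | forever}.
    Returns None for forever, otherwise the timeout in seconds."""
    if value == "forever":
        return None
    seconds = int(value)
    if seconds <= 60:
        raise ValueError("time-seconds must be an integer greater than 60")
    return seconds


def quiet(sample: Sample, malicious_rate: float, activation_method: str) -> bool:
    """True if this second counts toward the inactivity period."""
    if sample.filters_in_use or sample.new_filters:
        return False                      # filters still in use or being added
    if sample.dropped_pps >= malicious_rate:
        return False                      # drop rate at or above the threshold
    if activation_method == "packet" and sample.packets_received:
        return False                      # packet activation: traffic still arriving
    return True


def protection_end_second(samples: List[Sample], end_timer: Union[int, str],
                          malicious_rate: float = 1.0,
                          activation_method: str = "zone-name-only") -> Optional[int]:
    """Return the 1-based second at which the Guard module would end zone
    protection, or None when the timer is forever (manual deactivation
    required) or the quiet span never reaches the timeout."""
    timeout = parse_end_timer(end_timer)
    if timeout is None:
        return None
    run = 0
    for second, sample in enumerate(samples, start=1):
        # The inactivity period restarts whenever a second is not quiet.
        run = run + 1 if quiet(sample, malicious_rate, activation_method) else 0
        if run >= timeout:
            return second
    return None
```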

Activating Zone Protection

You can configure the Guard module to activate zone protection when it receives a command from an external device (such as a Detector) or you can activate zone protection manually at any time after you configure the zone. If the zone is under attack before the Guard module has learned the zone traffic characteristics, use on-demand protection to protect the zone. The Guard module default policy thresholds for a new zone enable effective on-demand protection. See the "Activating On-Demand Protection" section for more information.


Note You must manually divert the zone traffic to the Guard module using an external device if you configure the protection activation method to packet by using the activation-interface packet command; otherwise, the Guard module cannot monitor the zone traffic (see the "Configuring the Protection Activation Method" section).


You can verify that the Guard module is receiving the zone traffic after you activate zone protection by waiting at least 10 seconds after activating zone protection and then entering the show rates command. Verify that the value of at least one of the rates is greater than zero. If the value of all rates equals zero, a diversion problem could exist. See the "Recognizing a Traffic Diversion Problem" section on page 15-2 for more information.

You can activate zone protection for the entire zone or for only a portion of the zone as described in the following sections:

Protecting the Entire Zone

Protecting an IP Zone that is Part of the Zone Address Range

Protecting an IP Address when the Zone Name is Not Known

Protecting the Entire Zone

You can protect the entire zone by entering the following command in zone configuration mode:

protect [learning]

The optional learning keyword enables the Guard module to protect the zone and tune the policy thresholds using the protect and learn function (see the "Enabling the Protect and Learn Function" section on page 9-12 for more information).

The following example shows how to activate zone protection:

user@GUARD-conf-zone-scannet# protect

Protecting an IP Zone that is Part of the Zone Address Range

You can protect an IP-specific zone that is a part of the zone address range. In this case, the Guard module creates a new zone. The name of the new zone consists of the first 30 characters of the major zone and the specific IP address concatenated by an underscore. If a zone by the same name already exists, the Guard module activates zone protection for the existing zone instead of creating another zone by the same name.

To activate zone protection for an IP-specific zone, use the following command in global mode:

protect zone-name ip-address-general

Table 10-4 provides the arguments for the protect command.

Table 10-4 Arguments for the Zone Configuration Mode protect Command

Parameter
Description

zone-name

Name of the zone

ip-address-general

Specific IP address within the zone address range. Enter the IP address in dotted-decimal notation. For example, enter 192.168.5.6.


To remove this zone, use the no form of the zone command.

The following example shows how to activate zone protection for IP address 192.168.5.6 that is included in the IP address range of the zone scannet:

user@GUARD# protect scannet 192.168.5.6
creating zone scannet_192.168.5.6
user@GUARD#

Protecting an IP Address when the Zone Name is Not Known

You can protect a specific IP address within a zone's range of IP addresses even if you do not know the name of the zone by entering the following command in global mode:

protect ip-address-general [subnet-mask]

Table 10-5 provides the arguments for the protect command.

Table 10-5 Arguments for the Global Mode protect Command 

Parameter
Description

ip-address-general

Specific IP address within a zone address range. Enter the IP address in dotted-decimal notation. For example, enter 192.168.5.6.

subnet-mask

(Optional) Subnet mask for which zone protection is activated. Enter the IP address in dotted-decimal notation. For example, enter 255.255.255.252.


The Guard module activates zone protection for the zone whose IP address range includes the specified IP address, according to the ip-address activation method. See the "Configuring the Protection Activation Extent" section for more information.

The following example shows how to activate zone protection for IP address 192.168.5.6:

user@GUARD# protect 192.168.5.6


Note You can enter the protect-related commands for several zones at the same time. Enter the command in global mode and use an asterisk (*) as a wildcard. For example, to activate zone protection for all zones, enter the protect * command in global mode. To activate zone protection for all zones with names that begin with scan (such as scannet and scanserver), enter the protect scan* command in global mode.


Deactivating Zone Protection

When there is no attack on a zone and you rely on another source for detecting zone traffic anomalies, you may want to deactivate zone protection and end traffic diversion to the Guard module.

To deactivate zone protection, use one of the following commands in zone configuration mode:

no protect—Ends zone protection. If you have the protect and learn function enabled when you enter the no protect command, the Guard module continues to learn the policy thresholds.


Note You can enter the protect-related commands for several zones at the same time by entering the command in global mode and using an asterisk (*) as a wildcard. For example, to stop zone protection for all zones, enter the no protect * command in global mode. To stop zone protection for all zones with names that begin with scan (such as scannet and scanserver), enter the no protect scan* command in global mode.


deactivate—Ends both zone protection and the threshold tuning phase of the learning process.

The following example shows how to deactivate zone protection and the learning process:

user@GUARD-conf-zone-scannet# deactivate