Cisco DDoS Multi-Device Management System Configuration Guide (Software Release 1.5)
Creating and Configuring Zones

Table Of Contents

Creating and Configuring Zones

Understanding Zones and Zone Attributes

Creating a Zone

Creating a Zone Using a Zone Template

Creating a Zone from an Existing Zone

Modifying the Zone General Configuration Attributes

Adding, Excluding, or Deleting a Zone IP Address

Adding an IP Address to the Zone

Excluding an IP Address from a Zone Subnet

Deleting an IP Address from the Zone

Updating the Zone Policies After Modifying the Zone IP Address Range

Managing a Zone Device

Adding a Device to the Zone Device List

Deleting a Device from the Zone Device List

Managing the Remote Guard List on a Zone Detector

Adding a Remote Guard

Deleting a Remote Guard

Deleting a Zone


Creating and Configuring Zones


This chapter describes how to use the Cisco DDoS MultiDevice Manager (MDM) to create, define, and manage the network zones that you want to protect against DDoS attacks.


Note This guide refers to the Cisco Traffic Anomaly Detector Module and the Cisco Traffic Anomaly Detector appliance as Detector and the Cisco Anomaly Guard Module and the Cisco Guard appliance as Guard. When referring to both the Detector and the Guard, this guide uses the term device.


This chapter contains the following sections:

Understanding Zones and Zone Attributes

Creating a Zone

Modifying the Zone General Configuration Attributes

Adding, Excluding, or Deleting a Zone IP Address

Managing a Zone Device

Managing the Remote Guard List on a Zone Detector

Deleting a Zone

Understanding Zones and Zone Attributes

A zone is a network element that your Detector and Guard devices protect against DDoS attacks by looking for anomalies in the traffic that flows to the network element. A zone can be any combination of the following elements:

A network server, client, or router

A network link, a subnet, or an entire network

An individual Internet user or a company

An Internet Service Provider (ISP)

To define a zone and configure the operation of the devices used to protect the zone, you create a zone configuration that includes the following attributes:

Zone identification—Identifier that you assign to the zone.

Network definition—Attributes of the network elements such as the IP address and subnet mask.

Zone devices—Detector and Guard devices that you associate with the zone to monitor the zone traffic for anomalies and to protect the zone against attacks.

Zone master device—Zone device that the MDM accesses for zone configuration information. When the master device is Detector, this device is also used for synchronizing configuration information with other zone devices when you have the synchronization operation enabled. You choose one device as the zone master device.

Policy templates—Collection of policy construction rules that the device uses during the policy construction phase to create the zone policies. During the policy construction phase, the device learns the behavioral patterns of normal zone traffic and creates zone traffic policies from this information.

Policies—Reference points that the device uses to detect the existence of anomalies in the zone traffic. When a traffic anomaly is detected, the policy applies the specified zone filter to the traffic.

User, bypass, and flex-content traffic filters—Filters that define how a device handles specific traffic flows.

When you create a zone configuration, the MDM propagates the information to all of the zone devices. The MDM maintains a record that associates a zone name with the devices that you specify. The MDM sessions with the zone master device to access and display configuration information when you want to display or modify a zone configuration. If you modify a zone configuration, the zone configuration information stored on the master device can be synchronized with other zone devices manually, or you can configure the zone so that the MDM performs synchronization automatically. You enable or disable the synchronization operation when defining the zone configuration.


Note When defining the zone configuration, you can also configure the MDM to perform a partial synchronization of the zone configuration, excluding the zone policies or remote Guard lists as defined on the master device. Excluding these attributes enables you to maintain a unique set of policies on each device and unique remote Guard lists on each Detector.


The process of creating and modifying a zone configuration consists of the following tasks:

Creating a zone—Create a new zone (or copy an existing zone) and configure the basic attributes, such as the zone name, IP addresses, and devices that protect the zone. When you create a new zone, the MDM immediately distributes the basic attributes that you define to all of the zone devices and applies a set of default general configuration attributes, zone filters, policy templates, and policies to the zone. See the "Creating a Zone" section for more information.

Configuring the zone general configuration attributes—(Optional) Configure additional zone attributes such as the protect-IP state, the activation extent, or the synchronization feature. See the "Modifying the Zone General Configuration Attributes" section for more information.

Configuring the zone filters—(Optional) Configure the user, bypass, and flex-content zone filters that define how a device handles specific traffic flows. See Chapter 6, "Managing Zone Filters," for more information.

Configuring the zone policy templates—(Optional) Control the policies developed during the learning process. See the "Modifying a Policy Template" section in Chapter 7, "Managing Zone Policy Templates" for more information.

Modifying the zone policies manually—(Optional) Manually modify the policies of a zone configuration to adjust the attack detection and protection capabilities of the zone devices. Policy modification includes adding or deleting services or adjusting policy threshold levels. See the "Modifying a Policy Parameter" section in Chapter 8, "Managing Zone Policies" for more information.

Modifying the zone policies using the learning feature—(Recommended) Enable learning and allow the device to analyze normal traffic flow and fine tune the policies of the zone configuration. Learning consists of two phases:

Policy construction—The device creates new policies for services that it discovers that were not included in the current zone configuration. The policies that the device creates are based on the policy templates associated with the zone.

Threshold tuning—The device adjusts the policy thresholds to reflect the actual traffic rates of normal traffic.

See Chapter 9, "Learning Zone Traffic and Taking Snapshots," for more information about the learning process.

Creating a Zone

You create a zone using one of the following methods:

Use a zone template—Create a new zone from system-defined zone templates. Use this method to create a new zone with the default policies and filters of the zone template. After you create a new zone, you must configure the zone general configuration attributes to define the scope of the network elements to protect and the operation of the devices (see the "Modifying the Zone General Configuration Attributes" section).

Copy an existing zone—Create a new zone by copying the configuration of an existing zone, which includes the zone general configuration attributes. Use this method if the new zone has traffic patterns that are similar to the patterns of an existing zone.

This section contains the following topics:

Creating a Zone Using a Zone Template

Creating a Zone from an Existing Zone

Creating a Zone Using a Zone Template

A zone template defines the default configuration of a new zone. The MDM contains two sets of zone templates with the following prefixes:

DETECTOR_—Designed for Detector use only. Choose the DETECTOR_ version of the zone template when the zone contains only Detectors (no Guards).

GUARD_—Designed for use on both Detectors and Guards. If the zone contains both Detector and Guard devices, you must create the zone using a GUARD_ template, which contains the zone configuration attributes for both device types. Creating a zone with a GUARD_ template allows you to activate the learning process on the Detector master device and to synchronize the results of the learning process with the associated zone Guards.


Note Zones that you create with a GUARD_ template consume more memory than zones that you create with a DETECTOR_ template and reduce the possible number of concurrent active zones on the Detector. If the zone contains only Detectors and you do not plan to add any Guards in the future, we recommend that you use a DETECTOR_ zone template.


Table 5-1 lists the available zone templates.

Table 5-1 Zone Templates 

Template
Description

DETECTOR_DEFAULT

Default Detector zone template. This template applies to almost all Detector applications. The exceptions are applications that require a DETECTOR_LINK or DETECTOR_WORM template.

DETECTOR_LINK Templates

Zone templates that detect anomalies on large subnets segmented according to zones with known bandwidths. You can activate anomaly detection for zones defined with one of these templates without performing the learning process. To enable the Detector to activate zone protection on a Guard for the attacked IP address or subnet only, configure the Protect-IP State parameter to Only Dst IP (see the "Modifying the Zone General Configuration Attributes" section for more information).

The following bandwidth-limited link zone templates are available for 128-Kb, 1-Mb, 4-Mb, and 512-Kb links:

DETECTOR_LINK_128K

DETECTOR_LINK_1M

DETECTOR_LINK_4M

DETECTOR_LINK_512K

The Detector can perform only the threshold tuning phase of the learning process on zones that you create with a link template. It cannot perform the policy construction phase.

DETECTOR_WORM

Zone template that enables the Detector to detect TCP worm attacks. Zones that you create using the DETECTOR_WORM zone template contain policies that are produced from the worm_tcp policy template.

GUARD_DEFAULT

Default Guard zone template. This template applies to all Guard, or Guard and Detector, applications unless the application requires one of the specialized GUARD_ templates (GUARD_LINK, GUARD_TCP_NO_PROXY, or GUARD_VOIP).

The Guard may change the packet source IP address to the Guard TCP-proxy IP address. Use this zone template if you do not use access control lists (ACLs), access policies, or load-balancing policies that are based on the incoming IP address for the zone network.

GUARD_LINK templates

Zone templates designed for on-demand protection of large subnets segmented according to zones with a known bandwidth. To focus on the zone protection requirements and save Guard resources, we recommend that you activate zone protection on these zones for the attacked address range only. Configure the method that the Guard uses to activate zone protection for the attacked subnet or range by setting the activation-extent parameter to IP address only (see Table 5-5 for more information). To enable a Detector to activate zone protection on the Guard for the attacked IP address or subnet only, configure the Detector Protect-IP State parameter to Only Dst IP (see the "Modifying the Zone General Configuration Attributes" section for more information).

The following templates are available for 128-Kb, 1-Mb, 4-Mb, and 512-Kb links:

GUARD_LINK_128K

GUARD_LINK_1M

GUARD_LINK_4M

GUARD_LINK_512K

The Guard can perform only the threshold tuning phase of the learning process on zones that you create with a link template. It cannot perform the policy construction phase.

GUARD_TCP_NO_PROXY

Zone template that protects a zone in which no TCP proxy is used. Use this zone template if the zone is controlled based on the IP addresses, such as an Internet Relay Chat (IRC) server-type zone, or if you do not know the type of services running on the zone.

GUARD_VOIP

Zone template that protects a zone containing a VoIP server using the following protocols:

Session Initiation Protocol (SIP) over UDP to establish VoIP sessions

Real-Time Transport Protocol/Real-Time Control Protocol (RTP/RTCP) to transmit voice data between SIP end points after sessions are established

Zones that you create using the GUARD_VOIP zone template contain policies for mitigating attacks on a VoIP server. These policies are produced using the sip_udp policy template.

Note The GUARD_VOIP zone template contains special policies for mitigating an attack on a VoIP server. No special policies are required for detecting such an attack. If the zone consists only of Detectors, which can detect an attack on the VoIP server, use the DETECTOR_DEFAULT zone template.


When you create a zone using a predefined zone template, the MDM applies the default settings of the template to all of the zone attributes.

To create a zone using a zone template, follow these steps:


Step 1 From the navigation pane, click Network Summary. The Network Summary menu appears.

Step 2 From the Network Summary menu, use one of the following methods to open the Zone Form:

Choose Zones > Create Zone.

Choose Zones > Zone list, and then click Add.

Step 3 In the Name field, enter a name for the zone. Enter an alphanumeric string that starts with a letter and contains from 1 to 63 characters. The string can contain underscores but cannot contain any spaces.

Step 4 From the Zone Template drop-down list, choose a zone template (see Table 5-1 for information on each of the zone templates).

Step 5 In the IP Address field, enter the zone IP address. Enter the IP address in dotted-decimal notation (for example, 192.168.100.1). The IP address must match the subnet mask. If you enter a Class A, Class B, or Class C subnet mask, the host bits in the IP address must be 0.


Note You may still add one or more IP addresses to the zone configuration after you create the zone. See the "Adding an IP Address to the Zone" section.


Step 6 In the IP Mask field, enter the IP subnet mask. Enter the subnet mask in dotted-decimal notation (for example, 255.255.255.0).

Step 7 (Optional) If you want to specify multiple IP addresses when creating the zone configuration, in the IP List text box enter a list of IP addresses, space delimited, in dotted-decimal notation using a slash to specify the subnet mask (for example, 192.168.100.1/32).


Note You may still add one or more IP addresses to the zone configuration after you create the zone. See the "Adding an IP Address to the Zone" section.


Step 8 In the Devices and Master table, check the check box next to the devices to use for anomaly detection or zone protection. See Table 5-2 for details on the fields displayed in the Devices and Master table.

Step 9 From the Master column in the Devices and Master table, choose a master device from the devices that you associated with the zone in Step 8. If the zone contains both device types, you must choose a Detector as the master device.

Step 10 Click OK. The MDM performs the following actions:

Creates the new zone on the master device, including a default set of general configuration attributes, and then distributes the zone configuration to the other zone devices. For information on the general configuration attributes and how to modify them, see the "Modifying the Zone General Configuration Attributes" section.

Creates a new entry in the MDM database that associates the zone name with the devices that you specified in the zone configuration (the MDM does not save a local copy of the zone configuration).

Step 11 (Optional) Perform one or more of the following tasks to modify the zone configuration:

Add additional IP addresses to the zone configuration (see the "Adding an IP Address to the Zone" section).

Modify the zone general configuration attributes, such as the protect-IP state, activation extent, or synchronization parameters (see the "Modifying the Zone General Configuration Attributes" section).

Configure the zone learning parameters as follows:

The master device learns the zone traffic for all of the zone devices and the MDM distributes the policy information to the other zone devices. This is the default setting.

All zone devices perform learning, enabling you to maintain a unique set of zone policies on each device.

See the "Defining the Tuned State of the Zone and Setting Up Automatic Learning Parameters" section in Chapter 9, "Learning Zone Traffic and Taking Snapshots."

(Recommended) Perform the learning process to adjust the policies to the characteristics of the zone's normal traffic (see Chapter 9, "Learning Zone Traffic and Taking Snapshots").
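The input rules that Steps 3 through 9 state for the Zone Form (zone name syntax, host bits for classful masks, the slash form of the IP List, and the master-device rules from Table 5-2), collected into one checker. This is an added example and not part of the guide or of the MDM software; the Device class, the hostnames, and the sample form values are constructed for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass

# Step 3: starts with a letter, 1-63 letters/digits/underscores, no spaces.
ZONE_NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]{0,62}")

# Step 5: with a Class A, B, or C mask the host bits of the address must be 0.
CLASSFUL_PREFIXES = {8, 16, 24}


@dataclass
class Device:
    """One row of the Devices and Master table (Table 5-2); constructed for this example."""
    hostname: str
    dev_type: str   # "Guard" or "Detector"
    state: str      # Connected, Disconnected, Initializing, or Suspended


def check_zone_name(name: str) -> list[str]:
    if ZONE_NAME_RE.fullmatch(name):
        return []
    return [f"zone name {name!r} must start with a letter and contain 1-63 "
            "letters, digits, or underscores (no spaces)"]


def check_zone_address(ip: str, mask: str) -> list[str]:
    """Validate an IP Address / IP Mask pair (Steps 5 and 6).

    mask may be dotted-decimal ("255.255.255.0") or a prefix length ("24"),
    so the same check covers the slash form used in the IP List field.
    """
    try:
        addr = ipaddress.IPv4Address(ip)
        net = ipaddress.IPv4Network((ip, mask), strict=False)  # rejects malformed masks
    except ValueError as exc:
        return [f"invalid IP address or mask {ip}/{mask}: {exc}"]
    if net.prefixlen in CLASSFUL_PREFIXES and addr != net.network_address:
        return [f"{ip}/{mask}: host bits must be 0 with a Class A/B/C mask"]
    return []


def check_ip_list(text: str) -> list[str]:
    """Validate the space-delimited IP List field (Step 7), e.g. '192.168.100.1/32 10.1.0.0/16'."""
    errors = []
    for token in text.split():
        ip, slash, prefix = token.partition("/")
        if not slash:
            errors.append(f"{token!r}: IP List entries need a /mask suffix")
            continue
        errors.extend(check_zone_address(ip, prefix))
    return errors


def check_devices(devices: list[Device], selected: set[str], master: str) -> list[str]:
    """Steps 8 and 9 plus the Master rules of Table 5-2."""
    errors = []
    by_name = {d.hostname: d for d in devices}
    unknown = sorted(selected - set(by_name))
    if unknown:
        errors.append(f"unknown devices selected: {unknown}")
    if master not in selected or master not in by_name:
        errors.append(f"master {master!r} must be one of the selected devices")
        return errors
    chosen = [by_name[h] for h in selected if h in by_name]
    types = {d.dev_type for d in chosen}
    m = by_name[master]
    if m.state != "Connected":
        errors.append(f"master {master!r} is {m.state}; it must be Connected")
    if types == {"Guard", "Detector"} and m.dev_type != "Detector":
        errors.append("a zone with both Guards and Detectors must use a Detector as master")
    return errors


def validate_zone_form(name, ip, mask, ip_list, devices, selected, master) -> list[str]:
    """Return every rule violation found; an empty list means the form is acceptable."""
    return (check_zone_name(name) + check_zone_address(ip, mask)
            + check_ip_list(ip_list) + check_devices(devices, set(selected), master))


# Constructed sample inventory (not a real deployment).
SAMPLE_DEVICES = [
    Device("det1", "Detector", "Connected"),
    Device("grd1", "Guard", "Connected"),
    Device("grd2", "Guard", "Suspended"),
]

if __name__ == "__main__":
    good = validate_zone_form("web_farm", "192.168.100.0", "255.255.255.0",
                              "192.168.100.1/32 10.1.0.0/16",
                              SAMPLE_DEVICES, {"det1", "grd1"}, "det1")
    bad = validate_zone_form("1web farm", "192.168.100.1", "255.255.255.0",
                             "10.1.0.5", SAMPLE_DEVICES, {"det1", "grd1"}, "grd1")
    print("good form errors:", good)
    for err in bad:
        print("bad form error:", err)
```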


Table 5-2 describes the fields in the Devices and Master table.

Table 5-2 Field Description for Devices and Master Table 

Field
Description

Hostname

Hostname of the device.

IP Address

IP address of the device.

Note We recommend that you connect the device to the MDM over the out-of-band channel, in which case this IP address should be the management address.

Type

Device type: Guard or Detector.

State

Connection state between the device and the MDM. Possible states are as follows:

Connected—A session with the device exists.

Disconnected—A session with the device cannot be created.

Initializing—A session with the device is being established. This state frequently displays while the MDM is upgrading the Remote Agent on the device.

Suspended—A user disabled communication with the device.

Master

Master device for the zone. Choose the master device using the following guidelines:

If the zone contains both device types, the master device must be a Detector because you can synchronize zone configuration information from a Detector to a Guard only (you cannot synchronize configuration information from a Guard to a Detector).

A device must have a Connected state before you can choose it as the master device.

#DF

Number of dynamic filters that are currently active. Because the device only creates a dynamic filter when it detects an anomaly, a #DF value greater than zero indicates that the device is currently handling one or more attacks.

Mem Usage

Statistical anomaly engine memory usage. The memory usage of the device is affected by the number of active zones associated with the device and the number of services that each of the associated zones monitors. If the memory usage for a Guard is higher than 90 percent and you plan to immediately activate zone protection, we recommend that you reduce the memory usage before you associate the device with the zone. You can reduce Guard memory usage by deactivating other zones associated with the device.

Legitimate Rate

Current rate of legitimate traffic (in bps) forwarded by the device to the zones.

Malicious Rate

Current rate of malicious traffic (in bps) that the device is handling.


Creating a Zone from an Existing Zone

Using the Save as feature, you can use an existing zone as a template for creating a new zone. The new zone contains the same configuration attributes as the template zone with the following exceptions:

The MDM marks the policies of the new zone as untuned. We recommend that you tune the policy thresholds to the zone traffic by performing the threshold tuning phase. If, however, the traffic characteristics of the new zone are identical, or very similar to the traffic characteristics of the originating zone, you can mark the policy thresholds as tuned (see the "Marking the Zone Policies as Tuned or Untuned" section in Chapter 9, "Learning Zone Traffic and Taking Snapshots").

The MDM sets the value of the Activation Interface parameter of the new zone to Zone Name, regardless of the configuration of the source zone (see the "Modifying the Zone General Configuration Attributes" section).

To create a new zone from an existing zone, follow these steps:


Step 1 From the navigation pane, choose a zone that you want to use as a template for the new zone. The zone menu appears.

Step 2 From the zone menu, choose Main > Save as. The Save Zone As New Zone Form screen appears.

Step 3 In the Name field, enter a zone name. The name is an alphanumeric string from 1 to 63 characters that begins with an alphabetic character. The string can contain underscores but cannot contain any spaces.

Step 4 From the Policy Threshold drop-down list, choose the policy threshold model to use. The MDM sets the policy threshold values to the model that you select, which by default is the current policy configuration. If previously recorded zone snapshots are available, the MDM adds them to the list of policy threshold model options.

Step 5 Click OK. The MDM performs the following actions:

Creates the new zone on the master device, including a default set of general configuration attributes, and then distributes the zone configuration to the other zone devices. For information on the general configuration attributes and how to modify them, see the "Modifying the Zone General Configuration Attributes" section.

Creates a new entry in the MDM database that associates the zone name with the devices that you specified in the zone configuration (the MDM does not save a local copy of the zone configuration).

Step 6 (Optional) Perform one or more of the following tasks to modify the zone configuration:

Add additional IP addresses to the zone configuration (see the "Adding an IP Address to the Zone" section).

Modify the zone general configuration attributes, such as the protect-IP state, activation extent, or synchronization parameters (see the "Modifying the Zone General Configuration Attributes" section).

Configure the zone learning parameters as follows:

The master device learns the zone traffic for all of the zone devices and the MDM distributes the policy information to the other zone devices. This is the default setting.

All zone devices perform learning, enabling you to maintain a unique set of zone policies on each device.

See the "Defining the Tuned State of the Zone and Setting Up Automatic Learning Parameters" section in Chapter 9, "Learning Zone Traffic and Taking Snapshots."

(Recommended) Perform the learning process to adjust the policies to the characteristics of the zone's normal traffic (see Chapter 9, "Learning Zone Traffic and Taking Snapshots").


Modifying the Zone General Configuration Attributes

Each zone is configured with a set of general configuration attributes that you define as follows:

General zone setup parameters, including:

Template used to create the zone

Protect-IP state

Rate and burst limits

Attack and termination parameters, including:

Protection-end timer

Thresholds for malicious-rate detection, malicious-rate termination, and filter-rate termination

Activation parameters, including:

Activation interface

Activation extent

Synchronization parameters, including:

Triggers—Before manual protection or after manual learning accepted

Delay time—Amount of time to wait after a configuration change before synchronizing

Exclusions—Exclude the zone policies and/or the remote Guard list (Detector only) of a zone configuration when synchronizing from the master device

MDM Learning Parameters (learning activation extent), including:

The MDM initiates the learning process on the master device only and synchronizes the learning results with the other devices

The MDM initiates learning on each of the zone devices. The results of each device learning the traffic are either maintained on each device, or the MDM merges the results from each device to create a common set of policies and thresholds that all zone devices use.

Packet dump attributes—State of packet dump feature (on or off)

When you create a zone using a zone template, these attributes are set to the default values of the template that you select. If you create the zone by creating a copy of an existing zone, the zone attributes are set to the values of the source zone configuration.

Not all zone attributes apply to every device type, and some apply only to the MDM. Each attribute is therefore classified as one of the following types:

Guard—Attributes that apply to Guards only. These zone attributes are not copied to any Detectors within the zone.

Detector—Attributes that apply to Detectors only. These zone attributes are not copied to any Guards within the zone.

Shared—Attributes that apply to both Guards and Detectors. These zone attributes are copied to the zone Guards and Detectors.

MDM—Attributes that apply to the zone configuration on the MDM. These zone attributes are not copied to the zone Guards or the Detectors.

To modify the zone attributes, follow these steps:


Step 1 From the navigation pane, choose a zone. The zone menu appears.

Step 2 From the zone menu, choose Configuration > General. The zone General screen appears.

Step 3 Click Config (located below the first table). The Config screen appears.

Step 4 (Optional) Configure the zone general attributes. Table 5-3 describes the fields in the general parameters section.

Table 5-3 General Parameters 

Field
Description
Attribute Type

Description

Text that describes the zone. Enter an alphanumeric string from 1 to 80 characters.

Shared

Master Device

Name of the master device, which is the device through which the MDM manages the zone configuration. Every zone has one master device, which you select when you define the zone.

Shared

Operation mode

Mode that defines how the Guard performs zone protection and the Detector performs zone anomaly detection. The operation modes are as follows:

Automatic—After creating a dynamic filter, the device automatically activates the filter.

Interactive—After creating a dynamic filter, the device groups the filter with other filters that it created and presents them as recommended actions. You decide whether to accept, ignore, or direct the recommendations to automatic activation.

Shared

Zone Templates

The name of the zone template assigned to a zone. A zone template defines the default configuration of a new zone. See Table 5-1 for information on each of the zone templates.

Shared

Protect-IP state

Guard-protection method that the Detector uses to activate the remote Guards associated with it. The Guard-protection method that you select can save Guard resources by allowing the Guard to focus on specific zone protection requirements.

The Protect-IP state can be one of the following:

entire-zone—Activates the Guard to protect the entire zone.

policy-type—Activates the Guard to protect the entire zone or to protect a particular IP address within the zone address range. The Detector activates the Guard based on the policy that caused the Detector to activate the Guard.

dst-ip-by-name—Activates the Guard to protect a particular IP address when it detects an anomaly in the zone traffic that is destined to that IP address.

dst-ip-by-ip—Activates the Guard to protect a specific IP address when it detects an anomaly in the zone traffic that is destined to the IP address. The IP address must be in the address range of a zone that you have defined on the Guard.

Detector

Rate

Amount of traffic that the Guard is allowed to inject back into the network. Enter an integer greater than 64 for the maximum rate, and then choose the unit of measurement from the drop-down list. The maximum rate limit can be up to 10 times greater than the burst limit (Burst).

Guard

Burst

Highest traffic peak that the Guard is allowed to inject back into the network. Enter an integer greater than 64 for the burst size. The units are bits, kilobits, kilopackets, megabits, and packets that correspond to the rate units that are specified by the maximum rate (Max. Rate) unit of measurement. The burst limit can be up to eight times greater than the maximum rate limit.

Guard


Step 5 (Optional) Configure the attack detection/termination parameters. Table 5-4 describes the fields in the general details section.

Table 5-4 Attack Detection/Termination Parameters 

Field
Description
Attribute Type

Malicious-rate detection threshold

Minimum rate of zone packets that are dropped. If the rate goes lower than this threshold, the Guard may end zone protection. If the rate exceeds this threshold, the Guard identifies an attack on the zone and creates an attack report.

Guard

Filter-rate termination threshold

Threshold value, specified in packets per second (pps). This value and the malicious-rate termination threshold specify when the Guard can deactivate dynamic filters. See the "Managing a Dynamic Filter" section in Chapter 10, "Activating Anomaly Detection and Zone Protection" for more information.

Guard

Filter-rate-pph-termination threshold

Threshold value, specified in packets per hour (pph). This value and the malicious-rate termination threshold specify when the Guard can deactivate dynamic filters. The filter-rate-pph-termination threshold applies to the reqs_pph (request packets) and syns_pph (synchronization packets) packet types, which are used exclusively with the tcp_services (see Table 8-2). See the "Managing a Dynamic Filter" section in Chapter 10, "Activating Anomaly Detection and Zone Protection" for more information.

Guard

Malicious-rate termination threshold

Threshold value. This value and the filter-rate termination threshold specify when the Guard can deactivate dynamic filters. Define this threshold in packets per second (pps). See the "Managing a Dynamic Filter" section in Chapter 10, "Activating Anomaly Detection and Zone Protection" for more information.

Guard

Protection-end Timer

Inactivity timeout that the Guard uses to terminate zone protection when there is no attack on the zone. The Guard measures the inactivity based on the inactivity of the dynamic filters and the dropped traffic. Enter a value in seconds or specify an infinite amount of time (the Never option).

Guard


Step 6 (Optional) Configure the activation parameters. Table 5-5 describes the fields in the Activation Parameters section.

Table 5-5 Activation Parameters 

Field
Description
Attribute Type

Activation interface

Protection activation method that defines how the Guard identifies the zone for which it activates zone protection when it receives an external indication. This indication can be a command from an external device, such as a Detector, or traffic that is destined to the zone (packet). The activation method can be one of the following:

Zone name—Activates zone protection based on the zone name. This is the default activation method.

To configure the activation method to zone name, uncheck the By packet and By IP address check boxes.

By packet—Activates zone protection when it receives traffic that is destined to the zone.

To configure the activation method to by packet, check the By packet check box.

By IP address—Activates zone protection when it receives a command from an external device, such as a Detector, that consists of an IP address or subnet that is part of the zone.

To configure the activation method to by IP address, check the By IP address check box.

By IP Address or By Packet—Activates zone protection when it receives traffic (a packet) that is destined to the zone or when it receives a command from an external device, such as a Detector, that consists of an IP address or subnet that is part of the zone address range.

To configure the activation method to By IP Address or By Packet, check both the By IP address check box and the By packet check box.

When you configure the Activation Interface to By Packet or By IP Address or By Packet, you must manually divert traffic to the Guard when the zone is attacked.

Guard

Activation extent

Method that defines whether the Guard activates zone protection for the entire zone or for a part of the zone when the Guard receives an external indication to activate zone protection. The activation extent options are as follows:

IP address only—Activate protection only for the specified IP address or subnet within the zone. This is the default setting.

Entire zone—Activate protection for the entire zone.

Guard


Step 7 (Optional) Configure the synchronization parameters that define when the master device synchronizes zone configuration information with the other zone devices. Enabling synchronization causes the zone configuration information on the zone devices to be overwritten by the configuration on the master device (for more information, see the "Managing Zone Configurations" section in Chapter 1, "Product Overview").

Table 5-6 describes the fields in the synchronization parameters section.

Table 5-6 Synchronization Parameters 

Field
Description
Attribute Type

Immediate synchronization triggers:

Defines which event causes the MDM to synchronize the zone configuration information on the master device with the other zone devices. The event can be one of the following:

Before Manual Protection—Synchronizes the zone devices before activating the device to protect the zone.

After Manual Learning Accept—Synchronizes the zone configuration each time that you accept the results of the learning process (policy construction or threshold tuning).

Check the check box next to each event that you want to use. By default, neither event is enabled.

MDM

Delayed synchronization time:

Defines the amount of time that the MDM waits after the zone configuration was changed before synchronizing the devices. The values are as follows:

Never—Enter this value to disable this function.

minutes—Enter the number of minutes for the MDM to wait. There is no limit on the number of minutes that you can enter. The default is 5 minutes.

MDM

Synchronization Exclusions

Allows the MDM to perform a partial synchronization by excluding zone policies or remote Guard lists when synchronizing the zone devices with the zone information from the zone master device. Excluding zone policies is useful when a zone's network configuration requires each zone device to maintain its own unique set of policies and policy thresholds because each device sees a different portion of the zone traffic.

Excluding remote Guards lists allows you to maintain a unique remote Guard list on each of the zone Detectors. This is useful when each Detector is responsible for activating different Guards when it detects an attack on the zone.

The selections are as follows:

Check the Exclude Policies check box to instruct the MDM not to override the policies of the devices in a zone during the synchronization process. This selection allows you to activate the learning process independently on each device. Check this option when you want to perform separate learning on each device and preserve the results on a per-device basis.

Note When you configure the MDM to exclude the synchronization of policies on the master device, you must configure the MDM to enable each device to perform its own learning and maintain its own set of policies and thresholds as described in Step 8. Choose All Zone Devices/Separate Results and Keep Separate Results.

Check the Exclude Remote Guards check box to instruct the MDM not to override the remote Guard list defined on Detectors that are not the zone master device.

Note The option to select the Exclude Remote Guards check box is available only when you associate two or more Detectors with the zone.

After you configure the MDM to exclude the remote Guard list from synchronization, you must define the remote Guard list on each zone Detector. See the "Managing the Remote Guard List on a Zone Detector" section for details.

MDM


Step 8 (Optional) From the MDM Learning Parameters options, choose the device that is to perform the learning process when you activate policy construction or threshold tuning:

Master Device—Only the zone master device learns the zone traffic. The MDM issues all learning related instructions (such as accept the results or stop learning) to the master device only. Configuration changes made as a result of the learning process are made to the zone configuration on the master device only. Synchronization of the new configuration information with the other zone devices is required. For example, when you accept the results of the learning phase and enable synchronization, the MDM immediately updates the zone devices with the master device's new policy information.

All Zone Devices/Separate Results—Each zone device learns the zone traffic and you can choose to either merge the learning results of each device to create a common set of policies for all zone devices to use, or preserve the different learning results on each device, enabling each device to maintain a unique set of policies. You specify the method in which the zone devices maintain the different policies and thresholds:

Merge Results—The MDM merges the policies and policy thresholds that it obtains from each device to create a common set of policies that it synchronizes with all zone devices. For example, if one Guard observes traffic for port 30 and creates policies for this port and another device observes traffic for port 40, the merged result contains policies for both port 30 and for port 40. When merging the results of the policy thresholds, the MDM takes the maximum threshold value detected for a given policy by each of the devices and applies it to the policy. After the MDM completes the policy merging process, it distributes the complete set of policies to all of the zone devices.

Merging the results is useful in a network topology where the zone's traffic is being load-balanced or to simplify management of the zone policy thresholds by creating a single set of policy thresholds rather than multiple sets of device-specific thresholds.


Note The MDM merges the results of the learning process only when you manually accept the results of the learning process. The MDM does not merge the results when the devices automatically accept the learning phase results.


Keep Separate Results—The policies (including the policy thresholds) are preserved on each zone device. In certain network topologies, a zone that is configured on a few devices may receive a different traffic volume at each peering point in the network. In this case, you may want each device to perform its own learning and maintain its own unique set of policies and policy thresholds. Maintaining separate results enables you to view, configure, and maintain the different policies on each zone device.


Note When you enable the All Zone Devices/Separate Results operation, the MDM automatically sets the Synchronization Exclusions options to Exclude Policies. This prevents overwriting the policies of the zone devices with the master device policies during synchronization (see Step 7).
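The following is an added example, written for this guide and not MDM software, that models the two All Zone Devices/Separate Results options described in Step 8: Merge Results (union of every policy any device learned, with the maximum learned threshold per policy, then distributed to all devices) and Keep Separate Results. The function names, the per-device dictionary layout, and the sample policy labels (port-30, port-40, port-80) are assumptions made for the illustration.

```python
"""Added example: how the Merge Results and Keep Separate Results learning
options in Step 8 combine per-device learning results. Illustrative code
written for this guide, not MDM software; the names are assumptions."""
from typing import Dict, Iterable

# One device's learning result: policy name -> learned threshold.
PolicySet = Dict[str, float]


def merge_results(per_device: Dict[str, PolicySet]) -> PolicySet:
    """Merge Results: the union of every policy that any device learned.
    Where several devices learned the same policy, the maximum threshold wins."""
    merged: PolicySet = {}
    for policies in per_device.values():
        for policy, threshold in policies.items():
            merged[policy] = max(threshold, merged.get(policy, threshold))
    return merged


def distribute(merged: PolicySet, devices: Iterable[str]) -> Dict[str, PolicySet]:
    """After merging, every zone device receives the same complete policy set."""
    return {dev: dict(merged) for dev in devices}


def keep_separate_results(per_device: Dict[str, PolicySet]) -> Dict[str, PolicySet]:
    """Keep Separate Results: each device retains exactly what it learned."""
    return {dev: dict(policies) for dev, policies in per_device.items()}


# Constructed sample: two Guards at different peering points see different
# services (the port 30 / port 40 case from Step 8) and different volumes
# of port 80 traffic. Thresholds are constructed packets-per-second values.
SAMPLE_RESULTS: Dict[str, PolicySet] = {
    "guard-a": {"port-30": 1200.0, "port-80": 5000.0},
    "guard-b": {"port-40": 800.0, "port-80": 7500.0},
}

if __name__ == "__main__":
    merged = merge_results(SAMPLE_RESULTS)
    print("merged:", merged)
    print("distributed:", distribute(merged, SAMPLE_RESULTS))
    print("separate:", keep_separate_results(SAMPLE_RESULTS))
```

One consequence of the maximum rule is worth keeping in mind when choosing between the options: after a merge, a device at a low-volume peering point runs with a threshold sized for the busiest device, so anomalies that stay under that threshold on the quiet link are not flagged there. That is the trade-off between a single, simpler set of thresholds and per-device sensitivity, and it is why Keep Separate Results exists for topologies with uneven traffic volumes.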


Step 9 (Optional) Configure the packet dump parameters. The packet dump parameters enable the devices to record traffic directly from the network through nonintrusive taps and to create a database from the recorded traffic. By querying the recorded traffic database, you can analyze past events, generate signatures of an attack, or compare current network traffic patterns with traffic patterns that the devices recorded previously under normal traffic conditions.

To view the contents of the packet-dump or compare the contents of two packet dumps, you must use the Web-Based Manager (WBM) to log into the device that captured the traffic. See the "Related Documentation" section in the Preface for a list of all related documentation.

Table 5-7 describes the fields in the packet dump parameters section.

Table 5-7 Packet Dump Parameters 

Field
Description
Type

Auto Packet Dump

Defines whether the automatic packet-dump feature is enabled or disabled on the devices.

Note When enabled, packet dumps are created on each of the devices and cannot be displayed or managed using the MDM.

Choose one of the following options:

On—Enable the automatic packet dump

Note The automatic packet-dump feature must be enabled on the zone Guards to view the IP summarizations report on the MDM. See the "Displaying an IP Summarization Report (Guard-only Function)" section in Chapter 11, "Monitoring Zone and Device Operations".

Off—Disable the automatic packet dump

Shared

Max. disk space

Maximum amount of disk space (in MB) that the device is to use for auto packet dumps.

Shared


Step 10 Click OK. The MDM saves the zone configuration on the master device.

Step 11 (Optional) Synchronize the new information with the other zone devices by using one of the following methods:

Manually by choosing Activation > Sync from the zone menu.

Automatically according to how you configured the synchronization feature in the zone configuration (see Table 5-6).


Adding, Excluding, or Deleting a Zone IP Address

You define each zone with at least one IP address. Using MDM, you can add or delete a zone configuration IP address. If a zone configuration contains an IP address for a subnet, you can exclude specific IP addresses from within the subnet. Excluding an IP address removes the associated network element from the zone and the protection services of the associated Detector or Guard.

This section contains the following topics:

Adding an IP Address to the Zone

Excluding an IP Address from a Zone Subnet

Deleting an IP Address from the Zone

Updating the Zone Policies After Modifying the Zone IP Address Range

Adding an IP Address to the Zone

To add an IP address to the zone configuration, follow these steps:


Step 1 From the navigation pane, choose a zone. The zone menu appears.

Step 2 From the zone menu, choose Configuration > General. The zone General screen appears.

Step 3 In the zone IP Address table, click Add. The Add Zone IP screen appears.

Step 4 In the IP Address field, enter the IP address that you want to add. Enter the IP address in dotted-decimal notation (for example, 192.168.100.32).

Step 5 In the IP Mask field, enter the IP subnet mask. Enter the subnet mask in dotted-decimal notation (for example, 255.255.255.224).

Step 6 Click OK. The MDM saves the information to the master device.

Step 7 (Optional) Repeat Steps 3 through 5 for each IP address that you want to add to a zone.

Step 8 Update the zone policies. See the "Updating the Zone Policies After Modifying the Zone IP Address Range" section for more information.


Excluding an IP Address from a Zone Subnet

If you configure the zone with a subnet IP address, you can exclude specific IP addresses from that subnet so that the associated network elements are not included as part of the zone IP address range.

To exclude an IP address from an IP address range, follow these steps:


Step 1 From the navigation pane, choose a zone. The zone menu appears.

Step 2 From the zone menu, choose Configuration > General. The zone General screen appears.

Step 3 In the zone IP Address table, click Add. The Add Zone IP screen appears.

Step 4 In the IP Address field, enter the IP address that you want to exclude. Enter the IP address in dotted-decimal notation (for example, 192.168.100.32).

Step 5 In the IP Mask field, enter the IP subnet mask. Enter the subnet mask in dotted-decimal notation (for example, 255.255.255.224).

Step 6 Check the Exclude check box.

Step 7 Click OK. The MDM saves the information to the master device.

Step 8 (Optional) Repeat Steps 3 through 5 for each IP address that you want to exclude from the subnet.

Step 9 Update the zone policies. See the "Updating the Zone Policies After Modifying the Zone IP Address Range" section for more information.


Deleting an IP Address from the Zone

To delete an IP address from the zone IP address range, follow these steps:


Step 1 From the navigation pane, choose a zone. The zone menu appears.

Step 2 From the zone menu, choose Configuration > General. The zone General screen appears.

Step 3 Check the check box next to each IP address that you want to delete.

Step 4 Click Delete. The MDM saves the information to the master device.

Step 5 Update the zone policies. See the "Updating the Zone Policies After Modifying the Zone IP Address Range" section for more information.



Note If you delete all of the IP addresses configured with the zone, the device cannot provide any protection services.
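The following is an added example, written for this guide and not MDM or Guard software, that models what the procedures in this section build (a zone IP address range made of included subnets and excluded addresses) and how that range feeds the Activation Interface and Activation Extent settings in Table 5-5. The class and function names, the indication kinds, and the zone name web-farm are assumptions made for the illustration; the addresses are the dotted-decimal examples from the procedures above, with one constructed excluded host.

```python
"""Added example: a model of a zone IP address range with excluded
addresses (this section) and of the Guard's activation decision for the
Activation Interface and Activation Extent settings in Table 5-5.
Illustrative code written for this guide, not MDM or Guard software;
class and function names are assumptions."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network


@dataclass
class ZoneEntry:
    """One row of the zone IP Address table (the Add Zone IP screen)."""
    address: str            # dotted-decimal, e.g. "192.168.100.32"
    mask: str               # dotted-decimal, e.g. "255.255.255.224"
    exclude: bool = False   # the Exclude check box

    def network(self) -> IPv4Net:
        # strict=False tolerates host bits set in the address, as the GUI does.
        return ipaddress.IPv4Network(f"{self.address}/{self.mask}", strict=False)


@dataclass
class Zone:
    name: str
    entries: List[ZoneEntry] = field(default_factory=list)
    by_packet: bool = False       # Activation interface: By packet check box
    by_ip_address: bool = False   # Activation interface: By IP address check box
    entire_zone: bool = False     # Activation extent: False means "IP address only"

    def included_networks(self) -> List[IPv4Net]:
        return [e.network() for e in self.entries if not e.exclude]

    def excluded_networks(self) -> List[IPv4Net]:
        return [e.network() for e in self.entries if e.exclude]

    def covers(self, net: IPv4Net) -> bool:
        """True if net lies inside an included entry and touches no excluded entry."""
        inside = any(net.subnet_of(inc) for inc in self.included_networks())
        clashes = any(net.overlaps(exc) for exc in self.excluded_networks())
        return inside and not clashes

    def contains(self, ip: str) -> bool:
        return self.covers(ipaddress.IPv4Network(f"{ip}/32"))

    def can_protect(self) -> bool:
        # A zone whose included addresses were all deleted protects nothing (see the Note above).
        return bool(self.included_networks())


def activation_decision(zone: Zone, kind: str, value: str) -> Tuple[bool, Optional[List[str]]]:
    """Decide whether an external indication activates protection, and for which range.

    kind is "zone_name" (a command naming the zone), "packet" (destination IP of
    traffic arriving for the zone) or "ip_address" (an IP or subnet sent by a
    Detector). Returns (activates, list of protected address ranges or None).
    """
    if not zone.can_protect():
        return False, None
    if kind == "zone_name":
        if value != zone.name:
            return False, None
        # No address accompanies a zone-name command, so the whole range is used
        # (an assumption of this illustration).
        return True, [str(n) for n in zone.included_networks()]
    if kind == "packet":
        target = ipaddress.IPv4Network(f"{value}/32")
        if not zone.by_packet or not zone.covers(target):
            return False, None
    elif kind == "ip_address":
        target = ipaddress.IPv4Network(value, strict=False)
        if not zone.by_ip_address or not zone.covers(target):
            return False, None
    else:
        raise ValueError(f"unknown indication kind: {kind}")
    if zone.entire_zone:
        return True, [str(n) for n in zone.included_networks()]
    return True, [str(target)]   # "IP address only": just the indicated address or subnet


def build_sample_zone(**settings) -> Zone:
    """Constructed sample: the guide's example /27 with one host excluded."""
    zone = Zone("web-farm", **settings)
    zone.entries.append(ZoneEntry("192.168.100.32", "255.255.255.224"))
    zone.entries.append(ZoneEntry("192.168.100.40", "255.255.255.255", exclude=True))
    return zone


if __name__ == "__main__":
    z = build_sample_zone(by_ip_address=True)
    print(activation_decision(z, "ip_address", "192.168.100.48/28"))
    print(activation_decision(z, "ip_address", "192.168.100.32/28"))  # straddles the excluded host
```

With both check boxes unchecked (the default, zone-name activation) a packet or a Detector-supplied address never activates protection in this model, which matches the description in Table 5-5; with only By packet checked, a packet to an excluded host is ignored, and with the extent left at IP address only, activation covers just the indicated address rather than the whole /27. The model does not cover traffic diversion: as Table 5-5 notes, with By Packet or By IP Address activation you must still divert traffic to the Guard manually when the zone is attacked.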


Updating the Zone Policies After Modifying the Zone IP Address Range

If you modify the zone IP address or subnet, perform one of the following tasks:

If the new IP address or subnet consists of a new service that was not previously defined in the zone configuration, perform one of the following actions before activating zone anomaly detection or zone protection:

Activate the policy construction phase and accept the results of the phase (see the "Starting the Policy Construction Phase" section in Chapter 9, "Learning Zone Traffic and Taking Snapshots").

Add the service manually (see the "Adding or Deleting a Service" section in Chapter 8, "Managing Zone Policies").

If you made the modification while the device is performing the threshold tuning phase and actively detecting anomalies (Detector) or protecting the zone (Guard), mark the zone policies as untuned.


Caution Do not mark the policies as untuned if the zone is currently under attack. If you change the zone policies status to untuned during an attack, the devices cannot detect the attack and will learn the thresholds of malicious traffic.

See the "Marking the Zone Policies as Tuned or Untuned" section in Chapter 9, "Learning Zone Traffic and Taking Snapshots".

If you made the modification while the device was neither performing the threshold tuning phase nor actively detecting anomalies (Detector) or protecting the zone (Guard), and you do not plan to activate these functions, activate the threshold tuning phase and accept the results of the phase before you activate zone protection or zone anomaly detection. See the "Starting the Threshold Tuning Phase" section in Chapter 9, "Learning Zone Traffic and Taking Snapshots" for more information.

After you update the zone policies on the master device using one of the methods in this section, the MDM updates the zone devices with the new configuration information if you enable synchronization in the zone configuration (see the "Modifying the Zone General Configuration Attributes" section). To manually synchronize the zone configuration information, choose Activation > Sync from the zone menu.

Managing a Zone Device

With the exception of the zone master device, you can add or delete a device from a zone configuration. You manage the zone devices from the Device List table on the zone General Configuration screen. For a complete description of the information that the Device List table provides, see the "Displaying the Device Status and Device-Specific Counter Information" section in Chapter 11, "Monitoring Zone and Device Operations."

This section contains the following topics:

Adding a Device to the Zone Device List

Deleting a Device from the Zone Device List

Adding a Device to the Zone Device List

To add a device to the zone configuration, follow these steps:


Step 1 From the navigation pane, choose a zone. The zone menu appears.

Step 2 From the zone menu, choose Configuration > General. The zone General Configuration screen appears.

Step 3 From the Device List table, click Add. The Add Device to Zone screen appears, displaying the devices you have defined on the MDM device list. See Table 5-2 for a description of the fields in the Add Device to Zone screen.

Step 4 Verify that the memory usage (statistical anomaly engine memory usage) of the device that you want to add is lower than 90 percent if you plan to immediately activate the device.

The memory usage of the device is affected by the number of active zones associated with the device and the number of services that each of the associated zones monitors. If the memory usage for a Guard is higher than 90 percent and you plan to immediately activate zone protection, we recommend that you reduce the memory usage before you associate the device with the zone. You can reduce Guard memory usage by deactivating other zones associated with the device.

Step 5 Check the check box next to the device to add to the zone device list. To add all the devices in the table, check the check box in the table header.

Step 6 Click Add (located below the table). The MDM modifies its database to show an association between the device and the zone. The MDM also pushes the zone configuration out to the new device.


Deleting a Device from the Zone Device List


Caution When you delete a device from the zone device list, the device cannot provide protection services for the zone.

To delete a device from the zone device list, follow these steps:


Step 1 From the navigation pane, choose a zone. The zone menu appears.

Step 2 From the zone menu, choose Configuration > General. The zone General screen appears.

Step 3 In the Devices and Master table, check the check box next to each device that you want to delete.

Step 4 Click Delete (located below the table). The MDM modifies its database to remove the association between the device and the zone. The MDM also removes the zone configuration from the device.


Managing the Remote Guard List on a Zone Detector

When the zone consists of more than one Detector, you can define a unique remote Guard list on each Detector. This capability allows you to define a separate remote Guard list on each of the Detectors associated with a zone. When a Detector detects an attack on the zone, it activates the Guards identified on its remote Guard list to mitigate the attack.


Note To use different remote Guard lists on each of the zone Detectors, ensure that you enable the partial synchronization feature. Check the Exclude Remote Guards check box to instruct the MDM to exclude the remote Guard list when it performs synchronization. If you do not exclude the remote Guard list from synchronization, the list on the master device overwrites any existing lists on the other Detector devices. For more information, see the "Excluding Zone Policies and Remote Guard Lists From Zone Synchronization" section in Chapter 4, "Resolving Conflicts and Synchronizing Zones."


This section contains the following topics:

Adding a Remote Guard

Deleting a Remote Guard

Adding a Remote Guard

To add a remote Guard to a zone Detector, follow these steps:


Step 1 From the navigation pane, choose a zone. The zone menu appears.

Step 2 From the zone menu, choose Configuration > Remote Guards. The zone Remote Guards screen appears. The list of previously configured remote Guards associated with each zone Detector appears in the Remote Guards table (Table 5-8).

Table 5-8 Remote Guards Table 

Parameter
Description

Detector

Name of the Detector associated with the remote Guards in the zone.

Guard

Remote Guard name and IP address.

Communication Channel

Form of communication between the Detector and remote Guard device: SSH or SSL.

Description

Device description to help identify the remote Guard in the zone.


Step 3 To add a remote Guard to a zone Detector, click Add. The Remote Guard Form screen appears.

Step 4 In the Guard: drop-down list, select the name of a remote Guard that is available for use with the Detector.

Step 5 In the Communication Channel: drop-down list, specify the form of communication to be used between the Detector and Guard device. Choices include:

SSH—Secure Shell (SSH) connection.

SSL—Secure Sockets Layer (SSL) communication channel.


Note The SSH or SSL connection must already be established between the Guard and the Detector. See the "Enabling or Disabling Communication with a Device" section in Chapter 3, "Managing Devices on the MDM Network" for details.


Step 6 In the Description: text box, enter a device description to help identify the remote Guard in the zone. Enter an alphanumeric string with a maximum of 15 characters.

Step 7 In the To Be Applied On: parameter box, check the check box next to each Detector that is permitted to activate this Guard.

Step 8 Click OK. The MDM saves the remote Guard list to the selected Detector. The zone Remote Guards screen appears with an updated list of configured remote Guards.

Step 9 (Optional) Repeat Steps 3 through 8 for each remote Guard that you want to add to a Detector.

Deleting a Remote Guard

To delete one or more remote Guards from a zone Detector, follow these steps:


Step 1