
WANGUARD 5.2 User Manual & Administrator's Guide

IP Traffic Monitoring, Anomaly Detection & DDoS Mitigation with WANGUARD

Unforeseen traffic patterns affect user satisfaction, put pressure on over-subscription plans, and clog costly transit links. Providing high-performance, reliable network services is central to the success of today's organizations. As the business cost of network malfunctions continues to increase, rapid identification and mitigation of threats to network performance and reliability becomes critical in order to meet expected SLAs and network availability requirements. Such threats include propagating worms, botnet attacks, Denial of Service attacks (SYN flood, UDP flood etc.), misuse of services, and bulk data traffic interfering with real-time traffic. WANGUARD's network-wide surveillance of complex, multi-layer, switched and routed environments, together with its combination of features, is specifically designed to meet the challenge of pinpointing and resolving such threats.

WANGUARD Key Features & Benefits

DDOS DETECTION & MITIGATION – An anomaly detection engine that you can use to define traffic policies (per-prefix thresholds in pkts/s or bits/s), detect attacks and filter them.

POWERFUL ALERTING – Automate responses to threats using pre-defined, extensible actions: send emails, announce prefixes in BGP, null-route, send SNMP traps etc.

DETAILED ATTACK INFORMATION – View attack details with attackers and packet samples. Attack reports can be emailed automatically to you or to your customers.

TRAFFIC MONITORING – Supports the current traffic monitoring technologies: 10 Gbps packet sniffing, NetFlow v5, v7 and v9, sFlow, IPFIX, NetStream, jFlow and more.

FULLY-FEATURED CONSOLE – Consolidated management through a single, interactive and configurable web portal with custom Dashboards and user Roles.

COMPLEX ANALYTICS – Detailed Reports with aggregated data for hosts, departments, interfaces, applications, ports, protocols etc.

REAL-TIME REPORTING – Graph granularity (accuracy) down to 5 seconds; at that resolution traffic graphs appear animated.

HISTORICAL REPORTING – View Reports covering anything from the last half hour to the last 10 years, or any custom time period. Supports 95th percentile.

SCHEDULED REPORTING – Generate Scheduled Reports and email them to you or to your customers at preconfigured intervals.

NETFLOW ANALYZER – A fully featured NetFlow Analyzer and Collector. Also works with sFlow, jFlow, cFlow, NetStream and IPFIX.

PACKET SNIFFER – A distributed Packet Sniffer can save packet dumps from different parts of your network. Access the dumps from a Wireshark-like web interface.

ADVANCED CONFIGURATION – Fine-tune most parameters, from the accuracy of IP graphs and authentication methods to the data retention intervals.
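The detection and historical-reporting features above rest on two simple computations: rate the traffic of each monitored prefix per protocol "decoder" over a short window and compare it with a pkts/s or bits/s threshold, and summarise long-term usage as a 95th percentile. The following is an added example written for this page, not WANGUARD code; the flow-record layout, the decoder names (TOTAL, TCP, TCP-SYN, UDP, ICMP), the thresholds and the sample flows are all constructed assumptions chosen to illustrate the idea.

```python
"""Threshold-based traffic-anomaly detection over flow records, plus a
95th-percentile summary. Added illustration only; nothing here is
WANGUARD's own implementation. Decoder names, thresholds and all flow
records are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress
import math


@dataclass(frozen=True)
class Flow:
    ts: float        # export time in seconds (assumed field layout)
    src: str
    dst: str
    proto: int       # 6 = TCP, 17 = UDP, 1 = ICMP
    tcp_flags: int   # cumulative TCP flags of the flow; 0x02 = SYN, 0x10 = ACK
    packets: int
    bytes: int


def decoders(flow: Flow) -> set:
    """Assumed decoders: every flow counts as TOTAL, plus its protocol.
    A TCP flow that carries SYN but never ACK is a half-open connection
    attempt, the signature a SYN flood leaves in flow data."""
    labels = {"TOTAL"}
    if flow.proto == 6:
        labels.add("TCP")
        if (flow.tcp_flags & 0x02) and not (flow.tcp_flags & 0x10):
            labels.add("TCP-SYN")
    elif flow.proto == 17:
        labels.add("UDP")
    elif flow.proto == 1:
        labels.add("ICMP")
    return labels


def aggregate(flows, prefixes, window_seconds):
    """Sum inbound packets and bytes per (prefix, decoder) and turn them
    into rates. Inbound = destination falls inside one of our prefixes;
    flows to addresses outside them are ignored."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    sums = defaultdict(lambda: [0, 0])
    for f in flows:
        dst = ipaddress.ip_address(f.dst)
        for net in nets:
            if dst in net:
                for d in decoders(f):
                    sums[(str(net), d)][0] += f.packets
                    sums[(str(net), d)][1] += f.bytes
    return {k: (p / window_seconds, b * 8 / window_seconds)
            for k, (p, b) in sums.items()}


def detect(rates, thresholds):
    """thresholds: (prefix, decoder, unit, value) with unit 'pkts/s' or
    'bits/s'. Returns one record per exceeded threshold."""
    anomalies = []
    for prefix, decoder, unit, value in thresholds:
        pps, bps = rates.get((prefix, decoder), (0.0, 0.0))
        observed = pps if unit == "pkts/s" else bps
        if observed > value:
            anomalies.append({"prefix": prefix, "decoder": decoder,
                              "unit": unit, "threshold": value,
                              "observed": observed})
    return anomalies


def percentile_95(samples):
    """Burstable-billing 95th percentile: sort the interval samples,
    discard the top 5 %, return the highest remaining value."""
    if not samples:
        raise ValueError("no samples")
    s = sorted(samples)
    return s[math.ceil(0.95 * len(s)) - 1]


# Constructed sample: a 5-second window in which 203.0.113.10 receives
# 250 half-open SYN flows (2 packets, 80 bytes each) from spoofed sources,
# one legitimate TCP session, and one flow to an address we do not own.
WINDOW_SECONDS = 5
MONITORED_PREFIXES = ["203.0.113.0/24"]
SAMPLE_FLOWS = [
    Flow(1000.0 + i * 0.02, f"198.51.100.{i % 250 + 1}", "203.0.113.10",
         6, 0x02, 2, 80)
    for i in range(250)
] + [
    Flow(1001.0, "192.0.2.5", "203.0.113.10", 6, 0x1a, 400, 400_000),
    Flow(1002.0, "192.0.2.6", "198.51.100.9", 17, 0, 10, 5_000),
]
THRESHOLDS = [
    ("203.0.113.0/24", "TCP-SYN", "pkts/s", 50),        # SYN flood
    ("203.0.113.0/24", "TOTAL", "bits/s", 10_000_000),  # bandwidth
    ("203.0.113.0/24", "UDP", "pkts/s", 1_000),         # UDP flood
]


def run_example():
    rates = aggregate(SAMPLE_FLOWS, MONITORED_PREFIXES, WINDOW_SECONDS)
    return detect(rates, THRESHOLDS)


if __name__ == "__main__":
    for a in run_example():
        print(f"{a['prefix']} {a['decoder']}: {a['observed']:.0f} "
              f"{a['unit']} > {a['threshold']} {a['unit']}")
```

Only the TCP-SYN rule fires here (100 pkts/s against a 50 pkts/s threshold); total inbound bandwidth stays far below 10 Mbit/s, which is why packet-rate thresholds, not bandwidth thresholds, are the right tool for SYN floods. A production collector would also have to honour the exporter's sampling rate and its export delay before the rates mean anything.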

