
Cisco Traffic Anomaly Detector User Guide (OL-6109-01), page 4-11

Chapter 4      Zone Configuration

Zone Remote Guard List

Where remote-guard-address specifies the remote Guard IP address. Use '*' to remove all remote Guards from the remote Guard list.

Caution   The user should verify that the Detector has at least one remote Guard on its default remote Guard list (see the "Default Remote Guard List" section in Chapter 3, "Detector Configuration" for further details).

2. Choose ENTER

3. Repeat steps one and two as many times as required.

Below is an example of the no remote-guard command implementation:

admin@DETECTOR-conf-zone-scannet# no remote-guard 192.168.100.33
admin@DETECTOR-conf-zone-scannet#
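The Caution above asks the operator to confirm, before removing a remote Guard, that the Detector is not left with no Guard to activate. The following Python model is an added example written for this page, not Cisco's code or the Detector's implementation: it models a zone's remote Guard list, the `no remote-guard` semantics (a single address, or '*' to clear the list), and a dry-run check that reports what the Caution asks to verify. The class and method names, the fallback rule (a zone whose own list is empty is assumed to fall back to the Detector's default remote Guard list) and the sample addresses other than 192.168.100.33 are assumptions.

```python
"""Illustrative model of the zone remote Guard list and the `no remote-guard`
command. Added example for this page; not Cisco's code. The fallback rule,
the names and the constructed sample addresses are assumptions."""
import ipaddress


class RemoteGuardLists:
    """Per-zone remote Guard lists plus the Detector-wide default list."""

    def __init__(self, default_guards=()):
        # Default remote Guard list, configured at the Detector level (Chapter 3).
        self.default_guards = set(default_guards)
        # Zone name -> that zone's remote Guard list.
        self.zones = {}

    def remote_guard(self, zone, address):
        """`remote-guard <address>` in a zone's command group: add a Guard."""
        ipaddress.IPv4Address(address)  # reject malformed input before storing it
        self.zones.setdefault(zone, set()).add(address)

    def no_remote_guard(self, zone, address):
        """`no remote-guard <address>`; '*' removes every Guard from the zone list.

        Returns the zone list that remains after the removal."""
        guards = self.zones.setdefault(zone, set())
        if address == "*":
            guards.clear()
        else:
            guards.discard(address)  # removing an address that is not listed is a no-op
        return sorted(guards)

    def effective_guards(self, zone):
        """Assumed rule: a zone whose own list is empty falls back to the default list."""
        guards = self.zones.get(zone, set())
        return sorted(guards) if guards else sorted(self.default_guards)

    def removal_warnings(self, zone, address):
        """Dry-run the removal and report what the Caution asks the operator to verify."""
        remaining = set(self.zones.get(zone, set()))
        if address == "*":
            remaining.clear()
        else:
            remaining.discard(address)
        warnings = []
        if not remaining and not self.default_guards:
            warnings.append(
                f"zone {zone}: no remote Guard left in the zone list or the default list; "
                "a detected attack would have no Guard to activate")
        elif not remaining:
            warnings.append(f"zone {zone}: zone list empty, relying on default list")
        return warnings


if __name__ == "__main__":
    # Constructed scenario: no default remote Guard list configured.
    rg = RemoteGuardLists()
    rg.remote_guard("scannet", "192.168.100.33")
    rg.remote_guard("scannet", "192.168.100.34")  # constructed second Guard
    print(rg.removal_warnings("scannet", "192.168.100.33"))  # one Guard remains: no warning
    rg.no_remote_guard("scannet", "192.168.100.33")
    print(rg.removal_warnings("scannet", "*"))  # clearing the list now leaves nothing to activate
```

The dry-run check is the part worth carrying into practice: run it before issuing `no remote-guard`, and treat a warning on both lists being empty as a stop condition, since a zone without any remote Guard keeps detecting but has nothing to activate when an anomaly is found.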

Interactive Recommendations Mode

In the Interactive Recommendations mode the Detector enables the user to decide on the activation of the filters the policies launch (see the "Interactive Recommendations Mode" section in Chapter 6, "Filter Procedures" for details).

The Detector functions in accordance with the user's decision to accept, ignore, or time the filter's activation. In this way the user decides in real time which detection measures the Detector produces.

Activating the Interactive Recommendation Mode

The user may activate the interactive recommendations mode for any desired zone and repeat the procedure for any number of zones. The user may activate the interactive mode when a zone is defined, or later, either before or after initiating zone detection. The Detector enables the user to apply the interactive recommendations mode from the Configuration command group level or from the desired zone's command group level.

To activate the interactive recommendation mode perform the following:

1. From the Zone command group level type the following (sample):

admin@DETECTOR-conf-zone-<zone-name># interactive

2. Choose ENTER
