Résumé du contenu de la page N° 8
Chapter 4 Zone Configuration Basic Zone Configuration – ip-mask—(Optional) The zone IP subnet mask. Note If no mask is specified, the Detector assumes the default subnet mask 255.255.255.255. 2. Choose ENTER. Below is an example of the ip address command implementation: admin@DETECTOR-conf-zone-scannet# ip address 192.168.100.34 admin@DETECTOR-conf-zone-scannet# Note When initially defined, the zone IP address should be inserted when the zone is undetected. However, a zone’s subnet IP ad
Résumé du contenu de la page N° 9
Chapter 4 Zone Configuration Zone Remote Guard List Note If no mask is specified, the Detector assumes the default subnet mask 255.255.255.255. 2. Choose ENTER. Below is an example of the no ip address command implementation: admin@DETECTOR-conf-zone-scannet# no ip address 192.168.100.34 admin@DETECTOR-conf-zone-scannet# Removing all Zone IP Addresses The user may remove all the zone IP addresses. Caution Removing all zone IP addresses eliminates the zone DDoS detection. To remove all the
Résumé du contenu de la page N° 10
Chapter 4 Zone Configuration Zone Remote Guard List This section contains the following procedures: � Adding a Guard to the Zone Remote Guard List � Removing a Guard from the Zone Remote Guard List � Interactive Recommendations Mode Adding a Guard to the Zone Remote Guard List The user may add one or more Guards to the zone remote Guard list. To add a remote Guard or Guards to the zone remote Guard list perform the following: 1. From the Zone command group level type the following: admin@D
Résumé du contenu de la page N° 11
Chapter 4 Zone Configuration Zone Remote Guard List Where remote-guard-address specifies the remote Guard IP address. Use ‘*’ to remove all remote Guards from the remote Guard list. Caution The user should verify that the Detector has at least one remote Guard on its default remote Guard list (see the “Default Remote Guard List” section in Chapter 3, “Detector Configuration” for further details). 2. Choose ENTER. 3. Repeat steps one and two as many times as required. Below is an example
Résumé du contenu de la page N° 12
Chapter 4 Zone Configuration Zone Traffic Learning To create a new zone with interactive recommendations mode perform the following: 1. From the Configuration command group level type the following: admin@DETECTOR-conf# zone interactive 2. Choose ENTER. The new zone is created with a DEFAULT zone template configured for interactive recommendations mode. See the “Defining a New Zone” section for further details. Deactivating the Interactive Recommendation Mode The user may
Résumé du contenu de la page N° 13
Chapter 4 Zone Configuration Zone Traffic Learning The Detector’s tools for constructing detection policies are the Policy Templates. These define the policies according to the Minimum Threshold and Maximum Services parameters the user provides (this chapter will not cover those advanced procedures see Chapter 7, “Policy Procedures” for further details). Once supplied with the appropriate parameters, the Detector’s Policy Templates construct the detection policies based on the zone tra
Résumé du contenu de la page N° 14
Chapter 4 Zone Configuration Zone Traffic Learning Where zone-name specifies a zone name. Note that the Guard enables the use of an asterisk (*) as a wildcard denoting either of the following options: – All of the Guard’s zones. Issuing learning policy-construction* means setting the policy construction phase for all of the Detector’s zones. – A wildcard denoting zone names (i.e. OBL*). 2. Choose ENTER. Note Cisco recommends letting the Learning Phase 1 - Policy Construction continue f
Résumé du contenu de la page N° 15
Chapter 4 Zone Configuration Zone Traffic Learning Accepting Learning Phase 1 – Policy Construction The user may accept the Detector’s suggested policies. To accept the results of the initial Policy Construction phase perform the following: 1. From the Global command group level type the following: admin@DETECTOR# no learning accept Or alternatively: From the Zone command group level type the following: admin@DETECTOR-conf-zone-# no learning accept Where zone-name sp
Résumé du contenu de la page N° 16
Chapter 4 Zone Configuration Zone Traffic Learning Note that the Detector enables the use of an asterisk (*) as a wildcard denoting either of the following options: – All of the Detector’s zones. Issuing no learning* reject means aborting the learning phase for all of the Detector’s zones. – A wildcard denoting zone names (i.e. OBL*). 2. Choose ENTER. Learning Phase 2 – Threshold Tuning During this stage the Detector constructs its detection policies and begins to tune its traffic type
Résumé du contenu de la page N° 17
Chapter 4 Zone Configuration Zone Traffic Learning Terminating Learning Phase 2 – Threshold Tuning After a sufficient period of time (see the above note) the user ends the Threshold Tuning phase. The user may accept the Detector’s suggested policies or decide to abort the second phase of the learning process. The Detector would stop the Threshold Tuning phase and adopt the Policy Construction Phase results and the former thresholds results the Detector has. This results in a situation i
Résumé du contenu de la page N° 18
Chapter 4 Zone Configuration Zone Traffic Learning Aborting Learning Phase 2 – Tuning Threshold The user may wish to abort the second phase of learning procedure. In this case the Detector stops the process and erases the data learned on the second phase. The data gathered on the first learning phase and on the previous learning phase 2 remain unchanged. This results in a situation in which newly constructed policies have thresholds that were obtained according to past traffic characte
Résumé du contenu de la page N° 19
Chapter 4 Zone Configuration Zone Detection 2. Choose ENTER. The following (partial sample) screen appears: admin@DETECTOR-conf-zone-scannet# show policies statistics Key Rate Policy 192.168.100.34 73.17 http/80/analysis/syns/dst_ip N/A 0.17 http/80/analysis/syns/global Key Ratio Policy 192.168.100.34 1.44 tcp_ratio/any/analysis/syn_by_fin/dst_ip_ratio 80 1.44 tcp_ratio/any/analysis/syn_
Résumé du contenu de la page N° 20
Chapter 4 Zone Configuration Zone Detection Note that the Detector enables the use of an asterisk (*) as a wildcard denoting either of the following options: – All of the Detector’s zones. Issuing detect * means beginning detection for all of the Detector’s zones. – A wildcard denoting zone names (i.e. OBL*). 2. Choose ENTER. Guard-Protection Activation Forms The Detector enables the user to apply different Guard-protection forms designed to save Guard-protection resources and better fo