
WANGuard Platform 3.0 User Manual


Contents

1. WANGuard Filter Syslog Action Module

   This module is used by WANGuard Filter to send syslog messages locally or to remote syslog monitoring hosts. To send syslog messages you must enter the IP address of the syslog server (127.0.0.1 for localhost) and select the desired facility, severity level and message content. Syslog messages can be sent at the beginning (Beginning branch), during (Polling branch) or at the end (Ending branch) of an attack pattern. The message field can contain any number of WANGuard Sensor and WANGuard Filter Dynamic Parameters. Dynamic Parameters are explained at the beginning of the chapter; a complete list of the available Dynamic Parameters can be found in Appendix 2, Conditional & Dynamic Parameters (page 96). A configuration example of this module is shown below.

   [Screenshot: WANGuard Console 3.1, Setup > Traffic Anomaly Actions > Edit Action. The Ingress Traffic Anomaly Action (Priority 5) contains a WANGuard Filter Syslog module with severity WARNING and the message "New attack pattern detected filter_type filter_value"; buttons: Change WANGuard Filter Syslog, Delete WANGuard Filter Syslog.]
2. WANGuard Platform 3.1 User Manual, ANDRISOFT

   Copyright & trademark notices

   This edition applies to version 3.1 of the licensed program WANGuard Platform and to all subsequent releases and modifications until otherwise indicated in new editions.

   Notices: References in this publication to ANDRISOFT S.R.L. products, programs or services do not imply that ANDRISOFT S.R.L. intends to make these available in all countries in which ANDRISOFT S.R.L. operates. Evaluation and verification of operation in conjunction with other products, except those expressly designated by ANDRISOFT S.R.L., are the user's responsibility. ANDRISOFT S.R.L. may have patents or pending patent applications covering subject matter in this document. Supplying this document does not give you any license to these patents. You can send license inquiries, in writing, to the ANDRISOFT S.R.L. marketing department (sales@andrisoft.com).

   Copyright Acknowledgment: ANDRISOFT S.R.L. 2008. All rights reserved. This document is copyrighted and all rights are reserved by ANDRISOFT S.R.L. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording, or by any information storage and retrieval system, without the permission in writing from ANDRISOFT
3. (Table of contents, continued)

   Understanding the BGP Diversion Method ... 99
   BGP Configuration Guidelines ... 100
   WANGuard Filter System BGP Configuration ... 100
   WANGuard Filter System BGP Configuration Example ... 102
   Cisco Router BGP Configuration ... 102
   Cisco Router BGP Configuration Example ... 103
   Understanding Traffic Forwarding Methods ... 103
   Static Routing (Layer 2) Forwarding Method ... 104
   GRE / IP over IP Tunneling (Layer 3) Forwarding Method ... 104
   Configuring Static Routing (Layer 2) Forwarding Method ... 104
   Configuring GRE / IP over IP Tunneling (Layer 3) Forwarding Method ... 104

   Traffic Monitoring & Accounting, DoS/DDoS Detection & Protection with WANGuard Platform

   Why WANGuard Platform Is Important

   Most businesses today rely more and more on network infrastructure, so the computer network's reliability and speed are crucial for these businesses to be successful, and an efficient use of the available resources mus
4. [Screenshot: WANGuard Console, Setup > IP Zone Selection, listing the "Private Network" IP Zone and the buttons New IP Zone, Edit, Description, Copy, Delete.]

   You can configure the selected IP Zone by clicking the <Edit> button. To change the description of the selected IP Zone you must click the <Description> button and then provide a different description. To copy the selected IP Zone you must click the <Copy> button; a new IP Zone will be created that has the same information and the same description, with the word "copy" attached. In some cases, when you have multiple WANGuard Sensor systems, you may have to create multiple IP Zones that share the same IP classes. Instead of recreating the same IP classes for each new IP Zone, you can copy an existing IP Zone and modify only the IP classes' parameters. To delete the selected IP Zone you must click the <Delete> button and then confirm the deletion.

   [Screenshot: IP Zone Selection after copying, listing "Private Network", "Private Network copy" and "New IP Zone".]

   IP Zone Configuration

   After a new IP Zone is added, the IP Zone Configuration window will look like in the image below. A
5. [Screenshot: Setup > Traffic Anomaly Actions. The Ingress Traffic Anomaly Action has a WANGuard Filter module in its Beginning branch (Description: Protect Gigabit Link; WANGuard Filter: Upstream Provider 1); buttons: Change WANGuard Filter, Delete WANGuard Filter.]

   BGP Announcement Action Module

   [Screenshot: Edit Action for the Ingress Traffic Anomaly Action (Active, Priority 5), Polling branch, with a BGP Announcement module: Precondition parameter "Peak Pkts/s", operand "greater than"; Description "Blackhole attacked IP"; BGP Router "Route Reflector"; button: Change BGP Announcement.]

   This module is used by WANGuard Sensor to send a BGP announcement with the traffic anomaly's IP address. The BGP announcement will be automatically removed at the end of the traffic anomaly. More information can be found in the BGP Router Setup chapter (page 61).

   WANGuard Sensor Email Action Module

   This module is used by WANGuard Sensor to send notification emails at the beginning (Beginning bran
6. [Screenshot: live packets/s graph for "All WANGuard Sensors" (Data Unit: Packets; time axis 14:10 to 15:05; Refresh Interval). Legend: LAN Switch VLAN 900 inbound/outbound, R12000 SPAN inbound/outbound, Peering SPAN inbound/outbound, NetFlow Router LAN Interface inbound/outbound, NetFlow Router WAN inbound/outbound.]

   Current Traffic Anomalies

   The Current Traffic Anomalies table is visible only when WANGuard Sensor detects one or more active traffic anomalies. Every row in the table represents an active traffic anomaly. The traffic anomalies are sorted by start time in descending order. The active traffic anomalies are presented in the following format:

   - The unique index number of the traffic anomaly. If this number is clicked, a new window opens with a list of the WANGuard Filter systems activated for this traffic anomaly.
   - IP Address: The IP address from your network involved in the traffic anomaly. In front of the IP address, a graphic arrow indicates the direction of the traffic anomaly. When the arrow points to the right, the threshold values were exceeded for inbound traffic; when it points to the left, the threshold values were exceeded for outbound traffic. Inbound anomal
7. The Default View field lets you select which View will be displayed immediately after logging into WANGuard Console:

   - Systems View (recommended for systems administrators)
   - Reports View (recommended for network administrators)
   - Security View (recommended for IT security engineers)
   - BGP Operations (recommended for BGP operators)

   Actions Setup

   Understanding Actions

   Actions provide a unique and powerful way to automate the reaction to traffic anomalies and attack patterns. An Action is a collection of commands executed by WANGuard Sensor and WANGuard Filter during the reaction phase of a traffic anomaly or DoS/DDoS/DrDoS attack. As explained in the Basic Concepts chapter, every IP class monitored and defined in the current IP Zone may have its own Action configured. When a traffic threshold value defined for an IP is reached, the Action defined for the IP's IP class is executed by WANGuard Sensor and, if installed and activated, by WANGuard Filter.

   Every Action runs the Action Modules it contains. Action Modules provide means to execute commands, send notifications, write logs and more. There are two types of Action Modules:

   - WANGuard Sensor Action Modules are predefined commands that are executed by the WANGuard Sensor system that detected the traffic anomaly, while the traffic anomaly is active.
   - WANGuard Filter Action Modules are predefined commands that are executed b
8. announcement was sent manually through WANGuard Console.

   - Router: The BGP router used to send the BGP announcement.
   - IP Address: The announced IP address.
   - Subnet: The announced subnet in CIDR form. It is /32 for single IP addresses.
   - Start Time: The date & time when the BGP announcement was sent.
   - Stop Time: The date & time when the BGP announcement was deleted.
   - Status: The current status of the BGP announcement (FINISHED, ACTIVE, WAITING).
   - User: If the BGP announcement was sent manually, this field contains the logged-in user.
   - Details: If the BGP announcement was sent manually, this field contains the details field.

   Events Logs

   Events Logs contain all events generated by WANGuard Platform components. Each component that generates events is listed in a sub-menu. Each record has the following format:

   - System: The name or description of the WANGuard Platform component that generated the event.
   - Anomaly: If the event was generated by a WANGuard Filter system, this field contains the index of the traffic anomaly for which the WANGuard Filter was activated. Otherwise the field is empty.
   - Module: The module or internal function that generated the event.
   - Severity: Events are tagged with a severity value that describes the importance of the event. Severity level descriptions are listed in the Managing Users chapter (page 22).
   - Event
9. The scripts are executed locally on each WANGuard Filter system that uses Actions that include this module. Multiple commands can be executed using the separator. Scripts executed through the WANGuard Filter Action Module have the user privileges of the wanguard system account. To elevate privileges for your scripts you should use the sudo prefix after editing the /etc/sudoers file.

   Some possible uses of this module:

   - configure ACLs or execute PIX shun commands to filter attacking IPs
   - issue route blackhole commands on the attacked Linux servers to filter attacking IPs
   - send SNMP TRAP messages to SNMP monitoring stations

   The image below shows how to use this module to write a text file with logs of attack patterns that became inactive, using basic Linux commands.

   [Screenshot: Setup > Traffic Anomaly Actions > Edit Action for the Ingress Traffic Anomaly Action, Ending branch, WANGuard Filter Script module. Description: "write /tmp/logfile"; Script: echo filter filter_id stopped wanguardfilter_last_unixtime >> /tmp/wangu... (cut off in the screenshot); buttons: Change WANGuard Filter Script, Delete WANGuard Filter Script.]
10. - UDP describes all traffic that uses the UDP protocol (DNS, SNMP, TFTP etc.).
    - ICMP describes all traffic that uses the ICMP protocol (PING, TRACEROUTE etc.).
    - OTHER describes all other protocols (non-UDP, non-TCP and non-ICMP).

    If you are not interested in checking traffic thresholds for an IP class, you can check the Unlimited checkbox on the right side of the threshold value field. To enter a threshold value, the Unlimited checkbox must be unchecked first. To inherit the value of the parent IP class, you must leave the threshold value field empty and the Unlimited checkbox unchecked.

    To ease the configuration of threshold values for many IP classes/addresses with the same properties, you can define a single Thresholds Template and then select it from the list. The thresholds template will override all existing threshold values. Thresholds Templates management is described in depth in the next section.

    - Accounting: If the Accounting parameter is set to Yes, WANGuard Sensor records traffic accounting data for every IP address included in the selected IP class. Accounting data contains the number of inbound and outbound packets and bits, and averages of packet and bit rates. If the Accounting parameter is set to Inherit, the value is inherited from the parent IP class. If the parameter is set to No, no accounting data is recorded.
    - Graphing: If the Graphing parameter is set to Yes then WANGuard Sensor
11.     telnet 127.0.0.1 2601
        localhost> enable
        localhost# config terminal
        localhost(config)# service password-encryption
        localhost(config)# write
        localhost(config)# exit
        localhost# exit

    To configure the bgpd daemon you must telnet to port 2605 and enter the previously defined password (bgppass). You must then switch to the privileged mode by entering the enable command:

        root@localhost# telnet 127.0.0.1 2605
        localhost> enable
        localhost#

    Switch to terminal configuration mode by entering the config terminal command. The prompt will change, indicating that the system has entered the configuration mode:

        localhost# config terminal
        localhost(config)#

    You should then enable encrypted passwords and set a new password for the configuration mode:

        localhost(config)# service password-encryption
        localhost(config)# enable password enablepass

    Configure routing on bgpd using the commands shown in the following example. Please note that you can use the prefix-list, route-map or distribute-list method for filtering outgoing routing information about the router. The following example describes the distribute-list method. You can use the prefix-list or route-map filtering method types as long as the routing information is not sent to bgpd.

        localhost(config)# router bgp <WANGuard Filter AS number>
        localhost(config-router)# bgp router-id <
12. For WANGuard Sniff it represents the rate of packets dropped in the capturing process. When the number is high it indicates a performance problem located in the network card, in the network card's driver or in the CPU. It may also mean a bad WANGuard Sniff installation. For WANGuard Flow it represents the rate of flows dropped in the flow receiving process. When the number is high it indicates a network problem between the flow exporter and the WANGuard Flow system, or a bad WANGuard Flow installation.

    - Unknown packets or flows: For WANGuard Sniff it represents the rate of packets discarded by validation or filtering. For WANGuard Flow it represents the rate of flows discarded by validation or filtering.
    - Refresh Interval: Select the interval between consecutive refreshes of the graph. The graph updates itself flicker-free, but it is best to keep the refresh interval large for low-bandwidth monitoring stations.

    Events Tab

    The Events Tab provides a list of the latest events recorded in the Events Log. Every field is explained in the Events Log section of the Archive chapter (page 88).

    Reports View

    The Reports View provides easy access to live and historical information about monitored hosts, networks and network interfaces. The Reports View is split vertically in two sides. The left side contains three sections: WANGuard Sensors, IP Descriptions and IP Address
13. - IP Zone: The IP Zone field provides a selection of the currently defined IP Zones that can be used by WANGuard Sniff. If the field has no options, you must first define an IP Zone. For more information about IP Zones please read the previous chapter.
    - Details: You can use this field to store comments about the current WANGuard Sniff configuration.

    An example of a working WANGuard Sniff configuration is displayed below. This WANGuard Sniff system analyzes all VLAN 900 traffic it receives on the first network interface, generates Top statistics and uses the IP class information found in the VLAN 900 IP Zone.

    [Screenshot: Setup > WANGuard Sniff Configuration. Active: checked; Description: LAN Switch VLAN 900; IP Address: 192.168.1.100; Network Interface: eth0; VLAN Support: 900; MAC Filter: Source / Destination; IP Validation: On; Direction: Inbound & Outbound; Top: checked; Graph Data Path: /opt/wanguard/rrd; Graph Color Inbound: 0033CC; Graph Color Outbound: CC0000; IP Zone; Details: configuration example; button: Add WANGuard Sniff.]

    After a new WANGuard Sniff system is added, the WANGuard Sniff Selection window is updated. If
14. [Screenshot: Setup > IP Zone Selection > IP Zone Configuration for the "Private Network" IP Zone, with the New IP Address/Subnet form.]

    The IP Zone configuration window is divided in two sections, one on the left and one on the right. In the upper side of the left section you will see a form that is used to add IP addresses/classes to the IP Zone. Below it you will see the name of the current IP Zone and the tree of allocated IP classes. When adding a new IP class the tree is automatically updated. In the right section you will see detailed information about the selected IP class or IP address. The right section will be empty if there is no IP class or IP address selected.

    As explained in the Understanding IP Zones / Inheritance section, every IP Zone contains the 0.0.0.0/0 supernet. To edit the 0.0.0.0/0 IP class properties, click 0.0.0.0/0 in the IP classes tree.

    [Screenshot: IP Zone Configuration showing the inbound and outbound traffic thresholds for 0.0.0.0/0 (Threshold Value / Unlimited, in Packets/s and Bits/s for each protocol); Thresholds Template: None.]
15. [Setup menu: AS Details, Actions, BGP Routers, IP Graphs, IP Zones, Configuration, Users, Thresholds, WANGuard Filter, WANGuard Sensor.]

    The IP Zones Selection window lets you select existing IP Zones to edit, change description, copy or delete. If no IP Zones were previously added, the form will only have the option to add a new IP Zone.

    [Screenshot: Setup > IP Zone Selection with only "New IP Zone" listed and the buttons Edit, Description, Copy, Delete.]

    Adding a new IP Zone

    To add a new IP Zone you must select New IP Zone from the IP Zone Selection form and then click <Edit>. You will then be asked to enter a generic description that will help you identify the new IP Zone.

    [Screenshot: IP Zone Configuration > New IP Zone Description, with "Private Network" entered.]

    Changing Description, Copying & Deleting IP Zones

    Adding a new IP Zone will update the IP Zones Selection window.

    [Screenshot: IP Zone Selection, updated.]
16. ASN or the interface type. Keep in mind that WANGuard Platform defines IP classes (subnets) using the CIDR notation. To enter individual hosts in IP Zones you must use the /32 CIDR. For more about CIDR notation you can consult Chapter 4, Network Basics You Should Be Aware Of (page 16).

    Inheritance

    One very special IP class that is defined by default in every IP Zone is the 0.0.0.0/0 IP class. The 0.0.0.0/0 supernet contains all private and public IP addresses available for IPv4. To ease the configuration of IP Zones, every new IP class that you define inherits by default the properties of the closest IP class that includes it (the one having the biggest CIDR). The only IP class that does not inherit any properties is the 0.0.0.0/0 IP class, because there is no other IP class that includes it.

    WANGuard Sensor must learn from its IP Zone the properties of the IP addresses it analyzes. This is why, if WANGuard Sensor cannot include a detected IP address in the IP classes you defined, it applies the properties of the 0.0.0.0/0 IP class. So for unknown IP addresses the 0.0.0.0/0 properties are applied. In the last section of this chapter you can see an example of how inheritance works.

    IP Zone Selection

    To manage IP Zones you must first select IP Zones from the Setup menu and then select Configuration. You will enter the IP Zones Selection window.
17. Action form found in the top left part of the window and click <Add>.

    [Screenshot: Setup > Traffic Anomaly Actions, New Action form with "Ingress Traffic Anomaly" entered and the Add button.]

    After the <Add> button is clicked, the left section will change to include the new Action. In the following example we added two Actions: Ingress Traffic Anomaly and Egress Traffic Anomaly.

    [Screenshot: Traffic Anomaly Actions tree listing Egress Traffic Anomaly and Ingress Traffic Anomaly, each with Beginning, Polling and Ending branches.]

    Action Renaming & Deleting

    To delete or rename an Action you must select the Action name in the left section. On the right side you will see which IP Zones and IP classes are currently configured to use the selected Action. The left arrow indicates that the Action was defined for Outbound traffic anomalies, and the right arrow indicates that the Action was defined for Inbound traffic anomalies.

    [Screenshot: Traffic Anomaly Actions with an Action selected; the right side shows the Action Description field.]
18. (Appendix 2, Dynamic Parameters table, continued)

    #   Name                          Type    Identifier                 Description
    14  (name garbled)                Number  (not recoverable)          The concurrency value for the IP address, extracted from the WANGuard Sensor's IP Zone.
    15  Unique Dynamic Parameter      String  exclusive                  The Unique Dynamic Parameters contain Dynamic Parameters that must be unique for the validation of an Action Module.
    16  WANGuard Filters              Number  wanguardfilters            The number of WANGuard Filters activated to detect and (description cut off)

    Traffic Related Parameters

    #   Name                          Type    Identifier                 Description
    17  Threshold Pkts/s              Number  threshold_pps              The threshold packets/second value for the IP address and protocol, extracted from the WANGuard Sensor's IP Zone.
    18  Threshold Bits/s              Number  threshold_bps              The threshold bits/second value for the IP address and protocol, extracted from the WANGuard Sensor's IP Zone.
    19  WANGuard Sensor Pkts/s        Number  wanguardsensor_pps         The latest packets/second throughput recorded by WANGuard Sensor in the anomalous traffic.
    20  WANGuard Sensor Bits/s        Number  wanguardsensor_bps         The latest bits/second throughput recorded by WANGuard Sensor in the anomalous traffic.
    21  WANGuard Sensor Total Pkts/s  Number  wanguardsensor_total_pps   The latest packets/second throughput recorded for the IP address, for all traffic.
    22  WANGuard Sensor Total Bits/s  Number  wanguardsensor_total_bps   The latest packets/second throughput recorded for the IP address, for all traffic.
    23  WANGuard Sensor Peak Pkts/s   Number  wangu
19. IP Zones Setup

    This chapter describes how to create, manage and understand IP Zones.

    Understanding IP Zones

    IP Zones are hierarchical, tree-like structures that contain user-provided information about any combination of the following elements:

    - a network server, client or router
    - a network link, subnet or an entire network
    - an individual Internet user or company
    - an Internet Service Provider (ISP)

    Each WANGuard Sensor extracts the following information from IP Zones:

    - the IP classes that will be monitored
    - the IP classes that will generate traffic graphs and accounting data
    - IP classes descriptions
    - inbound and outbound traffic thresholds used for traffic anomaly detection
    - what Action should be activated when an inbound or outbound traffic anomaly is detected

    When configuring a WANGuard Sensor (page 46) you have to select the IP Zone that will be used. An IP Zone may be used by multiple WANGuard Sensor systems, but a WANGuard Sensor system can use only one IP Zone. An IP Zone must contain the IP classes that are routed within your Autonomous System or the IP classes owned by your organization. If you don't populate the IP Zone with your IP classes, WANGuard Sniff can only validate the traffic it captures by analyzing the MAC address of the upstream or downstream router. If you don't populate the IP Zone with your IP classes, WANGuard Flow can only validate the traffic it captures by analyzing the
20. If your router uses the BGP protocol, you can configure the AS to be included in exports with the command:

        router(config)# ip flow-export version 5 peer-as|origin-as

    The following commands break up flows into shorter segments: 1 minute for active traffic and 30 seconds for inactive traffic. Please use only these values, as they decrease the RAM usage and increase the performance of WANGuard Flow:

        router(config)# ip flow-cache timeout active 1
        router(config)# ip flow-cache timeout inactive 30

    In enable mode you can see the current NetFlow configuration and state:

        router# show ip flow export
        router# show ip cache flow
        router# show ip cache verbose flow

    Configuring NDE on a CatOS Device

    In privileged mode on the Supervisor Engine, enable NDE:

        Switch> (enable) set mls nde <ip address> 2000

    Use the IP address of your WANGuard Flow server and the configured listening port. UDP port 2000 is used only as an example.

        Switch> (enable) set mls nde version 5

    The following command is required to set the flow mask to full flows:

        Switch> (enable) set mls flow full

    The following commands break up flows into shorter segments: 1 minute for active flows and 30 seconds for inactive flows. Please use only these values, as they decrease the RAM usage and increase the performance of WANGuard Flow:

        Switch> (enable) set mls agingtime long 8
        Switch> (enable) set mls agingtime 4

    If you want to account all traffic withi
21. [Screenshot: Systems View in Mozilla Firefox (WANGuard Console 3.0), showing the Active Systems tables (for example "Filter ServerFarm" and several entries marked "WANGuard Filter not active") and the WANGuard Sensor Live Graphs tab with the live bits/s throughput graph for "All WANGuard Sensors" (Data Unit: Bits; time axis 16:00 to 16:50; Refresh Interval in seconds). Legend: LAN Switch VLAN 900 inbound/outbound, R12000 SPAN inbound/outbound, Peering SPAN inbound/outbound, NetFlow Router LAN Interface inbound/outbound, NetFlow Router WAN Interface inbound/outbound.]

    The refreshing of tables can be stopped by clicking the <Pause> button. When the <Pause> button is clicked it changes into a <Resume> button, which resumes the refreshing of tables when clicked. The Systems View page includes the Active Systems tables and two tabs: WANGuard Sensor Live G
22. The text of the event.
    - Details: Some modules provide additional information in this field.
    - Date: The date and time when the notification was generated.

    Filter Logs

    The Filter Logs sub-menu contains Attacks Pattern Logs and WANGuard Filter Logs.

    Attacks Patterns

    The Attacks Patterns table contains details about every attack pattern detected by WANGuard Filter systems. Each record has the following format:

    - Anomaly: The index of the traffic anomaly for which the WANGuard Filter was activated.
    - Victim: The IP address from your network involved in the traffic anomaly.
    - Protocol: The traffic type that exceeded the threshold (SYN, TCP, UDP, ICMP, OTHER).
    - Direction: The direction of the anomalous traffic (inbound or outbound).
    - Filter Type: The attack pattern type (Source IP, Source Port, Destination Port, Packet Length, TimeToLive, IP Protocol). If the filtering policy permits it, WANGuard Filter dynamically applies filters that match the attack pattern.
    - Filter Value: The attack pattern value.
    - Start Time: The date and time when the attack pattern was first detected.
    - Stop Time: The date and time when the attack pattern was last detected.
    - Peak Pkts/s: The maximum packets/second throughput of the traffic matching the attack pattern.
    - Peak Bits/s: The maximum bits/second throughput of the traffic matching the attack pattern.
    - Packets: The number of IP packet
23. There are no host addresses within the Class D address space, since all the hosts within a group share the group's IP address for receiver purposes. Class E addresses are defined as experimental and are reserved for future testing purposes. They have never been documented or utilized in a standard way.

    The WANGuard Platform uses IP Addresses and IP Classes with the CIDR notation extensively throughout its components.

    Subnet CIDR Notation

    CIDR  Class                          Hosts       Mask
    /32   1/256 C                        1           255.255.255.255
    /31   1/128 C                        2           255.255.255.254
    /30   1/64 C                         4           255.255.255.252
    /29   1/32 C                         8           255.255.255.248
    /28   1/16 C                         16          255.255.255.240
    /27   1/8 C                          32          255.255.255.224
    /26   1/4 C                          64          255.255.255.192
    /25   1/2 C                          128         255.255.255.128
    /24   1 C                            256         255.255.255.0
    /23   2 C                            512         255.255.254.0
    /22   4 C                            1024        255.255.252.0
    /21   8 C                            2048        255.255.248.0
    /20   16 C                           4096        255.255.240.0
    /19   32 C                           8192        255.255.224.0
    /18   64 C                           16384       255.255.192.0
    /17   128 C                          32768       255.255.128.0
    /16   256 C, 1 B                     65536       255.255.0.0
    /15   512 C, 2 B                     131072      255.254.0.0
    /14   1024 C, 4 B                    262144      255.252.0.0
    /13   2048 C, 8 B                    524288      255.248.0.0
    /12   4096 C, 16 B                   1048576     255.240.0.0
    /11   8192 C, 32 B                   2097152     255.224.0.0
    /10   16384 C, 64 B                  4194304     255.192.0.0
    /9    32768 C, 128 B                 8388608     255.128.0.0
    /8    65536 C, 256 B, 1 A            16777216    255.0.0.0
    /7    131072 C, 512 B, 2 A           33554432    254.0.0.0
    /6    262144 C, 1024 B, 4 A          67108864    252.0.0.0
    /5    524288 C, 2048 B, 8 A          134217728   248.0.0.0
    /4    1048576 C, 4096 B, 16 A        268435456   240.0.0.0
    /3    2097152 C, 8192 B, 32 A        536870912   224.0.0.0
    /2    4194304 C, 16384 B, 64 A       1073741824  192.0.0.0
    /1    8388608 C, 32768 B, 128 A      2147483648  128.0.0.0
    /0    16777216 C, 65536 B, 256 A     4294967296  0.0.0.0

24. Getting Started with WANGuard Platform

    Please read the following Basic Concepts section in order to get a clear overview of the basic premises required for the proper operation of the software.

    Basic Concepts

    To understand the concepts of WANGuard Platform please be aware of the following phrases:

    - Menu Bar: Every browser window has on top a fixed drop-down menu bar used for navigation throughout the WANGuard Console. The Menu Bar contains drop-down menus similar to the ones used in common desktop applications.
    - Views: WANGuard Console offers various ways to look at live collected data. We call these Views. You can switch between them by selecting the Views menu from the Menu Bar. There are four different types of Views:
      - Security View: Displays the latest traffic anomalies detected by WANGuard Sensor systems and live information about DoS, DDoS and DrDoS attacks mitigated by WANGuard Filter systems. On the bottom section it d
…<WANGuard Filter IP address>
    localhost(config-router)# neighbor <Router IP address> remote-as <Router AS number>
    localhost(config-router)# neighbor <Router IP address> description <description>
    localhost(config-router)# neighbor <Router IP address> soft-reconfiguration inbound
    localhost(config-router)# neighbor <Router IP address> distribute-list nothing-in in
    localhost(config-router)# neighbor <Router IP address> route-map WANGuard-Filter-out out
    localhost(config-router)# exit
    localhost(config)# access-list nothing-in deny any
    localhost(config)# route-map WANGuard-Filter-out permit 10
    localhost(config-route-map)# set community x:x no-export no-advertise
    localhost(config-route-map)# exit
    localhost(config)# write
    localhost(config)# exit

WANGuard Filter System BGP Configuration Example

To display the router configuration, enter the show running-config command from the enable command level. In the following example the router's AS number is 1000 and the bgpd AS number is 64000. The following partial sample output is displayed:

    localhost# show running-config
    router bgp 64000
     bgp router-id 192.168.1.100
     neighbor 192.168.1.1 remote-as 1000
     neighbor 192.168.1.1 description divert-from-router
     neighbor 192.168.1.1 soft-reconfiguration inbound
     neighbor 192.168.1.1 distribute-list nothing-in in
     neighbor 192.168.1.1 route-map WANGuard-Filter-out out
… as configured on the flow exporter.
• Flow Exporter IP: The IP address of the flow exporter, usually the Loopback0 interface IP on the network device. Each server running WANGuard Flow must have its system time synchronized with the flow exporter.
• SNMP Community: The read-only SNMP community of the network device. The community is used by WANGuard Console when it connects to the flow exporter to get SNMP indexes.
• Interfaces: Here you must define the network interfaces that will be monitored. Each interface must contain the following information:
  o SNMP Index: The SNMP index of the interface. You can click the <> button to allow WANGuard Console to connect to the network device, using the Flow Exporter IP and SNMP Community defined earlier, and to display the available interfaces and indexes.
  o Description: A short generic description used for interface identification.
  o Type: Specifies the type of the interface:
    ■ Ingress: Traffic entering an Ingress interface also enters your network. Traffic that leaves an Ingress interface leaves your network. Upstream provider interfaces are always Ingress.
    ■ Egress: Traffic entering an Egress interface leaves your network. Traffic that leaves an Egress interface enters your network. On border routers, interfaces towards your network are always Egress.
    ■ Null: Traffic entering the Null interface is discarded by
… black holing.
• To divert DoS, DDoS and DrDoS traffic through a WANGuard Filter system that will filter the malicious traffic.

If you do not need any of those features, you can safely skip this chapter. Keep in mind that our support team can help you with any configuration issues.

WANGuard Sensor and WANGuard Filter can make use of BGP only if you have previously installed and configured the bgpd daemon included in the zebra (http://www.zebra.org) or quagga (http://www.quagga.net) packages. Bgpd configuration steps are found in Appendix 3, Configuring Traffic Diversion (Page 99). After you have configured bgpd, you must define the BGP router(s) in WANGuard Console.

BGP announcements are sent automatically by WANGuard Sensor when a BGP Announcement Action Module (Page 28) is executed. BGP announcements are sent automatically by WANGuard Filter when a BGP router is selected in the WANGuard Filter's configuration (Page 55).

BGP Router Selection

To enter the BGP Router Selection window, select BGP Routers from the Setup menu.

[Screenshot: WANGuard Console 3.1 Setup menu with the entries Actions, BGP Routers, IP Graphs, IP Zones, Users, WANGuard Filter and WANGuard Sensor.]

If no BGP router was previously configured, the BGP Router Selection window will be displayed empty, with the only option available being to add a new BGP router.
… explained in the previous sections. Currently supported protocols are SNMP, FTP, SSH, TELNET, SMTP, HTTP, POP3, IMAP, SQL, NETBIOS, IRC, DIRECTCONNECT, TORRENT, DNS and ICMP. Protocol detection is less reliable for applications that use non-standard, randomized source or destination ports.

WANGuard Sensor Tops

WANGuard Sensor systems configured with the Top option collect data that can be used to generate top statistics for any selected time frame. Available statistics are top hosts (talkers), top TCP ports, top UDP ports, top IP protocols and top AS Numbers (only when NetFlow is used). Top generation for large time frames may take minutes; in this case, edit the max_execution_time parameter from php.ini accordingly.

[Screenshot: Reports View, WANGuard Sensor Tops form: WANGuard Sensor(s) selection (LAN Switch VLAN 900, Peering SPAN, R12000 SPAN, NetFlow Router WAN Interface, NetFlow Router LAN Interface, Sum Multiple Sensors), Top Talkers, Protocol IP, Direction Inbound, Generate Traffic Tops button.]

WANGuard Sensor Graphs

WANGuard Console can generate on-demand MRTG-style graphs for WANGuard Sensor traffic parameters for the selected time frame. To generate WAN
… have network devices that can do port mirroring, you can deploy a Linux server on the main data path and WANGuard Sniff will be able to analyze the traffic flows that are routed through the server. Note that the server will become a single point of failure if you don't configure VRRP.

Reasons to choose Port Mirroring / Network TAP / In-line Deployment

Packet sniffing comes into consideration if you want the quickest reaction to traffic anomalies (under 5 seconds) and you can provide the higher CPU power needed by WANGuard Sniff. Packet sniffing provides extremely fast and accurate traffic accounting and analysis results.

NetFlow Monitoring

NetFlow Monitoring is the domain of networks that usually use Cisco or Huawei L3 switch or router flows. These can be configured to send data streams with the network's usage data to a Linux server running WANGuard Flow.

How NetFlow Monitoring Works

One option to measure bandwidth usage by IP address is to use the NetFlow protocol, which is especially suited for high-traffic remote networks. Many routers and Layer 3 switches from Cisco support this protocol, as well as vendors like Huawei (NetStream), Juniper, Extreme Networks, 3COM and others. Network devices with NetFlow support track the bandwidth usage of the network internally and can be configured to send pre-aggregated data to a Linux server running WANGuard Flow for traffic analysis and accounting purposes.
[Screenshot residue: IPs/s graph for NetFlow Router WAN Interface, showing the classes 81.95.129.0/26 and 88.94.122.0/26.]

The Traffic Tops area provides live statistics about top hosts (talkers), top TCP ports, top UDP ports, top IP protocols and top AS Numbers (only when NetFlow is used). This tab is not available if the selected WANGuard Sensor does not have the Top option activated in its configuration.

IP Descriptions Section

This section contains IP Description fields extracted from all existing IP Zones. When you click an IP Description, the right side of the Reports View will contain two tabbed areas, as you can see in the screenshot below. The Traffic Graphs area contains graphs with traffic parameters generated for all hosts or networks that have the selected IP Description. The Traffic Accounting area contains a traffic accounting report generated for the hosts or networks that have the selected IP Description.

[Screenshot: WANGuard Console 3.0 Reports View in Mozilla Firefox, WANGuard Sensors section, Traffic Graphs tab for Peering SPAN and R12000 SPAN, Data Unit Bits.]
… list of activated WANGuard Filter systems for the traffic anomaly.
• WANGuard Sensor: The description of the WANGuard Sensor that detected the traffic anomaly.
• IP Address: The IP address from your network involved in the traffic anomaly. If the IP address is clicked, a new window opens with detailed information about reverse DNS, ISP, Country, AS number etc.
• Description: The description of the IP address, extracted from the WANGuard Sensor's IP Zone.
• Details: This field contains information provided by third-party applications.
• Protocol: The traffic type that exceeded the threshold value: SYN, TCP, UDP, ICMP, OTHER.
• Direction: The direction of the anomalous traffic: inbound, outbound.
• Latest Pkts/s: The latest packets/second throughput reached by the anomalous traffic.
• Latest Bits/s: The latest bits/second throughput reached by the anomalous traffic.
• Peak Pkts/s: The maximum packets/second throughput reached by the anomalous traffic.
• Peak Bits/s: The maximum bits/second throughput reached by the anomalous traffic.
• Threshold Pkts/s: The threshold packets/second value for the IP address and protocol.
• Threshold Bits/s: The threshold bits/second value for the IP address and protocol.
• Concurrency: The concurrency value for the IP address, extracted from the WANGuard Sensor's IP Zone.
• Latest Total Pkts/s: The latest packets/second throu
… new BGP announcement you must enter the IP Subnet, select the BGP router and provide comments to the form in the upper section of the window. If the announcement was successful, the BGP announcements table below will contain the new BGP announcement. Users with Normal User privileges can only view the BGP announcements list.

The BGP announcements table contains the following fields:
• BGP Router: The BGP Router description, as defined in the BGP router configuration (Page 61).
• IP Address/Subnet: The IP address and the subnet in CIDR notation.
• Start Time: The time and date when the BGP announcement was sent.
• Details: This field contains comments or details about the announcement. If the announcement was sent manually using the form in the upper section, the Details field contains the details entered in the form. If the announcement was sent automatically by WANGuard Sensor or by WANGuard Filter, then the Details field contains the index of the traffic anomaly that generated the BGP announcement. By clicking the traffic anomaly index, a new window will open that provides details from the Archive regarding the traffic anomaly.
• Action: The Action field is visible only if the logged-on user has Administrator privileges. The Action field contains a button for the manual removal of the BGP announcement.

You can view details about old BGP announcements by accessing the B
… new values for TCP SYN Packets/second and UDP Packets/second, and we defined new Inbound and Outbound Actions.

[Screenshot: IP Zone Configuration for 0.0.0.0/0: Inbound and Outbound traffic thresholds tables (Traffic Protocol, Threshold Value, Inheritance, Packets/s and Bits/s columns) and the Parameters table.]

In the image above you can see that all the values are inherited from 0.0.0.0/0 except the following values: ICMP Packets/second 1000, Other Packets/second 10000, Accounting YES, Graphing YES and Description Internal Network.

[Screenshot: IP Zone Configuration, Inbound traffic thresholds for 192.168.0.0/16.]
    … out
    access-list nothing-in deny any
    route-map WANGuard-Filter-out permit 10
     set community 1000:64000 no-export no-advertise
    line vty

Cisco Router BGP Configuration

This section describes the router's BGP configuration used when you configure traffic diversion. The syntax in the commands is taken from the BGP configuration on a Cisco router. The following configuration steps show the commands to use to configure BGP on a Cisco router:

    r7500(config)# router bgp <Router AS number>
    r7500(config-router)# bgp log-neighbor-changes
    r7500(config-router)# neighbor <WANGuard Filter IP address> remote-as <WANGuard Filter AS number>
    r7500(config-router)# neighbor <WANGuard Filter IP address> description <description>
    r7500(config-router)# neighbor <WANGuard Filter IP address> soft-reconfiguration inbound
    r7500(config-router)# neighbor <WANGuard Filter IP address> distribute-list routesToWANGuardFilter out
    r7500(config-router)# neighbor <WANGuard Filter IP address> route-map WANGuard-Filter-in in
    r7500(config-router)# no synchronization
    r7500(config-router)# exit
    r7500(config)# ip bgp-community new-format
    r7500(config)# ip community-list expanded <WANGuard Filter community name> permit no-export no-advertise
    r7500(config)# route-map WANGuard-Filter-in permit 10
    r7500(config-ro
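The bgpd side of the diversion setup relies on two safeguards that are easy to lose during later edits: the `distribute-list nothing-in in` that stops the WANGuard Filter host from accepting any prefix from the router, and the `no-export no-advertise` communities that keep the diverted /32s from leaking beyond the router. The following checker is an added example written for this manual, not code from Andrisoft or from quagga; it parses a `show running-config` excerpt and reports a finding for every neighbor missing either safeguard. `SAMPLE_RUNNING_CONFIG` is constructed from the appendix's own example (router AS 1000, bgpd AS 64000); the `1000:64000` community value is assumed.

```python
import re

# Added example, not part of the WANGuard manual or of quagga: a checker for the
# bgpd configuration the appendix prescribes. SAMPLE_RUNNING_CONFIG is constructed
# from the appendix's example (router AS 1000, bgpd AS 64000); the community value
# is an assumption.
SAMPLE_RUNNING_CONFIG = """\
router bgp 64000
 bgp router-id 192.168.1.100
 neighbor 192.168.1.1 remote-as 1000
 neighbor 192.168.1.1 description divert-from-router
 neighbor 192.168.1.1 soft-reconfiguration inbound
 neighbor 192.168.1.1 distribute-list nothing-in in
 neighbor 192.168.1.1 route-map WANGuard-Filter-out out
access-list nothing-in deny any
route-map WANGuard-Filter-out permit 10
 set community 1000:64000 no-export no-advertise
line vty
"""

NEIGHBOR_RE = re.compile(r"neighbor (\S+) (\S+)(?: (.*))?$")
ACL_RE = re.compile(r"access-list (\S+) (permit|deny) (.*)$")
ROUTE_MAP_RE = re.compile(r"route-map (\S+) (permit|deny) (\d+)$")


def parse_bgpd_config(text):
    """Minimal parser for the statements the appendix uses: the local AS,
    neighbor options, access-lists and route-map entries with their `set` lines."""
    cfg = {"local_as": None, "neighbors": {}, "access_lists": {}, "route_maps": {}}
    current_entry = None  # route-map entry whose indented `set` lines follow
    for raw in text.splitlines():
        if not raw.startswith(" "):
            current_entry = None  # any top-level statement ends the route-map entry
        line = raw.strip()
        if not line or line == "!":
            continue
        m = re.match(r"router bgp (\d+)$", line)
        if m:
            cfg["local_as"] = int(m.group(1))
            continue
        m = NEIGHBOR_RE.match(line)
        if m:
            peer, keyword, rest = m.group(1), m.group(2), m.group(3) or ""
            nb = cfg["neighbors"].setdefault(peer, {})
            if keyword in ("distribute-list", "route-map"):
                name, direction = rest.split()  # e.g. "nothing-in in"
                nb[f"{keyword} {direction}"] = name
            else:
                nb[keyword] = rest
            continue
        m = ACL_RE.match(line)
        if m:
            cfg["access_lists"].setdefault(m.group(1), []).append((m.group(2), m.group(3)))
            continue
        m = ROUTE_MAP_RE.match(line)
        if m:
            current_entry = {"action": m.group(2), "seq": int(m.group(3)), "set": []}
            cfg["route_maps"].setdefault(m.group(1), []).append(current_entry)
            continue
        if current_entry is not None and line.startswith("set "):
            current_entry["set"].append(line[4:])
    return cfg


def diversion_findings(cfg):
    """Problems with the diversion peering; an empty list means both safeguards
    from the appendix are present for every configured neighbor."""
    findings = []
    for peer, nb in cfg["neighbors"].items():
        acl = cfg["access_lists"].get(nb.get("distribute-list in"), [])
        if not acl or any(action == "permit" for action, _ in acl):
            findings.append(f"{peer}: inbound prefixes are not rejected "
                            "(expected 'distribute-list nothing-in in' with 'deny any')")
        entries = cfg["route_maps"].get(nb.get("route-map out"), [])
        clauses = " ".join(s for entry in entries for s in entry["set"])
        if "no-export" not in clauses or "no-advertise" not in clauses:
            findings.append(f"{peer}: outbound route-map does not set "
                            "community no-export no-advertise")
    return findings


if __name__ == "__main__":
    for finding in diversion_findings(parse_bgpd_config(SAMPLE_RUNNING_CONFIG)) or ["ok"]:
        print(finding)
```

Feed it the output of `show running-config` from the bgpd vty after every change to the diversion router; the Cisco side (distribute-list `routesToWANGuardFilter out`, route-map `WANGuard-Filter-in`) can be checked the same way by extending the regexes to the IOS keywords.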
… packets/second, bits/second or bytes/second. If some data units are missing, see the IP Traffic Graphs configuration (Page 77).
• Graph Size: Select the graph size.
• Aggregation: Select the aggregation procedure for the graph: MINIMUM, MAXIMUM or AVERAGE. If some aggregation types are missing, see the IP Traffic Graphs configuration (Page 77).

By IP Description

By selecting this option you can generate traffic graphs for IPs or IP classes that share the selected IP Description. To generate traffic graphs using IP Descriptions, fill the form displayed below.

[Screenshot: Traffic Graphing by IP Description form: IP Zone "Public IPs", IP Description "Corporate Network", From/Until, WANGuard Sensor(s) (Peering SPAN, R12000 SPAN, LAN Switch VLAN 900, NetFlow Router WAN Interface, NetFlow Router LAN Interface, Sum Multiple Sensors), Unit Bits, Graph Size 500x140, Aggregation Maximum, Generate Traffic Graphs button.]

Most fields are explained in the beginning of this section. To generate IP traffic graphs using this option, first select an IP Zone and then select an IP Description included in the selected IP Zone. WANGuard Console will search for IP addresses and IP classes that match the selected IP Descrip
… records graphing data for every IP address included in the selected IP class. Graphing data contains accurate information about inbound and outbound packets/second and bits/second rates. If the Graphing parameter is set to Inherit, then the value is inherited from the parent IP class. If the Graphing parameter is set to No, then no graphs will be generated for the current IP class.

• Concurrency: This parameter is used by WANGuard Filter when doing source IP filtering. If the traffic thresholds are reached and the concurrency value is set to 1, then every single source IP that reaches that threshold will be filtered by WANGuard Filter. If the concurrency value is set to 3, then every single source IP that reaches a third of the destination's traffic threshold will be filtered by WANGuard Filter. If the parameter is empty, then the parameter will be inherited from the parent IP class. The default value for concurrency is 1.
• Description: This parameter should contain a short description for the selected IP class or IP address.

Thresholds Templates

To ease the addition of traffic thresholds with the same values, define a Thresholds Template first and then apply it on multiple IP classes. To manage Thresholds Templates you must first select IP Zones from the Setup menu and then select Thresholds. Most fields are explained in the Inbound and Outbound Traffic Thre
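Two rules from this chapter decide what WANGuard Filter actually does for an attacked address: parameters left at Inherit are resolved upward through the containing IP classes, and Concurrency divides the destination's threshold to obtain the per-source rate at which a source IP gets filtered. The code below is an added example for this manual, not Andrisoft's implementation; `IP_ZONE` is constructed after the manual's example (192.168.0.0/16 overriding only ICMP 1000 pps, Other 10000 pps and the description), while the 0.0.0.0/0 figures, the 192.168.2.1/32 entry and the per-source packet rates are assumed values.

```python
import ipaddress

# Added example, not code from the WANGuard manual: resolution of "Inherit"
# parameters through the IP class hierarchy and the Concurrency rule for source
# IP filtering. None stands for the Inherit setting. The 0.0.0.0/0 numbers and
# the /32 entry are assumed; the /16 overrides follow the manual's example.
IP_ZONE = {
    "0.0.0.0/0": {"tcp_syn_pps": 5000, "udp_pps": 20000, "icmp_pps": 500,
                  "other_pps": 5000, "concurrency": 1, "description": "Default"},
    "192.168.0.0/16": {"tcp_syn_pps": None, "udp_pps": None, "icmp_pps": 1000,
                       "other_pps": 10000, "concurrency": None,
                       "description": "Internal Network"},
    "192.168.2.1/32": {"tcp_syn_pps": 2000, "udp_pps": None, "icmp_pps": None,
                       "other_pps": None, "concurrency": 3, "description": None},
}


def effective_parameters(zone, ip):
    """Resolve every parameter for `ip`: start at the most specific IP class
    that contains it and fall back to each parent class while the value is
    Inherit (None)."""
    addr = ipaddress.ip_address(ip)
    containing = [ipaddress.ip_network(p) for p in zone if addr in ipaddress.ip_network(p)]
    containing.sort(key=lambda net: net.prefixlen, reverse=True)  # most specific first
    resolved = {}
    for net in containing:
        for key, value in zone[str(net)].items():
            if value is not None and key not in resolved:
                resolved[key] = value
    return resolved


def sources_to_filter(params, protocol, per_source_pps):
    """Source IPs WANGuard Filter would act on once the destination's threshold
    is reached: each source sending at least threshold / concurrency pps.
    With concurrency 1 a single source must reach the whole threshold; with 3,
    a third of it, as in the manual's example."""
    threshold = params[f"{protocol}_pps"]
    per_source_limit = threshold / params["concurrency"]
    return sorted(src for src, pps in per_source_pps.items() if pps >= per_source_limit)


if __name__ == "__main__":
    # Constructed per-source SYN rates seen towards 192.168.2.1 during an anomaly.
    seen = {"203.0.113.5": 700, "203.0.113.6": 500, "198.51.100.9": 2100}
    victim = effective_parameters(IP_ZONE, "192.168.2.1")
    print(victim)
    print(sources_to_filter(victim, "tcp_syn", seen))
```

The inheritance walk is the part worth keeping in mind when a threshold looks wrong in the Security View: a value shown for a /32 may actually come from 0.0.0.0/0 several levels up, and lowering Concurrency on the parent silently changes the per-source limit for every class that inherits it.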
… router-based, and it takes much less overhead to keep track of a few networks than millions of them.

IP Classes

Class A addresses always have the first bit of their IP addresses set to 0. Since Class A networks have an 8-bit network mask, the use of a leading zero leaves only 7 bits for the network portion of the address, allowing for a maximum of 128 possible network numbers, ranging from 0.0.0.0 to 127.0.0.0. Number 127.x.x.x is reserved for loopback, used for internal testing on the local machine.

Class B addresses always have the first bit set to 1 and their second bit set to 0. Since Class B addresses have a 16-bit network mask, the use of a leading 10 bit pattern leaves 14 bits for the network portion of the address, allowing for a maximum of 16,384 networks, ranging from 128.0.0.0 to 191.255.0.0.

Class C addresses have their first two bits set to 1 and their third bit set to 0. Since Class C addresses have a 24-bit network mask, this leaves 21 bits for the network portion of the address, allowing for a maximum of 2,097,152 network addresses, ranging from 192.0.0.0 to 223.255.255.0.

Class D addresses are used for multicasting applications. Class D addresses have their first three bits set to 1 and their fourth bit set to 0. Class D addresses are 32-bit network addresses, meaning that all the values within the range of 224.0.0.0 to 239.255.255.255 are used to uniquely identify multicast groups.
… seconds.

No.  Name                                 Type    Parameter              Description
     (seconds)                            Number  filter_difftime        The duration of the attack pattern.
55                                        Number  filter_first_unixtime  The time in unix format when the attack pattern was detected.
56                                        Number  filter_last_unixtime   The latest time in unix format when the attack pattern was still active.
57                                        String  filter_first_time      The time in iso8601 format when the attack pattern was detected.
58                                        String  filter_last_time       The latest time in iso8601 format when the attack pattern was still active.
59   Filter Whitelisted                   Number  filter_whitelisted     If the attack pattern is whitelisted the value is 1. Otherwi…
60                                        String  filter_tcpdump         Contains a tcpdump-like log with a sample of traffic matching the attack pattern.
61   Filter Traffic Sample Size (bytes)   Number  filter_tcpdump_size    Attack pattern traffic sample size.
62                                        String  attacker_whois         attacker_whois extracts from the whois database (RIPE, ARIN, APNIC, AfriNIC, LacNIC) the ISP contact email of the attacker's IP address.

Appendix 3. Configuring Traffic Diversion

This appendix describes how to configure traffic diversion for WANGuard Filter. Information provided here regarding router configurations is for informational purposes only. Please refer to the appropriate router user guides for detailed information.

Understanding the BGP Diversion Method

Follo
… switched networks, the use of switches or routers with a so-called monitoring port is required. For configuring Cisco switches, please consult "Catalyst Switched Port Analyzer (SPAN) Configuration Example" at http://www.cisco.com/warp/public/473/41.html. To configure TAPs or other devices that support port mirroring, please consult the producer's documentation.

WANGuard Filter System Requirements for 1 Gigabit Network Interface
• Architecture: x86 32 or 64 bit
• CPU: 1 x Xeon 2.5 GHz or 1 x Opteron 1.8 GHz
• Memory: 500 MBytes
• Network Cards: 2 x Gigabit Ethernet (NAPI support strongly recommended)
• Operating System: Linux kernel 2.6.x
• Installed Packages: perl 5.x, quagga or zebra, Net::Telnet, iptables, mysql 5.x, perl-DBD-MySQL, tcpdump, WANGuard Filter 3.1, WANGuard BGPSupport 3.1, WANGuard Controller 3.1
• Disk Space: 5GB including OS

WANGuard Filter can be deployed in-line, or it must have access to a BGP router that can be used to divert the malicious traffic towards the server running it. For sending BGP announcements, WANGuard Filter uses the free, open-source quagga or zebra routing software. For more information about configuring quagga or zebra and your network devices for traffic diversion, please consult Appendix 3, Configuring Traffic Diversion (page 99). Having a dedicated filtering server for each monitored link is not always required. You can deploy a single filtering server that
… the router and by the WANGuard Flow.
• Graph Color Inbound: Here you can select the color you will see on graphs as inbound (ingress) traffic for the current interface. By default a random color will be chosen. To change the color, you can enter the color as an HTML Color Code, or you can manually select the color by pressing the <> button.
• Graph Color Outbound: Here you can select the color you will see on graphs as outbound (egress) traffic for the current interface. By default a random color will be chosen. To change the color, you can enter the color as an HTML Color Code, or you can manually select the color by pressing the <> button.
• Sampling: This parameter must contain the same sampling rate configured on the router. If no flows/packet sampling is used, then sampling is 1/1 (default).
• Accuracy: RAM usage using the highest accuracy (5 seconds) can be very high. Decreasing the accuracy will decrease RAM usage and won't have any negative effects in most scenarios. A very low accuracy increases the traffic anomaly detection time.
• IP Validation:
  o Off: Will disable IP Validation.
  o On: WANGuard Flow will only analyze the traffic that has the source and/or the destination IP addresses in the selected IP Zone (excluding 0.0.0.0/0).
  o Strict: WANGuard Flow will only analyze the traffic that has either the source or the destination IP addresses in the selected IP Zone (excluding 0.0.0.0/0).
• AS Va
… use of a subnet mask. This is another 32-bit binary number which acts like a filter when it is applied to the 32-bit IP address. By comparing a subnet mask with an IP address, systems can determine which portion of the IP address relates to the network and which portion relates to the host. Anywhere the subnet mask has a bit set to 1, the underlying bit in the IP address is part of the network address. Anywhere the subnet mask is set to 0, the related bit in the IP address is part of the host address.

The size of a network is a function of the number of bits used to identify the host portion of the address. If a subnet mask shows that 8 bits are used for the host portion of the address block, a maximum of 256 host addresses are available for that specific network. If a subnet mask shows that 16 bits are used for the host portion of the address block, a maximum of 65,536 possible host addresses are available for use on that network.

An Internet Service Provider (ISP) will generally assign either a static IP address (always the same) or a dynamic address (changes every time one logs on). ISPs and organizations usually apply to the InterNIC for a range of IP addresses so that all clients have similar addresses. There are about 4.3 billion IP addresses. The class-based legacy addressing scheme places heavy restrictions on the distribution of these addresses. TCP/IP networks are inherently
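The Subnet CIDR Notation table, the IP Classes section and the subnet mask description above are all the same bit arithmetic seen from three angles. The helpers below are an added example written for this manual, not code from the WANGuard Platform: they derive any row of the CIDR table from the prefix length, classify an address by the leading bits of its first octet exactly as the IP Classes text describes, and split an address into network and host parts by applying the mask. All function names are the example's own; only Python's standard library is used.

```python
import ipaddress
from fractions import Fraction

# Added example, not code from the WANGuard manual: the arithmetic behind the
# "Subnet CIDR Notation" table, the classful rules and the subnet mask text.


def prefix_to_mask(prefix):
    """Dotted-quad subnet mask for /prefix: the top `prefix` bits set to 1."""
    if not 0 <= prefix <= 32:
        raise ValueError("IPv4 prefix length must be between 0 and 32")
    bits = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return ".".join(str((bits >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def address_count(prefix):
    """Number of addresses in a /prefix (the table's Hosts column)."""
    return 1 << (32 - prefix)


def cidr_table_row(prefix):
    """One row of the table: block size expressed in Class C (/24), Class B
    (/16) and Class A (/8) networks, plus host count and mask."""
    hosts = address_count(prefix)
    row = {"cidr": f"/{prefix}", "hosts": hosts, "mask": prefix_to_mask(prefix),
           "class_c": Fraction(hosts, 256)}
    if prefix <= 16:
        row["class_b"] = Fraction(hosts, 65536)
    if prefix <= 8:
        row["class_a"] = Fraction(hosts, 1 << 24)
    return row


def ip_class(ip):
    """Classful category from the leading bits of the first octet:
    0xxx -> A, 10xx -> B, 110x -> C, 1110 -> D (multicast), 1111 -> E."""
    first_octet = int(ipaddress.IPv4Address(ip)) >> 24
    if first_octet & 0x80 == 0:
        return "A"
    if first_octet & 0xC0 == 0x80:
        return "B"
    if first_octet & 0xE0 == 0xC0:
        return "C"
    if first_octet & 0xF0 == 0xE0:
        return "D"
    return "E"


def split_network_host(ip, prefix):
    """Apply the mask as the manual describes: bits under a 1 in the mask form
    the network address, bits under a 0 form the host number."""
    addr = int(ipaddress.IPv4Address(ip))
    mask = int(ipaddress.IPv4Address(prefix_to_mask(prefix)))
    network = ipaddress.IPv4Address(addr & mask)
    host = addr & (~mask & 0xFFFFFFFF)
    return str(network), host


if __name__ == "__main__":
    for p in (32, 26, 24, 16, 8, 0):
        r = cidr_table_row(p)
        print(r["cidr"], r["class_c"], "C", r["hosts"], r["mask"])
    print(ip_class("224.0.0.1"), split_network_host("192.168.2.1", 24))
```

`cidr_table_row(8)` yields 65536 C, 256 B and 1 A with 16777216 hosts, matching the /8 line of the table; the `Fraction` values reproduce the "1/256 C" style entries for prefixes longer than /24.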
… will protect multiple links as long as you can re-route the traffic towards it and re-inject the cleaned traffic to a downstream router. For very large networks, a dedicated filtering server for each upstream link is highly recommended.

WANGuard Console System Requirements for < 5 WANGuard Sensors and WANGuard Filters
• Architecture: x86 32 or 64 bit
• CPU: 1 x Pentium IV 2.4 GHz
• Memory: 500 MBytes
• Network Cards: 1 x Fast Ethernet or Gigabit Ethernet
• Operating System: Linux kernel 2.6.x
• Installed Packages: apache 2.x, php 5, mysql 5.x, rrdtool 1.2.x, perl 5.x, perl-rrdtool, perl-MailTools, perl-DBD-MySQL, ping, whois, traceroute, telnet, WANGuard Console 3.1, WANGuard Controller 3.1
• Disk Space: 5GB including OS (additional storage when storing IP graphs data)

To access the web interface provided by WANGuard Console, one of the following web browsers is required (others should also work but have not been tested): Firefox 2.0 or later, Internet Explorer 6.0 or later, Apple Safari 3.0 or later, Konqueror 3.5 or later, Opera 8.0 or later. The web browser must have JavaScript and cookie support activated. Java support is not required. To access the Contextual Help, please install Adobe PDF Reader. For the best WANGuard Console experience, we highly recommend the Firefox 3 browser and a 1280x1024 pixels or higher resolution monitor.

Download

All WANGua
…0.12.0/24, it will not filter destination IP 89.90.12.1 and destination port 53 UDP.

[Screenshot: WANGuard Filter Whitelists, "New IP Address/Subnet Exceptions for 89.90.12.0/24", with the rules:]

Description     Protocol  Parameter         Operator  Value
BGP ROUTER      ANY       IP Address        equal     89.90.12.1
DNS WHITELIST   UDP       Destination Port  equal     53

When an attack pattern cannot be filtered because it conflicts with the WANGuard Filter's Whitelist, the attack pattern is reported in the Security View with a red exclamation point and is recorded in the Archive with the Whitelist field set to 1.

BGP Router Setup

Users can view, send and withdraw BGP announcements from WANGuard Console through the BGP Operations window (Page 75). All records about BGP announcements are stored in the Archive (Page 87). WANGuard Sensor and WANGuard Filter can be configured to send and withdraw BGP announcements automatically in the following cases:
• To protect networks by announcing upstream providers, using a special BGP community, that your side does not route the attacked addresses anymore or that they should null-route the announced addresses. This network protection technique is called
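The whitelist decides which detected attack patterns the filter may act on and which must instead be surfaced as conflicts (red exclamation point in the Security View, Whitelist field set to 1 in the Archive). The code below is an added example written for this manual, not Andrisoft's implementation: it encodes the two rules from the screenshot above and triages constructed attack patterns against them. The conflict semantics are an assumption of the example (a rule applies when its protocol is ANY or equals the pattern's, its parameter equals the pattern's filter type, and its operator holds for the value); the `not equal` operator and the `AttackPattern` fields are likewise the example's own.

```python
from dataclasses import dataclass

# Added example, not code from the WANGuard manual: whitelist conflict check for
# attack patterns. Matching semantics and the operator set are assumptions.


@dataclass(frozen=True)
class WhitelistRule:
    description: str
    protocol: str    # "ANY", "TCP", "UDP", "ICMP", ...
    parameter: str   # "IP Address", "Destination Port", ...
    operator: str    # "equal" or "not equal" (assumed operator set)
    value: str


@dataclass(frozen=True)
class AttackPattern:
    protocol: str
    filter_type: str   # the Dynamic Parameter filter_type
    filter_value: str  # the Dynamic Parameter filter_value


# The two rules shown in the manual's screenshot for 89.90.12.0/24.
WHITELIST = [
    WhitelistRule("BGP ROUTER", "ANY", "IP Address", "equal", "89.90.12.1"),
    WhitelistRule("DNS WHITELIST", "UDP", "Destination Port", "equal", "53"),
]


def rule_matches(rule, pattern):
    """True when filtering `pattern` would drop traffic the rule protects."""
    if rule.protocol != "ANY" and rule.protocol != pattern.protocol:
        return False
    if rule.parameter != pattern.filter_type:
        return False
    if rule.operator == "equal":
        return rule.value == pattern.filter_value
    if rule.operator == "not equal":
        return rule.value != pattern.filter_value
    raise ValueError(f"unsupported operator {rule.operator!r}")


def whitelisted(rules, pattern):
    """Value of filter_whitelisted: 1 when any rule conflicts with the pattern, else 0."""
    return 1 if any(rule_matches(rule, pattern) for rule in rules) else 0


def triage(rules, patterns):
    """Split detected patterns into those the filter may apply and those that
    must be reported as whitelist conflicts instead of being filtered."""
    apply, report = [], []
    for pattern in patterns:
        (report if whitelisted(rules, pattern) else apply).append(pattern)
    return apply, report


if __name__ == "__main__":
    # Constructed attack patterns, as WANGuard Filter might detect them.
    detected = [
        AttackPattern("UDP", "Destination Port", "53"),   # would break the DNS whitelist
        AttackPattern("UDP", "Destination Port", "123"),  # safe to filter
        AttackPattern("TCP", "IP Address", "89.90.12.1"),  # BGP router, protected for any protocol
    ]
    apply, report = triage(WHITELIST, detected)
    print("apply:", apply)
    print("report as whitelisted:", report)
```

Keeping the whitelist small and specific matters: a rule on `IP Address` with protocol ANY, as for the BGP router above, exempts every pattern targeting that address, so an attack on it can only be reported, never filtered.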
[Screenshot residue: WANGuard Sensor(s) selection (R12000 SPAN, LAN Switch VLAN 900, NetFlow Router WAN Interface, NetFlow Router LAN Interface) and a Generate Accounting Report button.]

The From, Until and WANGuard Sensor(s) fields are explained in the beginning of this section. For the IP Address/Subnet fields, use the CIDR notation. To generate traffic accounting reports for hosts, not networks, select the /32 CIDR. For more information about CIDR, consult the Network Basics You Should Be Aware Of chapter (Page 16). If the traffic accounting report is empty, check that the entered IP Address/Subnet is included in the selected WANGuard Sensor's IP Zone and that the Accounting parameter for that IP class is set to Yes.

Protocols Distribution Graphs

WANGuard Sensor systems configured with the Top option collect protocols distribution data. You can view this data by selecting Protocols Distribution from the Reports menu. To generate Protocols Distribution graphs, fill the following form:

[Screenshot: Protocols Distribution Graphs form: WANGuard Sensor(s) (Peering SPAN, R12000 SPAN, LAN Switch VLAN 900, NetFlow Router WAN Interface, NetFlow Router LAN Interface), Graph Size 500x240, Generate Protocols Distribution Graphs button.]

All fields are
[Screenshot residue: IP Zone Configuration, showing a "…1.0/24 Customer Service" class, the Outbound traffic thresholds for 192.168.2.1/32 (Traffic Protocol, Threshold Value, Unlimited, TCP SYN, Bits/s, Packets/s) and the Parameters for 192.168.2.1/32 (Parameter, Inheritance).]

WANGuard Sensor Setup

This chapter describes how to add, configure and delete WANGuard Sensor systems through WANGuard Console. To manage WANGuard Sensor systems, you must first select the WANGuard Sensor type from the Setup menu. Keep in mind that our support team can help you with any configuration issues.

[Screenshot: Setup menu with the entries Actions, BGP Routers, IP Graphs, IP Zones, Users, WANGuard Filter and WANGuard Sensor > WANGuard Flow / WANGuard Sniff.]

To learn more about the differences between the two types of WANGuard Sensor, please consult Chapter 2, How To Choose A Method Of Traffic Capturing (Page 9).

WANGuard Sniff Configuration

When using WANGuard Sniff you must know that, by default, only data packets passing the local machine's network card can be analyzed. Either you deploy the WANGuard Sniff server in-line, or, for network-wide monitoring in switched networks, the use of switches or routers with a so-called monitoring port is required.
[Screenshot: BGP Router Selection window with a "New BGP Router" entry, and the BGP Router Configuration window with the fields Active, Description, IP Address, Password, Enable Password, Autonomous System, AS View, Hostname and Blackhole Password.]

The BGP Router Configuration window contains the following fields:
• Active: The BGP router will be used only if this checkbox is checked.
• Description: A short generic description of the BGP router.
• IP Address: The IP address of the bgpd host. The WANGuardController daemon must be running on the host.
• Password: The password required when connecting to the bgpd daemon.
• Enable Password: Configuration mode password of the bgpd daemon.
• Autonomous System: Autonomous System number used in the bgpd configuration.
• AS View: If multiple AS views are defined in the bgpd configuration, then you must enter which view you want to use for this configuration. It can be left empty if no AS views are used.
• Hostname: The hostname of the bgpd host. The hostname field must be identical with the hostname def
… DrDoS attacks.

WANGuard Sensor Features and Benefits
• Any number of instances can be deployed across the network, and all collected data will be centralized and available through a single web interface that you can quickly access from any location.
• The supported traffic monitoring methods are: Port Mirroring (Switched Port Analyzer (SPAN), Roving Analysis Port), Network TAP, In-line Deployment, Cisco NetFlow and Huawei NetStream.
• You can access various real-time parameters (top talkers, number of IP addresses, top protocols, protocols distribution etc.) about the data flowing through router interfaces and switch ports.
• Provides on-demand MRTG-style traffic graphs for any IP address or IP class in your network, for any time frame. Traffic graphs accuracy can be defined between 5 seconds and 10 minutes.
• WANGuard Sensor is completely scalable and can monitor and generate graphs for hundreds of thousands of IP addresses.
• Detects traffic anomalies and provides per-endpoint flexible threat management tools and an easy-to-use API for configuring the reaction to traffic anomalies:
  o activate WANGuard Filter for DoS, DDoS, DrDoS mitigation or additional threat information
  o alert the NOC Staff by email using user-defined email templates
  o send custom syslog messages to remote log servers
  o send BGP announcements for blackholing targeted endpoints
  o execute custom scripts that extend the built-in capabilities, such as
[Screenshot residue: WANGuard Flow Selection with the entries "NetFlow Router" and "New WANGuard Flow".]

WANGuard Filter Setup

WANGuard Filter can be deployed in-line, or it must have access to an iBGP router that can be used to divert the malicious traffic towards the server running it. For sending iBGP announcements, WANGuard Filter uses the free, open-source quagga or zebra routing software. For more information about configuring quagga or zebra and your network devices for traffic diversion, please consult Appendix 3, Configuring Traffic Diversion (page 99). Keep in mind that our support team can help you with any configuration issues.

This chapter describes how to add, configure and delete WANGuard Filter systems through WANGuard Console. If you don't plan to use WANGuard Filter, you can skip this chapter.

[Screenshot: Setup menu with the entries Actions, BGP Routers, IP Graphs, IP Zones, Users, WANGuard Filter > Configuration / Whitelists, and WANGuard Sensor.]

WANGuard Filter Configuration

The WANGuard Filter Selection window lets you select which WANGuard Filter system you wish to edit or delete. To add a new WANGuard Filter system, select New WANGuard Filter and then click <Next>. If no WANGuard Filter system was previously configured, then the WANGuard Filter Selection form will have only the option to add a new WANGuard F
49. For configuring Cisco switches, please consult "Catalyst Switched Port Analyzer (SPAN) Configuration Example" on http://www.cisco.com/warp/public/473/41.html. To configure TAPs or other devices that support port mirroring, please consult the producer's documentation. The WANGuard Sniff Selection window lets you select which WANGuard Sniff system you wish to edit or delete. To add a new WANGuard Sniff system, select New WANGuard Sniff and then click <Next>. If no WANGuard Sniff system was previously configured, then the WANGuard Sniff Selection form will have only the option to add a new WANGuard Sniff system. [Screenshot: WANGuard Sniff Selection, with "New WANGuard Sniff" and a Next button.] [Screenshot: WANGuard Sniff Configuration form with fields Active, Description, IP Address, Network Interface, VLAN Support, MAC Filter (Source, Destination), IP Validation, Direction, Top, Graph Data Path (/opt/wanguard/rrd), Graph Color Inbound (0033CC), Graph Color Outbound (CC0000), IP Zo
50. GP Logs (Page 87). Traffic Accounting and Graphing. This chapter describes how to generate advanced traffic graphs and traffic accounting reports from data collected by WANGuard Sensor systems. For an easier but more limited access to traffic graphs and accounting reports, you can use the Reports View (Page 69). IP Traffic Graphs Setup. To configure IP traffic graphs parameters, select IP Graphs from the Setup menu. [Screenshot: IP Graphs Parameters form, with Graphing Interval (5 minutes), three Averages rows pairing an averages interval (minutes or hours) with a retention interval (days, 1 month, 1 year), Data Units (Inbound Bits, Outbound Bits, Inbound Packets, Outbound Packets), Aggregation (Minimum, Maximum, Average) and a Change Parameters button.] By default, every WANGuard Sensor stores IP graphing data with 5-minute averages for 7 days, 15-minute averages for 1 month and 2-hour averages for 1 year. The default graphing interval is 5 minutes. If you do not change the default parameters, every IP for which you enabled graphing will require 603 kbytes of storage on the WANGuard Console's file system. The Graphing Interval specifies the granularity of t
51. Guard Sensor graphs, you must fill the form below after selecting WANGuard Sensor Graphs from the Reports menu. [Screenshot: WANGuard Sensor Graphs form, with From/Until date selectors, a WANGuard Sensor(s) list (Peering SPAN, R12000 SPAN, LAN Switch VLAN 900, NetFlow Router WAN Interface, NetFlow Router LAN Interface), a Sum Multiple Sensors checkbox, Data Unit (Packets), Graph Size (500x140) and Aggregation (Maximum).] The WANGuard Sensor Graphs form fields: From / Until: Enter the desired time frame. WANGuard Sensor(s): Contains all configured WANGuard Sensor systems. Select the WANGuard Sensor that captured the traffic you're interested in. Multiple selections can be made by holding the Control key. Sum Multiple Sensors: If unchecked, each WANGuard Sensor generates a different traffic graph. If checked, all selected WANGuard Sensors generate a single traffic graph that contains all traffic data. Data Unit: Select the traffic parameter the graph will represent. Bits: The bits/second throughput recorded by WANGuard Sensor. Bytes: The bytes/second throughput recorded by WANGuard Sensor. Packets: The packets/second throughput recorded by WANGuard Sensor. IPs: The number of unique IP a
52. [Screenshot: WANGuard Flow Selection, with "New WANGuard Flow" and a Next button.] [Screenshot: WANGuard Flow Configuration form with fields Active, Description, IP Address / Port, Flow Exporter IP, SNMP Community, SNMP Index / Description, Graph Color Inbound / Outbound, Action, Sampling (1/n), Accuracy (10 seconds), IP Validation, AS Validation, Top, Graph Data Path (/opt/wanguard/rrd), IP Zone (Public IPs), Details, and an Add WANGuard Flow button.] The WANGuard Flow Configuration window contains the following fields: Active: WANGuard Flow is automatically activated by the WANGuardController daemon if the Active checkbox is checked. If the Active checkbox is unchecked and the WANGuard Flow system is running, then the WANGuardController daemon stops it. Description: A short, generic description that helps you identify the WANGuard Flow system. IP Address / Port: The IP address of the network interface that receives the flows and the port
53. S.R.L. The information contained in this document is subject to change without notice. If you find any problems in the documentation, please report them to us in writing. ANDRISOFT S.R.L. will not be responsible for any loss, costs or damages incurred due to the use of this documentation. WANGuard Platform is a SOFTWARE PRODUCT of ANDRISOFT S.R.L. ANDRISOFT and WANGuard Platform are trademarks of ANDRISOFT S.R.L. Other company, product or service names may be trademarks or service marks of others. ANDRISOFT S.R.L., Str. Lunei L30, Ap. 11, 300109 Timisoara, Timis, Romania; phone 40721250246; fax 40256209738; Sales: sales@andrisoft.com; Technical Support: support@andrisoft.com; Website: http://www.andrisoft.com. Copyright ANDRISOFT S.R.L. 2008. All rights reserved. Table of Contents: 1. Traffic Monitoring & Accounting, DoS/DDoS Detection & Protection with WANGuard Platform ... 5; Why WANGuard Platform Is Important ... 5; What WANGuard Platform Can Do For You ... 5; WANGuard Platform (entry partly unreadable) ... 6; WANGuard Sensor ... 6; WANGuard Filter ... 7; WANGuard Console ... 8; 2. How To Choose A Method Of Traffic Capturing ... 9; Supported Traffic Capturing Methods
54. all IP classes extracted from existing IP Zones. When you click an IP class, the right side of the Reports View will contain two tabbed areas, as you can see in the screenshot below. The Traffic Graphs area contains graphs with traffic parameters generated for the selected host or network. The Traffic Accounting area contains a traffic accounting report generated for the selected host or network. [Screenshot: WANGuard Console 3.0 Reports View in Mozilla Firefox, Traffic Accounting tab for 80.95.128.1/32 on R12000 SPAN, Timeframe "Last 3 Days"; the left side lists WANGuard Sensors (Peering SPAN, R12000 SPAN, LAN Switch VLAN 900, NetFlow Router) and IP Descriptions (Branch Office, Corporate Network, Customer 1, Customer 1 WAN, Customer 2, Customer Service). The accounting table has Inbound Traffic and Outbound Traffic columns (Avg Packets/s, Avg Bits/s, Total Packets, Total Bits); the row for 2008-10-25 reads inbound 0.1k, 696.2k, 6.0M, 54.5G and outbound 0.0k, 47.9k, 1.4M, 3.9G, and the TOTAL row repeats these as AVG/SUM values.] Inbound Traffic / Outbound Traffic: Avg Packets/s, Avg Bits/s, Total Packets, Total Bit
55. amic Parameters (Page 96). The To field can contain any number of email addresses, separated by comma, where notification emails will be sent. The To field can also contain the attacker_whois Dynamic Parameter. The attacker_whois parameter will be replaced with the ISP contact email addresses of the attacker, extracted from the whois database (RIPE, ARIN, APNIC, AfriNIC, LACNIC). To use the attacker_whois parameter correctly, you must first ensure that the attack pattern has the ip type, by using Conditional Parameters to check if Filter Type equals ip. In case of spoofed attacks, the Filter Type parameter will be different and the Module will not be executed. WANGuard Filter generates a traffic sample log for every attack pattern it detects. Sometimes attack patterns are not active enough for the traffic sample log to be generated. To prevent sending emails that don't include a full traffic sample log, you must do the following: send the notification emails in the Polling branch instead of the Beginning branch; use Preconditions to verify that the traffic sample log has been generated, by checking if Filter Traffic Sample Size is bigger than zero. Select the RunOnce checkbox to only allow the module to be executed one time per attack pattern. If you do not check this checkbox, emails will be sent every 5 seconds. A configuration example of th
56. and a colored box with the Graph Color Inbound configured for the interface. IPs: The number of unique IP addresses detected making traffic through the interface. Only your network's IP addresses are counted. Pkts/s Inbound / Outbound: The packets/second throughput after validation and filtering. Only the traffic passing the interface is analyzed. Bits/s Inbound / Outbound: The bits/second throughput after validation and filtering. Only the traffic passing the interface is analyzed. Flows/s: The rate of flows that contain traffic passing the interface. Flows Delay: Because traffic data must be aggregated, NetFlow devices export flows with a certain configured delay. Some devices export flows much later than the configured delays, and this field contains the maximum flows delay detected by WANGuard Flow. WANGuard Flow cannot run with delays over 5 minutes. To minimize the RAM usage and improve the performance of the WANGuard Flow process, the flows must be exported as soon as possible. Active WANGuard Filter Systems Table: The Active WANGuard Filter Systems table displays the latest system information collected from the active WANGuard Filter systems. If there are no WANGuard Filter systems configured, then this table is not displayed. If there are no WANGuard Filter systems activated, then the table has no records. For active WANGuard Filter systems, the table has the following f
57. ardsensor_max_pps: The maximum packets/second throughput recorded by WANGuard Sensor in the anomalous traffic.
24. WANGuard Sensor Peak Bits/s (Number), wanguardsensor_max_bps: The maximum bits/second throughput recorded by WANGuard Sensor in the anomalous traffic.
25. WANGuard Sensor Total Packets (Number), wanguardsensor_total_packets: The number of packets recorded by WANGuard Sensor in the anomalous traffic.
26. WANGuard Sensor Total Bits (Number), wanguardsensor_total_bits: The number of bits recorded by WANGuard Sensor in the anomalous traffic.
27. WANGuard Filters Pkts/s (Number), wanguardfilters_pps: The latest packets/second throughput recorded by active WANGuard Filter(s) in the anomalous traffic.
28. WANGuard Filters Bits/s (Number), wanguardfilters_bps: The latest bits/second throughput recorded by active WANGuard Filter(s) in the anomalous traffic.
29. WANGuard Filters Max Pkts/s (Number), wanguardfilters_max_pps: The maximum packets/second throughput recorded by active WANGuard Filter(s) in the anomalous traffic.
30. WANGuard Filters Max Bits/s (Number), wanguardfilters_max_bps: The maximum bits/second throughput recorded by active WANGuard Filter(s) in the anomalous traffic.
31. Filtered Packets (Number), wanguardfilters_filtered_packets: The number of packets filtered by active WANGuard Filter(s).
32. Filtered Bi
58. at IP class is set to Yes. IP Traffic Accounting: WANGuard Console can generate on-demand IP traffic accounting reports for every host, IP class or IP classes that share the same IP Description, for any time frame. To generate an IP traffic accounting report, select IP Traffic Accounting from the Reports menu and then select one of the two available options. [Screenshot: Reports menu with IP Traffic Accounting (By IP Description, By IP Subnet), IP Traffic Graphs, Protocols Distribution, WANGuard Sensor Tops, WANGuard Sensor Graphs and WANGuard Flow ASN Graphs.] The first option generates IP traffic accounting reports for IP addresses or IP classes that have the IP Description you select. The second option generates IP traffic accounting reports for the entered IP address or IP class. The following fields are common for both options: From / Until: Enter the desired time frame. WANGuard Sensor(s): Contains all configured WANGuard Sensor systems. Select the WANGuard Sensor that captured the traffic you're interested in. Multiple selections can be made by holding the Control key. By IP Description: By selecting this option, you can generate traffic accounting reports for IP addresses or IP classes that have the selected IP Description.
59. (unreadable entry) ... 19; IP Traffic Accounting ... 80; By IP Description ... 80; (unreadable entry) ... 81; (unreadable entry) ... 82; Protocols Distribution Graphs ... 82; WANGuard Sensor Tops ... 83; WANGuard Sensor Graphs ... 84; WANGuard Flow ASN Graphs ... 85; (unreadable entry) ... 86; Anomalies Logs ... 86; BGP Logs ... 87; Events Log ... 88; (unreadable entry) ... 88; (unreadable entry) ... 89; (unreadable entry) ... 90; (unreadable entry) ... 90; (unreadable entry) ... 91; (unreadable entry) ... 91; AS Information ... 91; IP Information ... 91; IP Protocols ... 91; Subnet Calculator ... 91; TCP & UDP Ports ... 91; About ... 91; 15. Appendix 1: Configuring NetFlow Data Export ... 92; Configuring NDE on an IOS Device ... 92; Configuring NDE on a CatOS Device ... 93; Configuring NDE on a (unreadable) ... 94; Configuring NDE on a 4000 Series (unreadable) ... 94; Configuring NDE on a Juniper Router ... 94; 16. Appendix 2: Conditional & Dynamic Parameters ... 96; 17. Appendix 3: Configuring Traffic Diversion
60. ccess to ping, whois, traceroute and telnet commands. IP information is contained in an internal database that contains IP ranges, Country codes and Autonomous System information. IP Protocols: The IP Protocols window provides access to a table that contains descriptions for all available IPv4 protocols. Subnet Calculator: The Subnet Calculator lets you see and calculate network masks, CIDR, broadcast addresses, number of hosts and IP ranges for subnets. TCP & UDP Ports: The TCP & UDP Ports window provides access to a table that contains name, description, service, common servers and common clients for well-known TCP and UDP port numbers. About: The About window provides information about the WANGuard version and license. The license key can be changed from this window. Appendix 1: Configuring NetFlow Data Export. This appendix is a brief guide to setting up the NetFlow data export (NDE) on Cisco and Juniper routers or intelligent Cisco Layer 2 / Layer 3 / Layer 4 switches. If you have problems with the configuration, contact your network administrator or Cisco consultant. For devices that run hybrid mode on a Supervisor Engine (Catalyst 65xx series), it is recommended to configure IOS NDE on the MSFC card and CatOS NDE on the Supervisor Engine. For more information about setting up NetFlow, please visit http://www.cisco.com/go/netflow. Configuring NDE on an IOS Dev
61. ch, during (Polling branch) or at the end (Ending branch) of a traffic anomaly. [Screenshot: Traffic Anomaly Actions, Edit Action, listing the actions "Egress Traffic Anomaly", "Ingress Traffic Anomaly" (Beginning: 2 actions) and "Protect Gigabit Link" (Polling: 1 action) with their Beginning/Polling/Ending branches, and a WANGuard Sensor Email module with Priority 5 (order of execution), Preconditions (Parameter / Operand), Description "Inform NOC by email", To noc@isp.com, CC security@isp.com, Subject "New traffic anomaly towards ip description detected", and a body template that greets the reader and reports, through Dynamic Parameters, the WANGuard Sensor description, the attacked IP and its description, the maximum packets/second and bits/second, the start time, the action taken and the traffic sample log; Change WANGuard Sensor Email and Delete WANGuard Sensor Email buttons.] The Subject and Body fields can contain any number of WANGuard Sensor Dynamic Parameters. Dynamic Parameters are explained at the beginning of the chapter. A complete list of Dynamic Parameters available can be found in Appendix 2, Conditional & D
62. contains the number of seconds of inactivity required for the deletion of an attack pattern. If set to 0, then no detected attack pattern is deleted until the attack stops and WANGuard Filter becomes inactive. Usually an attack pattern is associated with a filter (see Filtering Policy below). BGP Router: The BGP Router field provides a selection of currently defined BGP Routers that may be used for traffic diversion. When activated, WANGuard Filter sends a BGP announcement through the selected BGP router. The WANGuard Filter system will then become next hop for the attacked IP address. When the attack ends, WANGuard Filter automatically deletes the BGP announcement and the traffic towards the IP address will be routed normally. For more information about defining BGP Routers, please consult the BGP Router Setup chapter (Page 61). If the WANGuard Filter system is deployed in-line, or you don't plan to use traffic diversion, you can leave the Router field set to None. Filtering Policy: The Filtering Policy lets you select what actions WANGuard Filter will take when it detects an attack pattern. An attack pattern is formed by malicious packets that share some common Layer 3, Layer 4 or Layer 5 fields. When an attack comes from a non-spoofed IP address, the attack pattern is the source IP address of the attacker. In case of a spoofed attack, the attack pattern could be the source TCP or UDP port, the destination TCP or UDP port, IP pr
63. cted endpoints and networks increases. All WANGuard Platform components can be installed on a single server if enough resources are provided (RAM, CPU, Disk Space, Network Cards). You can also install the components on multiple servers distributed across your network. WANGuard Sensor System Requirements for 1 Gigabit Network Interface (columns: WANGuard Sniff 3.1 / WANGuard Flow 3.1):
Architecture: x86 32 or 64 bit / x86 32 or 64 bit
CPU: 1 x Pentium IV 2.0 GHz / 1 x Pentium IV 1.6 GHz
Memory: 500 MBytes / 2 GBytes
Network Cards: 1 x Gigabit Ethernet with NAPI support (rest of cell unreadable) / 1 x Fast Ethernet
Operating System: Linux 2.6.x kernel / Linux 2.6.x kernel
Installed Packages: tcpdump, WANGuard Sensor 3.1, WANGuard Controller 3.1 (cells partly unreadable) / WANGuard Sensor 3.1, WANGuard Controller 3.1
Disk Space: 5 GB including OS / 5 GB including OS
When using WANGuard Flow, network devices must be configured to send NetFlow version 5 data packets to the server. For detailed instructions on how to enable NetFlow on your network devices, please consult the vendor's website. Some examples are included in Appendix 1, Configuring NetFlow Data Export (page 92). When using WANGuard Sniff, you must know that by default only data packets passing the local machine's network card can be analyzed. Either you deploy the WANGuard Sniff server in-line or, for network-wide monitoring, in
64. d new users. To manage WANGuard Console users, you must select Users from the Setup menu. A list of existing users will be displayed. To view additional information about a user, you must click the first icon in the first column. To change user passwords or to edit user details, you must click the second icon in the first column. To delete a user, you must click the third icon in the first column. [Screenshot: WANGuard Console Users list with Search, columns Username, Full Name, Company, Default View, an Add button and paging (Page 1 of 1, Records 1).] To add a new user, click the <Add> button. Fill the following fields and click the <Save> button to add the new user. [Screenshot: user form with ID, Username, Password, Role (Administrator), Full Name, Email, Title, Phone, Department, Company, Events Verbosity (DEBUG), Reports View; Save, More and Cancel buttons.] The Username and Password fields are mandatory. Enter unique names for users. Currently there are two available access levels (Roles) for users: Normal U
65. ddresses detected making traffic. Usually a spike in the graph means that an IP class scan was performed. Only your network's IP addresses are counted. Received packets or flows: For WANGuard Sniff, it represents the rate of received packets before validation or filtering occurs. For WANGuard Flow, it represents the rate of received flows before validation or filtering occurs. Dropped packets or flows: For WANGuard Sniff, it represents the rate of packets dropped in the capturing process. When the number is high, it indicates a performance problem located in the network card, in the network card's driver or in the CPU. It may also mean a bad WANGuard Sniff installation. For WANGuard Flow, it represents the rate of flows dropped in the flow receiving process. When the number is high, it indicates a network problem between the flow exporter and the WANGuard Flow system, or a bad WANGuard Flow installation. Unknown packets or flows: For WANGuard Sniff, it represents the rate of discarded packets caused by validation or filtering. For WANGuard Flow, it represents the rate of discarded flows caused by validation or filtering. Graph Size: Select the size of the graph. Aggregation: Select the aggregation procedure for the graph: MINIMUM, MAXIMUM or AVERAGE. If you are interested in traffic spikes, select the MAXIMUM aggregation type. If you are interested in average values, select the AVERAGE aggregation type. If you are interested in low traffic va
66. e WANGuard Filter. After a new WANGuard Filter system is added, the WANGuard Filter Selection window is updated. If there is a green OK sign on the right of the WANGuard Filter, then the WANGuard Filter system can be used. If there is a red X sign instead, then the WANGuard Filter is inactive. [Screenshot: WANGuard Filter Selection listing "DDoS Filtering" and "New WANGuard Filter".] WANGuard Filter Whitelists: A WANGuard Filter Whitelist is a collection of user-created rules that prevents the filtering of critical traffic types. If the filtering policy permits, WANGuard Filter may filter attack patterns that should not be filtered. WANGuard Filter filters destination ports and destination IP addresses only in worst-case scenarios, when no other attack pattern is detected. In some cases it's better to let the malicious traffic enter the network than to filter some critical destination IPs and destination ports. For example, if your DNS server is being attacked by spoofed addresses on port 53 UDP, then WANGuard Filter might filter port 53 UDP traffic towards your DNS server, making your DNS partially unreachable. In this case it's best to configure a Whitelist that will prevent this behavior. To configure WANGuard Filter Whitelists, yo
67. e traffic towards your network. The network interface name must use the network interface naming conventions of the Linux operating system: eth0 for the first interface, eth1 for the second, eth0.900 for the first interface with VLAN 900, and so on. If VLANs are used, then you should configure them first using the vconfig command. Outbound Interface: The cleaned traffic is sent to a downstream router through this network interface. The default gateway must be reachable through this interface. If GRE or IP-over-IP tunneling is required, then you must first configure a virtual network interface with the ip command (part of the iproute2 package). Monitor Interface: This switch configures the interface monitored by WANGuard Filter. Inbound: WANGuard Filter analyzes the traffic passing the inbound interface. The advantage is that the generated statistics are accurate, because WANGuard Filter analyzes all traffic. The disadvantage is that CPU usage is higher, because WANGuard Filter continuously inspects malicious packets even if they are being filtered. Outbound: WANGuard Filter analyzes the traffic passing the outbound interface. The advantage is that the CPU usage is lower, because malicious packets are not forwarded through the outbound interface and are not being analyzed. The disadvantage is that the attack statistics are not entirely accurate. Filters Timeout: This field
68. ed by the activated WANGuard Filter. Filter Peak Bits/s: The maximum bits/second throughput recorded by the activated WANGuard Filter. Latest Filter Pkts/s: Most recent packets/second throughput recorded by the activated WANGuard Filter. Latest Filter Bits/s: Most recent bits/second throughput recorded by the activated WANGuard Filter. Start Time: The date and time when the WANGuard Filter system was activated. Stop Time: The date and time when the WANGuard Filter system was stopped. Peak CPU: The maximum CPU percent used by the WANGuard Filter process. Stats Logs: Statistics Logs contain traffic statistics recorded by WANGuard Platform components. New rows are inserted every 5 seconds, so expect lots of records. These logs are used only for debugging purposes and are not documented in this manual. Help Menu. Contextual Help: The Contextual Help provides direct access to the WANGuard Platform User Guide. Depending on the context, the User Guide will open at the chapter describing the active window. If the Contextual Help does not work, please install Adobe PDF Reader on your computer. AS Information: The AS Information windows provide access to an on-line ASN database (RIPE, ARIN, APNIC) and to a local ASN database. IP Information: The IP Information windows provide details about IP addresses and domains, as well as web-based a
69. (unreadable entry) ... 9; Port Mirroring, Switched Port Analyzer (SPAN), Roving Analysis Port, Network TAP, In-line deployment ... 9; How Port Mirroring / Network TAP / In-line Deployment works ... 10; Reasons to choose Port Mirroring / Network TAP / In-line Deployment ... 10; NetFlow Monitoring ... 10; How NetFlow Monitoring Works ... 10; Reasons to choose NetFlow Monitoring ... 11; Comparison between Packet Sniffing and NetFlow Monitoring ... 11; (unreadable entry) ... 12; System Requirements ... 12; WANGuard Sensor System Requirements for 1 Gigabit Network Interface ... 12; WANGuard Filter System Requirements for 1 Gigabit Network Interface ... 13; WANGuard Console System Requirements for <5 WANGuard Sensors and WANGuard Filters ... 14; (unreadable entry) ... 14; (unreadable entry) ... 15; 4. Network Basics You Should Be Aware Of ... 16; Who Should Read (rest unreadable) ... 16; A Short Introduction To IP Addresses & Classes
70. ensure the immediate identification and termination of this malicious activity. It may be that the computer involved has been compromised. Please confirm that this matter has been addressed and the appropriate action taken. Attack log: [Screenshot continues; Change WANGuard Filter Email and Delete WANGuard Filter Email buttons.] The emails are sent through the local SMTP server (sendmail, postfix, qmail etc.) of the WANGuard Console system, using the perl Mail::Send module. By default the sender will be <WANGuard@localhost.localdomain>. For sender customizations (From field), please consult your SMTP server documentation. Emails sent by this module are recorded in the Attack Patterns Log (Page 89). WANGuard Filter Script Action Module: This module is used by WANGuard Filter to execute custom scripts written in any Linux-compatible scripting language (bash, perl, ruby, python etc.). C and C++ programs or Linux commands can also be executed. The scripts can be executed at the beginning (Beginning branch), during (Polling branch) or at the end (Ending branch) of an attack pattern. Scripts can access WANGuard Sensor and WANGuard Filter Dynamic Parameters through command-line parameters (options). Dynamic Parameters are explained at the beginning of the chapter. A complete list of Dynamic Parameters available can be found in Appendix 2, Conditional & Dynamic Parameters (Page 96).
71. es. To prevent clutter, you can click each section's header to minimize or maximize the section. WANGuard Sensors Section: When you click a WANGuard Sensor description or interface, the right side of the Reports View will contain two tabbed areas, as you can see in the screenshot below. The Traffic Graphs area displays graphs containing traffic parameters generated by the selected WANGuard Sensor. [Screenshot: WANGuard Console 3.0 Reports View in Mozilla Firefox, Traffic Graphs tab with Timeframe "Last Week", Graphs Size 700x140, Aggregation AVERAGE and a Refresh button, showing a Packets/s graph for NetFlow Router WAN Interface (inbound and outbound, Thu through Sun, scale 0 to 8k). The left side lists WANGuard Sensors (Peering SPAN, R12000 SPAN, LAN Switch VLAN 900, NetFlow Router with WAN Interface and LAN Interface), IP Descriptions (Branch Office, Corporate Network, Customer 1, Customer 1 WAN, Customer 1 WEB, Customer 2, Customer Service, Customers, DMZ, DMZ SMTP Cluster, DNS, Email, Enterprise Services, Internal Network, Local Clients, Network Equip, Office Building, Remote Clients) and IP Addresses (10.0.0.0/8, 192.168.0.0/16, 192.31.0.0/16, 80.95.128.0/18, 81.94.128.0/20, 81.95.124.0/24).]
72. (unreadable entry) ... 16; (unreadable entry) ... 16; (unreadable entry) ... 17; (unreadable entry) ... 18; 5. Getting Started with WANGuard Platform ... 19; (unreadable entry) ... 19; (unreadable entry) ... 19; (unreadable entry) ... 19; (unreadable entry) ... 20; (unreadable entry) ... 20; (unreadable entry) ... 20; Opening WANGuard Console for the first time ... 20; A First Look at the Systems (rest unreadable) ... 21; Managing WANGuard Console Users ... 22; 6. (unreadable entry) ... 25; Understanding (rest unreadable) ... 25; Adding New (rest unreadable) ... 25; Action Renaming (rest unreadable) ... 26; Adding New Action Modules ... 27; Action Modules Common Fields, Conditional & Dynamic Parameters ... 27; WANGuard Filter Enabler Action Module ... 28; BGP Announcement Action Module ... 28; WANGuard Sensor Email Action Module ... 29; WANGuard Sensor Script Action Module ... 30; WANGuard Sensor Syslog Action Module ... 30; WANGuard Filter Email Action Module ... 31; WANGuard Filter Script Action Module ... 32; WANGuard Filter Syslog Action Module ... 33; 7. IP Zones (rest unreadable) ... 35; Unders
f will monitor both inbound and outbound traffic. Using this option generates a minor performance penalty under very high loads.
  - Inbound: WANGuard Sniff will only monitor inbound traffic.
- Top: This checkbox lets you choose whether you want WANGuard Sniff to sort the traffic statistics for top-like visualizations. It is recommended to leave it on, because the performance penalty is extremely low.
- Graph Data Path: This field contains the path on the WANGuard Console server where the traffic graph data collected from the WANGuard Sniff system is stored. It is safe to save the graph data of multiple WANGuard Sensors in the same path. If you set the data path on a larger partition, in RAM with tmpfs, etc., make sure that the wanguard user has write privileges there.
- Graph Color Inbound: Here you can select the color shown on graphs for the inbound traffic of the current WANGuard Sniff. By default a random color is chosen. To change the color you can enter it as an HTML Color Code, or select it manually by pressing the < > button.
- Graph Color Outbound: Here you can select the color shown on graphs for the outbound traffic of the current WANGuard Sniff. By default a random color is chosen. To change the color you can enter it as an HTML Color Code, or select it manually by pressing the < > button.
- IP Zone
facturer devices supporting WANGuard Flow are: Cisco Systems 1400, 1600, 1700, 2500, 2600, 3600, 4500, 4700, AS5300, 5800, 7200, 7500, Catalyst 4500, Catalyst 5000, 6500, 7600, ESR 10000, GSR 12000; Juniper; Extreme Networks; Huawei; 3COM; and others.

Installation

WANGuard Platform can be installed on common server hardware, provided that the system requirements listed later in this chapter are met. If you have some basic Linux operation skills then no training is required for the software installation. Feel free to contact our support team for any issues.

Installing WANGuard Platform does not generate any negative side effects on your network's performance. Installation and configuration may take less than an hour; after that your network will be monitored and protected immediately. No baseline data gathering is required.

System Requirements

WANGuard Platform 3.1 has been tested with the following Linux distributions:
- Red Hat Enterprise Linux 5.0 (commercial Linux distribution)
- CentOS 4.0, 5.0, 5.1, 5.2 (free Red Hat Enterprise Linux based distribution)
- OpenSuSE 10.3 (free Novell Enterprise Linux based distribution)
- Debian Linux 4.0 (free community supported distribution)
Other distributions should work but haven't been tested yet.

The WANGuard Platform architecture is completely scalable. By installing the software on better hardware the number of monitored and prote
[Screenshot: IP Zone Configuration for the IP Zone "Private Network": inbound and outbound traffic thresholds for 192.168.1.0/24 (Traffic Protocol, Threshold Value, Inheritance columns; packets/s and bits/s per protocol, with 192.168.0.0/16 Internal Network shown as the inheritance source), Ingress/Egress Traffic Anomaly actions, and the Parameters table (Accounting, Concurrency, etc.)]

In the image below you can see that a new IP address called Sarah's Computer is added and only the TCP Packets/second, Outbound Action, Accounting, Graphing and Description values were changed. The rest of the values from Internal Network propagated to Sarah's Computer because they were not modified. Sarah's Computer IP address is placed in the tree together with the Customer Service IP class, because both are contained in the Internal Network IP class.

[Screenshot: IP Zone Configuration, inbound traffic thresholds for 192.168.2.1/32 (Sarah's Computer) under 192.168.0.0/16 Internal Network in the Private Network IP Zone]
[Screenshot: IP class properties table: Traffic Protocol, Threshold Value (packets/s and bits/s), Inheritance, Accounting, Graphing, with Change Record and Delete Record buttons; Inheritance: none]

The right section will be populated with properties that apply to all IP addresses included in the selected IP class, if the properties are not subsequently overwritten. The Inheritance column shows from which parent IP class the value was inherited. Every IP class has the following properties:

- Inbound and Outbound Traffic Thresholds: Contains traffic thresholds for any IP address included in the selected IP class. When a traffic threshold is reached, WANGuard Sensor generates a traffic anomaly alarm that is displayed in the Security View (page 72), recorded in the Archive (page 86), and the selected inbound or outbound Action is executed. Inbound traffic describes the traffic coming towards your network and outbound traffic describes traffic sent by your network. WANGuard Sensor checks packets/second and bits/second threshold values for 5 types of traffic:
  - TCP: describes all traffic that uses the TCP protocol (HTTP, HTTPS, IMAP, POP3, FTP, SSH, etc.)
  - TCP SYN: describes TCP packets with the SYN flag set and the ACK flag not set (useful for SYN flood detection)
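To make the inheritance and threshold behaviour described above concrete, here is an added example in Python (not WANGuard code): a constructed IP Zone whose classes mirror the ones in the screenshots, a lookup that resolves each threshold the way the Inheritance column does, and a check that reports which thresholds an observed rate would trip. The class layout, the threshold values and the convention that None means "Unlimited" are constructed assumptions.

```python
"""Effective thresholds in an IP Zone tree, resolved through parent IP classes,
plus the threshold check that raises a traffic anomaly alarm.
Constructed example, not WANGuard code: class layout and values are made up."""
import ipaddress

# The five traffic types WANGuard Sensor keeps packets/s and bits/s thresholds for.
TRAFFIC_TYPES = ("TCP", "TCP SYN", "UDP", "ICMP", "OTHER")

# Constructed IP Zone: IP class -> (description, thresholds set explicitly on it).
# Keys are (direction, traffic type, unit); a value of None means "Unlimited".
# Anything not set on a class is inherited from the closest enclosing class.
IP_ZONE = {
    ipaddress.ip_network("0.0.0.0/0"): ("Private Network", {
        ("inbound", "TCP", "pps"): None,           # unlimited at the root
        ("inbound", "TCP SYN", "pps"): 2000,
        ("inbound", "UDP", "pps"): 5000,
    }),
    ipaddress.ip_network("192.168.0.0/16"): ("Internal Network", {
        ("inbound", "TCP", "pps"): 10000,
        ("inbound", "TCP", "bps"): 50_000_000,
    }),
    ipaddress.ip_network("192.168.1.0/24"): ("Customer Service", {}),  # inherits all
    ipaddress.ip_network("192.168.2.1/32"): ("Sarah's Computer", {
        ("inbound", "TCP", "pps"): 1500,           # the one value overridden here
    }),
}


def containing_classes(ip):
    """IP classes that contain `ip`, most specific (longest prefix) first."""
    addr = ipaddress.ip_address(ip)
    nets = [net for net in IP_ZONE if addr in net]
    return sorted(nets, key=lambda net: net.prefixlen, reverse=True)


def effective_threshold(ip, direction, traffic_type, unit):
    """Resolve one threshold the way the Inheritance column does: walk from the
    most specific class upward and take the first class that sets the value.
    Returns (value, description of the class it came from); None = unlimited."""
    key = (direction, traffic_type, unit)
    for net in containing_classes(ip):
        description, own_values = IP_ZONE[net]
        if key in own_values:
            return own_values[key], description
    return None, "none"  # no class sets it: unlimited, Inheritance shows "none"


def exceeded_thresholds(ip, direction, observed):
    """observed: {(traffic type, unit): rate}. Returns one tuple
    (traffic type, unit, observed rate, threshold, inherited from) per threshold
    that is reached, i.e. each condition under which WANGuard Sensor would
    raise a traffic anomaly alarm and run the selected Action."""
    hits = []
    for (traffic_type, unit), rate in observed.items():
        limit, source = effective_threshold(ip, direction, traffic_type, unit)
        if limit is not None and rate >= limit:
            hits.append((traffic_type, unit, rate, limit, source))
    return hits


if __name__ == "__main__":
    for ip in ("192.168.1.7", "192.168.2.1", "10.1.1.1"):
        for traffic_type in TRAFFIC_TYPES:
            value, source = effective_threshold(ip, "inbound", traffic_type, "pps")
            print(f"{ip:14} inbound {traffic_type:8} pps: {value} (from {source})")
    # Sarah's Computer inherits the 50 Mbit/s TCP limit but has its own 1500 pps one.
    print(exceeded_thresholds("192.168.2.1", "inbound",
                              {("TCP", "pps"): 1600, ("TCP", "bps"): 3_000_000}))
```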
first interface with VLAN 900, and so on.
- MAC Filter: For WANGuard Sniff to distinguish between inbound and outbound traffic it must use at least one of the two techniques available: MAC filtering or IP Validation (next parameter). The MAC Filter, together with the Source/Destination switch, allows WANGuard Sniff to validate the inbound traffic and the outbound traffic. The MAC Filter should contain the MAC address of the upstream router with the Source switch on, or the MAC address of the downstream router with the Destination switch on. The MAC address must be written using the Linux convention: six groups of two hexadecimal values separated by colons.
- IP Validation: For WANGuard Sniff to distinguish between inbound and outbound traffic it must use at least one of the two techniques available: MAC filtering (previous parameter) or IP Validation. The IP Validation parameter has three options:
  - Off: Disables IP Validation. Make sure MAC Filter is configured instead.
  - On: WANGuard Sniff will only analyze the traffic that has the source and/or the destination IP address in the selected IP Zone (excluding 0.0.0.0/0).
  - Strict: WANGuard Sniff will only analyze the traffic that has either the source or the destination IP address in the selected IP Zone (excluding 0.0.0.0/0).
- Direction: You can configure the direction of the traffic that should be analyzed by WANGuard Sniff:
  - Inbound & Outbound: WANGuard Snif
ghput recorded for the IP address by WANGuard Sensor.
- Latest Total Bits/s: The latest bits/second throughput recorded for the IP address by WANGuard Sensor.
- Action: The description of the Action executed for this traffic anomaly.
- From Time: The time and date when WANGuard Sensor started the detection of the traffic anomaly.
- Until Time: The time and date when WANGuard Sensor stopped detecting the traffic anomaly.
- Packets: The number of packets recorded by WANGuard Sensor in the anomalous traffic.
- Bits: The number of bits recorded by WANGuard Sensor in the anomalous traffic.
- WANGuard Filters: The number of WANGuard Filter systems activated to mitigate or analyze the traffic anomaly.
- BGP Log: bgpd and zebra commands executed by the BGP Announcement Action Module or by the activated WANGuard Filter systems.
- Traffic Sample: If you are using WANGuard Sniff, this field contains a tcpdump-like log with a sample of 100 packets from the anomalous traffic. If you are using WANGuard Flow, this field is empty.
- Emails: This field contains the contents of the emails sent by the WANGuard Sensor Email Action Module or by the WANGuard Filter Email Action Module.

BGP Logs

BGP Logs contain details about the BGP announcements sent by WANGuard Platform components. Every BGP announcement record contains the following fields:
- Anomaly: The traffic anomaly that generated the BGP announcement. This field is empty if the BGP
he graphs. The highest available granularity value is 5 seconds and the lowest is 5 minutes. When using WANGuard Flow, do not set the Graphing Interval to a lower value than the Accuracy parameter.

When granularity is very high, WANGuard Sensor uses more CPU, the WANGuard Console system becomes more loaded, and the network traffic between WANGuard Sensor and WANGuard Console is increased if the components are not installed on the same server.

The Averages and Intervals values specify the granularity for old data and for how long you want the data to be stored. The Data Units options let you select the traffic parameters that will be stored. The Aggregation options let you select how you want the average values to be consolidated: if you are interested in traffic spikes select the MAXIMUM aggregation type; if you are interested in average values select the AVERAGE aggregation type; if you are interested in low traffic values select the MINIMUM aggregation type.

All the above options have a direct impact on the storage space required on the WANGuard Console file system. The storage space required per IP will be updated when you click the <Change Parameters> button. If you change the graph parameters, make sure you delete the old data from the paths defined in the WANGuard Sensor configurations.

IP Traffic Graphs

WANGuard Console can generate on-demand MRTG-style graphs for every hos
ice. In the configuration mode on the router or MSFC, issue the following to start NetFlow Export. First enable Cisco Express Forwarding:

    router(config)# ip cef
    router(config)# ip cef distributed

and turn on flow accounting for each input interface with the interface command:

    interface
    ip route-cache flow

For example:

    interface FastEthernet0
    ip route-cache flow
    interface Serial2/1
    ip route-cache flow

It is necessary to enable NetFlow on all interfaces through which the traffic you are interested in will flow. Now verify that the router or switch is generating flow stats; try the command:

    show ip cache flow

Note that for routers with distributed switching (GSRs, 75XXs) the RP CLI will only show flows that made it up to the RP. To see flows on the individual linecards, use the attach or if-con command and issue sh ip ca fl on each LC.

Enable the export of these flows with the global commands:

    router(config)# ip flow-export version 5
    router(config)# ip flow-export destination <ip-address> 2000
    router(config)# ip flow-export source FastEthernet0

Use the IP address of your WANGuard Flow server and the configured listening port (UDP port 2000 is used as an example). WANGuard Flow is using NetFlow version 5. The ip flow-export source command is used to set up the source IP address of the exports sent by the equipment.
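The exports configured above are NetFlow version 5 datagrams sent to the collector's UDP port. As an added example in Python (not WANGuard Flow's own code), the following decodes one such datagram, rejects a wrong version or a count/length mismatch, and maps each flow onto the TCP / TCP SYN / UDP / ICMP / OTHER classes the manual's thresholds use. The sample datagram, its addresses and its AS numbers are constructed.

```python
"""Decode one NetFlow v5 export datagram the way a collector listening on the
port configured above (UDP 2000 in the manual's example) has to, and map each
flow onto the five traffic types WANGuard Sensor keeps thresholds for.
Added example, not WANGuard Flow's own code; the datagram is constructed."""
import struct
import ipaddress

# NetFlow v5 wire format: a 24-byte header followed by `count` 48-byte records,
# all fields big-endian.
HEADER = struct.Struct("!HHIIIIBBH")                 # 24 bytes
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48 bytes
TCP_SYN, TCP_ACK = 0x02, 0x10
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17


def traffic_type(proto, tcp_flags):
    """The manual's classes: TCP SYN is SYN set and ACK clear (the SYN-flood
    case); other TCP, UDP and ICMP are their own classes; the rest is OTHER."""
    if proto == PROTO_TCP:
        syn_only = (tcp_flags & TCP_SYN) and not (tcp_flags & TCP_ACK)
        return "TCP SYN" if syn_only else "TCP"
    return {PROTO_UDP: "UDP", PROTO_ICMP: "ICMP"}.get(proto, "OTHER")


def parse_netflow_v5(datagram):
    """Return (header, records). Rejects anything that is not a well-formed
    v5 datagram, so a misconfigured exporter (v9, truncated UDP) is noticed
    rather than silently producing nonsense flows."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    (version, count, uptime_ms, unix_secs, unix_nsecs, sequence,
     engine_type, engine_id, sampling) = HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"expected NetFlow version 5, got {version}")
    if count > 30 or len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("record count does not match datagram length")
    header = {"count": count, "sys_uptime_ms": uptime_ms, "unix_secs": unix_secs,
              "flow_sequence": sequence, "engine_id": engine_id,
              "sampling_interval": sampling & 0x3FFF}
    records = []
    for i in range(count):
        (src, dst, nexthop, ifin, ifout, pkts, octets, first, last, sport, dport,
         _pad1, flags, proto, tos, src_as, dst_as, smask, dmask,
         _pad2) = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        # `first`/`last` are router uptime in ms; a single-packet flow has
        # first == last, so clamp the duration to avoid division by zero.
        duration_s = max(last - first, 1) / 1000.0
        records.append({
            "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "src_port": sport, "dst_port": dport, "proto": proto,
            "type": traffic_type(proto, flags), "src_as": src_as, "dst_as": dst_as,
            "packets": pkts, "bytes": octets,
            "pps": pkts / duration_s, "bps": octets * 8 / duration_s,
        })
    return header, records


def build_sample_datagram():
    """Construct a two-flow v5 datagram: a SYN-only TCP flow towards a host in
    the monitored network (dst ASN 0 = our own AS) and a DNS query leaving it."""
    header = HEADER.pack(5, 2, 100_000, 1_200_000_000, 0, 1, 0, 0, 0)
    syn_flood = RECORD.pack(
        ipaddress.IPv4Address("10.0.0.5").packed,
        ipaddress.IPv4Address("192.168.1.10").packed, b"\0\0\0\0",
        1, 2, 5000, 200_000, 1000, 2000, 40000, 80, 0, TCP_SYN, PROTO_TCP, 0,
        3356, 0, 8, 24, 0)
    dns_query = RECORD.pack(
        ipaddress.IPv4Address("192.168.1.10").packed,
        ipaddress.IPv4Address("8.8.8.8").packed, b"\0\0\0\0",
        2, 1, 10, 800, 1000, 1500, 53000, 53, 0, 0, PROTO_UDP, 0,
        0, 15169, 24, 32, 0)
    return header + syn_flood + dns_query


if __name__ == "__main__":
    hdr, flows = parse_netflow_v5(build_sample_datagram())
    print(hdr)
    for flow in flows:
        print(f'{flow["src"]:>15} -> {flow["dst"]:<15} {flow["type"]:8} '
              f'{flow["pps"]:8.0f} pps {flow["bps"]:10.0f} bps')
```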
ich you will control and monitor all other components. If you followed the installation instructions correctly, from now on you will only need to log into WANGuard Console to manage the components.

To log into WANGuard Console, use a compatible web browser (listed on page 14) and access http://<hostname>/wanguard, where <hostname> is the name of the server where WANGuard Console is installed. If the page cannot be displayed, make sure the Apache web server is running and the firewall does not block incoming traffic on port 80. If you haven't licensed WANGuard Platform yet, you will be asked to do so.

[Screenshot: WANGuard Platform 3.0 Licensing page with two options: use the /opt/wanguard/etc/wanguard.key file found on the server, or enter the license key in the input field]

Licensing will be successful only if you have previously installed, configured and started the WANGuardController daemon. You can add a license key by two methods: you can either copy the wanguard.key file we sent you by email into /opt/wanguard/etc, or you can paste the file's content directly in the input field. The license key contains encrypted information about the licensed capabilities of the software. You can upgrade to the Full version (incl. traffic anomalies detection & protection) or downgrade to the Lite version (without traffic anomalies detection a
ies are also represented by a gray background, while outbound anomalies are represented by a white background. If the IP address is clicked then a new window opens with detailed information about reverse DNS, ISP, Country, AS number, etc.
- Description: The description of the IP address, extracted from the WANGuard Sensor's IP Zone.
- Protocol: The traffic type that exceeded the threshold: SYN, TCP, UDP, ICMP, OTHER.
- WANGuard Sensor: The description of the WANGuard Sensor that detected the traffic anomaly.
- Started: The time and date when WANGuard Sensor began the detection of the traffic anomaly.
- Latest Alarm: How much time has passed since the last detection of the traffic anomaly.
- Pkts/s: The latest packets/second throughput for the anomalous traffic.
- Bits/s: The latest bits/second throughput for the anomalous traffic.
- Max Pkts/s: The maximum packets/second throughput reached by the anomalous traffic.
- Max Bits/s: The maximum bits/second throughput reached by the anomalous traffic.
- Action: The description of the Action executed for this traffic anomaly.
- Dropped: The percentage of the anomalous traffic filtered by one or more WANGuard Filter systems.
- Severity: The severity field graphically represents the ratio between the anomalous traffic and the threshold values. Every red bar means 100% of the threshold value. The exact ratio is displayed as a tooltip.

If one o
ilter system.

[Screenshot: WANGuard Filter Selection window with the "New WANGuard Filter" entry and the <Next> button]

[Screenshot: WANGuard Filter Configuration window: Active, Description, IP Address, Inbound Interface, Outbound Interface, Monitor Interface, Filters Timeout (seconds), BGP Router, Filtering Policy, Details, and the <Add WANGuard Filter> button]

The WANGuard Filter Configuration window contains the following fields:
- Active: If the Active checkbox is checked, WANGuard Filter can be activated by the WANGuard Filter Enabler Action Module.
- Description: A short generic description that will help you identify the WANGuard Filter system.
- IP Address: An IP address configured on the machine that must run the selected WANGuard Filter. This field is used only by the WANGuardController daemon for system identification.
- Inbound Interface: The network interface that receives the malicious traffic. If the WANGuard Filter system is deployed in-line then this is the interface that receives th
iltering.
- Received Pkts/s: The rate of received packets before validation and filtering.
- Dropped Pkts/s: The rate of packets dropped in the capturing process. When the number is high it indicates a performance problem located in the network card, in the network card's driver or in the CPU. It may also mean a bad WANGuard Sniff installation.

Active WANGuard Flow Systems Table

The Active WANGuard Flow Systems table displays the latest system information collected from the active WANGuard Flow systems. If there are no WANGuard Flow systems configured then this table is not displayed. The table has the following format:
- Status: If the active WANGuard Flow system is functioning properly then a green check mark is displayed. If WANGuard Console cannot manage or reach the WANGuard Flow system then a red X icon is displayed. In this case make sure that WANGuard Flow is configured correctly, read the Events Log, and make sure that the WANGuardController daemon is running on all systems.
- WANGuard Flow: Displays the description of the WANGuard Flow system.
- Load: The load of the operating system for the last 5 minutes.
- CPU: The CPU percentage used by the WANGuard Flow process.
- Mem: The amount of memory used by the WANGuard Flow process.
- Started: The time and date when the WANGuard Flow process started.
- Interface: The interface description
ined in the bgpd.conf file.
- Blackhole: Check if you need the blackhole feature in quagga or zebra.
- Blackhole password: The password for the zebra or quagga daemons.
- Details: You can use this field to store comments regarding the current BGP router configuration.

After adding a new BGP router, the BGP Router Selection window is updated. If there is a green OK sign on the right of the BGP Router then the BGP Router is active. If there is a red X sign instead then the BGP Router is inactive.

[Screenshot: BGP Router Selection window listing "Route Reflector" and "New BGP Router", with the <Next> button]

To edit or delete an existing BGP router you must select it first and then click the <Next> button.

Views

Views are WANGuard Console windows that display the latest information collected from WANGuard Platform components. Every View displays text and graphical elements using the Ajax technology (Web 2.0), which offers flicker-free web page updates every 5 seconds. To browse through the available Views, click the Views menu and then select Systems View, Reports View, Security View or BGP Operations.

Systems View

The Systems View displays tables with the latest system parameters collected from active WANGuard Platform components.

[Screenshot: WANGuard Console 3.0 Systems View]
ious traffic towards the server running it. The cleaned traffic can be re-injected back into the network using Static Routing or GRE/IPIP tunneling.
- Provides per-endpoint flexible threat management tools and an easy-to-use API for configuring the reaction to attack patterns:
  - alert the NOC staff by email using user-defined email templates
  - alert the ISPs of the attackers via email using user-defined email templates
  - send custom syslog messages to remote log servers
  - execute custom scripts that extend the built-in capabilities, such as:
    - configure ACLs or execute PIX shun commands to filter attack patterns
    - filter attacking IP addresses by executing route blackhole commands
    - send SNMP TRAP messages to SNMP monitoring stations
- Does not require network baseline training or operator intervention after the initial setup.
- Easy and non-disruptive installation on common server hardware.
- The most cost-effective DoS/DDoS/DrDoS protection and traffic policy enforcement solution on the market.

WANGuard Console

WANGuard Console provides a tightly integrated and highly graphical interactive Ajax-based (Web 2.0) interface for all aspects of network traffic monitoring and network protection. Included in WANGuard Console is the advanced graphing engine that provides quick and easy ad hoc graphing functionality. WANGuard Console offers single-point management and reporting by cons
is module is shown in the image below. Emails are automatically sent towards the attackers' ISPs if the attack is not spoofed (first Precondition) and if a traffic sample has been generated (second Precondition).

[Screenshot: Edit Action window for the action "Protect Gigabit Link" (Priority 5): Preconditions "Filter Type equal ip" and "Traffic Sample Size (bytes) greater than 0"; Beginning branch with 2 actions (Inform NOC by email, Email attacker's ISP), Polling branch with 3 actions (Syslog on Logserver, Blackhole attacked IP, Send SNMP Trap), Ending branch with 1 action. The WANGuard Filter Email module is configured with To: attack_whois, BCC: noc@isp.com and a subject/body template built from Dynamic Parameters: "protocol flood from filter_value against ip. This is to inform you that we have detected a DoS attack originating from your network targeted against ip ... attack belongs to you. The flood was detected at filter_first_time GMT using filter_max_pps protocol packets/second. At this time we request that you take action to ..."]
isplays tabbed live traffic graphs, events, WANGuard Sensor and WANGuard Filter information.
- Systems View: Displays a table with live information about all running WANGuard Sensor and WANGuard Filter systems. On the bottom section it displays tabbed live traffic graphs and events.
- Reports View: Displays graphs and reports that contain traffic parameters collected from monitored network links, IP classes and IP Zones. Includes a live top-like network traffic visualizer supporting multiple protocols such as IPv4, TCP SYN, UDP, ICMP, as well as TCP and UDP ports and AS Numbers.
- BGP Operations: BGP Operations lets you manage iBGP and eBGP announcements. Manual removal of BGP announcements is only available to Administrator accounts.

More information about Views is available in the Views chapter (page 64).

Tables

All WANGuard Platform modules store traffic and operational details in a MySQL database. The contents of the database are presented in WANGuard Console in the form of tables with a unified look and feel. Records can be queried using the top-left <Search> button. Sorting can be done by clicking the column name. By default the records are sorted by insertion time, with the latest records displayed first. To prevent clutter and long loading times, the records are listed on multiple pages. You can navigate through the pages with the bottom navigation bu
[Screenshot: Reports View, IP Descriptions section: Timeframe "Last 2 Days", Graphs Size 500x100, bits/s graphs for Customer 1 WEB on LAN Switch VLAN 900 (Inbound Maximum 7.4 Mbits/s, Medium 741.0 kbits/s; Outbound Maximum 261.3 kbits/s, Medium 46.3 kbits/s), on R12000 SPAN (Inbound Maximum 42.4 Mbits/s, Medium 9.2 Mbits/s; Outbound Maximum 9.0 Mbits/s, Medium 224.2 kbits/s) and on NetFlow Router LAN Interface]

IP Addresses Section

This section provides an IP tree that contains
    - configure ACLs or execute PIX shun commands to drop traffic towards targeted endpoints
    - send SNMP TRAP messages to SNMP monitoring stations
    - display the routers that are being transited by the anomalous traffic
- Includes a very flexible billing system for bandwidth-based billing.
- Easy and non-disruptive installation on common server hardware.
- The most cost-effective traffic monitoring and analysis solution on the market.

WANGuard Filter

WANGuard Filter is advanced Linux-based software designed to protect organizations from internal and external threats: availability attacks on DNS, VoIP, Mail and similar services; unauthorized traffic resulting in network congestion; botnet-based attacks; zero-day worm and virus outbreaks. WANGuard Filter includes sophisticated traffic analysis algorithms that are able to detect and filter the attack patterns contained in the malicious traffic, while re-injecting the cleaned traffic back into the network.

WANGuard Filter Features and Benefits

- Quickly see detailed live and historical information about traffic anomalies in your network from any location by accessing WANGuard Console with your web browser.
- Defends against known, unknown and evolving attack patterns. Recognizes and filters malicious traffic in under 5 seconds.
- Does not block (blacklist) valid customer traffic.
- WANGuard Filter can be deployed in-line or out-of-line by diverting the malic
lidation: Flows might contain the source and destination ASN (Autonomous System Number). In most configurations, if the ASN is set to 0 then the IP address belongs to your Autonomous System. AS Validation has three options:
  - Off: Disables AS Validation.
  - On: Only flows that have the source ASN and/or the destination ASN set to 0 are analyzed.
  - Strict: Only flows that have either the source ASN or the destination ASN set to 0 are analyzed.
- Top: This checkbox lets you choose whether you want WANGuard Flow to sort the traffic statistics for top-like visualizations. It is recommended to leave it on, because the performance penalty is extremely low.
- Graph Data Path: This field contains the path on the WANGuard Console server where the traffic graph data collected from the WANGuard Flow system is stored. It is safe to save the graph data of multiple WANGuard Sensors in the same path. If you set the data path on a larger partition, in RAM with tmpfs, etc., make sure that the wanguard system user has write privileges there.
- IP Zone: The IP Zone field provides a selection of the currently defined IP Zones that can be used by WANGuard Flow. If the field has no options then you must first define an IP Zone. For more information about IP Zones please read the previous chapter.
- Details: You can use this field to store comments about the current WANGuard Flow configuration.

In the fol
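The AS Validation options above and the MAC Filter and IP Validation options of WANGuard Sniff (the same Off/On/Strict choices) decide which packets or flows a sensor analyses at all and in which direction it counts them. As an added example in Python (not WANGuard code), the following encodes those rules over a constructed IP Zone and constructed flow records; reading Strict as "exactly one side inside the zone" (so zone-to-zone and fully external traffic are both skipped) and the MAC Filter direction logic are my interpretation of the text, not something the manual confirms.

```python
"""Which traffic a sensor analyses: MAC Filter direction, IP Validation and
AS Validation as the manual describes them. Constructed example, not WANGuard
code; the zone, MAC addresses and flow records below are made up."""
import ipaddress

# Constructed IP Zone. 0.0.0.0/0 is present (zones in the manual have it) but
# is excluded from validation, exactly as the On/Strict text says.
IP_ZONE = [ipaddress.ip_network("0.0.0.0/0"),
           ipaddress.ip_network("192.168.0.0/16"),
           ipaddress.ip_network("81.95.124.0/24")]


def in_zone(ip):
    """True when `ip` belongs to an IP class of the zone other than 0.0.0.0/0."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in IP_ZONE if net.prefixlen > 0)


def validate(mode, src_inside, dst_inside):
    """Off: analyse everything. On: source and/or destination inside (the
    manual's wording). Strict: exactly one side inside; this is my reading of
    'either the source or the destination', so zone-to-zone traffic is skipped."""
    if mode == "Off":
        return True
    if mode == "On":
        return src_inside or dst_inside
    if mode == "Strict":
        return src_inside != dst_inside
    raise ValueError(f"unknown validation mode {mode!r}")


def ip_validation(mode, src_ip, dst_ip):
    """WANGuard Sniff IP Validation, decided on the packet's IP addresses."""
    return validate(mode, in_zone(src_ip), in_zone(dst_ip))


def as_validation(mode, src_as, dst_as):
    """WANGuard Flow AS Validation: ASN 0 marks 'my own AS' in most setups."""
    return validate(mode, src_as == 0, dst_as == 0)


def mac_direction(src_mac, dst_mac, filter_mac, switch):
    """MAC Filter: with the Source switch `filter_mac` is the upstream router,
    so frames it sends are inbound and frames sent to it are outbound; with
    the Destination switch it is the downstream router and the reverse holds.
    Returns 'inbound', 'outbound' or None (frame involves neither side)."""
    src_mac, dst_mac, filter_mac = (m.lower() for m in (src_mac, dst_mac, filter_mac))
    if switch == "Source":            # filter_mac = upstream router
        if src_mac == filter_mac:
            return "inbound"
        if dst_mac == filter_mac:
            return "outbound"
    elif switch == "Destination":     # filter_mac = downstream router
        if dst_mac == filter_mac:
            return "inbound"
        if src_mac == filter_mac:
            return "outbound"
    else:
        raise ValueError(f"switch must be 'Source' or 'Destination', got {switch!r}")
    return None


def ip_direction(src_ip, dst_ip):
    """Direction from the IP Zone alone: traffic towards the zone is inbound,
    traffic from it is outbound; both or neither inside is undecidable."""
    src_in, dst_in = in_zone(src_ip), in_zone(dst_ip)
    if dst_in and not src_in:
        return "inbound"
    if src_in and not dst_in:
        return "outbound"
    return None


# Constructed flow records: (src_ip, dst_ip, src_as, dst_as).
SAMPLE_FLOWS = [
    ("10.0.0.5", "192.168.1.10", 3356, 0),        # external -> ours
    ("192.168.1.10", "8.8.8.8", 0, 15169),        # ours -> external
    ("192.168.1.10", "192.168.2.9", 0, 0),        # ours -> ours
    ("10.0.0.5", "10.0.0.6", 3356, 3356),         # transit, not ours at all
]


def analysed_flows(ip_mode, as_mode, flows=SAMPLE_FLOWS):
    """Flows that pass both validations, with the direction derived from IPs."""
    return [(src, dst, ip_direction(src, dst)) for src, dst, sas, das in flows
            if ip_validation(ip_mode, src, dst) and as_validation(as_mode, sas, das)]


if __name__ == "__main__":
    for ip_mode, as_mode in (("Off", "Off"), ("On", "On"), ("Strict", "Strict")):
        print(ip_mode, as_mode, analysed_flows(ip_mode, as_mode))
    print(mac_direction("00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff",
                        "00:11:22:33:44:55", "Source"))   # upstream router sent it
```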
ll being used, but all the rules have the RETURN target. This is mostly used for debugging Netfilter rules.
- Details: You can use this field to store comments about the current WANGuard Filter configuration.

In the following configuration example, when the WANGuard Filter is activated by the WANGuard Filter Enabler Action Module, a BGP announcement will be sent through the Route Reflector BGP Router. The WANGuard Filter system will then receive the traffic towards the attacked IP; it will analyze the traffic coming through the eth0 interface and will update the Security View (Views chapter, page 72) with the latest information about the detected attack patterns. The malicious traffic will be dropped, while the cleaned traffic will be forwarded through the eth1 interface and injected back into the network.

[Screenshot: WANGuard Filter Configuration: Active checked; Description "DDoS Filtering"; IP Address 192.168.1.100; Inbound Interface eth0; Outbound Interface eth1; Monitor Interface "Inbound & Outbound"; Filters Timeout 60 seconds; BGP Router "Route Reflector"; Filtering Policy "Filter the attack patterns and limit unknown traffic"; Details "WANGuard Filter configuration"; <Change WANGuard Filter> and <Delete WANGuard Filter> buttons]
lowing configuration example, WANGuard Flow monitors traffic passing the WAN and LAN interfaces, generates Top statistics and uses the IP class information found in the Public IPs IP Zone.

[Screenshot: WANGuard Flow Configuration for the "NetFlow Router" system: interface list with Index, Description, Type (Ingress/Egress), Graph Color Inbound/Outbound, Action and Blackhole (Null) columns; Graph Data Path /opt/wanguard/rrd; IP Zone "Public IPs"]

After a new WANGuard Flow system is added, the WANGuard Flow Selection window is updated. If there is a green OK sign on the right of the WANGuard Flow then the WANGuard Flow is running. If there is a red X sign instead then the WANGuard Flow is inactive or not running. If you checked the Active switch but the WANGuard Flow is still not running, you can find a description of the error in the WANGuard Flow Events Logs (see Archive chapter, page 88) or in the Events tab (see Views chapter, page 68).

[Screenshot: WANGuard Flow Selection window]
lter(s).

No. | Name | Type | Parameter | Description
42 | | String | first_time | The time in iso8601 format when the traffic anomaly started
43 | | String | last_time | The latest time in iso8601 format when the traffic anomaly was still active on WANGuard Sensor or on WANGuard Filter(s)

Filter Related Parameters

No. | Name | Type | Parameter | Description
44 | Filter Number | Number | filter_id | The unique ID of the attack pattern
45 | Filter Type | String | filter_type | The attack pattern type: ip (Attacker's IP Address), source (Source Port of the Attacker), dest (Destination Port of the Victim), proto (The IP Protocol Field), len (The Size of the Packets), ttl (The TimeToLive Field)
46 | Filter Value | String | filter_value | The attack pattern's value
47 | Filter Pkts/s | Number | filter_pps | The attack pattern's latest packets/second throughput
48 | Filter Bits/s | Number | filter_bps | The attack pattern's latest bits/second throughput
49 | Filter Peak Pkts/s | Number | filter_max_pps | The maximum packet rate matched by the attack pattern
50 | Filter Peak Bits/s | Number | filter_max_bps | The maximum bit rate matched by the attack pattern
51 | Filter Severity | Number | filter_severity | The severity field represents the ratio between attack pattern traffic and threshold values
52 | Filter Packets | Number | filter_packets | The number of packets matched by the attack pattern
53 | Filter Bits | Number | filter_bits | The number of bits matched by the attack pattern
54 | Filter Time Interval |
lues, select the MINIMUM aggregation type.

WANGuard Flow ASN Graphs

The WANGuard Flow ASN Graphs page will not be accessible through the menu if there is no previously configured WANGuard Flow system. WANGuard Flow systems configured with the Top option collect data that can be used to generate very accurate Autonomous System graphs for every detected Autonomous System Number. To use this option, your flow exporter must be configured to include AS information in the exported flows. You can generate graphs by ASN by entering one or more Autonomous System Numbers. If more than one ASN is entered (delimited by space) and you check the Sum Multiple ASNs option, then a single graph will be generated containing data from all ASNs.

Archive

All WANGuard Platform components store traffic and operational details in a MySQL database located on the WANGuard Console server. You can view the contents of the database by selecting the tables from the Archive menu.

[Screenshot: WANGuard Console 3.1 Archive menu: BGP Logs, Events Logs, Filter Logs, Stats Logs, Anomaly Logs]

Anomaly Logs

The Anomaly Logs contain details about every traffic anomaly detected by WANGuard Sensor systems. Every traffic anomaly record contains the following fields:
- Anomaly: The unique index number of the traffic anomaly. If this number is clicked then a new window opens with a
The message field can contain any number of WANGuard Sensor Dynamic Parameters. A configuration example of this module is shown in the image below.

[Screenshot: New Action window, WANGuard Sensor Syslog module for the action "Protect Gigabit Link": Description "Syslog on Logserver", Remote host 192.168.1.101, Facility DAEMON, Message "Traffic anomaly anomaly_id towards ip still active"; Beginning branch with 2 actions (incl. Inform NOC by email), Polling branch with 2 actions (incl. Blackhole attacked IP), Ending branch with 1 action (Send SNMP Trap); <Change WANGuard Sensor Syslog> and <Delete WANGuard Sensor Syslog> buttons]

WANGuard Filter Email Action Module

This module is used by WANGuard Filter to send notification emails at the beginning (Beginning branch), during (Polling branch) or at the end (Ending branch) of an attack pattern. The Subject and Body fields can contain any number of WANGuard Sensor and WANGuard Filter Dynamic Parameters. Dynamic Parameters are explained at the beginning of the chapter. A complete list of the available Dynamic Parameters can be found in Appendix 2, Conditional & Dyn
mp protection solely by changing the license key.

Log into WANGuard Console using the default username/password combination of admin/wanguard.

[Screenshot: the WANGuard Console 3.1 login page (Evaluation copy for TRIAL User), opened in Mozilla Firefox.]

A First Look at the Systems View

Immediately after logging into WANGuard Console, the layout of the Systems View is displayed. You can change the default View by editing your User preferences. Because no WANGuard Sensor or WANGuard Filter system was previously configured and enabled, and no data was gathered, the Systems View will be mostly empty. More information about Views can be found in the Views chapter (Page 64). You can navigate throughout WANGuard Console using the drop-down menu located in the upper side of every page.

Managing WANGuard Console Users

[Screenshot: the WANGuard Console drop-down menu with the Setup menu expanded: IP Graphs Parameters, Actions, BGP Routers, IP Graphs, IP Zones, WANGuard Sensor.]

If you install WANGuard Console on a publicly available server, you should immediately change the default password for the admin user and eventually ad
n the specified VLANs rather than inter-VLAN traffic, use CatOS 7.2 or higher and issue the following command:

    Switch> (enable) set mls bridged-flow-statistics enable

And enable NDE:

    Switch> (enable) set mls nde enable

To see the current NetFlow configuration and state, issue the following commands:

    Switch> (enable) show mls nde
    Switch> (enable) show mls debug

Configuring NDE on a Native IOS Device

To configure NDE, use the same commands as for the IOS device. In enable mode on the Supervisor Engine, issue the following to set up NetFlow export version 5:

    switch(config)# mls nde sender version 5

The following commands break up flows into shorter segments: 1 minute for active flows and 30 seconds for inactive flows. Please use only these values, as they decrease the RAM usage and increase the performance of WANGuard Flow:

    switch(config)# mls aging long 8
    switch(config)# mls aging normal 4

On the Supervisor Engine 1, issue the following to put full flows into the NetFlow exports:

    switch(config)# mls flow ip full

If you have a Supervisor Engine 2 or 720 running IOS version 12.1(13)E or higher, issue the following commands instead:

    switch(config)# mls flow ip interface-full
    switch(config)# mls nde interface

Configuring NDE on a 4000 Series Switch

Configure the switch the same as an IOS device, but instead of the command ip r
nalyzer (SPAN), Roving Analysis Port, Network TAP, in-line deployment). In order to do traffic monitoring and analysis, WANGuard Sniff inspects all the network data packets passing the host server's network card, including the network data packets sent by a monitoring port of a switch or router.

How Port Mirroring / Network TAP / In-line Deployment works

It is very important to understand that WANGuard Sniff can only inspect data packets that actually flow through the network interface(s) of the host server. In switched networks, only the traffic for a specific device is sent to that device's network card. If the server running WANGuard Sniff is not deployed in-line, it cannot capture the traffic of other network components. For WANGuard Sniff to analyze the traffic of other hosts in your network, you must use a network TAP, or a switch or router that offers a monitoring port or a port mirroring configuration (Switched Port Analyzer, SPAN, on Cisco devices; Roving Analysis Port on 3Com devices). In this case the network device sends a copy of the data packets traveling through a port or VLAN to the monitoring port. After you configure the network device, install WANGuard Sensor on a Linux server and connect it to the monitoring port; WANGuard Sniff will then be able to analyze the whole traffic that passes through the selected port or VLAN, with or without VLAN tag stripping. If you don't
[Screenshot: WANGuard Sniff Selection showing "LAN Switch VLAN 900", with Details and Add WANGuard Sniff buttons.]

The WANGuard Sniff Configuration window contains the following fields:

- Active: WANGuard Sniff is automatically activated by the WANGuardController daemon if the Active checkbox is checked. If the Active checkbox is unchecked and the WANGuard Sniff system is running, the WANGuardController daemon stops it.
- Description: A short, generic description that helps you identify the WANGuard Sniff system.
- IP Address: A unique IP address configured on the server that must run the selected WANGuard Sniff. This field is used by the WANGuardController daemon for system identification.
- Network Interface: This field must contain the network interface that receives the port-mirrored traffic. If the WANGuard Sniff server is deployed in-line, it must contain the network interface that receives the traffic towards your network. If the traffic is tagged with a VLAN header and you check VLAN Support, the VLAN header is ignored. If you want to split the traffic by VLANs, you must create a virtual network interface for each VLAN using the vconfig command (on current Linux systems vconfig is deprecated and the iproute2 equivalent is "ip link add link eth0 name eth0.900 type vlan id 900") and then add a WANGuard Sniff for each new virtual interface.

The network interface name must use the network interface naming conventions of the Linux operating system: eth0 for the first interface, eth1 for the second, eth0.900 for the
nsor and WANGuard Filter systems. This View is split horizontally in two sides. The upper side contains a table with Current Traffic Anomalies and a table with Past Traffic Anomalies. The bottom side contains a tabbed interface that provides access to WANGuard Sensor Live Graphs, Events and system information about the active WANGuard Platform components. All the information contained on the bottom side is explained in the Systems View chapter (Page 64). Below you can see a screenshot taken during two DDoS attacks.

[Screenshot: WANGuard Console 3.0 Security View, taken on 2008-10-31. Two Current Traffic Anomalies are listed, one detected by the Peering SPAN sensor and one by the R12000 SPAN sensor (DMZ Subnet). Each anomaly row carries a WANGuard Filter table with the columns WANGuard Filter, Filter, Started, Latest Alarm, Pkts/s, Bits/s, Max Pkts/s, Max Bits/s, Packets, Bits and Log; the CoreNetwork filter has applied several Source IP filters. The WANGuard Sensor Live Graphs tab is shown underneath.]
ntry, AS number, etc.
- Description: The description of the IP address, extracted from the WANGuard Sensor's IP Zone.
- Protocol: The traffic type that exceeded the threshold: SYN, TCP, UDP, ICMP or OTHER.
- WANGuard Sensor: The description of the WANGuard Sensor that detected the traffic anomaly.
- Started: The time and date when WANGuard Sensor began the detection of the traffic anomaly.
- Stopped: The time and date when WANGuard Sensor ended the detection of the traffic anomaly.
- Duration: The duration of the traffic anomaly.
- Max Pkts/s: The maximum packets/second throughput reached by the anomalous traffic.
- Max Bits/s: The maximum bits/second throughput reached by the anomalous traffic.
- Action: The description of the Action executed for this traffic anomaly.
- Dropped: The percentage of the anomalous traffic filtered by one or more WANGuard Filter systems.
- Severity: The severity field represents graphically the ratio between the anomalous traffic and the threshold value. Every red bar means 100% of the threshold value. The exact ratio is displayed as a tool tip.

BGP Operations

The BGP Operations window provides live insight into the BGP announcements made either by WANGuard Sensor, through the BGP Announcement Action Module, or by WANGuard Filter for traffic diversion. The content is refreshed, flicker-free, every 5 seconds. If you have Administrator User privileges, you can add your own BGP announcements and manually remove existing BGP announcements. To add a
o filter BGP announcements on the router and enforce this policy.

3. Enter the soft-reconfiguration inbound command during the setup procedures. This command is useful for troubleshooting and allows you to restore a routing table without reconnecting to the neighboring device.

WANGuard Filter System BGP Configuration

You must configure BGP using the Zebra software (http://www.zebra.org) or the Quagga software (http://www.quagga.net). Quagga is a fork of Zebra and the differences are minimal. Quagga keeps its configuration files in /etc/quagga, while Zebra keeps its configuration files in /etc/zebra.

After installing Quagga or Zebra you have to create some basic configuration files so that both the zebra and bgpd daemons can start. Setting the passwords for the two daemons is enough to get them started. Replace zebrapass and bgppass with your own passwords:

    root@localhost# echo "password zebrapass" > /etc/quagga/zebra.conf
    root@localhost# echo "password bgppass" > /etc/quagga/bgpd.conf
    root@localhost# /etc/init.d/zebra start
    root@localhost# /etc/init.d/bgpd start

It is a good idea to tighten the security of the zebra daemon. Connect to the zebra daemon with telnet on localhost, port 2601 (the default zebra port), authenticate with the previously defined password (zebrapass), and issue the following commands (the vty is a plain telnet service and the password crosses it in clear text, so it should only be reachable from localhost):

    root@localhost#
olidating the data from all the WANGuard Sensor and WANGuard Filter systems deployed within the network.

WANGuard Console Features and Benefits

- Consolidated, real-time WANGuard Sensor and WANGuard Filter management and monitoring using a rich Ajax-based Web 2.0 web interface.
- IP Zones support for segmenting your network by departments, clients, server clusters, etc.
- Intuitive, desktop-application-like menu system.
- Easy-to-use navigation that allows you to drill into the live monitoring results.
- Graphs are always generated on the fly for live reporting.
- Live traffic graphs are animated.
- Integrated contextual help system.
- Integrated web-based tools that provide:
  - AS (Autonomous System) information
  - IP information: reverse DNS, domain, URL, IP range, AS, ISP, Country, ping, traceroute, whois
  - IP Protocols information
  - TCP and UDP ports information
  - Subnet calculator
- The recorded data is stored in an internal SQL database that can be easily queried and referenced.
- Authenticated access (username/password) required for an unlimited number of users with different security profiles.

How To Choose A Method Of Traffic Capturing

This section explains the available methods you can use for traffic capturing. Reading this chapter is strongly recommended, as it will help you understand how to deploy WANGuard Sensor.

Supported Traffic Capturing Methods

WANGuard Sensor was designed to monitor
[Screenshot: Reports, Traffic Accounting by IP Description. Form fields: IP Zone (Public IPs), IP Description (Branch Office), From/Until (October 2008), WANGuard Sensor(s) (Peering SPAN, R12000 SPAN, LAN Switch VLAN 900, NetFlow Router WAN Interface, NetFlow Router LAN Interface), and a Generate Accounting Report button.]

The From, Until and WANGuard Sensor(s) fields are explained at the beginning of this section. To generate traffic accounting reports using this option, first select an IP Zone and then select an IP Description included in the selected IP Zone. WANGuard Console searches for the IP addresses and IP classes that match the selected IP Description and generates a traffic accounting report for them. By using this option you can easily generate IP traffic accounting reports for clients, departments, etc. that have multiple allocated IP classes.

By IP Address/Subnet

To generate a traffic accounting report for an IP address or IP class, fill in the form displayed below.

[Screenshot: Reports, Traffic Accounting by IP Subnet. Form fields: IP Address/Subnet (with a /32 prefix length), From (July 2008), Until (August 2008) and the WANGuard Sensor(s) list.]
ormat:

- Status: If the active WANGuard Filter system is functioning properly, a green check mark is displayed. If WANGuard Console cannot manage or reach the WANGuard Filter system, a red X icon is displayed. In this case, make sure that WANGuard Filter is configured correctly, read the Events Log and make sure that the WANGuardController daemon is running on all systems.
- WANGuard Filter: Displays the description of the WANGuard Filter system.
- Load: The load of the operating system for the last 5 minutes.
- Anomaly: The index of the traffic anomaly mitigated by the WANGuard Filter system. If this number is clicked, a new window opens with additional details about the traffic anomaly.
- IP Address: The IP address from your network involved in the traffic anomaly. If the IP address is clicked, a new window opens with detailed information: reverse DNS, ISP, Country, AS number, etc.
- Description: The description of the IP address, extracted from the WANGuard Sensor's IP Zone.
- Protocol: The traffic type that exceeded the threshold: SYN, TCP, UDP, ICMP or OTHER.
- Peak CPU: The maximum CPU percentage used by the WANGuard Filter process.
- Started: The date and time when the WANGuard Filter system was activated.
- IPs: The number of unique IP addresses detected exchanging traffic with the attacked IP address.
- Pkts/s: The packets/second throughput towards the attacked IP address.
- Bits/s: The bits/second thr
otocol number, packet size, TTL, etc. WANGuard Filter performs inbound traffic filtering and packet rate limiting using the Linux 2.6.x Netfilter framework. The available Filtering Policies are:

- None: WANGuard Filter only detects and reports attack patterns. The Linux firewall API is not used.
- Filter the attack patterns: WANGuard Filter detects, reports and filters the attack patterns. If an attack pattern is not whitelisted, all the traffic matched by the attack pattern is dropped.
- Filter the attack patterns and limit unknown traffic: WANGuard Filter detects, reports and filters the attack patterns and limits the unknown traffic. If an attack pattern is not whitelisted, all the traffic matched by the attack pattern is dropped. In addition, the WANGuard Filter system does not forward traffic that exceeds the anomaly's traffic-type packets/second threshold value for the attacked IP address, as recorded in the WANGuard Sensor's IP Zone.
- Limit the attack patterns: WANGuard Filter detects, reports and limits the attack patterns. WANGuard Filter only forwards attack-pattern traffic that does not exceed the anomaly's traffic-type packets/second threshold value for the attacked IP address, as recorded in the WANGuard Sensor's IP Zone.
- Apply default forwarding policy: WANGuard Filter detects and reports the attack patterns, and the default Netfilter forwarding policy is applied. Netfilter is sti
oughput towards the attacked IP address.
- Dropped Pkts/s: The rate of packets dropped in the capturing process. When the number is high, it indicates a performance problem located in the network card, in the network card's driver or in the CPU. It may also mean a bad WANGuard Filter installation.

WANGuard Sensor Live Graphs Tab

The WANGuard Sensor Graphs Tab provides an animated, dynamic graph that illustrates trends over time of various traffic parameters collected from WANGuard Sensor systems. The right side of the tab contains three selection lists that configure the graph:

- WANGuard Sensor: Select the WANGuard Sensor system you are interested in.
- Data Unit: Select the traffic parameter the graph will represent:
  - Bits: The bits/second throughput recorded by WANGuard Sensor.
  - Bytes: The bytes/second throughput recorded by WANGuard Sensor.
  - Packets: The packets/second throughput recorded by WANGuard Sensor.
  - IPs: The number of unique IP addresses detected making traffic. Usually a spike in the graph means that an IP class scan was performed. Only your network's IP addresses are counted.
  - Received packets or flows: For WANGuard Sniff it represents the rate of received packets before validation or filtering occurs. For WANGuard Flow it represents the rate of received flows before validation or filtering occurs.
  - Dropped packets or flows
oute-cache flow, use the command ip route-cache flow infer-fields. This series requires a Supervisor IV with a NetFlow Services daughter card to support NDE.

Configuring NDE on a Juniper Router

Juniper supports flow exports by the routing engine sampling packet headers and aggregating them into flows. Packet sampling is done by defining a firewall filter that accepts and samples all traffic, applying that filter to the interface, and then configuring the sampling forwarding option:

    interfaces {
        ge-0/1/0 {
            unit 0 {
                family inet {
                    filter {
                        input all;
                        output all;
                    }
                    address 192.168.1.1/24;
                }
            }
        }
    }
    firewall {
        filter all {
            term all {
                then {
                    sample;
                    accept;
                }
            }
        }
    }
    forwarding-options {
        sampling {
            input {
                family inet {
                    rate 100;
                }
            }
            output {
                cflowd 192.168.1.100 {
                    port 2000;
                    version 5;
                }
            }
        }
    }

Appendix 2: Conditional & Dynamic Parameters

General Parameters. Each row lists the Conditional Parameter (with its type), the Dynamic Parameter name used in message templates, and a description.

 1 | Anomaly (Number) | anomaly_id | The unique identification number of the traffic anomaly.
 2 | IP Address (String) | ip | The IP address from your network involved in the traffic anomaly.
 3 | IP Description (String) | description | The description of the IP address, extracted from the WANGuard Sensor's IP Zone.
 4 | Protocol (String: syn, udp, tcp, icmp, other) | protocol | The traffic type that exceeded the threshold value.
 5 | Direction (String: inbound, outbound) | direction | The direction of the traffic anomaly, inbound or outbound.
 6 | Severity (Number) | severity | The ratio between the anomalous traffic rate and the threshold value.
 7 | Action Description (String) | action | The description of the Action executed for this traffic anomaly, as extracted from the WANGuard Sensor's IP Zone.
 8 | WANGuard Sensor's IP address (String) | wanguardsensor_ip | The WANGuard Sensor's IP address, as defined in the WANGuard Flow/Sniff Configuration.
 9 | WANGuard Sensor's Description (String) | wanguardsensor_description | The WANGuard Sensor's description, as defined in the WANGuard Flow/Sniff Configuration.
10 | Tick (Number) | tick | The number of times the WANGuard Sensor detected anomalous traffic during the traffic anomaly's lifetime.
11 | BGP Log Size, bytes (Number) | bgplog_size | The size in bytes of the BGP logs. Useful as a precondition in Action Modules when you want them executed only after a BGP announcement has been performed and a BGP log has consequently been generated.
12 | Traffic Sample Size, bytes (Number) | tcpdump_size | The size of the Traffic Sample logs. Useful when you want an action performed only if a traffic sample was already generated.
13 | WANGuard Filters CPU Usage (Number) | wanguardfilters_max_cpu_usage | The maximum CPU percentage used by WANGuard Filter.
- ...p traffic towards attacked IPs
- send SNMP TRAP messages to SNMP monitoring stations
- display the routers that are being transited by the anomalous traffic, using third-party software

The image below shows a simple module configuration used to send SNMP TRAP messages to an SNMP monitoring station.

[Screenshot: Traffic Anomaly Actions, editing a WANGuard Sensor Script action with Description "Send SNMP Trap" (Priority 5, Beginning branch). The command shown is an snmptrap call of the form "snmptrap -v 1 -c public manager enterprises andrisoftwanguard test hub 3 ..." (the rest of the command line is not legible).]

WANGuard Sensor Syslog Action Module

This module is used by WANGuard Sensor to send syslog messages locally or to remote syslog monitoring stations. To send syslog messages you must enter the IP address of the syslog server (127.0.0.1 for localhost) and select the desired facility, severity level and message content. Syslog messages can be sent at the beginning (Beginning branch), during (Polling branch) or at the end (Ending branch) of a traffic anomaly.
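The Preconditions and Dynamic Parameters that every Action Module shares, the Appendix 2 parameter list and the Syslog module above all meet in one action tick: check the rules, fill in the template, build the syslog datagram. The following Python is an added example, not code from the manual or from Andrisoft. It assumes a {name} syntax for dynamic parameters and (parameter, operator, value) triples for preconditions, since the manual's exact notation is not reproduced here, and it assumes BSD syslog (RFC 3164) over UDP; the parameter values are constructed.

```python
"""Added example (not code from the manual or from Andrisoft): what a
Sensor Syslog Action Module has to do on each branch tick, using the
Appendix 2 parameter names. Assumed details, because the manual's exact
notation is not preserved here: dynamic parameters are written {name}
in the message template, a precondition is a (parameter, operator, value)
triple, and messages go out as BSD syslog (RFC 3164) UDP datagrams."""
import operator
import re
import socket
from datetime import datetime

# Appendix 2 parameters. Numeric ones are compared as numbers, the rest as strings.
NUMERIC = {"anomaly_id", "severity", "tick", "bgplog_size", "tcpdump_size",
           "wanguardfilters_max_cpu_usage"}

# RFC 3164 facility / severity codes; PRI = facility * 8 + severity
FACILITIES = {"KERN": 0, "USER": 1, "MAIL": 2, "DAEMON": 3, "AUTH": 4,
              "SYSLOG": 5, "LPR": 6, "NEWS": 7, "UUCP": 8, "CRON": 9,
              "AUTHPRIV": 10, "FTP": 11, **{f"LOCAL{i}": 16 + i for i in range(8)}}
SEVERITIES = {"EMERG": 0, "ALERT": 1, "CRIT": 2, "ERR": 3, "WARNING": 4,
              "NOTICE": 5, "INFO": 6, "DEBUG": 7}
OPS = {"==": operator.eq, "!=": operator.ne, ">": operator.gt,
       ">=": operator.ge, "<": operator.lt, "<=": operator.le}


def preconditions_met(params, rules):
    """Every (name, op, value) rule must hold. Unknown parameters, unknown
    operators and non-numeric values for numeric parameters fail closed."""
    for name, op, wanted in rules:
        if name not in params or op not in OPS:
            return False
        have = params[name]
        try:
            if name in NUMERIC:
                have, wanted = float(have), float(wanted)
            else:
                have, wanted = str(have), str(wanted)
        except (TypeError, ValueError):
            return False
        if not OPS[op](have, wanted):
            return False
    return True


_PARAM = re.compile(r"\{([a-z_]+)\}")


def render(template, params):
    """Replace {name} with the parameter value. Unknown names are left as
    written so a typo in the action configuration shows up in the log."""
    return _PARAM.sub(lambda m: str(params.get(m.group(1), m.group(0))), template)


def syslog_datagram(facility, severity, tag, msg, ts=None, host="wanguard"):
    """<PRI>Mmm dd hh:mm:ss HOST TAG: MSG. CR/LF are removed first because a
    parameter such as the IP Zone description is operator text and a line
    break inside it would be read as a second record by the collector."""
    pri = FACILITIES[facility] * 8 + SEVERITIES[severity]
    ts = ts or datetime.now()
    stamp = f"{ts:%b} {ts.day:>2} {ts:%H:%M:%S}"
    msg = msg.replace("\r", " ").replace("\n", " ")
    return f"<{pri}>{stamp} {host} {tag}: {msg}".encode("ascii", "replace")


def decode_pri(datagram):
    """Collector side: (facility, severity) names from the <PRI> prefix."""
    m = re.match(rb"<(\d{1,3})>", datagram)
    if not m or int(m.group(1)) > 191:
        return None
    pri = int(m.group(1))
    fac = {v: k for k, v in FACILITIES.items()}.get(pri // 8, f"UNKNOWN{pri // 8}")
    sev = {v: k for k, v in SEVERITIES.items()}[pri % 8]
    return fac, sev


def run_action(params, rules, facility, severity, template, tag="wanguard-sensor"):
    """One Syslog Action Module tick: returns the datagram to send, or None
    when the Preconditions block the action."""
    if not preconditions_met(params, rules):
        return None
    return syslog_datagram(facility, severity, tag, render(template, params))


def send_udp(datagram, server="127.0.0.1", port=514):
    """Deliver to the configured syslog server (127.0.0.1 for localhost)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(datagram, (server, port))


# Constructed parameter snapshot, not taken from a real anomaly.
SAMPLE_PARAMS = {
    "anomaly_id": 4132, "ip": "192.0.2.17", "description": "DMZ Subnet",
    "protocol": "syn", "direction": "inbound", "severity": 3, "tick": 2,
    "bgplog_size": 0, "tcpdump_size": 0, "action": "Protect Gigabit Link",
    "wanguardsensor_ip": "192.0.2.10", "wanguardsensor_description": "Peering SPAN",
}
# The Polling-branch message from the manual's screenshot, in the assumed {name} form.
POLLING_TEMPLATE = "Traffic anomaly {anomaly_id} towards {ip} still active"
```

The bgplog_size rule reproduces the use case Appendix 2 gives for that parameter: an Ending-branch notification that should only fire once a BGP announcement has left a log behind. Unknown parameters and operators fail closed rather than open, so a misspelled rule disables an action instead of running it unconditionally.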
If there is a green OK sign to the right of the WANGuard Sniff, the WANGuard Sniff is running. If there is a red X sign instead, the WANGuard Sniff is inactive or not running. If you checked the Active switch but the WANGuard Sniff is still not running, you can find a description of the error in the WANGuard Sniff Events Logs (see the Archive chapter, Page 88) or in the Events Tab (see the Views chapter, Page 68).

[Screenshot: WANGuard Sniff Selection listing "LAN switch vlan 300" and the New WANGuard Sniff option, with a Next button.]

WANGuard Flow Configuration

When using WANGuard Flow, network devices must be configured to send NetFlow version 5 data packets to the server. For detailed instructions on how to enable NetFlow on your network devices, please consult the vendor's website. Some examples are included in Appendix 1, Configuring NetFlow Data Export (page 92).

The WANGuard Flow Selection window lets you select which WANGuard Flow system you wish to edit or delete. To add a new WANGuard Flow system, select New WANGuard Flow and then click Next. If no WANGuard Flow system was previously configured, the WANGuard Flow Selection form will have only the option to add a new WANGuard Flow system.
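The NetFlow v5 datagrams that WANGuard Flow expects have a fixed 24-byte header and 48-byte records, and the requirements stated in this chapter and in the ASN Graphs section (version 5 only, AS fields filled in by the exporter, received flows counted separately from dropped ones) map directly onto the checks a collector has to make. The following Python decoder is an added example, not code from the manual or from Andrisoft. The exporter address, IPs, ASNs and sequence numbers are constructed for the demonstration, and the IOS command mentioned in a comment is one way of getting AS numbers into the export, not something the manual prescribes.

```python
"""Added example (not Andrisoft code): a NetFlow version 5 decoder with the
checks a collector such as WANGuard Flow needs. Reject anything but v5,
honour the header's sampling field, count flows lost between exports from
the sequence numbers, and keep the AS numbers the ASN graphs depend on.
All packets below are constructed locally from documentation/private ranges."""
import ipaddress
import struct
from collections import defaultdict, namedtuple

# Cisco's v5 layout: 24-byte header followed by up to 30 48-byte records
V5_HEADER = struct.Struct(">HHIIIIBBH")
V5_RECORD = struct.Struct(">4s4s4sHHIIIIHHBBBBHHBBH")

Flow = namedtuple("Flow", "src dst nexthop iif oif packets octets first last "
                          "sport dport tcp_flags proto tos src_as dst_as "
                          "src_mask dst_mask")


def parse_v5(datagram):
    """Decode one export datagram into (header dict, list of Flow).
    Raises ValueError for anything that is not a well-formed v5 packet."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("truncated header")
    (version, count, uptime, secs, nsecs, seq,
     engine_type, engine_id, sampling) = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"NetFlow v{version} received, WANGuard Flow needs v5")
    if not 1 <= count <= 30:
        raise ValueError(f"bad record count {count}")
    if len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        # f[11] and f[19] are padding bytes
        flows.append(Flow(ipaddress.IPv4Address(f[0]), ipaddress.IPv4Address(f[1]),
                          ipaddress.IPv4Address(f[2]), *f[3:11],
                          f[12], f[13], f[14], f[15], f[16], f[17], f[18]))
    header = {"sequence": seq, "count": count, "sys_uptime": uptime,
              "unix_secs": secs, "unix_nsecs": nsecs,
              "engine": (engine_type, engine_id),
              # top two bits: sampling mode; low 14 bits: interval (0 = none)
              "sampling_mode": sampling >> 14, "sampling_rate": sampling & 0x3FFF}
    return header, flows


def accept(datagram):
    """True only for datagrams the collector should go on to process."""
    try:
        parse_v5(datagram)
        return True
    except ValueError:
        return False


class SequenceTracker:
    """flow_sequence counts flows, not packets: the gap between the expected
    and received value is the number of flows lost since the last export,
    the 'dropped flows' figure a Live Graph would plot."""
    def __init__(self):
        self.expected = {}
        self.lost = defaultdict(int)

    def observe(self, exporter, header):
        seq, count = header["sequence"], header["count"]
        exp = self.expected.get(exporter)
        if exp is not None:
            gap = (seq - exp) & 0xFFFFFFFF          # unsigned 32-bit wrap
            if 0 < gap < 0x80000000:                 # exporter is ahead: loss
                self.lost[exporter] += gap           # behind: reorder/duplicate
        self.expected[exporter] = (seq + count) & 0xFFFFFFFF
        return self.lost[exporter]


def bits_by_dst_as(header, flows):
    """Per destination-AS bit counts scaled by the sampling rate, the input
    an ASN graph is built from. Exporters that do not fill in AS data put 0
    here; on IOS that is what 'ip flow-export version 5 origin-as' turns on."""
    scale = header["sampling_rate"] or 1
    totals = defaultdict(int)
    for f in flows:
        totals[f.dst_as] += f.octets * 8 * scale
    return dict(totals)


def build_v5(seq, records, sampling=0, uptime=120000, secs=1225458242):
    """Pack a v5 datagram from (src, dst, proto, sport, dport, packets,
    octets, src_as, dst_as) tuples; remaining fields are fixed test values."""
    body = b"".join(
        V5_RECORD.pack(ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed, b"\0\0\0\0",
                       1, 2, pkts, octs, uptime - 5000, uptime, sport, dport,
                       0, 0x02 if proto == 6 else 0, proto, 0, sas, das, 24, 24, 0)
        for src, dst, proto, sport, dport, pkts, octs, sas, das in records)
    return V5_HEADER.pack(5, len(records), uptime, secs, 0, seq, 0, 0, sampling) + body


# Constructed sample: two exports from a router sampling 1 in 100, with
# three flows lost in transit between them (sequence 1000+2 -> 1005).
SAMPLE_1 = build_v5(1000, [
    ("198.51.100.5", "192.0.2.17", 6, 41234, 80, 10, 400, 64496, 64500),
    ("203.0.113.9", "192.0.2.53", 17, 53, 33000, 2, 2000, 64497, 64500)],
    sampling=100)
SAMPLE_2 = build_v5(1005, [
    ("198.51.100.6", "192.0.2.17", 6, 41235, 80, 8, 320, 64496, 64500)],
    sampling=100)


def demo(exporter="192.0.2.1"):
    """Process both samples; returns [(records, flows lost so far, bits per dst AS)]."""
    tracker = SequenceTracker()
    out = []
    for dg in (SAMPLE_1, SAMPLE_2):
        header, flows = parse_v5(dg)
        lost = tracker.observe(exporter, header)
        out.append((header["count"], lost, bits_by_dst_as(header, flows)))
    return out
```

SequenceTracker treats a backward jump as a reordered or duplicated export rather than as negative loss, and the sampling rate is read from every header instead of being configured once, so a change to the exporter's sampling configuration does not silently rescale the graphs.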
r more WANGuard Filter systems are activated to detect the attack patterns in a traffic anomaly, a new yellow table shows up in the same traffic anomaly row. This yellow table contains information about the attack patterns in the following format:

- WANGuard Filter: The description of the WANGuard Filter that detected the attack pattern.
- Filter: The filter applied by WANGuard Filter to remove the attack pattern's traffic. WANGuard Filter dynamically applies the following filter types: Source IP, Source Port, Destination Port, Packet Length, TimeToLive, IP Protocol. The filters are applied only when the filtering policy allows traffic filtering. If the filter conflicts with the WANGuard Filter's Whitelist, a red exclamation point shows up and the filter is not applied.
- Started: The date and time when the attack pattern was first detected.
- Latest Alarm: How much time has passed since the last detection of the attack pattern.
- Pkts/s: The latest packets/second throughput for the traffic matching the attack pattern.
- Bits/s: The latest bits/second throughput for the traffic matching the attack pattern.
- Max Pkts/s: The maximum packets/second throughput for the traffic matching the attack pattern.
- Max Bits/s: The maximum bits/second throughput for the traffic matching the attack pattern.
- Packets: The number of packets counted in the traffic matching the attack pattern.
- Bits: The number of bits counted in the traffic matching
raphs Tab and Events Tab. Each of those elements is explained in the following sections.

Active WANGuard Sniff Systems Table

The Active WANGuard Sniff Systems table displays the latest system information collected from the active WANGuard Sniff systems. If there are no WANGuard Sniff systems configured, this table is not displayed. The table has the following format:

- Status: If the active WANGuard Sniff system is functioning properly, a green check mark is displayed. If WANGuard Console cannot manage or reach the WANGuard Sniff system, a red X icon is displayed. In this case, make sure that WANGuard Sniff is configured correctly, read the Events Log and make sure that the WANGuardController daemon is running on all systems.
- WANGuard Sniff: Displays the description of the WANGuard Sniff system and a colored box with the Graph Color Inbound, as defined in the configuration.
- Load: The load of the operating system for the last 5 minutes.
- CPU: The CPU percentage used by the WANGuard Sniff process.
- Mem: The amount of memory used by the WANGuard Sniff process.
- Started: The time and date when the WANGuard Sniff process started.
- IPs: The number of unique IP addresses detected making traffic. Only your network's IP addresses are counted.
- Pkts/s (Inbound/Outbound): The packets/second throughput after validation and filtering.
- Bits/s (Inbound/Outbound): The bits/second throughput after validation and f
Reasons to choose NetFlow Monitoring

Because the NetFlow protocol already performs a pre-aggregation of traffic data, the flow data sent to the monitoring server running WANGuard Flow is much smaller than the monitored traffic. This makes NetFlow the ideal option for monitoring remote, high-traffic networks. The downside of NetFlow monitoring is that computing the pre-aggregation of traffic data requires large amounts of RAM, it introduces significant delays, and the accuracy of the traffic parameters is lower than when directly inspecting network packets, especially when flow/packet sampling is used.

Comparison between Packet Sniffing and NetFlow Monitoring

The table below provides a quick comparison between the available traffic capturing technologies. The hardware requirements for each method are different; the requirements are listed in the next chapter.

WANGuard Sensor                  | WANGuard Sniff                                   | WANGuard Flow
Traffic Capturing Technology     | Port Mirroring, Network TAP, In-line Deployment  | NetFlow or NetStream v5 enabled network devices
Maximum Traffic Capacity         | 10 GigE, > 150,000 endpoints                     | 10 GigE, < 100,000 endpoints
Traffic Parameters Accuracy      | Highest (5 second averages)                      | High
Traffic Anomalies Detection Time | < 5 seconds                                      | < flow export time + 5 seconds
Traffic Validation Options       | IP classes, MAC addresses, VLANs                 | IP classes, interfaces, AS Number
Manu
rd Filter system and the next-hop router to forward clean traffic. The inject-to router does not perform routing decisions according to the zone address and forwards the packets to the next-hop router.

Configuring Static Routing (Layer 2 Forwarding Method)

The Layer 2 Forwarding (L2F) method is used in a Layer 2 topology, when all three devices (the WANGuard Filter system, the divert-from router and the next-hop router) are located in one shared IP network. In a Layer 2 topology, the divert-from router and the inject-to router are two separate devices, while the next-hop router and the inject-to router are the same device. The WANGuard Filter system issues an ARP query to resolve the MAC address of the inject-to (next-hop) router and then forwards the traffic. For this reason, no configuration on the routers is required when using the L2F method. The only thing you have to configure when using this method is the default gateway on the WANGuard Filter system, so that it points to the inject-to (next-hop) router.

Configuring GRE / IP over IP Tunneling (Layer 3 Forwarding Method)

In the tunnel diversion method, you configure a tunnel between the WANGuard Filter system and each of the next-hop routers. The WANGuard Filter system sends the traffic over the tunnel that ends in the next-hop router of the destined zone. Because the returned traffic goes over a tunnel, the inject-to router performs a routing decision on the end point of the tunnel interface only, no
rd Platform components can be downloaded directly from the Andrisoft website:

- http://www.andrisoft.com/download/rpm for packages for RedHat-based Linux distributions
- http://www.andrisoft.com/download/suse for packages for SuSE-based Linux distributions
- http://www.andrisoft.com/download/deb for packages for Debian-based Linux distributions

You may try a fully functional version of WANGuard Platform for 30 days. You can switch to a full-time registered version by applying a purchased license key. Binary WANGuard Platform components are packaged differently for i686 architectures (32-bit Pentium and beyond) and for x86_64 architectures (64-bit Intel/AMD processors).

Software Installation

Software installation instructions are listed and updated on the Andrisoft website under the download links:

- http://www.andrisoft.com/download/rpm/installation for RedHat-based Linux distributions
- http://www.andrisoft.com/download/suse/installation for SUSE-based Linux distributions
- http://www.andrisoft.com/download/deb/installation for Debian-based Linux distributions

Network Basics You Should Be Aware Of

Who Should Read This Section

If you are new to network administration and network monitoring, read about the technical basics in this section. It will help you understand how WANGuard Platform works. If you are already used to IP addresse
ream router. The following terminology is used in this section:

- Divert-from router: the router from which bgpd diverts the traffic of the attacked destinations.
- Inject-to router: the router to which bgpd forwards the cleaned traffic towards the attacked destinations.
- Next-hop router: the router that is the next hop to the destinations according to the routing table on the divert-from router, before traffic diversion is activated.

Static Routing (Layer 2 Forwarding Method)

In a Layer 2 topology, the WANGuard Filter system, the divert-from router and the next-hop router are on the same network or VLAN. In a Layer 2 topology, the divert-from router and the inject-to router are two different devices, while the next-hop router and the inject-to router are the same device.

GRE / IP over IP Tunneling (Layer 3 Forwarding Method)

In a Layer 3 topology, the divert-from and inject-to routers are the same router, referred to as "the router" in this chapter. WANGuard Filter sends a BGP announcement that modifies the router's routing table to divert the zone traffic to the WANGuard Filter system. WANGuard Filter cleans the traffic and returns the cleaned traffic to the same router. The divert-from router then sends the traffic to the router that appears as the best path to the zone, which is again the WANGuard Filter system, so this process may result in a routing loop. In this case you may have to use a tunnel that is configured between the WANGua
[Screenshot: Traffic Anomaly Actions. The action tree shows Egress Traffic Anomaly and Ingress Traffic Anomaly, each with Beginning, Polling and Ending branches; an Edit Action dialog for an Ingress Traffic Anomaly action offers the fields Description and "Action enabled for" (Beginning, Polling, Ending), plus Change Description and Delete Action buttons.]

Adding New Action Modules

To add a new Action Module, you must first decide whether you want the Action Module to be executed at the beginning, during, or at the end of a traffic anomaly or attack pattern. Then expand the corresponding branch and click Add. If WANGuard Filter is not installed, or the existing licensing option does not include it, the WANGuard Filter Action Modules are not available.

Action Modules Common Fields, Conditional & Dynamic Parameters

All Action Modules have the following common fields:

- Active: selects whether the Action Module is enabled or disabled.
- Priority: selects the order of execution relative to the other Action Modules defined within the same branch. Lower numerical values correspond to higher priority.
- Description: a generic description of the Action Module.
- Preconditions: let the user define the rules that must be validated before the Action Module is executed. Preconditions provide a way for Conditional Parameters to be validated against user-defined values. If the validation is unsuccessful, the Action Module is not executed. Conditional Parameters are dynamic internal parameters that are updated every 5 seconds b
[Screenshot: IP Traffic Accounting report. The first table lists, per IP Description (DNS, Email, Enterprise Services, Internal Network, Local Clients, Network Equipment) and per day, the inbound and outbound Avg Packets/s, Avg Bits/s, Total Packets and Total Bits, with a TOTAL row. A list of the matching IP addresses and subnets follows, then separate per-subnet tables for the NetFlow Router LAN Interface and NetFlow Router WAN Interface sensors.]

Security View

The Security View displays the latest traffic and security-related information collected from WANGuard Se
s and IP classes, you can skip this section.

A Short Introduction To IP Addresses & Classes

IP Addresses

In order for systems to locate each other in a distributed environment, nodes are given explicit addresses that uniquely identify the particular network the system is on and uniquely identify the system to that particular network. When these two identifiers are combined, the result is a globally unique address. This address, known as an IP address, as an IP number, or merely as an IP, is a code made up of numbers separated by three dots that identifies a particular computer on the Internet. These addresses are actually 32-bit binary numbers consisting of the two sub-addresses (identifiers) mentioned above, which respectively identify the network and the host to the network, with an imaginary boundary separating the two. An IP address is as such generally shown as 4 octets of numbers from 0-255, represented in decimal form instead of binary form. For example, the address 168.212.226.204 represents the 32-bit binary number 10101000.11010100.11100010.11001100. The binary number is important because it determines which class of network the IP address belongs to. The class of the address determines which part belongs to the network address and which part belongs to the node address (see IP Address Classes further on). The location of the boundary between the network and host portions of an IP address is determined through the
s matching the attack pattern.
- Bits: The number of bits matching the attack pattern.
- Latest Pkts/s: Most recent packets/second throughput of the traffic matching the attack pattern.
- Latest Bits/s: Most recent bits/second throughput of the traffic matching the attack pattern.
- Traffic Sample: This field contains a tcpdump-like log with a sample of 100 packets from the traffic matching the attack pattern.
- Emails: This field contains the content of the emails sent by the WANGuard Filter Email Action Module.
- Whitelisted: If the filter could not be applied because it conflicted with the WANGuard Filter's Whitelist, this value is 1. Otherwise the value is 0.

WANGuard Filters

The WANGuard Filters table contains details about all activated WANGuard Filter systems. All fields recorded in the table are explained below.
- Filter: The index number of the activated WANGuard Filter system. If this number is clicked, a new window opens with the list of attack patterns detected by the WANGuard Filter system.
- Anomaly: The index of the traffic anomaly for which the WANGuard Filter is activated.
- WANGuard Filter: The description of the activated WANGuard Filter.
- Filtered Pkts: The number of packets filtered by the activated WANGuard Filter.
- Filtered Bits: The number of bits filtered by the activated WANGuard Filter.
- Filter Peak Pkts/s: The maximum packets/second throughput record
- Normal User: The user can access all Views, generate traffic accounting and traffic graphs reports, and read event logs and archives, but cannot view or manage WANGuard Sensor and WANGuard Filter configurations, nor add or delete BGP announcements and users.
- Administrator: The user has all privileges to view and manage WANGuard Platform components, including adding new users and changing users' passwords (existing users' passwords are always shown encrypted).

The Full Name, Email, Title, Phone, Department and Company fields are optional.

The Events Verbosity field lets you select the minimum severity level of the events that will be displayed in the Security View and Systems View:
- MELTDOWN: Meltdown events are generated when a very serious error is detected in the system, such as a hardware error.
- CRITICAL: Critical events are generated when a significant software error is detected, such as memory exhaustion.
- ERROR: Error events are caused by misconfiguration or by communication errors between WANGuard Platform components.
- WARNING: Warning events are generated when authentication errors occur, when there are errors updating graph data files, and when there are synchronization issues.
- INFO: Informational events are generated when configurations are changed and when users log into WANGuard Console.
- DEBUG: Debug events are used only for troubleshooting purposes.
Thresholds section above. The Subnets row displays the IP classes and IP Zones that are using the selected template. When you update a template, every record using it will be updated too. An example of a Thresholds Template configuration is shown below.

[Screenshot: Thresholds Template Configuration window for the Mobile Customers Traffic template, listing Packets/s and Bits/s thresholds per Traffic Protocol (including TCP and TCP SYN) and the Subnets row]

IP Zone Configuration Example

In the following images you can see how IP Zone inheritance works and how you can configure WANGuard Platform's features for various IP classes and IP addresses. By default, the 0.0.0.0/0 IP class has all threshold values set to Unlimited, Actions set to None, and Accounting and Graphing set to No. By unchecking the Unlimited checkbox we defined
t be assured. The significant degradation of the services can seriously damage businesses, including loss of customers and subsequent loss of revenue. For the network administrator, this means that he has to ensure the network's uptime, reliability and speed, as well as the efficient use of the existing resources.

Andrisoft WANGuard Platform is an enterprise-grade, Linux-based software solution that delivers the functionality NOC, IT & Security teams need to effectively monitor and protect their network through a single integrated package. The components have been built from the ground up to be high performing, reliable and secure. WANGuard Platform is feature rich and simple to deploy and configure, causing no disruption within the network.

What WANGuard Platform Can Do For You

Andrisoft WANGuard Platform is an easy-to-use software platform that provides network traffic monitoring, network traffic accounting and network protection against DoS, DDoS and DrDoS attacks. It allows you to quickly and easily set up and run monitoring and filtering server(s) for networks. Using the integrated web interface, with just a few mouse clicks you can view:
- Historic and real-time network traffic parameters about the data flowing through router interfaces and switch ports (packets/s, bits/s, bytes/s, IPs/s, flows/s, etc.)
- MRTG-style traffic graphs and traffic accounting reports for IP addresses and IP classes in your network, for any time frame
- Historic
t on the zone's address. To use this method you have to run the standard Linux tool ip to create and route GRE / IP-over-IP tunnels that will be used to inject the cleaned traffic back into the network. You must then configure WANGuard Filter (Page 55) with the Outbound Interface set to the virtual network interface created by the tunnel.
the attack pattern.
- Log: If this icon is clicked, a new window opens with additional details about the attack pattern.

Past Traffic Anomalies

The Past Traffic Anomalies table shows inactive traffic anomalies, sorted by time in descending order, that match the Filter from the header of the table. By default, the Filter is set to show only the latest 50 inactive traffic anomalies. By clicking the Filter area you can change the Filter type and values. Every row in the table represents an inactive traffic anomaly. The inactive traffic anomalies are presented in the following format:
- #: The unique index number of the traffic anomaly. If this number is clicked, a new window opens with a list of activated WANGuard Filter systems for this traffic anomaly.
- IP Address: The IP address from your network involved in the traffic anomaly. In front of the IP address, the graphic arrow indicates the direction of the traffic anomaly. When the arrow is pointing to the right, the thresholds were exceeded for inbound traffic. When the arrow is pointing to the left, the thresholds were exceeded for outbound traffic. Inbound anomalies are also represented by a gray background, while outbound anomalies are represented by a white background. If the IP address is clicked, a new window opens with detailed information about reverse DNS, ISP, Cou
the largest enterprises with hundreds of thousands of endpoints to the smallest branch office with tens of endpoints. The supported traffic capturing methods work with most switches, routers, firewalls and other network devices. The methods are:
- Port Mirroring (Switched Port Analyzer (SPAN), Roving Analysis Port, Network TAP): The analysis of network packets sent by a monitoring port of a switch, router or network TAP. The WANGuard Sensor that handles network packets is called WANGuard Sniff.
- NetFlow Monitoring: The analysis of pre-aggregated data flows sent by NetFlow- or NetStream-enabled routers and Layer 3 switches. The WANGuard Sensor that handles NetFlow and NetStream data is called WANGuard Flow.
- In-line Deployment: The analysis of incoming and outgoing network packets that pass through a network card of an in-line deployed Linux server. From a software perspective this method is virtually identical with the Port Mirroring method, so WANGuard Sniff is used in this scenario too.

Depending on your network configuration, your needs and your hardware, you must choose between the three methods of traffic capturing. For high availability scenarios it's recommended to use more than one method of traffic capturing in parallel. Please read on to further understand the differences between the supported methods of traffic capturing and the differences between WANGuard Sniff and WANGuard Flow.

Port Mirroring (Switched Port A
tion and will generate IP traffic graphs accordingly. By using this option you can easily generate traffic graphs for clients, departments, etc. with multiple allocated IP classes.

By IP Address / Subnet

To generate traffic graphs for an IP address or IP class, fill in the form displayed below.

[Screenshot: Traffic Graphing by IP Subnet form, with IP Address/Subnet, WANGuard Sensor(s) (Peering SPAN R12000, SPAN LAN Switch VLAN 900, NetFlow Router WAN Interface, NetFlow Router LAN Interface), Sum Multiple Sensors, Single IPs, Graph Size and Aggregation fields]

Most fields are explained at the beginning of this section. For the IP Address/Subnet fields use the CIDR notation. To generate traffic graphs for hosts, not networks, select the /32 CIDR. For more information about CIDR consult the Network Basics You Should Be Aware Of chapter (Page 16). Check the Single IPs option if you want a different traffic graph displayed for every IP address contained in the selected subnet. For example, when this option is used with a /24 CIDR, 256 traffic graphs are displayed, one for each IP address in the C class. If the traffic graphs are not displayed, check if the entered IP Address/Subnet is included in the selected WANGuard Sensor's IP Zone and that the Graphing parameter for th
IP Zones ........ 35
Adding a New IP Zone ........ 37
Changing Description, Copying & Deleting IP Zones ........ 37
Inbound and Outbound Traffic Thresholds ........ 39
Accounting ........ 40
IP Zone Configuration Example ........ 42
8. WANGuard Sensor ........ 46
WANGuard Sniff Configuration ........ 46
WANGuard Flow Configuration ........ 50
9. WANGuard Filter ........ 55
WANGuard Filter Configuration ........ 55
WANGuard Filter Whitelists ........ 59
10. BGP Router ........ 61
BGP Router Selection ........ 61
Active WANGuard Sniff Systems Table ........ 65
Active WANGuard Flow Systems Table ........ 66
Active WANGuard Filter Systems Table ........ 67
WANGuard Sensor Live Graphs Table ........ 68
Current Traffic Anomalies ........ 73
Past Traffic Anomalies ........ 74
12. Traffic Accounting and Graphing ........ 77
- Historic and real-time network traffic statistics: top talkers per protocol, number of IPs, top protocols, protocols distribution, ASN distribution, TCP and UDP ports distribution, etc.
- Historic and real-time recordings about the sources and destinations that use bandwidth above the acceptable limits
- Per-endpoint insightful report analytics and audit trail analysis for detected traffic anomalies
- Historic and real-time information about DoS, DDoS and DrDoS attacks in your network

The recorded data is stored in an internal SQL database that can be easily queried and referenced. The recorded monitoring statistics can be viewed through a rich Ajax-based Web 2.0 web interface.

WANGuard Platform Components

The WANGuard Platform has three main components:

WANGuard Sensor

WANGuard Sensor is an advanced Linux-based software created to do both incoming and outgoing traffic monitoring and analysis. At its core, WANGuard Sensor has a highly scalable traffic correlation engine capable of continuously monitoring hundreds of thousands of IP addresses. Complex statistical algorithms integrate traffic data to build an accurate and detailed picture of real-time and historical traffic flows across the network. WANGuard Sensor also has traffic anomaly detection and reaction capabilities, and when used together with WANGuard Filter it can provide complete network protection against DoS, DDoS and
ts IP class, or IP classes sharing the same IP Description. The time frame must be included in the biggest interval value configured in IP Traffic Graphs Setup. To generate IP traffic graphs, select IP Traffic Graphs from the Reports menu and then select one of the two available options.

[Screenshot: Reports menu with IP Traffic Accounting, IP Traffic Graphs (By IP Description, By IP Subnet), Protocols Distribution, WANGuard Sensor Tops, WANGuard Sensor Graphs and WANGuard Flow ASN Graphs]

The first option generates traffic graphs for IPs or IP classes that have the IP Description you select. The second option generates traffic graphs for the entered IP address or IP class. The following fields are common for both options:
- From / Until: Enter the desired time frame.
- WANGuard Sensor(s): Contains all configured WANGuard Sensor systems. Select the WANGuard Sensor that captured the traffic you're interested in. Multiple selections can be made by holding the Control (Ctrl) key.
- Sum Multiple Sensors: If unchecked, each WANGuard Sensor generates a different traffic graph. If checked, all selected WANGuard Sensors generate a single traffic graph that contains the summed traffic data.
- Data Unit: Enter the data unit for the traffic graph
# | Conditional Parameter | Type | Dynamic Parameter | Description
- | Filtered Bits | Number | wanguardfilters_filtered_bits | The number of bits filtered by active WANGuard Filter(s)
33 | Peak Pkts/s | Number | [name not legible] | The maximum value between wanguardsensor_max_pps and wanguardfilters_max_pps
34 | Peak Bits/s | Number | max_bps | The maximum value between wanguardsensor_max_bps and wanguardfilters_max_bps

Time Related Parameters

# | Conditional Parameter | Type | Dynamic Parameter | Description
35 | WANGuard Sensor Time Interval (seconds) | Number | wanguardsensor_difftime | The duration of the traffic anomaly reported by WANGuard Sensor
36 | WANGuard Filter Time Interval (seconds) | Number | wanguardfilters_difftime | The maximum duration of the traffic anomaly reported by active WANGuard Filter(s)
37 | Time Interval (seconds) | Number | difftime | The maximum value between wanguardsensor_difftime and wanguardfilters_difftime
38 | [name not legible] | Number | wanguardsensor_first_unixtime | The time in unix format when the traffic anomaly started
39 | [name not legible] | Number | wanguardsensor_last_unixtime | The latest time in unix format when the traffic anomaly was still active on WANGuard Sensor
40 | [name not legible] | String | wanguardsensor_last_time | The latest time in iso8601 format when the traffic anomaly was still active on WANGuard Sensor
41 | [name not legible] | String | wanguardfilters_last_time | The latest time in iso8601 format when the traffic anomaly was still active on WANGuard Fi
points to the WANGuard Filter server as the best route to the attacked addresses, and the router forwards all traffic destined to those addresses to the WANGuard Filter server.

BGP Configuration Guidelines

This section provides general guidelines for BGP configuration on the WANGuard Filter server and on a divert-from router. The guidelines provided in this section apply to the BGP configuration on any router from which the WANGuard Filter system diverts the traffic. The following examples are provided using common External Border Gateway Protocol v4 (eBGP). You should consider the network configuration and determine whether eBGP or iBGP should be implemented in your network.

Follow these guidelines when the WANGuard Filter system and adjacent routers operate using common eBGP:
1. Configure bgpd with an easily recognizable AS (Autonomous System) number. The bgpd sends routing information only when it diverts traffic. This route appears in the router's routing tables. Using a recognizable value allows you to easily identify the WANGuard Filter system in the router's routing tables.
2. To ensure that the bgpd routing information is not redistributed to other internal and external BGP neighboring devices, perform the following:
   - Configure the bgpd not to send routing information and to drop incoming BGP routing information.
   - Set the bgpd BGP community attribute values to no-export and no-advertise. A match in the community attributes enables bgpd t
Buttons

The first column on every record is populated with icons that engage actions such as viewing details about the record, changing the record and deleting the record. Users with Normal User privileges can only view details about records. Users with Administrator privileges can view, change and delete records.

IP Zones

IP Zones are hierarchical, tree-like structures that contain user-provided details about your network elements and segments. Each WANGuard Sensor uses an IP Zone from which it extracts information such as what IP classes must be monitored, what IP classes should generate traffic graphs and accounting data, IP classes' descriptions, inbound and outbound traffic thresholds, and what Action should be activated when an inbound or outbound traffic anomaly is detected. The same IP Zone may be used by different WANGuard Sensor systems.

Actions

Actions provide a unique and powerful way to automate the reaction to traffic anomalies and attack patterns. An Action contains a collection of Action Modules that WANGuard Sensor and WANGuard Filter execute during the reaction phase of a traffic anomaly or DoS/DDoS/DrDoS attack. Every IP class monitored and defined in the current IP Zone may have its own Action configured. If a traffic threshold for an IP address is reached, the defined Action for that IP's IP class is triggered.

Opening WANGuard Console for the first time

WANGuard Console is essentially the web interface through wh
You must first select the WANGuard Filter from the WANGuard Filter Selection window and then add IP classes using the New IP Address/Subnet form. The mode of operation is very similar to the one used in IP Zones configuration.

[Screenshot: WANGuard Filter Whitelists window, adding exceptions for 89.90.12.0/24 on the DDoS Filtering WANGuard Filter, with Description, Protocol, Parameter, Operator and Value fields]

To add a new rule to the Whitelist you must enter the following fields:
- Description: Add a description, explanation or comment for the exception.
- Protocol: You can choose what type of traffic the rule will match: ANY, TCP, UDP, ICMP.
- Parameter: Which traffic parameter should be compared: IP Address, Source Port, Destination Port, Packet Length, IP Packet TimeToLive, IP Protocol Type.
- Operator: Operators for strings and numbers: equal, non-equal. Operators for numbers: less than, greater than.
- Value: The user-defined value that should be compared.
- Action:
  - Add: To add the new rule to the Whitelist.
  - Delete: To delete an existing rule.

In the following configuration example, when the DDoS Filtering WANGuard Filter is activated to protect an IP from 89.9
    r7500(config-route-map)# match community <WANGuard Filter community name> exact-match
    r7500(config-route-map)# exit
    r7500(config)# ip access-list standard routesToWANGuardFilter
    r7500(config-std-nacl)# deny any

The no synchronization command prevents the distribution of the bgpd routing updates into the Interior Gateway Protocol (IGP).

Cisco Router BGP Configuration Example

To display the router configuration, enter the show running-config command from the router global command level. In the following example the router's AS number is 1000 and the bgpd AS number is 64000. The following partial output is displayed:

    r7500# show running-config
    router bgp 1000
     bgp log-neighbor-changes
     neighbor 192.168.1.100 remote-as 64000
     neighbor 192.168.1.100 description WANGuard Filter appliance
     neighbor 192.168.1.100 soft-reconfiguration inbound
     neighbor 192.168.1.100 distribute-list routesToWANGuardFilter out
     neighbor 192.168.1.100 route-map WANGuard-Filter in
     no synchronization
    !
    ip bgp-community new-format
    ip community-list expanded WANGuard-Filter permit 1000:64000 no-export no-advertise
    !
    route-map WANGuard-Filter permit 10
     match community WANGuard-Filter exact-match
    !
    ip access-list standard routesToWANGuardFilter

Understanding Traffic Forwarding Methods

This section provides details on traffic forwarding methods. Traffic forwarding methods are used to forward the cleaned traffic from the WANGuard Filter system to a downst
Following standard Border Gateway Protocol (BGP) routing definitions, routers select the routing path with the longest matching prefix, also known as the most specific. After establishing a BGP session with the router, WANGuard Filter sends a routing update where the WANGuard Filter system is listed as the best path for the attacked destinations. The network prefix that WANGuard Filter announces is longer than the one already listed in the router's routing table, overriding the router's routing table definition.

To configure traffic diversion in Layer 2 or Layer 3 network topologies, perform the following:
1. Configure traffic diversion using BGP.
2. Configure the appropriate traffic forwarding method.

[Figure: traffic diversion topology with NSP 1 to NSP 7, Ingress Routers 1 to 3, a Linux server with WANGuard Sensor (flow/pcap), a Linux server with WANGuard Filter receiving the rerouted traffic, Aggregation Switches 1 to 5, Distribution Switches 1 and 2, a Server Farm and Clients]

The figure above provides an example of traffic diversion from Ingress Router 1, 2, 3 towards a Linux server running the WANGuard Filter software. After BGP diversion is established, the router's routing tables point
[Screenshot: IP Zone Configuration window showing the 192.168.0.0/16 Internal Network IP class, its Packets/s and Bits/s thresholds per Traffic Protocol, and the Parameters for 192.168.0.0/16 panel]

After adding the 192.168.0.0/16 IP class using the top-left form, the tree is immediately updated to contain the new IP class. The Inheritance column shows what the inherited values are and from which parent IP class.

In the image below you can see that a new IP class called Customer Service was added and only the Description and the Graphing values were changed. The other values are inherited from the direct parent (192.168.0.0/16), or from the parent's parent (0.0.0.0/0) if the direct parent didn't change those values. Because the parent IP class has the Graphing parameter set to Yes and this IP class has the Graphing parameter set to No, WANGuard Sensor generates traffic graphs for all IP addresses contained in the Internal Network IP class that are not contained in the Customer Service IP class.

[Screenshot: IP Zone Selection and IP Zone Configuration windows for the Customer Service IP class]
WANGuard Sensor and WANGuard Filter systems. A complete list of Conditional Parameters is available in Appendix 2, Conditional & Dynamic Parameters (Page 96). Dynamic Parameters are parameters defined within curly brackets that can be included in the body of most Action Modules. Every Conditional Parameter has a correspondence with a Dynamic Parameter.

One very special type of Conditional Parameter is called Unique Dynamic Parameter. Basically, what Unique Dynamic Parameters do is to check that no other WANGuard Sensor exports the same Unique Dynamic Parameters. Using this property it becomes possible to resolve conflicts between WANGuard Sensor systems when two or more WANGuard Sensor systems analyze some common traffic, especially in redundant configurations.

WANGuard Filter Enabler Action Module

The WANGuard Filter Enabler Action Module is used by WANGuard Sensor to activate a WANGuard Filter for mitigation purposes. This module should be activated at the beginning of a traffic anomaly, or while polling the traffic anomaly if you check the RunOnce checkbox and use Preconditions to check, for example, whether the traffic anomaly's severity is big enough.

[Screenshot: Traffic Anomaly Actions window, Edit Action form with the Active checkbox and the Priority (order of execution) field]
by the WANGuard Filter system activated to mitigate the traffic anomaly, while attack patterns are detected.

The Action Modules are executed in three situations, each having its own branch in the Action tree:
- Beginning: Action Modules added to this branch are executed once, immediately after the traffic anomaly or attack pattern has been detected.
- Polling: Action Modules added to this branch are executed periodically, every 5 seconds, while the traffic anomaly or attack pattern is active. A Polling Action Module can be configured to run only once by checking the RunOnce checkbox, usually when used together with Preconditions.
- Ending: Action Modules added to this branch are executed once, after 5 minutes of traffic anomaly inactivity or after the attack pattern timeout occurs.

Adding New Action

[Screenshot: Setup menu with the IP Graphs Parameters, BGP Routers, IP Zones, Users, WANGuard Filter and WANGuard Sensor entries]

When you select Actions from the Setup menu, the Actions configuration window will be displayed. Existing Actions are listed in the left section of the window, in a hierarchical structure where every Action has its own Beginning, Polling and Ending branches, explained in the previous paragraph. To add a new Action, you must first enter a generic description in the New
Dynamic Parameters (Page 96). The emails are sent through the local SMTP server (sendmail, postfix, qmail, etc.) of the WANGuard Console system using the Perl Mail::Send module. By default the sender will be <WANGuard@localhost.localdomain>. For sender customizations (From field), please consult your SMTP server documentation. Every email sent by this module is recorded in the Anomaly Logs (Page 86).

WANGuard Sensor Script Action Module

This module is used by WANGuard Sensor to execute custom scripts written in any Linux-compatible scripting language, such as bash, perl, ruby, python, etc. C and C++ programs or Linux commands can also be executed. The scripts can be executed at the beginning (Beginning branch), during (Polling branch) or at the end (Ending branch) of a traffic anomaly. Scripts can access WANGuard Sensor Dynamic Parameters through command-line parameters (options). The scripts are executed locally on each WANGuard Sensor system that uses Actions that include this module. Multiple commands can be executed using the separator. Scripts executed through the WANGuard Sensor Script Action Module have the user privileges of the wanguard system account. To elevate privileges for your scripts you should use the sudo prefix after editing the /etc/sudoers file.

Some possible uses of this module:
- configure ACLs or execute PIX shun commands to dro
