Andrisoft wanguard 6.2, User Manual

Page 1: ......

Page 2: ...pyright Acknowledgment 2016 ANDRISOFT S R L All rights reserved All rights reserved This document is copyrighted and ANDRISOFT S R L reserves all rights No part of this document may be reproduced or t...

Page 3: ...pts of Wanguard Console 19 19 Side Region 19 Central Region 19 South Region 19 Upper Menus 19 6 6 Configuration General Settings Graphs Storage Configuration General Settings Graphs Storage 20 20 Sens...

Page 4: ...nfiguration General Settings Outgoing Email Configuration General Settings Outgoing Email 70 70 24 24 Configuration General Settings User Management Configuration General Settings User Management 71 7...

Page 5: ...a CatOS Device 106 Configuring NDE on a Native IOS Device 106 Configuring NDE on a 4000 Series Switch 107 Configuring NDE on IOS XE 107 Configuring NDE on a Juniper Router non MX 107 33 33 Appendix 3...

Page 6: ...line behavior of users and by comparing over 130 live traffic parameters against user defined thresholds ON PREMISE DDOS MITIGATION Protects networks by using BGP blackhole routing or FlowSpec protect...

Page 7: ...ensor provides traffic anomaly detection bandwidth monitoring and traffic accounting The collected information allows you to generate complex traffic reports graphs and tops instantly pin down the cau...

Page 8: ...riodically send them as flow records to a Flow Sensor Because the flow protocol already performs pre aggregation of traffic data the flow data sent to Flow Sensor is much smaller than the monitored tr...

Page 9: ...e It is recommended to use an SNMP Sensor only for devices that are unable to export flows or mirror packets or when comparing flow and SNMP derived statistics to ensure the flow data accuracy The tab...

Page 10: ...be configured to send notification emails to the ISP s originating non spoofed attacks DDoS Mitigation with Wanguard Filter When a Sensor detects that a destination is under attack it executes a Resp...

Page 11: ...un on a powerful server to be able to do packet inspection on high speed interfaces Each configuration option is covered on page 55 Flow Filter analyzes NetFlow jFlow NetStream cflowd sFlow or IPFIX f...

Page 12: ...path It receives flows from a Flow Sensor or a copy of packets from a TAP or mirroring port Direct filtering is not possible but the Filter is still able to generate filtering rules that improve the...

Page 13: ...anguard was designed to be completely scalable It can be installed either on a single server having adequate hardware resources or on multiple servers distributed across the network It is highly recom...

Page 14: ...y need Adobe PDF Reader For the best experience use a 1280x1024 or higher resolution display Packet Sensor Hardware Requirements Packet Sniffing Capacity 1 Gbit s 1 400 000 packets s 10 Gbit s 14 000...

Page 15: ...PU speed Flow Sensor can store flow data on the local disk in a highly compressed binary format SNMP Sensor Hardware Requirements Capacity Minimum Hardware Requirements for 20 Devices Architecture 64...

Page 16: ...routing performance during spoofed attacks and SYN floods However the filtering and packet forwarding capacity may not be line rate during powerful attacks with small packets The hardware filters supp...

Page 17: ...nd centralized system through which you can control and monitor all other components If you have correctly followed the installation instructions from now on you will only need to log in to Console to...

Page 18: ...low Sensors can use a single Flow Filter Wanguard Filter works only in conjunction with Wanguard Sensor Sensor Cluster and Filter Cluster are free and do not require licensing Console is free and it d...

Page 19: ...5 to 10 seconds The Reports section title bar contains a Quick Search button Keyboard shortcut Ctrl S Central Region Each report dashboard or tool you select in the Side Region opens a tab page in th...

Page 20: ...that receive traffic without sending any traffic in return Do not set it to Off when monitoring unidirectional links or asymmetric traffic The size of each IP graph file is listed on the bottom of th...

Page 21: ...es TCP traffic with RST flag set TCP ACK Matches TCP traffic with SYN flag unset and ACK set TCP SYNACK Matches TCP traffic with SYN flag set and ACK flag set HTTP Matches TCP traffic on source or des...

Page 22: ...h subnet are listed in the IP Zone and the current disk usage in Configuration General Settings Data Retention The internal program used for saving IP graph data is opt andrisoft bin genrrds_ip If it...

Page 23: ...nguard Sensor detects traffic anomalies using two different and non exclusive methods Threshold Anomalies Detected for user defined threshold values Thresholds can be defined inside IP Zones for the d...

Page 24: ...e destination port under 1024 enter udp and dst portrange 1 1023 Flow Filtering Expression Enter a filtering expression for flows if you intend to use a Flow Sensor and or Flow Filter Click the light...

Page 25: ...x 2000000 sbin sysctl w net netfilter nf_conntrack_tcp_loose 0 sbin sysctl w net ipv4 tcp_timestamps 1 Invalid TCP Flags When enabled the Filter blocks all invalid TCP flags immediately after its acti...

Page 26: ...r each filtering rule type Enabled Check to allow the Filter to detect the filtering rule automatically Filtering Rule Describes the filtering rule Priority By double clicking the cell you can change...

Page 27: ...to the action name Each action panel contains specific fields The following fields are common Action Name Name or short description of the action Action Priority Select the order of execution relativ...

Page 28: ...IP It is ip if the DNS lookup is not returning a DNS PTR record 3 CIDR Number cidr The IP mask of the IP address or IP block 4 Prefix String prefix The IP CIDR from your network that is originating or...

Page 29: ...anomalies in Reports Tools Anomalies 22 Custom Script Return Value String The conditional parameter passes only when the script entered in the Value field returns 0 The Comparison field must be set t...

Page 30: ...ed anomalies 16 Peak Value Number value The highest value of the abnormal traffic It represents pkts s or bits s depending on the anomaly unit 17 Latest Value Number latest_value The latest value of t...

Page 31: ...y for the TOTAL decoder 6 TOTAL Bits Number sum_total_bits The sum of bits of the IP or subnet recorded during the anomaly for the TOTAL decoder TIME RELATED PARAMETERS 1 From unixtime Number from_uni...

Page 32: ...The number of bits filtered by active Filter s 12 Filters CPU Usage Number filters_max_cpu_usage The maximum CPU used by active Filter s instance s FILTERING RULE PARAMETERS 1 Filtering Rule Number f...

Page 33: ..._rule_log_size The size of the packet trace that captures traffic matched by the filtering rule Needs a Capture Traffic action 18 String attacker_isp If the filtering rule is for an IP this dynamic pa...

Page 34: ...contains at least the 0 0 0 0 0 network Since the CIDR mask is 0 this supernet includes all IP addresses available for IPv4 and IPv6 For an easier configuration every new prefix that you define inheri...

Page 35: ...Response Select a previously defined Response or select None to have no reaction to anomalies other than displaying them in Reports Tools Anomalies Active Anomalies Parent Select Yes if more specific...

Page 36: ...erent threshold values define only the smallest threshold value and then use preconditions inside the Response For example if you want to activate Filter for UDP attacks stronger than 100 Mbps but als...

Page 37: ...talled on the server Hardware Key Read only string used for licensing purposes The hardware key field is updated by the WANsupervisor service on installation or when the hardware IP or hostname change...

Page 38: ...s Device Group Optional description used within Console to group up components e g by location or role It can be used to restrict the access of Guest accounts Sensor Server The server that runs the Pa...

Page 39: ...selected IP Zone Strict Packet Sensor analyzes the traffic that has either the source or the destination IP in the selected IP Zone Exclusive Packet Sensor analyzes the traffic that has the destinati...

Page 40: ...Sensor license On a quad core CPU with multithreading the ixgbe driver allocates 8 RSS queues In this case if you define a Packet Sensor for ethX 0 3 and another one for ethX 4 7 the packet processin...

Page 41: ...ver on the configured interface Verify whether the server is receiving packets through the configured interface tcpdump i interface_usually_eth1_or_p1p2 n c 100 When IP Validation is not disabled make...

Page 42: ...Server The server that runs the Flow Sensor The configuration of servers is described on page 37 Listener IP Port The IP address IPv4 or IPv6 of the network interface that receives flow packets and th...

Page 43: ...flows having the AS number set to 0 your AS are processed This rarely used option is used for establishing traffic direction AS validation has three choices Off Disables AS validation On Only flows th...

Page 44: ...name in Configuration Components Ensure that the Flow Sensor starts correctly by watching the event log details on page 69 If the Flow Sensor starts without errors but you can t see any data collecte...

Page 45: ...n JunOS there is a flow export rate limit with a default of 1k pps which leads to flow aging errors To raise the limit to 40k pps execute set forwarding options sampling instance NETFLOW family inet o...

Page 46: ...Guide Configuration Components Flow Sensor interface To troubleshoot Sensor graph or IP graph issues follow the Graphs Troubleshooting guide from page 22 Make sure you are running the latest version o...

Page 47: ...rs on the Console server The configuration of servers is described on page 37 Polling Interval Polling is the process of sending the SNMP request periodically to the device to retrieve information A l...

Page 48: ...e and the SNMP Community String stored as a MIB object on an SNMP enabled managed device Security Level Name SNMP v3 only SNMP Sensor supports the following set of security levels as defined in the US...

Page 49: ...tarts correctly by watching the event log details on page 69 If the SNMP Sensor starts without errors but you cannot see any data collected by it in Reports Components Overview after more than 5 minut...

Page 50: ...ports and percentage based bits s thresholds Associated Sensors Select which Packet Sensors and Flow Sensor interfaces must be aggregated by the Sensor Cluster IP Zone Sensor Cluster extracts from the...

Page 51: ...Traffic The logs are stored in Reports Tools BGP Operations BGP Announcement Archive If you do not need any of those features you can safely skip this chapter Wanguard supports two different back ends...

Page 52: ...ack Hole Check if you need the local black hole feature provided by the Zebra daemon This rarely used feature may be useful only for in line servers Quagga Zebra Login Enable Passwords The passwords n...

Page 53: ...ection Switches the source IP with the destination IP in each announcement Set to Inverted only when doing symmetric routing Reject External IPs When this option is selected only the announcements for...

Page 54: ...emon is not configured or accessible from the Console server Telnet errors about pattern time outs indicate mismatches between a parameter defined in the BGP Connector password AS number route map AS...

Page 55: ...esides in the main data path configured as a network bridge or as an OSI Layer 3 router To enable routing on the filtering server follow the steps required by your Linux distribution At least the foll...

Page 56: ...work adapter with a Sniffer 10G license Click the button on the right for driver specific settings PF_RING Select to use the PF_RING 6 4 framework to speed up packet processing Click the button on the...

Page 57: ...purposes Click the options button on the right to be able to configure the following Software Firewall parameters Netfilter Chain set to FORWARD if the server forwards traffic or INPUT if it does not...

Page 58: ...le to the whitelist enter the following information Description Add a description for the whitelist rule Prefix Enter a subnet that must include the anomaly IP address for the whitelist rule to be val...

Page 59: ...3 To prevent getting Location out of range errors from the ixgbe driver load it with the right parameters in order to activate all 8k filtering rules To view filtering rules applied by the Chelsio T4...

Page 60: ...erver running the Flow Filter Layer 2 3 Inline filtering Flow Filter runs on a server that resides in the main data path configured as a network bridge or as an OSI Layer 3 router To enable routing on...

Page 61: ...AN interfaces Outbound Interface The cleaned traffic is sent to a downstream router through the outbound interface which should hold the route to the default gateway For GRE IP over IP tunneling confi...

Page 62: ...ault value is 1 Must be equal to the number of filtering servers activated for the same anomaly when the Flow Filter is used in a clustered architecture where each filtering server receives traffic fr...

Page 63: ...neric filtering rule might match the white listed filtering rule When a filtering rule cannot be applied because it conflicts with a whitelist rule a small white flag icon appears next to it in Consol...

Page 64: ...resides in the main data path configured as a network bridge or as an OSI Layer 3 router To enable routing on the filtering server follow the steps required by your Linux distribution At least the fo...

Page 65: ...e that makes the server next hop for the attacked IP address When the attack ends the Filter Cluster automatically withdraws the BGP announcement and the traffic towards the IP address is routed norma...

Page 66: ...IPs Up to 4086 hardware filters possible Intel x520 or x540 10 Gigabit adapter blocks IPv4 destinations Filter Cluster programs the Intel chipset to drop IPv4 addresses from filtering rules that cont...

Page 67: ...rs for strings and numbers equal non equal Operators for numbers less than greater than Rule Value A user defined value that should match FW Policy When FW Policy is Permit and Operator is equal the F...

Page 68: ...Schedulers and click the button from the title bar of the panel You can include more than one email address in the Email To field by separating addresses with a comma The emails are sent periodically...

Page 69: ...tes the maximum severity of the events red means that there are ERRORS blue is for INFO events etc The event s severity indicates its importance MELTDOWN Meltdown events are generated in severe situat...

Page 70: ...a local Mail Transfer Agent Sendmail Send emails using the sendmail command To use it you may have to configure a Mail Transfer Agent Postfix Qmail Sendmail on the Console server SMTP Security Securi...

Page 71: ...selected account There are two Authentication options Local Password The user is authenticated with the password entered in the Password field All passwords are stored encrypted Remote Authentication...

Page 72: ...SL set this parameter as ldaps IP Login Attribute Enter the LDAP attribute that contains the username For Active Directory is may be mailNickname or sAMAccountName for OpenLDAP or IBM Directory Server...

Page 73: ...a user or network host to an authentication entity MSCHAP is the Microsoft version of the Challenge handshake authentication protocol CHAP MSCHAP2 is another version of Microsoft version of the Chall...

Page 74: ...and its reverse DNS In front of the prefix the arrow indicates the direction of traffic inbound when the arrow is pointing towards the prefix or outbound when the arrow is pointing away from the pref...

Page 75: ...adjusted Delete BGP Prefix available if a BGP announcement with the prefix exists Generate Anomaly Report generates a full anomaly report that can be viewed in a separate tab or emailed to interested...

Page 76: ...r from the Filter configuration BGP FlowSpec or S RTBH controlled by the BGP FlowSpec parameter from the Filter configuration and activated by a Response action Third party Firewall activated by a Res...

Page 77: ...omalies button from the top toolbar clears active anomalies by manipulating the database Anomaly Overview Shows trends and summarizations of traffic anomalies detected by the selected Sensors using th...

Page 78: ...there is at least one active BGP announcement the following table is displayed BGP Connector Which BGP Connector was used to sent the routing update When Grouping is set to BGP Connector clicking it...

Page 79: ...e users By clicking the down arrow of any column header you can apply row filters change sorting direction and toggle the visibility of columns All columns are explained in the previous section except...

Page 80: ...Select the Filters that must apply the firewall rule according to their configuration Interfaces Netfilter Chain Netfilter Table IP Protocol s Select one or more IP protocols or Any to match all packe...

Page 81: ...cription A short name that helps you identify the firewall rule This is the only mandatory field Direction Select Inbound to match packets entering your network through interfaces defined as Inbound i...

Page 82: ...ut formats or you can type your own format Click the light bulb icon on the left to open a window that shows you the correct syntax Export If the output is not very large it can be viewed emailed or p...

Page 83: ...utput is not very large it can be emailed or printed If you need to list huge amounts of flow data doing so solely from within the web browser may not be a good idea In this case select the Dump optio...

Page 84: ...ess Stop Capture Time When Max Running Time is set to Unlimited you can set the exact date when the capturing thread will stop Max File Size MB The option is used for splitting packet dumps into multi...

Page 85: ...of dump files generated and the size of the latest dump file Packets The number of packets captured Actions Click the first icon to view the latest dump file in an integrated packet analyzer interfac...

Page 86: ...onents and servers Console The table displays the following data Status A green check mark indicates that Console is functioning properly When a red X appears enable the WANsupervisor service on the C...

Page 87: ...quad core system is 400 CPU IOwait Percentage of CPU resources waiting for I O operations A high number indicates an I O bottleneck CPU Idle Percentage of idle CPU resources Can be 100 on multiple co...

Page 88: ...for errors in the event log see page 69 Sensor Name Displays the name of the Packet Sensor and a colored square with the color defined in its configuration Click to open a new tab with data specific...

Page 89: ...bits second throughput after IP or AS validation and usage percent Outbound Bits s Outbound bits second throughput after IP or AS validation and usage percent IPs Int Ext IP addresses that send or re...

Page 90: ...liverable to a higher layer protocol One possible reason for discarding such a packet could be to free up buffer space Oper Status Current operational state of the interface The Testing state indicate...

Page 91: ...e Prefix IP address mask of your network that is originating or being the target of the traffic anomaly Click to open a tab with data specific to the IP block or address IP Group IP group of the prefi...

Page 92: ...und packets second on Y axis and outbound packets second on Y axis Bits Inbound bits second on Y axis and outbound bits second on Y axis Applications Sensor can collect application specific distributi...

Page 93: ...ed dimension or enter a custom one in a X x Y format where X and Y are the X axis and Y axis pixels Graphs Title Graphs can have an automatically generated title for the Auto option no title for the N...

Page 94: ...ons IPv4 or IPv6 Available when the Top Generator parameter from the Sensor configuration is set to Basic Decoder Select the decoder that analyzes the type of traffic that interests you Direction Dire...

Page 95: ...ct to generate a single graph for all selected Sensors Group ASNs Select to show a single graph for multiple AS numbers Country Graphs Flow Sensors and Packet Sensors can generate traffic and bandwidt...

Page 96: ...Filter Graphs This sub tab allows you to view a variety of Filter related histograms for the selected Filter s Data Units Select one or more data units Most Used Frequently used data units Anomalies...

Page 97: ...regation type If you are interested in average values choose the AVERAGE aggregation type If you are interested in low values choose the MINIMUM aggregation type Group Filters Select to generate a sin...

Page 98: ...e dashboard configuration you can edit the name of the dashboard set permissions layout or choose to override the time frame of widgets with the time frame of the dashboard The dashboard contains widg...

Page 99: ...ub tabs share the following common toolbar fields Sensor Select the Sensors you are interested in or select All to select all Sensors Administrators can restrict the Sensors accessible by guest accoun...

Page 100: ...ecoder can be included in both TCP and HTTP thus generating a decoder conflict Check this option to stop detection of conflicting decoders in order to generate more intuitive but potentially inaccurat...

Page 101: ...nd filter the flow data collected by the selected Flow Sensors for the selected IP block host or group The options are described in the Flow Collectors chapter on page 82 Flow Tops This sub tab is vis...

Page 102: ...s Console Server Graphs Server Graphs allows you to generate various histograms for the selected server s Data Units Select one or more data units Most Used Frequently used data units System Load Load...

Page 103: ...for the graph legend Consolidation If you are interested in spikes choose the MAXIMUM aggregation type If you are interested in average values choose the AVERAGE aggregation type If you are intereste...

Page 104: ...32 C 8192 255 255 224 000 18 64 C 16384 255 255 192 000 17 128 C 32768 255 255 128 000 16 256 C 1 B 65536 255 255 000 000 15 512 C 2 B 131072 255 254 000 000 14 1024 C 4 B 262144 255 252 000 000 13 2...

Page 105: ...te cache flow For example interface FastEthernet0 ip route cache flow interface Serial2 1 ip route cache flow It is necessary to enable NetFlow on all interfaces through which traffic you are interest...

Page 106: ...enable set mls nde version 5 The following command is required to set up flow mask to full flows switch enable set mls flow full The following commands break up flows into shorter segments 1 minute f...

Page 107: ...evice but instead of command ip route cache flow use command ip route cache flow infer fields This series requires a Supervisor IV with a NetFlow Services daughter card to support NDE Configuring NDE...

Page 108: ...ata Export interfaces ge 0 1 0 unit 0 family inet filter input all output all address 192 168 1 1 24 firewall filter all term all then sample accept forwarding options sampling input family inet rate...

Page 109: ...rigger After an attack is detected Sensor signals the IBR Internet Border Router via BGP that all traffic destined to IPv4 Victim has to be dropped In more details Sensor advertises via BGP an IPv4 Vi...

Page 110: ...mat r7500 config ip community list Wanguard Sensor community name permit BH community e g 65000 66 r7500 config route map Wanguard Filter in permit 10 r7500 config route map match community Wanguard S...

Page 111: ...y which sets a higher priority on black hole route e g set Local Preference at 200 for BH route The direction and place where BGP routing policy has to be implemented are strongly dependent on What ro...

Page 112: ...rations is for informational purposes only Please refer to the appropriate router user guides for more detailed and up to date information Understanding the Traffic Diversion Method The method relies...

Page 113: ...that is usually the next hop to the destinations according to the routing table on the Divert from router before traffic diversion is activated Figure 1 Logical Diagram for an Enterprise Network how t...

Page 114: ...efixes with well known community no advertise this would prevent redirect prefixes announcements to be propagated to other peers through BGP The no export community might be used in case redirect pref...

Page 115: ...hown in the following example Please note that you can use the prefix list route map or distribute list method for filtering outgoing routing information about the router To have a uniform approach th...

Page 116: ...nstead of Quagga BGPd if you need FlowSpec ExaBGP is still under heavy development at the time of writing and some essential features are only available on the latest version 4 0 branch On Debian Ubun...

Page 117: ...7200 config route map match community Wanguard Filter community name exact r7200 config route map exit r7200 config route map Wanguard Filter out deny 10 r7200 config route map exit r7200 config route...

Page 118: ...lter in in no synchronization ip bgp community new format ip community list expanded Wanguard Filter permit no advertise ip community list expanded Wanguard Filter permit Wanguard Filter community rou...

Page 119: ...be identified depending on the existing network setup and which device may have the role of Divert from Inject to and Next hop router 1 Layer 2 Forwarding Method 2 Layer 3 Forwarding Method Layer 2 F...

Page 120: ...a the Inject to Next hop routers Warning Any special L2 configuration on Filter interface e g bonding VLAN tagging etc will impact scrubbing forwarding performance of Filter while hardware optimizatio...

Page 121: ...ter cleans the traffic and returns the cleaned traffic to the same router Inject to Divert from The Inject to router has the redirect route 32 in its routing table and will send back the clean traffic...

Page 122: ...rs exist then the following have to be considered too multiple GRE tunnels have to be deployed and static routes at Filter level have to be considered or multiple entries on PBR matching each zone dep...

Page 123: ...map set ip next hop C C C C where C C C C is the IP of Next hop router which is direct connected to Divert from router r7200 config route map exit r7200 config interface GigabitEthernet 0 0 r7200 con...

Page 124: ...e RT e g 65000 100 and also inside RT e g 65000 200 export routes with outside RT excepting the redirect diversion routes on VRF inside import the routes having inside RT and specific routes having ou...

Page 125: ...00 config r7200 config interface to Upstream Provider r7200 config if ip vrf forwarding Outside Warning This will remove IP address from interface IP address has to be reconfigured again r7200 config...

Page 126: ...7200 config router af no synchronization r7200 config router af redistribute connected r7200 config router af redistribute other IGP static if needed r7200 config router af exit address family r7200 c...

Page 127: ...the logical combination of other Conditional Parameters New Response actions Send a visual or audio notification to all logged in Console users Send a custom SNMP Trap Apply the filtering rule on a th...

Page 128: ...ilter Configuration window A new FW Policy field on Whitelist rules that explicitly permits traffic through the Software Firewall Configuration General Settings Anomaly Detection contains a new option...

Page 129: ...rts and Configuration side regions can be set apart by user preference e g one on the right and one on the left New Ctrl R keyboard shortcut toggles side regions Configuration General Settings Data Re...

Page 130: ...iguration Schedulers items can be activated inactivated with a single right click Configuration General Settings License Manager Requirements lists all the required licensing data Various aesthetic im...

Page 131: ...cement Archive displays BGP Connector Role Filter The Filter renamed Packet Filter A new Flow Filter able to detect attackers from flow data analyzed by a Flow Sensor A new Filter Cluster able to clus...