
Configuring and Managing the Cisco Traffic Anomaly Detector

The following sections briefly outline the configuration parameters of the Cisco Traffic Anomaly Detector.

Like the IPS sensor appliance, the Anomaly Detector can be configured through the command-line interface (CLI) and through its built-in web-based manager (WBM) GUI.

The Detector must first be initialized from the CLI with basic parameters such as the IP address, default gateway, routes, and the access control list (ACL) that restricts management access. Once the Detector is initialized and reachable on the network, the remaining tasks can be completed from the web-based GUI.

The Detector CLI provides several command modes, and access to them is mapped to CLI privilege levels in much the same way as on the IPS sensor software. By default, the admin user account exists with full administrative rights to the Detector CLI.

Table 22-1 provides details of the various command and configuration modes used in the Detector CLI.

Table 22-1. Detector Command Configuration Modes

Mode: Global
Description: Allows connection to remote devices and listing of system information. The global prompt is the default prompt after logging in to the Detector. The command prompt is as follows:
user@DETECTOR#

Mode: Configuration
Description: Allows configuration of features that affect Detector operation; access is restricted. To enter configuration mode, use the configure command in global mode. The command prompt is as follows:
user@DETECTOR-conf#

Mode: Interface configuration
Description: Allows configuration of the Detector network interfaces. To enter interface configuration mode, use the interface command in configuration mode. The command prompt is as follows:
user@DETECTOR-conf-if-<interface-name>#

Mode: Router configuration
Description: Allows configuration of the Detector routing settings. To enter router configuration mode, use the router command in configuration mode. The command prompt is as follows:
router>

Mode: Zone configuration
Description: Allows configuration of zone attributes. To enter zone configuration mode, use the zone command in configuration mode or the configure command in global mode. The command prompt is as follows:
user@DETECTOR-conf-zone-<zone-name>#

Mode: Policy template configuration
Description: Allows configuration of the zone policy templates. To enter policy template configuration mode, use the policy-template command in zone configuration mode. The command prompt is as follows:
user@DETECTOR-conf-zone-<zone-name>-policy_template-<policy-template-name>#

Mode: Policy configuration
Description: Allows configuration of the zone policies. To enter policy configuration mode, use the policy command in zone configuration mode. The command prompt is as follows:
user@DETECTOR-conf-zone-<zone-name>-policy-<policy-path>#

Mode: Guard configuration
Description: Allows configuration of the zone definitions that are unique to the Guard, such as user filters. To enter guard configuration mode, use the guard-conf command in zone configuration mode. The command prompt is as follows:
user@DETECTOR-conf-zone-<zone-name>(guard)#


Managing the Detector

As mentioned earlier, the Detector must first be initialized through CLI console access.

After that, the Detector can be accessed and managed using one of the following methods:

Initializing the Detector Through CLI Console Access

By default, the Detector ships without a configuration and requires a few basic parameters before it can be managed from the GUI. When the boot process finishes, log in at the CLI console with the default username admin and password rhadmin. Change this default password before the Detector becomes reachable on the network; a well-known default on a security appliance is an obvious target.

Note

The Detector has four physical interfaces: eth0, eth1, giga0, and giga1. The out-of-band interfaces are eth0 and eth1 (10/100/1000 Ethernet sockets for out-of-band management); either eth0 or eth1 must be configured with an IP address and subnet mask. The in-band interfaces (copper or fiber sockets) are giga0 and giga1.


Example 22-1 shows the basic initialization parameters, entered in configuration mode, that activate the out-of-band management interface, assign the default gateway, and enable the built-in web-based manager (WBM) service.

By default, the Detector restricts management access: any host that needs to reach the Detector must be explicitly permitted in the ACL. Example 22-1 permits the host at 10.1.1.150 in the ACL so that it can manage the Detector through the built-in WBM application, and also shows how to enable the Multi-Device Manager (MDM) and point it at that same host. Note that the example enters configuration mode with configure before the interface commands and leaves interface configuration mode with exit before the global configuration commands continue.

Example 22-1. Basic Detector Initialization Parameters Using CLI Console

user@DETECTOR# configure
user@DETECTOR-conf# interface eth1
user@DETECTOR-conf-if-eth1# ip address 192.168.1.1 255.255.255.0
user@DETECTOR-conf-if-eth1# no shutdown
user@DETECTOR-conf-if-eth1# exit
user@DETECTOR-conf# default-gateway 192.168.1.254
user@DETECTOR-conf# service wbm
user@DETECTOR-conf# permit wbm 10.1.1.150
user@DETECTOR-conf# service mdm
user@DETECTOR-conf# mdm server 10.1.1.150

In addition to the previous sample configuration, other basic parameters can be configured optionally:

After the basic initial parameters have been configured through the CLI, the Detector can be managed from a standard web browser (Internet Explorer) on the desktop PC by entering the following address:

https://Detector-ip-address/
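The initialization sequence above is easy to get subtly wrong: a gateway outside the management subnet leaves the Detector unreachable, a missing permit leaves the GUI closed to everyone, and an overly broad permit opens it to far more than the intended management station. The following Python script is an added example (it is not from the book or from Cisco): it builds the Example 22-1 command list from a few parameters, checks those pitfalls first, and renders each command with the prompt it would be typed at, following the mode hierarchy in Table 22-1. It assumes the command syntax shown in Example 22-1, that exit leaves interface configuration mode, and, as a hypothetical extension, that permit wbm accepts an optional subnet mask after the address.

```python
"""Build and sanity-check Detector initialization commands (added example, not Cisco code).

Assumptions: command syntax as in Example 22-1; `exit` leaves interface
configuration mode; `permit wbm <addr> <mask>` for subnet entries is hypothetical.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

OOB_INTERFACES = ("eth0", "eth1")   # out-of-band management sockets
MAX_ACL_SIZE = 256                  # flag WBM permits wider than a /24


@dataclass
class DetectorInit:
    mgmt_if: str                    # eth0 or eth1
    mgmt_addr: str                  # e.g. "192.168.1.1"
    mgmt_mask: str                  # e.g. "255.255.255.0"
    gateway: str                    # e.g. "192.168.1.254"
    wbm_acl: List[str] = field(default_factory=list)   # hosts/subnets allowed to use WBM
    mdm_server: Optional[str] = None                  # MDM station, if any

    def validate(self) -> List[str]:
        """Return a list of problems; an empty list means the parameters are sane."""
        problems = []
        if self.mgmt_if not in OOB_INTERFACES:
            problems.append(f"{self.mgmt_if} is not an out-of-band interface (use eth0/eth1)")
        mgmt_net = ipaddress.ip_network(f"{self.mgmt_addr}/{self.mgmt_mask}", strict=False)
        if ipaddress.ip_address(self.gateway) not in mgmt_net:
            problems.append(f"gateway {self.gateway} is outside the management subnet {mgmt_net}")
        if not self.wbm_acl:
            problems.append("no WBM permit entry: the GUI will be unreachable")
        for entry in self.wbm_acl:
            net = ipaddress.ip_network(entry, strict=False)
            if net.num_addresses > MAX_ACL_SIZE:
                problems.append(f"WBM permit {net} is too broad; permit specific management hosts")
        if self.mdm_server is not None:
            ipaddress.ip_address(self.mdm_server)   # raises ValueError on a malformed address
        return problems

    def commands(self) -> List[str]:
        """Emit the CLI commands in order, starting from global mode."""
        cmds = [
            "configure",
            f"interface {self.mgmt_if}",
            f"ip address {self.mgmt_addr} {self.mgmt_mask}",
            "no shutdown",
            "exit",                                   # back to configuration mode
            f"default-gateway {self.gateway}",
            "service wbm",
        ]
        for entry in self.wbm_acl:
            net = ipaddress.ip_network(entry, strict=False)
            if net.num_addresses == 1:
                cmds.append(f"permit wbm {net.network_address}")
            else:                                     # assumed mask syntax, see lead-in
                cmds.append(f"permit wbm {net.network_address} {net.netmask}")
        if self.mdm_server:
            cmds += ["service mdm", f"mdm server {self.mdm_server}"]
        return cmds


def render(cmds: List[str], user: str = "user", host: str = "DETECTOR") -> List[str]:
    """Prefix each command with the prompt it is typed at, per the Table 22-1 mode names."""
    modes: List[str] = []           # stack of prompt suffixes, e.g. ["conf", "if-eth1"]
    lines = []
    for cmd in cmds:
        suffix = "-" + "-".join(modes) if modes else ""
        lines.append(f"{user}@{host}{suffix}# {cmd}")
        words = cmd.split()
        if words[0] == "configure":
            modes.append("conf")
        elif words[0] == "interface":
            modes.append(f"if-{words[1]}")
        elif words[0] == "exit" and modes:
            modes.pop()
    return lines


if __name__ == "__main__":
    # Constructed parameters matching Example 22-1.
    cfg = DetectorInit("eth1", "192.168.1.1", "255.255.255.0", "192.168.1.254",
                       wbm_acl=["10.1.1.150"], mdm_server="10.1.1.150")
    for problem in cfg.validate():
        print("PROBLEM:", problem)
    print("\n".join(render(cfg.commands())))
```

Run it before pasting anything into the console: validate() should come back empty, and the rendered transcript should match Example 22-1 line for line. Feeding it a permit of 0.0.0.0/0 or a gateway on another subnet produces a problem entry instead of a broken appliance.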

Note

The Detector also supports TACACS+ for user authentication. When TACACS+ is configured, the Detector authenticates users against the TACACS+ server's database instead of its local user database.


Configuring the Detector (Zones, Filters, Policies, and Learning Process)

After the Detector has been initialized as shown in the previous section, several other parameters, such as zones, zone filters, and policies, must be configured to complete the setup. These can be configured from the CLI console, but they are most easily implemented through the built-in web-based GUI manager.

The following section highlights some of the basic concepts for configuring Zones, Zone Filters, Policies, and the Detector Learning phase, and for activating anomaly detection and the Guard device:

As discussed previously, several parameters must be configured to complete the Cisco Traffic Anomaly Detector deployment (refer to Table 22-1).

All of this configuration can be done either through CLI console access or through the built-in WBM GUI application.

For complete details on configuring various options, refer to the following Cisco technical documentation.

