Andrisoft Wanguard 5.2 User And Administrator Manual

Console + sniffing sensor + flow sensor + virtual sensor + filter
Summary of Contents for Andrisoft Wanguard 5.2

  • Page 2 © ANDRISOFT S.R.L. 2013. All rights reserved. This document is copyrighted and all rights are reserved by ANDRISOFT S.R.L. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording, or by any information storage and retrieval system without the permission in writing from ANDRISOFT S.R.L.
  • Page 3: Table Of Contents

    WANGUARD 5.2 User Manual & Administrator's Guide – Table of Contents: IP Traffic Monitoring, Anomalies Detection & DDoS Mitigation with WANGUARD; WANGUARD Key Features & Benefits (page 4); WANGUARD Components (page 5); A first look at WANGUARD Console ...
  • Page 4 Installation Guide: System Requirements (page 28); Sniffing Sensor Hardware Requirements (page 28); Flow Sensor Hardware Requirements (page 29); Filter Hardware Requirements (page 29); Console Hardware Requirements (page 29); Software Installation & Download (page 30); Opening Console for the first time (page 30); Licensing Procedure (page 30); Quick Configuration Steps (page 31)...
  • Page 5: IP Traffic Monitoring, Anomalies Detection & DDoS Mitigation With WANGUARD

    IP Traffic Monitoring, Anomalies Detection & DDoS Mitigation with WANGUARD Unforeseen traffic patterns affect user satisfaction, pressure over-subscription plans, and clog costly transit links. Providing high performance and reliable network services is central to the success of today's organizations. As...
  • Page 6: WANGUARD Components

    ● OUTSTANDING SUPPORT – Standard Support inquiries sent by email are answered by experienced engineers in 24 hours or less. We can use Skype or TeamViewer. ● CONTEXTUAL HELP – Includes a Contextual Help system, an Installation Wizard and a User Manual...
  • Page 7: A First Look At WANGUARD Console

    A first look at WANGUARD Console If you're an administrator and you are looking for how to configure WANGUARD, skip to the Installation Chapter on page 28. Please read the following chapters in order to get a clear overview of the basic premises required for the proper operation of the software.
  • Page 8: Reports » Anomalies & Tools

    Reports » Anomalies & Tools The Reports » Anomalies & Tools panel contains links to the Anomalies tab, to the BGP Prefixes tab, to the Flow Collector tab and to the Packet Analyzer tab.
  • Page 9 • View Traffic Graph – available if IP Graphs is enabled for the prefix • View Traffic Log – available if the Response contains a Traffic Capturing action • Delete BGP Route – available if a BGP announcement was sent for the prefix •...
  • Page 10: Anomalies Archive

    Firewall – Indicates if there was a software filter installed or a firewall filter, or both. From – The date and time when the attack pattern was first detected. Until – The date and time when the attack pattern was last detected.
  • Page 11: BGP Logs

    The table containing BGP announcements is visible only while announcements are active. The table's columns are: BGP Connection – The BGP Connection name as defined in the BGP Connection's configuration – see page 51.
  • Page 12: Flows Tops

    ● Time-frame – Select predefined time-frames or enter your own by selecting “Custom...”. ● Flows Filter – Here you can enter a filter for flows. Click the lightbulb icon on the right to open a window containing the correct syntax.
  • Page 13: Autonomous Systems

    ● Output – You can select several output formats, or you can type your own format that conforms to the format specification of nfdump. For better readability IPv6 addresses are shortened, such that the middle nibbles are cut and replaced by dots '…'.
  • Page 14: Packet Analyzer

    the window: Help » AS Information » AS Numbers List. There you can apply different filters by clicking the table header's down icon. ● Export – You can print, save as PDF or email the generated AS graphs.
  • Page 15: Active Captures

    ● BPF Expression – Click the lightbulb icon on the right to open a window containing the correct BPF (Berkeley Packet Filter) syntax. Often used BPF expressions can be saved there and used at any time later.
  • Page 16: Captures Archive

    ● Sampling – The type of sampling that is being used. ● From – The date when the Sniffing Sensor started capturing packets. ● Until – The time or the conditions that will cause the stopping of the capture.
  • Page 17: Reports » Dashboards

    Reports » Dashboards Wouldn't it be nice to see all your relevant data in a single tab? The Dashboard allows you to group data according to your needs. A few sample Dashboards are included in the Console, but you can create more by going to Reports »...
  • Page 18: Reports » Interfaces

    Reports » Interfaces The Reports » Interfaces panel contains links to the Overview tab, Interface Groups tabs and to detailed Sensor tabs. The Overview tab provides a real-time view on the status of all WANGUARD components.
  • Page 19: Active Virtual Sensors

    Active Virtual Sensors The Virtual Sensors table has the same fields as the Sniffing Sensors table explained below. The table is not displayed if there are no Virtual Sensors running. Active Sniffing Sensors The Active Sniffing Sensors table is not displayed if there are no Sniffing Sensors running.
  • Page 20: Active Filters

    Status – If the active Flow Sensor is functioning properly then a green “checked” icon is displayed. If Console cannot manage or reach the Flow Sensor then a red “X” icon is displayed. In this case make sure that the Sniffing Sensor is configured correctly, make sure that the WANsupervisor daemon is running and look for errors in the Events –...
  • Page 21: Sensors

    Anomaly# – If the Filter mitigates an anomaly it contains the link to the Anomaly Report. Otherwise it will display the message “Filter offline”. IP Address – The IP address from your network involved in the traffic anomaly. If the IP address is clicked then a new tab opens with data specific to the IP address.
  • Page 22: Sensor Graphs

    Sensor Graphs Sensor Graphs allows you to generate various Sensor-related histograms for the selected Sensor(s): ● Data Units – Select one or more parameters: Default – Shows most used parameters, each one in a different graph.
  • Page 23: Sensor Tops

    ◦ IP Accounting – The number of IP accounting records updated. ◦ HW Graphs – The number of files updated for traffic profiling files. ◦ IP Graphs Time – The number of seconds needed to update the IP graphs files.
  • Page 24: List Flows

    ◦ UDP Ports – the most used UDP ports ◦ IP Protocols – most used IP protocols ◦ IP Versions – IPv4 and IPv6 ◦ AS Numbers – the Autonomous Systems that generate most traffic. Available only for Flow Sensors ◦...
  • Page 25: Anomalies Overview

    Anomalies Overview Here you can view trends and summarizations of attacks detected by Sensor(s), for the selected time-frame and decoders...
  • Page 26: Reports » IP Addresses & Groups

    Reports » IP Addresses & Groups This chapter describes how to generate complex traffic reports for IP addresses, IP subnets and IP Groups. The Reports » IP Addresses panel allows the quick generation of IP traffic reports by entering the IP / CIDR in the upper side of the Panel, or by selecting an IP class or host from the expandable tree below.
  • Page 27: IP Accounting

    Graphs can have an automatically-generated title for the “Default” option, no title for the “None” option, or you can enter your own text that will be rendered as a title. ● Graph Legend –...
  • Page 28: List Flows

    If unchecked, each Sensor generates a different traffic accounting report. If checked, all selected Sensors generate a single traffic accounting report that contains the summed traffic accounting data. The number of decoders can be modified in the Storage & Graphs Configuration, see page 32.
  • Page 29: Installation Guide

    Installation Guide WANGUARD can be installed on common server hardware, provided that the system requirements listed later in this chapter are met. If you have some basic Linux or FreeBSD operation skills then no training is required for the software installation.
  • Page 30: Flow Sensor Hardware Requirements

    Flow Sensor Hardware Requirements – Flow-processing Capacity: 20 monitored interfaces, 15k active endpoints; Architecture: x86 (32 or 64 bit), 1 x Xeon 2.0 GHz; Memory: 4 GB; Network Cards: 1 x Fast Ethernet; Operating System: RHEL / CentOS 5, RHEL / CentOS 6, Debian 6, Ubuntu Server 12, OpenSuSE 12...
  • Page 31: Software Installation & Download

    Memory: 1 GB; Network Cards: 1 x Gigabit Ethernet; Operating System: RHEL / CentOS 5, RHEL / CentOS 6, Debian 6, Ubuntu Server 12, OpenSUSE 12; Software Packages: apache 2.x+, php 5.2+, mysql 5.x, rrdtool 1.3+...
  • Page 32: Quick Configuration Steps

    Log in to Console using the default username / password combination of admin / changeme. To understand how to navigate within the Console, please read the chapter from page 6. If the Console is installed on a public server, you should immediately change the default password for the "admin"...
  • Page 33: Storage & Graphs Configuration

    Storage & Graphs Configuration An important step in configuring WANGUARD is to make sure that the involved servers have enough resources to process and withhold traffic information. Most resource-related parameters are found in Configuration »...
  • Page 34: Anomalies Configuration

    Anomalies Configuration An important initial step in configuring WANGUARD is setting up anomalies detection parameters and decoders. Anomalies detection parameters are located in Configuration » Global Settings » Anomalies. The Sensors are able to detect many types of traffic anomalies.
  • Page 35: Response Configuration

    Response Configuration Responses provide a unique and powerful way to automate reactions to traffic anomalies and attack patterns. To add a Response, go to Configuration » Network & Policy » Add Response. If you don't plan to use this feature, you may safely skip this chapter.
  • Page 36: Conditional & Dynamic Parameters

    Conditional & Dynamic Parameters (table columns: CONDITIONAL PARAMETER – TYPE – DYNAMIC PARAMETER – DESCRIPTION). GENERAL PARAMETERS: IP Address – String – {ip} – The IP or Subnet involved in the anomaly. String – {ip_dns} – The reverse DNS of the IP involved in the anomaly.
  • Page 37 Anomaly ID – Number – {anomaly_id} – The unique identification number of the anomaly. Anomaly Comment – String – {comment} – The comment added in Console by Administrators for the Anomaly. Direction [incoming,outgoing] – String – {direction} – The direction of the rule that triggered the anomaly.
  • Page 38 Latest Link Severity – Number – {latest_link_severity} – The field contains the ratio between the latest anomalous traffic rate and the interface's traffic rate. String – {anomaly_log_10} – The first 10 packets or flows of the anomalous traffic.
  • Page 39 Filters Pkts/s – Number* – {filters_pps} – The latest packets/second throughput recorded by active Filter(s) in the anomalous traffic. Filters Bits/s – Number* – {filters_bps} – The latest bits/second throughput recorded by active Filter(s) in the anomalous traffic. Filters Max Pkts/s...
  • Page 40 String – {attacker_isp} – If the attack pattern is an IP, the Dynamic Parameter provides the email of the attacker's ISP. String – {filter_log_10} – The first 10 packets of the attack pattern's traffic. String – {filter_log_50} – The first 50 packets of the attack pattern's traffic.
  • Page 41: IP Zone Configuration

    IP Zone Configuration IP Zones are hierarchical, tree-like structures that must include your IP address ranges and important IPs. Add an IP Zone by going to Configuration » Network & Policy » Add IP Zone. Sensors use IP Zones to learn about your network and to extract per-subnet settings.
  • Page 42: Anomaly Detection Settings & Thresholds Templates

    Anomaly detection settings & Thresholds Templates The Thresholds Anomalies panel in the IP Zone Configuration window can contain user-defined traffic thresholds. To ease the addition of thresholds with the same values for multiple prefixes, use Thresholds Templates (Configuration »...
  • Page 43: Choosing A Method Of Traffic Monitoring

    Choosing a method of traffic monitoring This section explains the available methods you can use for traffic monitoring. Reading this chapter is strongly recommended, as it will help you understand how to deploy Sensor in your network.
  • Page 44: Comparison Between Packet Sniffing And Flow Monitoring

    Comparison between Packet Sniffing and Flow Monitoring The table below provides a quick comparison between the two available traffic capturing technologies. The hardware requirements for each method are different. We keep an updated hardware requirements list on our website.
  • Page 45: Sniffing Sensor Configuration

    Sniffing Sensor Configuration In switched networks only the traffic for a specific device is sent to the device's network card. If the Sensor system is not deployed in the main data-path then a network TAP, or a switch or router that offers a "monitoring port"...
  • Page 46 ● IP Validation – This option can be used to distinguish the direction of the packets or to ignore unwanted IP traffic: ○ Off – The Sensor analyzes all traffic, but you must enable MAC Validation to distinguish the...
  • Page 47 like tcpdump. The syntax is “tcpdump -i <interface_usually_eth1> -n -c 100”. If the IP Validation is not disabled, then the IP Zone must contain all your subnets.
  • Page 48: Flow Sensor Configuration

    Flow Sensor Configuration Many routers and switches can collect IP traffic statistics on monitored interfaces, and later export those statistics as flow records towards the Flow Sensor, which does the actual traffic analysis.
  • Page 49 ○ Interface Name – A short description used to identify the monitored interface ○ Graph Color – The color used in graphs for this interface. The default color is random, but you can...
  • Page 50 All received flows can be stored in an efficient binary format and queried in Reports » Collections. ● Graphs Accuracy – Low values increase the Sensor's accuracy but the Flow Sensor will use more RAM.
  • Page 51: Virtual Sensor Configuration

    Virtual Sensor Configuration Virtual Sensor aggregates Sniffing Sensors and Flow Sensors' Interfaces into a single anomaly detection domain. It disables the anomaly detection features of the contained Sensors, and provides anomaly detection for the summed up traffic data.
  • Page 52: BGP Connection Configuration

    BGP Connection Configuration Operators and Administrators can view, send and withdraw BGP announcements manually from the Console. The BGP announcement records are stored in Reports » Anomalies & Tools » BGP Prefixes » BGP Archive.
  • Page 53 The passwords for the zebra daemon. ● Reject External IPs – If this is selected no BGP announcement will be sent for an IP that's not present in any of the configured IP Zones' subnets, excluding 0.0.0.0/0.
  • Page 54: Filter Configuration

    Filter Configuration WANGUARD Filter was designed to protect networks from internal and external threats (availability attacks on DNS, VoIP, Mail and similar services, unauthorized traffic resulting in network congestion), botnet attacks, zero-day worm and virus outbreaks. It includes sophisticated traffic analysis algorithms that are able to detect and side-filter malicious traffic in a granular manner without impacting the user experience or resulting in downtime.
  • Page 55 option makes the Filter consume less CPU, because the malicious packets that are dropped do not reach the Outbound Interface. The disadvantage of this option is that the Filter will not record traffic statistics for the dropped traffic. ● Outbound Interface –...
  • Page 56 ○ Limit the attack patterns and accept local valid traffic – The Filter detects, reports and rate-limits the attack patterns to the threshold values. The Filter only accepts attack pattern traffic that does not exceed the anomaly's traffic type packets/second threshold value for the attacked IP address. ○ Apply default INPUT policy –...
  • Page 57 your DNS server making your DNS partially unreachable. In this case, it's best to configure a Whitelist that will prevent this behavior. To add a new rule to the Whitelist you must enter the following fields: ○...
  • Page 58: Scheduled Reports

    Scheduled Reports One of the greatest strengths of the Console is the ease of generating complex Reports. Most Reports created through the Side Region can be printed, exported as PDF or sent by email. But if you want to create periodic Reports, go to Configuration »...
  • Page 59: Events Reporting

    Events Reporting An "event" is a text message generated by a WANGUARD component and logged by the Console. To see the latest Events, raise the South Side by clicking the small bottom edge of the window.
  • Page 60: Users Management

    Users Management In the Side Region select Configuration » Global Settings » Users Management. Currently there are three available access levels or "roles" for users: ● Administrator – Has all privileges. Can manage other accounts and can reset passwords. Passwords are...
  • Page 61: Appendix 1 - Network Basics You Should Be Aware Of

    Appendix 1 – Network Basics You Should Be Aware Of If you are new to network administration and network monitoring, read about the technical basics in this section. It will help you understand how WANGUARD works. If you are already used to IP addresses and IP classes you can safely skip this appendix.
  • Page 62 IP Classes Class A addresses always have the first bit of their IP addresses set to “0”. Since Class A networks have an 8-bit network mask, the use of a leading zero leaves only 7 bits for the network portion of the address, allowing for a maximum of 128 possible network numbers, ranging from 0.0.0.0 –...
  • Page 63: IPv4 Subnet CIDR Notation

    IPv4 Subnet CIDR Notation (table columns: CIDR – CLASS – HOSTS NO. – MASK; only the CLASS and MASK columns survive in this excerpt): 1/256 C – 255.255.255.255; 1/128 C – 255.255.255.254; 1/64 C – 255.255.255.252; 1/32 C – 255.255.255.248; 1/16 C – 255.255.255.240; 1/8 C – 255.255.255.224; 1/4 C – 255.255.255.192; 1/2 C – 255.255.255.128; 255.255.255.000...
  • Page 64: Appendix 2 - Configuring NetFlow Data Export

    Appendix 2 – Configuring NetFlow Data Export This appendix is a brief guide to setting up the NetFlow data export (NDE) on Cisco and Juniper routers or intelligent Cisco Layer 2 / Layer 3 / Layer 4 switches. If you have problems with the configuration contact your network administrator or Cisco consultant.
  • Page 65: Configuring NDE On A CatOS Device

    The following commands break up flows into shorter segments: 1 minute for active traffic and 30 seconds for inactive traffic. Please use only these values, as they decrease the RAM usage and increase the performance of the Flow Sensor.
  • Page 66: Configuring NDE On A 4000 Series Switch

    To configure NDE use the same commands as for the IOS device. In the enable mode on the Supervisor Engine, issue the following to set up NetFlow export version 5: switch(config)# mls nde sender version 5 The following commands break up flows into shorter segments: ~1 minute for active flows and ~30 seconds for inactive flows.
  • Page 67 accept; forwarding-options { sampling { input { family inet { rate 100; output { cflowd 192.168.1.100 { port 2000; version 5; ...
  • Page 68: Appendix 3 - Configuring Traffic Diversion

    Appendix 3 – Configuring Traffic Diversion This appendix describes how to configure traffic diversion for Filter. Information provided here regarding router configurations is for informational purposes only. Please refer to the appropriate router user guides for detailed information.
  • Page 69: BGP Configuration Guidelines

    After BGP diversion is established, the router's routing table points to the Filter server as the best route to the attacked addresses and the router forwards all traffic destined to those addresses to the Filter server.
  • Page 70: Filter System BGP Configuration Example

    following commands: [root@localhost ~]# telnet 127.0.0.1 2601 localhost> enable localhost# config terminal localhost(config)# service password-encryption localhost(config)# write localhost(config)# exit localhost# exit To configure the bgpd daemon you must telnet to port 2605 and enter the previously defined password (“bgppass”).
  • Page 71: Cisco Router BGP Configuration

    router bgp 64000 bgp router-id 192.168.1.100 neighbor 192.168.1.1 remote-as 1000 neighbor 192.168.1.1 description divert-from router neighbor 192.168.1.1 soft-reconfiguration inbound neighbor 192.168.1.1 distribute-list nothing-in in neighbor 192.168.1.1 route-map WANGUARD-Filter-out out access-list nothing-in deny any...
  • Page 72: Understanding Traffic Forwarding Methods

    neighbor 192.168.1.100 description Filter appliance neighbor 192.168.1.100 soft-reconfiguration inbound neighbor 192.168.1.100 distribute-list routesToWANGUARDFilter out neighbor 192.168.1.100 route-map WANGUARD-Filter-in no synchronization ip bgp community new-format ip community-list expanded WANGUARD-Filter permit 1000:64000 no-export no-advertise route-map WANGUARD-Filter-in permit 10...
  • Page 73: Configuring GRE / IP Over IP Tunneling - Layer 3 Forwarding Method

    The Layer-2 Forwarding (L2F) method is used in a Layer 2 topology when all three devices—the Filter system, the divert-from router, and the next-hop router—are located in one shared IP network. In a Layer 2 topology, a divert-from router and an inject-to router are two separate devices.
