In a botnet attack, hosts on the private side of an ASA become infected with malware. Each infected host tries to contact a botnet control server located somewhere on the public Internet to receive further instructions. The control server can then remotely control many infected hosts and align them in a coordinated attack against other resources.
Because the infected hosts are located on a secure side of the ASA, they are likely to be free to open outbound connections just like any other protected host. You can leverage the Cisco ASA Botnet Traffic Filter feature to detect botnet activity and prevent infected hosts from contacting their control servers.
When the Botnet Traffic Filter is enabled, an ASA maintains two reputation databases:
* A dynamic SensorBase database that is downloaded periodically from Cisco, which contains information about known botnet control servers.
* A static database that you can populate, which can contain a "whitelist" of known good IP addresses and domain names or a "blacklist" of known bad servers.
The Botnet Traffic Filter feature is dependent upon four things:
* A Botnet Traffic Filter license purchased from Cisco and installed on the ASA
* A DNS server, which the ASA uses to look up names and addresses in the static database
* Botnet Traffic Filter DNS snooping, which enables the ASA to intercept DNS queries from infected hosts and match against hostnames it finds in the databases
* Live connectivity to the Internet, so that the Botnet Traffic Filter feature can communicate with Cisco
Before you begin configuring Botnet Traffic Filtering, verify that the feature license has been enabled. You can use the show version command to see a list of ASA features and their license status. Make sure Botnet Traffic Filter is listed as Enabled.
ciscoasa# show version
Cisco Adaptive Security Appliance Software Version 8.4(2)
Compiled on Wed 15-Jun-11 18:17 by builders
System image file is "Unknown, monitor mode tftp booted image"
Config file at boot was "startup-config"
ciscoasa up 11 mins 39 secs
Hardware: ASA 5520, 1024 MB RAM, CPU Pentium II 1000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash unknown @ 0x0, 0KB
0: Ext: GigabitEthernet0 : address is 00ab.cd92.5200, irq 0
1: Ext: GigabitEthernet1 : address is 0000.abf1.d701, irq 0
2: Ext: GigabitEthernet2 : address is 0000.ab9a.0e02, irq 0
3: Ext: GigabitEthernet3 : address is 0000.ab64.2f03, irq 0
4: Ext: GigabitEthernet4 : address is 0000.ab84.7804, irq 0
5: Ext: GigabitEthernet5 : address is 0000.abfa.5105, irq 0
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 100 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 5 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 25 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 5000 perpetual
Total VPN Peers : 0 perpetual
Shared License : Enabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Enabled perpetual
UC Phone Proxy Sessions : 10 perpetual
Total UC Proxy Sessions : 10 perpetual
Botnet Traffic Filter : Enabled perpetual
Intercompany Media Engine : Enabled perpetual
This platform has an ASA 5520 VPN Plus license.
Use the following steps to configure botnet traffic filtering; the terminal session that follows walks through each step, using ? at each prompt to show the available options:
Step 1: Configure the dynamic database.
Step 2: Configure the static database.
Step 3: Enable DNS snooping.
Step 4: Enable the Botnet Traffic Filter.
ciscoasa(config)# dynamic-filter ?
configure mode commands/options:
ambiguous-is-black Handle (ambiguous) greylist matched traffic as blacklist for Dynamic Filter drop
blacklist Configure Dynamic Filter blacklist
drop Enable traffic drop based on Dynamic Filter traffic classification
enable Enable Dynamic Filter classification
updater-client Configure Dynamic Filter updater client
use-database Use Dynamic Filter data downloaded from updater-server
whitelist Configure Dynamic Filter whitelist
exec mode commands/options:
database Dynamic Filter data commands
ciscoasa(config)# dynamic-filter updater-client ?
configure mode commands/options:
enable Enable Dynamic Filter updater client
ciscoasa(config)# dynamic-filter updater-client enable
WARNING: Can't resolve update-manifests.ironport.com, make sure dns nameserver is configured // CISCO'S DYNAMIC DATABASE UPDATE
ciscoasa(config)# dynamic-filter use-database
ciscoasa(config)# dns ? // CONFIGURE DNS AS PER ERROR GIVEN
configure mode commands/options:
domain-lookup Enable/Disable DNS host-to-address translation
expire-entry-timer Specify DNS entry expire timer
name-server Specify DNS servers
poll-timer Specify dns update interval
retries Configure DNS retries
server-group Configure a DNS server group
timeout Configure DNS query timeout
ciscoasa(config)# dns domain-lookup outside
ciscoasa(config)# dns server-group DefaultDNS
ciscoasa(config-dns-server-group)# ?
DNS server group commands:
domain-name Domain name to append to DNS queries for this server group
name-server Specify DNS servers
no Remove a server-group command or set to its default
retries DNS retries
timeout DNS query timeout
ciscoasa(config-dns-server-group)# name-server 4.2.2.2
ciscoasa(config)# dynamic-filter blacklist
ciscoasa(config-llist)# ?
Dynamic Filter list configuration
address Add IP address to local list
name Add domain name to local list
no Negate a command
ciscoasa(config-llist)# name ?
dynamic-filter-list mode commands/options:
WORD < 256 char Enter domain name
configure mode commands/options:
A.B.C.D The IPv4 address of the host/network being named
X:X:X:X::X The IPv6 address of the host/network being named
ciscoasa(config-llist)# name www.badsite.com
ciscoasa(config-llist)# exit
ciscoasa(config)# dynamic-filter whitelist
ciscoasa(config-llist)# name www.goodsite.com
ciscoasa(config-llist)# exit
ciscoasa(config)# policy-map ?
configure mode commands/options:
type Specifies the type of policy-map
Policy-map names:
global_policy
WORD < 41 char New policy-map name
ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class ?
mpf-policy-map mode commands/options:
WORD class-map name
class-default System default class matching otherwise unclassified packets
configure mode commands/options:
WORD < 41 char class-map name
type Specifies the type of class-map
ciscoasa(config-pmap)# class inspection_default
ciscoasa(config-pmap-c)# ?
MPF policy-map class configuration commands:
exit Exit from MPF class action configuration mode
help Help for MPF policy-map class/match submode commands
no Negate or set default values of a command
police Rate limit traffic for this class
priority Strict scheduling priority for this class
quit Exit from MPF class action configuration mode
service-policy Configure QoS Service Policy
set Set connection values
shape Traffic Shaping
user-statistics configure user statistics for identity firewall
<cr>
csc Content Security and Control service module
flow-export Configure filters for NetFlow events
inspect Protocol inspection services
ips Intrusion prevention services
ciscoasa(config-pmap-c)# inspect ?
mpf-policy-map-class mode commands/options:
ctiqbe
dcerpc
dns
esmtp
ftp
gtp
h323
http
icmp
ils
im
ip-options
ipsec-pass-thru
ipv6
mgcp
mmp
netbios
pptp
rsh
rtsp
sip
skinny
snmp
ciscoasa(config-pmap-c)# inspect dns ?
mpf-policy-map-class mode commands/options:
WORD < 41 char Optional DNS type policy-map name
dynamic-filter-snoop Enable DNS snooping for Dynamic Filter
<cr>
ciscoasa(config-pmap-c)# inspect dns preset_dns_map ?
mpf-policy-map-class mode commands/options:
dynamic-filter-snoop Enable DNS snooping for Dynamic Filter
<cr>
ciscoasa(config-pmap-c)# inspect dns preset_dns_map dynamic-filter-snoop
ciscoasa(config-pmap-c)# exit
ciscoasa(config-pmap)# exit
ciscoasa(config)# dynamic-filter enable ?
configure mode commands/options:
classify-list Set the access-list for classification
interface Enable classification on an interface
<cr>
ciscoasa(config)# dynamic-filter enable interface ?
configure mode commands/options:
Current available interface(s):
inside Name of interface GigabitEthernet0
outside Name of interface GigabitEthernet1
ciscoasa(config)# dynamic-filter enable interface outside ?
configure mode commands/options:
classify-list Set the access-list for classification
<cr>
ciscoasa(config)# dynamic-filter enable interface outside classify-list ?
configure mode commands/options:
WORD Specify the name of an access-list
ciscoasa(config)# dynamic-filter enable interface outside classify-list BOTNET_ACL
ciscoasa(config)# dynamic-filter drop ?
configure mode commands/options:
blacklist Drop traffic matching blacklist
ciscoasa(config)# dynamic-filter drop blacklist ?
configure mode commands/options:
action-classify-list Set the access-list for drop
interface Enable drop on an interface
threat-level Set the threat-level for drop
<cr>
ciscoasa(config)# dynamic-filter drop blacklist interface ?
configure mode commands/options:
Current available interface(s):
inside Name of interface GigabitEthernet0
outside Name of interface GigabitEthernet1
ciscoasa(config)# dynamic-filter drop blacklist interface outside ?
configure mode commands/options:
action-classify-list Set the access-list for drop
threat-level Set the threat-level for drop
<cr>
ciscoasa(config)# dynamic-filter drop blacklist interface outside action-classify-list ?
configure mode commands/options:
WORD Specify the name of an access-list
ciscoasa(config)# dynamic-filter drop blacklist interface outside action-classify-list BOTNET_ACL ?
configure mode commands/options:
threat-level Set the threat-level for drop
<cr>
ciscoasa(config)# dynamic-filter drop blacklist interface outside action-classify-list BOTNET_ACL threat-level ?
configure mode commands/options:
eq Threat-level equal to operator
range Threat-level range operator
ciscoasa(config)# dynamic-filter drop blacklist interface outside action-classify-list BOTNET_ACL threat-level eq ?
configure mode commands/options:
high high threat
low Low threat
moderate moderate threat
very-high Highest threat
very-low lowest threat
ciscoasa(config)# dynamic-filter drop blacklist interface outside action-classify-list BOTNET_ACL threat-level eq very-high
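The session above, collected into the form the commands take in the running configuration, plus the show commands used to verify the result. This is an added example, not taken from the original post; BOTNET_ACL is referenced above but never defined there, so its definition below (match all IP traffic) is an assumption, as is reusing 4.2.2.2 as the name server.

```text
! --- Added example: consolidated Botnet Traffic Filter configuration ---
! DNS: the ASA's own lookups (including the SensorBase updater) use the
! DefaultDNS server group, so the name server belongs there.
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 4.2.2.2
!
! Step 1: dynamic database, downloaded from Cisco
dynamic-filter updater-client enable
dynamic-filter use-database
!
! Step 2: static database (local blacklist and whitelist)
dynamic-filter blacklist
 name www.badsite.com
dynamic-filter whitelist
 name www.goodsite.com
!
! Step 3: DNS snooping, so names in the databases are tied to the
! addresses that inside hosts actually resolve (global_policy is already
! applied globally on a default ASA configuration)
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map dynamic-filter-snoop
!
! Step 4: classify, then drop. BOTNET_ACL is an assumed definition: matching
! all IP traffic means every connection through "outside" is checked.
! With "threat-level eq very-high" only very-high blacklist matches are
! dropped; lower levels are still classified and logged, not dropped.
access-list BOTNET_ACL extended permit ip any any
dynamic-filter enable interface outside classify-list BOTNET_ACL
dynamic-filter drop blacklist interface outside action-classify-list BOTNET_ACL threat-level eq very-high
!
! Verification (exec mode):
!   show dynamic-filter updater-client   - update status of the dynamic database
!   show dynamic-filter dns-snoop        - snooped name-to-address mappings
!   show dynamic-filter statistics       - traffic classified and dropped per interface
```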