Sunday, November 1, 2015

Configuring Websense URL Filtering and Botnet feature in Cisco ASA

I was asked to migrate a customer that's using Websense URL filtering and the Botnet Traffic Filter feature to an ASA context. I installed a Botnet license (1-year license) on our ASA firewalls and I'm glad to see that the feature works. I believe Cisco is now moving towards a new approach with Advanced Malware Protection (AMP) on their next-gen ASA firewalls (5500-X series) and next-gen IPS (FirePOWER).


Botnet config:

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 200            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Enabled        perpetual
Security Contexts                 : 10             perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 750            perpetual
Total VPN Peers                   : 750            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Enabled        168 days
Intercompany Media Engine         : Disabled       perpetual
IPS Module                        : Disabled       perpetual

This platform has an ASA5525 VPN Premium license.

Serial Number: FCH18087ABC
Running Permanent Activation Key: 0xc22ecd45 0x78ac555a 0xa9637128 0xfe9838f8 0x0e15edef
Running Timebased Activation Key: 0x9c1876cf 0x49ca6c5e 0xc949bb03 0xdbf386df 0x847c2123
Configuration register is 0x1

ciscoasa/CUST(config)# dynamic-filter ?

configure mode commands/options:
  ambiguous-is-black  Handle (ambiguous) greylist matched traffic as blacklist
                      for Dynamic Filter drop
  blacklist           Configure Dynamic Filter blacklist
  drop                Enable traffic drop based on Dynamic Filter traffic
                      classification
  enable              Enable Dynamic Filter classification
  use-database        Use Dynamic Filter data downloaded from updater-server
  whitelist           Configure Dynamic Filter whitelist

exec mode commands/options:
  database  Dynamic Filter data commands
ciscoasa/CUST(config)# dynamic-filter use-database ?

configure mode commands/options:
  <cr>
ciscoasa/CUST(config)# dynamic-filter use-database

ciscoasa/CUST(config)# access-list DYNAMIC-FILTER-ACL extended permit ip any any

ciscoasa/CUST(config)# dynamic-filter enable ?    

configure mode commands/options:
  classify-list  Set the access-list for classification
  interface      Enable classification on an interface
  <cr>
ciscoasa/CUST(config)# dynamic-filter enable interface ?

configure mode commands/options:
Current available interface(s):
  inside    Name of interface GigabitEthernet0/1
  outside  Name of interface GigabitEthernet0/0
ciscoasa/CUST(config)# dynamic-filter enable interface outside ?

configure mode commands/options:
  classify-list  Set the access-list for classification
  <cr>
ciscoasa/CUST(config)# dynamic-filter enable interface outside classify-list ?                       

configure mode commands/options:
  WORD  Specify the name of an access-list
ciscoasa/CUST(config)# dynamic-filter enable interface outside classify-list DYNAMIC-FILTER-ACL
ciscoasa/CUST(config)# dynamic-filter drop ?

configure mode commands/options:
  blacklist  Drop traffic matching blacklist
ciscoasa/CUST(config)# dynamic-filter drop blacklist ?

configure mode commands/options:
  action-classify-list  Set the access-list for drop
  interface             Enable drop on an interface
  threat-level          Set the threat-level for drop
  <cr>
ciscoasa/CUST(config)# dynamic-filter drop blacklist interface ?

configure mode commands/options:
Current available interface(s):
  inside    Name of interface GigabitEthernet0/1
  outside  Name of interface GigabitEthernet0/0
ciscoasa/CUST(config)# dynamic-filter drop blacklist interface outside ?

configure mode commands/options:
  action-classify-list  Set the access-list for drop
  threat-level          Set the threat-level for drop
  <cr>
ciscoasa/CUST(config)# dynamic-filter drop blacklist interface outside threat-level ?

configure mode commands/options:
  eq     Threat-level equal to operator
  range  Threat-level range operator
ciscoasa/CUST(config)# dynamic-filter drop blacklist interface outside threat-level range ?

configure mode commands/options:
  high       high threat
  low        Low threat
  moderate   moderate threat
  very-high  Highest threat
  very-low   lowest threat
ciscoasa/CUST(config)# dynamic-filter drop blacklist interface outside threat-level range high ?

configure mode commands/options:
  high       high threat
  low        Low threat
  moderate   moderate threat
  very-high  Highest threat
  very-low   lowest threat
ciscoasa/CUST(config)# dynamic-filter drop blacklist interface outside threat-level range high very-high

ciscoasa/CUST(config)# dynamic-filter whitelist
ciscoasa/CUST(config-llist)# ?

Dynamic Filter list configuration
  address  Add IP address to local list
  name     Add domain name to local list
  no       Negate a command
ciscoasa/CUST(config-llist)# address ?

dynamic-filter-list mode commands/options:
  Hostname or A.B.C.D  Add IP address or network to local list
ciscoasa/CUST(config-llist)# address 208.67.220.220 ?

dynamic-filter-list mode commands/options:
  A.B.C.D  The IP netmask to apply to the IP address
ciscoasa/CUST(config-llist)# address 208.67.220.220 255.255.255.255   // OPEN DNS IP

class-map DYNAMIC-FILTER-DNS-CMAP
 match port udp eq domain

policy-map DYNAMIC-FILTER-DNS-PMAP
 class DYNAMIC-FILTER-DNS-CMAP
  inspect dns dynamic-filter-snoop

ciscoasa/CUST(config)# service-policy ?

configure mode commands/options:
Available policy-maps:
  global_policy
  DYNAMIC-FILTER-DNS-PMAP
service-policy DYNAMIC-FILTER-DNS-PMAP interface outside


Here are some useful show commands to verify the Botnet feature:

ciscoasa/CUST# show dynamic-filter data      
Dynamic Filter is using downloaded database version '1446144909'   // UPDATE FROM CISCO SIO
Fetched at 15:17:36 UTC Oct 29 2015, size: 2097145
Sample contents from downloaded database:
  loubouscoc.narod.ru  alkhair.org  mfqr.cn.com  azpros.com
  tubez11.cu.cc  72.66.16.146  monitor4eg.ru  wildroute.biz
Sample meta data from downloaded database:
  threat-level: very-high,      category: Malware,
  description: "These are sources that use various exploits to deliver adware, spyware and other malware to victim computers.  Some of these are associated with rogue online vendors and distributors of dialers which deceptively call premium-rate phone numbers."
  threat-level: high,   category: Bot and Threat Networks,
  description: "These are rogue systems that control infected computers.  They are either systems hosted on threat networks or systems that are part of the botnet itself."
  threat-level: moderate,       category: Malware,
  description: "These are sources that deliver deceptive or malicious anti-spyware, anti-malware, registry cleaning, and system cleaning software."
  threat-level: low,    category: Ads,
  description: "These are advertising networks that deliver banner ads, interstitials, rich media ads, pop-ups, and pop-unders for websites, spyware and adware.  Some of these networks send ad-oriented HTML emails and email verification services."
Total entries in Dynamic Filter database:
  Dynamic data: 79504 domain names , 2942 IPv4 addresses
  Local data: 0 domain names , 2 IPv4 addresses
Active rules in Dynamic Filter asp table:
  Dynamic data: 0 domain names , 2942 IPv4 addresses
  Local data: 0 domain names , 2 IPv4 addresses

ciscoasa/CUST# show dynamic-filter reports infected-hosts all
Total 149 infected-hosts in buffer
Host (interface)                        Latest malicious conn time, filter action  Conn logged, dropped
=======================================================================================================
172.27.199.123 (inside)         13:52:06 UTC Oct 29 2015, dropped                14109  14109
Malware-sites connected to (not ordered)
Site                                            Latest conn port, time, filter action   Conn logged, dropped Threat-level Category
-------------------------------------------------------------------------------------------------------
158.85.62.205 (x.rafomedia.com)                  80, 13:52:06 UTC Oct 29 2015, dropped             6      6   very-high  Malware
54.149.242.159 (neutral-sky.info)                80, 13:21:05 UTC Oct 29 2015, dropped             9      9   very-high  Malware
54.213.23.40 (neutral-sky.info)                  80, 13:20:23 UTC Oct 29 2015, dropped             9      9   very-high  Malware
54.213.128.72 (neutral-sky.info)                 80, 13:21:26 UTC Oct 29 2015, dropped             6      6   very-high  Malware
52.25.206.149 (neutral-sky.info)                 80, 13:20:44 UTC Oct 29 2015, dropped             6      6   very-high  Malware
=======================================================================================================
172.27.181.179 (inside)         11:23:38 UTC Oct 29 2015, dropped                  229    229

Last clearing of the infected-hosts report: Never


ciscoasa/CUST# show dynamic-filter reports top infected-hosts
Infected Hosts (since last clear)
Host                                            Connections Logged
----------------------------------------------------------------------
172.27.199.121 (inside)                      49660
172.27.199.123 (inside)                      14109

Last clearing of the top infected-hosts report: Never


ciscoasa/CUST# show dynamic-filter reports top malware-ports
Malware Ports (since last clear)
Port                                            Connections Logged
----------------------------------------------------------------------
tcp 80                                           78693
tcp 443                                            273
udp >8192                                           37
udp 4682                                             1

Last clearing of the top ports report: Never


ciscoasa/CUST# show dynamic-filter reports top malware-sites
Malware Sites (since last clear)
Site                            Connections Logged Dropped Threat-level Category
---------------------------------------------------------------------------------
158.85.62.205 (x.rafomedia.com)            13649    13649    very-high  Malware
173.193.251.201 (x.rafomedia.com)          12643    12643    very-high  Malware
94.75.230.226 (a.adquantix.com)             9338     9338    very-high  Malware
94.75.230.225 (a.adquantix.com)             8519     8519    very-high  Malware
211.100.56.174 (analytics3.dopool.com)      3627     3627    very-high  Malware
104.28.9.72 (zigad.winnerical.org)           906      906    very-high  Malware
104.28.8.72 (zigad.winnerical.org)           906      906    very-high  Malware
52.74.115.82 (in1.apusapps.com)              831      831    very-high  Malware
54.255.128.61 (in1.apusapps.com)             828      828    very-high  Malware
212.113.89.75 (abs.proxistore.com)           636      636    very-high  Malware

Last clearing of the top sites report: Never
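
The infected-hosts report above is the output a SOC actually wants in structured form, so here is an added example (not part of the original post and not a Cisco tool) that parses `show dynamic-filter reports infected-hosts all` into records, builds a triage list ordered by dropped connections, and flattens it into per-host/site events for a SIEM. The sample input is the report shown above, trimmed to three of the five malware sites; `THREAT_ORDER` reproduces the five threat levels the ASA's `threat-level range ?` help lists, and the regular expressions are written against the column layout on this page.

```python
"""Parse 'show dynamic-filter reports infected-hosts all' into records.
Added example: the patterns follow the report layout shown on this page;
this is not a Cisco tool or API."""
import re
from dataclasses import dataclass, field
from datetime import datetime

THREAT_ORDER = ["very-low", "low", "moderate", "high", "very-high"]  # as the ASA names them

_TIME = r"(?P<time>\d\d:\d\d:\d\d \w+ \w{3} \d{1,2} \d{4})"
_HOST_RE = re.compile(r"^(?P<ip>\d+\.\d+\.\d+\.\d+) \((?P<iface>[^)]+)\)\s+" + _TIME
                      + r", (?P<action>\w+)\s+(?P<logged>\d+)\s+(?P<dropped>\d+)$")
_SITE_RE = re.compile(r"^(?P<ip>\d+\.\d+\.\d+\.\d+) \((?P<name>[^)]+)\)\s+(?P<port>\d+), " + _TIME
                      + r", (?P<action>\w+)\s+(?P<logged>\d+)\s+(?P<dropped>\d+)"
                      r"\s+(?P<level>[a-z-]+)\s+(?P<category>.+)$")
_TOTAL_RE = re.compile(r"^Total (?P<n>\d+) infected-hosts in buffer")


def _parse_time(text):
    # '13:52:06 UTC Oct 29 2015' -> naive datetime in the ASA's clock zone (UTC on this page)
    hms, _zone, mon, day, year = text.split()
    return datetime.strptime(f"{hms} {mon} {day} {year}", "%H:%M:%S %b %d %Y")


@dataclass
class MalwareSite:
    ip: str
    name: str
    port: int
    last_seen: datetime
    logged: int
    dropped: int
    threat_level: str
    category: str


@dataclass
class InfectedHost:
    ip: str
    interface: str
    last_seen: datetime
    action: str
    logged: int
    dropped: int
    sites: list = field(default_factory=list)


def parse_infected_hosts(text):
    """Return (total_in_buffer, [InfectedHost]); site rows attach to the host block above them.
    Header, rule and 'Last clearing' lines match nothing and are skipped."""
    total, hosts = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if m := _TOTAL_RE.match(line):
            total = int(m.group("n"))
        elif (m := _SITE_RE.match(line)) and hosts:
            g = m.groupdict()
            hosts[-1].sites.append(MalwareSite(g["ip"], g["name"], int(g["port"]), _parse_time(g["time"]),
                                               int(g["logged"]), int(g["dropped"]), g["level"], g["category"].strip()))
        elif m := _HOST_RE.match(line):
            g = m.groupdict()
            hosts.append(InfectedHost(g["ip"], g["iface"], _parse_time(g["time"]), g["action"],
                                      int(g["logged"]), int(g["dropped"])))
    return total, hosts


def triage(hosts, min_level="high"):
    """Hosts that reached at least one site rated min_level or above, most dropped
    connections first: the order a responder would work the list in."""
    floor = THREAT_ORDER.index(min_level)
    hit = [h for h in hosts if any(THREAT_ORDER.index(s.threat_level) >= floor for s in h.sites)]
    return sorted(hit, key=lambda h: h.dropped, reverse=True)


def to_events(hosts):
    """One flat dict per host/site pair (a host without site detail still yields one), for JSON lines."""
    events = []
    for h in hosts:
        base = {"host": h.ip, "interface": h.interface, "host_last_seen": h.last_seen.isoformat(),
                "host_dropped": h.dropped}
        for s in h.sites or [None]:
            events.append(dict(base) if s is None else {**base, "site_ip": s.ip, "site_name": s.name,
                          "port": s.port, "threat_level": s.threat_level, "category": s.category})
    return events


# Sample input: the report shown on this page, trimmed to three site rows.
SAMPLE_REPORT = """\
Total 149 infected-hosts in buffer
Host (interface)                        Latest malicious conn time, filter action  Conn logged, dropped
=======================================================================================================
172.27.199.123 (inside)         13:52:06 UTC Oct 29 2015, dropped                14109  14109
Malware-sites connected to (not ordered)
Site                                            Latest conn port, time, filter action   Conn logged, dropped Threat-level Category
-------------------------------------------------------------------------------------------------------
158.85.62.205 (x.rafomedia.com)                  80, 13:52:06 UTC Oct 29 2015, dropped             6      6   very-high  Malware
54.149.242.159 (neutral-sky.info)                80, 13:21:05 UTC Oct 29 2015, dropped             9      9   very-high  Malware
54.213.23.40 (neutral-sky.info)                  80, 13:20:23 UTC Oct 29 2015, dropped             9      9   very-high  Malware
=======================================================================================================
172.27.181.179 (inside)         11:23:38 UTC Oct 29 2015, dropped                  229    229

Last clearing of the infected-hosts report: Never
"""
```

Feed it the output of the `show` command captured over SSH (or from a syslog collector that stores it) and write `to_events()` out as JSON lines; `triage(hosts, "high")` gives the hosts to pull first. Note that the report only lists hosts that have contacted a blacklisted site since the last `clear`, so a host that is absent from a fresh report is not necessarily clean, only quiet.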


Websense URL filtering config:

ciscoasa/CUST(config)# url-server ?

configure mode commands/options:
  (  Open parenthesis for the network interface where the URL filtering server
     resides
ciscoasa/CUST(config)# url-server (inside) ?

configure mode commands/options:
  host    Configure the IP address of the URL filtering server after this
          keyword
  vendor  The URL server vendor, default is Websense
ciscoasa/CUST(config)# url-server (inside) vendor ?

configure mode commands/options:
  smartfilter  Secure Computing SmartFilter (N2H2) URL server
  websense     Websense URL server
ciscoasa/CUST(config)# url-server (inside) vendor websense ?

configure mode commands/options:
  host  Configure the IP address of the URL filtering server after this keyword
ciscoasa/CUST(config)# url-server (inside) vendor websense host ?

configure mode commands/options:
  Hostname or A.B.C.D  IP address of the URL filtering server
ciscoasa/CUST(config)# url-server (inside) vendor websense host 10.160.6.77 ?

configure mode commands/options:
  protocol  Protocol to be used for communicating to the URL server, TCP
            protocol will be used by default
  timeout   The maximum idle time permitted before the system switches to the
            next server specified, default is 30 seconds
  version   Optional version number for the Websense server, the version can be
            1 or 4, default is 1. UDP protocol is available only in version 4
  <cr>
ciscoasa/CUST(config)# url-server (inside) vendor websense host 10.160.6.77 protocol ?               

configure mode commands/options:
  tcp  TCP to be used as transport protocol
  udp  UDP to be used as transport protocol
ciscoasa/CUST(config)# url-server (inside) vendor websense host 10.160.6.77 protocol tcp ?

configure mode commands/options:
  connections  Optional simultaneous TCP connection count
  version      Optional version number for the Websense server, the version can
               be 1 or 4, default is 1. UDP protocol is available only in
               version 4
  <cr>
ciscoasa/CUST(config)# url-server (inside) vendor websense host 10.160.6.77 protocol tcp version ?

configure mode commands/options:
  1  Websense version 1
  4  Websense version 4
ciscoasa/CUST(config)# url-server (inside) vendor websense host 10.160.6.77 protocol tcp version 1 ?

configure mode commands/options:
  connections  Optional simultaneous TCP connection count
  <cr>
ciscoasa/CUST(config)# url-server (inside) vendor websense host 10.160.6.77 protocol tcp version 1 connections ?               

configure mode commands/options:
  <1-100>  Specify number of TCP connections to this URL server, default is 5
ciscoasa/CUST(config)# url-server (inside) vendor websense host 10.160.6.77 protocol tcp version 1 connections 10
ciscoasa/CUST(config)# url-block ?

configure mode commands/options:
  block        Configure number of blocks that will be buffered
  url-mempool  Configure memory resource to be allocated for long URL buffer
  url-size     Configure maximum allowed URL size
ciscoasa/CUST(config)# url-block url-mempool ?

configure mode commands/options:
  <2-10240>  Memory resource allocated for long URL buffer in KB
ciscoasa/CUST(config)# url-block url-mempool 512
ciscoasa/CUST(config)# url-block url-size ? 

configure mode commands/options:
  <2-4>  Maximum allowed URL size in KB
ciscoasa/CUST(config)# url-block url-size  4
ciscoasa/CUST(config)# url-block block ?

configure mode commands/options:
  <1-16>  Number of blocks that will be buffered
ciscoasa/CUST(config)# url-block block 16

ciscoasa/CUST(config)# filter ?

configure mode commands/options:
  activex  ActiveX filtering
  ftp      FTP filtering
  https    HTTPS filtering
  java     Java filtering
  url      HTTP filtering
ciscoasa/CUST(config)# filter https ?

configure mode commands/options:
  except             Create an exception to previously specified set of IP
Enter the port or port range <start>[-<end>]
  aol               
  bgp               
  biff              
  bootpc            
  bootps            
  chargen           
  cifs              
  citrix-ica        
  cmd               
  ctiqbe            
  daytime           
  discard           
  dnsix             
  domain            
  echo              
  exec              
  finger            
  ftp               
  ftp-data          
  gopher            
  h323              
ciscoasa/CUST(config)# filter https 443 ?

configure mode commands/options:
  Hostname or A.B.C.D  The address of local/internal host which is source for
                       connections requiring filtering
ciscoasa/CUST(config)# filter https 443 172.24.0.0 ?

configure mode commands/options:
  A.B.C.D  Network mask to be applied to local IP address
ciscoasa/CUST(config)# filter https 443 172.24.0.0 255.255.0.0 ?

configure mode commands/options:
  Hostname or A.B.C.D  The address of foreign/external host which is
                       destination for connections requiring filtering
ciscoasa/CUST(config)# filter https 443 172.24.0.0 255.255.0.0 0.0.0.0 ?

configure mode commands/options:
  A.B.C.D  Network mask to be applied to foreign IP address
ciscoasa/CUST(config)# filter https 443 172.24.0.0 255.255.0.0 0.0.0.0 0.0.0.0 ?

configure mode commands/options:
  allow  When url-server is down, allow outbound <service> traffic
  <cr>
ciscoasa/CUST(config)# filter https 443 172.24.0.0 255.255.0.0 0.0.0.0 0.0.0.0 allow
ciscoasa/CUST(config)# filter https 443 172.26.103.0 255.255.255.0 0.0.0.0 0.0.0.0 allow
ciscoasa/CUST(config)# filter url http 172.24.0.0 255.255.0.0 0.0.0.0 0.0.0.0 allow longurl-truncate cgi-truncate
ciscoasa/CUST(config)# filter url http 172.26.103.0 255.255.255.0 0.0.0.0 0.0.0.0 allow longurl-truncate cgi-truncate
ciscoasa/CUST(config)# filter ftp 21 172.24.0.0 255.255.0.0 0.0.0.0 0.0.0.0 allow
ciscoasa/CUST(config)# filter ftp 21 172.26.103.0 255.255.255.0 0.0.0.0 0.0.0.0 allow
ciscoasa/CUST(config)# filter https 443 10.48.41.0 255.255.255.0 0.0.0.0 0.0.0.0 allow
ciscoasa/CUST(config)# filter url http 10.48.41.0 255.255.255.0 0.0.0.0 0.0.0.0 allow longurl-truncate cgi-truncate
ciscoasa/CUST(config)# filter ftp 21 10.48.41.0 255.255.255.0 0.0.0.0 0.0.0.0 allow
ciscoasa/CUST(config)# filter https 443 10.0.0.0 255.0.0.0 0.0.0.0 0.0.0.0 allow
ciscoasa/CUST(config)# filter url http 10.0.0.0 255.0.0.0 0.0.0.0 0.0.0.0 allow longurl-truncate cgi-truncate
ciscoasa/CUST(config)# filter ftp 21 10.0.0.0 255.0.0.0 0.0.0.0 0.0.0.0 allow

ciscoasa/CUST# ping 10.160.6.77
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.160.6.77, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 120/128/130 ms

ciscoasa/CUST# ping 10.15.16.45
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.15.16.45, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 320/326/330 ms


Here are some useful show commands for Websense redirection:

ciscoasa/CUST# show run url-server
url-server (inside) vendor websense host 10.15.16.45 timeout 30 protocol TCP version 1 connections 10
url-server (inside) vendor websense host 10.160.6.77 timeout 30 protocol TCP version 4 connections 10
url-server (inside) vendor websense host 10.13.16.45 timeout 30 protocol TCP version 4 connections 10

ciscoasa/CUST# show url-server statistics

Global Statistics:
--------------------
URLs total/allowed/denied         137923/135998/1925
URLs allowed by cache/server      0/135998
URLs denied by cache/server       0/1925
HTTPSs total/allowed/denied       76109/55125/20984
HTTPSs allowed by cache/server    0/55125
HTTPSs denied by cache/server     0/20984
FTPs total/allowed/denied         0/0/0
FTPs allowed by cache/server      0/0
FTPs denied by cache/server       0/0
Requests dropped                  64884
Server timeouts/retries           6/80
Processed rate average 60s/300s   0/0 requests/second
Denied rate average 60s/300s      0/0 requests/second
Dropped rate average 60s/300s     0/0 requests/second

Server Statistics:
--------------------
10.160.6.77                       UP
  Vendor                          websense

  Port                            15868
  Requests total/allowed/denied   214036/191121/22909
  Server timeouts/retries         6/80
  Responses received              214030
  Response time average 60s/300s  0/0
10.15.16.45                       UP
  Vendor                          websense

  Port                            15868
  Requests total/allowed/denied   0/0/0
  Server timeouts/retries         0/0
  Responses received              0
  Response time average 60s/300s  0/0

URL Packets Sent and Received Stats:
------------------------------------
Message                 Sent    Received
STATUS_REQUEST          194372  191704
LOOKUP_REQUEST          217845  217759
LOG_REQUEST             0       NA

Errors:
-------
RFC noncompliant GET method     0
URL buffer update failure       0

ciscoasa/CUST# show url-block block statistics

URL Pending Packet Buffer Stats with max block  16
-----------------------------------------------------
Cumulative number of packets held:              2091333
Maximum number of packets held (per URL):       8
Current number of packets held (global):                0
Packets dropped due to
       exceeding url-block buffer limit:        510456
       HTTP server retransmission:              39723
Number of packets released back to client:      2072781
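
The two statistics outputs above carry the numbers that tell you whether the Websense redirection is actually working: server state, requests dropped, timeouts, and packets dropped for exceeding the `url-block` buffer. As an added example (not part of the original post and not a Cisco tool), the script below parses `show url-server statistics` and `show url-block block statistics` into dictionaries and turns them into monitoring findings. The sample inputs are abridged from the output on this page; the `max_dropped_ratio` threshold is an assumption, not a Cisco default, and the wording of the findings relies only on what the ASA help text on this page says (the `allow` keyword passes traffic when the url-server is down, `timeout` moves to the next server, `url-block block` tops out at 16).

```python
"""Health check over 'show url-server statistics' and 'show url-block block statistics'.
Added example written against the output layout shown on this page; thresholds are assumptions."""
import re

_SERVER_RE = re.compile(r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<state>UP|DOWN)$")
_KV_RE = re.compile(r"^(?P<key>\S.*?\S)\s{2,}(?P<val>\S.*)$")        # key, 2+ spaces, value
_BLOCK_KV_RE = re.compile(r"^(?P<key>[^:]+):\s+(?P<val>\d+)$")       # 'counter name:   123'


def _value(val):
    """'a/b/c' or 'a  b' made of digits -> tuple of ints, 'n' -> int, anything else stays text."""
    for sep in ("/", None):
        parts = val.split(sep)
        if len(parts) > 1 and all(p.isdigit() for p in parts):
            return tuple(int(p) for p in parts)
    return int(val) if val.isdigit() else val


def parse_url_server_stats(text):
    """{section: {key: value}}; under 'Server Statistics' each server IP gets its own dict
    with a 'state' entry. Blank lines and dashed rules are skipped."""
    sections, section, current = {}, None, None
    for raw in text.splitlines():
        body = raw.strip()
        if not body or set(body) <= {"-"}:
            continue
        if not raw.startswith(" ") and body.endswith(":"):   # column-0 header such as 'Errors:'
            section = current = sections.setdefault(body[:-1], {})
        elif (m := _SERVER_RE.match(body)) and section is not None:
            current = section.setdefault(m.group("ip"), {"state": m.group("state")})
        elif (m := _KV_RE.match(body)) and current is not None:
            current[m.group("key")] = _value(m.group("val").strip())
    return sections


def parse_url_block_stats(text):
    """{counter name: int}, plus 'max block' taken from the title line."""
    stats = {}
    for raw in text.splitlines():
        body = raw.strip()
        if m := re.search(r"max block\s+(\d+)$", body):
            stats["max block"] = int(m.group(1))
        elif m := _BLOCK_KV_RE.match(body):
            stats[m.group("key").strip()] = int(m.group("val"))
    return stats


def health_findings(url_server, url_block, max_dropped_ratio=0.05):
    """Plain-text findings a monitoring job would raise; an empty list means nothing to report."""
    findings = []
    g = url_server.get("Global Statistics", {})
    total = sum(g.get(k, (0, 0, 0))[0] for k in
                ("URLs total/allowed/denied", "HTTPSs total/allowed/denied", "FTPs total/allowed/denied"))
    dropped = g.get("Requests dropped", 0)
    if total and dropped / total > max_dropped_ratio:
        findings.append(f"{dropped} of {total} lookups dropped ({dropped / total:.0%}): "
                        "clients are not being filtered as configured")
    for ip, s in url_server.get("Server Statistics", {}).items():
        if s.get("state") != "UP":
            findings.append(f"url-server {ip} is {s.get('state')}: 'filter ... allow' passes traffic "
                            "unfiltered while it is down")
            continue
        if s.get("Requests total/allowed/denied", (0, 0, 0))[0] == 0:
            findings.append(f"url-server {ip} is UP but has answered no requests: it is only used "
                            "once the server configured before it times out")
        timeouts, retries = s.get("Server timeouts/retries", (0, 0))
        if timeouts:
            findings.append(f"url-server {ip}: {timeouts} timeouts / {retries} retries since last clear")
    if exceeded := url_block.get("exceeding url-block buffer limit", 0):
        blocks = url_block.get("max block")
        hint = ("url-block block is already at its maximum of 16" if blocks == 16
                else f"url-block block is {blocks}, the maximum is 16")
        findings.append(f"{exceeded} packets dropped while waiting for url-server verdicts ({hint})")
    return findings


# Sample inputs, abridged from the two show commands on this page.
URL_SERVER_SAMPLE = """\
Global Statistics:
--------------------
URLs total/allowed/denied         137923/135998/1925
HTTPSs total/allowed/denied       76109/55125/20984
FTPs total/allowed/denied         0/0/0
Requests dropped                  64884
Server timeouts/retries           6/80
Processed rate average 60s/300s   0/0 requests/second

Server Statistics:
--------------------
10.160.6.77                       UP
  Vendor                          websense

  Port                            15868
  Requests total/allowed/denied   214036/191121/22909
  Server timeouts/retries         6/80
  Responses received              214030
10.15.16.45                       UP
  Vendor                          websense
  Port                            15868
  Requests total/allowed/denied   0/0/0
  Server timeouts/retries         0/0
  Responses received              0

URL Packets Sent and Received Stats:
------------------------------------
Message                 Sent    Received
STATUS_REQUEST          194372  191704
"""
URL_BLOCK_SAMPLE = """\
URL Pending Packet Buffer Stats with max block  16
-----------------------------------------------------
Cumulative number of packets held:              2091333
Maximum number of packets held (per URL):       8
Current number of packets held (global):                0
Packets dropped due to
       exceeding url-block buffer limit:        510456
       HTTP server retransmission:              39723
Number of packets released back to client:      2072781
"""
```

Run `health_findings(parse_url_server_stats(a), parse_url_block_stats(b))` on the two captured outputs from a polling job. On the numbers shown on this page it reports the 30% drop rate, the 6 timeouts on 10.160.6.77, the idle standby 10.15.16.45, and the 510456 packets lost to a buffer that is already at its 16-block maximum, which is exactly the set of things worth a ticket before anyone trusts the filtering.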
