Cisco Asdm 7 User Guide

    25-23
    Cisco ASA Series Firewall ASDM Configuration Guide
     
    Chapter 25      Configuring the ASA for Cisco Cloud Web Security
      Configuring Cisco Cloud Web Security
    User traffic is compared to these rules in order; if this Match rule is first in the list, then all traffic, 
    including traffic to test_network, will match only that rule and the Do not match rule will never be hit. 
    If you move the Do not match rule above the Match rule, then traffic to test_network will match the Do 
    not match rule, and all other traffic will match the Match rule.
Step 13 Repeat the above steps with the following changes: add a new traffic class called “scansafe-https,” and choose HTTPS for the inspection policy map.
Step 14 Click Apply.
    (Optional) Configuring Whitelisted Traffic
    If you use user authentication, you can exempt some traffic from being filtered by Cloud Web Security 
    based on the username and/or groupname. When you configure your Cloud Web Security service policy 
    rule, you can reference the whitelisting inspection class map. Both IDFW and AAA user credentials can 
    be used with this feature.
    Although you can achieve the same results of exempting traffic based on user or group when you 
    configure the service policy rule, you might find it more straightforward to use a whitelist instead. Note 
    that the whitelist feature is only based on user and group, not on IP address. 
    Detailed Steps
Step 1 Choose Configuration > Firewall > Objects > Class Maps > Cloud Web Security.
Step 2 Click Add to create a new class map.
The Add Cloud Web Security Traffic Class Map screen appears.
Step 3 In the Name field, enter the name of the new class map (40 characters or less).
Step 4 In the Description field, provide a description for the class map (200 characters or less).
Step 5 Choose the Match Option for the criteria you define when you click Add:
• Match All—Specifies that traffic must match all criteria to match the class map.
• Match Any—Specifies that the traffic matches the class map if it matches at least one of the criteria.
Step 6 Click Add.
The Add Cloud Web Security Match Criterion window appears.
Step 7 Choose the Match Type:
• Match—Specifies the user and/or group that you want to whitelist.
• No Match—Specifies the user and/or group that you do not want to whitelist; for example, if you whitelist the group “cisco,” but you want to scan traffic from users “johncrichton” and “aerynsun,” you can specify No Match for those users.
Step 8 Choose the Match Criterion:
• User—Specifies the user.
• Group—Specifies the group.
• User and Group—Specifies a user and group.
Step 9 Click OK.
Step 10 Continue to add match criteria as desired.
Step 11 Click OK to add the class map.
Step 12 Click Apply.
Step 13 Use the whitelist in the Cloud Web Security policy according to the “Configuring a Service Policy to Send Traffic to Cloud Web Security” section on page 25-10.
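The two matching behaviours described in this section and in the service-policy discussion above (first-hit ordering of Match / Do not match traffic classes, and a whitelist class map built from Match / No Match criteria on user and group under Match All or Match Any) can be checked with the following Python model. It is an added example, not Cisco code and not the ASA's matching engine: the rule and criterion data structures, the IP-prefix representation of a traffic class, and the way Match All combines a Match criterion with No Match criteria are assumptions made for this illustration. The sample users, groups and prefixes are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set


# --- Ordered service-policy traffic classes: the first hit wins ------------

@dataclass
class TrafficRule:
    """One traffic class in the Cloud Web Security service policy (assumed model)."""
    name: str
    network: str      # destination prefix matched by the rule's ACL
    action: str       # "match" (redirect to Cloud Web Security) or "do not match"


def first_matching_rule(rules: List[TrafficRule], dst_ip: str) -> Optional[TrafficRule]:
    """Walk the rule list in order and return the first rule covering dst_ip."""
    dst = ip_address(dst_ip)
    for rule in rules:
        if dst in ip_network(rule.network):
            return rule
    return None


def is_redirected(rules: List[TrafficRule], dst_ip: str) -> bool:
    """True when the first hit is a Match rule. A Do not match rule placed
    below a broader Match rule is never reached."""
    rule = first_matching_rule(rules, dst_ip)
    return rule is not None and rule.action == "match"


# --- Whitelist class map: Match / No Match criteria on user and group ------

@dataclass
class Criterion:
    match: bool                  # True = Match, False = No Match
    user: Optional[str] = None   # set user only, group only, or both
    group: Optional[str] = None

    def satisfied(self, user: str, groups: Set[str]) -> bool:
        hit = True
        if self.user is not None:
            hit = hit and self.user == user
        if self.group is not None:
            hit = hit and self.group in groups
        # Assumption: a No Match criterion is satisfied when the user/group does NOT match.
        return hit if self.match else not hit


@dataclass
class WhitelistClassMap:
    name: str
    match_all: bool              # Match All vs. Match Any
    criteria: List[Criterion]

    def __post_init__(self) -> None:
        if len(self.name) > 40:  # limit stated in the ASDM dialog
            raise ValueError("class map name must be 40 characters or less")

    def whitelisted(self, user: str, groups: Set[str]) -> bool:
        results = [c.satisfied(user, groups) for c in self.criteria]
        if not results:
            return False
        return all(results) if self.match_all else any(results)


def demo() -> dict:
    # Constructed sample rules and identities for this example.
    exempt = TrafficRule("test_network", "10.1.0.0/16", "do not match")
    everything = TrafficRule("scansafe-http", "0.0.0.0/0", "match")
    wrong_order = [everything, exempt]   # Do not match rule is never hit
    right_order = [exempt, everything]
    # The guide's whitelist example: group "cisco" is whitelisted except for two
    # users; modelled as Match All so every criterion must hold.
    wl = WhitelistClassMap("scansafe-whitelist", True, [
        Criterion(True, group="cisco"),
        Criterion(False, user="johncrichton"),
        Criterion(False, user="aerynsun"),
    ])
    return {
        "wrong_order_exempt_ip": is_redirected(wrong_order, "10.1.2.3"),
        "right_order_exempt_ip": is_redirected(right_order, "10.1.2.3"),
        "right_order_other_ip": is_redirected(right_order, "203.0.113.5"),
        "cisco_member": wl.whitelisted("dargo", {"cisco"}),
        "excluded_user": wl.whitelisted("johncrichton", {"cisco"}),
        "other_group": wl.whitelisted("guest", {"contractors"}),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script shows the ordering effect directly: with the broad Match rule first, traffic to 10.1.0.0/16 is still redirected, and only after the Do not match rule is moved above it is that traffic exempted while everything else is still sent to Cloud Web Security.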
    (Optional) Configuring the User Identity Monitor
    When you use IDFW, the ASA only downloads user identity information from the AD server for users 
    and groups included in active ACLs; the ACL must be used in a feature such as an access rule, AAA rule, 
    service policy rule, or other feature to be considered active. Because Cloud Web Security can base its 
    policy on user identity, you may need to download groups that are not part of an active ACL to get full 
    IDFW coverage for all your users. For example, although you can configure your Cloud Web Security 
    service policy rule to use an ACL with users and groups, thus activating any relevant groups, it is not 
required; you could use an ACL based entirely on IP addresses. The user identity monitor feature lets you download group information directly from the AD agent.
    Restrictions
    The ASA can only monitor a maximum of 512 groups, including those configured for the user identity 
    monitor and those monitored through active ACLs.
    Detailed Steps
Step 1 Choose Configuration > Firewall > Identity Options, and scroll to the Cloud Web Security Configuration section.
Step 2 Click Add.
The Add Monitor User dialog box appears.
Step 3 To add a domain, click Manage, and then click Add. You can only monitor groups for domains you have pre-defined on the ASA.
The Configure Identity Domains dialog box appears. For detailed information about adding domains, see the “Configuring Identity Options” section on page 38-16 in the general operations configuration guide.
Step 4 When you are finished adding domains, click OK.
Step 5 You can either type in a group name, or you can search for groups on the AD agent per domain.
• To type in a group name directly, enter the name in the bottom field in the following format, and click OK:
domain-name\\group
• To search for a group on the AD agent:
a. Choose the domain from the Domain drop-down list.
b. In the Find field, enter a text string to match group names, and click Find.
The ASA downloads names from the AD agent for the specified domain.
c. Double-click the name you want to monitor; it is added to the bottom field.
d. Click OK.
    Repeat for additional groups.
Step 6 After you add the groups you want to monitor, click Apply.
    Configuring the Cloud Web Security Policy
    After you configure the ASA service policy rules, launch the ScanCenter Portal to configure Web content 
    scanning, filtering, malware protection services, and reports.
    Detailed Steps
    Go to: https://scancenter.scansafe.com/portal/admin/login.jsp.
For more information, see the Cisco ScanSafe Cloud Web Security Configuration Guides:
http://www.cisco.com/en/US/products/ps11720/products_installation_and_configuration_guides_list.html
Monitoring Cloud Web Security
Command: Monitoring > Properties > Cloud Web Security
Purpose: Shows the status of the server, whether it is the current active server, the backup server, or unreachable. Shows total and current HTTP(S) connections. In multiple context mode, statistics are only shown within a context.
Command: See the following URL: http://Whoami.scansafe.net
Purpose: From a client, access this web site to determine if your traffic is going to the Cloud Web Security server.
Related Documents
Related Documents: Cisco ScanSafe Cloud Web Security Configuration Guides
URL: http://www.cisco.com/en/US/products/ps11720/products_installation_and_configuration_guides_list.html
Feature History for Cisco Cloud Web Security
Table 25-1 lists each feature change and the platform release in which it was implemented. ASDM is backwards-compatible with multiple platform releases, so the specific ASDM release in which support was added is not listed.
Table 25-1 Feature History for Cloud Web Security
Feature Name: Cloud Web Security
Platform Releases: 9.0(1)
Feature Information: This feature was introduced.
Cisco Cloud Web Security provides content scanning and other malware protection service for web traffic. It can also redirect and report about web traffic based on user identity.
We introduced or modified the following screens:
Configuration > Device Management > Cloud Web Security
Configuration > Firewall > Objects > Class Maps > Cloud Web Security
Configuration > Firewall > Objects > Class Maps > Cloud Web Security > Add/Edit
Configuration > Firewall > Objects > Inspect Maps > Cloud Web Security
Configuration > Firewall > Objects > Inspect Maps > Cloud Web Security > Add/Edit
Configuration > Firewall > Objects > Inspect Maps > Cloud Web Security > Add/Edit > Manage Cloud Web Security Class Maps
Configuration > Firewall > Identity Options
Configuration > Firewall > Service Policy Rules
Monitoring > Properties > Cloud Web Security
Chapter 26
Configuring the Botnet Traffic Filter
    Malware is malicious software that is installed on an unknowing host. Malware that attempts network 
    activity such as sending private data (passwords, credit card numbers, key strokes, or proprietary data) 
    can be detected by the Botnet Traffic Filter when the malware starts a connection to a known bad IP 
    address. The Botnet Traffic Filter checks incoming and outgoing connections against a dynamic database 
    of known bad domain names and IP addresses (the blacklist), and then logs or blocks any suspicious 
    activity.
    You can also supplement the Cisco dynamic database with blacklisted addresses of your choosing by 
    adding them to a static blacklist; if the dynamic database includes blacklisted addresses that you think 
    should not be blacklisted, you can manually enter them into a static whitelist. Whitelisted addresses still 
    generate syslog messages, but because you are only targeting blacklist syslog messages, they are 
    informational.
Note: If you do not want to use the Cisco dynamic database at all, because of internal requirements, you can use the static blacklist alone if you can identify all the malware sites that you want to target.
    This chapter describes how to configure the Botnet Traffic Filter and includes the following sections:
    Information About the Botnet Traffic Filter, page 26-1
    Licensing Requirements for the Botnet Traffic Filter, page 26-6
    Prerequisites for the Botnet Traffic Filter, page 26-6
    Guidelines and Limitations, page 26-6
    Default Settings, page 26-6
    Configuring the Botnet Traffic Filter, page 26-7
    Monitoring the Botnet Traffic Filter, page 26-14
    Where to Go Next, page 26-16
    Feature History for the Botnet Traffic Filter, page 26-16
    Information About the Botnet Traffic Filter
    This section includes information about the Botnet Traffic Filter and includes the following topics:
    Botnet Traffic Filter Address Types, page 26-2
    Botnet Traffic Filter Actions for Known Addresses, page 26-2 
    Botnet Traffic Filter Databases, page 26-2
    How the Botnet Traffic Filter Works, page 26-5
    Botnet Traffic Filter Address Types
    Addresses monitored by the Botnet Traffic Filter include:
    Known malware addresses—These addresses are on the blacklist identified by the dynamic database 
    and the static blacklist.
    Known allowed addresses—These addresses are on the whitelist. The whitelist is useful when an 
    address is blacklisted by the dynamic database and also identified by the static whitelist.
    Ambiguous addresses—These addresses are associated with multiple domain names, but not all of 
    these domain names are on the blacklist. These addresses are on the greylist.
    Unlisted addresses—These addresses are unknown, and not included on any list.
    Botnet Traffic Filter Actions for Known Addresses
    You can configure the Botnet Traffic Filter to log suspicious activity, and you can optionally configure 
    it to block suspicious traffic automatically.
    Unlisted addresses do not generate any syslog messages, but addresses on the blacklist, whitelist, and 
    greylist generate syslog messages differentiated by type. See the “Botnet Traffic Filter Syslog 
    Messaging” section on page 26-14 for more information.
    Botnet Traffic Filter Databases
    The Botnet Traffic Filter uses two databases for known addresses. You can use both databases together, 
    or you can disable use of the dynamic database and use the static database alone. This section includes 
    the following topics:
    Information About the Dynamic Database, page 26-2
    Information About the Static Database, page 26-3
    Information About the DNS Reverse Lookup Cache and DNS Host Cache, page 26-4
    Information About the Dynamic Database
    The Botnet Traffic Filter can receive periodic updates for the dynamic database from the Cisco update 
    server. This database lists thousands of known bad domain names and IP addresses.
    How the ASA Uses the Dynamic Database
    The ASA uses the dynamic database as follows:
1. When the domain name in a DNS reply matches a name in the dynamic database, the Botnet Traffic Filter adds the name and IP address to the DNS reverse lookup cache.
2. When the infected host starts a connection to the IP address of the malware site, then the ASA sends a syslog message informing you of the suspicious activity and optionally drops the traffic if you configured the ASA to do so.
3. In some cases, the IP address itself is supplied in the dynamic database, and the Botnet Traffic Filter logs or drops any traffic to that IP address without having to inspect DNS requests.
    Database Files
    The database files are downloaded from the Cisco update server, and then stored in running memory; 
    they are not stored in flash memory. Be sure to identify a DNS server for the ASA so that it can access 
    the Cisco update server URL. In multiple context mode, the system downloads the database for all 
    contexts using the admin context interface; be sure to identify a DNS server in the admin context.
If you need to delete the database, use the Configuration > Firewall > Botnet Traffic Filter > Botnet Database pane Purge Botnet Database button instead. Be sure to first disable use of the database by unchecking the Use Botnet data dynamically downloaded from updater server check box in the Configuration > Firewall > Botnet Traffic Filter > Botnet Database > Dynamic Database Configuration area.
Note: To filter on the domain names in the dynamic database, you need to enable DNS packet inspection with Botnet Traffic Filter snooping; the ASA looks inside the DNS packets for the domain name and associated IP address.
    Database Traffic Types
    The dynamic database includes the following types of addresses:
    Ads—These are advertising networks that deliver banner ads, interstitials, rich media ads, pop-ups, 
    and pop-unders for websites, spyware and adware. Some of these networks send ad-oriented HTML 
    emails and email verification services.
    Data Tracking—These are sources associated with companies and websites that offer data tracking 
    and metrics services to websites and other online entities. Some of these also run small advertising 
    networks.
    Spyware—These are sources that distribute spyware, adware, greyware, and other potentially 
    unwanted advertising software. Some of these also run exploits to install such software.
    Malware—These are sources that use various exploits to deliver adware, spyware and other malware 
    to victim computers. Some of these are associated with rogue online vendors and distributors of 
    dialers which deceptively call premium-rate phone numbers.
    Adult—These are sources associated with adult networks/services offering web hosting for adult 
    content, advertising, content aggregation, registration & billing, and age verification. These may be 
    tied to distribution of adware, spyware, and dialers.
    Bot and Threat Networks—These are rogue systems that control infected computers. They are either 
    systems hosted on threat networks or systems that are part of the botnet itself.
    Information About the Static Database
    You can manually enter domain names or IP addresses (host or subnet) that you want to tag as bad names 
    in a blacklist. Static blacklist entries are always designated with a Very High threat level. You can also 
    enter names or IP addresses in a whitelist, so that names or addresses that appear on both the dynamic 
    blacklist and the whitelist are identified only as whitelist addresses in syslog messages and reports. Note 
    that you see syslog messages for whitelisted addresses even if the address is not also in the dynamic 
    blacklist.  
    When you add a domain name to the static database, the ASA waits 1 minute, and then sends a DNS 
    request for that domain name and adds the domain name/IP address pairing to the DNS host cache. (This 
    action is a background process, and does not affect your ability to continue configuring the ASA). We 
    recommend also enabling DNS packet inspection with Botnet Traffic Filter snooping. The ASA uses 
    Botnet Traffic Filter snooping instead of the regular DNS lookup to resolve static blacklist domain names 
    in the following circumstances:
    The ASA DNS server is unavailable.
    A connection is initiated during the 1 minute waiting period before the ASA sends the regular DNS 
    request.
    If DNS snooping is used, when an infected host sends a DNS request for a name on the static database, 
    the ASA looks inside the DNS packets for the domain name and associated IP address and adds the name 
    and IP address to the DNS reverse lookup cache.
    If you do not enable Botnet Traffic Filter snooping, and one of the above circumstances occurs, then that 
    traffic will not be monitored by the Botnet Traffic Filter.
    Information About the DNS Reverse Lookup Cache and DNS Host Cache
    When you use the dynamic database with DNS snooping, entries are added to the DNS reverse lookup 
    cache. If you use the static database, entries are added to the DNS host cache (see the “Information 
    About the Static Database” section on page 26-3 about using the static database with DNS snooping and 
    the DNS reverse lookup cache).
    Entries in the DNS reverse lookup cache and the DNS host cache have a time to live (TTL) value 
    provided by the DNS server. The largest TTL value allowed is 1 day (24 hours); if the DNS server 
    provides a larger TTL, it is truncated to 1 day maximum.
    For the DNS reverse lookup cache, after an entry times out, the ASA renews the entry when an infected 
    host initiates a connection to a known address, and DNS snooping occurs.
    For the DNS host cache, after an entry times out, the ASA periodically requests a refresh for the entry.
    For the DNS host cache, the maximum number of blacklist entries and whitelist entries is 1000 each. 
    The number of entries in the DNS reverse lookup cache varies per model. 
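The following Python model ties together the classification rules spread across this chapter: the four address types (blacklist, whitelist, greylist, unlisted), the dynamic database hits by domain name (via DNS snooping into the reverse lookup cache) and by IP address (no DNS inspection needed), the Very High threat level of static blacklist entries, whitelist precedence over a blacklist hit, and the 1-day cap on cached DNS TTLs. It is an added example and not Cisco code: the data structures, the rule that an address whose cached names are only partly blacklisted is greylisted, the threat-level ordering used to pick the worst of several hits, and the time handling are assumptions of this illustration; the databases, DNS replies and addresses in demo() are constructed sample data.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Set

MAX_TTL = 24 * 60 * 60   # the ASA truncates DNS TTLs to 1 day
# Threat-level ordering assumed here for choosing the worst of several hits.
LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]


@dataclass
class Verdict:
    category: str                # blacklist, whitelist, greylist or unlisted
    threat_level: Optional[str]
    action: str                  # drop, log or none (unlisted: no syslog)


@dataclass
class BotnetTrafficFilter:
    dynamic_domains: Dict[str, str]   # domain -> threat level (dynamic database)
    dynamic_ips: Dict[str, str]       # IP or prefix -> threat level (dynamic database)
    static_blacklist: Set[str] = field(default_factory=set)   # domains or prefixes
    whitelist: Set[str] = field(default_factory=set)          # domains or prefixes
    drop_blacklisted: bool = False    # optional automatic blocking
    _cache: Dict[str, Dict[str, float]] = field(default_factory=dict)  # ip -> {domain: expiry}

    def snoop_dns_reply(self, domain: str, ip: str, ttl: int, now: float) -> None:
        """DNS inspection with Botnet Traffic Filter snooping: remember the
        domain/IP pairing from a reply, with the TTL capped at one day."""
        self._cache.setdefault(ip, {})[domain] = now + min(ttl, MAX_TTL)

    def _live_domains(self, ip: str, now: float) -> Set[str]:
        return {d for d, exp in self._cache.get(ip, {}).items() if exp > now}

    @staticmethod
    def _address_entry(ip: str, entries) -> Optional[str]:
        """Return the list entry (IP or prefix) covering ip; domain names are skipped."""
        addr = ip_address(ip)
        for entry in entries:
            try:
                if addr in ip_network(entry, strict=False):
                    return entry
            except ValueError:
                continue
        return None

    def classify_connection(self, dst_ip: str, now: float) -> Verdict:
        """Classify a new connection to dst_ip following the chapter's rules."""
        domains = self._live_domains(dst_ip, now)
        # Whitelist entries override a blacklist hit; they still produce syslogs.
        if self._address_entry(dst_ip, self.whitelist) or domains & self.whitelist:
            return Verdict("whitelist", None, "log")
        block = "drop" if self.drop_blacklisted else "log"
        # Static blacklist entries always carry a Very High threat level.
        if self._address_entry(dst_ip, self.static_blacklist) or domains & self.static_blacklist:
            return Verdict("blacklist", "Very High", block)
        # IP supplied directly by the dynamic database: no DNS inspection needed.
        entry = self._address_entry(dst_ip, self.dynamic_ips)
        if entry is not None:
            return Verdict("blacklist", self.dynamic_ips[entry], block)
        bad = {d for d in domains if d in self.dynamic_domains}
        if bad:
            worst = max((self.dynamic_domains[d] for d in bad), key=LEVELS.index)
            if bad == domains:
                return Verdict("blacklist", worst, block)
            # Only some of the names resolving here are bad: ambiguous address.
            return Verdict("greylist", worst, "log")
        return Verdict("unlisted", None, "none")


def demo() -> Dict[str, Verdict]:
    """Constructed sample databases, snooped DNS replies and connections."""
    btf = BotnetTrafficFilter(
        dynamic_domains={"bad.example": "High"},
        dynamic_ips={"198.51.100.0/24": "Very High"},
        static_blacklist={"evil.example"},
        whitelist={"trusted.example"},
        drop_blacklisted=True,
    )
    now = 1000.0
    btf.snoop_dns_reply("bad.example", "192.0.2.10", 300, now)
    btf.snoop_dns_reply("evil.example", "192.0.2.20", 300, now)
    btf.snoop_dns_reply("bad.example", "192.0.2.30", 300, now)
    btf.snoop_dns_reply("trusted.example", "192.0.2.30", 300, now)
    btf.snoop_dns_reply("bad.example", "192.0.2.40", 300, now)
    btf.snoop_dns_reply("shared-host.example", "192.0.2.40", 300, now)
    btf.snoop_dns_reply("bad.example", "192.0.2.50", 7 * MAX_TTL, now)  # TTL gets capped
    return {
        "dynamic_domain": btf.classify_connection("192.0.2.10", now),
        "static_domain": btf.classify_connection("192.0.2.20", now),
        "dynamic_ip": btf.classify_connection("198.51.100.7", now),
        "whitelisted": btf.classify_connection("192.0.2.30", now),
        "ambiguous": btf.classify_connection("192.0.2.40", now),
        "unknown": btf.classify_connection("203.0.113.9", now),
        "before_expiry": btf.classify_connection("192.0.2.50", now + MAX_TTL - 1),
        "after_expiry": btf.classify_connection("192.0.2.50", now + MAX_TTL + 1),
    }


if __name__ == "__main__":
    for name, v in demo().items():
        print(f"{name:14s} {v.category:10s} {str(v.threat_level):10s} {v.action}")
```

The last two entries in demo() show the cache behaviour described above: a DNS reply advertising a week-long TTL is kept for only one day, after which the address reverts to unlisted until DNS snooping sees it again.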