Cisco Asdm 7 User Guide

26-5
Cisco ASA Series Firewall ASDM Configuration Guide
Chapter 26 Configuring the Botnet Traffic Filter
Information About the Botnet Traffic Filter

How the Botnet Traffic Filter Works

Figure 26-1 shows how the Botnet Traffic Filter works with the dynamic database plus DNS inspection with Botnet Traffic Filter snooping.

[Figure 26-1 How the Botnet Traffic Filter Works with the Dynamic Database. Components shown: infected host; security appliance with the Botnet Traffic Filter, DNS snoop, dynamic database and DNS reverse lookup cache; DNS server; syslog server; malware home site 209.165.201.3 on the Internet. Labelled steps: 1 DNS Request: bad.example.com; 1a. Match?; 2 DNS Reply: 209.165.201.3; 2a. Add; 3 Connection to: 209.165.201.3; 3a. Match?; 3b. Send Syslog Message/Drop Traffic.]

Figure 26-2 shows how the Botnet Traffic Filter works with the static database.

[Figure 26-2 How the Botnet Traffic Filter Works with the Static Database. Components shown: infected host; security appliance with the Botnet Traffic Filter, static database and DNS host cache; DNS server; syslog server; malware home site 209.165.201.3 on the Internet. Labelled steps: 1 Add entry: bad.example.com; 1a. DNS Request: bad.example.com; 2 DNS Reply: 209.165.201.3; 2a. Add; 3 Connection to: 209.165.201.3; 3a. Match?; 3b. Send Syslog Message/Drop Traffic.]
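As an added illustration (not Cisco's code, and not the ASA's actual implementation), the following Python model walks through the flow labelled in both figures: DNS snooping fills the reverse lookup cache from dynamic-database matches, static entries are resolved into the DNS host cache, and each initial connection packet is checked against the four sources before a syslog message is sent or the connection is dropped. The threat levels and the default Moderate-to-Very High drop range come from the Traffic Settings steps later in this chapter; the databases and addresses are constructed sample data, and the whitelist is not modelled.

```python
# Added example, not Cisco's code: a model of the Figure 26-1 / 26-2 flow.
# All database entries, caches and addresses are constructed sample data.
from dataclasses import dataclass, field

THREAT_LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]


@dataclass
class BotnetTrafficFilter:
    # Dynamic database: blacklisted domain names / IP addresses -> threat level.
    dynamic_domains: dict = field(default_factory=dict)
    dynamic_ips: dict = field(default_factory=dict)
    # Static database: blacklist entries are always Very High (page 26-9).
    static_domains: set = field(default_factory=set)
    static_ips: set = field(default_factory=set)
    # Caches: filled by DNS snooping (dynamic) and by the ASA's own lookup (static).
    reverse_lookup_cache: dict = field(default_factory=dict)
    dns_host_cache: dict = field(default_factory=dict)
    # Blacklisted Traffic Action: drop when the level is within [drop_min, drop_max];
    # the default range is Moderate to Very High (page 26-11).
    drop_min: str = "Moderate"
    drop_max: str = "Very High"
    syslog: list = field(default_factory=list)

    def resolve_static_entries(self, dns_answers):
        """Figure 26-2, steps 1a/2/2a: the ASA resolves each static domain name
        itself and stores the answer in the DNS host cache."""
        for name in self.static_domains:
            if name in dns_answers:
                self.dns_host_cache[dns_answers[name]] = name

    def snoop_dns_reply(self, name, ip):
        """Figure 26-1, steps 1/1a/2/2a: DNS snooping compares the name in a
        reply with the dynamic database; on a match the answered IP is added
        to the reverse lookup cache with the name and its threat level."""
        if name in self.dynamic_domains:
            self.reverse_lookup_cache[ip] = (name, self.dynamic_domains[name])
            return True
        return False

    def classify(self, ip):
        """Return (threat_level, matched_entry) for an address, or None.
        The four sources are the ones listed on page 26-10."""
        if ip in self.static_ips:
            return ("Very High", ip)
        if ip in self.dns_host_cache:
            return ("Very High", self.dns_host_cache[ip])
        if ip in self.dynamic_ips:
            return (self.dynamic_ips[ip], ip)
        if ip in self.reverse_lookup_cache:
            name, level = self.reverse_lookup_cache[ip]
            return (level, name)
        return None

    def new_connection(self, src, dst):
        """Steps 3/3a/3b of both figures: check the source and destination of
        the initial packet; on a match send a syslog message and drop only if
        the threat level falls inside the configured drop range."""
        for ip in (src, dst):
            hit = self.classify(ip)
            if hit is None:
                continue
            level, entry = hit
            lo = THREAT_LEVELS.index(self.drop_min)
            hi = THREAT_LEVELS.index(self.drop_max)
            action = "drop" if lo <= THREAT_LEVELS.index(level) <= hi else "permit"
            self.syslog.append(f"{action} {src} -> {dst}: {entry} ({level})")
            return action
        return "permit"
```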

26-6

Licensing Requirements for the Botnet Traffic Filter

The following table shows the licensing requirements for this feature:

Model        License Requirement
All models   You need the following licenses:
             – Botnet Traffic Filter License.
             – Strong Encryption (3DES/AES) License to download the dynamic database.

Prerequisites for the Botnet Traffic Filter

To use the dynamic database, identify a DNS server for the ASA so that it can access the Cisco update server URL. In multiple context mode, the system downloads the database for all contexts using the admin context interface; be sure to identify a DNS server in the admin context.

Guidelines and Limitations

This section includes the guidelines and limitations for this feature.

Context Mode Guidelines
Supported in single and multiple context mode.

Firewall Mode Guidelines
Supported in routed and transparent firewall mode.

Failover Guidelines
Does not support replication of the DNS reverse lookup cache, DNS host cache, or the dynamic database in Stateful Failover.

IPv6 Guidelines
Does not support IPv6.

Additional Guidelines and Limitations
– TCP DNS traffic is not supported.
– You can add up to 1000 blacklist entries and 1000 whitelist entries in the static database.
– The packet tracer is not supported.

Default Settings

By default, the Botnet Traffic Filter is disabled, as is use of the dynamic database. For DNS inspection, which is enabled by default, Botnet Traffic Filter snooping is disabled by default.

26-7

Configuring the Botnet Traffic Filter

This section includes the following topics:
– Task Flow for Configuring the Botnet Traffic Filter, page 26-7
– Configuring the Dynamic Database, page 26-8
– Enabling DNS Snooping, page 26-9
– Adding Entries to the Static Database, page 26-9
– Enabling Traffic Classification and Actions for the Botnet Traffic Filter, page 26-10
– Blocking Botnet Traffic Manually, page 26-12
– Searching the Dynamic Database, page 26-13

Task Flow for Configuring the Botnet Traffic Filter

To configure the Botnet Traffic Filter, perform the following steps:

Step 1  Enable use of the dynamic database. See the “Configuring the Dynamic Database” section on page 26-8. This procedure enables database updates from the Cisco update server, and also enables use of the downloaded dynamic database by the ASA. Disallowing use of the downloaded database is useful in multiple context mode so you can configure use of the database on a per-context basis.

Step 2  (Optional) Add static entries to the database. See the “Adding Entries to the Static Database” section on page 26-9. This procedure lets you augment the dynamic database with domain names or IP addresses that you want to blacklist or whitelist. You might want to use the static database instead of the dynamic database if you do not want to download the dynamic database over the Internet.

Step 3  Enable DNS snooping. See the “Enabling DNS Snooping” section on page 26-9. This procedure enables inspection of DNS packets, compares the domain name with those in the dynamic database or the static database (when a DNS server for the ASA is unavailable), and adds the name and IP address to the DNS reverse lookup cache. This cache is then used by the Botnet Traffic Filter when connections are made to the suspicious address.

Step 4  Enable traffic classification and actions for the Botnet Traffic Filter. See the “Enabling Traffic Classification and Actions for the Botnet Traffic Filter” section on page 26-10. This procedure enables the Botnet Traffic Filter, which compares the source and destination IP address in each initial connection packet to the IP addresses in the dynamic database, static database, DNS reverse lookup cache, and DNS host cache, and sends a syslog message or drops any matching traffic.

Step 5  (Optional) Block traffic manually based on syslog message information. See the “Blocking Botnet Traffic Manually” section on page 26-12. If you choose not to block malware traffic automatically, you can block traffic manually by configuring an access rule to deny traffic, or by using the shun command in the Command Line Interface tool to block all traffic to and from a host.

26-8

Configuring the Dynamic Database

This procedure enables database updates, and also enables use of the downloaded dynamic database by the ASA. In multiple context mode, the system downloads the database for all contexts using the admin context interface. You can configure use of the database on a per-context basis. By default, downloading and using the dynamic database is disabled.

Prerequisites

Enable ASA use of a DNS server in the Device Management > DNS > DNS Client > DNS Lookup area. In multiple context mode, the system downloads the database for all contexts using the admin context interface; be sure to identify a DNS server in the admin context.

Detailed Steps

Step 1  Enable downloading of the dynamic database.
– In single mode, choose the Configuration > Firewall > Botnet Traffic Filter > Botnet Database pane, then check the Enable Botnet Updater Client check box.
– In multiple context mode in the System execution space, choose the Configuration > Device Management > Botnet Database pane, then check the Enable Botnet Updater Client check box.
This setting enables downloading of the dynamic database from the Cisco update server. In multiple context mode, configure this setting in the system execution space. If you do not have a database already installed on the ASA, it downloads the database after approximately 2 minutes. The update server determines how often the ASA polls the server for future updates, typically every hour.

Step 2  (Multiple context mode only) Click Apply. Then change to the context where you want to configure the Botnet Traffic Filter by double-clicking the context name in the Device List.

Step 3  In the Configuration > Firewall > Botnet Traffic Filter > Botnet Database > Dynamic Database Configuration area, check the Use Botnet data dynamically downloaded from updater server check box.

Step 4  Click Apply.

Step 5  (Optional) If you want to later remove the database from running memory, perform the following steps:
a. Disable use of the database by unchecking the Use Botnet data dynamically downloaded from updater server check box.
b. Click Apply.
c. Click Purge Botnet Database.
d. To redownload the database, re-check the Use Botnet data dynamically downloaded from updater server check box.
e. Click Apply.

Note  The Fetch Botnet Database button is for testing purposes only; it downloads and verifies the dynamic database, but does not store it in running memory.

For information about the Search Dynamic Database area, see the “Searching the Dynamic Database” section on page 26-13.

What to Do Next

See the “Adding Entries to the Static Database” section on page 26-9.

26-9

Adding Entries to the Static Database

The static database lets you augment the dynamic database with domain names or IP addresses that you want to blacklist or whitelist. Static blacklist entries are always designated with a Very High threat level. See the “Information About the Static Database” section on page 26-3 for more information.

Prerequisites

In multiple context mode, perform this procedure in the context execution space.

Enable ASA use of a DNS server in the Device Management > DNS > DNS Client > DNS Lookup area. In multiple context mode, enable DNS per context.

Detailed Steps

Step 1  Choose the Configuration > Firewall > Botnet Traffic Filter > Black or White List pane, then click Add for the Whitelist or Blacklist. The Enter hostname or IP Address dialog box appears.

Step 2  In the Addresses field, enter one or more domain names, IP addresses, and IP address/netmasks. Enter multiple entries separated by commas, spaces, lines, or semicolons. You can enter up to 1000 entries for each type.

Step 3  Click OK.

Step 4  Click Apply.

What to Do Next

See the “Enabling DNS Snooping” section on page 26-9.

Enabling DNS Snooping

This procedure enables inspection of DNS packets and enables Botnet Traffic Filter snooping, which compares the domain name with those in the dynamic database or static database, and adds the name and IP address to the Botnet Traffic Filter DNS reverse lookup cache. This cache is then used by the Botnet Traffic Filter when connections are made to the suspicious address.

Prerequisites

In multiple context mode, perform this procedure in the context execution space.

26-10

You must first configure DNS inspection for traffic that you want to snoop using the Botnet Traffic Filter. See the “DNS Inspection” section on page 11-1 and Chapter 1, “Configuring a Service Policy,” for detailed information about configuring advanced DNS inspection options using the Modular Policy Framework.

Note  You can also configure DNS snooping directly in the Configuration > Firewall > Service Policy Rules > Rule Actions > Protocol Inspection > Select DNS Inspect Map dialog box by checking the Enable Botnet traffic filter DNS snooping check box.

Restrictions

TCP DNS traffic is not supported.

Default DNS Inspection Configuration and Recommended Configuration

The default configuration for DNS inspection inspects all UDP DNS traffic on all interfaces, and does not have DNS snooping enabled. We suggest that you enable DNS snooping only on interfaces where external DNS requests are going. Enabling DNS snooping on all UDP DNS traffic, including that going to an internal DNS server, creates unnecessary load on the ASA. For example, if the DNS server is on the outside interface, you should enable DNS inspection with snooping for all UDP DNS traffic on the outside interface.

Detailed Steps

Step 1  Choose the Configuration > Firewall > Botnet Traffic Filter > DNS Snooping pane. All existing service rules that include DNS inspection are listed in the table.

Step 2  For each rule for which you want to enable DNS snooping, check the check box in the DNS Snooping Enabled column.

Step 3  Click Apply.

What to Do Next

See the “Enabling Traffic Classification and Actions for the Botnet Traffic Filter” section on page 26-10.

Enabling Traffic Classification and Actions for the Botnet Traffic Filter

This procedure enables the Botnet Traffic Filter. The Botnet Traffic Filter compares the source and destination IP address in each initial connection packet to the following:
– Dynamic database IP addresses
– Static database IP addresses
– DNS reverse lookup cache (for dynamic database domain names)
– DNS host cache (for static database domain names)

26-11

When an address matches, the ASA sends a syslog message. The only additional action currently available is to drop the connection.

Prerequisites

In multiple context mode, perform this procedure in the context execution space.

Recommended Configuration

Although DNS snooping is not required, we recommend configuring DNS snooping for maximum use of the Botnet Traffic Filter (see the “Enabling DNS Snooping” section on page 26-9). Without DNS snooping for the dynamic database, the Botnet Traffic Filter uses only the static database entries, plus any IP addresses in the dynamic database; domain names in the dynamic database are not used.

We recommend enabling the Botnet Traffic Filter on all traffic on the Internet-facing interface, and enabling dropping of traffic with a severity of moderate and higher.

Detailed Steps

Step 1  Choose the Configuration > Firewall > Botnet Traffic Filter > Traffic Settings pane.

Step 2  To enable the Botnet Traffic Filter on specified traffic, perform the following steps:
a. In the Traffic Classification area, check the Traffic Classified check box for each interface on which you want to enable the Botnet Traffic Filter. You can configure a global classification that applies to all interfaces by checking the Traffic Classified check box for Global (All Interfaces). If you configure an interface-specific classification, the settings for that interface override the global setting.
b. For each interface, from the ACL Used drop-down list choose either --ALL TRAFFIC-- (the default), or any ACL configured on the ASA. For example, you might want to monitor all port 80 traffic on the outside interface. To add or edit ACLs, click Manage ACL to bring up the ACL Manager. See the “Adding ACLs and ACEs” section on page 21-2 in the general operations configuration guide for more information.

Step 3  (Optional) To treat greylisted traffic as blacklisted traffic for action purposes, in the Ambiguous Traffic Handling area, check the Treat ambiguous (greylisted) traffic as malicious (blacklisted) traffic check box. If you do not enable this option, greylisted traffic will not be dropped if you configure a rule in the Blacklisted Traffic Actions area. See the “Botnet Traffic Filter Address Types” section on page 26-2 for more information about the greylist.

Step 4  (Optional) To automatically drop malware traffic, perform the following steps. To manually drop traffic, see the “Blocking Botnet Traffic Manually” section on page 26-12.
a. In the Blacklisted Traffic Actions area, click Add. The Add Blacklisted Traffic Action dialog box appears.
b. From the Interface drop-down list, choose the interface on which you want to drop traffic. Only interfaces on which you enabled Botnet Traffic Filter traffic classification are available.
c. In the Threat Level area, choose one of the following options to drop traffic at specific threat levels. The default level is a range between Moderate and Very High.

26-12

Note  We highly recommend using the default setting unless you have strong reasons for changing the setting.
– Value—Specify the threat level you want to drop:
    – Very Low
    – Low
    – Moderate
    – High
    – Very High
  Note  Static blacklist entries are always designated with a Very High threat level.
– Range—Specify a range of threat levels.
d. In the ACL Used area, from the ACL Used drop-down list choose either --ALL TRAFFIC-- (the default), or any ACL configured on the ASA.
Note  Be sure the ACL is a subset of the traffic you specified in the Traffic Classification area.
To add or edit ACLs, click Manage to bring up the ACL Manager. See the “Adding ACLs and ACEs” section on page 21-2 in the general operations configuration guide for more information.
e. Click OK. You return to the Traffic Settings pane.
f. If you want to apply additional rules to a given interface, repeat steps a through e. Make sure you do not specify overlapping traffic in multiple rules for a given interface. Because you cannot control the exact order in which rules are matched, overlapping traffic means you do not know which rule will be matched. For example, do not specify both a rule that matches --ALL TRAFFIC-- and a rule with an ACL for a given interface; in this case, the traffic might never match the rule with the ACL. Similarly, if you specify multiple rules with ACLs, make sure each ACL is unique, and that the networks do not overlap.

Step 5  Click Apply.

Blocking Botnet Traffic Manually

If you choose not to block malware traffic automatically (see the “Enabling Traffic Classification and Actions for the Botnet Traffic Filter” section on page 26-10), you can block traffic manually by configuring an access rule to deny traffic, or by using the shun command in the Command Line Interface tool to block all traffic to and from a host. For some messages, you can automatically configure access rules in ASDM.

26-13

For example, you receive the following syslog message:

ASA-4-338002: Dynamic Filter permitted black listed TCP traffic from inside:10.1.1.45/6798 (209.165.201.1/7890) to outside:209.165.202.129/80 (209.165.202.129/80), destination 209.165.202.129 resolved from dynamic list: bad.example.com

You can then perform one of the following actions:

– Create an access rule to deny traffic. For example, using the syslog message above, you might want to deny traffic from the infected host at 10.1.1.45 to the malware site at 209.165.202.129. Or, if there are many connections to different blacklisted addresses, you can create an ACL to deny all traffic from 10.1.1.45 until you resolve the infection on the host computer.
  For the following syslog messages, a reverse access rule can be automatically created from the Real Time Log Viewer:
    – 338001, 338002, 338003, 338004 (blacklist)
    – 338201, 338202 (greylist)
  See Chapter 92, “Configuring Logging,” in the general operations configuration guide and Chapter 7, “Configuring Access Rules,” for more information about creating an access rule.
  Note  If you create a reverse access rule from a Botnet Traffic Filter syslog message, and you do not have any other access rules applied to the interface, then you might inadvertently block all traffic. Normally, without an access rule, all traffic from a high security to a low security interface is allowed. But when you apply an access rule, all traffic is denied except traffic that you explicitly permit. Because the reverse access rule is a deny rule, be sure to edit the resulting access policy for the interface to permit other traffic.
  ACLs block all future connections. To block the current connection, if it is still active, enter the clear conn command. For example, to clear only the connection listed in the syslog message, enter the clear conn address 10.1.1.45 address 209.165.202.129 command. See the command reference for more information.

– Shun the infected host. Shunning blocks all connections from the host, so you should use an ACL if you want to block connections to certain destination addresses and ports. To shun a host, enter the following command in Tools > Command Line Interface. To drop the current connection as well as blocking all future connections, enter the destination address, source port, destination port, and optional protocol.
  shun src_ip [dst_ip src_port dest_port [protocol]]
  For example, to block future connections from 10.1.1.45, and also drop the current connection to the malware site in the syslog message, enter:
  shun 10.1.1.45 209.165.202.129 6798 80
  After you resolve the infection, be sure to remove the ACL or the shun. To remove the shun, enter no shun src_ip.

Searching the Dynamic Database

If you want to check whether a domain name or IP address is included in the dynamic database, you can search the database for a string.

26-14

Detailed Steps

Step 1  Go to the Search Dynamic Database area:
– In single mode or within a context, choose the Configuration > Firewall > Botnet Traffic Filter > Botnet Database Update pane.
– In multiple context mode in the System execution space, choose the Configuration > Device Management > Botnet Database Update pane.

Step 2  In the Search string field, enter a string at least 3 characters in length, and click Find Now. The first two matches are shown. To refine your search for a more specific match, enter a longer string.

Step 3  To clear the displayed matches and the search string, click Clear, or you can just enter a new string and click Find Now to get a new display.

Monitoring the Botnet Traffic Filter

Whenever a known address is classified by the Botnet Traffic Filter, a syslog message is generated. You can also monitor Botnet Traffic Filter statistics and other parameters by entering commands on the ASA. This section includes the following topics:
– Botnet Traffic Filter Syslog Messaging, page 26-14
– Botnet Traffic Filter Monitor Panes, page 26-15

Botnet Traffic Filter Syslog Messaging

The Botnet Traffic Filter generates detailed syslog messages numbered 338nnn. Messages differentiate between incoming and outgoing connections, blacklist, whitelist, or greylist addresses, and many other variables. (The greylist includes addresses that are associated with multiple domain names, but not all of these domain names are on the blacklist.) See the syslog messages guide for detailed information about syslog messages.

For the following syslog messages, a reverse access rule can be automatically created from the Real Time Log Viewer:
– 338001, 338002, 338003, 338004 (blacklist)
– 338201, 338202 (greylist)

See Chapter 92, “Configuring Logging,” in the general operations configuration guide.
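As an added example (not Cisco's code and not an ASDM feature), the following Python parses 338nnn messages in the format of the page 26-13 example, decides blacklist or greylist from the message ID according to the list above, and derives the manual responses from the Blocking Botnet Traffic Manually section (deny rule, clear conn, shun). The access-list line is the CLI form of a deny access rule and uses a hypothetical ACL name BTF_BLOCK; all log lines are constructed samples.

```python
# Added example, not Cisco's code: triage of Botnet Traffic Filter syslog
# messages (338nnn). BTF_BLOCK is a hypothetical ACL name; SAMPLE_LOG is constructed.
import re
from collections import defaultdict

BLACKLIST_IDS = {338001, 338002, 338003, 338004}   # reverse rule available in ASDM
GREYLIST_IDS = {338201, 338202}

# Field layout of the page 26-13 example; the list word ("black listed") is
# matched loosely and the list type is decided from the message ID instead.
_BTF_RE = re.compile(
    r"ASA-\d-(?P<id>338\d{3}): Dynamic Filter (?P<verb>permitted|dropped) "
    r"(?:\w+\s*)?listed (?P<proto>\w+) traffic from "
    r"(?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) \([\d.]+/\d+\) to "
    r"(?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) \([\d.]+/\d+\)"
    r"(?:, destination [\d.]+ resolved from (?P<list>\w+) list: (?P<domain>\S+))?"
)

def parse_btf_message(line):
    """Return the fields of a 338nnn message as a dict, or None for other lines."""
    m = _BTF_RE.search(line)
    if not m:
        return None
    msg = m.groupdict()
    msg["id"] = int(msg["id"])
    if msg["id"] in BLACKLIST_IDS:
        msg["list_type"] = "blacklist"
    elif msg["id"] in GREYLIST_IDS:
        msg["list_type"] = "greylist"
    else:
        msg["list_type"] = "other"
    return msg

def response_commands(msg, treat_greylist_as_malicious=False):
    """CLI forms of the manual responses on page 26-13 for one permitted
    match: deny the host pair (hypothetical ACL BTF_BLOCK), clear the live
    connection, and the four-argument shun that also drops it."""
    if msg["verb"] != "permitted" or msg["list_type"] == "other":
        return []          # "dropped" means the automatic action already applied
    if msg["list_type"] == "greylist" and not treat_greylist_as_malicious:
        return []          # greylist is acted on only when treated as malicious
    src, dst = msg["src_ip"], msg["dst_ip"]
    return [
        f"access-list BTF_BLOCK extended deny ip host {src} host {dst}",
        f"clear conn address {src} address {dst}",
        f"shun {src} {dst} {msg['src_port']} {msg['dst_port']}",
    ]

def infected_hosts(lines):
    """Group permitted blacklist matches by inside host, so a host talking to
    many blacklisted destinations can be blocked as a whole (page 26-13)."""
    hosts = defaultdict(set)
    for line in lines:
        msg = parse_btf_message(line)
        if msg and msg["list_type"] == "blacklist" and msg["verb"] == "permitted":
            hosts[msg["src_ip"]].add(msg["domain"] or msg["dst_ip"])
    return {host: sorted(dests) for host, dests in hosts.items()}

SAMPLE_LOG = [  # constructed samples modelled on the page 26-13 message
    "ASA-4-338002: Dynamic Filter permitted black listed TCP traffic from "
    "inside:10.1.1.45/6798 (209.165.201.1/7890) to outside:209.165.202.129/80 "
    "(209.165.202.129/80), destination 209.165.202.129 resolved from dynamic "
    "list: bad.example.com",
    "ASA-4-338002: Dynamic Filter permitted black listed TCP traffic from "
    "inside:10.1.1.45/6801 (209.165.201.1/7891) to outside:203.0.113.5/443 "
    "(203.0.113.5/443), destination 203.0.113.5 resolved from dynamic "
    "list: worse.example.com",
    "ASA-4-338201: Dynamic Filter permitted grey listed TCP traffic from "
    "inside:10.1.1.50/5000 (209.165.201.1/7892) to outside:203.0.113.7/80 "
    "(203.0.113.7/80)",
]
```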