Are there Botnet-controlled hosts on your network? Are your hosts infected with malware or spyware that is trying to “phone home”? How would you know? One way to find out is to employ Cisco ASA’s new Layer 4 Traffic Monitoring (L4TM) feature. L4TM detects infected clients by tracking rogue “phone-home” traffic.
The Cisco ASA Layer 4 Traffic Monitor feature is designed to detect command-and-control and data-upload traffic from bots, malware, and spyware flowing through the ASA back to their “HQ”. To make this detection possible on an ASA, Cisco leveraged technology already present in its IronPort Web Security Appliance (WSA) product. Let’s look at how Botnet infection typically happens and how Cisco ASA’s new feature can help detect it.
Botnet Infection Process:
1) A client somehow gets infected with malware, spyware or another Botnet-like exploit. By and large these infections happen via websites or email.
2) The infected client then communicates with one or more command and control sites on the Internet.
3) Depending on the type of exploit, the infected client will then launch some type of attack. Common examples are Denial of Service attacks, spam relaying, adware infection, identity theft, keyboard logging, data theft, click fraud, upload of confidential data, reconnaissance, and many others. The commonality is that all of these need to talk back to their “mothership” in some manner to be worth anything to the hacker.
Layer 4 Traffic Monitor Botnet detection process:
1) The Cisco ASA is configured to retrieve and install the Cisco Botnet database from Ironport.com. The ASA then dynamically checks every 60 minutes for updates to the Botnet database.
2) The ASA L4TM feature compares the destination addresses of traffic flowing through its interfaces with those in its Botnet database, looking for matches that would indicate the destination IP is malicious.
3) When a match is encountered, an alert is sent to ASDM and syslog with the details of the source IP and the malicious destination IP.
Given that all Botnets exhibit this type of command and control behavior, the Botnet traffic filter would be able to accurately alert you when hosts on your network are compromised. The Botnet dynamic database will detect attacks from 11 different main threat types. These are shown below:

In addition to the dynamic Botnet database the ASA also supports a static database that you can populate with your own blacklist and whitelist entries. You can add up to 1000 blacklist entries and 1000 whitelist entries in the static database. See figure below:
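To make the lookup described above concrete, here is a small added example (mine, not Cisco's code) that models the Botnet Traffic Filter decision for a handful of constructed flows: a dynamic database of listed networks, a static blacklist, and a static whitelist, with a syslog-style alert per match. The threat labels, addresses, and the assumption that a whitelist entry overrides both blacklists are constructed for illustration.

```python
"""Simplified model of a Botnet Traffic Filter lookup (added example, not Cisco code).

A dynamic database of listed destinations (a constructed sample here) is combined
with a static blacklist and whitelist. Every flow's destination is checked; a hit
produces an alert carrying source and destination, like the ASA sends to syslog/ASDM.
That the whitelist takes precedence is an assumption of this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Iterator, Optional

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int

# Constructed sample "dynamic database": listed network -> threat type
DYNAMIC_DB = {
    ipaddress.ip_network("203.0.113.0/24"): "botnet C&C",
    ipaddress.ip_network("198.51.100.42/32"): "spyware upload",
}
# Constructed static entries an administrator might add (the ASA allows 1000 each)
STATIC_BLACKLIST = {ipaddress.ip_network("192.0.2.0/28"): "local blacklist"}
STATIC_WHITELIST = {ipaddress.ip_network("203.0.113.10/32")}

def classify(dst: str) -> Optional[str]:
    """Return the threat type for a destination, or None when it is not listed.
    Whitelist wins over both databases (assumption); blacklist hits are resolved
    longest-prefix first so a /32 entry overrides a broader /24."""
    ip = ipaddress.ip_address(dst)
    if any(ip in net for net in STATIC_WHITELIST):
        return None
    hits = [(net.prefixlen, label) for db in (STATIC_BLACKLIST, DYNAMIC_DB)
            for net, label in db.items() if ip in net]
    return max(hits)[1] if hits else None

def scan(flows: Iterable[Flow]) -> Iterator[str]:
    """Yield one syslog-style alert line per flow to a listed destination."""
    for f in flows:
        label = classify(f.dst)
        if label:
            yield f"BTF-ALERT src={f.src} dst={f.dst}:{f.dport} threat='{label}'"

SAMPLE_FLOWS = [  # constructed flows, not captured traffic
    Flow("10.1.1.5", "203.0.113.77", 443),  # in listed /24 -> alert
    Flow("10.1.1.6", "203.0.113.10", 80),   # whitelisted host -> no alert
    Flow("10.1.1.7", "192.0.2.9", 8080),    # static blacklist -> alert
    Flow("10.1.1.8", "8.8.8.8", 53),        # not listed -> no alert
]

if __name__ == "__main__":
    for line in scan(SAMPLE_FLOWS):
        print(line)
```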

To turn on the Botnet traffic filter, go to the new Botnet Traffic Filter configuration section under Configuration > Firewall > Botnet Traffic Filter. You can turn on the feature for all interfaces and all traffic, or you can restrict it to certain interfaces and certain traffic (using an ACL). See figure below:

This feature is supported across the entire Cisco ASA 5500 Series, from the ASA 5505 to the ASA 5580. It requires ASA 8.2 and ASDM 6.2 code. A 30-day evaluation license is required and can be obtained from a Cisco Partner. L4TM pricing has not been set as of this writing. Note that the Botnet traffic filter will use up some RAM on the ASA; however, this is usually only a potential issue on the ASA 5505 and 5510 models. Disabling threat detection on the ASA will free up memory. If you need a memory upgrade for your ASA 5510, one will be available starting in June.
For more information on the Cisco ASA Botnet traffic filter see here
www.cisco.com/go/btf
or
http://www.cisco.com/en/US/solutions/collateral/ns340/ns394/ns171/ns441/...
The ASA 8.2 release notes can be found here:
http://www.cisco.com/en/US/docs/security/asa/asa82/release/notes/asarn82...
The ASA 8.2 configuration docs can be found here:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/c...
Do you have an existing product or procedure that lets you detect Botnets on your network? Will you be upgrading to ASA 8.2 code to use this feature? I’d also like to hear any feedback from those that have used it already.
The opinions and information presented here are my PERSONAL views and not those of my employer. I am in no way an official spokesperson for my employer.
Jamey Heary, CCIE No. 7680, is the author of the Cisco NAC Appliance: Enforcing Host Security with Clean Access book by Cisco Press. Jamey is a seasoned security technologist with over 15 years in the IT field with 10 years focused on IT security. His areas of expertise include network and host security design and implementation, security regulatory compliance, and routing and switching. His other certifications include CISSP, CCSP, and Microsoft MCSE. He is also a Certified HIPAA Security Professional. Jamey is currently a Security Consulting Systems Engineer with Cisco, though the opinions expressed here are his own. Jamey is a member of Network World's Cisco Subnet blog community.
what about performance ?
For the last two years, I have downloaded the IP address lists related to Botnets, Command&Control, RBN, Spammers and so on from (http://www.emergingthreats.net/fwrules/) as a first line of defense at the Internet edge. But if you look at the number of IP addresses/subnets in the list, you will find that there are too many addresses (my current ACL has more than 5000 ACEs). To increase performance, and given the performance penalty of these large ACLs, I moved my current blocking ACL to my Cisco Catalyst 6500 with SUP-720 (as a Port-ACL), since the ACL on the CAT-6500 is processed in hardware and there is no line-by-line search as on a traditional software-based packet filtering platform. My question is: while the Cisco ASA (except the ASA 5580) runs on a CPU and processes everything in software, how will the ASA software install these large ACLs in memory, and how will it search these large IP address lists (not only single IP addresses; there are too many CIDR blocks that will need a wildcard-mask search) without severely hitting performance?
Layer 4?
Since when did IP addresses comprise Layer 4?
Yep, Layer 4.
Layer 4 info is also used in the filtering process.
Given that a single IP could have multiple issues, it is necessary to take it to the port level to make a more granular report.
For example, IP x.x.x.x has multiple issues. On port 80 it is a known distributor of malware. On port 443 it is a known phish site. Etc., etc.
-Jamey