Are there Botnet controlled hosts on your network? Are your hosts infected with malware or spyware that is trying to “phone-home”? How would you know? One way to find out is to employ Cisco ASA’s new Layer 4 Traffic Monitoring (L4TM) feature. L4TM detects infected clients by tracking rogue “phone-home” traffic.
The Cisco ASA Layer 4 Traffic Monitor feature is designed to detect command and control and data upload traffic from bots, malware, and spyware flowing through the ASA back to their “HQ”. To make this detection possible using an ASA, Cisco leveraged technology already present in its Ironport Web Security Appliance (WSA) product. Let’s look at how Botnet infection typically happens and how Cisco ASA’s new feature can help detect it.
Botnet Infection Process:
1) A client somehow gets infected with malware, spyware or another Botnet-like exploit. By and large these infections happen via websites or email.
2) The infected client then communicates with one or more command and control sites on the Internet.
3) Depending on the type of exploit, the infected client then launches some type of attack. Common examples are denial of service attacks, spam relaying, adware infection, identity theft, keyboard logging, data theft, click fraud, upload of confidential data, reconnaissance, and many others. The commonality is that all of these need to talk back to their “mothership” in some manner to be worth anything to the hacker.
Layer 4 Traffic Monitor Botnet detection process:
1) The Cisco ASA is configured to retrieve and install the Cisco Botnet database from Ironport.com. The ASA then dynamically checks every 60 minutes for updates to the Botnet database.
2) The ASA L4TM feature compares the destination addresses of traffic flowing through its interfaces with those in its Botnet database, looking for matches, which indicate that the destination IP is malicious.
3) When a match is encountered, an alert is sent to ASDM and syslog with the details of the source IP and the malicious destination IP.
Given that all Botnets exhibit this type of command and control behavior, the Botnet traffic filter would be able to accurately alert you when hosts on your network are compromised. The Botnet dynamic database will detect attacks from 11 different main threat types. These are shown below:

In addition to the dynamic Botnet database the ASA also supports a static database that you can populate with your own blacklist and whitelist entries. You can add up to 1000 blacklist entries and 1000 whitelist entries in the static database. See figure below:

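As an added example (not Cisco's or the ASA's own code), the matching logic the two lists above describe, modelled in Python: each flow's destination address is checked against the dynamic database and the static blacklist, a static whitelist exempts an address, the 1000-entry caps on the static lists are enforced, and a match produces an alert carrying the source and destination IP. The database contents, threat labels and flow records are constructed, and the rule that a whitelist entry overrides a blacklist match is an assumption.

```python
# Added example: a model of the L4TM check (dynamic database + static lists).
# Not Cisco's code; database contents, threat labels and flows are constructed.
import ipaddress
from dataclasses import dataclass, field

STATIC_LIST_CAP = 1000  # static database: up to 1000 blacklist and 1000 whitelist entries


@dataclass
class BotnetFilter:
    dynamic: dict = field(default_factory=dict)   # dest IP -> threat type (dynamic database)
    blacklist: set = field(default_factory=set)   # administrator-maintained static blacklist
    whitelist: set = field(default_factory=set)   # static whitelist; assumed to override a match

    def add_static(self, kind, addr):
        """Add a validated address to the static blacklist or whitelist, enforcing the cap."""
        target = self.blacklist if kind == "blacklist" else self.whitelist
        if len(target) >= STATIC_LIST_CAP:
            raise ValueError(f"static {kind} is full ({STATIC_LIST_CAP} entries)")
        target.add(str(ipaddress.ip_address(addr)))  # normalise and validate the address

    def classify(self, dst):
        """Return (verdict, reason) for one destination address."""
        dst = str(ipaddress.ip_address(dst))
        if dst in self.whitelist:
            return "whitelisted", "static whitelist"
        if dst in self.blacklist:
            return "blacklisted", "static blacklist"
        if dst in self.dynamic:
            return "blacklisted", f"dynamic database: {self.dynamic[dst]}"
        return "unknown", ""

    def monitor(self, flows):
        """Check (src, dst) flow records and return alerts as (src, dst, reason)."""
        alerts = []
        for src, dst in flows:
            verdict, reason = self.classify(dst)
            if verdict == "blacklisted":
                alerts.append((src, dst, reason))
        return alerts


# Constructed sample data: a tiny dynamic database and a few flows (RFC 5737 ranges).
SAMPLE_DYNAMIC = {"203.0.113.10": "bot-cnc", "198.51.100.7": "spyware"}
SAMPLE_FLOWS = [("10.1.1.45", "203.0.113.10"), ("10.1.1.45", "192.0.2.50"),
                ("10.1.2.9", "198.51.100.7"), ("10.1.2.9", "203.0.113.99")]


def demo():
    f = BotnetFilter(dynamic=dict(SAMPLE_DYNAMIC))
    f.add_static("blacklist", "203.0.113.99")  # locally known bad host
    f.add_static("whitelist", "198.51.100.7")  # vetted false positive in the dynamic list
    return f.monitor(SAMPLE_FLOWS)
```

Running `demo()` yields two alerts: the dynamic-database hit and the static blacklist hit, while the whitelisted destination is suppressed even though it appears in the dynamic database.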
To turn on Botnet traffic filters go to the new Botnet Traffic Filter configuration section under Configuration > Firewall > Botnet Traffic Filter. You can turn on the feature for all interfaces and all traffic, or you can specify only certain interfaces and certain traffic (using an ACL). See figure below:

This feature is supported across the entire Cisco ASA 5500 Series, from the ASA 5505 to the ASA 5580. It requires ASA 8.2 and ASDM 6.2 code. A 30 day evaluation license is required and can be obtained from a Cisco Partner. L4TM pricing has not been set as of this writing. Note that the Botnet traffic filter will use up some RAM on the ASA. However, this is usually only a potential issue on the ASA 5505 and 5510 models. If you disable threat detection on the ASA this will free up memory. If you need a memory upgrade on your ASA 5510, one will be available starting in June.
For more information on the Cisco ASA Botnet traffic filter see here
www.cisco.com/go/btf
or
http://www.cisco.com/en/US/solutions/collateral/ns340/ns394/ns171/ns441/...
The ASA 8.2 release notes can be found here:
http://www.cisco.com/en/US/docs/security/asa/asa82/release/notes/asarn82...
The ASA 8.2 configuration docs can be found here:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/c...
Do you have an existing product or procedure that lets you detect Botnets on your network? Will you be upgrading to ASA 8.2 code to use this feature? I’d also like to hear any feedback from those that have used it already.
The opinions and information presented here are my PERSONAL views and not those of my employer. I am in no way an official spokesperson for my employer.
Jamey Heary, CCIE #7680, sits on the PCI Security Standards Council Board of Advisors, where he provides strategic and technical guidance for future PCI standards. Jamey is the author of Cisco NAC Appliance: Enforcing Host Security with Clean Access. (Check out all of Jamey Heary's books from Cisco Press.) He also has a patent pending on a new DDoS mitigation technique.
Jamey sits on several security advisory boards for Cisco Systems and is a founding member of the Colorado Healthcare InfoSec Users Group. He is an experienced speaker who is recognized as an expert in network security architecture, regulatory compliance, and routing and switching. His other certifications include CISSP and CCSP, and he is a Certified HIPAA Security Professional. He has been working in the IT field for 15 years and in IT security for 10 years. Jamey is currently a Distinguished Systems Engineer at Cisco Systems.