Skip Links

Cisco ASA Takes on Botnets

Cisco ASA 8.2.2 release adds several new features

By jheary on Tue, 01/12/10 - 12:29am.

Cisco just turned up the heat on botnets around the globe. ASA 8.2.2 and ASDM 6.2.5 upgrade code recently posted to their website. The big new feature is the Botnet traffic filter drop capabilities. The previous ASA release, 8.2.1, included a monitor/track only Botnet traffic filter feature. (If you haven't read about the Cisco botnet traffic filter yet see my previous blog on the topic to get up to speed.) With 8.2.2 ASA owners will be able to take proactive action against Botnet command and control and other malware traffic. The feature uses a subset of Cisco's extensive SensorBase IP reputation database to detect and mitigate malicious traffic and find botnets.

Customers that are currently running an 8.2 release should upgrade to this version soon due to the massive amount of bug fixes included in 8.2.2. Cisco fixed over 200 bugs or caveats in their newest release; a couple of these were critical. Check out the release notes for specifics. So if you're already on the latest 8.2 code release train then I recommend you upgrade to 8.2.2 in a couple weeks from now. Give it a couple weeks to "bake" then grab the image from CCO. As always, be sure to test this in a non-production environment before you deploy it in production.

ASA 8.2.2 adds many new features; I'll try to cover most of them in this article. My focus will be on the Botnet traffic filter since it received a major overhaul in this release. Here are the Botnet filter highlights from the release notes:

"- Supports automatic blocking of blacklisted traffic based on threat level.

-View the category and threat level of malware sites in statistics and reports.

-Reporting was enhanced to show infected hosts. The 1 hour timeout for reports for top hosts was removed; there is now no timeout."

Other notable features that released in ASA 8.2.2 and ASDM 6.2.5. I'm not going to list all of them since some are very obscure, so be sure to check out the release notes if you want to know the complete story. Here are the "other" new features:

-ASA will auto-logoff SSLVPN sessions that have been in the idle state the longest. This helps conserve your SSLVPN licenses.

-New Inspection engine has been added on the ASA to control the behavior of IP Options field. Previously, the ASA would deny all IP Options. Now, you can specify which IP Options are allowed through, clear all IP options, or deny IP options. This feature is configured using modular policy framework and is enabled by default.

-Cisco Unified Mobile Communicator clients no longer require a paid ASA UC Proxy license to work through your ASA. Cisco Unified Mobile Communicator client works on iPhones, Blackberry, Win Mobile and Nokia E&N platforms. This could be huge for those that want to save money by having calls routed through their corporate voice services instead of through a carrier.

-ASA stateful failover now supports IPv6

-ASA now supports 100 AAA Server Groups, previous limit was 15

-Cisco Smart Call Home is now supported on ASA. This feature allows the ASA to report back to a Smart Call Home Server either at your site or at Cisco TAC. It is used for proactive diagnostics and trouble signs. When reporting to Cisco TAC it can even proactively initiate the opening of trouble tickets on the customers behalf due to some issue their ASA reported. Here are some of the features Cisco says this supports:

Cisco Smart Call Home offers:
* Visibility into your network through diagnostic reports on Smart Call Home enabled devices
* Real-time trouble shooting, alerts, and remediation advice
* Automatic generation of Cisco service requests to Cisco technical engineers
* Secure, reliable data transport
* Personalized Web-based portal to review Call Home messages, detailed diagnostics, recommendations, and inventory

You can download the Cisco ASA 8.2.2 and ASDM 6.2.5 code from Please post your feedback here.

Cisco ASA 8.2 Release Notes are here:

The opinions and information presented here are my PERSONAL views and not those of my employer. I am in no way an official spokesperson for my employer.

More from Jamey Heary:
* Credit Card Skimming: How thieves can steal your card info without you knowing it
* Google Nexus One vs. Top 10 Phone Security Requirements
* Why you should always shred your boarding pass
* Video rental records are afforded more privacy protections than your online data
* The truth about new SSL attacks
* 2009 Top Urban Legends in IT Security/a>

Go to Jamey’s Blog for more articles on security.