Data Sheet

White Paper
© 2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 6 of 11
Example of the Botnet Traffic Filter in Action
The client attempts to connect to the phone-home server “command-control.badguy.ru”.
1. The client issues a DNS query for “command-control.badguy.ru.”
2. The ASA DNS inspection snoops the DNS query and its response and caches the name-to-address mapping for later use.
3. The client connects to the IP address of “command-control.badguy.ru.”
4. The Botnet Traffic Filter resolves the connection’s peer IP address back to its DNS name using the Botnet Traffic Filter DNS cache.
5. The Botnet Traffic Filter looks up that DNS name in the Botnet Traffic Filter block list.
6. If the peer address is found in the Botnet Traffic Filter block list and is not in the manual whitelist, the ASA alerts via logging that an illegal connection was attempted.
7. If the peer address is not found, the connection is allowed to continue.
Deployment Guidelines
The Cisco ASA appliance with the Botnet Traffic Filter should be deployed at the enterprise Internet edge, as the
botnet database only contains information about external botnets. It is also best to address the external threat as
close to the source as possible. This feature is restricted to IPv4 traffic.
The Botnet Traffic Filter is supported in single and multiple context modes, and in routed and transparent firewall modes.
The Cisco ASA appliance supports the Botnet Traffic Filter in High Availability (HA) mode (Active/Active and
Active/Standby). It is essential to note that the DNS reverse cache (DNSRC) is not replicated between the ASA HA
devices and must therefore be relearned after a device failover event.
A typical Botnet Traffic Filter deployment places the ASA appliance between the Internet and the corporate
networks. The corporate networks can be divided across multiple interfaces and will, from the Botnet Traffic
Filter’s point of view, be considered internal networks.
The following steps will need to be taken when configuring Botnet Traffic Filter dynamic filtering:
1. Enable the DNS client on the ASA so that it can resolve the address of CSIO’s updater service and the dynamic
filter update client can fetch updates.
2. Enable dynamic traffic filtering (Botnet Traffic Filter).
3. Enable the Botnet Traffic Filter database update.
4. Classify the traffic that will be subject to dynamic traffic filtering by creating an access control list (ACL) that
matches the traffic to be filtered.
5. Enable dynamic filtering on the Internet-facing (external) interface by using the classification ACL defined in the
previous step.
6. Enable DNS snooping on the external interface by adding to or modifying the DNS inspection policy map for the
external interface.
7. Define local whitelists and/or blacklists if needed.
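The seven steps above collected into one ASA CLI configuration. This is an added example, not configuration taken from the white paper: the interface name `outside`, the ACL name `btf-traffic`, the resolver address 192.0.2.53 and the whitelist/blacklist entries are constructed placeholders, and it assumes the default `global_policy` and `preset_dns_map` objects of a factory ASA 8.2 configuration.

```cisco
! Step 1: DNS client so the ASA can resolve the CSIO updater service
! (192.0.2.53 is a constructed placeholder for the enterprise resolver)
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.0.2.53
!
! Step 2: enable dynamic traffic filtering against the downloaded database
dynamic-filter use-database
!
! Step 3: enable the updater client that fetches the database from CSIO
dynamic-filter updater-client enable
!
! Step 4: classify the traffic to check; here every flow crossing the
! Internet edge is matched (narrow the ACL to internal subnets if needed)
access-list btf-traffic extended permit ip any any
!
! Step 5: apply dynamic filtering on the Internet-facing interface
dynamic-filter enable interface outside classify-list btf-traffic
!
! Step 6: DNS snooping, so DNS replies seen at the edge populate the DNSRC.
! preset_dns_map is the default DNS inspection map applied to every
! interface by global_policy; use "service-policy <map> interface outside"
! instead if snooping should be limited to the outside interface.
policy-map type inspect dns preset_dns_map
 parameters
  dynamic-filter-snoop
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
!
! Step 7: local lists. A whitelist entry overrides the downloaded blacklist
! (e.g. a legitimate update server that was listed by mistake); the
! blacklist adds names or addresses the downloaded database does not know.
dynamic-filter whitelist
 name updates.example.com
dynamic-filter blacklist
 name command-control.badguy.ru
 address 198.51.100.7 255.255.255.255
!
! Verification: confirm the database was fetched, that the DNSRC is being
! populated, and that classified connections are being checked
show dynamic-filter updater-client
show dynamic-filter dns-snoop
show dynamic-filter statistics
```

Because the DNSRC is not replicated between HA peers, `show dynamic-filter dns-snoop` on the new active unit will be empty right after a failover until DNS replies are seen again.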
Configuration
In the following sections we show how the Botnet Traffic Filter is configured with CLI and with the Cisco Adaptive
Security Device Manager (ASDM), which is the embedded device manager in Cisco ASA 5500 Series security
appliances.