Cisco Web Security Appliance S170 User Guide
Cisco IronPort AsyncOS 7.7 for Web User Guide

Chapter 21
L4 Traffic Monitor
About L4 Traffic Monitor
The Web Security appliance has an integrated Layer-4 Traffic Monitor that detects rogue traffic across
all network ports and stops malware that attempts to bypass port 80. Additionally, when internal clients are
infected with malware and attempt to phone home across non-standard ports and protocols, the L4
Traffic Monitor prevents the phone-home activity from leaving the corporate network.
Understanding How the L4 Traffic Monitor Works
The L4 Traffic Monitor listens to network traffic that comes in over all ports on the appliance and
matches domain names and IP addresses against entries in its own database tables to determine whether
to allow incoming and outgoing traffic.
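The classification rules in this chapter (whitelist, unlisted, greylist, blacklist) can be modelled as a small lookup routine. The following is an added example written for this page, not Cisco's code: it assumes three sets standing in for the Allow List property, the Additional Suspected Malware Addresses property and the L4 Traffic Monitor Database, plus an assumed map of each IP address to the hostnames associated with it. It also assumes that the Allow List takes precedence and that an IP address listed directly counts the same as a listed hostname; the sample data is constructed.

```python
"""Toy model of how the L4 Traffic Monitor sorts destinations into categories.

Example code written for this guide page, not Cisco's implementation. The table
layout, the precedence of the Allow List and the hostname-to-IP map are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

WHITELIST, UNLISTED, GREYLIST, BLACKLIST = "whitelist", "unlisted", "greylist", "blacklist"


@dataclass
class L4TMTables:
    allow_list: Set[str]            # Allow List property: hostnames or IP addresses
    additional_suspected: Set[str]  # Additional Suspected Malware Addresses property
    malware_db: Set[str]            # L4 Traffic Monitor Database: known malware sites
    # Assumed: IP -> hostnames seen resolving to it. The guide says only that the
    # monitor associates hostnames with IP addresses, not how it learns them.
    ip_to_hosts: Dict[str, Set[str]] = field(default_factory=dict)

    def _is_malware(self, name: str) -> bool:
        return name in self.malware_db or name in self.additional_suspected

    def _is_listed(self, name: str) -> bool:
        return name in self.allow_list or self._is_malware(name)

    def classify(self, ip: str) -> str:
        hosts = self.ip_to_hosts.get(ip, set())
        # Known allowed address: the IP or any hostname is on the Allow List.
        # Assumption: the Allow List wins over the malware lists.
        if ip in self.allow_list or any(h in self.allow_list for h in hosts):
            return WHITELIST
        # Assumption: a directly listed IP counts like a listed hostname.
        malware_names = {n for n in hosts | {ip} if self._is_malware(n)}
        unlisted_hosts = {h for h in hosts if not self._is_listed(h)}
        if malware_names and unlisted_hosts:
            # Ambiguous: one IP serves both an unlisted hostname and a
            # known-malware or admin-suspected hostname.
            return GREYLIST
        if malware_names:
            return BLACKLIST
        return UNLISTED  # not on any list and not in the database

    def log_line(self, ip: str) -> Optional[str]:
        """Unlisted addresses produce no log entry; the others are tagged."""
        category = self.classify(ip)
        if category == UNLISTED:
            return None
        hosts = ",".join(sorted(self.ip_to_hosts.get(ip, set())))
        return f"{category} {ip} {hosts}"


def build_example_tables() -> L4TMTables:
    """Constructed sample data using documentation address ranges."""
    return L4TMTables(
        allow_list={"updates.example.com", "203.0.113.10"},
        additional_suspected={"suspicious.example.net"},
        malware_db={"c2.example.org", "198.51.100.7"},
        ip_to_hosts={
            "203.0.113.10": {"updates.example.com"},                   # whitelist
            "198.51.100.7": {"c2.example.org"},                        # blacklist
            "198.51.100.8": {"c2.example.org", "blog.example.com"},    # greylist
            "198.51.100.9": {"suspicious.example.net", "cdn.example.com"},  # greylist
            "192.0.2.50": {"www.example.com"},                          # unlisted
            "192.0.2.51": set(),                                        # unlisted
        },
    )


if __name__ == "__main__":
    tables = build_example_tables()
    for addr in sorted(tables.ip_to_hosts):
        print(f"{addr:14} -> {tables.classify(addr):9} log={tables.log_line(addr)}")
```

The greylist cases are the ones worth studying: a shared IP that fronts both a harmless hostname and a known-malware hostname is neither cleanly allowed nor cleanly blocked, so it is logged separately rather than silently dropped or silently passed.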
All web destinations fall under one of the following categories:
• Known allowed address. Any IP address or hostname listed in the Allow List property. These
addresses appear in the log files as “whitelist” addresses.
• Unlisted address. Any IP address that is not known to be a malware site nor is a known allowed
address. They are not listed on the Allow List or Additional Suspected Malware Addresses
properties, nor are they listed in the L4 Traffic Monitor Database as a known malware site. These
addresses do not appear in the log files.
• Ambiguous address. These addresses appear in the log files as “greylist” addresses. They include
any of the following addresses:
  – Any IP address that is associated with both an unlisted hostname and a known malware
hostname.
  – Any IP address that is associated with both an unlisted hostname and a hostname from the
Additional Suspected Malware Addresses property.
• Known malware address. These addresses appear in the log files as “blacklist” addresses. They
include any of the following addresses: