Cisco ASA 5525-X Adaptive Security Appliance Data Sheet
White Paper
© 2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Page 3 of 11
Figure 2. Cisco Security Intelligence Operations
Cisco ASA Botnet Traffic Filter Overview
Cisco ASA 5500 Series Adaptive Security Appliances provide reputation-based control for an IP address or domain name, similar to the control that IronPort® SenderBase® provides for email and web servers. This has proved to be very successful in combating rogue email and web servers that typically use dynamic or changing IP addresses.
The Cisco ASA Botnet Traffic Filter is integrated into all Cisco ASA appliances and inspects traffic traversing the appliance to detect rogue traffic in the network. When internal clients are infected with malware and attempt to phone home across the network, the Botnet Traffic Filter alerts the system administrator through the regular logging process so that the administrator can intervene manually. This is an effective way to combat botnets and other malware that share the same phone-home communications pattern.
The Botnet Traffic Filter monitors all ports and performs a real-time lookup in its database of known botnet IP addresses and domain names. Based on this lookup, the Botnet Traffic Filter determines whether a connection attempt is benign and should be allowed, or whether it is a risk and should be tagged for mitigation.[3]
Figure 3 shows how the Botnet Traffic Filter works.
[3] Cisco ASA Software Release 8.2.1 does not support dynamic blocking of this traffic. This will be addressed in a later software release.
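As an added example, not part of this data sheet, the following is a minimal Cisco ASA configuration that turns on the Botnet Traffic Filter as described above: it enables download of the Cisco dynamic database, snoops DNS replies so that domain-name entries in the database can be matched against the addresses clients subsequently connect to, adds local blacklist and whitelist entries, and enables classification on an interface. The interface name `outside`, the DNS server address and the blacklist and whitelist entries are assumptions chosen for illustration. The final `dynamic-filter drop blacklist` command is included because it is how later releases move from log-only classification to dynamic blocking; per footnote 3 it is not available in Release 8.2.1.

```cisco
! Added example configuration (not from the data sheet).
! Interface name, DNS server and list entries are assumptions.
!
! 1. Download the Cisco dynamic database and use it for lookups.
dynamic-filter updater-client enable
dynamic-filter use-database
!
! 2. The updater needs DNS resolution to reach the database server.
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.0.2.53
!
! 3. Snoop DNS replies so that a blacklisted domain name can be tied to
!    the IP address a client later connects to. Without this step only
!    IP address entries in the database can match.
class-map dynamic-filter_snoop_class
 match port udp eq domain
policy-map dynamic-filter_snoop_policy
 class dynamic-filter_snoop_class
  inspect dns preset_dns_map dynamic-filter-snoop
service-policy dynamic-filter_snoop_policy interface outside
!
! 4. Local overrides checked alongside the downloaded database
!    (names and addresses below are constructed for the example).
dynamic-filter blacklist
 name c2.example.net
 address 203.0.113.0 255.255.255.0
dynamic-filter whitelist
 name updates.example.com
!
! 5. Enable classification on the outside interface. On its own this
!    only logs matches; no traffic is blocked.
dynamic-filter enable interface outside
!
! 6. Optional, later releases only (see footnote 3): drop traffic to or
!    from blacklisted addresses instead of only logging it.
dynamic-filter drop blacklist interface outside
!
! Verification commands:
! show dynamic-filter updater-client
! show dynamic-filter statistics
! show dynamic-filter dns-snoop
! show dynamic-filter reports top malware-sites
```

With only `dynamic-filter enable` configured, the appliance reports matches through syslog (the Dynamic Filter message IDs begin with 338) and takes no other action, which is the log-and-intervene behaviour the data sheet describes. Before trusting an absence of alerts, confirm with `show dynamic-filter updater-client` that the database has actually been downloaded, and with `show dynamic-filter dns-snoop` that DNS replies are being seen on the interface where snooping is applied; an empty snoop cache means domain-based entries will never match.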