Cisco ASA 5540 Adaptive Security Appliance Data Sheet
White Paper
© 2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Figure 8. Integration of Botnet Traffic Filter Statistics into the ASDM Dashboard
Mitigation
Mitigation is a critical step in the botnet detection and prevention process and security incident response cycle. The
following steps can be taken to mitigate botnet infections once they have been identified by the Botnet Traffic Filter.
Manual Process
1. The security administrator identifies infected hosts reported on the Botnet Traffic Filter (BTF) dashboard in Cisco ASDM or in syslog messages (see the example in the next step). A manual remediation process can then be started.
2. Block all transient traffic to and from the infected hosts using "shun" or ACLs on the ASA appliance. An administrator can do this through Cisco ASDM[7] or the CLI. Shun is preferred because it is dynamic and non-persistent and blocks existing connections without interfering with the static security policy (ACLs).
Example
The following is a sample syslog message generated by the Botnet Traffic Filter when it detects an infected host
that matches the Botnet Traffic Filter dynamic filtering database:
ASA-4-338002: Dynamic Filter permitted black listed TCP traffic from
inside:10.1.1.45/6798 (209.165.201.1/7890) to outside:209.165.202.129/80
(209.165.202.129/80), destination 209.165.202.129 resolved from dynamic list:
bad.example.com
Here is how the resulting ACL entry would look:
access-list BLOCK_OUT extended deny ip host 10.1.1.45 host 209.165.202.129
access-list BLOCK_OUT extended permit ip any any
access-group BLOCK_OUT out interface outside
The above ACL would block all IP traffic sourced from the infected host 10.1.1.45 when going to the
botnet command and control server at 209.165.202.129. A specific source or destination port can be blocked for
more granular control, as needed.
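The manual process above (read the BTF syslog message, then write a shun or an ACL for the reported host) is easy to script on the syslog collector so that the analyst reviews a prepared command set instead of transcribing addresses by hand. The following is an added example, not Cisco's code or part of the data sheet: it parses the sample 338002 message quoted above (the constructed input reuses the document's addresses), validates that every value that will end up in a configuration line is a literal IPv4 address (a log line is attacker-influenced input and must not be pasted into a CLI unchecked), and emits the shun command plus the BLOCK_OUT ACL from the document. It also goes one step further than the text by offering the per-port variant the paragraph mentions. The field names, the regular expression and the ACL/interface names are this example's own assumptions.

```python
import ipaddress
import re

# Constructed sample: the data sheet's example message, joined onto one line
# as a syslog collector would store it.
SAMPLE_SYSLOG = (
    "ASA-4-338002: Dynamic Filter permitted black listed TCP traffic from "
    "inside:10.1.1.45/6798 (209.165.201.1/7890) to outside:209.165.202.129/80 "
    "(209.165.202.129/80), destination 209.165.202.129 resolved from dynamic list: "
    "bad.example.com"
)

# Assumed field layout, derived only from the sample message above.
BTF_RE = re.compile(
    r"ASA-4-(?P<msg_id>\d+): Dynamic Filter (?P<action>\w+) black listed "
    r"(?P<proto>\w+) traffic from "
    r"(?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"\((?P<src_xlate>[\d.]+)/\d+\) to "
    r"(?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r"\((?P<dst_xlate>[\d.]+)/\d+\), "
    r"destination (?P<resolved_ip>[\d.]+) resolved from dynamic list: "
    r"(?P<domain>\S+)"
)


def parse_btf_message(line):
    """Return the BTF event fields as a dict, or None if the line is not a
    Botnet Traffic Filter message in the expected shape."""
    m = BTF_RE.search(line)
    if not m:
        return None
    event = m.groupdict()
    # Every address that will be written into a command must be a real IPv4
    # literal; refuse the event otherwise rather than emitting a bad line.
    for key in ("src_ip", "dst_ip", "resolved_ip"):
        ipaddress.IPv4Address(event[key])  # raises ValueError on junk
    event["src_port"] = int(event["src_port"])
    event["dst_port"] = int(event["dst_port"])
    return event


def shun_command(event):
    """Preferred mitigation from the document: a dynamic, non-persistent shun
    of the infected inside host that also tears down existing connections."""
    return f"shun {event['src_ip']}"


def acl_lines(event, acl_name="BLOCK_OUT", by_port=False):
    """Static alternative: the BLOCK_OUT ACL shown in the document, applied
    outbound on the interface the message names. With by_port=True only the
    reported protocol/destination port is denied (the finer-grained option
    the text mentions) instead of all IP traffic to the C2 address."""
    src, dst = event["src_ip"], event["resolved_ip"]
    if by_port:
        proto = event["proto"].lower()
        deny = (f"access-list {acl_name} extended deny {proto} "
                f"host {src} host {dst} eq {event['dst_port']}")
    else:
        deny = f"access-list {acl_name} extended deny ip host {src} host {dst}"
    return [
        deny,
        f"access-list {acl_name} extended permit ip any any",
        f"access-group {acl_name} out interface {event['dst_if']}",
    ]


def mitigation_plan(line):
    """Produce the candidate commands for one syslog line, for analyst review."""
    event = parse_btf_message(line)
    if event is None:
        return []
    return [shun_command(event)] + acl_lines(event)


if __name__ == "__main__":
    for cmd in mitigation_plan(SAMPLE_SYSLOG):
        print(cmd)
```

The output is meant to be reviewed, not applied blindly: the shun goes in first because it stops current connections immediately, and the ACL is kept as the persistent policy change the document describes.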
[7] A reverse ACL can be created using the Cisco ASDM real-time log by right-clicking on the syslog messages generated by the
Botnet Traffic Filter.