Cisco Web Security Appliance S690 User Guide

Chapter 21: L4 Traffic Monitor
Cisco IronPort AsyncOS 7.7 for Web User Guide, page 21-1
About L4 Traffic Monitor
The Web Security appliance has an integrated Layer-4 Traffic Monitor that detects rogue traffic across all network ports and stops attempts by malware to bypass port 80. Additionally, when internal clients are infected with malware and attempt to phone home across non-standard ports and protocols, the L4 Traffic Monitor prevents that phone-home activity from leaving the corporate network.
Understanding How the L4 Traffic Monitor Works
The L4 Traffic Monitor listens to network traffic that comes in over all ports on the appliance and matches domain names and IP addresses against entries in its own database tables to determine whether to allow incoming and outgoing traffic.
All web destinations fall under one of the following categories:
• Known allowed address. Any IP address or hostname listed in the Allow List property. These addresses appear in the log files as “whitelist” addresses.
• Unlisted address. Any IP address that is not known to be a malware site and is not a known allowed address. It is not listed on the Allow List or Additional Suspected Malware Addresses properties, nor is it listed in the L4 Traffic Monitor Database as a known malware site. These addresses do not appear in the log files.
• Ambiguous address. These addresses appear in the log files as “greylist” addresses. They include any of the following addresses:
  – Any IP address that is associated with both an unlisted hostname and a known malware hostname.
  – Any IP address that is associated with both an unlisted hostname and a hostname from the Additional Suspected Malware Addresses property.
• Known malware address. These addresses appear in the log files as “blacklist” addresses. They include any of the following addresses: