Lori Hyde discusses the new Botnet Traffic Filter feature in the latest version of the Cisco ASA firewall. She explains how it's supposed to work but wonders how it will fare in the real world.
Cisco has released a new software version, 8.2, for the ASA that includes many new features, one of which is a Botnet Traffic Filter (license required). Botnets can be quite troublesome to corporations as the infected hosts are often difficult to identify. With this new traffic filter feature, this identification may be easier, but the skeptic in me wonders if this is too good to be true.
As always, Cisco recommends a defense-in-depth model with this new feature being but one of your many security detection and mitigation tools. That being said, let's look a bit deeper into how this Botnet Traffic Filter works.
The Cisco ASA Botnet Traffic Filter looks for command and control traffic being sent from an infected host to a remote server. For each connection transiting the firewall it checks the source and destination IP addresses (and ports) against an internal database of known malicious IP addresses and domain names that the ASA keeps updated. Once the hosts sending data to a command and control server have been identified, you can mitigate the traffic via normal mechanisms, such as ACLs or the "shun" command, and then clean the infected host.
There are three main components of the ASA Botnet Traffic Filter:
- Blacklist data
- Traffic classification and reporting
- DNS snooping
The Botnet Traffic Filter relies heavily on the work done by the Cisco Security Intelligence Operations Center (CSIOC). This center is purported to have the largest footprint of security devices in the world, the largest and most dynamic collection of intelligence data from both Cisco and third-party reporting, as well as the largest investment of resources dedicated to dynamic threats. The CSIOC produces a database of "known malicious" domain names and IP addresses. This database is periodically updated and dynamically downloaded to the ASA. Additionally, you can configure your own blacklist and whitelist (known good) as needed for your specific environment.
Traffic classification and reporting
Traffic transiting the ASA is compared against these lists by source and destination IP address and port. A blacklist match generates a syslog message, which you can view in ASDM or forward to your syslog server. ASDM can then report statistically on the malicious sites being contacted as well as on the infected hosts.
DNS snooping
DNS snooping is used to map IP addresses to the domain names contained in the dynamic database or in your local lists. DNS snooping inspects UDP (not TCP) DNS replies and builds a DNSRC (DNS Reverse Cache) that maps the resolved IP addresses back to the domain names, so that a later connection to one of those addresses can be matched even though the blacklist entry is a name rather than an address. Note: This should be enabled only on Internet-facing interfaces, as the blacklist database contains only Internet-routable IP addresses (not internal ones).
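To make the three components concrete, here is an example ASA 8.2 configuration that ties them together: the dynamic database download, a local blacklist and whitelist, DNS snooping on the outside interface only, and the filter itself. This is an added example, not configuration from the article; the domain names and addresses are placeholders (RFC 5737 / example.com), and the command syntax is from my recollection of the 8.2 command reference, so check it against the release notes for your version. The "drop" command in particular is an assumption about a later 8.2 maintenance release; the initial 8.2 code only classifies and logs.

```cisco
! --- Blacklist data: pull the Cisco dynamic database and use it ---
dynamic-filter updater-client enable
dynamic-filter use-database
!
! --- Local lists for this environment (placeholder names/addresses) ---
dynamic-filter blacklist
 name c2.example.net
 address 203.0.113.0 255.255.255.0
dynamic-filter whitelist
 name updates.example.com
!
! --- DNS snooping: only on the Internet-facing interface, UDP DNS only ---
! A dedicated class/policy so the default global inspect dns is untouched.
class-map dynamic-filter_snoop_class
 match port udp eq domain
policy-map dynamic-filter_snoop_policy
 class dynamic-filter_snoop_class
  inspect dns preset_dns_map dynamic-filter-snoop
service-policy dynamic-filter_snoop_policy interface outside
!
! --- Traffic classification: enable the filter on the outside interface ---
dynamic-filter enable interface outside
!
! Optional (assumed to require a later 8.2 maintenance release): drop
! blacklisted traffic instead of only logging it. Leave this off until the
! false-positive rate in your own logs is understood.
! dynamic-filter drop blacklist interface outside
!
! --- Verification commands for the questions raised below ---
! show dynamic-filter updater-client   (database size, last update time)
! show dynamic-filter dns-snoop        (contents of the DNSRC)
! show dynamic-filter statistics       (matched/whitelisted/greylisted counts)
! show dynamic-filter reports top infected-hosts
```

Two points worth noting: the snooping policy is applied to the outside interface rather than to the global policy, which is the simplest way to honour the "Internet-facing only" guidance; and enabling the filter without the drop action gives you a monitoring period in which the syslog messages can be validated against the hosts' own behaviour before any traffic is blocked.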
Some questions remain
This new software is available for all ASA models, but be sure to read the release notes as there are memory recommendations for the 5505 and 5510 models.
Now, the truth is that I have not implemented this feature as yet, but a few questions come quickly to mind. Reflecting on my own previous Botnet Traffic work, I wonder...
- How big is the blacklist database?
- How often is it updated?
- What impact will this filter have on my system performance and throughput?
- What will the false positive rate be?
- How can I verify (validate) alerts?
Guess I'll have to fire up my lab equipment and update you with my findings. In the meantime, check out the other new features of the Cisco ASA 8.2 software release. And if you've already tried this feature, let us know what you've found. Happy Hunting!