
ASA 8.2 Dynamic Botnet Filtering

09/25/09

Posted 09:54:40 am by Zach Brewer, 706 words
Categories: General Security


ASA 8.2 includes several new features including Dynamic Filtering. Dynamic Filtering detects outbound traffic from the internal network to known malicious destinations. The feature uses the Cisco SIO (Security Intelligence Operations) threat data also utilized by IronPort to match traffic to malicious destinations. For more information on the Cisco SIO and the collection/classification process, please see here.

How it works:

  • A database of blacklisted destinations is downloaded from the Cisco SIO and a local database is created (whitelist, greylist and unknown traffic can be administratively defined)
  • The traffic to watch is defined (specific networks, interfaces, or traffic matched by an ACL)
  • DNS snooping is used to match lookups to connection requests (consult the Cisco documentation for the maximum number of DNS reverse-cache entries supported by a specific ASA model)
  • Blacklisted outbound traffic to known malware sites generates a syslog event (the traffic can then be denied manually using an ACL or the shun command)

Dynamic filter traffic information is contained in two encrypted files on the ASA. disk0:/internal_df_data contains the update database and database server information, and disk0:/internal_df_file contains the dynamic blacklist. These files *should not* be deleted from disk; instead, the database should be removed using

dynamic-filter database purge

Once the initial database has been downloaded to internal_df_file, updates are downloaded at 60-minute intervals (the default).

Enabling Dynamic Botnet Filtering

Common commands used to enable and manage Dynamic Botnet Filtering include:

  • [no] dynamic-filter updater-client enable: Enable the updater client
  • [no] dynamic-filter use-database: Allow the context to use the downloaded database
  • [no] dynamic-filter blacklist: Enter the sub-mode used to configure domain names and IP addresses for a local blacklist
  • [no] dynamic-filter whitelist: Enter the sub-mode used to configure domain names and IP addresses for a local whitelist
  • [no] name name | address ip-address mask: Add entries to the local blacklist or whitelist (from within the sub-mode)
  • [no] dynamic-filter enable [interface nameif] [classify-list access-list]: Enable dynamic-filter classification globally or on an interface
  • [no] inspect dns [dns-map] [dynamic-filter-snoop]: Extension to the existing DNS inspection configuration that provides DNS snooping
  • clear configure dynamic-filter: Remove all dynamic-filter configuration

You can test the ability to connect and download the database with the following command:

dynamic-filter database fetch

Note that the dynamic-filter database fetch command does not save the database! It is used to verify connectivity and for testing. It is also useful if you wish to query a local (temporary) copy of the database for specific entries (use the dynamic-filter database find command to look up an IP address or DNS name).

To enable dynamic filtering, the first step is to enable the feature itself (this must be done before any other dynamic-filter configuration!).

dynamic-filter updater-client enable
dynamic-filter use-database

Once the feature has been enabled, the next step is to add static (administratively defined) filters to the database:

hostname(config)# dynamic-filter blacklist
hostname(config-llist)# name bad1.example.com
hostname(config-llist)# name bad2.example.com
hostname(config-llist)# address 10.1.1.1 255.255.255.0
hostname(config-llist)# dynamic-filter whitelist
hostname(config-llist)# name good.example.com
hostname(config-llist)# name great.example.com
hostname(config-llist)# name awesome.example.com
hostname(config-llist)# address 10.1.1.2 255.255.255.255

The next step is to enable DNS Snooping using a class-map and policy-map statement.

hostname(config)# class-map dynamic-filter_snoop_class
hostname(config-cmap)# match port udp eq domain
hostname(config-cmap)# policy-map dynamic-filter_snoop_policy
hostname(config-pmap)# class dynamic-filter_snoop_class
hostname(config-pmap-c)# inspect dns preset_dns_map dynamic-filter-snoop
hostname(config-pmap-c)# service-policy dynamic-filter_snoop_policy interface outside

Finally, we need to identify the traffic that we want to monitor with Dynamic (and Static) Filtering.

To monitor all traffic on a given interface:

hostname(config)# dynamic-filter enable interface outside

To monitor specific traffic with an ACL:

hostname(config)# access-list dynamic-filter_acl extended permit tcp any any eq 80
hostname(config)# dynamic-filter enable interface outside classify-list dynamic-filter_acl
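The steps above have a fixed order (updater client and database first, then local lists, DNS snooping, and finally the monitored traffic). As an added example that is not part of the original post or of Cisco's tooling, this Python helper assembles the same command sequence from a list of local entries while validating hostnames and normalizing IP entries to the address/mask form the local-list sub-mode expects; the function and parameter names are assumptions of this example.

```python
import ipaddress
import re

# A DNS label: letters, digits and hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def _is_hostname(name):
    labels = name.rstrip(".").split(".")
    return len(name) <= 253 and all(_LABEL.match(label) for label in labels)


def local_list_commands(kind, entries):
    """Return a 'dynamic-filter blacklist|whitelist' sub-mode block.

    Entries are hostnames (emitted as 'name ...') or IPv4 hosts/networks
    such as '10.1.1.2' or '10.1.1.0/24' (emitted as 'address ip mask')."""
    if kind not in ("blacklist", "whitelist"):
        raise ValueError("kind must be blacklist or whitelist")
    lines = ["dynamic-filter %s" % kind]
    for entry in entries:
        if "/" in entry or entry.replace(".", "").isdigit():
            # strict=False lets a host address with a prefix through; the
            # network address and dotted mask are what the ASA CLI takes.
            net = ipaddress.ip_network(entry, strict=False)
            lines.append(" address %s %s" % (net.network_address, net.netmask))
        elif _is_hostname(entry):
            lines.append(" name %s" % entry)
        else:
            raise ValueError("invalid local-list entry: %r" % entry)
    return lines


def build_config(blacklist, whitelist, interface, classify_acl=None, acl_rules=()):
    """Emit the full enable sequence in the order the feature requires."""
    cfg = ["dynamic-filter updater-client enable", "dynamic-filter use-database"]
    cfg += local_list_commands("blacklist", blacklist)
    cfg += local_list_commands("whitelist", whitelist)
    cfg += ["class-map dynamic-filter_snoop_class",
            " match port udp eq domain",
            "policy-map dynamic-filter_snoop_policy",
            " class dynamic-filter_snoop_class",
            "  inspect dns preset_dns_map dynamic-filter-snoop",
            "service-policy dynamic-filter_snoop_policy interface %s" % interface]
    if classify_acl:
        # Scope monitoring to an ACL; the ACL entries must exist before use.
        for rule in acl_rules:
            cfg.append("access-list %s extended %s" % (classify_acl, rule))
        cfg.append("dynamic-filter enable interface %s classify-list %s" % (interface, classify_acl))
    else:
        cfg.append("dynamic-filter enable interface %s" % interface)
    return cfg
```

Paste the returned lines into configuration mode in order; an invalid hostname or address raises before anything is emitted.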

Licensing Requirements

Please note that an annual license is required to enable the Dynamic Filter ASA 8.2 feature. A trial license can be obtained from your channel partner or Cisco Account Manager through December 31st, 2009. For details on the Dynamic Filter trial license, see http://www.cisco.com/en/US/prod/vpndevc/ps6032/ps6094/ps6120/botnet_index.html

Additional command examples and configs for the Dynamic Botnet Filter ASA feature can be found here.


©2010 by Priveon, Inc.