Information
Filters Botnet traffic on the untrusted interface
Rationale:
In a Botnet condition, many computers in the Enterprise network, after being infected with malware (mostly trojans), collect data without the knowledge of the users who own them and send it to the attacker's network. In other cases, the infected computers are remotely controlled to forward the same malware that infected them to many other computers on the Internet. Botnet protection enables the security appliance to filter and drop the Botnet traffic.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
Step 1: Run the following command to ensure that a DNS server is available.
hostname#sh run | i name-server
If there is no DNS server, configure the DNS server according to the related recommendation.
Step 2: Run the following commands to enable the security appliance to download the lists of known malware websites and use them for inspection.
hostname(config)#dynamic-filter updater-client enable
hostname(config)#dynamic-filter use-database
Step 3: Run the following commands to create a class map so the security appliance can match the DNS traffic.
hostname(config)#class-map <dns_class_map_name>
hostname(config-cmap)#match port udp eq domain
Step 4: Run the following commands to create the policy map that makes the appliance inspect the matched DNS traffic and compare the domain names in it with the list of known malware-related domain names.
hostname(config)#policy-map <dns_policy_map_name>
hostname(config-pmap)# class <dns_class_map_name>
hostname(config-pmap-c)# inspect dns preset_dns_map dynamic-filter-snoop
Step 5: Run the following command to apply the inspection to the untrusted interface.
hostname(config)# service-policy <dns_policy_map_name> interface <untrusted_interface_name>
Step 6: Run the following command to monitor the Botnet traffic crossing the untrusted interface.
hostname(config)# dynamic-filter enable interface <untrusted_interface_name>
Step 7: Run the following command to drop any identified Botnet traffic on the untrusted interface.
hostname(config)# dynamic-filter drop blacklist interface <untrusted_interface_name>
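Because the audit tool does not perform this check itself, the following is an added example (not part of the benchmark or of Nessus) of a Python script that parses a saved running-config and reports, per step above, whether the recommendation is in place. The sample configuration, the class-map name botnet-dns, the policy-map name botnet-policy and the interface name outside are constructed assumptions standing in for the placeholders.

```python
# Constructed sample running-config; botnet-dns / botnet-policy / outside fill the placeholders.
SAMPLE_CONFIG = """\
dns server-group DefaultDNS
 name-server 192.0.2.53
dynamic-filter updater-client enable
dynamic-filter use-database
class-map botnet-dns
 match port udp eq domain
policy-map botnet-policy
 class botnet-dns
  inspect dns preset_dns_map dynamic-filter-snoop
service-policy botnet-policy interface outside
dynamic-filter enable interface outside
dynamic-filter drop blacklist interface outside
"""

def _stanzas(config):
    """Map each 'class-map X' / 'policy-map X' header to its indented body lines."""
    stanzas, cur = {}, None
    for raw in config.splitlines():
        if raw[:1] != " ":  # an unindented line ends the current stanza
            cur = stanzas.setdefault(raw.strip(), []) if raw.startswith(("class-map ", "policy-map ")) else None
        elif cur is not None:
            cur.append(raw.strip())
    return stanzas

def audit_botnet_filter(config, interface):
    """Return one pass/fail flag per step of the recommendation for `interface`."""
    lines = {l.strip() for l in config.splitlines()}
    stanzas = _stanzas(config)
    dns_classes = {h.split()[1] for h, body in stanzas.items()
                   if h.startswith("class-map ") and "match port udp eq domain" in body}
    dns_policies = set()  # policy-maps that snoop DNS replies of a matching class-map
    for header, body in stanzas.items():
        in_dns_class = False  # True while inside a 'class <dns_class_map>' sub-block
        for line in body:
            if line.startswith("class "):
                in_dns_class = line.split()[1] in dns_classes
            elif in_dns_class and line.startswith("inspect dns ") and line.endswith(" dynamic-filter-snoop"):
                dns_policies.add(header.split()[1])
    return {
        "step1_dns_server": any("name-server" in l for l in lines),  # mirrors: sh run | i name-server
        "step2_updater_client": "dynamic-filter updater-client enable" in lines,
        "step2_use_database": "dynamic-filter use-database" in lines,
        "step3_dns_class_map": bool(dns_classes),
        "step4_dns_policy_map": bool(dns_policies),
        "step5_service_policy": any(f"service-policy {p} interface {interface}" in lines for p in dns_policies),
        "step6_monitor": f"dynamic-filter enable interface {interface}" in lines,
        "step7_drop_blacklist": f"dynamic-filter drop blacklist interface {interface}" in lines,
    }
```

Feed it the output of `show running-config` and the name of the untrusted interface; any False flag points at the step that still needs to be applied.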
Default Value:
Disabled by default