3.9 Ensure Botnet protection is enabled for untrusted interfaces

Information

Filters Botnet traffic on the untrusted interface

Rationale:

In a Botnet condition, many computers in the Enterprise network after being infected with malware and mostly trojans will collect data without the knowledge of the users owning them and send it to the attacker network. In other cases, the infected computers are remotely controlled to forward the same viruses that infected them to many other computers on the Internet. The Botnet protection enables the security appliance to filter and drop the botnet traffic

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Step 1: Run the following command to ensure that the DNS server is available.

hostname#sh run | i name-server

If there is no DNS server, configure the DNS server according to the related recommendation.

Step 2: Run the following commands to enable the security appliance to download and use for inspection the lists of known malware websites

hostname(config)#dynamic-filter updater-client enable
hostname(config)#dynamic-filter use-database

Step 3: Run the following command to create a class map for the security appliance to match the DNS traffic

hostname(config)#class-map <dns_class_map_name>
hostname(config-cmap)#match port udp eq domain

Step 4: Run the following to create the policy-map in order to ask the appliance to inspect the matched DNS traffic and to compare the domain name in the DNS traffic with the list of known malware related domain names.

hostname(config)#policy-map <dns_policy_map_name>
hostname(config-pmap)# class <dns_class_map_name>
hostname(config-pmap-c)# inspect dns preset_dns_map dynamic-filter-snoop

Step 5: Run the following for the inspection to be applied on the untrusted interface

hostname(config)# service-policy <dns_policy_map_name> interface <untrusted_interface_name>

Step 6: Run the following to monitor the Botnet traffic crossing the untrusted interface

hostname(config)# dynamic-filter enable interface <untrusted_interface_name>

Step 7: Run the following to drop any identified Botnet traffic on the untrusted interface

hostname(config)# dynamic-filter drop blacklist interface <untrusted_interface_name>

Default Value:

Disabled by default

See Also

https://workbench.cisecurity.org/benchmarks/7194

Item Details

Category: CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CM-6, 800-53|CM-7, 800-53|CP-6, 800-53|CP-7, 800-53|PL-8, 800-53|PM-7, 800-53|SA-8, 800-53|SC-7, 800-53|SC-23, CSCv7|11.1

Plugin: Cisco

Control ID: 5894fe30f9752bfc9d678f632f86b71492e0095b9c79d8ddc7ef0d1486f2051e