3.9 Ensure Botnet protection is enabled for untrusted interfaces

Information

Filters Botnet traffic on the untrusted interface

Rationale:

In a Botnet condition, many computers in the Enterprise network, after being infected with malware (mostly trojans), collect data without the knowledge of the users who own them and send it to the attacker's network. In other cases, the infected computers are remotely controlled to forward the same viruses that infected them to many other computers on the Internet. Botnet protection enables the security appliance to filter and drop the botnet traffic.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Step 1: Run the following command to ensure that the DNS server is available.

hostname#sh run | i name-server

If there is no DNS server, configure the DNS server according to the related recommendation.

Step 2: Run the following commands to enable the security appliance to download the lists of known malware websites and use them for inspection.

hostname(config)#dynamic-filter updater-client enable
hostname(config)#dynamic-filter use-database

Step 3: Run the following commands to create a class map that matches DNS traffic on the security appliance.

hostname(config)#class-map <dns_class_map_name>
hostname(config-cmap)#match port udp eq domain

Step 4: Run the following commands to create the policy map that tells the appliance to inspect the matched DNS traffic and compare the domain names in it with the list of known malware-related domain names.

hostname(config)#policy-map <dns_policy_map_name>
hostname(config-pmap)#class <dns_class_map_name>
hostname(config-pmap-c)#inspect dns preset_dns_map dynamic-filter-snoop

Step 5: Run the following command to apply the inspection on the untrusted interface.

hostname(config)# service-policy <dns_policy_map_name> interface <untrusted_interface_name>

Step 6: Run the following command to monitor the Botnet traffic crossing the untrusted interface.

hostname(config)# dynamic-filter enable interface <untrusted_interface_name>

Step 7: Run the following command to drop any identified Botnet traffic on the untrusted interface.

hostname(config)# dynamic-filter drop blacklist interface <untrusted_interface_name>
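Since Nessus does not perform this check, the following added example (not part of the benchmark) audits the text of "show running-config" for Steps 1 through 7 and lists which settings are missing. The sample configuration, the interface name "outside" and the class/policy map names are constructed assumptions.

```python
import re

# Added example (not from the CIS benchmark): audit 'show running-config' text
# for the Botnet Traffic Filter settings of Steps 1-7. Names are constructed.
SAMPLE_CONFIG = """\
dns server-group DefaultDNS
 name-server 192.0.2.53
dynamic-filter updater-client enable
dynamic-filter use-database
class-map dns_class
 match port udp eq domain
policy-map dns_policy
 class dns_class
  inspect dns preset_dns_map dynamic-filter-snoop
service-policy dns_policy interface outside
dynamic-filter enable interface outside
"""  # Step 7 (drop blacklist) is deliberately left out of the sample

# class-map stanzas whose body matches UDP/53 (Step 3)
CLASS_RE = re.compile(r"^class-map (\S+)\n(?: .*\n)*? match port udp eq domain$", re.M)
# policy-map stanzas with DNS snooping inspection under some class (Step 4)
POLICY_RE = re.compile(r"^policy-map (\S+)\n(?: .*\n)*? class (\S+)\n(?:  .*\n)*?"
                       r"  inspect dns (?:\S+ )?dynamic-filter-snoop$", re.M)

def audit_botnet_filter(config, interface):
    """Return a list of findings; an empty list means all seven steps are present."""
    if not config.endswith("\n"):
        config += "\n"
    lines = {line.strip() for line in config.splitlines()}
    findings = []
    if not any(line.startswith("name-server ") for line in lines):    # Step 1
        findings.append("no DNS name-server configured")
    for cmd in ("dynamic-filter updater-client enable",               # Step 2
                "dynamic-filter use-database",
                f"dynamic-filter enable interface {interface}",       # Step 6
                f"dynamic-filter drop blacklist interface {interface}"):  # Step 7
        if cmd not in lines:
            findings.append(f"missing: {cmd}")
    dns_classes = set(CLASS_RE.findall(config))
    dns_policies = {pmap for pmap, cls in POLICY_RE.findall(config) if cls in dns_classes}
    if not dns_policies:
        findings.append("no policy-map inspects DNS traffic with dynamic-filter-snoop")
    if not any(f"service-policy {p} interface {interface}" in lines for p in dns_policies):
        findings.append(f"no DNS snooping policy applied to interface {interface}")  # Step 5
    return findings
```

Running audit_botnet_filter(SAMPLE_CONFIG, "outside") reports only the missing Step 7 command; feed it the output of "show running-config" from a real appliance to audit it.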

Default Value:

Disabled by default

See Also

https://workbench.cisecurity.org/files/3294

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-2, CSCv7|11.1

Plugin: Cisco

Control ID: 9c59e4f4d1445f081b4625514c73596b10c0945ea929efce58b9ffddf04b1e82