May 22nd, 2009

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to learn how to defend networks against Botnet attacks with Cisco ASA Botnet Traffic Filter with expert Tom Hunter. Tom is a technical marketing engineer for the Cisco Security Technology Group. In his 15-year career at Cisco, Hunter has provided technical marketing support for the Cisco PIX and ASA family of products, starting with release 1.7. From hands-on network operations to supporting deployment of multisite topologies, Hunter brings a wealth of experience to his role. He has been a network security specialist for his entire professional career, beginning with cryptographic communications in the military. Before coming to Cisco, Hunter worked in the security industry for several defense-related corporations. You will find him regularly contributing to the Security VT program as well as presenting the latest Cisco security product solutions in the Executive Briefing Center and at Networkers symposiums. Hunter holds a master of science degree in computer science.

Remember to use the rating system to let Tom know if you have received an adequate response.

Tom might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through June 5, 2009. Visit this forum often to view responses to your questions and the questions of other community members.

Hunter Tue, 05/26/2009 - 13:21

The Botnet Traffic Filter license is a time-based license. A 30-day trial is available through your Cisco product contact. The license will start automatically when you configure it. The ASA will ask for an update ... which when first activated will do a download of the current database. For the evaluation period, update checks will occur regularly (hourly), and if an updated database is available it will be downloaded. The expiration of the time-based license will shut down the update process by changing the Botnet Traffic Filter feature in the license key to disabled.

The "paid for license" is 52 weeks long and activates as soon as installed and configured. If you have a 12 month license in place for 6 months (6 months time left) and you install a new 12 month license ... you have ONLY 12 months before the feature turns off. Licenses do not stack.

leon.mflai Sun, 05/24/2009 - 07:33

Can you briefly introduce the use of botnet filter and its benefit?

Can you also share some configuration guidelines of Botnet filter on ASA8.2?

Hunter Tue, 05/26/2009 - 14:05

"Can you briefly introduce the use of botnet filter and its benefit?"

The Botnet Traffic Filter is the first firewall tool that is specifically designed to look at _outbound_ traffic. It does this by checking the destination address of each packet exiting the firewall. It checks this address against a list of known malware sites (all ports, all protocols) and logs them immediately for further analysis. The benefit primarily comes from the reporting; you learn two things: what destination is attempting host control at your site, and which of your hosts are infected.

When you configure interfaces, select Global; a "bot" will look for any exit to the Internet, even one through a partner site that may be connected via intranets.

"Can you also share some configuration guidelines of Botnet filter on ASA8.2?"

Botnet Traffic Filter is extremely easy to configure. Install the license key, and mark three checkboxes. You can go to the dashboard on the ASDM homepage and locate the box that reports Botnet activity. If you haven't configured it yet, there is a link there that goes to the Configuration > Firewall > Botnet section. Check the checkboxes, apply, and you're started. The CLI commands have additional show capability for additional detailed information.

Erik Ingeberg Mon, 05/25/2009 - 11:44

I have a hard time understanding the purpose of the Cisco ASA 5500 Botnet Traffic Filter. I understand that it is a tool that can show you statistics of suspicious traffic going through the ASA.

However, the ASA cannot do anything to block this traffic automatically. This has to be done using shun or ACLs. This tells me that the Botnet Traffic Filter is marketed towards larger customers who employ their own ASA administrator.

The problem I see is that a company who can afford a full time ASA administrator probably can afford to purchase an IPS blade or an Ironport S series to actually block the malicious traffic. Smaller companies who rely on external consultants to configure their ASA would not benefit from this feature, due to the cost of hiring a consultant each time the Botnet Traffic Filter results need to be enforced.

One scenario I'm considering is offering customers a 30 day Botnet Traffic Filter trial on their ASA, and then using the results after 30 days to show them the benefits of purchasing an IPS or Ironport S series.

Am I missing something? Is there any other good reason to sell this feature license?

Hunter Tue, 05/26/2009 - 14:54

"Am I missing something? Is there any other good reason to sell this feature license?"

The additional piece of information needed to clarify this is ... the code available today is just the first phase. It is recognized that blocking is a necessary feature. There are more features planned around Botnet Traffic Filtering. Considering that the syslog from ASA contains all the information to do a block, it's fairly clear an automatic blocking function can be enabled. There are strategic features planned for follow-on ASA releases.

Hunter Tue, 05/26/2009 - 13:10

Thanks for the introduction. Looking forward to providing information on the newest feature in the ASA arsenal.

... TomH

b.hsu Thu, 05/28/2009 - 08:45

Does Botnet Traffic Filter stop only Botnets, or can it be used for worms, viruses, Trojans and other malware in the network?

Erik Ingeberg Mon, 06/01/2009 - 08:18

I'm running the Botnet Traffic Filter in a test environment before I start selling the license to customers. The Botnet Traffic Filter is triggering on some very popular sites, like and Akamai sites (Akamai is used by Google, Microsoft, many antivirus vendors, etc...).

Blocking the Akamai IPs caused Hotmail / Live to be blocked for certain hosts. Many ASA customers allow access to sites like Hotmail or MySpace during work hours.

My current issue with the BTF is that there is no "rating" on the sites being reported by the filter. I understand the possibility of white-listing sites, but how can I know which sites are safe to whitelist?

I need something to tell me why sites are listed as "Botnet Sites". As it stands today there is too much administrative overhead involved with manually blocking IPs with ACLs or shun, then waiting for end users to complain...

Hunter Mon, 06/01/2009 - 09:13

BTF will provide information to block any site that has been identified as a source of Botnet traffic. Currently the end user can apply ACLs or SHUN to accomplish this. The goal is to block outbound from a subnet address space (blocks all infected hosts in that subnet from communicating with the Botnet command and control) and to block inbound connections from the Botnet command and control to the secure network (blocks all inbound Botnet command and control to all your internal networks). Whatever traffic could be sourced from that command and control site will be blocked; that could include more than just botnet traffic. It could include other forms of malware. At this time significant additional features are being planned for this feature.

Hunter Mon, 06/01/2009 - 12:36

Actually it identifies the site. What is blocked depends on how the site-blocking ACL is created.
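An added example, not part of the thread and not Cisco code: a sketch of the triage discussed above, which reads Botnet Traffic Filter syslog lines, sets aside destinations on a local whitelist, and lists which internal hosts contacted which flagged destinations so the result can be reviewed before any ACL or shun is applied. The sample log lines are constructed, their field layout is an assumption modelled on the ASA dynamic-filter syslog messages, and the whitelist entry is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines (documentation addresses). The field layout is an
# assumption modelled on ASA dynamic-filter syslog, not a capture from a device.
SAMPLE_LOG = """\
May 26 2009 14:01:10 asa1 : %ASA-4-338002: Dynamic filter monitored blacklisted TCP traffic from inside:10.1.1.45/6798 (203.0.113.1/7890) to outside:192.0.2.50/80 (192.0.2.50/80), destination 192.0.2.50 resolved from dynamic list: bad.example.com
May 26 2009 14:01:42 asa1 : %ASA-4-338002: Dynamic filter monitored blacklisted TCP traffic from inside:10.1.1.45/6801 (203.0.113.1/7893) to outside:192.0.2.50/80 (192.0.2.50/80), destination 192.0.2.50 resolved from dynamic list: bad.example.com
May 26 2009 14:02:03 asa1 : %ASA-4-338002: Dynamic filter monitored blacklisted TCP traffic from inside:10.1.1.77/5121 (203.0.113.1/8001) to outside:198.51.100.9/443 (198.51.100.9/443), destination 198.51.100.9 resolved from dynamic list: edge7.cdn.example.net
May 26 2009 14:02:30 asa1 : %ASA-4-338002: Dynamic filter monitored blacklisted TCP traffic from inside:10.1.2.12/4410 (203.0.113.1/8040) to outside:203.0.113.8/6667 (203.0.113.8/6667), destination 203.0.113.8 resolved from dynamic list: irc.bad.example.org
May 26 2009 14:02:31 asa1 : %ASA-6-302013: Built outbound TCP connection 101 for outside:198.51.100.20/80 to inside:10.1.1.45/6810
"""

LINE_RE = re.compile(
    r"%ASA-\d-338002: Dynamic filter \w+ blacklisted (?P<proto>\S+) traffic "
    r"from (?P<src_if>[^:\s]+):(?P<src>[\d.]+)/\d+ .*? "
    r"to (?P<dst_if>[^:\s]+):(?P<dst>[\d.]+)/(?P<dport>\d+) .*"
    r"list: (?P<domain>[^\s,]+)"
)

def triage(log_text, whitelist):
    """Group flagged outbound hits by internal host.

    Returns (hits, skipped): hits maps internal host -> {(dst_ip, dst_port,
    domain): count}; skipped maps whitelisted domain -> count, kept so the
    whitelist itself stays auditable.
    """
    hits = defaultdict(lambda: defaultdict(int))
    skipped = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a Botnet Traffic Filter event
        domain = m["domain"].lower()
        # Match the whitelisted name itself or any subdomain of it.
        if any(domain == w or domain.endswith("." + w) for w in whitelist):
            skipped[domain] += 1
            continue
        hits[m["src"]][(m["dst"], int(m["dport"]), domain)] += 1
    return {h: dict(d) for h, d in hits.items()}, dict(skipped)

if __name__ == "__main__":
    hits, skipped = triage(SAMPLE_LOG, whitelist={"cdn.example.net"})
    for host, dests in sorted(hits.items()):
        for (ip, port, domain), n in sorted(dests.items()):
            print(f"{host} -> {ip}:{port} ({domain}) x{n}")
    print("whitelisted, not reported:", skipped)
```
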

mshamkumar Mon, 06/01/2009 - 23:58

Hi experts... I need a solution...

We have web servers and we host the sites for a few clients as well as use them for our own sites... but these servers are managed by some other service providers... we are planning to have our own servers in our what I need is how can I manage this traffic and load balance no. of hits... what I need is to manage this traffic with security... I need a router or firewall, and what is the best product to go with... thanks in advance...

Hunter Fri, 06/05/2009 - 09:37

Actually I think you need a load balancer and a firewall ... I can't provide recommendations for the balancer. I like the feature set of the ASA (a little biased here).

