Outbound Traffic Monitoring

Unanswered Question
Jan 10th, 2010

Hello,

We have an ASA5520 which connects our offices to a larger corporate WAN which we deem as hostile. We've always allowed traffic to flow off our network and onto the corporate network without any controls; however, following a recent virus outbreak (which flooded the corporate network with ICMP!) we've been told by our corporate IT team that we must now restrict outbound traffic.

This is fair enough and, to be honest, it's something we should have done a long time ago. Because we control inbound traffic via ACLs we know what traffic is allowed in; however, as we've never controlled outbound traffic before, I'd like to get an idea of what traffic is heading onto the corporate WAN before I remove the outbound "permit any any" and replace it with more specific ACLs.

My initial plan was to place a probe on the outside of the firewall for around a month to monitor outbound traffic so we can use this info to come up with an appropriate set of rules. I guess this will also highlight any illegitimate traffic which we can block.

I then wondered if the ASA has any ASDM tools or CLI options that could help with this?

I'd be interested to hear from anyone who's done something similar or knows of any tools (particularly free/shareware) that could help.

Any help gratefully received.

Dileep Sivadas ... Sun, 01/10/2010 - 20:32

Hi,

There are two features you can use on ASA 8.2.X code:

1. Threat detection

2. NetFlow

Also, by enabling access-list logging you will get some idea about traffic flow. In my opinion you can create deny rules on top of the access-list permit any any rule. Start with blocking ports like UDP 137, 138, 139 and TCP 445, 139 etc., which will definitely help to reduce the worms spreading, and also restrict ICMP message types.

Starting with 8.X code, threat detection is a good feature to analyse network traffic.

The NetFlow feature is available with 8.2.1 code; you can use a free NetFlow analyser from SolarWinds or Cisco (evaluation versions) to analyse traffic.

Dileep
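The access-list logging Dileep mentions makes the ASA emit %ASA-6-106100 hit records for each ACE marked with "log"; the following is an added example (not from this thread or from Cisco) of a Python script that tallies those records by protocol and destination port and turns the totals into candidate ACEs, so the "permit any any" can be replaced with rules derived from observed traffic. The sample log lines, the ACL name outside_out and the set of worm-propagation ports to deny are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample of ASA 106100 messages (hit records from an ACE with "log" set).
SAMPLE_LOG = """\
%ASA-6-106100: access-list outside_out permitted tcp inside/10.10.1.20(49213) -> outside/172.20.5.10(445) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
%ASA-6-106100: access-list outside_out permitted tcp inside/10.10.1.21(49377) -> outside/172.20.5.10(445) hit-cnt 12 300-second interval [0x1a2b3c4d, 0x0]
%ASA-6-106100: access-list outside_out permitted udp inside/10.10.1.20(137) -> outside/172.20.255.255(137) hit-cnt 40 300-second interval [0x5e6f7a8b, 0x0]
%ASA-6-106100: access-list outside_out permitted tcp inside/10.10.1.30(51000) -> outside/172.20.9.4(443) hit-cnt 3 first hit [0x9c0d1e2f, 0x0]
%ASA-6-106100: access-list outside_out permitted icmp inside/10.10.1.40(8) -> outside/172.20.9.4(0) hit-cnt 250 300-second interval [0x3a4b5c6d, 0x0]
"""

# Fields of a 106100 record: ACL name, action, protocol, src/dst interface, address, port, hit count.
HIT_RE = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src_if>\w+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst_if>\w+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+)"
)

# Ports named in the thread as worm-propagation vectors (assumed policy: deny explicitly).
NOISY = {("tcp", 445), ("tcp", 139), ("udp", 137), ("udp", 138), ("udp", 139)}


def summarize(log_text):
    """Return {(proto, dport): total_hits} for permitted flows, weighting by hit-cnt."""
    totals = Counter()
    for line in log_text.splitlines():
        m = HIT_RE.search(line)
        if not m or m["action"] != "permitted":
            continue
        totals[(m["proto"], int(m["dport"]))] += int(m["hits"])
    return totals


def propose_aces(totals, acl_name="outside_out"):
    """Emit candidate ACEs, busiest first: denies for NOISY ports, logged permits for the rest.
    ICMP carries no port, so it is skipped here and should be restricted by message type."""
    aces = []
    for (proto, dport), _hits in sorted(totals.items(), key=lambda kv: -kv[1]):
        if proto == "icmp":
            continue
        action = "deny" if (proto, dport) in NOISY else "permit"
        aces.append(f"access-list {acl_name} extended {action} {proto} any any eq {dport} log")
    return aces


if __name__ == "__main__":
    for ace in propose_aces(summarize(SAMPLE_LOG)):
        print(ace)
```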

BlueyVIII Sun, 01/10/2010 - 23:12

Thanks Dileep,

Those sound ideal for what I'm trying to achieve.

Can you please point me in the direction of how I can enable NetFlow and threat detection? The ASA5520 also has an IPS module, if that helps.

Dileep Sivadas ... Sun, 01/10/2010 - 23:31

In ASDM:

For threat detection: Configuration --> Firewall --> Threat Detection

For NetFlow: Configuration --> Device Management --> Logging --> NetFlow

You can see threat detection statistics at Home --> Firewall Dashboard.

The IPS does give some statistics about network traffic. If you are using Cisco IME, go to the dashboard and add the top application gadgets.

If you are looking for the CLI, all threat detection commands start with:

threat-detection

And for NetFlow:

flow-export destination interface ip-address port

Dileep

vilaxmi Mon, 01/11/2010 - 21:06
User Badges: Cisco Employee

Hello,

Though threat detection statistics may help you get a hang of n/w resource usage on the ASA, it is really a very basic tool for monitoring purposes. Moreover, it will consume 15-20% CPU on the box. According to my experience with Cisco, when most of the ASAs are running at high CPU, it is always good to turn OFF the threat-detection stats, as they are not of much use.

In my opinion, NetFlow Secure Event Logging (NSEL, in 8.2+) is a better option for your scenario. Please refer to the link below:

http://cisco.com/en/US/docs/security/asa/asa82/configuration/guide/monitor_nsel.html#wpmkr1111173

Thanks

Vijaya
