Outbound Traffic Monitoring

BlueyVIII · ‎01-10-2010

Hello,

We have an ASA5520 which connects our offices to a larger corporate WAN which we deem as hostile. We've always allowed traffic to flow off our network and onto the corporate network without any controls, however, following a recent virus outbreak (which flooded the corporate network with ICMP!) we've been told by our corporate IT Team that we must now restrict outbound traffic.

This is fair enough and to be honest it's something we should have done a long time ago. Because we control inbound traffic via ACL's we know what traffic is allowed in, however, as we've never controlled outbound traffic before I'd like to get an idea of what traffic is heading onto the corporate WAN before I remove the outbound "permit any any" and replace with more specific ACLS's.

My initial plan was to place a probe on the outside of the firewall for around a month to monitor outbound traffic so we can use this info to come out with an appropriate set of rules. I guess this will also highlight any illeigitmate traffic which we can block.

I then wondered if the ASA has any ASDM tools or CLI options that could help with this?

I'd be interested to hear from anyone who's done something similar or knows of any tools (particulary free/shareware) that could help.

Any help greatfully received.

Dileep Sivadas Padmini · ‎01-10-2010

Hi,

There are two features you can use on ASA 8.2.X code.

1. Threat detection

2. Netflow

And also by enabling access-list logging you will get some idea about traffic flow, in my opinion you can create deny rules on top access-list permit any any rule.Start with blocking ports like UDP 137,138,139,TCP 445, 139 etc with will definitely help to reduce the worms spreading and also restrict ICMP message types.

Starting with 8.X code , the threat detection is good feature to analyse network traffic.

Netflow feature is available with 8.2.1 code, you can use free netflow analyser from sloarwinds or cisco( evaluation versions) to analyse traffic.

Dileep

BlueyVIII · ‎01-10-2010

Thanks Dileep,

Those sound ideal for what I'm trying to acheive..

Can you please point me in the direction of how I can enable netflow and threat detection. The ASA5520 also has an IPS module if that helps?

Dileep Sivadas Padmini · ‎01-10-2010

In ASDM

For threat-detection

Configuration --> Firewall--> threat-detection

For Netflow

Configuration --> Device management --> logging --> netflow

You can see threat detection statistics at Home-->Firewall Dashboard

IPS do give some statistics about network traffic, If you using Cisco IME go to dashboard and add top application gadjets

If you are looking for CLI all threat detection commands start with

threat-detection

And for netflow

flow-export destination interface ip-address port

Dileep

vilaxmi · ‎01-11-2010

Hello,

Though threat detection statistics may help you get a hang of n/w resource usage on ASA, but really it is a very basic tool for monitoring purposes. Moreover, it will consume 15-20% CPU on the box. According to my experience with Cisco, when most of the ASAs are running at high CPU, then it is always good to turn OFF the threat-detection stats, as it is not much of use.

In my opinion, Netflow Secure Event Logging ( NSEL in 8.2 +) is a better option for your scenario.Please refer the link below :

http://cisco.com/en/US/docs/security/asa/asa82/configuration/guide/monitor_nsel.html#wpmkr1111173

Thanks

Vijaya