Create the Data Center Best Practice Anti-Spyware Profile
Protect your data center from spyware such as command-and-control,
backdoor, data theft, and keylogging attacks.
Attach an Anti-Spyware profile to all security policy
rules that allow data center traffic. The Anti-Spyware profile detects command-and-control
(C2) traffic initiated from spyware installed on a server or endpoint,
including categories such as adware, backdoor, browser-hijack, data
theft, and keylogging, and prevents compromised systems from establishing
an outbound connection from your network.
To create the best practice profile, clone the predefined strict
Anti-Spyware profile and edit it. If you have a sinkhole set up
to which you can send traffic for analysis, enable DNS sinkhole
with packet capture to help you track down the endpoint that attempted
to resolve the malicious domain. The best practice Anti-Spyware profile
retains the default action, which is to reset the connection
when the firewall detects a medium, high, or critical severity threat,
and enables single packet capture (PCAP) for those threats.
Don’t enable PCAP for informational activity because it generates
a relatively high volume of that traffic and it’s not particularly
useful compared to potential threats. Apply extended PCAP (as opposed
to single PCAP) to high-value traffic to which you apply the
Apply PCAP using the same logic you use to decide what traffic to
log—take PCAPs of the traffic you log. Apply single PCAP to traffic
you block. The default number of packets that extended PCAP records
and sends to the management plane is five, which is the
recommended value. In most cases, capturing five packets provides
enough information to analyze the threat. Capturing more than five
packets sends more PCAP traffic to the management plane, and if that
volume becomes too high, PCAPs may be dropped.
The best practice Action on DNS Queries is to block or to sinkhole
DNS queries for known malicious domains (sinkhole when you don’t have
visibility into the originator of the DNS query) and to enable PCAPs.
Enabling DNS sinkhole identifies potentially compromised hosts
that attempt to access suspicious domains by tracking the hosts
and preventing them from accessing those domains. Enable DNS sinkhole
when the firewall can’t see the originator of the DNS query (typically
when the firewall is north of the local DNS server) so that you
can identify infected hosts. Don’t enable DNS sinkhole when the
firewall can see the originator of the DNS query (typically when
the firewall is south of the local DNS server; in this case, the
firewall’s blocking rules and logs provide visibility into the traffic)
or on traffic you block.
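As an added example (not from the original page or from Palo Alto Networks), the following Python sketch shows why sinkholing helps when the firewall sits north of the local DNS server: the DNS threat log names only the DNS server as the query source, while the follow-on connections to the sinkhole address name the actual infected hosts. The log structures, addresses and domains are constructed for this example and are not real PAN-OS log fields.

```python
from collections import defaultdict
from dataclasses import dataclass

# Placeholder sinkhole address (TEST-NET-1), constructed for this example.
SINKHOLE_IP = "192.0.2.1"


@dataclass(frozen=True)
class DnsThreatLog:
    src: str      # DNS client as seen by the firewall (often the local DNS server)
    domain: str   # queried domain
    action: str   # e.g. "sinkhole", "block", "alert"


@dataclass(frozen=True)
class TrafficLog:
    src: str      # real originating host of the session
    dst: str
    dport: int


def sinkholed_domains(threat_logs):
    """Domains the firewall answered with the sinkhole address."""
    return {t.domain for t in threat_logs if t.action == "sinkhole"}


def dns_sources(threat_logs):
    """Sources recorded in the DNS threat log; north of the DNS server this is
    just the DNS server itself, which is why the threat log alone cannot name
    the infected host."""
    return {t.src for t in threat_logs}


def infected_hosts(threat_logs, traffic_logs, sinkhole_ip=SINKHOLE_IP):
    """Map each host that connected to the sinkhole address to the destination
    ports it tried. Any session to the sinkhole is suspicious: only a host that
    resolved a sinkholed domain would have that address as a destination."""
    if not sinkholed_domains(threat_logs):
        return {}
    ports = defaultdict(set)
    for f in traffic_logs:
        if f.dst == sinkhole_ip:
            ports[f.src].add(f.dport)
    return {host: sorted(p) for host, p in ports.items()}


# Constructed sample logs: the firewall sees only the DNS server (10.0.0.53)
# as the DNS client, but the traffic log to the sinkhole exposes two hosts.
THREAT_LOGS = [
    DnsThreatLog("10.0.0.53", "evil-c2.example", "sinkhole"),
    DnsThreatLog("10.0.0.53", "tracker.example", "sinkhole"),
    DnsThreatLog("10.0.0.53", "news.example", "alert"),
]
TRAFFIC_LOGS = [
    TrafficLog("10.1.2.34", SINKHOLE_IP, 443),
    TrafficLog("10.1.2.34", SINKHOLE_IP, 8080),
    TrafficLog("10.1.9.7", SINKHOLE_IP, 443),
    TrafficLog("10.1.9.8", "198.51.100.10", 443),  # benign session, not to the sinkhole
]
```

Running `infected_hosts(THREAT_LOGS, TRAFFIC_LOGS)` yields the two internal hosts and the ports they attempted, even though `dns_sources(THREAT_LOGS)` contains only the DNS server.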
In addition to protecting hosts with DNS sinkholing, attach the
best practice Anti-Spyware profile to all security policy rules
that allow traffic to identify infected hosts as traffic leaves
the network and to stop attackers by preventing compromised systems
from communicating with the malicious C2 network. If a system can’t communicate
with the C2 network, the C2 network can’t control the system. For:
- Traffic from users to the data center, intra data center traffic, and traffic from the internet to the data center—The Anti-Spyware profile blocks peer-to-peer C2 traffic.
- Traffic from the data center to the internet—The Anti-Spyware profile, along with the Antivirus profile, helps identify and block C2 traffic and initial downloads of malware and hacking tools.