Forum Discussion
Botnet Mitigation if traffic initiated from inside to outside
Hi Deepak,
With what modules? If a Botnet appeared on your internal Network, that's slightly worrying and hopefully would be picked up by a security function within your business.
If you're specifically concerned about a certain application subnet, how does it currently access the internet? Does it need to access the internet? If it's just for an application, can you restrict the IPs it gets to, websites etc etc. (You're bordering on WebProxy territory here)
Could you deploy ASM and look at the application traffic, learn what is "Normal" and log/drop things that aren't?
From the information you've provided, it's very difficult to answer the question. But hopefully the above will help direct you down the right path.
- Deep_287674 | Sep 07, 2016 | Nimbostratus
We have deployed BIG-IP AFM/ASM and done L4 and L7 DDoS profiling.
But there is one Bluecoat proxy; they want F5 ASM acting as a proxy, and traffic initiated from the inside proxy to the Internet through F5 ASM should work for things like software upgrades. In this scenario, can we mitigate any bot from inside? We need a solution for this before implementing.
- IainThomson85_1 | Sep 07, 2016 | Cumulonimbus
We're "solutionising" different products here.
You've stated you want to mitigate a botnet potentially accessing external resources (Internet).
In this instance your Bluecoat (in my opinion) is in a far better position to lock down access based on Source IP address. You can also do things on the Bluecoat SG like enabling Threat Detection amongst other features.
From the F5 perspective, you can apply an ASM policy to a VIP which is controlled/administered to applications you want the service to access.
- Deep_287674 | Sep 07, 2016 | Nimbostratus
We would configure a forwarding virtual server from inside to outside.
SourceProxyIP --> Destination any any --> SNAT to VIP
In this scenario you mean let the proxy do the botnet protection. Then F5 will bypass the traffic only to the internet.
- IainThomson85_1 | Sep 07, 2016 | Cumulonimbus
You need to ask why you'd have a botnet on your Local network in the first place! Kind of a lock the door after the horse has bolted approach.
Also depends on what that "botnet" is doing as to if you'd be able to realistically mitigate against it.
- Deep_287674 | Sep 07, 2016 | Nimbostratus
Well, you are right to a certain extent. Today I will have a con-call and will try to explain these things and try to get a concrete solution.