Cisco ACS 4.2 and RSA authentication Manager Integration Guide



Table of Contents



1.1.       Introduction
1.2.       Prerequisites
1.3.       Traffic flow
1.4.       DNS configuration is necessary to download the database from Cisco
1.5.       Botnet Database
1.6.       Exclusions
1.7.       Enable this on the interface you need to scan, namely outside
1.8.       Credits



Introduction

Malware is malicious software that is installed on an unknowing host. Malware that attempts network activity, such as sending private data (passwords, credit card numbers, keystrokes, or proprietary data), can be detected by the Botnet Traffic Filter when the malware starts a connection to a known bad IP address. The Botnet Traffic Filter checks incoming and outgoing connections against a dynamic database of known bad domain names and IP addresses (the blacklist), and then logs or blocks any suspicious activity.
You can also supplement the Cisco dynamic database with blacklisted addresses of your choosing by adding them to a static blacklist; if the dynamic database includes blacklisted addresses that you think should not be blacklisted, you can manually enter them into a static whitelist. Whitelisted addresses still generate syslog messages, but because you are only targeting blacklist syslog messages, they are informational.

Prerequisites

Cisco ASA appliance running 8.2 or later release
Cisco Botnet license (a trial can be obtained by contacting a Channel Partner)
Strong Encryption (3DES/AES) license to download the dynamic database

Traffic flow




DNS configuration is necessary to download the database from Cisco


The ASA must be able to resolve the Cisco update server, so enable DNS lookups on the outside interface and give the default server group at least one name server (the server address below is a placeholder for your own resolver):

dns domain-lookup outside
dns server-group DefaultDNS
 name-server <DNS-SERVER-IP>

Botnet Database



In order to proceed you need to enable the botnet database

dynamic-filter use-database

Exclusions

Make sure you add some exclusions for traffic to be bypassed. The classify list works in the usual ASA way: traffic denied by the ACL is not checked against the database, traffic permitted by it is. The excluded destination below is a placeholder; the original guide leaves it unspecified.
access-list forexclusion extended deny ip any host <EXCLUDED-IP>
access-list forexclusion extended permit ip any any

Enable this on the interface you need to scan, namely outside


dynamic-filter enable interface outside classify-list forexclusion

and finally apply the policy, so that DNS replies are snooped and IP addresses resolved from blacklisted names can be matched:

class-map botnet-DNS
 match port udp eq domain
policy-map botnet-inspection
 class botnet-DNS
  inspect dns dynamic-filter-snoop
service-policy botnet-inspection interface outside
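The steps above are spread over several fragments. The following is an added example, not configuration from the original guide, that pulls them together into one complete Botnet Traffic Filter configuration and also shows the static blacklist and whitelist mentioned in the introduction and the optional drop action (the page's own fragments only monitor and log). The interface name "outside" and the ACL name "forexclusion" are taken from the guide; the DNS server address, the excluded host, the example domain names and the example addresses (RFC 5737 documentation ranges) are assumed placeholders. Lines beginning with "!" are comments and are ignored when pasted into the ASA CLI.

```cisco
! Added example, not the original guide's configuration. Placeholders in <> must
! be replaced; example.com names and 192.0.2.x / 198.51.100.x addresses are
! constructed for illustration only.

! 1. DNS: the update client must resolve Cisco's update server
dns domain-lookup outside
dns server-group DefaultDNS
 name-server <DNS-SERVER-IP>

! 2. Download the dynamic database periodically and use it for lookups
dynamic-filter updater-client enable
dynamic-filter use-database

! 3. Static whitelist: addresses or names you trust even if the dynamic list
!    contains them (matches are still logged, as informational messages)
dynamic-filter whitelist
 name trusted.example.com
 address 192.0.2.10 255.255.255.255

! 4. Static blacklist: your own entries on top of the Cisco database
dynamic-filter blacklist
 name bad.example.com
 address 198.51.100.0 255.255.255.0

! 5. Exclusions: traffic denied by the classify list is not checked at all
access-list forexclusion remark Bypass the filter for the excluded host
access-list forexclusion extended deny ip any host <EXCLUDED-IP>
access-list forexclusion extended permit ip any any

! 6. Monitor on the outside interface (syslog only until step 7 is added)
dynamic-filter enable interface outside classify-list forexclusion

! 7. Optional: drop blacklisted connections instead of only logging them,
!    limited here to the moderate .. very-high threat levels
dynamic-filter drop blacklist interface outside threat-level range moderate very-high

! 8. DNS snooping so that IP addresses resolved from blacklisted names match
class-map botnet-DNS
 match port udp eq domain
policy-map botnet-inspection
 class botnet-DNS
  inspect dns dynamic-filter-snoop
service-policy botnet-inspection interface outside
```

After pasting, confirm the database actually arrived with "show dynamic-filter updater-client" and "show dynamic-filter data"; an empty database (typically a DNS or licensing problem) means the filter silently matches nothing. "show dynamic-filter statistics" and "show dynamic-filter reports top botnet-sites" show what has been classified. Leave step 7 out during a trial period and review the syslog messages first, since a whitelist entry is the intended fix for any false positive you find there.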

Credits

... was used to compile this document


Recommended Reading


  1. Cisco ACS Best Practices document
  2. Cisco ASA Best Practices and Security Hardening Document.
  3. Cisco-vpn-ipsec-configuration-examples
  4. Cisco-ids-ips-aip-idsm-configuration-examples
  5. Detailed Cisco ACS 5.2 installation and configuration example with print screens
