Cisco ACS 4.2 and RSA authentication Manager Integration Guide

Table of Contents


1.1.       Introduction
1.2.       Prerequisites
1.3.       Traffic flow
1.4.       DNS configuration is necessary to download the database from Cisco
1.5.       Botnet Database
1.6.       Exclusions
1.7.       Enable this on the interface you need to scan, namely outside
1.8.       Credits

Introduction

Malware is malicious software that is installed on an unknowing host. Malware that attempts network activity such as sending private data (passwords, credit card numbers, keystrokes, or proprietary data) can be detected by the Botnet Traffic Filter when the malware starts a connection to a known bad IP address. The Botnet Traffic Filter checks incoming and outgoing connections against a dynamic database of known bad domain names and IP addresses (the blacklist), and then logs or blocks any suspicious activity.
You can also supplement the Cisco dynamic database with blacklisted addresses of your choosing by adding them to a static blacklist; if the dynamic database includes blacklisted addresses that you think should not be blacklisted, you can manually enter them into a static whitelist. Whitelisted addresses still generate syslog messages, but because you are only targeting blacklist syslog messages, the whitelist messages are informational.
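To show how that blacklist/whitelist distinction looks when you read the ASA's syslog, here is an added Python example; it is not part of this guide and not Cisco code. It triages constructed ASA syslog lines, flags Botnet Traffic Filter blacklist messages (monitored or dropped) as actionable, treats whitelist messages as informational, and tallies which internal hosts contacted a blacklisted address. The message-ID ranges (338001-338008 for monitored blacklisted/whitelisted traffic, 338201-338204 for dropped blacklisted traffic) and the message wording are assumed from Cisco's ASA syslog documentation as I recall it, so confirm them against your ASA release; the log lines and the RFC 5737 addresses in them are constructed.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Botnet Traffic Filter syslog message IDs. ASSUMPTION: taken from Cisco's ASA
# syslog documentation as I remember it; confirm against your ASA release.
BLACKLIST_MONITORED = range(338001, 338005)  # monitored blacklisted traffic (log only)
WHITELIST_MONITORED = range(338005, 338009)  # monitored whitelisted traffic (informational)
BLACKLIST_DROPPED = range(338201, 338205)    # blacklisted traffic dropped by dynamic-filter drop

MSG_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<body>.*)")
FLOW_RE = re.compile(
    r"from (?P<sif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+)"
    r".*? to (?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)
LIST_RE = re.compile(r"resolved from (?P<list>\w+) list: (?P<name>\S+?),")


@dataclass
class Finding:
    msg_id: int
    verdict: str            # "alert" (blacklist hit), "info" (whitelist hit) or "other"
    src: Optional[str]
    dst: Optional[str]
    domain: Optional[str]   # blacklisted/whitelisted name the destination resolved from


def triage(line: str) -> Optional[Finding]:
    """Classify one ASA syslog line; None if it is not an ASA message at all."""
    m = MSG_RE.search(line)
    if not m:
        return None
    msg_id = int(m.group("id"))
    if msg_id in BLACKLIST_MONITORED or msg_id in BLACKLIST_DROPPED:
        verdict = "alert"
    elif msg_id in WHITELIST_MONITORED:
        verdict = "info"
    else:
        verdict = "other"
    body = m.group("body")
    flow = FLOW_RE.search(body)
    lst = LIST_RE.search(body)
    return Finding(
        msg_id,
        verdict,
        flow.group("src") if flow else None,
        flow.group("dst") if flow else None,
        lst.group("name") if lst else None,
    )


def alerts(lines: List[str]) -> List[Finding]:
    """Only the blacklist hits: these are the messages the guide says to target."""
    return [f for f in map(triage, lines) if f is not None and f.verdict == "alert"]


def infected_hosts(lines: List[str]) -> Counter:
    """Internal sources that contacted a blacklisted address, most frequent first."""
    return Counter(f.src for f in alerts(lines) if f.src)


# Constructed sample lines (RFC 5737 documentation addresses), not real ASA output.
SAMPLE_LOG = [
    "%ASA-4-338001: Dynamic Filter monitored blacklisted TCP traffic from "
    "inside:192.168.10.25/51234 (192.168.10.25/51234) to outside:203.0.113.45/443 "
    "(203.0.113.45/443), destination 203.0.113.45 resolved from dynamic list: "
    "c2.example.test, threat-level: very-high, category: Malware",
    "%ASA-4-338005: Dynamic Filter monitored whitelisted TCP traffic from "
    "inside:192.168.10.30/50011 (192.168.10.30/50011) to outside:198.51.100.7/80 "
    "(198.51.100.7/80), destination 198.51.100.7 resolved from static list: "
    "updates.example.test, threat-level: none, category: none",
    "%ASA-6-302013: Built outbound TCP connection 4711 for outside:198.51.100.9/443 "
    "(198.51.100.9/443) to inside:192.168.10.31/50123 (192.168.10.31/50123)",
    "%ASA-4-338201: Dynamic Filter dropped blacklisted TCP traffic from "
    "inside:192.168.10.25/51240 (192.168.10.25/51240) to outside:203.0.113.45/443 "
    "(203.0.113.45/443), destination 203.0.113.45 resolved from dynamic list: "
    "c2.example.test, threat-level: very-high, category: Malware",
]

if __name__ == "__main__":
    for f in alerts(SAMPLE_LOG):
        print(f"{f.msg_id}: {f.src} -> {f.dst} ({f.domain})")
    print(infected_hosts(SAMPLE_LOG))
```

The whitelist line is parsed but never surfaces as an alert, which is the behaviour the paragraph describes; the ordinary connection-built message (302013) is kept as "other" so the same loop can run over an unfiltered syslog feed.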

Prerequisites

Cisco ASA appliance running release 8.2 or later
Cisco Botnet license (a trial can be obtained by contacting your Channel Partner)
Strong Encryption (3DES/AES) license, required to download the dynamic database

Traffic flow

[Figure: asa-botnet-traffic-flow]

DNS configuration is necessary to download the database from Cisco

dns domain-lookup outside
dns server-group DefaultDNS
name-server 1.1.1.1

Botnet Database

In order to proceed you need to enable use of the dynamic botnet database; the dynamic-filter use-database command is listed together with the exclusions below.

Exclusions

Make sure you add exclusions for traffic that should bypass the filter. Traffic the classify-list denies is not checked against the database, so the internal 192.168.0.0/16 range below is exempt, and the final permit ip any any sends everything else through the filter:
access-list forexclusion extended deny ip any 192.168.0.0 255.255.0.0
access-list forexclusion extended permit ip any any

dynamic-filter use-database

Enable this on the interface you need to scan, namely outside

dynamic-filter enable interface outside classify-list forexclusion

Finally, define the DNS inspection policy with dynamic-filter snooping and apply it to the outside interface:
class-map botnet-DNS
 match port udp eq domain
policy-map botnet-inspection
 class botnet-DNS
  inspect dns dynamic-filter-snoop
service-policy botnet-inspection interface outside
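The exclusion list and the interface command above only work as intended if the access list is ordered correctly, so here is an added Python example, not from this guide or from Cisco, that evaluates the forexclusion classify-list the way dynamic-filter enable interface outside classify-list forexclusion applies it: a flow the access list permits is checked against the botnet database, a flow it denies (or that matches no entry) is bypassed. It goes a little beyond the guide's two entries by also parsing the host form of an ASA address. The first-match and implicit-deny semantics are my reading of the commands above, and the config fragment and IP addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

IPv4Net = ipaddress.IPv4Network


@dataclass
class Ace:
    action: str   # "permit" = classify against the database, "deny" = bypass the filter
    src: IPv4Net
    dst: IPv4Net


def _parse_addr(tokens: List[str], i: int) -> Tuple[IPv4Net, int]:
    """Parse one ASA address specifier at tokens[i]: 'any', 'host A', or 'A MASK'."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # network followed by a dotted netmask, e.g. 192.168.0.0 255.255.0.0
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(config: str, name: str) -> List[Ace]:
    """Collect the 'access-list NAME extended {permit|deny} ip SRC DST' entries, in order."""
    aces: List[Ace] = []
    for line in config.splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[1] != name:
            continue
        if t[2] != "extended" or t[3] not in ("permit", "deny") or t[4] != "ip":
            continue  # only the plain 'ip' form used in the guide is handled
        src, i = _parse_addr(t, 5)
        dst, _ = _parse_addr(t, i)
        aces.append(Ace(t[3], src, dst))
    return aces


def is_classified(aces: List[Ace], src_ip: str, dst_ip: str) -> bool:
    """Would this flow be checked against the botnet database?

    ASSUMPTION (my reading of the classify-list option): first matching entry wins,
    permit means the flow is classified, deny means it is bypassed, and a flow that
    matches nothing falls to the access list's implicit deny and is bypassed too.
    """
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if s in ace.src and d in ace.dst:
            return ace.action == "permit"
    return False


def bypassed_flows(aces: List[Ace], flows: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Flows the filter never sees; useful for checking an exclusion list is not too broad."""
    return [(s, d) for s, d in flows if not is_classified(aces, s, d)]


# Constructed config fragment reproducing the guide's exclusion list.
SAMPLE_CONFIG = """
access-list forexclusion extended deny ip any 192.168.0.0 255.255.0.0
access-list forexclusion extended permit ip any any
dynamic-filter use-database
dynamic-filter enable interface outside classify-list forexclusion
"""

FOREXCLUSION = parse_acl(SAMPLE_CONFIG, "forexclusion")

if __name__ == "__main__":
    for src, dst in [("192.168.10.25", "203.0.113.45"), ("192.168.10.25", "192.168.200.1")]:
        state = "classified" if is_classified(FOREXCLUSION, src, dst) else "bypassed"
        print(src, "->", dst, state)
```

Running bypassed_flows over a sample of real connection pairs before enabling the filter is a quick way to confirm that only the intended internal ranges are exempt; an access list with no permit entry, or with the deny placed after the permit, shows up immediately as everything being bypassed or nothing being excluded.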

Credits

www.cisco.com was used to compile this document

Recommended Reading

  1. Cisco ACS Best Practices document
  2. Cisco ASA Best Practices and Security Hardening Document.
  3. Cisco-vpn-ipsec-configuration-examples
  4. Cisco-ids-ips-aip-idsm-configuration-examples
  5. Detailed Cisco ACS 5.2 installation and configuration example with print screens
