Cisco ACS 4.2 and RSA authentication Manager Integration Guide
Table of Contents
1.1. Introduction
1.2. Prerequisites
1.3. Traffic flow
1.4. DNS configuration is necessary to download the database from Cisco
1.5. Botnet Database
1.6. Exclusions
1.7. Enable this on the interface you need to scan, namely outside
1.8. Credits
Introduction
Malware is malicious software that is installed on an unwitting host. Malware that attempts network activity such as sending private data (passwords, credit card numbers, keystrokes, or proprietary data) can be detected by the Botnet Traffic Filter when the malware starts a connection to a known bad IP address. The Botnet Traffic Filter checks incoming and outgoing connections against a dynamic database of known bad domain names and IP addresses (the blacklist), and then logs or blocks any suspicious activity.
You can also supplement the Cisco dynamic database with blacklisted addresses of your choosing by adding them to a static blacklist; if the dynamic database includes addresses that you think should not be blacklisted, you can manually enter them into a static whitelist. Whitelisted addresses still generate syslog messages, but because you are only acting on blacklist syslog messages, the whitelist messages are informational only.
Prerequisites
- Cisco ASA appliance running 8.2 or later release
- Cisco Botnet license (a trial can be obtained by contacting a Channel Partner)
- Strong Encryption (3DES/AES) license to download the dynamic database
Traffic flow
DNS configuration is necessary to download the database from Cisco
dns domain-lookup outside
dns server-group DefaultDNS
name-server 1.1.1.1
Botnet Database
To proceed, you need to enable use of the botnet dynamic database:
dynamic-filter use-database
Exclusions
Make sure you add some exclusions for traffic that should bypass the filter. In the classify-list ACL, a deny entry excludes that traffic from monitoring and a permit entry includes it:
access-list forexclusion extended deny ip any 192.168.0.0 255.255.0.0
access-list forexclusion extended permit ip any any
Enable the dynamic filter on the interface you need to scan, namely outside, using the exclusion ACL as the classify-list:
dynamic-filter enable interface outside classify-list forexclusion
Finally, enable DNS snooping so the filter can map resolved IP addresses back to the domain names in the database, and apply the policy to the outside interface:
class-map botnet-DNS
match port udp eq domain
policy-map botnet-inspection
class botnet-DNS
inspect dns dynamic-filter-snoop
service-policy botnet-inspection interface outside
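The decision path the configuration above sets up (classify-list exclusion, DNS snooping, static whitelist overriding the dynamic blacklist, then log or block) can be followed in a small model. This is an added example written for this page, not Cisco code and not how the ASA is implemented internally; the blacklist and whitelist entries, the DNS answers and the destination addresses are constructed test data, and the block_mode flag is an assumed stand-in for the ASA's drop setting, which this page does not configure.

```python
"""Model of the ASA Botnet Traffic Filter decision path (added example, not Cisco code)."""
import ipaddress
from dataclasses import dataclass

# Constructed stand-ins for the Cisco dynamic database and the operator's static lists.
DYNAMIC_BLACKLIST = {"bad.example.net", "203.0.113.10", "198.51.100.9"}
STATIC_BLACKLIST = {"evil.example.org"}
STATIC_WHITELIST = {"ok.example.com"}


@dataclass
class AclEntry:
    action: str                   # "permit" or "deny"
    dst: ipaddress.IPv4Network    # destination network the entry matches


def parse_classify_list(lines):
    """Parse ASA lines of the form
    'access-list NAME extended permit|deny ip any DST MASK' (or 'any' as DST).
    ASA ACLs use subnet masks, not IOS-style wildcard masks."""
    entries = []
    for line in lines:
        p = line.split()
        if len(p) < 7 or p[0] != "access-list" or p[2] != "extended" or p[4] != "ip":
            raise ValueError(f"unsupported ACL line: {line!r}")
        if p[6] == "any":
            net = ipaddress.IPv4Network("0.0.0.0/0")
        else:
            net = ipaddress.IPv4Network(f"{p[6]}/{p[7]}")
        entries.append(AclEntry(p[3], net))
    return entries


def classify_list_permits(entries, dst_ip):
    """First matching entry wins; an address that matches nothing hits the
    implicit deny at the end of the ACL and is therefore not monitored."""
    addr = ipaddress.IPv4Address(dst_ip)
    for e in entries:
        if addr in e.dst:
            return e.action == "permit"
    return False


class DnsSnoopCache:
    """Reverse cache built from observed DNS answers, the role that
    'inspect dns dynamic-filter-snoop' plays on the ASA."""
    def __init__(self):
        self._ip_to_name = {}

    def observe_answer(self, name, ip):
        self._ip_to_name[ip] = name.lower().rstrip(".")

    def lookup(self, ip):
        return self._ip_to_name.get(ip)


def classify_connection(dst_ip, acl, cache, block_mode=False):
    """Return the verdict for a connection to dst_ip: 'not-monitored' (excluded by
    the classify-list), 'whitelisted', 'clean', 'blacklisted:log' or 'blacklisted:drop'.
    block_mode is an assumed knob standing in for the ASA drop setting (not on this page)."""
    if not classify_list_permits(acl, dst_ip):
        return "not-monitored"
    keys = {dst_ip}
    name = cache.lookup(dst_ip)
    if name:
        keys.add(name)                # match on the snooped domain name as well as the IP
    if keys & STATIC_WHITELIST:
        return "whitelisted"          # static whitelist overrides the dynamic database; still logged
    if keys & (DYNAMIC_BLACKLIST | STATIC_BLACKLIST):
        return "blacklisted:drop" if block_mode else "blacklisted:log"
    return "clean"


# Constructed example mirroring the page's exclusion ACL and a few observed DNS answers.
PAGE_ACL = parse_classify_list([
    "access-list forexclusion extended deny ip any 192.168.0.0 255.255.0.0",
    "access-list forexclusion extended permit ip any any",
])


def demo():
    cache = DnsSnoopCache()
    cache.observe_answer("bad.example.net.", "198.51.100.7")   # blacklisted by name only
    cache.observe_answer("ok.example.com", "198.51.100.9")     # IP is in the dynamic blacklist, name is whitelisted
    return {ip: classify_connection(ip, PAGE_ACL, cache)
            for ip in ("192.168.10.5", "198.51.100.7", "203.0.113.10", "198.51.100.9", "192.0.2.1")}


if __name__ == "__main__":
    for ip, verdict in demo().items():
        print(f"{ip:15} {verdict}")
```

The point of the DNS snoop cache is that the dynamic database contains domain names as well as IP addresses; without snooping, a connection to 198.51.100.7 above would look clean because only the name bad.example.net is listed. The whitelist case shows why the whitelist still deserves a syslog entry: the address was in the dynamic database and only the operator's override kept it from being flagged.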
Credits
www.cisco.com was used to compile this document
Recommended Reading
- Cisco ACS Best Practices document
- Cisco ASA Best Practices and Security Hardening Document.
- Cisco-vpn-ipsec-configuration-examples
- Cisco-ids-ips-aip-idsm-configuration-examples
- Detailed Cisco ACS 5.2 installation and configuration example with print screens