
Title: cisco asa
Description: cisco ASA configuration



Cisco ASA Configuration Guidance
Abstract
The modern network perimeter is more complicated than ever
...
As firewalls increase in complexity, network administrators face the challenge of
staying up to date on the technology needed to maintain and configure a secure perimeter
...
1)
...
It is the responsibility of an
organization to develop a security policy that meets all of their specific needs
...


Table of Contents

Abstract
INTRODUCTION
Topology    6
Dedicated Management Interface    7
Usernames    8
Privileged Exec Mode    9
Adaptive Security Device Manager (ASDM)    9
System / ASDM Images    10
Simple Network Management Protocol (SNMP)    10
Authentication
INTERFACE CONFIGURATION
Security Levels    13
Enabling
AUDITING / LOGGING
Buffer    14
Timestamps    15
Local Time    15
Proxy Address Resolution Protocol (ARP)    16
Master Passphrase    16
Anti Spoofing    17
Access Control Lists (ACL)    19
Network/Port Address Translation (NAT/PAT)
BIBLIOGRAPHY
APPENDICES
...
The ASA is designed to stop attacks at the perimeter of a network and offers
a rich feature set of capabilities to provide security against an array of network attacks
...
Those features are useful and should be
deployed, given an operational requirement and the appropriate environment:
Suite-B IPSec VPNs (Site to Site and Remote Access)
Identity Based Firewall Security
High Availability
Web Security
Protection from botnets
Virtual Firewall
Transparent (Layer 2) Firewall

1
...
Topology
The following diagram (Figure 1-1) depicts a common network topology protected by a
firewall, referred to as the three-pronged firewall, which is referenced throughout this
document
...
The
external network is an untrusted, or less trusted, network (e.g., the Internet)
...
Note that the DMZ may be omitted if there are no external facing services
...

The three-pronged approach is the most common topology used today and is the
recommended design when a DMZ is present
...


Figure 1-1: Three-Pronged Firewall Topology

2
...
Management traffic should
be kept out-of-band by configuring a separate management interface connected to the
firewall
...
The following sections outline the recommendations for a
dedicated management interface as well as other available and important management
features
...
1
...
Cisco offers a management-only
feature to enforce this and deny packets attempting to traverse the interface
...

Please refer to Section 3
...

(config)# interface management 0/0
(config-if)# management-only

2
...
Passwords
For local user accounts, use the built-in password policy feature to enforce the
policy
...
An example password policy would look something
like:
Users should change passwords every 90 days
(config)# password-policy lifetime 90

Changed passwords should be at least 33% (4 out of 12 characters) different from
the previous password
(config)# password-policy minimum-changes 4

Passwords should be a minimum length of 12 characters
(config)# password-policy minimum-length 12

Passwords should contain at least two lowercase, two uppercase, two numeric and two
special characters

(config)# password-policy minimum-lowercase 2
(config)# password-policy minimum-uppercase 2
(config)# password-policy minimum-numeric 2
(config)# password-policy minimum-special 2

2
...
Usernames
Individual accounts should be created for each administrator to allow for accountability and
auditing
...
Also, appropriate privileges should
be set on all accounts; an administrator with full access will have privilege level 15,
whereas users that only need to view configurations may have privilege level 1
...

(config)# username JohnDoeAdmin password password123#! privilege 15
(config)# username JaneSmithViewer password p@$sWoRd456 privilege 1
(config)# username JohnDoeVPNUser password paS$789!worD privilege 0

2
...
Console
The console port is used for a serial connection to the firewall and is the preferred method
for managing the ASA
...

By default there is no authentication required for console access and no timeout for idle
sessions
...

(config)# aaa authentication serial console local

2
...
Privileged Exec Mode
Privileged exec mode is used to make nearly all of the configuration changes to the firewall,
and it is recommended to limit access to this mode to administrators only
...
A password should be set to prevent unauthorized users from altering the
running configuration in privileged exec mode
...
6
...
SSH uses RSA keys as part of the key exchange process, which by default are
1024 bits in length
...
1)
...

(config)# crypto key generate rsa modulus 2048
(config)# ssh version 2
(config)# ssh key-exchange group dh-group14-sha1
(config)# aaa authentication ssh console LOCAL

Access to the SSH service should be limited to specific hosts and/or
networks
...

(config)# ssh 192
...
255
...
255
...
255 management

2
...
Adaptive Security Device Manager (ASDM)
ASDM is the graphical management application which uses SSL to provide a secure
management connection to the ASA
...
6 for commands and guidance for
generating the proper keys)
...

(config)# http server enable
(config)# http 192
...
255
...
255
...
0 management

ASDM management also has a unique feature to prevent long lived management sessions
...

(config)# http server session-timeout 60

2
...
Management Session Timeouts
Idle management sessions of any kind should be automatically timed out after a short period
of time
...
This should apply to all management services:
(config)# console timeout 9
(config)# ssh timeout 9
(config)# http server idle-timeout 9
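The management recommendations above (management-only interface, password policy, SSH version 2 with AAA, and idle timeouts on every management service) can be checked mechanically against a saved running-config. The script below is an added example, not code from the guidance document or from Cisco; both configurations it contains are constructed for illustration, and the checks encode the thresholds the document states (12-character minimum, 90-day lifetime, non-zero timeouts).

```python
"""Added example (not part of the guidance document): audit a saved ASA
running-config against the management-plane recommendations above
(dedicated management interface, password policy, SSH, AAA, session
timeouts). Both configurations below are constructed for illustration."""
import re

# Constructed running-config with several weak settings left in place.
WEAK_CONFIG = """\
interface Management0/0
 management-only
 nameif management
 security-level 100
password-policy lifetime 90
password-policy minimum-length 8
ssh version 1
aaa authentication ssh console LOCAL
console timeout 0
http server enable
"""

# The same configuration with the recommendations applied.
HARDENED_CONFIG = """\
interface Management0/0
 management-only
 nameif management
 security-level 100
password-policy lifetime 90
password-policy minimum-length 12
ssh version 2
aaa authentication ssh console LOCAL
console timeout 9
ssh timeout 9
http server enable
http server idle-timeout 9
"""


def parse_config(text):
    """Return (line, parent) pairs; parent is the enclosing top-level command
    (ASA indents sub-commands with one space) or None for top-level lines."""
    items, parent = [], None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" "):
            items.append((raw.strip(), parent))
        else:
            parent = raw.strip()
            items.append((parent, None))
    return items


def _int_arg(lines, prefix):
    """Integer argument of the first line starting with prefix, else None."""
    for line in lines:
        if line.startswith(prefix + " "):
            match = re.search(r"(\d+)\s*$", line)
            if match:
                return int(match.group(1))
    return None


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    items = parse_config(text)
    top = [line for line, parent in items if parent is None]
    findings = []

    # The management interface must refuse transit traffic.
    mgmt = [line for line in top if line.startswith("interface Management")]
    if not mgmt:
        findings.append("no dedicated Management interface configured")
    for iface in mgmt:
        if ("management-only", iface) not in items:
            findings.append(f"{iface}: 'management-only' not set")

    # Local password policy: 12 characters minimum, 90-day lifetime.
    min_len = _int_arg(top, "password-policy minimum-length")
    if min_len is None or min_len < 12:
        findings.append(f"password-policy minimum-length is {min_len}, want >= 12")
    lifetime = _int_arg(top, "password-policy lifetime")
    if lifetime is None or lifetime > 90:
        findings.append(f"password-policy lifetime is {lifetime}, want <= 90")

    # SSH version 2 only, authenticated through AAA.
    if "ssh version 2" not in top:
        findings.append("'ssh version 2' not enforced")
    if not any(line.startswith("aaa authentication ssh console") for line in top):
        findings.append("SSH logins are not authenticated via AAA")

    # Idle timeouts on every management service (0 means sessions never expire).
    for prefix in ("console timeout", "ssh timeout", "http server idle-timeout"):
        value = _int_arg(top, prefix)
        if not value:
            findings.append(f"'{prefix}' unset or 0 (sessions never expire)")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or "OK")
```

Run it against the output of `show running-config` saved to a file; the weak sample produces five findings, the hardened one none.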

2
...
System / ASDM Images
When booting, the ASA selects the first system image available in flash memory to load
...
It is recommended to explicitly define the images that the ASA should use
when booting and for ASDM management
...

(config)# boot system flash:/asa911-4-k8.bin

2
...
Banners
Login banners should be used on all networking devices as they offer multiple benefits
...
Use banners for all methods of managing the ASA
...
S
...

(config)# banner asdm You are accessing a U
...
Government (USG)
...
11
...
SHA should be used as the digest function for
authentication, and AES 256 encryption should be used for privacy
...

(config)# snmp-server group MySNMPServerGroup v3 priv
(config)# snmp-server user JohnDoe MySNMPServerGroup v3 auth SHA p@$$W0rD1 priv AES 256 p@$$W0rD2
(config)# snmp-server host management 192
...
255
...
12
...
Release and
hardware compatibility information may be found at:
http://www
...
com/en/US/docs/security/asa/compatibility/asamatrix
...
cisco
...

(Actual download requires a Cisco Connection Online (CCO) account)
...
There are several ways to securely copy files to the ASA, all of which
require an IP address on an interface and should be transferred via the management
interface
...
g
...
bin JohnDoe@192
...
255
...
bin

Or, if you have CiscoWorks Auto Update Server (AUS) you can setup automatic updates
securely on the ASA
...
168
...
103/updates source
management

2
...
Authentication
Accounts may be stored locally or on a remote AAA server, which is an excellent
resource for managing many user accounts
...
The AAA server should reside in the out-of-band management network, and the AAA server defined on the ASA should specify the interface
where the designated AAA server is to be accessed
...
168
...
77
(config-aaa-server-host)# key R3@11yL0nGS3cuR3Key
(config)# aaa authentication ssh console ManagementRadius LOCAL

3
...
Provided below are individual recommendations for each of those
steps
...
1
...
The names should represent the level of trust of
the connected network
...
The inside interface
contains the most trusted hosts and

...
2
...
Note that Cisco has built-in names that automatically set default security
respectively
...
Hosts on an interface with a lower
security level may not access hosts behind an interface with a greater than or equal
security level
...
g
...
Similarly, hosts on an interface
with the security level 50 may send traffic to hosts on an interface with a security level of 0
to 49
...
However, we also recommend applying Access Control Lists (ACLs) to all
interfaces to override the default security level behavior of the ASA
...
3
...
g
...

(config)# interface GigabitEthernet 0/0
(config-if)# ip address 10
...
0
...
255
...
252
(config)# interface GigabitEthernet 0/1
(config-if)# ip address 192
...
0
...
255
...
0
(config)# interface GigabitEthernet 0/2
(config-if)# ip address 172
...
0
...
255
...
128
(config)# interface Management 0/0
(config-if)# ip address 192
...
255
...
255
...
0

3
...
Enabling
By default, all interfaces are administratively shutdown and you must enable each
interface
...

(config)# interface GigabitEthernet 0/0
(config-if)# no shutdown
(config)# interface GigabitEthernet 0/1
(config-if)# no shutdown
(config)# interface GigabitEthernet 0/2
(config-if)# no shutdown
(config)# interface Management 0/0
(config-if)# no shutdown

4
...
Data
should be written both locally and to a central log server for analysis of attacks, network
misuse and troubleshooting network issues
...
1
...
Recommended practice
is to use at minimum the notification level, and possibly the informational level,
depending on the volume of messages generated by traffic on the network
...
2
...
When the buffer fills up, unsaved messages should be written to flash (space
permitting)
...

(config)# logging buffered notifications
(config)# logging buffer-size 524288
(config)# logging flash-bufferwrap
(config)# logging flash-maximum-allocation 65536
(config)# logging flash-minimum-free 8192

4
...
Syslog
Messages should also be sent to a remote device that is centralized, properly secured and
preferably on an out-of-band management network
...
168
...
100
(config)# logging trap informational
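Messages forwarded by `logging trap` carry a numeric severity in the `%ASA-<severity>-<id>:` tag, and with the timestamp and device-id recommended in this section each line also identifies when and on which firewall it was generated. The parser below is an added example, not code from the guidance document or from Cisco; the sample lines are constructed to resemble ASA syslog output (message numbers follow the ASA numbering, the text is abbreviated), and the device-id prefix format is an assumption.

```python
"""Added example (not from the guidance document): parse ASA syslog messages
of the form '%ASA-<severity>-<id>: <text>', optionally prefixed with a
timestamp and device-id, and select those at or above a severity level.
The sample lines are constructed for illustration."""
import re
from collections import Counter

# ASA severity levels: a lower number is more severe.
SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}

# Optional 'Mon DD YYYY HH:MM:SS' timestamp, optional device-id (assumed to be
# followed by ' : '), then the ASA message tag and text.
_MSG = re.compile(
    r"^(?:(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2})(?:: | ))?"
    r"(?:(?P<dev>\S+) : )?"
    r"%ASA-(?P<sev>[0-7])-(?P<id>\d{6}): (?P<text>.*)$"
)

# Constructed sample lines; the last one is deliberately not an ASA message.
SAMPLE_LINES = [
    "May 10 2013 12:00:01: %ASA-6-302013: Built inbound TCP connection 1234 for outside:203.0.113.9/51234 to dmz:172.16.0.10/80",
    'May 10 2013 12:00:05: %ASA-4-106023: Deny tcp src outside:203.0.113.9/51300 dst dmz:172.16.0.10/22 by access-group "OUTSIDE_ACL"',
    "May 10 2013 12:00:07: %ASA-5-111008: User 'JohnDoeAdmin' executed the 'configure terminal' command.",
    'May 10 2013 12:00:09 192.0.2.1 : %ASA-6-605005: Login permitted from 192.0.2.50/52000 to management:192.0.2.1/ssh for user "JohnDoeAdmin"',
    "May 10 2013 12:00:11 192.0.2.1 : %ASA-5-111010: User 'JohnDoeAdmin', running 'CLI' from IP 192.0.2.50, executed 'logging trap informational'",
    "this line is not an ASA message",
]


def parse_line(line):
    """Return a dict with timestamp, device_id, severity, message id and text,
    or None when the line is not an ASA syslog message."""
    match = _MSG.match(line)
    if not match:
        return None
    sev = int(match.group("sev"))
    return {
        "timestamp": match.group("ts"),
        "device_id": match.group("dev"),
        "severity": sev,
        "severity_name": SEVERITY_NAMES[sev],
        "msg_id": match.group("id"),
        "text": match.group("text"),
    }


def select(lines, level):
    """Messages at or above the given severity level, the same cut that
    'logging trap <level>' applies; unparseable lines are skipped."""
    parsed = (parse_line(line) for line in lines)
    return [m for m in parsed if m is not None and m["severity"] <= level]


def count_by_severity(lines):
    """Count parseable messages per severity name."""
    return Counter(m["severity_name"] for m in select(lines, 7))


def admin_commands(lines):
    """Configuration commands executed by administrators (messages 111008 and
    111010), the lines an auditor would review first."""
    return [(m["timestamp"], m["text"])
            for m in select(lines, 7) if m["msg_id"] in ("111008", "111010")]


if __name__ == "__main__":
    print(count_by_severity(SAMPLE_LINES))
    for ts, text in admin_commands(SAMPLE_LINES):
        print(ts, text)
```

At the notification level (5) three of the five sample messages would be forwarded; at the informational level (6) all five would, which is the trade-off the text describes between completeness and message volume.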

4
...
Timestamps
Messages should contain a timestamp allowing an auditor to compare log messages and
correlate network events across different hosts and/or log servers
...
5
...

(config)# logging device-id ipaddress management

4
...
Local Time
Part of secure logging is keeping accurate time on all hosts
...

# clock set 12:00:00 10 May 2013
# configure terminal
(config)# clock timezone EST -5

4
...
Network Time Protocol (NTP)
If possible, take advantage of NTP to keep accurate network time across all hosts in the
network
...
Make sure to include the
address to the interface where the NTP server resides
...
168
...
10 key 1 source management

5
...
1
...
If NAT/PAT is not
then the service should be
disabled
...
3)
...
2
...

Additionally, ICMP can be used to gather information about a network device
...

(config)# icmp deny any dmz
(config)# icmp deny any inside
(config)# icmp deny any outside
(config)# icmp permit host 192
...
255
...
3
...
g
...

(config)# key config-key password-encryption
(config)# password encryption aes

5
...
Secure Socket Layer (SSL) Settings
The default SSL settings are configured to allow weak encryption methods along with older
versions of SSL
...
Also, force the ASA as a
client and server to only accept Transport Layer Security (TLS) version 1
...
5
...

To prevent this, use the anti spoofing feature of the ASA which performs a check on the
source network address against the route table
...

(config)# ip verify reverse-path interface dmz
(config)# ip verify reverse-path interface inside
(config)# ip verify reverse-path interface management
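The reverse-path check compares the source address of an arriving packet with the routing table: if the route back to that source does not point out the interface the packet arrived on, the packet is dropped. The model below is an added example, not code from the guidance document or from Cisco; its routing table, interface names and packets are constructed, and it enables the check on the same three interfaces as the commands above.

```python
"""Added example (not from the guidance document): a model of the check that
'ip verify reverse-path interface <name>' performs. The routing table,
interface names and packets below are constructed for illustration."""
import ipaddress

# Constructed routing table as (prefix, egress interface); longest prefix wins.
ROUTES = [
    ("0.0.0.0/0", "outside"),
    ("10.1.0.0/16", "inside"),
    ("172.16.0.0/24", "dmz"),
    ("192.0.2.0/24", "management"),
]

# Interfaces where the check is enabled, mirroring the commands above.
RPF_INTERFACES = {"dmz", "inside", "management"}


def lookup(routes, addr):
    """Longest-prefix route lookup; returns the egress interface or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def rpf_verdict(routes, ingress, src):
    """'pass' if the route back to src leaves through the ingress interface,
    'drop' otherwise. Interfaces without the check configured always pass."""
    if ingress not in RPF_INTERFACES:
        return "pass"
    return "pass" if lookup(routes, src) == ingress else "drop"


def evaluate(routes, packets):
    """Apply the check to (ingress, src) pairs; returns (ingress, src, verdict)."""
    return [(iface, src, rpf_verdict(routes, iface, src)) for iface, src in packets]


# Constructed packets: legitimate traffic plus two with impossible source addresses.
SAMPLE_PACKETS = [
    ("inside", "10.1.5.5"),         # inside host, route points back to inside: pass
    ("dmz", "10.1.5.5"),            # inside address arriving from the DMZ: drop
    ("dmz", "172.16.0.10"),         # DMZ server talking out: pass
    ("management", "203.0.113.9"),  # Internet source on the management network: drop
    ("outside", "172.16.0.10"),     # check not enabled on outside in this model: pass
]

if __name__ == "__main__":
    for iface, src, verdict in evaluate(ROUTES, SAMPLE_PACKETS):
        print(f"{iface:11} {src:15} {verdict}")
```

The last packet shows why the choice of interfaces matters: with the check left off the outside interface, an internal address arriving from the Internet is not caught by this feature and must be handled by the ACL on that interface instead.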

5
...
IP Fragments
IP fragmentation is a technique used to break up large datagrams into smaller datagrams to
pass through a network
...
It is recommended to disable IP fragmentation on all interfaces unless a
specific operational need exists in the organization
...
Firewall Protection
6
...
Access Control Lists (ACL)
As described in the interface configuration section, the ASA has a default behavior to
permit traffic from hosts deemed at a higher security level to hosts of a lower security level
...
All interfaces
should be configured with both IPv4 and IPv6
...
The
following access lists reflect that policy:
(config)# ipv6 access-list OUTSIDE_ACL deny ip any any log notifications
(config)# access-group OUTSIDE_ACL in interface outside
(config)# ipv6 access-list DMZ_ACL deny ip any any log alerts
(config)# access-group DMZ_ACL in interface dmz
(config)# ipv6 access-list INSIDE_ACL deny ip any any log warning
(config)# access-group INSIDE_ACL in interface inside

It is important to keep access lists as small and simple as possible while maintaining the organization's
security policy requirements
...
To help reduce
complexity, and add readability to the ACL, use objects with meaningful names to define
networks, hosts, services, etc
...
16
...
80
(config)# object network DNS_SERVER
(config-network-object)# host 172
...
0
...
168
...
0 255
...
255
...
Use the any keyword as sparingly as possible (e.g., when referencing all hosts on the Internet)
...


Internet users should be able to access the web server via http

(config)# access-list OUTSIDE_ACL extended permit tcp any object WEB_SERVER eq http

2
...


Internet users should not have access to any other resources

(config)# access-list OUTSIDE_ACL extended deny ip any any log notifications
(config)# access-group OUTSIDE_ACL in interface outside

The DMZ policy is a much more restrictive policy:
1
...


(config)# access-list DMZ_ACL extended deny ip any object INTERNAL_HOSTS log emergencies
2
...


(config)# access-list DMZ_ACL extended permit udp object DNS_SERVER any eq domain
3
...


(config)# access-list DMZ_ACL extended deny ip any any log error
(config)# access-group DMZ_ACL in interface dmz
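The outside and DMZ policies above, together with the default security-level behaviour from the Security Levels section, decide whether a given flow passes. The evaluator below is an added example, not code from the guidance document or from Cisco, and serves both of those sections: interface levels, object contents, addresses and ACL entries are constructed to mirror the policy described, and the egress interface is passed in explicitly rather than found by a route lookup as the real ASA does.

```python
"""Added example (not from the guidance document): decide whether a flow is
permitted by combining the default security-level rule with first-match,
object-based inbound ACLs. All interfaces, objects, addresses and ACL
entries below are constructed for illustration."""
import ipaddress

# Constructed interface security levels.
INTERFACES = {"inside": 100, "dmz": 50, "outside": 0}

# Constructed named objects; the ACLs reference these instead of raw addresses.
OBJECTS = {
    "WEB_SERVER": ["172.16.0.10/32"],
    "DNS_SERVER": ["172.16.0.5/32"],
    "INTERNAL_HOSTS": ["10.1.0.0/16"],
}

# ACL entries as (action, protocol, source, destination, destination port);
# source/destination are 'any', an object name, or a CIDR prefix.
ACLS = {
    "OUTSIDE_ACL": [
        ("permit", "tcp", "any", "WEB_SERVER", 80),
        ("deny", "ip", "any", "any", None),
    ],
    "DMZ_ACL": [
        ("deny", "ip", "any", "INTERNAL_HOSTS", None),
        ("permit", "udp", "DNS_SERVER", "any", 53),
        ("deny", "ip", "any", "any", None),
    ],
}

# access-group <acl> in interface <name>; the inside interface has no ACL here.
ACCESS_GROUPS = {"outside": "OUTSIDE_ACL", "dmz": "DMZ_ACL"}


def addr_matches(spec, addr):
    """True when addr falls within 'any', a named object, or a CIDR prefix."""
    if spec == "any":
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(net) for net in OBJECTS.get(spec, [spec]))


def entry_matches(entry, proto, src, dst, dport):
    """Protocol 'ip' matches everything; a None port matches any port."""
    _action, e_proto, e_src, e_dst, e_port = entry
    if e_proto != "ip" and e_proto != proto:
        return False
    if e_port is not None and e_port != dport:
        return False
    return addr_matches(e_src, src) and addr_matches(e_dst, dst)


def decide(ingress, egress, proto, src, dst, dport=None):
    """Return (verdict, reason). An inbound ACL on the ingress interface is
    evaluated first-match with an implicit deny; with no ACL the security-level
    default applies (higher level may reach lower, never equal or the reverse)."""
    acl_name = ACCESS_GROUPS.get(ingress)
    if acl_name is not None:
        for number, entry in enumerate(ACLS[acl_name], start=1):
            if entry_matches(entry, proto, src, dst, dport):
                return entry[0], f"{acl_name} entry {number}"
        return "deny", f"{acl_name} implicit deny"
    if INTERFACES[ingress] > INTERFACES[egress]:
        return "permit", "default: higher security level to lower"
    return "deny", "default: equal or lower security level to higher"


if __name__ == "__main__":
    flows = [
        ("outside", "dmz", "tcp", "203.0.113.9", "172.16.0.10", 80),
        ("outside", "dmz", "tcp", "203.0.113.9", "172.16.0.10", 22),
        ("dmz", "inside", "udp", "172.16.0.5", "10.1.0.53", 53),
        ("dmz", "outside", "udp", "172.16.0.5", "198.51.100.1", 53),
        ("inside", "outside", "tcp", "10.1.5.5", "198.51.100.1", 443),
    ]
    for flow in flows:
        print(flow, "->", decide(*flow))
```

The third flow is the one worth studying: the DNS server is allowed outbound UDP/53 by the second DMZ entry, but because the deny toward INTERNAL_HOSTS comes first, the same query aimed at an internal address is stopped, which is exactly why entry order matters in a first-match list.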

Internal hosts will typically have the most access to internal and external resources:
1
...


Internal hosts should
never an external DNS Server
...


Internal hosts should not be allowed to pass any other protocols through the
firewall
...
2
...
The IP Audit Policy
feature is a very basic IPS that inspects traffic against a limited set of signatures and can
alert an administrator via an alarm and/or drop packets
...

(config)# ip audit info action alarm drop
(config)# ip audit attack action alarm drop

In the event that a particular IP option feature needs to be allowed through the firewall, an
exception can be made to the configuration:
(config)# ip audit signature 2002 disable

6
...
NAT/PAT
The main use of NAT/PAT is to multiplex IP addresses (e.g., one or more public addresses to
many private addresses), helping preserve the IPv4 address space
...
168
...
0 255
...
255
...
0
...
1

(Note: Instead of providing an IP address, you may specify to use the interface or a range
of IP addresses via a network object
...

(config)# object network MyStaticPATObject
(config-network-object)# host 172
...
0
...
0
...
80 service tcp 80 80
(config)# access-list OUTSIDE_ACL extended permit tcp any host 10
...
0
...
Bibliography
(U) Internet Site, "Cisco ASA Series Command Reference," cisco
...
, 18
March 2013, http://www
...
com/en/US/docs/security/asa/command-reference/cmdref
...
1(x)," cisco
...
, 14 March 2013, http://www
...
com/en/US/docs/security/asa/asa91/release/notes/asarn91
...

(U) Internet Site,
) Karen Scarfone and
Murugiah Souppaya, National Institute of Standards and Technology, April 2009,
http://csrc
...
gov/publications/drafts/800-118/draft-sp800-118
...

(U) Internet Site, "Cisco ASA Compatibility," cisco
...
, 18 September
2013, http://www
...
com/en/US/docs/security/asa/compatibility/asamatrix
...


UNCLASSIFIED
