Introduction

This document provides administrators and engineers guidance on securing Cisco firewall appliances, which increases the overall security of an end-to-end architecture. The functions of network devices are structured around three planes: management, control, and data. The three functional planes of a network each provide different functionality that needs to be protected.
Management plane: The management plane handles traffic that is sent to the Cisco firewall device itself and is composed of the applications and protocols used to administer it, such as SSH and SNMP.

Control plane: The control plane of a network device processes the traffic that is paramount to maintaining the functionality of the network infrastructure.

Data plane: The data plane forwards data through a network device. The data plane does not include traffic that is sent to the local Cisco firewall device.

In addition to providing configuration details, this document serves primarily as a best practices guide. Therefore, security concepts will be recommended, although the exact configuration details may not be provided.
Each feature will be explained in a manner that allows the security practitioner and decision makers to determine whether the feature is required in a certain environment.

Prerequisites

Engineers and administrators should possess a conceptual understanding of Cisco firewall product software and the basic configuration options available.

Components Used

This document addresses the capabilities of Cisco ASA versions 8. Earlier releases of Cisco ASA Software may not include all features or capabilities outlined.
Security practitioners who are using any Cisco firewall devices or ASA versions other than 8.

Note: Some of the features referenced in this document may refer to, or show, examples of options that use strong encryption algorithms. Not all encryption algorithms may be available in all releases of Cisco firewall device software in all countries because of U.S. export regulations.

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.
Some command line examples in this document are wrapped to enhance readability.

Principles of Secure Operations

Secure network operations are a substantial topic. Although most of this document is devoted to the secure configuration of a Cisco firewall device, configurations alone do not completely secure a network. The operational procedures in use on the network contribute as much to security as the configuration of the underlying devices. These topics contain operational recommendations that administrators and engineers are advised to implement. These topics highlight specific critical areas of network operations and are not comprehensive.
Cisco Firewalls as Security Devices

Cisco firewalls provide advanced stateful firewall and VPN concentrator functionality in one device. Cisco firewalls protect network segments from unauthorized access by users or miscreants while also enforcing security policies and posture. There are key details that establish a firewall as a firewall and not merely a Layer 3 forwarding device: the Cisco firewall performs numerous intrinsic functions (stateful inspection of connections and enforcement of security policy) to ensure the security of an environment, and these functions differentiate a Cisco firewall from a standard Layer 3 device. For further details see the Cisco ASA 5500 Series Configuration Guide.

Security Policies and Configuration

Security policies are the top tier of formalized security documents.
These high-level documents take into account a risk assessment, and subsequently offer general statements regarding the organization's assets and resources and the level of protection they should have. Security policies do not provide detailed specifics on how to accomplish the stated goals; the policy does, however, dictate which architecture solutions should be adopted for a given environment. The policy should be used as a high-level guide when pursuing firewall configuration details, including which traffic should be permitted to pass through the firewall to access another network and which traffic should not be permitted to pass. Note: An organization's established security policies, and not product features, should be the key factor when determining configuration details.
For further details, see the Cisco ASA 5500 Series Configuration Guide in addition to the Resources section of this document.

Physical Security

Though obvious, the details surrounding the physical security of a device are often overlooked. Physical security, as it applies to a firewall, refers to ensuring the device is placed in a physical location that is restricted to authorized personnel. For details regarding the environmental factors and statistics, refer to the product data sheets for the respective firewall on the Cisco website.

Cisco Security Advisories and Responses

The Cisco Product Security Incident Response Team (PSIRT) publishes PSIRT advisories for security-related issues in Cisco products. The method for communication of less-severe issues is the Cisco Security Response.
Additional information about these communication vehicles is available in the Cisco Security Vulnerability Policy. To maintain a secure network, one must be aware of the Cisco advisories and responses that have been released. Moreover, one must have knowledge of a vulnerability before evaluating the threat it can pose to a network. Refer to Risk Triage for Security Vulnerability Announcements for assistance with this evaluation process.
Leverage AAA

The AAA framework provides authentication of management sessions and can also limit users to specific, administrator-defined commands in addition to logging all commands entered by all users. See the Leverage Authentication, Authorization, and Accounting section of this document for more information about using AAA.

Centralize Log Collection and Monitoring

To understand existing, emerging, and historic events related to security incidents, an organization needs a unified strategy for event logging and correlation. This strategy must employ logging from all network devices and use prepackaged and customizable correlation capabilities.
After centralized logging is implemented, one must develop a structured approach to log analysis and incident tracking. Based on the needs of the organization, this approach can range from a simple, diligent review of log data to advanced rule-based analysis. See the Logging Best Practices section of this document for more information about implementing logging on Cisco firewall devices.

Use Secure Protocols When Possible

Many protocols are used to carry sensitive network management data.
One must use secure protocols whenever possible. A secure protocol choice includes using SSH instead of Telnet so that both authentication data and management information are encrypted. In addition, one must use secure file transfer protocols when copying configuration data. See the Securing Interactive Management Sessions section of this document for more information about the secure management of Cisco firewall devices.

NetFlow Secure Event Logging (NSEL) is a stateful IP flow tracking method that exports only records that indicate significant events in a flow. In stateful flow tracking, tracked flows go through a series of state changes. NSEL events are used to export data about flow status and are triggered by the event that caused the state change.
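The following configuration is an added example written for this page, not taken from the Cisco guide. It ties the central log collection recommended above to NSEL export: syslog events go to one collector and flow events to another. It assumes an interface named management, a syslog collector at 10.10.10.50 and a NetFlow collector at 10.10.10.51 (all hypothetical), and that NTP is already configured so the timestamps are meaningful.

```cisco
! Added example (not from the original guide): central syslog plus NSEL
! export from an ASA. The interface name "management" and the collector
! addresses 10.10.10.50 (syslog) and 10.10.10.51 (NetFlow) are assumptions.
!
! --- Syslog: timestamped events to a central collector ---
logging enable
logging timestamp
logging device-id hostname
logging buffer-size 65536
logging buffered warnings
logging trap informational
logging host management 10.10.10.50
! Flow data is carried by NSEL below, so suppress the per-flow syslogs
! (302013/302014 and friends) that would otherwise duplicate it
logging flow-export-syslogs disable
!
! --- NSEL: export flow-create, flow-teardown and flow-denied events ---
flow-export destination management 10.10.10.51 2055
! Resend templates every 30 minutes so a restarted collector can decode
flow-export template timeout-rate 30
! Delay flow-create records so very short flows produce a single record
flow-export delay flow-create 15
!
class-map nsel-all
 match any
policy-map global_policy
 class nsel-all
  flow-export event-type all destination 10.10.10.51
!
service-policy global_policy global
```

Each exported record carries the event ID and extended event ID fields described below; flow-denied records are the ones most worth alerting on, since they identify traffic the policy rejected rather than traffic it merely observed.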
Each NSEL record has an event ID and an extended event ID field, which describe the flow event.

Configuration Management

Configuration management, also known as change management, is a process by which configuration changes are proposed, reviewed, approved, and deployed. In the context of a Cisco firewall device configuration, two additional aspects of configuration management are critical: configuration archiving and security. One can use configuration archives to roll back changes that are made to network devices. In a security context, configuration archives can also be used to determine which security changes were made and when these changes occurred.
In conjunction with AAA log data, this information can assist in the security auditing of network devices. The configuration of a Cisco firewall device contains many sensitive details. Usernames, passwords, and the contents of ACLs are examples of this type of information. The repository used to archive Cisco firewall device configurations needs to be secured.
Insecure access to this information can undermine the security of the entire network.

Securing the Management Plane

The management plane consists of functions that achieve the management goals of the network. When considering the security of a network device, it is critical that the management plane be protected. The Management Plane sections of this document provide the security features and configurations available in Cisco ASA Software that help fortify the management plane.

General Management Plane Hardening

The purpose of the management plane is to provide the capability to access, configure, and manage a device and to monitor its operations and the network on which it is deployed. The management plane receives and sends traffic for these functions.
One must secure both the management plane and control plane of a device because operations of the control plane directly affect operations of the management plane. Steps must be taken to ensure the survival of the management and control planes during security incidents. If one of these planes is successfully exploited, all planes can be compromised. Moreover, exploitation can heavily impact the incident handling process, specifically regarding postmortem and lessons learned.

Password Management

Passwords control access to resources and devices when they are required for request authentication. When a request for access to a resource or device is received, the request is challenged for verification of the password and identity.
Access can be granted, denied, or limited based on the result. The enable password command is used to set the password that grants privileged administrative access to the Cisco firewall system. The enable password is stored as an MD5 hash. This algorithm has had considerable public review and is not known to be reversible. However, the hash is subject to dictionary attacks, in which an attacker attempts various dictionary words in addition to other lists of candidate passwords to search for a match. User passwords are also hashed using the MD5 algorithm after they have been concatenated with a salt value; the salt defeats precomputed hash tables but does not stop a dictionary attack against an individual hash, so password strength still matters. Any Cisco firewall configuration file that contains passwords must be treated with care. Beginning with Cisco ASA version 8.3, the firewall can store plaintext passwords (such as VPN pre-shared keys) in an encrypted format.

Login Password Retry Lockout

The ASA allows an administrator to lock out a local user account after a configured number of unsuccessful login attempts. Once a user is locked out, the account stays locked until the administrator unlocks it. An authorized user who is configured with privilege level 15 cannot be locked out with this feature. The number of users with privilege level 15 must therefore be kept to a minimum. Note that authorized users can lock themselves out of a device if the number of unsuccessful login attempts is reached.

    ! first line of the original snippet is truncated in the source; it ends in LOCAL
    aaa authentication ssh console LOCAL
    aaa local authentication attempts max-fail 5
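The configuration below is an added example for this page, not the guide's own snippet. It puts the password-management points above into one working fragment for ASA 8.3 or later: individual local accounts, authentication on every entry point, lockout after repeated failures, and encrypted storage of plaintext secrets. The user names, passwords and passphrase are placeholders to be replaced.

```cisco
! Added example (not from the original guide): local password management
! on an ASA 8.3+ system. User names and all REPLACE-ME values are placeholders.
!
! Individual accounts instead of a shared password. Keep privilege-15
! accounts to a minimum: they are exempt from the lockout below.
username netadmin password REPLACE-ME-1 privilege 15
username netops password REPLACE-ME-2 privilege 5
enable password REPLACE-ME-3
!
! Authenticate every interactive entry point against the local database,
! including the enable prompt, so the shared enable password is never
! the only thing standing between a console cable and privilege 15.
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
!
! Lock a local account after 5 consecutive failures (range 1-16).
! Inspect and clear lockouts from EXEC mode with:
!   show aaa local user
!   clear aaa local user lockout username netops
aaa local authentication attempts max-fail 5
!
! Encrypt stored plaintext secrets such as VPN pre-shared keys (ASA 8.3+).
! The master passphrase is set once and does not appear in the running-config.
key config-key password-encryption REPLACE-ME-PASSPHRASE
password encryption aes
!
! Block the console password-recovery procedure. Archive the configuration
! off-box first: recovering a device with this set erases its configuration.
no service password-recovery
```

After `password encryption aes` is enabled, `show running-config` shows pre-shared keys as `*****`; `more system:running-config` from a privileged session is the way to see them when a configuration archive needs the real values.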
Refer to the Configuring AAA for Network Access section of the Cisco ASA 5500 Series Configuration Guide for more information about this feature.

Disabling Password Recovery

The no service password-recovery feature prevents anyone with console access from insecurely accessing the device configuration and clearing the password. It also does not allow users to change the configuration register value and access NVRAM. In ROMMON mode, the device software can be reloaded to prompt a new system configuration that includes a new password. The current password recovery procedure enables anyone with console access to access the device. The no service password-recovery feature prevents the completion of the Break key sequence and the entering of ROMMON mode during system startup.
Caution: If no service password-recovery is enabled on a device, it is recommended that an offline copy of the device configuration be saved and that a configuration archiving solution be implemented. If it is necessary to recover the password after this feature is enabled, the entire configuration is deleted. Refer to the Performing Password Recovery section of the Cisco ASA 5500 Series Configuration Guide for more information about this feature.

Disable Unused Services

As a security best practice, any unnecessary services must be disabled. These unneeded services, especially those that use UDP, are infrequently used for legitimate purposes, but can be used to launch DoS and other attacks that are otherwise prevented by packet filtering.

Network Time Protocol

If NTP is used, it is important to explicitly configure a trusted time source and to use proper authentication.
Accurate and reliable time is required for correlating syslog records during an investigation and for successful VPN connectivity when depending on certificates for Phase 1 authentication, because certificate validity periods are checked against the device clock.

NTP time zone: When configuring NTP, the time zone must be configured so that time stamps can be accurately correlated. There are usually two approaches to configuring the time zone for devices in a network with a global presence. One approach is to configure all network devices with Coordinated Universal Time (UTC). The other approach is to configure network devices with the local time zone.
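Pulling the time-source, authentication and time-zone points together, the fragment below is an added example for this page rather than the guide's own configuration. It assumes two internal NTP servers at 10.10.10.5 and 10.10.10.6 reachable through an interface named management (all hypothetical) and shows the unauthenticated form beside the hardened one.

```cisco
! Added example (not from the original guide): authenticated NTP on an ASA.
! 10.10.10.5 / 10.10.10.6 and the interface name "management" are assumptions;
! the key string is a placeholder.
!
! Weak: an unauthenticated server. Anyone who can spoof 10.10.10.5 can
! move the clock, breaking log correlation and certificate validation.
!   ntp server 10.10.10.5
!
! Hardened: require authentication and use two trusted internal servers
ntp authenticate
ntp authentication-key 10 md5 REPLACE-WITH-NTP-KEY
ntp trusted-key 10
ntp server 10.10.10.5 key 10 source management prefer
ntp server 10.10.10.6 key 10 source management
!
! Keep every device on UTC so timestamps correlate without conversion
clock timezone UTC 0
!
! Verify from EXEC mode: the preferred peer should show as synchronised
! and the association should show "authenticated"
!   show ntp status
!   show ntp associations detail
```

Note that `ntp authenticate` only affects time the firewall accepts from its configured peers; it does not turn the ASA into an NTP server, so no additional listener is exposed by this configuration.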
NTP authentication: Configuring NTP authentication provides assurance that NTP messages are exchanged between trusted NTP peers.

Session timeouts: By default, idle Telnet and SSH management sessions are disconnected after 5 minutes of inactivity.

Using Management Interfaces

The management plane of a device is accessed via in-band and out-of-band methods through physical and logical means. Ideally, both in-band and out-of-band management access exists for each network device so that the management plane can be accessed during network outages.
Cisco firewalls define a specific interface as being the Management interface. This designation is defined by configuring the management-only command on the specific interface. By default the physically defined Management interface has this command defined. This interface is intended for management access to a Cisco firewall; when it is attached to a dedicated management network, it provides out-of-band access. The Management interface can also be used for regular traffic if the management-only interface configuration command is removed, but this should be avoided on a hardened device.

Memory Threshold Notifications

The Memory Threshold Notification feature, added in Cisco ASA 8.4, provides administrators and engineers with insight to mitigate low-memory conditions on a device. This feature enables a device to generate an SNMP notification when the memory pool buffer usage reaches a new peak. Note: The default memory threshold is 70 percent.

CPU Threshold Notifications

Also added in Cisco ASA 8.4, the CPU threshold notification feature allows administrators and engineers to detect, and be notified, when the CPU load on a device crosses the set threshold for a configured period of time. When the threshold is crossed, the device generates and sends an SNMP trap message. Refer to the Configuring a CPU Usage Threshold section of the Cisco ASA 5500 Series Configuration Guide for more information about this feature.
ICMP Filtering

ICMP is designed as an IP control protocol. As such, the messages it conveys can have far-reaching ramifications for the TCP and IP protocols in general. While the network troubleshooting tools ping and traceroute use ICMP, external ICMP connectivity to the firewall itself is rarely needed for the proper operation of a network. Cisco firewall software provides functionality to filter ICMP messages destined to itself by name or by type and code. Cisco firewalls will, by default, allow pings to the firewalls' interfaces. When filtering, keep accepting ICMP unreachable messages addressed to the firewall, since path MTU discovery for the firewall's own traffic (VPN tunnels, for example) depends on them.

Securing Interactive Management Sessions

Management sessions destined to devices allow one to view and collect information about a device and its operations. If this information is disclosed to a malicious user, the device can become the target of an attack, compromised, and used to perform additional attacks.
Anyone with privileged access to a device has the capability for full administrative control of that device. It is not recommended to access the security appliance through an HTTP-based GUI session, because the authentication credential information, such as the password, is sent as clear text. Cisco recommends the use of HTTPS for secure GUI-based data communication and SSH for secure CLI data communication.

Encrypting Management Sessions

Because information can be disclosed during an interactive management session, this traffic must be encrypted so a malicious user cannot access the data being transmitted. Encrypting the traffic allows a secure remote access connection to the device.
If the traffic for a management session is sent over the network in clear text, an attacker can obtain sensitive information about the device and the network. As previously stated, it is not recommended to access the security appliance through an HTTP or Telnet session because the authentication credential information is sent in clear text. By default, a Cisco firewall will not accept Telnet on the interface with the lowest configured security level. Cisco recommends using SSH for more secure data communication.
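The configuration below is an added example for this page, not the guide's own. It combines the management-interface, ICMP-filtering and encrypted-transport points above into one fragment: management access is confined to a management-only interface, only SSHv2 and HTTPS are accepted, and ICMP to the firewall is limited to what operations actually needs. The interface names, the 10.10.10.0/24 management network and the addresses are hypothetical.

```cisco
! Added example (not from the original guide): management access confined to
! a management-only interface over encrypted protocols. Interface names,
! 10.10.10.0/24 and all addresses are assumptions.
!
interface Management0/0
 nameif management
 security-level 100
 ip address 10.10.10.1 255.255.255.0
 management-only
!
! Weak: Telnet (cleartext) open to any source on the inside interface
!   telnet 0.0.0.0 0.0.0.0 inside
! Remove every telnet access line instead of trying to list them
clear configure telnet
!
! Hardened: SSHv2 only, from the management network, idle timeout 10 min
crypto key generate rsa modulus 2048
ssh version 2
ssh 10.10.10.0 255.255.255.0 management
ssh timeout 10
!
! ASDM over HTTPS (port 443 by default), again only from the management net
http server enable
http 10.10.10.0 255.255.255.0 management
!
! ICMP addressed to the firewall itself; rules are matched first-hit.
! Management hosts may ping the management interface.
icmp permit 10.10.10.0 255.255.255.0 echo management
icmp deny any management
! On the outside keep replies to the firewall's own pings and the
! unreachable / time-exceeded messages that PMTUD and traceroute rely on
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit any time-exceeded outside
icmp deny any outside
! Inside hosts have no reason to probe the firewall directly
icmp deny any inside
```

`clear configure telnet` also removes `telnet timeout`, which is harmless once no Telnet access lines remain. Verify the result with `show running-config ssh`, `show running-config http` and `show running-config icmp` before closing the console session you used to make the change.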
Note that SSHv1 and SSHv2 are not compatible, and SSHv1 has known protocol weaknesses; only SSHv2 should be accepted. In addition, IPsec can be used for encrypted and secure remote access connections to a Cisco firewall device, if supported, but IPsec adds CPU overhead to the device. Also, SSH must still be enforced as the transport even when IPsec is used. Cisco firewall software supports SCP, which allows an encrypted and secure connection for copying device configurations or software images. Refer to the Configuring Management Access section of the Cisco ASA 5500 Series Configuration Guide for more information about the Cisco firewall software SSH feature.

Console Port

On Cisco firewall devices, the console port is an asynchronous line that can be used for local and remote access to a device.
One must be aware that the console port on Cisco firewall devices has special privileges. In particular, these privileges allow an administrator to perform the password recovery procedure. Any method used to access the console port of a device must be secured in a manner that is equal to the security that is enforced for privileged access to a device. Methods used to secure access must include the use of AAA, console timeouts, and modem passwords if a modem is attached to the console.

Control Management Sessions

Cisco firewall interactive management sessions include console, Telnet, SSH, HTTP, and HTTPS. To ensure that a device can be accessed via a local or remote management session, proper controls must be enforced for the management protocols. The simplest form of access control to a device is through authenticated management sessions.
Furthermore, authentication can be enforced through the use of AAA, which is the recommended method for authenticated access to a device. AAA uses the local user database or the enable password in the case of Telnet and console sessions. Refer to the Configuring Management Access section of the ASA 5500 Series Configuration Guide for details regarding management access configuration.

Security Services Modules

The CSC-SSM operates as a content scanning and filtering module. The CSC-SSM can scan and filter HTTP, SMTP, POP3, and FTP traffic.
Much like the Cisco ASA device, securing management sessions for the SSMs is imperative to prevent information disclosure and unauthorized access. If the traffic for a management session is sent over the network in clear text, an attacker may obtain sensitive information about the device and the network. Furthermore, an SSM should be configured to accept only encrypted and secure remote-access management connections to the device. The AIP-SSM can be reached from the ASA command line via the session 1 EXEC command.
For the CSC-SSM, one can use the ASDM or the CLI session 1 EXEC command. Refer to the Cisco ASA 5500 Series Configuration Guide using ASDM for more information on setting up management access on the AIP-SSM and CSC-SSM.

Legal Notification Banners

In some jurisdictions, users must be notified that access to a system is restricted and monitored before they are allowed to log in. One method to provide this notification is the banner message configuration on the Cisco firewall using the banner login command. Legal notification requirements are complex, vary by jurisdiction and situation, and should be discussed with legal counsel. Even within jurisdictions, legal opinions can differ. From a security point of view, a login banner should not contain any specific information about the device name, model, software, or ownership because this information can be abused by malicious users.
Refer to the Configuring a Login Banner section of the Cisco ASA 5500 Series Configuration Guide for more information about Cisco firewall banners.

Leverage Authentication, Authorization, and Accounting

The AAA framework provides a highly scalable architecture with flexible and granular configuration that can be tailored to the needs of the network. Management users can access the firewall device via SSH, Telnet, HTTP, or HTTPS. AAA authentication provides the ability to use individual user accounts for each administrator or engineer, together with access controls on what each account may do. In removing the dependence on a single shared password, the security of the network is improved and accountability is strengthened.
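The fragment below is an added example for this page, not the guide's own configuration. It covers the two preceding sections together: a login banner that discloses nothing about the device, and AAA against a TACACS+ server for per-user authentication, command authorization and command accounting, with the local database as fallback only when the server is unreachable. The server group name, the server address 10.10.10.20 on an interface named management, and the key are hypothetical placeholders.

```cisco
! Added example (not from the original guide): legal banner plus centralised
! AAA with local fallback. TACACS-MGMT, 10.10.10.20, the interface name
! "management" and all REPLACE-ME values are assumptions.
!
! Banner: no hostname, model, software version or owner
banner login ** Authorized users only. All activity is monitored and logged. **
banner login ** Disconnect now if you are not an authorized user. **
!
aaa-server TACACS-MGMT protocol tacacs+
aaa-server TACACS-MGMT (management) host 10.10.10.20
 key REPLACE-ME-SHARED-KEY
 timeout 5
!
! Per-user authentication on every entry point. LOCAL after the group name
! is consulted only when no server in the group answers, not on a rejected
! password, so a reachable server cannot be bypassed by the local account.
aaa authentication serial console TACACS-MGMT LOCAL
aaa authentication ssh console TACACS-MGMT LOCAL
aaa authentication http console TACACS-MGMT LOCAL
aaa authentication enable console TACACS-MGMT LOCAL
!
! Command authorization: each command is checked against the server's
! per-user policy, with the local privilege levels as fallback
aaa authorization command TACACS-MGMT LOCAL
!
! Accounting: record session start/stop and every privilege-15 command,
! giving the audit trail the Configuration Management section asks for
aaa accounting ssh console TACACS-MGMT
aaa accounting serial console TACACS-MGMT
aaa accounting enable console TACACS-MGMT
aaa accounting command privilege 15 TACACS-MGMT
!
! Break-glass local account, only usable while TACACS+ is unreachable
username breakglass password REPLACE-ME-PW privilege 15
```

Test the fallback deliberately: block the TACACS+ server, confirm that the breakglass account can still log in from the console, then restore the server and confirm that the same account is refused. Keep the break-glass password in the same controlled store as the configuration archive.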