Cisco ASA (Cisco Adaptive Security Appliance) Best Practices Document

 

Introduction To Cisco ASA Best Practices

This best practice document is designed to assist in hardening and optimizing your Cisco ASA appliances. It includes easy-to-use configuration examples and advice on how to get the best security and performance out of your Cisco ASA appliance.

Some of the settings below must be applied with caution where noted, and if at any point you find yourself lost in the technical detail you can always contact us to assist you.

 

Contents


 

Restrict Infrastructure Device Accessibility
Enforce Session Management
Restrict Device Access Vulnerability to Dictionary and DoS Attacks
Legal Notification and login messages
Web-based GUI Access
SNMP Access
Locally Stored Information Protection
Infrastructure Device Management Access Logging
Secure File Management
Device Management Best Common Practices
Update to the latest release with zero downtime
Vulnerability assessments to the ASA and devices behind it
Cisco ASA Redundant Pair Failover Setup
Leave the common network services to the hardened appliances
DMZ to inside restrict
Unicast RPF rules  (use with caution)
Detect problems on the network  using Security Event Management tools
Routing table protection
Business Continuity
Physical Security
Logical User Access controls
ROOT or Local console device passwords
Dual factor authentication and one time only access to
Remote access to the management network via VPN
Configure a VPN idle timeout to ensure VPN tunnels do not stay up indefinitely

 

Feature

Explanation

Configuration example

Restrict Infrastructure Device Accessibility

Review all available terminal and management ports and services

! shows which source networks and interfaces are currently allowed to manage the device
show running-config ssh
show running-config telnet
show running-config http

After that, make sure only the designated management interface is used for management, and that only a small set of authorised hosts are allowed to manage the device.

 

Disable all terminal and management ports that are not explicitly required or actively being used

! removes SSH and telnet access from Ethernet1 (inside), which was found to be used for management although it is a data interface;
! shut the interface itself down only if it carries no production traffic
no ssh 1.1.1.0 255.255.255.0 inside
no telnet 1.1.1.0 255.255.255.0 inside
interface Ethernet1
 shutdown

 

Only permit device access through required and supported services and protocols, using only secure access protocols such as SSH and HTTPS where possible

! enables SSH (version 2 only) and HTTPS/ASDM access from the management subnet on the management interface;
! the ASA "http" command serves HTTPS only, and telnet is left disabled
ssh version 2
ssh 1.1.1.0 255.255.255.0 management
http server enable
http 1.1.1.0 255.255.255.0 management

 

Only accept access attempts to authorized ports and services from authorized originators

! only accepts SSH from the 1.1.1.0/24 subnet, and only on the management interface; any other source or interface is refused
ssh 1.1.1.0 255.255.255.0 management

 

Deny outgoing access unless explicitly required, and log the denied attempts

! last entry of the inbound ACL on the inside interface: anything not explicitly permitted by the entries above it is dropped and
! logged (message %ASA-6-106100); the list does nothing until it is bound to the interface with access-group
access-list inside extended deny ip any any log
access-group inside in interface inside
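A quick offline audit of the checks in this section, written here as an added Python example (it is not part of the original page and not a Cisco tool): it scans saved `show running-config` output for telnet entries, SSH or ASDM access on interfaces other than the dedicated management interface, access open to any source address, idle timeouts above a policy maximum, SNMP v1/v2c community strings, and a missing `ssh version 2`. The sample config, the interface name `Management` and the 10-minute idle-timeout policy are constructed assumptions. On ASA releases that only support SSHv2 the `ssh version 2` line does not appear in the config, so that finding can be ignored there.

```python
import re

# Constructed sample of "show running-config" output (not from a real device)
SAMPLE_CONFIG = """\
hostname fw01
ssh 1.1.1.0 255.255.255.0 inside
ssh 172.16.11.0 255.255.255.0 Management
telnet 1.1.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 60
http server enable
http 0.0.0.0 0.0.0.0 outside
http 172.16.11.0 255.255.255.0 Management
snmp-server community public
"""

MGMT_IF = "Management"   # assumed nameif of the dedicated management interface
MAX_IDLE_MIN = 10        # assumed policy: management sessions idle out within 10 minutes

ACCESS_RE = re.compile(r"^(ssh|telnet|http)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$")
TIMEOUT_RE = re.compile(r"^(ssh|telnet|console)\s+timeout\s+(\d+)$")
COMMUNITY_RE = re.compile(r"^snmp-server community\s+\S+")


def audit_config(config, mgmt_if=MGMT_IF, max_idle=MAX_IDLE_MIN):
    """Return a list of findings (strings); an empty list means nothing was flagged."""
    findings = []
    saw_ssh_v2 = False
    for raw in config.splitlines():
        line = raw.strip()
        m = ACCESS_RE.match(line)
        if m:
            cmd, ip, mask, intf = m.groups()
            if cmd == "telnet":
                findings.append(f"telnet enabled from {ip} {mask} on {intf}; use SSH only")
            elif intf.lower() != mgmt_if.lower():
                findings.append(f"{cmd} management access allowed on non-management interface {intf}")
            if ip == "0.0.0.0" and mask == "0.0.0.0":
                findings.append(f"{cmd} access on {intf} is open to any source address")
            continue
        m = TIMEOUT_RE.match(line)
        if m:
            minutes = int(m.group(2))
            if minutes == 0 or minutes > max_idle:   # 0 means "never" for the console
                findings.append(f"{m.group(1)} idle timeout {minutes} min exceeds policy of {max_idle} min")
            continue
        if line == "ssh version 2":
            saw_ssh_v2 = True
        elif COMMUNITY_RE.match(line):
            findings.append("SNMP v1/v2c community string configured; migrate to SNMPv3")
    if not saw_ssh_v2:
        findings.append("'ssh version 2' not set; SSHv1 may be negotiated on releases that still support it")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run it against a config pulled with `show running-config` (or the backup you already keep) and treat every finding as a line item for the checklist above; the checks are deliberately simple string matches, so extend `ACCESS_RE` if your management interface carries a different nameif.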

 

Authenticate all terminal and management access using centralized (or local) AAA

! defines a TACACS+ server group (e.g. Cisco ACS) on the firewall; LOCAL is used later only as a fallback when the group is unreachable
aaa-server TACACS+ protocol tacacs+
reactivation-mode depletion deadtime 1
aaa-server TACACS+ (inside) host 192.168.1.1
timeout 2
key test
! "test" is a placeholder: use a long random shared secret (see "Employ strong secrets" below)

 

Authenticate all EXEC level terminal and management access using centralized (or local) AAA

aaa authentication serial console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authentication http console TACACS+ LOCAL
aaa authentication ssh console TACACS+ LOCAL
aaa authentication telnet console TACACS+ LOCAL
aaa authorization command TACACS+ LOCAL
aaa accounting enable console TACACS+
aaa accounting serial console TACACS+
aaa accounting ssh console TACACS+
aaa accounting telnet console TACACS+
aaa accounting command privilege 15 TACACS+
 

Dedicated interface for management purposes. No data traffic can traverse it.

! management-only drops any through-traffic on the interface; the ASA requires a mask, assumed to be /24 here
interface Management0/0
description ***Management***
nameif Management
security-level 92
ip address 172.16.11.237 255.255.255.0
management-only

 

Enforce an idle timeout to detect and close inactive sessions

! values are in minutes; idle ASDM sessions are governed by "http server idle-timeout" (on releases that support it), there is no "http timeout" command
ssh timeout 5
console timeout 5
telnet timeout 5
http server idle-timeout 5
 

Enforce an active session timeout to restrict the maximum duration of a session prior to re-authentication, and lock accounts out after repeated failures

! on a Cisco IOS switch: this is a lockout, not a session timeout. It blocks logins for 1800 s after 3 failures within 300 s and logs every second failure
login block-for 1800 attempts 3 within 300
login on-failure log every 2

! on the Cisco ASA: the only absolute management-session timeout is the ASDM one (on releases that support it); SSH sessions have an idle timeout only
http server session-timeout 60

! on the Cisco ASA: lock local accounts after 3 consecutive failures. Note that "max-failed-attempts" under aaa-server is not a user
! lockout, it is the number of failures after which the ASA marks the AAA server itself as down. For TACACS+ users the lockout is enforced on the AAA server
aaa local authentication attempts max-fail 3

Enforce Session Management

Detect and close hung sessions, e.g. using keepalives

! on Cisco IOS switches, under "line vty 0 4"
exec-timeout 5

! on the Cisco ASA
ssh timeout 5

 

Enforce a strong password policy (may be done on the AAA server)

Enforce a lockout period upon multiple authentication failure attempts within a defined time window (may be done on the AAA server)

Both are configured on the AAA server; for the Cisco ACS settings please visit our Cisco ACS best practices page
http://www.security-solutions.co.za/cisco-acs-best-practices.html

(screenshot: Cisco ACS password complexity rules)

Restrict Device Access Vulnerability to Dictionary and DoS Attacks

Restrict the maximum number of concurrent sessions and use SSH version 2 only

! the ASA allows 5 concurrent SSH sessions by default; on releases that support it, the cap on ASDM/SSH/telnet sessions can be set with "quota management-session"
ssh version 2

 

Present legal notification banner upon all terminal, management and privileged EXEC level access

! "banner login" is shown before the password prompt on console, telnet and SSH; "banner exec" is shown only after a successful login,
! and "banner asdm" covers ASDM. Replace the text with your legal notice
banner login ************** this is a test banner
banner exec ************** this is a test banner

 

Employ strong secrets for authentication between the AAA server and NAS

! long random shared secret, configured identically on the ASA and on the AAA server (illustrative value)
aaa-server TACACS+ (inside) host 192.168.1.1
key ASDDDDDDDD!@34#!@%@#VSasdjh109378jhgsdf7867123

Legal Notification and login messages

A user's acceptance of the legal warning (proceeding past the banner to log in) must be recorded and alerted upon; the banner itself records nothing, so this relies on the AAA accounting and syslog configuration described below

banner login **** this is a test legal notification

Web-based GUI Access

Restrict access to HTTPS only if web access (ASDM) is required

! the ASA "http" server speaks HTTPS only; here ASDM is reachable from a single host on the management interface
http server enable
http 1.1.1.1 255.255.255.255 management

 

Authenticate and authorize all web access using centralized (or local) AAA

aaa authentication http console TACACS+ LOCAL

 

Authorize all web access using centralized (or local) AAA

 aaa authorization http console TACACS+ LOCAL
aaa accounting http console TACACS+ LOCAL

SNMP Access

Only use SNMP v3 where possible, as it authenticates and encrypts management traffic; v1/v2c community strings cross the wire in clear text

! SNMPv3 on the ASA is built from a group, a user and a host entry, not from a community string (a "community ... version 3" line is not valid syntax).
! "admin" is the nameif of the management interface in this example, and the passphrases are placeholders
snmp-server group NMS-RO v3 priv
snmp-server user nmsuser NMS-RO v3 auth sha AuthPassphrase-ChangeMe priv aes 128 PrivPassphrase-ChangeMe
snmp-server host admin 172.16.1.12 version 3 nmsuser

Delete default community strings

! remove any v1/v2c community (e.g. the customary "public")
no snmp-server community public

Only permit SNMP access from authorized originators

The ASA only answers SNMP requests from hosts listed with snmp-server host; the entry above limits polling and traps to 172.16.1.12.

Only enable minimum required access, e.g. read-only

The ASA SNMP agent is read-only (no SET operations); the v3 group above additionally requires authentication and encryption (priv).

Define strong, non-trivial community strings where SNMP required

! only if a v2c-only management station forces you to keep a community string: use a long random value, never a word
snmp-server community Ln8x2QpVt7mK4rWz
 

Configure NTP on all devices so that log timestamps from the firewall, the AAA server and the syslog collectors can be correlated; where the time source supports it, authenticate it (ntp authenticate, ntp authentication-key, ntp trusted-key, then reference the key on the server line)

ntp server 1.1.1.1 source management prefer
ntp server 1.1.1.2 source management

Locally Stored Information Protection

Log all successful interactive device management access using centralized AAA or an alternative, e.g. syslog

! example messages generated for a successful SSH login authenticated through AAA
%ASA-6-113012: AAA user authentication Successful user:security-solutions
%ASA-6-113008: AAA transaction status ACCEPT : user = security-solutions
%ASA-6-611101: User authentication succeeded: Uname: security-solutions
%ASA-6-605005: Login permitted from x.x.x.x/2826 to outside:y.y.y.y/ssh for user "security-solutions"

Infrastructure Device Management Access Logging

Log all successful privileged EXEC level device management access using centralized AAA or an alternative, e.g. syslog. Several different logging destinations must be used so that log tampering becomes more difficult

Logging at the AAA server must be configured
Logs stored locally at the AAA server must be backed up regularly
Logs at the AAA server must be exported to 2 different syslog destinations
Refer to this page for those configurations

! ASA syslog destinations must be specified; "logging trap" sets the severity sent to the syslog hosts (informational includes the AAA and login messages shown above)
logging enable
logging timestamp
logging trap informational
logging host admin 172.16.1.12
logging host admin 172.16.1.19

 

Log all failed interactive device management access using centralized AAA or an alternative, e.g. syslog

 

%ASA-6-113005: AAA user authentication Rejected : reason
%ASA-6-113006: User user locked out on exceeding number successive failed authentication attempts

 

Log all commands entered at a privileged EXEC level using centralized AAA or an alternative. Log the command that removes logging from any device and send a high-level alert identifying who executed it.

Command accounting to the AAA server (aaa accounting command privilege 15 TACACS+, configured above) records every command; the ASA also reports executed commands in syslog (message %ASA-5-111010), which can be exported to an external syslog destination with

logging host admin 172.16.1.12
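The two alerting requirements above (failed and locked-out logins, and anyone switching logging off) can be checked on the syslog collector. The following is an added Python example, not code from the original page or from Cisco: it reads ASA syslog lines, raises one alert per source address that exceeds a threshold of denied logins inside a sliding window, echoes every lockout message, and flags any executed command that disables or clears logging. The log lines are constructed to follow the documented layouts of messages 605004, 113006, 605005 and 111010 with the timestamp format that `logging timestamp` produces; the 3-failures-in-300-seconds policy, the user names and the addresses are assumptions. Failed SSH or ASDM logins also produce a 113005 message with the AAA reason, which is deliberately not counted so that one attempt is not counted twice.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in the "Mon DD YYYY HH:MM:SS: %ASA-..." form that "logging timestamp" produces
SAMPLE_LOG = """\
Jan 05 2012 14:03:10: %ASA-6-605004: Login denied from 10.1.1.5/54321 to management:172.16.11.237/ssh for user "admin"
Jan 05 2012 14:03:15: %ASA-6-605004: Login denied from 10.1.1.5/54322 to management:172.16.11.237/ssh for user "admin"
Jan 05 2012 14:03:40: %ASA-6-605004: Login denied from 10.1.1.5/54323 to management:172.16.11.237/ssh for user "root"
Jan 05 2012 14:04:01: %ASA-6-113006: User admin locked out on exceeding 3 successive failed authentication attempts
Jan 05 2012 14:10:00: %ASA-6-605005: Login permitted from 172.16.11.50/2826 to management:172.16.11.237/ssh for user "name.surname"
Jan 05 2012 14:11:30: %ASA-5-111010: User 'name.surname', running 'CLI' from IP 172.16.11.50, executed 'no logging enable'
Jan 05 2012 16:00:00: %ASA-6-605004: Login denied from 10.1.1.9/40000 to management:172.16.11.237/ssh for user "admin"
"""

TS_FMT = "%b %d %Y %H:%M:%S"
LINE_RE = re.compile(r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-\d-(?P<id>\d{6}): (?P<msg>.*)$")
DENIED_RE = re.compile(r'Login denied from (?P<src>[\d.]+)/\d+ to \S+/(?P<svc>\w+) for user "(?P<user>[^"]*)"')
CMD_RE = re.compile(r"User '(?P<user>[^']+)', running '[^']*' from IP (?P<src>[\d.]+), executed '(?P<cmd>[^']*)'")

# Assumed policy, mirroring the "3 attempts within 300 seconds" lockout used earlier on this page
FAIL_THRESHOLD = 3
WINDOW_SEC = 300
# Commands that silence or erase logging and must always raise a high-priority alert
LOGGING_KILL = ("no logging enable", "no logging host", "no logging trap", "clear logging")


def parse_line(line):
    """Split one ASA syslog line into (timestamp, message id, message text), or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group("ts"), TS_FMT), m.group("id"), m.group("msg")


def analyze(log_text, threshold=FAIL_THRESHOLD, window=WINDOW_SEC):
    """Return alert strings for login bursts, lockouts and logging being disabled, in log order."""
    alerts = []
    recent = defaultdict(deque)   # source IP -> timestamps of denied logins inside the window
    fired = set()                 # sources already alerted on, so extra attempts do not repeat the alert
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, msg_id, msg = parsed
        if msg_id == "605004":                      # one message per denied login
            m = DENIED_RE.search(msg)
            if not m:
                continue
            src = m.group("src")
            q = recent[src]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window:   # drop attempts older than the window
                q.popleft()
            if len(q) >= threshold and src not in fired:
                fired.add(src)
                alerts.append(f"{ts}: {len(q)} denied logins from {src} within {window}s "
                              f"(last user '{m.group('user')}' via {m.group('svc')})")
        elif msg_id == "113006":                    # lockout already enforced by the ASA
            alerts.append(f"{ts}: account lockout: {msg}")
        elif msg_id == "111010":                    # executed command, reported by the ASA itself
            m = CMD_RE.search(msg)
            if m and m.group("cmd").startswith(LOGGING_KILL):
                alerts.append(f"{ts}: HIGH: user '{m.group('user')}' from {m.group('src')} ran '{m.group('cmd')}'")
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Feed it the file the syslog host writes for the firewall; the "HIGH" alert is the one to wire to an SMS or pager, because a `no logging enable` that is only written to the log it just switched off will not be seen anywhere else.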

 

Send an SNMP trap on community name authentication failures to track failed access attempts

Send an SNMP trap for configuration changes and environmental monitor threshold and configuration changes

Traps for SNMP include:
• authentication
• linkup
• linkdown
• coldstart

! enable the trap categories listed above; "snmp-server enable traps all" also works but sends every category the platform supports
snmp-server enable traps snmp authentication linkup linkdown coldstart

Secure File Management

Device software image verification, e.g. MD5 or SHA-512

Compare the checksum of the downloaded image with the value published by Cisco before booting from it. The ASA can compute the checksum of the file on flash itself, for example "verify /md5 disk0:/asa-image.bin" (or "verify /sha-512" on releases that support it); a mismatch means the image must not be used.

Device Management Best Common Practices

 

Assign unique, per-user accounts

Default user names such as "cisco" are not good practice; named user accounts in the form name.surname are.

Remove default accounts and passwords

! use the example below to remove the default account and assign new passwords; the ASA uses "enable password"
! (there is no "enable secret" on the ASA) and "passwd" for the login password
no username cisco
username name.surname password difficult.password2 privilege 15
enable password difficult.password
passwd difficult.password1

 

Force users to periodically change their password

This can be achieved using the Cisco ACS group properties for password aging, as shown below

(screenshot: Cisco ACS password aging rules)
 

Define multiple servers for redundancy, e.g. AAA, NTP, syslog, SNMP. At least one of each should be located at the Disaster Recovery site

! second TACACS+ host in the same server group; "test" is a placeholder for a strong shared secret
aaa-server TACACS+ (inside) host 192.168.1.1
timeout 2
key test
aaa-server TACACS+ (inside) host 192.168.1.2
timeout 2
key test

 

ntp server 1.1.1.1
ntp server 1.1.1.2

logging host admin 172.16.1.12
logging host admin 172.16.1.19

 

Only grant minimum access privileges

Privilege level 2 is for remote VPN access only
Privilege 15 is for administrator access
If you want read-only access to your network device you need to use shell authorization sets on the AAA server that limit what the user can run. A screenshot of such an authorization set, which grants read-only privileges but not level-15 access on the devices, is shown below.

(screenshot: Cisco ACS shell authorization sets)

 

Review the password recovery settings

! to disable password recovery on the ASA use the command below. Caution: with recovery disabled, the only way back into a device whose
! passwords are lost is a ROMMON boot that erases the configuration, so keep a backed-up configuration and the sealed console credentials described below
no service password-recovery
 

The Modular Policy Framework (MPF) comes with a default policy on the ASA and needs to be tuned to the network's requirements, for example per-class connection and embryonic-connection limits, TCP normalisation and protocol inspection

Use the guide provided by Cisco to enable the more advanced features of this powerful framework.

http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/mpc.html

Update to the latest release with zero downtime

If you are struggling to manage an upgrade of your device without any network disruption, follow the Cisco software management procedure, which covers upgrading a failover pair one unit at a time

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/mswlicfg.html

Vulnerability assessments of the ASA and the devices behind it

This is a "don't try this at home" kind of thing; rather leave it to the professionals

Brute-force and other targeted attacks are usually best left to professionals, especially when dealing with live hosts and production traffic. If you are confident that you know what you are doing, you can attempt a scan yourself using tools such as Nessus or Qualys (the latter is a paid service and product).
Make sure you do this outside peak production hours so that, if a targeted test brings down a server, you have time to recover from it. Scan the firewall's own management addresses as well as the hosts behind it, and compare the exposed services against the access restrictions above.

Links to the above, respectively
http://www.nessus.org/products/nessus
http://www.qualys.com/products/qg_suite/

Cisco ASA Redundant Pair Failover Setup

 

 

Please refer to this page in our configuration section for more information on how to achieve a proper redundant (failover) configuration

cisco-asa-best-security-configuration-examples.html

Leave the common network services to the hardened appliances

Only allow traffic from specific hosts (the mail server, DNS server and proxy server) to reach the internet

On the Cisco ASA only allow certain hosts out of the network for the common services, e.g. (the original entries used "permit ip ... eq http", which is not valid: a port match needs tcp or udp, and every entry needs a destination; 1.1.1.3 is an assumed address for the proxy)

access-list permitonlyappliances remark mail server
access-list permitonlyappliances extended permit tcp host 1.1.1.1 any eq smtp
access-list permitonlyappliances remark DNS server
access-list permitonlyappliances extended permit udp host 1.1.1.2 any eq domain
access-list permitonlyappliances remark proxy server
access-list permitonlyappliances extended permit tcp host 1.1.1.3 any eq http
access-list permitonlyappliances extended permit tcp host 1.1.1.3 any eq https
access-list permitonlyappliances extended deny ip any any log
access-group permitonlyappliances in interface inside

The reason why appliances should perform these functions is that they are better equipped to do so.
They provide a better, faster and more secure service, with higher uptime, than non-dedicated servers

Some respected DHCP, DNS and NTP products
http://www.infoblox.com/en/products.html
Some respected mail server appliances
www.mirapoint.com
Some respected proxy servers
www.bluecoat.com

DMZ to inside restrict

Suppliers must access data on public web or FTP servers in the DMZ; those servers are only allowed minimal interaction with internal resources

This is an example of a least-access access list

Grant the third party access only to the required resource from the outside

access-list outside extended permit tcp any host 196.34.43.1 eq http

Then, from the DMZ inward, permit only FTP (or whatever access is actually required) to the inside; by segmenting this traffic you do not expose your inside network to attack if the DMZ server is compromised. The implicit deny at the end of the list is what keeps the rest of the inside network unreachable; adding an explicit logged deny makes those attempts visible

access-list dmz extended permit tcp host 1.1.1.1 host 192.168.1.1 eq ftp
access-list dmz extended deny ip any any log
access-group dmz in interface dmz
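Both access lists above are small enough to reason about by hand, but a policy is easier to keep least-privilege when the intended flows are written down and tested before the list is applied. The following is an added Python example, not code from the original page or from Cisco: it parses ASA-style extended entries (ip/tcp/udp, `host`, `any`, network plus mask, optional `eq <port>`) and evaluates sample flows with the ASA's first-match, implicit-deny semantics. The sample lists follow the two examples above; 1.1.1.1 is the mail server, 1.1.1.2 the DNS server and 1.1.1.3 an assumed address for the proxy, and the destination addresses in the checks are made up.

```python
import ipaddress

# Constructed ACLs following the two examples above (1.1.1.3 for the proxy is an assumption)
SAMPLE_ACLS = """\
access-list permitonlyappliances extended permit tcp host 1.1.1.1 any eq smtp
access-list permitonlyappliances extended permit udp host 1.1.1.2 any eq domain
access-list permitonlyappliances extended permit tcp host 1.1.1.3 any eq http
access-list permitonlyappliances extended permit tcp host 1.1.1.3 any eq https
access-list permitonlyappliances extended deny ip any any log
access-list dmz extended permit tcp host 1.1.1.1 host 192.168.1.1 eq ftp
"""

PORT_NAMES = {"http": 80, "https": 443, "smtp": 25, "domain": 53, "ftp": 21, "ssh": 22}


def _port(tok):
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def _addr(tokens, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D MASK' at tokens[i]; return (network, index after it)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acls(text):
    """Return {acl_name: [(action, proto, src_net, dst_net, dst_port_or_None), ...]} in configured order."""
    acls = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
            continue          # remarks, standard ACLs and blank lines are skipped
        name, action, proto = t[1], t[3], t[4]
        src, i = _addr(t, 5)
        dst, i = _addr(t, i)
        dport = _port(t[i + 1]) if i + 1 < len(t) and t[i] == "eq" else None
        acls.setdefault(name, []).append((action, proto, src, dst, dport))
    return acls


def evaluate(aces, proto, src_ip, dst_ip, dport=None):
    """First matching entry wins, as on the ASA; no match at all means the implicit deny applies."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, p, src_net, dst_net, port in aces:
        if p != "ip" and p != proto:
            continue
        if s in src_net and d in dst_net and (port is None or port == dport):
            return action
    return "deny"


if __name__ == "__main__":
    acls = parse_acls(SAMPLE_ACLS)
    print(evaluate(acls["permitonlyappliances"], "tcp", "1.1.1.1", "203.0.113.10", 25))   # permit
    print(evaluate(acls["permitonlyappliances"], "tcp", "10.0.0.7", "203.0.113.10", 80))  # deny
```

The useful checks are the negative ones: the mail server must not be able to browse, TCP/53 from the DNS server stays closed because only UDP was opened, and the DMZ server reaches exactly one inside host on one port. Keep such a list of expected permits and denies with the configuration backup and re-run it whenever an entry is added.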

Unicast RPF rules (use with caution)

Proceed with extreme caution unless you aim to break your network.

As mentioned, please make sure you understand this feature before applying the configuration, as it has potentially disastrous consequences: the ASA drops any packet whose source address is not reachable, according to the routing table, through the interface it arrived on, so it breaks asymmetric routing. It is safe on the outside interface when the only route back to the internet is the default route, where it stops spoofed packets claiming internal source addresses. The ASA syntax is per interface (the original "ip verify reverse-path" under an interface block is IOS syntax):

ip verify reverse-path interface outside

Detect problems on the network using Security Event Management tools

Cisco MARS and Cisco IPS Manager Express are excellent products that can provide vital information to prevent DoS attacks or to report on and alert upon network emergencies

Using the SNMP traps and syslog hosts configured above, you need an intelligent device that analyses the large volume of logs and produces meaningful alerts for the appropriate personnel.
An example of that kind of alert would be a triggered correlation rule producing an email, SMS or SNMP alert in CS-MARS for some of the critical situations below.

! the rule below on MARS triggers when configuration changes are performed on any monitored device
Configuration changes
System Rule: Modify Network Config

! the rules below on MARS trigger when CPU or memory exceed specified parameters
Resource utilisation thresholds
System Rule: DoS: Network - Success Likely
System Rule: DoS: Network Device - Success Likely
System Rule: Resource Issue: Network Device

! the rules below on MARS trigger when a device fails over to its partner, usually indicating a problem on the device or network
Failover messages
System Rule: Operational Issue: Firewall
System Rule: State Change: Network Device

If you are using a Cisco AIP module in your ASA, strongly consider downloading and using the Cisco IME tool; in typical Cisco fashion it is unparalleled in its usefulness

http://www.cisco.com/cisco/software/type.html?mdfid=282052550&catid=null

Routing table protection

Use authentication for dynamic routing protocols, or static routes

! RIP MD5 authentication on the ASA is configured per interface (interface name illustrative; "test" is a placeholder key)
interface GigabitEthernet0/0
 rip authentication mode md5
 rip authentication key test key_id 1

Static routes are more work to maintain but are considered more secure, because no neighbour can inject a route
route outside 169.2.2.2 255.255.255.255 172.16.1.1

Business Continuity

Consider creating a DR site, or backing up critical servers and devices with third-party solutions

If your business is critical and does not tolerate downtime, consider protecting it against the adversities of life and make use of a business continuity service or build your own Disaster Recovery site.
Some links for that, respectively

www.continuitysa.co.za/
http://www.cisco.com/warp/public/63/disrec.pdf

Physical Security

Make sure all servers are physically secured and that access to them is restricted, usually by biometric or similar access control.

Make sure you use current technologies to protect your data centre from physical breaches

 

http://www.thirdfactor.com/2011/01/27/biometric-solutions-for-physical-access-control

Logical User Access Controls

Make sure you follow a security policy that restricts, controls and monitors users' access to resources

Make sure you control users' access to resources adequately.
Social engineering remains one of the most common ways attackers obtain legitimate credentials, so least-privilege access limits what a compromised account can reach.

http://www.security-solutions.co.za/cisco-acs-best-practices.html

ROOT or Local console device passwords

Protect local passwords from viewing and copying. A procedure must be in place to obtain console or root access to the firewalls, and the password must be changed after the emergency is resolved

It is considered good security practice to hold the root or console access credentials in a safe. In case of an emergency the security policy must be followed, whereby temporary access to the system is granted and the root credentials are changed after the emergency measures have been taken. If you want to go further in securing this access, consider splitting the root password in two, so that the half locked in the safe is only part of the credentials necessary to obtain root or console access.

Dual factor authentication and one time only access to

RSA or ActivCard dual-factor authentication vendors provide some extra security.

Consider using a dual-factor authentication mechanism for your most critical assets and entry points into the network. RSA is my choice of vendor for the job even after recent negative publicity

www.rsa.com
Below is a document describing a typical deployment scenario using a Cisco ASA and an RSA server to implement dual-factor authentication. It can get pretty hairy if you haven't attempted it before, but the principles are sound and logical, and any reasonable person should be able to follow the example from RSA and from Cisco

www.rsa.com/rsasecured/guides/imp_pdfs/Cisco_ASA_AuthMan61.pdf

www.rsa.com/rsasecured/guides/imp_pdfs/Cisco_ASA_AuthMan7.1.pdf

Remote access to the management network via VPN

The benefits of DACLs (downloadable access lists) are universally great. Used properly they are a powerful tool to restrict mobile users to only a few resources regardless of their entry point into the network. The screen below is from Cisco ACS server 4.2, but the DACL syntax has not changed even for the latest Cisco ACS 5.2.

(screenshot: Cisco downloadable access list)

Configure a VPN idle timeout to ensure VPN tunnels do not stay up indefinitely

! minutes; set under the group policy applied to the remote-access tunnel group (policy name illustrative)
group-policy RemoteAccess attributes
 vpn-idle-timeout 30

 

 

 

Credits and References

As always, credit must be given where credit is due. The references below were used in compiling this rather large document

http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/Baseline_Security/appendxD.html

http://www.sans.org/score/firewallchecklist.php

 

 

 

 

 

To get a free assessment on how to optimize your current Cisco ASA solution contact us here

 


 

Recommended Reading


 

  1. Cisco ACS Best Practices document
  2. Cisco ASA Best Practices and Security Hardening Document.
  3. Cisco-vpn-ipsec-configuration-examples
  4. Cisco-ids-ips-aip-idsm-configuration-examples
  5. Detailed Cisco ACS 5.2 installation and configuration example with print screens