Any info on ASA hardening

Unanswered Question
tstanik Tue, 11/27/2007 - 12:55

ASA being a security device already has features to withstand attacks on itself. If you want to setup ASA to protect your network then this depends on your network architecture.

JORGE RODRIGUEZ Mon, 12/03/2007 - 11:23

Can you explain exactly what you are looking for, or the meaning of hardening or pre-hardening of ASA firewalls, as this is a very broad term.. if you can give details perhaps we can point you in the right direction..

The hardening of a firewall is determined by the implicit inbound/outbound deny or permit of access lists by a network administrator.. and how the firewall is deployed in a network. This can be understood by non-technical folks: permit, deny, encrypt, don't encrypt, etc..

Now, if you want to find out and present to management the process the firewall uses to perform stateful inspection etc.. there are many documents out there within Cisco that can show you that.


Hi Jorge,

Thanks very much for your follow-up! What I am looking for is not how a firewall works. What I am looking for is this: even though a firewall can deny what it wants to, if the firewall itself is vulnerable to attacks and a hacker gets hold of this firewall, then it is not a good firewall anymore. And I am not talking about the design vulnerabilities - this will be accomplished by those hackers at large. I am looking for information on what a firewall administrator can or should do to harden the firewall device itself and/or the OS running on it to make it not vulnerable to obvious attacks. (Just for a simple example: if the TFTP server is enabled by default on the firewall device itself, then it is not a pre-hardened device. The first thing the firewall admin should do is to disable this TFTP server or, if it is needed, give it some ACL and password. Just an example.) It is like when you buy a Windows Server, you should harden it by disabling some unused services, disabling some registry settings, etc.

Not sure if I have explained this clearly. Thanks for your help!

JORGE RODRIGUEZ Mon, 12/03/2007 - 20:11

Hi Michael, I understand now where you are coming from and thank you for the clear explanation. The answer to your question I think is short. The Cisco PIX/ASA firewalls by default come to the end users already pre-hardened; to prove this, a firewall out of the box comes with a default configuration.

The firewall will at least have three important components, that is, PIX OS code, inside, and outside interfaces. As you may well know the two interfaces are the outside and inside interface. The default firewall configuration will always come as such: the outside interface with a security level of 0 (zero) as the un-trusted interface, or the interface facing the outside world; security 0 with no firewall implicit inbound access rules for connections means nothing will come inbound as requested traffic from outside, as all inbound traffic is blocked. In other words, all TCP/UDP ports are blocked by default. On the other hand the inside interface comes by default with a security level of 100, the trusted side, and some but not all ports on this interface are opened to go outbound. This is a fundamental aspect of the firewall, until you explicitly start opening or allowing inbound traffic; that is where the DMZ and other aspects of security architecture come into place, such as IPS or intrusion detection systems etc..

I hope I have contributed to answering your question. I could not find a document explaining the hardening of a firewall because I don't think there is one; however, there are many documents in security design guidelines that show best practices for securing networks from either outside and/or internally.. I found though a link that at least says all ports by default are blocked for the outside interface, security 0.

Rate any helpful post if it helps!
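As an added illustration of the defaults Jorge describes (security level 0 on the outside interface, 100 on the inside) together with the management-plane restrictions Michael is asking about, here is a constructed ASA configuration fragment. It is not from this thread or from Cisco documentation; the interface names and addresses are made up, and the command syntax assumes ASA 8.x.

```cisco
! Constructed example (not from the thread). Security level 0 = untrusted
! outside, 100 = trusted inside. With no access-list applied, the implicit
! rule lets inside -> outside traffic out and blocks new inbound connections
! from outside, which is the "all ports blocked by default" behaviour above.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.248
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
! Hardening the appliance itself (the management plane), which is the point
! of the question: restrict who can reach the box and on which interface.
! No "telnet" lines are configured, so Telnet to the ASA stays disabled.
ssh 10.1.1.0 255.255.255.0 inside
ssh version 2
ssh timeout 5
!
! ASDM/HTTPS only from the inside management subnet; never on outside.
http server enable
http 10.1.1.0 255.255.255.0 inside
!
! Authenticate admin sessions (local account shown; an AAA server is better).
username admin password PLACEHOLDER-CHANGE-ME privilege 15
aaa authentication ssh console LOCAL
!
! Do not let the ASA's own outside interface answer ICMP.
icmp deny any outside
!
! Logging and time sync so that changes and attacks on the box are visible.
logging enable
logging timestamp
logging trap informational
logging host inside 10.1.1.50
ntp server 10.1.1.5 source inside
```

The check to run after applying something like this is `show run ssh`, `show run http` and `show run telnet`: any line naming the outside interface, or a 0.0.0.0 0.0.0.0 source, exposes management of the firewall itself to the Internet.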