Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
295
Views
0
Helpful
2
Replies

A way to Dynamically configure Security Policy with CSM/ASA?

dkarlsberg
Level 1
Level 1

‎03-03-2008 12:33 PM - edited ‎03-11-2019 05:11 AM

We have an interface on an ASA with an ANY ANY. This ASA is managed by our CSM Server. We need to build this particular security policy for this interface. We have utilities that can assist here (i.e. Mazu Sniffer) and we can also rely on application owners to tell us what speaks to what on what ports. These options will be very tedius and very time consuming and far from full proof. My question is...Is there a way to dynamically build the policy for this interface? Possibly through CSM or another Cisco Product or a 3rd Party Application?

Labels:
0 Helpful
2 Replies 2

jbayuka
Level 5
Level 5

‎03-07-2008 02:23 PM

Probably, you can try by using Cisco NAC appliance which fulfils your requirement

0 Helpful

tim.riegert
Level 1
Level 1

‎03-12-2008 12:57 PM

Unfortunately, there really isn't a dynamic method. We have been going through this process and it is definitely a chore. We basically find out all of the ports that a server is listening on (through nmap scan or netstat locally on box) and have the server / app guys let us know their requirement. Additionally, we look at netflow from a downstream switch to see what traffic is actually going to those servers -- we have found some instances where necessary ports have not been identified by the server / app guys.

Then we add access-list lines per each server:

permit tcp any host serverA eq x,y,z ports (required ports)

permit udp any host serverA eq a,b,c ports (required ports)

permit ip any host serverA log

We monitor that for a week to make sure that we arent blocking any legitimate traffic. We check the hitcounts on the permit ip any lines to see if there is a potential issue. Once we are happy (after making any necessary changes), we change the permit ip any to deny ip any.

It is extremely tedious, but there doesnt appear to be any better way. I definitely recommend using netflow if your topology permits. nfdump is a great open source application that allows you to grep the netflow data -- it has scaled much better for us than using tcpdump for sniffing.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card