ASA5510 - protecting the web server


I am trying to protect a single web server behind an ASA5510. I am using access lists, TCP normalization, connection limiting and HTTP inspection (blocking HTTP methods I know I won't need). Can anyone see what else I can do as far as security goes? Thanks in advance.

ASA Version 8.0(3)
!
firewall transparent
hostname xxxx
enable password xxxx
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
!
interface Ethernet0/1
 nameif inside
 security-level 100
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 management-only
!
passwd xxxx
regex trace "TRACE"
ftp mode passive
access-list inspect_web_traffic extended permit tcp any host xxxx eq https
access-list inspect_web_traffic extended permit tcp any host xxxx eq www
access-list allow_web_traffic extended permit tcp any host xxxx eq www
access-list allow_web_traffic extended permit tcp any host xxxx eq https
access-list inspect_tcp_traffic extended permit tcp any any
!
tcp-map tcp_normalization_map
  check-retransmission
  checksum-verification
  reserved-bits clear
  syn-data drop
!
pager lines 24
mtu outside 1500
mtu inside 1500
ip address xxxx xxxx
ip audit name FW-IDS-info info action reset
ip audit name FW-IDS-attack attack action reset
ip audit interface outside FW-IDS-info
ip audit interface outside FW-IDS-attack
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group allow_web_traffic in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
fragment chain 1 outside
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection scanning-threat shun
threat-detection statistics
!
class-map inspect_http_traffic
 description Inspect HTTP and HTTPS
 match access-list inspect_web_traffic
class-map tcp_normalization
 description TCP normalization
 match access-list inspect_tcp_traffic
class-map type regex match-any methods_to_drop
 match regex trace
class-map type inspect http match-all http_method_policy
 match request method regex class methods_to_drop
class-map connection_limits
 description Limit number of connections and number of embryonic connections per client
 match access-list inspect_tcp_traffic
!
!
policy-map type inspect http http_policy
 parameters
  spoof-server "noyb"
  protocol-violation action reset
 class http_method_policy
  reset
policy-map global_policy
 class connection_limits
  set connection per-client-max 500 per-client-embryonic-max 100
 class tcp_normalization
  set connection advanced-options tcp_normalization_map
 class inspect_http_traffic
  inspect http http_policy
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxx
: end
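The controls the poster lists (an inbound ACL restricted to the web ports, per-client embryonic connection limits, a tcp-map applied through set connection advanced-options, HTTP inspection, and scanning-threat shun) can be checked mechanically against a saved running-config before the box goes live. The following audit script is an added example, not part of the original post or any Cisco tool; it uses a constructed excerpt of a config in the same shape as the one above, with the placeholder address 192.0.2.10 standing in for the redacted server address, and assumes the standard ASA running-config layout (sub-commands indented under their parent).

```python
import re

# Constructed ASA running-config excerpt modelled on the posted configuration.
# 192.0.2.10 is a documentation-range placeholder for the redacted web server.
SAMPLE_CONFIG = """\
firewall transparent
access-list allow_web_traffic extended permit tcp any host 192.0.2.10 eq www
access-list allow_web_traffic extended permit tcp any host 192.0.2.10 eq https
access-list inspect_tcp_traffic extended permit tcp any any
tcp-map tcp_normalization_map
  check-retransmission
  checksum-verification
  reserved-bits clear
  syn-data drop
access-group allow_web_traffic in interface outside
telnet timeout 5
threat-detection basic-threat
threat-detection scanning-threat shun
policy-map global_policy
 class connection_limits
  set connection per-client-max 500 per-client-embryonic-max 100
 class tcp_normalization
  set connection advanced-options tcp_normalization_map
 class inspect_http_traffic
  inspect http http_policy
service-policy global_policy global
"""

# Port keywords/numbers an ACL entry may name for a public web server.
WEB_PORTS = {"www", "http", "80", "https", "443"}


def parse_acls(lines):
    """Return {acl_name: [entry, ...]}; each entry is the token list from the action onward."""
    acls = {}
    for line in lines:
        m = re.match(r"access-list\s+(\S+)\s+(extended\s+)?(permit|deny)\s+(.*)", line)
        if m:
            acls.setdefault(m.group(1), []).append([m.group(3)] + m.group(4).split())
    return acls


def acl_only_web_tcp(entries):
    """True when every permit entry is TCP to a single host on an HTTP/HTTPS port."""
    for e in entries:
        if e[0] != "permit":
            continue
        # Expected shape: permit tcp <src> host <dst> eq <port>
        if e[1] != "tcp" or "host" not in e or "eq" not in e:
            return False
        if e[e.index("eq") + 1] not in WEB_PORTS:
            return False
    return True


def audit_asa_config(text):
    """Evaluate the hardening controls discussed in the post; True means the control is present."""
    lines = [l.strip() for l in text.splitlines()]
    lines = [l for l in lines if l and not l.startswith("!")]
    acls = parse_acls(lines)
    findings = {}

    # 1. Inbound ACL on outside exists and permits only TCP 80/443 to a host.
    groups = [re.match(r"access-group\s+(\S+)\s+in\s+interface\s+outside", l) for l in lines]
    groups = [m for m in groups if m]
    findings["outside_acl_web_only"] = bool(groups) and all(
        acl_only_web_tcp(acls.get(m.group(1), [])) for m in groups)

    # 2. Per-client half-open limit (SYN-flood containment) is configured.
    findings["embryonic_limit"] = any("per-client-embryonic-max" in l for l in lines)

    # 3. A tcp-map dropping SYN-with-data and verifying checksums is actually applied.
    tcp_maps = [l.split()[1] for l in lines if l.startswith("tcp-map ")]
    applied = {l.split()[-1] for l in lines if l.startswith("set connection advanced-options")}
    findings["tcp_normalization_applied"] = (
        any(t in applied for t in tcp_maps)
        and "syn-data drop" in lines
        and "checksum-verification" in lines)

    # 4. HTTP application inspection is attached to some class.
    findings["http_inspection"] = any(l.startswith("inspect http") for l in lines)

    # 5. Scanning-threat detection shuns the offending source.
    findings["scanning_threat_shun"] = "threat-detection scanning-threat shun" in lines

    # 6. Telnet management access is never permitted from the outside interface.
    findings["no_telnet_from_outside"] = not any(
        re.match(r"telnet\s+\S+\s+\S+\s+outside", l) for l in lines)

    return findings


if __name__ == "__main__":
    for control, ok in audit_asa_config(SAMPLE_CONFIG).items():
        print(f"{'PASS' if ok else 'FAIL'}  {control}")
```

Run it against `show running-config` output saved to a file by replacing SAMPLE_CONFIG with the file contents; each False line names a control that is missing or not wired into the service policy, which is the usual failure (a tcp-map or inspect policy defined but never applied).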

brettmilborrow Fri, 03/07/2008 - 15:50

I think you have it covered! You are also able to install an IPS module in the 5510 chassis and protect the web server further using the module to protect it further.
