03-07-2008 02:55 PM - edited 03-11-2019 05:14 AM
I am trying to protect a single web server behind an ASA 5510. I am using access lists, TCP normalization, connection limiting and HTTP inspection (blocking HTTP methods I know I won't need). Can anyone see what else I can do as far as security goes? Thanks in advance.
ASA Version 8.0(3)
!
firewall transparent
hostname xxxx
enable password xxxx
names
!
interface Ethernet0/0
nameif outside
security-level 0
!
interface Ethernet0/1
nameif inside
security-level 100
!
interface Ethernet0/2
shutdown
no nameif
no security-level
!
interface Ethernet0/3
shutdown
no nameif
no security-level
!
interface Management0/0
shutdown
no nameif
no security-level
management-only
!
passwd xxxx
regex trace "TRACE"
ftp mode passive
access-list inspect_web_traffic extended permit tcp any host xxxx eq https
access-list inspect_web_traffic extended permit tcp any host xxxx eq www
access-list allow_web_traffic extended permit tcp any host xxxx eq www
access-list allow_web_traffic extended permit tcp any host xxxx eq https
access-list inspect_tcp_traffic extended permit tcp any any
!
tcp-map tcp_normalization_map
check-retransmission
checksum-verification
reserved-bits clear
syn-data drop
!
pager lines 24
mtu outside 1500
mtu inside 1500
ip address xxxx xxxx
ip audit name FW-IDS-info info action reset
ip audit name FW-IDS-attack attack action reset
ip audit interface outside FW-IDS-info
ip audit interface outside FW-IDS-attack
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group allow_web_traffic in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
fragment chain 1 outside
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection scanning-threat shun
threat-detection statistics
!
class-map inspect_http_traffic
description Inspect HTTP and HTTPS
match access-list inspect_web_traffic
class-map tcp_normalization
description TCP normalization
match access-list inspect_tcp_traffic
class-map type regex match-any methods_to_drop
match regex trace
class-map type inspect http match-all http_method_policy
match request method regex class methods_to_drop
class-map connection_limits
description Limit number of connections and number of embryonic connections per client
match access-list inspect_tcp_traffic
!
!
policy-map type inspect http http_policy
parameters
spoof-server "noyb"
protocol-violation action reset
class http_method_policy
reset
policy-map global_policy
class connection_limits
set connection per-client-max 500 per-client-embryonic-max 100
class tcp_normalization
set connection advanced-options tcp_normalization_map
class inspect_http_traffic
inspect http http_policy
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxx
: end
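The parts of this config only help if they actually chain together: the ACL has to be bound inbound on outside, http_policy has to be reached from the policy-map that the global service-policy applies, and the TRACE regex has to end in a reset. The following audit script is an added example (not from the thread or from Cisco) that walks those references over a constructed excerpt of the config above; the regex, class-map and policy-map names are the poster's, and WEBSRV stands in for the masked host.

```python
import re
# Constructed excerpt of the ASA 8.0(3) config above, indented as "show run" prints it.
ASA_CONFIG = """\
regex trace "TRACE"
access-list allow_web_traffic extended permit tcp any host WEBSRV eq www
access-list allow_web_traffic extended permit tcp any host WEBSRV eq https
access-group allow_web_traffic in interface outside
class-map type regex match-any methods_to_drop
 match regex trace
class-map type inspect http match-all http_method_policy
 match request method regex class methods_to_drop
policy-map type inspect http http_policy
 class http_method_policy
  reset
policy-map global_policy
 class inspect_http_traffic
  inspect http http_policy
service-policy global_policy global
"""

def inbound_ports(cfg, iface="outside"):
    """Destination ports permitted by the ACL bound inbound on iface (empty if none bound)."""
    m = re.search(rf"^access-group (\S+) in interface {iface}$", cfg, re.M)
    if not m:
        return set()
    acl = re.escape(m.group(1))
    return set(re.findall(rf"^access-list {acl} extended permit \S+ .* eq (\S+)$", cfg, re.M))

def applied_http_policies(cfg):
    """Names of 'inspect http' policies reachable from an active service-policy."""
    names = set()
    for pm in re.findall(r"^service-policy (\S+) (?:global|interface \S+)$", cfg, re.M):
        body = re.search(rf"^policy-map {re.escape(pm)}\n((?: .*\n)+)", cfg, re.M)
        if body:
            names |= set(re.findall(r"^  inspect http (\S+)$", body.group(1), re.M))
    return names

def blocked_methods(cfg, http_policy):
    """Method regexes that http_policy answers with a TCP reset, e.g. TRACE."""
    body = re.search(rf"^policy-map type inspect http {re.escape(http_policy)}\n((?: .*\n)+)", cfg, re.M)
    out = set()
    for cls in (re.findall(r"^ class (\S+)\n  reset$", body.group(1), re.M) if body else []):
        for rc in re.findall(rf"^class-map type inspect http match-all {re.escape(cls)}\n"
                             r" match request method regex class (\S+)$", cfg, re.M):
            rdefs = re.search(rf"^class-map type regex match-any {re.escape(rc)}\n((?: match regex \S+\n)+)", cfg, re.M)
            for rname in re.findall(r"match regex (\S+)", rdefs.group(1) if rdefs else ""):
                pat = re.search(rf'^regex {re.escape(rname)} "([^"]*)"$', cfg, re.M)
                if pat:
                    out.add(pat.group(1))
    return out
```

Running the three checks against a full running-config shows at a glance whether anything beyond 80/443 is reachable from outside and whether the method blocking is live rather than merely defined.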
03-07-2008 03:50 PM
I think you have it covered! You are also able to install an IPS module in the 5510 chassis and protect the web server further using the module to protect it further.
03-10-2008 07:10 AM
The budget does not allow for the AIP-SSM module right now. That's why I implemented basic IPS with the ASA. Any other suggestions/recommendations? Thanks.
03-10-2008 07:21 AM
You have it covered mate!