ASA5510 - protecting the web server

george
Level 1

I am trying to protect a single web server behind an ASA5510. I am using access lists, TCP normalization, connection limiting and HTTP inspection (blocking HTTP methods I know I won't need). Can anyone see what else I can do as far as security goes? Thanks in advance.

ASA Version 8.0(3)
!
firewall transparent
hostname xxxx
enable password xxxx
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
!
interface Ethernet0/1
 nameif inside
 security-level 100
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 management-only
!
passwd xxxx
regex trace "TRACE"
ftp mode passive
access-list inspect_web_traffic extended permit tcp any host xxxx eq https
access-list inspect_web_traffic extended permit tcp any host xxxx eq www
access-list allow_web_traffic extended permit tcp any host xxxx eq www
access-list allow_web_traffic extended permit tcp any host xxxx eq https
access-list inspect_tcp_traffic extended permit tcp any any
!
tcp-map tcp_normalization_map
  check-retransmission
  checksum-verification
  reserved-bits clear
  syn-data drop
!
pager lines 24
mtu outside 1500
mtu inside 1500
ip address xxxx xxxx
ip audit name FW-IDS-info info action reset
ip audit name FW-IDS-attack attack action reset
ip audit interface outside FW-IDS-info
ip audit interface outside FW-IDS-attack
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group allow_web_traffic in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
fragment chain 1 outside
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection scanning-threat shun
threat-detection statistics
!
class-map inspect_http_traffic
 description Inspect HTTP and HTTPS
 match access-list inspect_web_traffic
class-map tcp_normalization
 description TCP normalization
 match access-list inspect_tcp_traffic
class-map type regex match-any methods_to_drop
 match regex trace
class-map type inspect http match-all http_method_policy
 match request method regex class methods_to_drop
class-map connection_limits
 description Limit number of connections and number of embryonic connections per client
 match access-list inspect_tcp_traffic
!
!
policy-map type inspect http http_policy
 parameters
  spoof-server "noyb"
  protocol-violation action reset
 class http_method_policy
  reset
policy-map global_policy
 class connection_limits
  set connection per-client-max 500 per-client-embryonic-max 100
 class tcp_normalization
  set connection advanced-options tcp_normalization_map
 class inspect_http_traffic
  inspect http http_policy
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxx
: end
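An added example (my own, not part of the thread and not a Cisco tool): a small Python audit that parses an ASA configuration in the style posted above and checks that the controls george describes are wired up end to end, rather than merely present somewhere in the file: the ACL is bound inbound on the outside interface, the tcp-map named by the policy exists and drops data on SYNs, the regex reached through the HTTP inspection class actually covers TRACE, per-client limits are set, and the policy is applied globally. The sample configuration, its addresses and the check names are constructed assumptions.

```python
import re
# Constructed excerpt modelled on the thread's configuration (addresses are made up).
SAMPLE_CONFIG = """\
regex trace "TRACE"
access-list allow_web_traffic extended permit tcp any host 192.0.2.10 eq www
tcp-map tcp_normalization_map
  syn-data drop
access-group allow_web_traffic in interface outside
threat-detection basic-threat
class-map type regex match-any methods_to_drop
  match regex trace
policy-map global_policy
  class connection_limits
    set connection per-client-max 500 per-client-embryonic-max 100
  class tcp_normalization
    set connection advanced-options tcp_normalization_map
  class inspect_http_traffic
    inspect http http_policy
service-policy global_policy global
"""

def parse_blocks(text):  # -> {top-level command: [indented sub-lines]}
    blocks, current = {}, None
    for raw in (l for l in text.splitlines() if l.strip() and not l.startswith("!")):
        if not raw[0].isspace():
            current = raw.strip()
            blocks.setdefault(current, [])
        elif current is not None:
            blocks[current].append(raw.strip())
    return blocks

def audit(text):  # -> {check name: passed}
    blocks = parse_blocks(text)
    top, nested = list(blocks), [l for sub in blocks.values() for l in sub]
    f = {}
    f["acl_applied_outside"] = any(re.match(r"access-group \S+ in interface outside$", l) for l in top)
    f["threat_detection"] = "threat-detection basic-threat" in top
    f["per_client_limits"] = any(l.startswith("set connection per-client-max ") for l in nested)
    maps = [m.group(1) for l in nested if (m := re.match(r"set connection advanced-options (\S+)$", l))]
    f["tcp_normalization"] = any("syn-data drop" in blocks.get(f"tcp-map {m}", []) for m in maps)  # map must exist
    regexes = {m.group(1): m.group(2) for l in top if (m := re.match(r'regex (\S+) "(.*)"$', l))}
    used = [m.group(1) for l in nested if (m := re.match(r"match regex (\S+)$", l))]
    f["trace_method_blocked"] = any("TRACE" in regexes.get(r, "") for r in used)  # referenced regex covers TRACE
    f["http_inspect_applied"] = any(l.startswith("inspect http ") for l in nested)
    f["policy_applied_globally"] = any(re.match(r"service-policy \S+ global$", l) for l in top)
    return f

def failed_checks(text):  # names of controls the config is missing, sorted
    return sorted(name for name, ok in audit(text).items() if not ok)
```

Feed it `show running-config` output; an empty list from failed_checks means every control the thread relies on is present and actually referenced by the active policy.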

3 Replies

brettmilborrow
Level 1

I think you have it covered! You are also able to install an IPS module in the 5510 chassis and protect the web server further using the module to protect it further.

The budget does not allow for the AIP-SSM module right now. That's why I implemented basic IPS with the ASA. Any other suggestions/recommendations? Thanks.

You have it covered mate!
