firewall assessment document

Unanswered Question
Aug 28th, 2008

My company requires us to perform a security assessment on our PIX\ASA firewalls. I have about 20+ points that I am currently reviewing on the firewall, but I was wondering if anyone has a document with a checklist of:

-best practice
-vulnerabilities
-etc.

If you don't have one, can you please point me to such a document online.

Thanks

cisco24x7 Thu, 08/28/2008 - 18:50

If you read the article carefully, then Cisco ASA firewalls fail this test miserably. According to the article:

"Deny all traffic by default, and only enable those services that are needed."

Doesn't the ASA, by default, allow traffic from a high security level interface to a low security level interface?

At least with version 6.x, this is not possible due to the NAT nature of the code.

In version 7.x and 8.x, "no nat-control" is enabled by default on the ASA. Therefore, infected hosts on the high security level interface can infect hosts on the lower security level interface.

Some security device.

ronshuster Fri, 08/29/2008 - 04:21

cisco24x7: that is a very good point, how would you resolve this issue? Would you for example create ACLs to restrict traffic from the inside interface to the DMZ (low security to high?)

Also in reference to this document :

http://www.nsa.gov/snac/routers/cisco_exec_sum.pdf

Should some of the ACLs in the section titled "Specific Recommendations: Access Lists" also get applied for traffic going from a higher security to a lower security level, such as INSIDE to DMZ?

If you have some examples of a hardened config that would be very beneficial. We are trying to avoid hacks from the OUTSIDE and INSIDE as well and ensure the ASA is fully protected.
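As an added example (not from either poster, and not a Cisco-published config), this is the approach ronshuster asks about on ASA 7.x/8.x: an extended ACL applied inbound on the inside interface so that traffic toward the DMZ is limited to named services and everything else to the DMZ is denied and logged, while inside-to-outside traffic stays permitted. The interface names, the 10.1.1.0/24 inside subnet, the 192.168.10.0/24 DMZ subnet and the two DMZ hosts are assumed values for illustration.

```cisco
! Assumed topology: inside = 10.1.1.0/24 (security-level 100), dmz = 192.168.10.0/24 (security-level 50)
! Once an access-group is applied to an interface, the security-level default ("high to low is allowed")
! no longer applies to that interface; the ACL ends with an implicit deny, so order matters below.

! Only the services the DMZ actually offers to inside users
access-list INSIDE_IN extended permit tcp 10.1.1.0 255.255.255.0 host 192.168.10.5 eq www
access-list INSIDE_IN extended permit tcp 10.1.1.0 255.255.255.0 host 192.168.10.5 eq https
access-list INSIDE_IN extended permit udp 10.1.1.0 255.255.255.0 host 192.168.10.53 eq domain

! Everything else from inside toward the DMZ is dropped and logged (this is what catches an infected inside host)
access-list INSIDE_IN extended deny ip any 192.168.10.0 255.255.255.0 log

! Inside users keep their normal outbound access; this line must come after the DMZ deny
access-list INSIDE_IN extended permit ip 10.1.1.0 255.255.255.0 any

! Apply the list to traffic entering the ASA on the inside interface
access-group INSIDE_IN in interface inside
```

Verify with `show access-list INSIDE_IN` (hit counts on the deny line show what inside hosts are trying to reach in the DMZ) and with `packet-tracer input inside tcp 10.1.1.20 1025 192.168.10.5 23`, which should report the drop on the deny entry.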
