08-28-2008 07:16 AM
My company requires us to perform a security assessment on our PIX/ASA firewalls. I have about 20+ points that I am currently reviewing on the firewall, but I was wondering if anyone has a document with a checklist of:
-best practices
-vulnerabilities
-etc.
If you don't have one, can you please point me to such a document online.
Thanks
08-28-2008 11:43 AM
You can use the Cisco Output Interpreter: you paste in a PIX/ASA config and it will provide various recommendations based on your config.
output interpreter
https://www.cisco.com/cgi-bin/Support/OutputInterpreter/home.pl?locale=en
Also check this very good article:
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci838230,00.html
HTH
Jorge
08-28-2008 06:50 PM
If you read the article carefully, then Cisco ASA firewalls fail this test miserably. According to the article:
"Deny all traffic by default, and only enable those services that are needed."
Doesn't the ASA, by default, allow traffic from a high security level interface to a low security level interface?
At least with version 6.x, this is not possible due to the NAT nature of the code. In versions 7.x and 8.x, "no nat-control" is enabled by default on the ASA. Therefore, infected hosts on the high security level interface can infect hosts on the lower security level interface.
Some security device.
08-29-2008 04:21 AM
cisco24x7: that is a very good point; how would you resolve this issue? Would you, for example, create ACLs to restrict traffic from the inside interface to the DMZ (low security to high?)
Also, in reference to this document:
http://www.nsa.gov/snac/routers/cisco_exec_sum.pdf
Should some of the ACLs in the section titled "Specific Recommendations: Access Lists" also be applied to traffic going from a higher security level to a lower one, such as INSIDE to DMZ?
If you have some examples of a hardened config, that would be very beneficial. We are trying to avoid attacks from the OUTSIDE and the INSIDE as well, and to ensure the ASA is fully protected.
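As an added example (not from any post in this thread and not a Cisco-published hardening config): one way to answer the question above is to bind an explicit allow-list ACL to the inside interface. On the ASA, as soon as an ACL is applied to an interface, the default high-to-low permit for that interface is replaced by the ACL's implicit deny, so only the listed inside-to-DMZ and inside-to-Internet services pass. Interface names, addresses and the DMZ server hosts are assumed values.

```text
! Constructed example: interface names, addresses and DMZ hosts are assumed
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.0 255.255.255.0
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.10.1 255.255.255.0
!
object-group service DMZ-WEB tcp
 port-object eq www
 port-object eq https
!
! Inside -> DMZ: only the services the DMZ actually offers (assumed hosts)
access-list INSIDE_IN extended permit tcp 10.1.1.0 255.255.255.0 host 192.168.10.10 object-group DMZ-WEB
access-list INSIDE_IN extended permit udp 10.1.1.0 255.255.255.0 host 192.168.10.53 eq domain
! Admin host only for SSH to the DMZ web server
access-list INSIDE_IN extended permit tcp host 10.1.1.50 host 192.168.10.10 eq ssh
! Everything else from inside to the DMZ network is dropped and logged
access-list INSIDE_IN extended deny ip any 192.168.10.0 255.255.255.0 log
!
! Inside -> Internet: the interface ACL replaces the implicit permit, so
! normal outbound services have to be listed explicitly as well
access-list INSIDE_IN extended permit tcp 10.1.1.0 255.255.255.0 any eq www
access-list INSIDE_IN extended permit tcp 10.1.1.0 255.255.255.0 any eq https
! Sources other than the inside subnet (spoofed addresses) never match a permit
access-list INSIDE_IN extended deny ip any any log
!
access-group INSIDE_IN in interface inside
!
logging enable
logging trap informational
```

The order matters: the DMZ-specific permits and the deny for the DMZ subnet must come before the broad "any" permits, otherwise inside hosts could reach any TCP/80 or TCP/443 listener in the DMZ. The `log` keyword on the deny lines gives the syslog evidence an infected inside host would leave behind.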