A way to Dynamically configure Security Policy with CSM/ASA?
We have an interface on an ASA with an ANY ANY. This ASA is managed by our CSM Server. We need to build this particular security policy for this interface. We have utilities that can assist here (i.e. Mazu Sniffer) and we can also rely on application owners to tell us what speaks to what on what ports. These options will be very tedious and very time consuming and far from foolproof. My question is: is there a way to dynamically build the policy for this interface? Possibly through CSM or another Cisco Product or a 3rd Party Application?
Re: A way to Dynamically configure Security Policy with CSM/ASA?
Unfortunately, there really isn't a dynamic method. We have been going through this process and it is definitely a chore. We basically find out all of the ports that a server is listening on (through an nmap scan or netstat locally on the box) and have the server / app guys let us know their requirement. Additionally, we look at netflow from a downstream switch to see what traffic is actually going to those servers -- we have found some instances where necessary ports have not been identified by the server / app guys.
Then we add access-list lines for each server:
permit tcp any host serverA eq x   (one line per required TCP port: x, y, z)
permit udp any host serverA eq a   (one line per required UDP port: a, b, c)
permit ip any host serverA log
We monitor that for a week to make sure that we aren't blocking any legitimate traffic. We check the hit counts on the permit ip any lines to see if there is a potential issue. Once we are happy (after making any necessary changes), we change the permit ip any to deny ip any.
It is extremely tedious, but there doesn't appear to be any better way. I definitely recommend using netflow if your topology permits. nfdump is a great open source application that allows you to grep the netflow data -- it has scaled much better for us than using tcpdump for sniffing.
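As an added illustration of the workflow in the reply above (not code from the original thread or from any Cisco or nfdump tool), the script below turns observed flow records into the per-server ACL skeleton described: one permit line per observed port, then a per-host "permit ip ... log" catch-all that is switched to deny once the learning period is over. The flow lines are constructed samples; the whitespace-separated "proto dst_ip dst_port packets" shape is an assumption about how you would export the netflow data, and the ACL name INSIDE_IN is a placeholder.

```python
"""Build per-server ASA ACL lines from observed flows (added example)."""
from collections import defaultdict

# Constructed sample flows: protocol, destination IP, destination port, packet count.
# Assumed export shape; real nfdump output would be reformatted into this form.
SAMPLE_FLOWS = """\
TCP 10.1.1.5 443 1200
TCP 10.1.1.5 443 87
TCP 10.1.1.5 22 3
UDP 10.1.1.5 53 40
TCP 10.1.1.6 3389 12
ICMP 10.1.1.6 0 5
"""


def parse_flows(text, min_packets=10):
    """Return {dst_ip: {"tcp"|"udp": set(ports)}} for flows above a packet threshold.

    Low-volume flows are dropped as noise; anything genuinely needed that falls
    below the threshold will show up on the per-host 'permit ip ... log' line
    during the monitoring week, which is the safety net the reply relies on.
    """
    totals = defaultdict(int)
    for line in text.splitlines():
        proto, dst, port, pkts = line.split()
        totals[(proto.upper(), dst, int(port))] += int(pkts)
    seen = defaultdict(lambda: defaultdict(set))
    for (proto, dst, port), pkts in totals.items():
        if proto in ("TCP", "UDP") and pkts >= min_packets:
            seen[dst][proto.lower()].add(port)
    return seen


def build_acl(seen, acl_name="INSIDE_IN", learning=True):
    """Emit ASA access-list lines; the catch-all is permit+log while learning, deny after."""
    lines = []
    for dst in sorted(seen):
        for proto in ("tcp", "udp"):
            for port in sorted(seen[dst].get(proto, ())):
                lines.append(f"access-list {acl_name} extended permit {proto} any host {dst} eq {port}")
        action = "permit" if learning else "deny"
        lines.append(f"access-list {acl_name} extended {action} ip any host {dst} log")
    return lines


if __name__ == "__main__":
    print("\n".join(build_acl(parse_flows(SAMPLE_FLOWS))))
```

Run it twice: once with learning=True to generate the monitoring-phase policy, and again with learning=False when the hit counts on the log lines have gone quiet.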
We have configured the outside and inside Interface with official IPv6 addresses, set a default route on the outside Interface to our router, and we also have defined a rule, which also gets hits, to permit tcp from the inside Interface to any6.
In Syslog I also se...