New Member

protecting a web server

I have set up my ASA 5505 with a DMZ, and in the DMZ I have my web server. Is it possible for my server to be attacked by hackers? What do I need to do to "harden" the config and make sure I avoid ANY attacks on my server? Most of my users access this server via FTP and this is a vulnerability; I need to harden my ASA 5505 in this place.

5 REPLIES
VIP Purple

protecting a web server

First: you will never make your server 100% secure, but with some effort you can raise the bar so much that a casual attacker won't have much luck with it.

Some things to do:

1) Host-security / patch-management. That depends on the OS and the application you use.

2) Application inspection on the ASA. The ASA can inspect many protocols for protocol conformance and application-layer attacks. Those are the layer 5-7 policy-maps. They are available for both of the protocols you use, FTP and HTTP. For that you first have to understand the applications and the protocol they are using.

3) Use IPS. The built-in IPS of the ASA is completely outdated, so a module is needed. For the 5505 the module has been announced EOL, so it's probably not an option.

So you are left with hardening the server and then looking into the Layer 7 policies.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
New Member

protecting a web server

Hi Karsten,

Thanks for the response. Please see below: are those the application inspections you are referring to? I didn't configure them though, they were there by default. Do I need to change anything?

thanks.

class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp

VIP Purple

protecting a web server

No, that's the Layer 3-4 inspection. Here is the link to the L7 inspection in the config guide:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/inspect_basic.html#wp2161256

Before you can start on configuring that you have to know exactly how you want to protect the protocol.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
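As an added example (not part of Karsten's reply or the config guide he links), this is what the Layer 7 FTP inspection he refers to looks like in ASA 8.4 CLI, applied on top of the default global policy shown earlier in the thread. The map name DMZ-FTP-L7 is an arbitrary choice, and the command list assumes the DMZ users only need to list, download and upload files.

```cisco
! Added example, not from the original thread: a Layer 7 FTP inspection
! policy-map for an ASA 8.4 protecting an FTP/web server in the DMZ.
! "DMZ-FTP-L7" is an assumed name; pick your own.
policy-map type inspect ftp DMZ-FTP-L7
 parameters
  ! hide the server greeting and the SYST reply so the FTP daemon
  ! and OS version are not advertised to whoever connects
  mask-banner
  mask-syst-reply
 ! users only list, download and upload; reset and log any session that
 ! tries to delete, rename, create/remove directories or use SITE commands
 match request-command appe dele mkd rmd rnfr rnto site stou
  reset log
!
! swap the default (non-strict) FTP inspection in the global policy for
! strict, RFC-conformance inspection tied to the map above
policy-map global_policy
 class inspection_default
  no inspect ftp
  inspect ftp strict DMZ-FTP-L7
!
! confirm the map is attached and watch the reset counters grow
show service-policy inspect ftp
```

Strict mode resets a session that sends a new command before the reply to the previous one has arrived, which some scripted or pipelining clients do, so test it against the FTP clients your users actually run before leaving it in place.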
New Member

protecting a web server

Hi Karsten,

Is there an easy way to do this, like through ASDM? I have tried to go through the link you pasted, but eesh, I don't get it. I am not the best of ASA admins. Thanks for the link too!

VIP Purple

protecting a web server

Yes, you can configure that also through ASDM, but it's still complex:

http://www.cisco.com/en/US/docs/security/asa/asa84/asdm64/configuration_guide/inspect_basic.html#wp2161256

Perhaps you should first focus on the host-security of your server.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni