877 Views, 0 Helpful, 3 Replies

firewall assessment document

ronshuster, Level 1

My company requires us to perform a security assessment on our PIX/ASA firewalls. I have about 20+ points that I am currently reviewing on the firewall, but I was wondering if anyone has a document with a checklist of:

- best practice
- vulnerabilities
- etc.

If you don't have one, can you please point me to such a document online.

Thanks

3 Replies

JORGE RODRIGUEZ, Level 10

You can use Cisco Output Interpreter: paste in your PIX/ASA config and it will provide various recommendations based on your configuration.

Output Interpreter: https://www.cisco.com/cgi-bin/Support/OutputInterpreter/home.pl?locale=en

Also check this very good article:

http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci838230,00.html

HTH

Jorge

Jorge Rodriguez,

If you read the article carefully, Cisco ASA firewalls fail this test miserably. According to the article:

"Deny all traffic by default, and only enable those services that are needed."

Doesn't the ASA, by default, allow traffic from a high security level interface to a low security level interface?

At least with version 6.x, this is not possible due to the NAT nature of the code. In versions 7.x and 8.x, "no nat-control" is enabled by default on the ASA. Therefore, infected hosts on the high security level interface can infect hosts on the lower security level interface.

Some security device.

cisco24x7: that is a very good point. How would you resolve this issue? Would you, for example, create ACLs to restrict traffic from the inside interface to the DMZ (low security to high?)

Also, in reference to this document:

http://www.nsa.gov/snac/routers/cisco_exec_sum.pdf

Should some of the ACLs in the section titled "Specific Recommendations: Access Lists" also be applied to traffic going from a higher security level to a lower one, such as INSIDE to DMZ?

If you have some examples of a hardened config, that would be very beneficial. We are trying to prevent attacks from the OUTSIDE and the INSIDE as well, and ensure the ASA is fully protected.
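The default behaviour cisco24x7 describes (an interface with no inbound access-group passes everything toward lower security levels) and the inside-to-DMZ ACL asked for in the last post can both be checked mechanically against a running-config. The Python script below is an added example written for this page, not code from the thread, from Cisco or from the NSA guide. It embeds two constructed ASA 7.x/8.x-style configurations (hostnames, interface names, addresses and ACL names are made up), parses the interface security levels, access-lists and access-groups, and flags every interface that relies on the implicit high-to-low permit or carries a `permit ip any any`. The "hardened" config is the "weak" one plus an inbound ACL on inside (443 to the DMZ web server, 80 anywhere) and on dmz (DNS to one internal server), each ending in an explicit logged deny.

```python
"""Audit a Cisco ASA 7.x/8.x-style configuration for the deny-by-default gap
raised in this thread: an interface with no inbound access-group passes all
traffic to every lower-security-level interface, and an ACL that contains
'permit ip any any' has the same effect.  Both configs below are constructed
for this example; they are not taken from the original thread."""
import re

# Constructed "weak" config: outside is filtered, but inside and dmz carry no
# ACL, so the ASA default (permit high -> low security level) is in force.
WEAK_CONFIG = """\
hostname asa-weak
no nat-control
interface GigabitEthernet0/0
 nameif outside
 security-level 0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
!
access-list outside_in extended permit tcp any host 192.168.10.10 eq 443
access-list outside_in extended deny ip any any log
access-group outside_in in interface outside
"""

# Constructed "hardened" config: inside may reach the DMZ web server on 443 and
# any host on 80; dmz may only resolve DNS at one internal server.
HARDENED_CONFIG = WEAK_CONFIG + """\
access-list inside_in extended permit tcp 10.1.1.0 255.255.255.0 host 192.168.10.10 eq 443
access-list inside_in extended permit tcp 10.1.1.0 255.255.255.0 any eq 80
access-list inside_in extended deny ip any any log
access-group inside_in in interface inside
access-list dmz_in extended permit udp host 192.168.10.10 host 10.1.1.53 eq 53
access-list dmz_in extended deny ip any any log
access-group dmz_in in interface dmz
"""

IFACE_RE = re.compile(r"^interface \S+\n((?: .*\n)+)", re.M)
ACL_RE = re.compile(r"^access-list (\S+) (?:extended |standard )?(permit|deny) (\S+) ?(.*)$", re.M)
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$", re.M)


def parse_asa(config):
    """Return (security level by nameif, ACL entries by name, inbound ACL by nameif, nat_control)."""
    if not config.endswith("\n"):
        config += "\n"
    levels = {}
    for block in IFACE_RE.findall(config):  # indented lines under 'interface ...'
        name = re.search(r"^ nameif (\S+)$", block, re.M)
        level = re.search(r"^ security-level (\d+)$", block, re.M)
        if name and level:
            levels[name.group(1)] = int(level.group(1))
    acls = {}
    for name, action, proto, rest in ACL_RE.findall(config):
        acls.setdefault(name, []).append((action, proto, rest.strip()))
    applied = {iface: acl for acl, iface in GROUP_RE.findall(config)}
    return levels, acls, applied, not re.search(r"^no nat-control$", config, re.M)


def audit(config):
    """Return (severity, where, message) findings, highest security level first."""
    levels, acls, applied, nat_control = parse_asa(config)
    findings = []
    for iface, level in sorted(levels.items(), key=lambda kv: -kv[1]):
        lower = sorted(n for n, l in levels.items() if l < level)
        acl = applied.get(iface)
        if acl is None:
            if lower:  # ASA default: no inbound ACL means everything may go high -> low
                findings.append(("high", iface,
                                 f"no inbound access-group; all traffic to {lower} is permitted by default"))
            continue
        entries = acls.get(acl, [])
        if not entries:
            findings.append(("high", iface, f"access-group references undefined ACL {acl}"))
            continue
        if any(a == "permit" and p == "ip" and r.startswith("any any") for a, p, r in entries):
            findings.append(("high", iface, f"{acl} contains 'permit ip any any', which defeats deny-by-default"))
        if entries[-1][0] != "deny":
            findings.append(("low", iface, f"{acl} has no explicit final deny; the implicit deny still applies, "
                                           "but an explicit 'deny ip any any log' shows intent and hit counts"))
    if not nat_control:
        findings.append(("info", "global", "'no nat-control' is set; NAT rules are not an access control, rely on ACLs"))
    return findings


def high_findings(config):
    return [where for sev, where, _ in audit(config) if sev == "high"]


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for sev, where, msg in audit(cfg):
            print(f"[{sev}] {where}: {msg}")
```

To run it against a real device, replace the embedded strings with the text of `show running-config`. The check is deliberately narrow: it does not expand object-groups or the 9.x `any4`/`any6` keywords, and it is a supplement to, not a replacement for, the Output Interpreter and the NSA access-list recommendations linked above.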