For a new Cisco ASA firewall to be installed in a data center and connect it to a network infrastructure for an enterprise organization, as a network administrator or a network engineer or security engineer, it is importance to secure this firewall device with the common security best practices. If a Cisco ASA firewall is compromised to hackers, the whole security of the network infrastructure can be consequently terrible.
In this article will provides the best practices and security hardening configuration for a new Cisco ASA firewall to secure it and also increases the overall security of a network security architecture in an enterprise data center.
In this document of how to configure security hardening on a Cisco ASA firewall for a network security architecture, it is assumed that:
a. You already have Tacacs+ server up and running in your network infrastructure. In case that you don’t, please refer to this link. Configuring Tacacs Plus with Tacacs Plus User Authentication on RHEL/CentOS 7
b. You already have network monitoring server, such as Cacti or Nagios up and running in your network infrastructure. In case that you don’t, please refer to the following links.
Installing Cacti Web-based Network Monitoring on RHEL/CentOS 7
Installing Nagios Core For IT Infrastructure Monitoring on RHEL/CentOS 7
3. Scenario Setup
The following picture show you how we are going to do in this tutorial. There is computer connected to Cisco ASA firewall console port with console cable. The Cisco ASA firewall in Data Center is connected to the network infrastructure via Ethernet connections.
Four dedicated servers for Tacacs+ service for AAA protocol, Network Monitoring System using SNMP protocol, a Central Logging server, and an NTP server are already installed and configured in place. The network administrator or a network engineer is doing the security hardening on Cisco ASA firewall via console interface now and his/her computer also connected to the network security architecture in Data Center.
4. Configure Host Name
In an enterprise Data Center, there are many network devices such as switches, routers, and firewalls which configured for an network infrastructure to function. Setting up host name for those network devices is really important for a manageable network infrastructure because we can easily identify the device’s location and its purpose/function/service with their host name.
# hostname DCFW-INT01
5. Create Local User Admin Account
A local user admin account must be created. So, whenever we access to the Cisco ASA firewall whether via SSH remote management or via console interface, we need to enter a correct username and password first for we gain access to the router. It is also used when Tacacs+ server is not reachable from Cisco ASA firewall.
# username netadmin password XXXX privilege 15 # enable password YYYY # aaa authentication serial console LOCAL # aaa authentication ssh console LOCAL # aaa authentication http console LOCAL # aaa local authentication attempts max-fail 10
6. Configure Management IP
The “inside” interface with the highest security level with number value of 100 is always found on an interface that connect to Local Area Network (LAN). They normally name it as “inside”. We can use this interfaces for SSH remote management access to the Cisco ASA firewall.
# interface gi0/0 nameif inside security-level 100 ip address 10.10.10.1 255.255.255.0
7. Configure SSH Options
SSH is a remote management protocol that the network administrator or a network engineer used to again control access on Cisco ASA firewall because it provides an encrypted and secure remote access management connection. Never use Telnet to gain access to any network devices because telnet connection is in plaintext and your password can be captured easily. The following are some recommend SSH options to be configured.
# domain-name techspacekh.com # crypto key generate rsa modulus 2048 # ssh version 2 # ssh timeout 30
8. Restrict and Secure Remote Management Access
It is very important security configurations to prevent unauthorized SSH remote access management to Cisco ASA firewall, A list of authorized IP address or an authorized IP subnet, must be configured to restrict what IP addresses can remote SSH access to Cisco switch. So, Only the IP addresses of network administrator or a network engineer team is allowed.
# ssh 10.10.10.0 255.255.255.0 inside
9. Restrict Console Access
It is best to set the console sessions idle timeout, so the console interface will be disconnected after a specific time of inactivity.
# console timeout 15
10. Enable Logging
Logging is also important for security hardening configurations on Cisco ASA firewall. To correlate and audit security events Cisco ASA firewall more effectively, It is recommended to send logging information to a remote central syslog server.
# logging buffered informational # logging buffer-size 128000 # logging host inside 10.10.10.7 # logging timestamp # logging console critical
11. Disable Log to Console or Monitor Sessions
It is always advised to send logging information to the local log buffer, which can be viewed with the show logging command rather then to send log messages to monitor and console sessions. The monitor and console sessions are interactive management sessions and it can elevate the CPU load of Cisco ASA firewall.
# no logging console # no logging monitor
12. Enable NTP Server
NTP is very important to have an accurate and uniform clock settings on Cisco ASA firewall for log data to be listed with the correct time and timezone. It helps tremendously in incident handling and proper log monitoring and correlation.
# clock timezone PHN 7 # ntp server 10.10.10.8
13. Restrict and Secure SNMP Access
It is recommend to use a standard SNMP monitoring community strings on every network device with a combination of uppercase characters, lowercase characters, numbers, and special characters. Default strings, such as public or private must be removed. SNMP monitoring must be configured to be accessible from authorized IP only. Only SNMP monitoring version 2.0 and 3 is allowed.
The following is the SNMP monitoring version 2 configuration.
# snmp-server host inside 10.10.10.8 community T@s9aMon version 2c # snmp-server contact email@example.com # snmp-server location DC
The following is the SNMP monitoring version 3 configuration.
# snmp-server group SYSMON v3 priv # snmp-server user nms-v3 SYSMON v3 auth md5 3333 priv 3des 4444
To verify, we can use the following snmpwalk command from network monitoring server.
# snmpwalk -v2c -c A@B9aMon 10.10.10.1 # snmpwalk -v3 -u nms-v3 -A 33331111 -l auth -a MD5 -x DES -X 44442222 10.100.1.36
If you want to know more detail about how SNMP protocol works with network monitoring system, please refer to below links.
Monitoring Cisco Switch With Nagios Core Web Application
Monitoring Huawei Switch S5700 With Nagios Core Web Application
Monitoring Cisco ASA Firewall With Nagios Core Web Application
14. Disable Unused Services
For security hardening best practice, it is recommended to disabled any unnecessary service because they are frequently used for legitimate purposes but can be used in order to launch DoS and other attacks that are otherwise prevented by packet filtering.
# no http server enable # clear configure dhcpd # no dhcpd enable inside
15. Enable Login Banner
Following the publication of the “Computer Misuse Act 1990“, it is strongly recommended that computers should display a banner message before allowing users to log in. The Act stipulates that an offense of unauthorized access can only be committed if the offender knew at the time that the access he intended to obtain was unauthorized. Base on the “Regulation of Investigatory Powers Act 2000” also requires information to be given to users who access the computer. Login banners are the best way to achieve this.
# banner login UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED! You must have explicit permission to access or configure this system. All activities performed on this system may be logged, and violations of this policy may result in disciplinary action, and may be reported to law enforcement. Use of this system shall constitute consent to monitoring. # banner motd AUTHORIZED ACCESS ONLY! If you are not an authorized user, disconnect IMMEDIATELY! All connections are monitored and recorded.
16. Enable Secure Copy
Cisco ASA firewall also relies on SSH to supports the Secure Copy Protocol (SCP), which allows an encrypted and secure connection in order to copy device configurations or software images.
# ssh scopy enable # copy scp://firstname.lastname@example.org//home/username/x flash:
17. Enable Inspection
ICMP and ICMP error inspection engines should be enabled Cisco ASA firewall because it allows ICMP traffic to be inspected in the same way as TCP and UDP traffic. It is recommended not to allow ICMP through the Cisco ASA in an ACL without the ICMP inspection engine enable on Cisco ASA firewall. Without stateful inspection, ICMP can be used to attack a network. The ICMP inspection engine ensures that there is only one response for each request, and that the sequence number is correct.
# policy-map global_policy class inspection_default inspect icmp inspect icmp error
18. Interface Security Level
Cisco ASA bases on security level to determine the traffic flow between the connected interfaces. The security level is known as the number which value between from 0 to 100. The higher the security level assigned to an interface of Cisco ASA firewall, the more trusted interface it is. Traffic can flow from an interface with a higher security level to a lower security level interface without any Access Control List (ACL) to allow. Please kindly refer to below link for more detail about security level on Cisco ASA firewall.
Understanding Security Level in Cisco ASA Firewall Appliance
19. Device Authentication, Authorization, and Accounting
Tacacs+ is a protocols for security with AAA services which are , authentication, authorization, accounting. It is used as a centralized authentication to network devices instead of using local user accounts. It also can provide a specific authorization with centralized access to particular user to work with network devices. With accounting, it gives a mandatory audit logs by logging all actions executed by privileged users.
To configure AAA, Authentication, Authorization, and Accounting on Cisco ASA firewall, Please refer to the following link.
Tacacs Configuration on Cisco ASA 9.x
That’s all about how to configure security hardening on a Cisco ASA firewall for a network security architecture from Tech Space KH. Hopefully, you can find this guide informative. If you have any questions or suggestions you can always leave your comments below. I will try all of my best to review and reply them.