Download firewall_audit - Cisco Support Community
Firewall Audit
The firewall is the first line of defense for protecting corporate data. Installing the firewall
requires enabling interfaces, defining zones, access rules and device management. The
security engineer should deploy firewall configuration and design best practices for optimized
security. The default settings cause security problems that leave company data vulnerable to
hacker attacks. The following is a survey of firewall security best practices from Cisco and
industry standards groups. They include specific recommendations for firewall configuration,
management and security policies.
- Run Cisco Active Advisor regularly for life cycle alerts (PSIRT etc.)
- Configure granular Access Control Lists (ACLs) and application ports
- Log all transactions, including user sign-on and configuration changes
- Configure security alerts from the NMS and vendor notifications to email
- Log denied traffic with ACLs
- Configure complex passwords with a minimum length of 12 characters
- Change passwords every 60 days
- Encrypt firewall management passwords
- Configure AAA server keys and timeout
- Deploy SNMPv3 for encryption
- Configure complex SNMP community strings
- Configure failover keys between firewalls
- Manage firewalls from ASDM or Cisco Security Manager
- Manage the CLI from the LAN interface or a dedicated management interface
- Turn off Telnet, SSH and SSL services
- Define a VTY access list with permitted source addresses
- Define an SNMP access list with permitted source traffic
- Disable SNMP on firewall public interfaces
- Turn off all unused or vulnerable network services
- Disable CDP on all router public interfaces
- Enable DNS snooping
- Configure static routing between internet routers and DMZ switches
- Deploy private RFC 1918 IP addressing
- Configure Network Address Translation (NAT)
- Define granular outside, DMZ and inside security zones
- Configure network and service objects for creating rules
- Test firewall rules and ACLs from the outside network
- Test firewall failover
- Add script descriptions to optimize support and troubleshooting
- Run vulnerability assessment testing every 30 days
- Enable the Firepower malware filter, Cisco CWS and IPS
- Use the most specific ACLs possible for rules
- Avoid rules that allow any source/destination to any server port
- Delete rules that are redundant and have no effect
- Add comment descriptions for ACLs, e.g. access-list 100 remark [text]
Copyright © 2016 Shaun Hummel All Rights Reserved
- Run show log to examine firewall errors
- Match security zones to network interfaces
- Do not configure direct connectivity between the internet zone and the server farm zone. Instead configure a DMZ zone between them for traffic filtering control.
- Configure UDP for zone transfers instead of TCP, which has known vulnerabilities
- Lab test firewall changes with VIRL or a lab setup
- Establish a policy to send email to the firewall group when a server is removed
- Add a deny ip any any log command at the end of each access-list so that packets matching no rule are dropped by an explicit deny rule and recorded in the log file
- Run firewall# show access-list [number] and note the hit count. ACLs with no hits are unused and not required; server IP addresses are often reassigned without alerting the security group.
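As an added example, not part of the original checklist: a Python script that parses ASA show access-list output and reports the three findings the list above asks for (zero-hit ACEs, permit any-to-any rules, and ACLs without a trailing deny ip any any log). The sample output is constructed for this example, not captured from a real device.

```python
import re

# Constructed sample of ASA "show access-list" output (made up for this example,
# not captured from a real device); the field layout follows the ASA format.
SAMPLE = """\
access-list outside_in; 4 elements; name hash: 0x12345678
access-list outside_in line 1 remark Web tier
access-list outside_in line 2 extended permit tcp any host 10.1.1.5 eq https (hitcnt=1243) 0x1a2b3c4d
access-list outside_in line 3 extended permit tcp any host 10.1.1.6 eq www (hitcnt=0) 0x2b3c4d5e
access-list outside_in line 4 extended permit ip any any (hitcnt=88) 0x3c4d5e6f
access-list dmz_in; 2 elements; name hash: 0x23456789
access-list dmz_in line 1 extended permit udp host 10.2.2.10 any eq domain (hitcnt=512) 0x4d5e6f70
access-list dmz_in line 2 extended deny ip any any log (hitcnt=17) 0x5e6f7081
"""

# One ACE line: ACL name, line number, action, the rule body, and the hit counter.
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) extended (?P<action>permit|deny) "
    r"(?P<rule>.+?) \(hitcnt=(?P<hits>\d+)\)"
)

def parse_aces(text):
    """Map ACL name -> list of ACEs in order; remark and header lines are skipped."""
    acls = {}
    for raw in text.splitlines():
        m = ACE_RE.match(raw)
        if m:
            acls.setdefault(m["acl"], []).append(
                {"line": int(m["line"]), "action": m["action"],
                 "rule": m["rule"], "hits": int(m["hits"])})
    return acls

def unused_aces(acls):
    """ACEs with a zero hit count: confirm with the owner, then delete (checklist item)."""
    return [(n, a["line"], a["rule"]) for n, aces in acls.items()
            for a in aces if a["hits"] == 0]

def any_any_permits(acls):
    """Permit ACEs whose source and destination are both 'any' (checklist says avoid)."""
    return [(n, a["line"]) for n, aces in acls.items() for a in aces
            if a["action"] == "permit" and a["rule"].split()[1:3] == ["any", "any"]]

def missing_explicit_deny(acls):
    """ACLs not ending in 'deny ip any any log', so unmatched traffic is never logged."""
    return [n for n, aces in acls.items()
            if not (aces[-1]["action"] == "deny" and aces[-1]["rule"] == "ip any any log")]

if __name__ == "__main__":
    acls = parse_aces(SAMPLE)
    for finding in unused_aces(acls):
        print("zero hits:", finding)
    for finding in any_any_permits(acls):
        print("permit any->any:", finding)
    for name in missing_explicit_deny(acls):
        print("no trailing 'deny ip any any log':", name)
```

Paste the real show access-list output in place of SAMPLE to run it against a device's ACLs.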
Cisco IOS Commands (CLI)
Show ASA Code, License, Serial Number, Memory, Uptime: # show version
Show Running Configuration: # show running-config
Show Syslog Settings and Messages Log: # show logging
Show Configured VLANs: # show vlan
Show All Interface Details: # show interface detail
Show ARP Table: # show arp
Show Connection Information: # show conn [detail]
Show Start-Up Configuration: # show configuration
Show IKE Connectivity: # show crypto isakmp sa
Show IPsec Connectivity: # show crypto ipsec sa
Show IKEv1 SA Details: # show crypto ikev1 sa detail
Show IKEv2 SA Details: # show crypto ikev2 sa detail
Show Power, Fan, Temperature: # show environment
Show Firewall Mode: # show firewall
Show IPS Information: # show ips
Show All Interfaces: # show interface
Show Redundancy Status and Configuration: # show failover
Show Chassis Serial Number and PID: # show inventory
Show Security Context: # show mode
Show Modules, MAC Address, ASA Code: # show module
Show NAT Policies and Counters: # show nat [detail]
Show Password Encryption Settings: # show password encryption
Show Various Performance Metrics: # show perfmon
Show CPU Utilization: # show proc cpu-usage [cpu-hog]
Show Memory Utilization Detail: # show processes memory
Show Firewall Route Table: # show route
Show Packet Rate and Drops Per Interface: # show traffic
Show NAT Translation Table: # show xlate
Security Audit Tools
1. Nipper Studio
This is a configuration auditing tool designed to harden switches, routers and firewalls
through examining and listing current security vulnerabilities.
2. Firemon Security Manager
This is a firewall management solution that provides automated change management, policy
optimization and risk assessment.
3. Check Point CPDB2HTML
This security tool exports the Check Point firewall security configuration to a readable HTML or
XML format for easier analysis. It enables review of the current firewall configuration and rules.
4. Nmap
This is an open source scanner used for detecting hosts, services enabled, operating
systems and firewalls. It is typically used for multi-platform network discovery and
vulnerability testing.
5. Firewalk
This is a firewall configuration audit tool that determines all layer 4 protocols permitted to
pass through the current firewall to internal servers.
6. Nessus Cloud Scan
This provides external and internal detection, scanning and auditing of enterprise
infrastructure along with support for verifying PCI DSS compliance.
7. Skybox Audit
This is a firewall security management solution that provides vulnerability assessment, policy
compliance monitoring and rule life cycle management.