Firewall Audit

The firewall is the first line of defense for protecting corporate data. Installing the firewall requires enabling interfaces, defining zones, access rules and device management. The security engineer should deploy firewall configuration and design best practices for optimized security. The default settings cause security problems that leave company data vulnerable to hacker attacks. The following is a survey of firewall security best practices from Cisco and industry standards groups. They include specific recommendations for firewall configuration, management and security policies.

- Run Cisco Active Advisor regularly for life cycle alerts (PSIRT etc.)
- Configure granular Access Control Lists (ACLs) and application ports
- Log all transactions including user sign-on and configuration changes
- Configure security alerts from NMS and vendor notifications to email
- Log denied traffic with ACL
- Configure complex passwords with minimum length 12 characters
- Change password every 60 days
- Encrypt firewall management passwords
- Configure AAA server keys and timeout
- Deploy SNMPv3 for encryption
- Configure complex SNMP community strings
- Configure failover keys between firewalls
- Manage firewalls from ASDM or Cisco Security Manager
- Manage the CLI from LAN interface or dedicated management interface
- Turn off Telnet, SSH and SSL services
- Define VTY access list with permitted source addresses
- Define SNMP access list with permitted source traffic
- Disable SNMP on firewall public interfaces
- Turn off all unused or vulnerable network services
- Disable CDP protocol on all router public interfaces
- Enable DNS snooping
- Configure static routing between internet routers and DMZ switches
- Deploy private RFC 1918 IP addressing
- Configure Network Address Translation (NAT)
- Define granular outside, DMZ and inside security zones
- Configure network and service objects for creating rules
- Test firewall rules and ACLs from outside network
- Test firewall failover
- Add script descriptions to optimize support and troubleshooting
- Run vulnerability assessment testing every 30 days
- Enable Firepower malware filter, Cisco CWS and IPS
- Use the most specific ACLs possible for rules
- Avoid rules that allow any source/destination to any server port
- Delete rules that are redundant and have no effect
- Add comment descriptions for ACLs: access-list 100 remark [text]
- Run show log to examine firewall errors
- Match security zones to network interfaces
- Do not configure direct connectivity between the internet zone and the server farm zone. Instead configure a DMZ zone between them for traffic filtering control.
- Configure UDP for zone transfers instead of TCP that has known vulnerabilities
- Lab test firewall changes with VIRL or lab setup
- Promote a policy to send email to the firewall group when a server is removed
- Add a deny ip any any log command at the end of each access-list so that any packet matching no rule is dropped by an explicit deny rule and recorded in the log file
- Run firewall# show access-list [number] and note the hit count. Unused ACLs will have no hits, so they are not required.
- Server IP addresses are often reassigned without alerting the security group

Copyright © 2016 Shaun Hummel All Rights Reserved
Cisco IOS Commands (CLI)

Show ASA Code, License, Serial Number, Memory, Uptime: # show version
Show Running Configuration: # show running-config
Show Syslog Settings and Messages Log: # show logging
Show Configured VLANs: # show vlan
Show All Interface Details: # show interface detail
Show ARP Table: # show arp
Show Connection Information: # show conn [detail]
Show Start-Up Configuration: # show configuration
Show IKE Connectivity: # show crypto isakmp sa
Show IPsec Connectivity: # show crypto ipsec sa
Show IKEv1 SA Details: # show crypto ikev1 sa detail
Show IKEv2 SA Details: # show crypto ikev2 sa detail
Show Power, Fan, Temperature: # show environment
Show Firewall Mode: # show firewall
Show IPS Information: # show ips
Show All Interfaces: # show interface
Show Redundancy Status and Configuration: # show failover
Show Chassis Serial Number and PID: # show inventory
Show Security Context: # show mode
Show Modules, MAC Address, ASA Code: # show module
Show NAT Policies and Counters: # show nat [detail]
Show Password Encryption Settings: # show password encryption
Show Various Performance Metrics: # show perfmon
Show CPU Utilization: # show proc cpu-usage [cpu-hog]
Show Memory Utilization Detail: # show processes memory
Show Firewall Route Table: # show route
Show Packet Rate and Drops Per Interface: # show traffic
Show NAT Translation Table: # show xlate

Security Audit Tools

1. Nipper Studio. This is a configuration auditing tool designed to harden switches, routers and firewalls by examining and listing current security vulnerabilities.
2. Firemon Security Manager. This is a firewall management solution that provides automated change management, policy optimization and risk assessment.
3. Checkpoint CPDB2HTML. This security tool exports the Checkpoint firewall security configuration to a readable HTML or XML format for easier analysis. It enables analysis of the current firewall configuration and rules.
4. Nmap. This is an open source scanner used for detecting hosts, enabled services, operating systems and firewalls. It is typically used for multi-platform network discovery and vulnerability testing.
5. Firewalk. This is a firewall configuration audit tool that determines all layer 4 protocols permitted to pass through the current firewall to internal servers.
6. Nessus Cloud Scan. This provides external and internal detection, scanning and auditing of enterprise infrastructure along with support for verifying PCI DSS compliance.
7. Skybox Audit. This is a firewall security management solution that provides vulnerability assessment, policy compliance monitoring and rule life cycle management.