Community.cisco.com



Firewall Audit

The firewall is the first line of defense for protecting corporate data. Installing the firewall requires enabling interfaces and defining zones, access rules and device management. The security engineer should apply firewall configuration and design best practices for optimized security; the default settings cause security problems that leave company data vulnerable to hacker attacks. The following is a survey of firewall security best practices from Cisco and industry standards groups. They include specific recommendations for firewall configuration, management and security policies.

- Run Cisco Active Advisor regularly for life cycle alerts (PSIRT etc.)
- Configure granular Access Control Lists (ACLs) and application ports
- Log all transactions, including user sign-on and configuration changes
- Configure security alerts from NMS and vendor notifications to email
- Log denied traffic with ACL
- Configure complex passwords with a minimum length of 12 characters
- Change passwords every 60 days
- Encrypt firewall management passwords
- Configure AAA server keys and timeout
- Deploy SNMPv3 for encryption
- Configure complex SNMP community strings
- Configure failover keys between firewalls
- Manage firewalls from ASDM or Cisco Security Manager
- Manage the CLI from the LAN interface or a dedicated management interface
- Turn off Telnet, SSH and SSL services
- Define a VTY access list with permitted source addresses
- Define an SNMP access list with permitted source traffic
- Disable SNMP on firewall public interfaces
- Turn off all unused or vulnerable network services
- Disable the CDP protocol on all router public interfaces
- Enable DNS snooping
- Configure static routing between internet routers and DMZ switches
- Deploy private RFC 1918 IP addressing
- Configure Network Address Translation (NAT)
- Define granular outside, DMZ and inside security zones
- Configure network and service objects for creating rules
- Test firewall rules and ACLs from the outside network
- Test firewall failover
- Add script descriptions to optimize support and troubleshooting
- Run vulnerability assessment testing every 30 days
- Enable the Firepower malware filter, Cisco CWS and IPS
- Use the most specific ACLs possible for rules
- Avoid rules that allow any source/destination to any server port
- Delete rules that are redundant and have no effect
- Add comment descriptions for ACLs: access-list 100 remark [text]
- Run show log to examine firewall errors
- Match security zones to network interfaces
- Do not configure direct connectivity between the internet zone and the server farm zone. Instead, configure a DMZ zone between them for traffic filtering control.
- Configure UDP for zone transfers instead of TCP, which has known vulnerabilities
- Lab test firewall changes with VIRL or a lab setup
- Promote a policy to send email to the firewall group when a server is removed
- Add a deny ip any any log command at the end of each access-list, so that traffic not matching any rule is dropped by an explicit deny rule and recorded in the log file
- Run firewall# show access-list [number] and note the hit count. Unused ACLs will have no hits and so are not required. Server IP addresses are often reassigned without alerting the security group.
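As an added example (not from the Cisco community post), the following Python script applies three of the checklist items above to the output of show access-list: it flags permit entries with a zero hit count, permit entries from any source to any destination with no port restriction, and access-lists that do not end with deny ip any any log. The sample output is constructed in the ASA show access-list line format and is not captured from a real device; the (hitcnt=N) counter is what the checklist tells you to note.

```python
import re

# Constructed sample in the ASA "show access-list" output format (not from a real device).
SAMPLE_SHOW_ACL = """\
access-list outside_in; 4 elements; name hash: 0x1a2b3c4d
access-list outside_in line 1 extended permit tcp any host 192.0.2.10 eq www (hitcnt=1532) 0x0a0b0c0d
access-list outside_in line 2 extended permit tcp any host 192.0.2.10 eq https (hitcnt=0) 0x0e0f1011
access-list outside_in line 3 extended permit ip any any (hitcnt=77) 0x12131415
access-list outside_in line 4 extended deny ip any any log (hitcnt=88) 0x16171819
access-list dmz_in line 1 extended permit udp host 192.0.2.53 any eq domain (hitcnt=412) 0x1c1d1e1f
access-list dmz_in line 2 extended permit tcp any any (hitcnt=0) 0x20212223
"""

# One access-control entry (ACE); "rest" is the text between the protocol and
# the hit counter, e.g. "any host 192.0.2.10 eq www". Summary lines do not match.
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) extended "
    r"(?P<action>permit|deny) (?P<proto>\S+) (?P<rest>.*?) \(hitcnt=(?P<hits>\d+)\)"
)

def parse_show_access_list(text):
    """Return a list of ACE dicts in device order."""
    aces = []
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if m:
            ace = m.groupdict()
            ace["line"], ace["hits"] = int(ace["line"]), int(ace["hits"])
            aces.append(ace)
    return aces

def audit_acls(aces):
    """Return (acl, line, code) findings: 'unused' = permit with hitcnt=0,
    'any_any' = permit any source to any destination with no port restriction,
    'no_final_deny_log' = ACL does not end with 'deny ip any any log'."""
    by_acl = {}
    for a in aces:
        by_acl.setdefault(a["acl"], []).append(a)
    findings = []
    for acl, entries in by_acl.items():
        for a in entries:
            if a["action"] == "permit" and a["hits"] == 0:
                findings.append((acl, a["line"], "unused"))
            if a["action"] == "permit" and a["rest"] == "any any":
                findings.append((acl, a["line"], "any_any"))
        last = max(entries, key=lambda a: a["line"])
        if (last["action"], last["proto"], last["rest"]) != ("deny", "ip", "any any log"):
            findings.append((acl, None, "no_final_deny_log"))
    return findings
```

Feed it the saved output of show access-list from each firewall; a permit with zero hits over a full review cycle is the "unused ACL" the checklist says to delete, and an ACL missing the final deny ip any any log entry is one where unmatched traffic is dropped silently rather than logged.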
Cisco IOS Commands (CLI)

Show ASA Code, License, Serial Number, Memory, Uptime: # show version
Show Running Configuration: # show running-config
Show Syslog Settings and Messages Log: # show logging
Show Configured VLANs: # show vlan
Show All Interface Details: # show interface detail
Show ARP Table: # show arp
Show Connection Information: # show conn [detail]
Show Start-Up Configuration: # show configuration
Show IKE Connectivity: # show crypto isakmp sa
Show IPsec Connectivity: # show crypto ipsec sa
Show IKEv1 SA Details: # show crypto ikev1 sa detail
Show IKEv2 SA Details: # show crypto ikev2 sa detail
Show Power, Fan, Temperature: # show environment
Show Firewall Mode: # show firewall
Show IPS Information: # show ips
Show All Interfaces: # show interface
Show Redundancy Status and Configuration: # show failover
Show Chassis Serial Number and PID: # show inventory
Show Security Context: # show mode
Show Modules, MAC Address, ASA Code: # show module
Show NAT Policies and Counters: # show nat [detail]
Show Password Encryption Settings: # show password encryption
Show Various Performance Metrics: # show perfmon
Show CPU Utilization: # show proc cpu-usage [cpu-hog]
Show Memory Utilization Detail: # show processes memory
Show Firewall Route Table: # show route
Show Packet Rate and Drops Per Interface: # show traffic
Show NAT Translation Table: # show xlate

Security Audit Tools

1. Nipper Studio: a configuration auditing tool designed to harden switches, routers and firewalls by examining and listing current security vulnerabilities.
2. Firemon Security Manager: a firewall management solution that provides automated change management, policy optimization and risk assessment.
3. Checkpoint CPDB2HTML: a security tool that exports the Checkpoint firewall security configuration to a readable HTML or XML format for easier analysis of the current firewall configuration and rules.
4. Nmap: an open source scanner used for detecting hosts, enabled services, operating systems and firewalls. It is typically used for multi-platform network discovery and vulnerability testing.
5. Firewalk: a firewall configuration audit tool that determines all layer 4 protocols permitted to pass through the current firewall to internal servers.
6. Nessus Cloud Scan: provides external and internal detection, scanning and auditing of enterprise infrastructure, along with support for verifying PCI DSS compliance.
7. Skybox Audit: a firewall security management solution that provides vulnerability assessment, policy compliance monitoring and rule life cycle management.