Feature

Explanation

Restrict Infrastructure Device Accessibility

Review all available terminal and management ports and services

!shows all the interfaces to see what has been used as management
 sh run ssh

after that make sure only the designated management interface is used for management ,and only a few authorized hosts are allowed to manage the device

Disable all terminal and management ports that are not explicitly required or actively being used

!Disables interface Ethernet1(inside) found to be used for other purposes

No interface ethernet1
No ssh 1.1.1.0 255.255.255.0 inside
No telnet 1.1.1.0 255.255.255.0 inside

Only permit device access through required and supported services and protocols, using only secure access protocols such as SSH and HTTPS where possible

!enables SSH and HTTP access for gui access to the management Interface 
ssh 1.1.1.0 255.255.255.0 management
http 1.1.1.0 255.255.255.0 management

Only accept access attempts to authorized ports and services from authorized originators

! only accepts access from range 1.1.1.0 to manage the device
ssh 1.1.1.0 255.255.255.0 inside

Deny outgoing access unless explicitly required and log the attempts

!it will log all the unsuccessful attempts for outbound or inbound access to the network   

Access-list inside extended deny ip any any log

Authenticate all terminal and management access using centralized (or local) AAA

!using AAA server or Cisco ACS tacacs is achieved by the bellow commands on the firewall

aaa-server TACACS+ protocol tacacs+
reactivation-mode depletion deadtime 1
aaa-server TACACS+ (inside) host 192.168.1.1
timeout 2
key test

Authenticate all EXEC level terminal and management access using centralized (or local) AAA

Dedicated interface for management purposes. No data traffic can traverse it.

interface Management0/0
description ***Management***
nameif Management
security-level 92
ip address 172.16.11.237
management-only

Enforce an idle timeout to detect and close inactive sessions

Enforce an active session timeout to restrict the maximum duration of a session prior to re-authentication

!on cisco switch
login block-for 1800 attempts 3 within 300
login on-failure log every 2

!on cisco asa

aaa-server TACACS+ protocol tacacs+
reactivation-mode depletion deadtime 1
aaa-server TACACS+ (inside) host 192.168.1.1
max-failed attempts 2

Enforce Session Management

Detect and close hung sessions, e.g. using keepalives

! On cisco switches
exec-timeout 5

!  On cisco ASA
Ssh timeout 5

Enforce a strong password policy (may be done on the AAA server)

Enforce a lockout period upon multiple authentication failure attempts within a defined time window (may be done on the AAA server)

for Cisco ASA best practices document please visit our page
http://www.security-solutions.co.za/cisco-acs-best-practices.html

Restrict Device Access Vulnerability to Dictionary and DoS Attacks

Restrict the maximum number of concurrent sessions and use ssh v2

The cisco asa concurrent session is 5 by default and can’t be changed
 Ssh version 2

Present legal notification banner upon all terminal, management and privileged EXEC level access

banner exec ************** this is a test banner

Employ strong secrets for authentication between the AAA server and NAS

Legal Notification and login messages

User Login acknowledge of legal warning messages must be recorded and alerted upon

banner exec **** this is a test legal notification

Web-based GUI Access

Restrict access to HTTPS only if web access required

http server enable
http 1.1.1.1 255.255.255.255 management

Authenticate and authorize all web access using centralized (or local) AAA

aaa authentication http console TACACS+ LOCAL

Authorize all web access using centralized (or local) AAA

SNMP Access

Only use SNMP v3 where possible as its most secure

snmp-server host admin 172.16.1.12 community BasdasdReadonly version 3

Delete default community strings

No snmp-server community read-only

Only permit SNMP access from authorized originators

snmp-server host admin 172.16.1.12 community BasdasdReadonly version 3

Only enable minimum required access, e.g. read-only

snmp-server host admin 172.16.1.12 community BasdasdReadonly version 3

Define strong, non-trivial community strings where SNMP required

snmp-server host admin 172.16.1.12 community BasdasdReadonly version 3

Configure NTP across.

Locally Stored Information Protection

Log all successful interactive device management access using centralized AAA or an alternative, e.g. syslog

Infrastructure Device Management Access Logging

Log all successful privileged EXEC level device management access using centralized AAA or an alternative, e.g. syslog.Several different logging destinations must be used so that log tampering becomes more difficult

Logging at AAA server must be configured
Logs stored at AAA server locally must be backed up regularly
Logs at the AAA must be exported to 2 different syslog destinations
Refer to this page for those configurations

!asa syslog destinations must be specified
Logging enable
Logging timestamp
logging host admin 172.16.1.12
logging host admin 172.16.1.19

Log all failed interactive device management access using centralized AAA or an alternative, e.g. syslog

%PIX|ASA-6-113005: AAA user authentication Rejected: reason
%PIX|ASA-6-113006: User user locked out on exceeding number successive
failed authentication attempts

Log all commands entered at a privileged EXEC level using centralized AAA or an alternative.Log the command to remove logging enabled from any device and send high level alert of who implemented it .

That’s achieved by enabling the AAA server but also the syslog entries can be exported to an external syslog destination by using the command

logging host admin 172.16.1.12

Send an SNMP trap on community name authentication failures to track failed access attempts

Send an SNMP trap for configuration changes and environmental monitor threshold and configuration changes

Traps for snmp include:
• authentication
• linkup
• linkdown
• coldstart

 snmp-server enable traps all

Secure File Management

Device software image verification, e.g. MD5

Device Management Best Common Practices

Assign unique, per-user accounts

Remove default accounts and passwords

!user the bellow example to remove the default settings and assign new passwords

 No username cisco
enable secret difficult.password
password difficult.password1

Force users to periodically change their password

Define multiple servers for redundancy, e.g. AAA, NTP, syslog, SNMP.Those devices should ideally be located on a Disaster Recovery Site

aaa-server TACACS+ (inside) host 192.168.1.1
timeout 2
key test
aaa-server TACACS+ (inside) host 192.168.1.2
timeout 2
key test

ntp server 1.1.1.1
ntp server 1.1.1.2

logging host admin 172.16.1.12
logging host admin 172.16.1.19

Only grant minimum access privileges

 Privilege level 2 is for Remove vpn access only
Privilege 15 is for administrators access
If you are considering read only access to your network device you need to use shell authorization sets that will limit the access of the user to the system .A print screen is attached of such authorization set that will allow read only privileges for users but not executive level 15 on the devices

Review the password recovery settings

The Modular policy framework coming out of the asa is default and needs to be tweaked according to network requirements

Use the Guide provided from Cisco to enable some more advanced features on that powerful feature.

http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/mpc.html

Update to latest release with 0 down time

If you are struggling to manage an upgrade of your device without any network disruption please follow this procedure

Vulnerability assessments to the ASA and devices behind it

Don’t try this at  home kind  of thing rather leave it to the pros

Performing a Brute force attack and targeted attacks is usually best left to professionals especially when dealing with live hosts and production traffic .But in case you feel confident that you know what you are doing you can attempt a scan yourself using some freely available tools like Nessus or Qualys that’s a paid service and product.
Just make sure you are doing this after peak production hours so that if you bring down your server with a targeted attack you will have time to recover from this adverse situation.

Links to the above respectively
http://www.nessus.org/products/nessus
http://www.qualys.com/products/qg_suite/

Cisco ASA Redundant Pair Failover Setup

Please refer to this page in our conjuration section for more information on how to achieve proper redundant configuration

cisco-asa-best-security-configuration-examples.html

Leave the common network services to the hardened appliances

Only allow traffic from a specific hosts Mail server ,DNS server and Proxy server to access the internet

On the Cisco ASA only allow certain hosts to go out of the network for the common services e.g.

Access-list permitonlyappliances extended permit ip host 1.1.1.1 eq http
Access-list permitonlyappliances extended permit ip host 1.1.1.2 eq dns

Access-list permitonlyappliances extended permit ip host 1.1.1.1 eq smtp
Access-list permitonlyappliances extended deny ip any any

The reason why appliance should perform these functions is as there are better equipped to do so.
They will provide better service faster and at more securely and at a higher uptime rate than non-dedicated appliances

Some respected DHCP ,DNS,NTP product
http://www.infoblox.com/en/products.html
Some respected Mail Server appliance
www.mirapoint.com
Some respected Proxy server
www.bluecoat.com

DMZ to inside restrict

suppliers must access data on public Web or FTP servers in the DMZ that’s only allowed minimal interaction with internal resources

This is an example of least access granted access list

Grant the third party access only to the required resource from the outside

access-list outside extended permit tcp any host 196.34.43.1 eq http

then from the dmz inward permit only ftp access or whatever access is required to the inside so by segment this kind of traffic you won’t expose your inside network to an attack in case the dmz server is compromised

access-list dmz extended permit tcp host 1.1.1.1 host 192.168.1.1 eq ftp

Unicast RPF rules  (use with caution)

Proceed with extreme caution unless you aim to break you network.

As mentioned please make sure you understand that particular feature before applying that configuration as it has potentially disastrous consequences.

interface FastEthernet 0/0
ip verify reverse-path

Detect problems on the network  using Security Event Management tools

Cisco mars or Cisco Ips manager express are excellent products that can provide vital info to prevent DoS attacks or to report and alert upon network emergencies

Using the above configured SNMP traps and Syslog hosts you need obtain an intelligent device that will analyze the terabytes of logs and produce some meaningful alert to the appropriate personnel
An example of that kind of alert would be a triggered correlation rule producing an email alert sms alert or snmp alert in the CS MARS for some of the bellow critical situations .

!The bellow rule on mars triggers when configuration changes are !performed on any monitored device
Configuration changes
System Rule: Modify Network Config

!The bellow rule on mars triggers when cpu or memory is exceeding specified parameters

Resource utilizations threshold
System Rule: DoS: Network - Success Likely
System Rule: DoS: Network Device - Success Likely
System Rule: Resource Issue: Network Device

!The bellow rule on mars triggers when a device fails over to its !partner usually indicating some problem on the device on network

Failover messages
System Rule: Operational Issue: Firewall
System Rule: State Change: Network Device

If you are using a cisco AIP module in your ASA strongly consider downloading and using the Cisco IME tool .Unparalleled in its usefulness in typical Cisco Fashion

http://www.cisco.com/cisco/software/type.html?mdfid=282052550&catid=null

routing table protection

Use authentication or static routes

rip authentication mode md5
rip authentication key test key_id 1

or static routes usually a pain in the neck to configure but considered more secure
route outside 169.2.2.2 255.255.255.255 172.16.1.1

Business Continuity

Consider creating a DR site or Critical servers and device back up by third party solutions

If your business is critical and it does not tolerate down consider protecting it against the adversities of life and make use of some business continuity service or build your own Disaster Recovery site
Some links for that respectively

www.continuitysa.co.za/
http://www.cisco.com/warp/public/63/disrec.pdf

Physical Security

Make sure all the servers are locked in securely and access to them is restricted usually by biometric etc.

Make sure you use latest technologies in order to protect your data center from physical breaches

http://www.thirdfactor.com/2011/01/27/biometric-solutions-for-physical-access-control

Logical User Access controls

Make sure you follow some sort of security policy to restrict control and monitor the access of user to the resources

Make sure you control the users access to the resource adequately
After all 90% of all attacks known are caused by social engineering attacks.

http://www.security-solutions.co.za/cisco-acs-best-practices.html

ROOT or Local console device passwords

local passwords  from viewing and copying. Procedure must be in place to obtain console or root access to the firewalls and password must be changed after the emergency is resolved

Dual factor authentication and one time only access to

RSA or Active Card dual factor authentication vendors provide some extra security.

Consider using a Dual factor authentication mechanism for your most critical assets and entries into the network .RSA is my choice of vendor for the job even after recent negative publicity

www.rsa.com
below is document describing a typical deployment scenario using a Cisco ASA and RSA server to implement dual factor authentication from cisco .It can get pretty hairy if you haven’t attempted it before but the principles are sound and logical any reasonable person should be able to follow that example  from RSA and from Cisco

www.rsa.com/rsasecured/guides/imp_pdfs/Cisco_ASA_AuthMan61.pdf

www.rsa.com/rsasecured/guides/imp_pdfs/Cisco_ASA_AuthMan7.1.pdf

Remote Access to management network via vpn

The benefits of DACLS or downloadable access lists are universally great. Used properly they can be a powerful tool to restrict access to mobile users to only a few resources regardless the entry point into the network .Bellow screen is from Cisco ACS server 4.2 but that DACL syntax hasnt changed even for the latest Cisco ACS 5.2 .

Configure a VPN idle timeout to ensure VPN tunnels do not stay up indefinitely