This document provides administrators and engineers guidance on securing Cisco firewall appliances, which increases the overall security of an end-to-end architecture. The functions of network devices are structured around three planes: management, control, and data.
This document is structured around security operations best practices and the three functional planes of a network. In addition, this document provides an overview of each included feature and references to related documentation. For the purposes of this document, all mentions of "Cisco firewall" refer explicitly to the Cisco ASA Adaptive Security Appliances, though the concepts may apply to other firewall and security devices.
The three functional planes of a network each provide different functionality that needs to be protected. In addition to providing configuration details, this document serves primarily as a best practices guide. Therefore, security concepts will be recommended, although the exact configuration details may not be provided. The feature will be explained in a manner that allows the security practitioner and decision makers to determine whether the feature is required in a certain environment.
Engineers and administrators should possess a conceptual understanding of Cisco firewall product software and the basic configuration options available. This document addresses the capabilities of Cisco ASA versions 8. Security practitioners who are using any Cisco firewall devices or ASA versions other than 8.
Not all encryption algorithms may be available in all releases of Cisco firewall device software in all countries because of U.
Some command-line examples in this document are wrapped to enhance readability.

Secure network operations are a substantial topic.
Although most of this document is devoted to the secure configuration of a Cisco firewall device, configurations alone do not completely secure a network.
The operational procedures in use on the network contribute as much to security as the configuration of the underlying devices. These topics contain operational recommendations that administrators and engineers are advised to implement. These topics highlight specific critical areas of network operations and are not comprehensive.

Cisco firewalls provide advanced stateful firewall and VPN concentrator functionality in one device. In addition, some models offer an integrated intrusion prevention system (IPS) module or an integrated content security and control (CSC) module.

Cisco firewalls protect network segments from unauthorized access by users or miscreants while also enforcing security policies and posture. There are key details that distinguish a firewall from a plain Layer 3 forwarding device. The Cisco firewall performs numerous intrinsic functions to ensure the security of an environment. These functions include, but are not limited to, the following:
Security policies are the top tier of formalized security documents. These high-level documents take into account a risk assessment, and subsequently offer general statements regarding the organization's assets and resources and the level of protection they should have. Furthermore, security policies do not provide detailed specifics on how to accomplish the stated goals. Those details are captured in the subsequent security standards, baselines, and procedure documents.
This policy also dictates which architecture solutions should be adopted for a given environment. The policy should be used as a high-level guide when pursuing firewall configuration details, including which traffic should be permitted to pass through the firewall to access another network and which traffic should not be permitted to pass.
Cisco ASA leverages the construct of "Security Levels" to allow or deny the flow of traffic from one interface to another.
Each interface must have a security level assigned, from 0 (the lowest) to the highest. For example, you should assign your most secure network, such as the inside host network, the highest level, while the outside network connected to the Internet can be level 0. Other networks, such as DMZs, can be in between.
You can assign interfaces to the same security level. By default, Cisco ASA allows traffic to flow freely from a higher security level interface to a lower security level interface.

The security of a device should begin with a progression up the Open Systems Interconnection (OSI) reference model, beginning with the physical layer.
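The security-level rules described above can be checked mechanically against a configuration. The following is an added example, not code from the Cisco document: it parses a constructed ASA-style configuration (interface names, levels and the `access-group` binding are all made up for illustration) and reports what happens to a new connection between two interfaces before any ACL entry is consulted. Besides the higher-to-lower default the text states, it models two further standard ASA behaviours that are assumed here: traffic between two interfaces at the same level needs `same-security-traffic permit inter-interface`, and hairpin traffic in and out of one interface needs `same-security-traffic permit intra-interface`.

```python
"""Added example (not from the Cisco document): a small model of the
default interface-to-interface policy that follows from ASA security
levels. Assumed rules (standard ASA behaviour, simplified):
  * higher level -> lower level: permitted by default
  * lower level -> higher level: denied unless an ACL is applied inbound
    on the ingress interface (then the ACL, not the level, decides)
  * equal levels on two interfaces: denied unless
    'same-security-traffic permit inter-interface' is configured
  * in and out of the same interface: denied unless
    'same-security-traffic permit intra-interface' is configured
"""
import re

# Constructed sample configuration; not taken from a real device.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
interface GigabitEthernet0/3
 nameif partner
 security-level 50
access-group outside_in in interface outside
"""


def parse_security_levels(config: str) -> dict:
    """Walk the interface blocks and map each nameif to its security level."""
    levels, nameif = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = None                      # new block: forget the previous name
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("security-level ") and nameif is not None:
            levels[nameif] = int(line.split()[1])
    return levels


def inbound_acls(config: str) -> dict:
    """Map interface name -> ACL name for 'access-group <acl> in interface <if>'."""
    pattern = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)", re.M)
    return {iface: acl for acl, iface in pattern.findall(config)}


def same_security_permitted(config: str, scope: str) -> bool:
    """True if 'same-security-traffic permit <inter|intra>-interface' is set."""
    return re.search(rf"^same-security-traffic permit {scope}-interface\s*$",
                     config, re.M) is not None


def default_flow(config: str, src: str, dst: str) -> str:
    """Return 'permit', 'deny' or 'acl-controlled' for a new src -> dst connection."""
    levels = parse_security_levels(config)
    for name in (src, dst):
        if name not in levels:
            raise KeyError(f"interface {name!r} has no security level")
    if src == dst and not same_security_permitted(config, "intra"):
        return "deny"
    if (src != dst and levels[src] == levels[dst]
            and not same_security_permitted(config, "inter")):
        return "deny"
    if src in inbound_acls(config):
        return "acl-controlled"              # the bound ACL decides, not the level
    return "permit" if levels[src] >= levels[dst] else "deny"


def flow_matrix(config: str) -> dict:
    """Evaluate every ordered interface pair; handy as a quick audit table."""
    names = sorted(parse_security_levels(config))
    return {(s, d): default_flow(config, s, d) for s in names for d in names}


if __name__ == "__main__":
    for (s, d), verdict in flow_matrix(SAMPLE_CONFIG).items():
        print(f"{s:>8} -> {d:<8} {verdict}")
```

Running the script prints the full matrix for the sample; the interesting rows are `dmz -> partner` (denied although both are level 50) and `outside -> inside` (reported as ACL-controlled rather than denied, because an ACL is bound inbound on `outside`).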
Though obvious, the details surrounding the physical security of a device are often overlooked. Physical security, as it applies to a firewall, refers to ensuring the device is placed in a physical location that is restricted to authorized personnel.
Most often firewalls are installed in a restricted-access room; however, many levels of personnel have access to the room.
Therefore, consider establishing and using role-based access control (RBAC).
Furthermore, environmental factors should also be verified because most Cisco firewalls have an operating temperature of 32 to 104 degrees F (0 to 40 degrees C).

The method for communication of less-severe issues is the Cisco Security Response. To maintain a secure network, one must be aware of the Cisco advisories and responses that have been released. Moreover, one must have knowledge of a vulnerability before evaluating the threat it can pose to a network.

The authentication, authorization, and accounting (AAA) framework is vital to securing network devices. The AAA framework provides authentication of management sessions and can also limit users to specific, administrator-defined commands in addition to logging all commands entered by all users.

To understand existing, emerging, and historic events related to security incidents, an organization needs a unified strategy for event logging and correlation. This strategy must employ logging from all network devices and use prepackaged and customizable correlation capabilities. After centralized logging is implemented, one must develop a structured approach to log analysis and incident tracking. Based on the needs of the organization, this approach can range from a simple, diligent review of log data to advanced rule-based analysis. See the Logging Best Practices section of this document for more information about implementing logging on Cisco firewall devices.

Many protocols are used to carry sensitive network management data. One must use secure protocols whenever possible.
A secure protocol choice includes using SSH instead of Telnet so that both authentication data and management information are encrypted.
In addition, one must use secure file transfer protocols when copying configuration data. See the Securing Interactive Management Sessions section of this document for more information about the secure management of Cisco firewall devices.
Cisco firewalls support NetFlow version 9 services. In stateful flow tracking, tracked flows go through a series of state changes. NSEL events are used to export data about flow status and are triggered by the event that caused the state change. The significant events that are tracked include flow-create, flow-teardown, and flow-denied (excluding flows that are denied by EtherType access control lists [ACLs]).

Configuration management, also known as change management, is a process by which configuration changes are proposed, reviewed, approved, and deployed.
In the context of a Cisco firewall device configuration, two additional aspects of configuration management are critical: configuration archiving and security. One can use configuration archives to roll back changes that are made to network devices. In a security context, configuration archives can also be used to determine which security changes were made and when these changes occurred.
In conjunction with AAA log data, this information can assist in the security auditing of network devices.
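To show how an archive answers "which security changes were made and when", here is an added example that is not part of the Cisco document: it diffs two constructed ASA-style configuration snapshots and reports only the security-relevant lines, tagged with the snapshot interval. The keyword list that decides what counts as security-relevant, the snapshot contents, the placeholder hash strings and the documentation-range IP addresses are all this example's own choices; password hashes are redacted in the report because a change report typically travels further than the archive itself.

```python
"""Added example (not Cisco's code): compare two archived ASA-style
configuration snapshots and report the security-relevant differences.
Snapshots, keyword list and placeholder hashes are constructed."""
import difflib
import re

# Lines starting with these keywords are treated as security-relevant (assumed list).
SECURITY_PREFIXES = ("access-list", "access-group", "username", "enable password",
                     "aaa ", "ssh ", "telnet ", "http ", "logging ", "snmp-server",
                     "crypto ", "same-security-traffic")

# Secrets that must not appear in the change report.
SECRET_PATTERNS = [
    re.compile(r"^(username \S+ password )\S+"),
    re.compile(r"^(enable password )\S+"),
    re.compile(r"^(snmp-server community )\S+"),
]

OLD_SNAPSHOT = """\
hostname fw1
enable password ENABLE_HASH_PLACEHOLDER encrypted
username admin password ADMIN_HASH_PLACEHOLDER encrypted privilege 15
access-list outside_in extended permit tcp any host 203.0.113.10 eq 443
access-group outside_in in interface outside
ssh 192.0.2.0 255.255.255.0 inside
logging host inside 192.0.2.20
"""

NEW_SNAPSHOT = """\
hostname fw1
enable password ENABLE_HASH_PLACEHOLDER encrypted
username admin password ADMIN_HASH_PLACEHOLDER encrypted privilege 15
username tmpuser password TMPUSER_HASH_PLACEHOLDER encrypted privilege 15
access-list outside_in extended permit tcp any host 203.0.113.10 eq 443
access-list outside_in extended permit tcp any host 203.0.113.10 eq 22
access-group outside_in in interface outside
ssh 0.0.0.0 0.0.0.0 inside
logging host inside 192.0.2.20
"""


def redact(line: str) -> str:
    """Replace password/community secrets with a marker; leave other text intact."""
    for pattern in SECRET_PATTERNS:
        line = pattern.sub(r"\1<redacted>", line)
    return line


def security_changes(old: str, new: str) -> list:
    """Return [(sign, line)] for added ('+') / removed ('-') security-relevant lines."""
    changes = []
    diff = difflib.unified_diff(old.splitlines(), new.splitlines(), lineterm="", n=0)
    for line in diff:
        if not line or line.startswith(("--- ", "+++ ", "@@")):
            continue                                # diff headers, not config
        sign, text = line[0], line[1:].strip()
        if sign in "+-" and text.startswith(SECURITY_PREFIXES):
            changes.append((sign, redact(text)))
    return changes


def change_report(old: str, new: str, old_time: str, new_time: str) -> str:
    """Human-readable summary tying each change to the archive interval."""
    lines = [f"Security-relevant changes between {old_time} and {new_time}:"]
    for sign, text in security_changes(old, new):
        lines.append(f"  {sign} {text}")
    if len(lines) == 1:
        lines.append("  (none)")
    return "\n".join(lines)


if __name__ == "__main__":
    # Timestamps would normally come from the archive's metadata (constructed here).
    print(change_report(OLD_SNAPSHOT, NEW_SNAPSHOT,
                        "2024-01-01T00:00Z", "2024-01-02T00:00Z"))
```

For the sample snapshots the report flags a new privilege-15 local user, a new inbound permit for port 22, and an SSH management source widened from one subnet to any address, which is exactly the kind of change an auditor wants to correlate with AAA command-accounting records.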
The configuration of a Cisco firewall device contains many sensitive details. Usernames, passwords, and the contents of ACLs are examples of this type of information. The repository used to archive Cisco firewall device configurations needs to be secured. Insecure access to this information can undermine the security of the entire network.

The management plane consists of functions that achieve the management goals of the network. When considering the security of a network device, it is critical that the management plane be protected.
If a security incident can undermine the functions of the management plane, the administrator may not be able to "recover" (stabilize) the network.
The Management Plane sections of this document provide the security features and configurations available in Cisco ASA Software that help fortify the management plane. The purpose of the management plane is to provide the capability to access, configure, and manage a device and to monitor its operations and the network on which it is deployed. The management plane receives and sends traffic for these functions.
One must secure both the management plane and control plane of a device because operations of the control plane directly affect operations of the management plane. The following is a list of common protocols and tools used by the management plane:
Steps must be taken to ensure the survival of the management and control planes during security incidents. If one of these planes is successfully exploited, all planes can be compromised. Moreover, exploitation can heavily impact the incident handling process, specifically regarding postmortem and lessons learned.
Passwords control access to resources and devices when they are required for request authentication. When a request for access to a resource or device is received, the request is challenged for verification of the password and identity.
Access can be granted, denied, or limited based on the result. A device may also have other password information present in its configuration. This command uses Message Digest 5 (MD5) for password hashing. This algorithm has had considerable public review and is not known to be reversible. However, the algorithm is subject to dictionary attacks, in which an attacker attempts various dictionary words in addition to other lists of candidate passwords to search for a match.
For resilience against dictionary attacks, a salt value is added to the password before it is hashed and stored.

As a general precaution, configuration files must be securely stored and shared only with trusted individuals.
User passwords are also hashed using the MD5 algorithm after they have been concatenated with a salt value that provides resilience against dictionary attacks.
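The effect of the salt described above can be seen directly. The following added example is not Cisco's code and does not reproduce the ASA storage format; it uses plain MD5 from `hashlib` only because the text discusses MD5, and the weak-password word list is constructed. It shows that a table of digests precomputed once for a word list matches every unsalted digest of a weak password (and that two users with the same password share one unsalted digest), while a per-user random salt makes the same table useless and gives each user a distinct digest.

```python
"""Added example (not Cisco's code): why concatenating a per-user salt
before hashing blunts precomputed dictionary tables. Generic hashlib MD5
illustration; the ASA's own format is not reproduced. Word list constructed."""
import hashlib
import hmac
import os

# Constructed list of weak passwords an auditor might screen stored digests against.
WEAK_PASSWORDS = ["password", "cisco123", "letmein", "admin", "changeme"]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def hash_unsalted(password: str) -> str:
    """Digest of the bare password: identical for every user who picks it."""
    return md5_hex(password.encode())


def hash_salted(password: str, salt: bytes) -> str:
    """Digest of salt || password: differs per user even for equal passwords."""
    return md5_hex(salt + password.encode())


def build_precomputed_table(words) -> dict:
    """Digest -> word, computed once and reusable against any unsalted store."""
    return {hash_unsalted(w): w for w in words}


def is_known_weak(digest: str, table: dict) -> bool:
    """Audit check: does a stored digest match a precomputed weak-password digest?"""
    return digest in table


def store_password(password: str) -> tuple:
    """Create a fresh random salt and return (salt, digest) for storage."""
    salt = os.urandom(8)
    return salt, hash_salted(password, salt)


def verify_password(password: str, salt: bytes, stored_digest: str) -> bool:
    """Recompute with the stored salt; constant-time compare avoids timing leaks."""
    return hmac.compare_digest(hash_salted(password, salt), stored_digest)


def demo() -> dict:
    """Return the facts the example demonstrates, keyed by a short description."""
    table = build_precomputed_table(WEAK_PASSWORDS)
    salt_a, digest_a = store_password("cisco123")   # user A
    salt_b, digest_b = store_password("cisco123")   # user B, same password
    return {
        "unsalted_weak_password_found_in_table": is_known_weak(hash_unsalted("cisco123"), table),
        "salted_same_password_found_in_table": is_known_weak(digest_a, table),
        "two_users_share_unsalted_digest": hash_unsalted("cisco123") == hash_unsalted("cisco123"),
        "two_users_share_salted_digest": digest_a == digest_b,
        "verify_accepts_correct_password": verify_password("cisco123", salt_a, digest_a),
        "verify_rejects_wrong_password": verify_password("cisco124", salt_a, digest_a),
    }


if __name__ == "__main__":
    for fact, value in demo().items():
        print(f"{fact}: {value}")
```

The salt forces the table to be rebuilt per user rather than once, but it does not slow down guessing against a single account; that is why modern password stores pair a salt with a deliberately slow hash, and why the text's advice to protect the configuration file in the first place matters regardless of the hash used.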
Any Cisco firewall configuration file that contains passwords must be treated with care. Beginning with Cisco ASA version 8. Keys that can be encrypted include keys for routing protocol authentication, VPN, failover, AAA servers, logging, shared licenses, and more.

The ASA allows an administrator to lock out a local user account after a configured number of unsuccessful login attempts.
Once a user is locked out, the account is locked until the administrator unlocks it. An authorized user who is configured with privilege level 15 cannot be locked out with this feature.
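The lockout behaviour just described has three rules worth testing together: a lock after a configured number of consecutive failures, no automatic release until an administrator unlocks the account, and an exemption for privilege-15 accounts. The following is an added example that models that policy in Python; it is not ASA code, and the outcome strings, the audit-trail shape and the sample users are this example's own.

```python
"""Added example (not Cisco's code): a model of the local-account lockout
policy described in the text. Outcome names and audit format are assumed."""
from dataclasses import dataclass


@dataclass
class LocalUser:
    name: str
    privilege: int
    failed_attempts: int = 0
    locked: bool = False


class LockoutPolicy:
    def __init__(self, max_failed: int):
        if max_failed < 1:
            raise ValueError("max_failed must be at least 1")
        self.max_failed = max_failed
        self.users = {}
        self.audit = []        # (user, outcome) tuples: the trail AAA accounting would keep

    def add_user(self, name: str, privilege: int) -> None:
        self.users[name] = LocalUser(name, privilege)

    def record_login(self, name: str, credentials_ok: bool) -> str:
        """Apply one login attempt and return the outcome the device acts on."""
        user = self.users[name]
        if user.locked:
            outcome = "locked"           # even correct credentials are refused
        elif credentials_ok:
            user.failed_attempts = 0     # a success resets the consecutive count
            outcome = "ok"
        else:
            user.failed_attempts += 1
            if user.privilege == 15:
                outcome = "failed"       # exempt: privilege-15 accounts never lock
            elif user.failed_attempts >= self.max_failed:
                user.locked = True
                outcome = "locked"
            else:
                outcome = "failed"
        self.audit.append((name, outcome))
        return outcome

    def admin_unlock(self, name: str) -> None:
        """Only an administrator action clears the lock; there is no timeout."""
        user = self.users[name]
        user.locked = False
        user.failed_attempts = 0
        self.audit.append((name, "unlocked-by-admin"))

    def locked_accounts(self) -> list:
        return sorted(u.name for u in self.users.values() if u.locked)


if __name__ == "__main__":
    policy = LockoutPolicy(max_failed=3)
    policy.add_user("ops", privilege=5)
    policy.add_user("netadmin", privilege=15)
    for _ in range(3):
        policy.record_login("ops", credentials_ok=False)
    print("locked:", policy.locked_accounts())
    policy.admin_unlock("ops")
    print("after unlock:", policy.record_login("ops", credentials_ok=True))
```

The privilege-15 exemption is the operational caveat: because such an account can never be locked, its password strength and the management-plane access restrictions around it (SSH source limits, AAA, logging of failed attempts) carry the whole load for that account.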