firewall configuration best practices


Upload: shaun-hummel

Post on 21-Feb-2017


Page 1: Firewall Configuration Best Practices

Firewall Audit

The firewall is the first line of defense for protecting corporate data. Installing the firewall requires enabling interfaces, defining zones, access rules and device management. The security engineer should deploy firewall configuration and design best practices for optimized security. The default settings cause security problems that leave company data vulnerable to hacker attacks. The following is a survey of firewall security best practices from Cisco and industry standards groups. They include specific recommendations for firewall configuration, management and security policies.

Run Cisco Active Advisor regularly for life cycle alerts (PSIRT etc.)

Configure granular Access Control Lists (ACL’s) and application ports

Log all transactions including user sign-on and configuration changes

Configure security alerts from NMS and vendor notifications to email.

Log denied traffic with ACL

Configure complex passwords with minimum length 12 characters

Change password every 60 days

Encrypt firewall management passwords

Configure AAA server keys and timeout

Deploy SNMPv3 for encryption

Configure complex SNMP community strings

Configure Failover keys between firewalls

Manage firewalls from ASDM or Cisco Security Manager

Manage the CLI from LAN interface or dedicated management interface

Turn off Telnet, SSH and SSL services

Define VTY access list with permitted source addresses

Define SNMP access list with permitted source traffic

Disable SNMP on firewall public interfaces

Turn off all unused or vulnerable network services

Disable CDP protocol on all router public interfaces

Enable DNS snooping

Configure static routing between internet routers and DMZ switches

Deploy private RFC 1918 IP addressing

Configure Network Address Translation (NAT)

Define granular outside, DMZ and inside security zones

Configure network and service objects for creating rules

Test firewall rules and ACLs from outside network

Test firewall failover

Add script descriptions to optimize support and troubleshooting

Run vulnerability assessment testing every 30 days

Enable firepower malware filter, Cisco CWS and IPS

Use the most specific ACL’s possible for rules

Avoid rules that allow any source/destination to any server port.

Delete rules that are redundant and have no effect

Add comment descriptions for ACLs: access-list 100 remark [text]
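Several items in the checklist above (specific ACLs, no any/any rules, remarks on ACLs, an explicit logged deny, no Telnet, SNMPv3 instead of community strings, a 12-character password minimum) can be checked mechanically against a saved running-config. The following is an added example, not code from the original document or from Cisco: two constructed configuration samples written in ASA syntax, one that violates the recommendations and one that applies them, and a small Python audit that reports the violations. Hostnames, interface names, object names, addresses and the SNMPv3 key placeholders are assumptions.

```python
"""Audit a Cisco ASA running-config text against checklist items.

Added example; the two configs below are constructed samples in real ASA
syntax, with placeholder names, addresses and keys."""
import re
from typing import Dict, List, Tuple

# Constructed sample: a device that violates several checklist items.
WEAK_CONFIG = """\
hostname fw-edge
telnet 0.0.0.0 0.0.0.0 inside
snmp-server community public
snmp-server host inside 10.1.1.20 community public version 2c
access-list OUTSIDE_IN extended permit ip any any
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 8080
access-group OUTSIDE_IN in interface outside
"""

# Constructed sample: the same device after applying the recommendations.
HARDENED_CONFIG = """\
hostname fw-edge
password-policy minimum-length 12
password-policy lifetime 60
ssh 10.1.1.0 255.255.255.0 management
ssh version 2
snmp-server group ADMIN-V3 v3 priv
snmp-server user nms-user ADMIN-V3 v3 auth sha <AUTH-KEY-PLACEHOLDER> priv aes 128 <PRIV-KEY-PLACEHOLDER>
snmp-server host management 10.1.1.20 version 3 nms-user
logging enable
logging trap informational
logging host management 10.1.1.21
object network DMZ_WEB
 host 192.0.2.10
access-list OUTSIDE_IN remark Public web server, HTTPS only
access-list OUTSIDE_IN extended permit tcp any object DMZ_WEB eq 443
access-list OUTSIDE_IN remark Explicit catch-all deny, logged
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
"""

# Patterns for the checklist items.  any4/any6 are covered by the \d? suffix.
ANY_ANY = re.compile(
    r"^access-list\s+\S+\s+extended\s+permit\s+\S+\s+any\d?\s+any\d?(\s|$)")
TELNET = re.compile(r"^telnet\s+\d")
SNMP_V1_V2C = re.compile(r"^snmp-server\s+(community\s|host\s.*\bversion\s+(1|2c)\b)")
PASSWD_MIN = re.compile(r"^password-policy\s+minimum-length\s+(\d+)")
ACL_LINE = re.compile(r"^access-list\s+(\S+)\s+(remark|extended)\s+(.*)$")
FINAL_DENY = "deny ip any any log"


def audit_config(config: str) -> List[str]:
    """Return one finding per checklist violation found in the config text."""
    findings: List[str] = []
    acl_entries: Dict[str, List[Tuple[str, str]]] = {}  # name -> [(kind, body)]
    min_len = None
    for raw in config.splitlines():
        line = raw.strip()
        m = ACL_LINE.match(line)
        if m:
            acl_entries.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
        if ANY_ANY.match(line):
            findings.append(f"{line}: permits any source to any destination")
        if TELNET.match(line):
            findings.append(f"{line}: Telnet management access is enabled")
        if SNMP_V1_V2C.match(line):
            findings.append(f"{line}: SNMP v1/v2c community string in use, deploy SNMPv3")
        m = PASSWD_MIN.match(line)
        if m:
            min_len = int(m.group(1))
    if min_len is None or min_len < 12:
        findings.append("password-policy minimum-length is missing or below 12")
    for name, entries in acl_entries.items():
        extended = [body for kind, body in entries if kind == "extended"]
        if not any(kind == "remark" for kind, _ in entries):
            findings.append(f"access-list {name}: no remark lines describing the rules")
        if not extended or extended[-1] != FINAL_DENY:
            findings.append(f"access-list {name}: last entry is not '{FINAL_DENY}'")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label}: {len(audit_config(cfg))} finding(s)")
        for finding in audit_config(cfg):
            print("  -", finding)
```

The audit is line-oriented on purpose: a running-config pulled with `show running-config` is plain text, so the same checks run offline against a saved copy without touching the device. The hardened sample also shows that the explicit `deny ip any any log` must be the last extended entry of the ACL, since any entry after it is unreachable.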


Run show log to examine firewall errors

Match security zones to network interfaces

Do not configure direct connectivity between the internet zone and the server farm zone. Instead, configure a DMZ zone between them for traffic filtering control.

Configure UDP for zone transfers instead of TCP, which has known vulnerabilities.

Lab test firewall changes with VIRL or lab setup

Promote a policy to send email to the firewall group when a server is removed.

Add a deny ip any any log command at the end of each access list so that any packet not matched by an earlier rule is dropped by an explicit deny entry and recorded in the log file.

Run firewall# show access-list [number] and note the hit count. Unused ACLs will have no hits and so are not required. Server IP addresses are often reassigned without alerting the security group.
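The hit-count review described above can be scripted so that every ACE with a zero counter, and every ACL in which nothing has ever matched, is listed for the rule clean-up. The following is an added example, not code from the original document or from Cisco: a Python parser for the output of show access-list, run over a constructed sample written in the format the ASA prints (ACL names, addresses and hash values are made up).

```python
"""List unused access-list entries from 'show access-list' hit counters.

Added example; SHOW_ACL_OUTPUT is a constructed sample in the ASA output
format, with made-up ACL names, addresses, counters and hashes."""
import re
from typing import Dict, List

SHOW_ACL_OUTPUT = """\
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list OUTSIDE_IN; 4 elements; name hash: 0x1a2b3c4d
access-list OUTSIDE_IN line 1 remark Public web server, HTTPS only
access-list OUTSIDE_IN line 2 extended permit tcp any object DMZ_WEB eq https (hitcnt=15320) 0x5e6f7a8b
  access-list OUTSIDE_IN line 2 extended permit tcp any host 192.0.2.10 eq https (hitcnt=15320) 0x5e6f7a8b
access-list OUTSIDE_IN line 3 extended permit tcp any host 192.0.2.11 eq 8080 (hitcnt=0) 0x9c0d1e2f
access-list OUTSIDE_IN line 4 extended permit tcp any host 192.0.2.12 eq ssh (hitcnt=0) 0x3a4b5c6d
access-list OUTSIDE_IN line 5 extended deny ip any any log (hitcnt=2751) 0x7e8f9a0b
access-list DMZ_OUT; 2 elements; name hash: 0x2b3c4d5e
access-list DMZ_OUT line 1 extended permit udp object DMZ_WEB host 10.1.1.53 eq domain (hitcnt=8812) 0xabcdef01
access-list DMZ_OUT line 2 extended permit tcp object DMZ_WEB any eq smtp (hitcnt=0) 0x12345678
access-list OLD_VPN; 1 elements; name hash: 0x3c4d5e6f
access-list OLD_VPN line 1 extended permit ip 10.9.0.0 255.255.0.0 any (hitcnt=0) 0x0f1e2d3c
"""

# One top-level access control entry: name, line number, rule text, hit count.
ACE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+line\s+(?P<line>\d+)\s+extended\s+"
    r"(?P<rule>.+?)\s+\(hitcnt=(?P<hits>\d+)\)")


def parse_show_access_list(output: str) -> Dict[str, List[dict]]:
    """Return {acl_name: [entry, ...]} for the top-level ACEs.

    Object expansions are indented by the ASA and are skipped so that each
    configured entry is counted once; remark lines carry no counter."""
    acls: Dict[str, List[dict]] = {}
    for raw in output.splitlines():
        if raw[:1].isspace():
            continue
        m = ACE.match(raw)
        if not m:
            continue
        acls.setdefault(m["acl"], []).append(
            {"line": int(m["line"]), "rule": m["rule"], "hits": int(m["hits"])})
    return acls


def unused_entries(output: str) -> List[str]:
    """ACEs whose counter is zero, as 'ACL line N: rule' strings."""
    return [f"{acl} line {e['line']}: {e['rule']}"
            for acl, entries in parse_show_access_list(output).items()
            for e in entries if e["hits"] == 0]


def unused_acls(output: str) -> List[str]:
    """ACLs in which no entry has matched any traffic."""
    return [acl for acl, entries in parse_show_access_list(output).items()
            if entries and all(e["hits"] == 0 for e in entries)]


if __name__ == "__main__":
    print("Entries with zero hits:")
    for item in unused_entries(SHOW_ACL_OUTPUT):
        print("  ", item)
    print("ACLs with no hits at all:", unused_acls(SHOW_ACL_OUTPUT))
```

A zero counter only means no match since the counters were last reset (a reload or clear access-list counters), so compare the result with the uptime from show version before deleting anything, and treat entries that serve a standby or disaster-recovery path as candidates to confirm with the owner rather than remove outright.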

Cisco IOS Commands (CLI)

Show ASA Code, License, Serial Number, Memory, Uptime: # show version

Show Running Configuration: # show running-config

Show Syslog Settings and Messages Log: # show logging

Show Configured VLANs: # show vlan

Show All Interface Details: # show interface detail

Show ARP Table: # show arp

Show Connection Information: # show conn [detail]

Show Start-Up Configuration: # show configuration

Show IKE Connectivity: # show crypto isakmp sa

Show IPsec Connectivity: # show crypto ipsec sa

Show IKEv1 SA Details: # show crypto ikev1 sa detail

Show IKEv2 SA Details: # show crypto ikev2 sa detail

Show Power, Fan, Temperature: # show environment

Show Firewall Mode: # show firewall

Show IPS Information: # show ips

Show All Interfaces: # show interface

Show Redundancy Status and Configuration: # show failover

Show Chassis Serial Number and PID: # show inventory

Show Security Context: # show mode

Show Modules, MAC Address, ASA Code: # show module

Show NAT Policies and Counters: # show nat [detail]

Show Password Encryption Settings: # show password encryption

Show Various Performance Metrics: # show perfmon

Show CPU Utilization: # show proc cpu-usage [cpu-hog]

Show Memory Utilization Detail: # show processes memory

Show Firewall Route Table: # show route

Show Packet Rate and Drops Per Interface: # show traffic

Show NAT Translation Table: # show xlate


Security Audit Tools

1. Nipper Studio

This is a configuration auditing tool designed to harden switches, routers and firewalls through examining and listing current security vulnerabilities.

2. Firemon Security Manager

This is a firewall management solution that provides automated change management, policy optimization and risk assessment.

3. Checkpoint CPDB2HTML

This security tool exports the checkpoint firewall security configuration to a readable html or xml format for easier analysis. It enables analysis of current firewall configuration and rules.

4. Nmap

This is an open source scanner used for detecting hosts, services enabled, operating systems and firewalls. It is typically used for multi-platform network discovery and vulnerability testing.

5. Firewalk

This is a firewall configuration audit tool that verifies all layer 4 protocols permitted to pass through the current firewall to internal servers.

6. Nessus Cloud Scan

This provides external and internal detection, scanning and auditing of enterprise infrastructure along with support for verifying PCI DSS compliance.

7. Skybox Audit

This is a firewall security management solution that provides vulnerability assessment, policy compliance monitoring and rule life cycle management.

Copyright © 2016 CiscoNet Solutions All Rights Reserved
