Configuring the firewall correctly is critical to avoiding vulnerabilities in network security; following the best practices below will strengthen firewall deployments.

  • Device Access
  • Networks and Hosts definition
  • Access Control list
  • System Updates

Device Access:

The first step in securing a hardware asset is controlling access to it. Securing access to the ASA is a basic, standard configuration parameter. This can be achieved by adding users manually to the local AAA user database on the firewall or by using external RADIUS/TACACS+ servers; both provide accountability. It is not only about providing (authenticating) access to the firewall; it also means providing integrity and adding accountability (CIA).

Networks and Hosts definition:

The way Networks and Hosts are defined on the firewall determines how easy it is to understand the access policies or the NAT configuration. The best way to define hosts/networks is through objects; these can be written as objects or object-groups. I prefer object-groups in most cases. Object-groups can be used to define a small group of networks/hosts/port numbers, these object-groups can also be referenced from other object-groups, and object-groups are the best way to configure an ACL entry.

object-group network UBUNTU-1
 network-object host
object-group network UBUNTU-1-1
 network-object host
object-group network UBUNTU-2
 network-object host
object-group network UBUNTU-SVRS
 group-object UBUNTU-1
 group-object UBUNTU-1-1
object-group service tcpSSH tcp
 port-object eq ssh
object-group service tcpTelnet tcp
 port-object eq telnet
object-group service tcpCONN tcp
 group-object tcpSSH
 group-object tcpTelnet
access-list DMZ extended permit tcp object-group UBUNTU-2 object-group UBUNTU-SVRS object-group tcpCONN log
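Nested object-groups make an ACL entry compact, but they also hide what it actually permits. The following audit helper is an added example, not code from the post: it parses the object-group/ACE layout shown above and expands the DMZ entry into the concrete source, destination and port combinations it allows. The configuration string is constructed in the post's layout with placeholder host addresses (the post omits them), and the helper names are assumptions.

```python
# Added audit helper, not from the post. The config is constructed in the post's layout; the host addresses are placeholders.
SAMPLE_CONFIG = """object-group network UBUNTU-1
 network-object host 10.0.1.10
object-group network UBUNTU-1-1
 network-object host 10.0.1.11
object-group network UBUNTU-2
 network-object host 10.0.2.20
object-group network UBUNTU-SVRS
 group-object UBUNTU-1
 group-object UBUNTU-1-1
object-group service tcpSSH tcp
 port-object eq ssh
object-group service tcpTelnet tcp
 port-object eq telnet
object-group service tcpCONN tcp
 group-object tcpSSH
 group-object tcpTelnet
access-list DMZ extended permit tcp object-group UBUNTU-2 object-group UBUNTU-SVRS object-group tcpCONN log
"""

def parse_object_groups(config):  # group name -> members as ('host', ip), ('port', name) or ('group', name)
    groups, current = {}, None
    for line in config.splitlines():
        words = line.split()
        if line.startswith("object-group "):  # header line; its members follow, indented by one space
            current = words[2]
            groups[current] = []
        elif line.startswith(" ") and current:
            if words[:2] == ["network-object", "host"]:
                groups[current].append(("host", words[2]))
            elif words[:2] == ["port-object", "eq"]:
                groups[current].append(("port", words[2]))
            elif words[0] == "group-object":
                groups[current].append(("group", words[1]))
    return groups

def flatten(groups, name, seen=frozenset()):  # expand nested group-object references to leaf values
    if name in seen:  # a reference cycle would recurse forever; report it as a configuration error
        raise ValueError(f"circular group-object reference at {name}")
    return set().union(*(flatten(groups, v, seen | {name}) if k == "group" else {v} for k, v in groups[name]))

def expand_acl(config):  # every object-group based ACE as concrete (acl, action, proto, src, dst, port) rows
    groups, rows = parse_object_groups(config), []
    for line in config.splitlines():
        w = line.split()
        if w[:1] == ["access-list"] and w.count("object-group") == 3:
            src, dst, svc = [w[i + 1] for i, t in enumerate(w) if t == "object-group"]
            rows += [(w[1], w[3], w[4], s, d, p) for s in sorted(flatten(groups, src))
                     for d in sorted(flatten(groups, dst)) for p in sorted(flatten(groups, svc))]
    return rows
```

Running expand_acl(SAMPLE_CONFIG) yields four rows, one per (destination host, port) pair reachable from UBUNTU-2, which is the list a reviewer compares against the intended policy.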

System Updates:

The devices we maintain run an operating system, and every operating system comes with security risks. To protect a device from operating-system risks we have to update it as the vendor suggests; we may call this patching, and even upgrading the OS version is necessary when the vendor suggests it. The preferred security advisory suggestions are found on the vendor website. A security engineer responsible for firewalls should always stay on top of this; if we fail to patch or upgrade firewalls as per standards, we may have compliance issues. The Cisco software download center provides a list of versions, and the recommended version is highlighted with a star (*).
