Configuring the firewall correctly is critical to avoiding vulnerabilities in network security; following these best practices will strengthen the firewall:
- Device Access
- Networks and Hosts definition
- Access Control list
- System Updates
Device Access:
The first step in securing a hardware asset is controlling access to it. Securing access to the ASA is a basic, standard configuration requirement. It can be achieved by adding users manually to the local AAA database on the firewall, or by using external RADIUS/TACACS+ servers; both provide accountability. This is not only about granting access to the firewall (authentication), it also means providing integrity and adding accountability (CIA).
Networks and Hosts definition:
The way networks and hosts are defined on the firewall determines how easy the access policies and NAT configuration are to understand. The best way to define hosts and networks is through objects, written either as objects or as object-groups. I prefer object-groups in most cases. Object-groups can define a small group of networks, hosts or port numbers, they can be nested inside other object-groups, and they are the best way to build an ACL entry. For example:
object-group network UBUNTU-1
 network-object host 10.10.1.5
object-group network UBUNTU-1-1
 network-object host 10.10.1.6
object-group network UBUNTU-2
 network-object host 10.10.2.5
object-group network UBUNTU-SVRS
 group-object UBUNTU-1
 group-object UBUNTU-1-1
object-group service tcpSSH tcp
 port-object eq ssh
object-group service tcpTelnet tcp
 port-object eq telnet
object-group service tcpCONN tcp
 group-object tcpSSH
 group-object tcpTelnet
Access Control list:
The object-groups above are then referenced from a single access-list entry, which permits TCP from UBUNTU-2 to the UBUNTU-SVRS hosts on the ports in tcpCONN (SSH and Telnet) and logs matching connections:
access-list DMZ extended permit tcp object-group UBUNTU-2 object-group UBUNTU-SVRS object-group tcpCONN log
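Nested object-groups make a rule compact but hide what it really permits, so a review should flatten them. The following script is an added example (not code from the post or from Cisco): it parses the object-group and access-list lines above, resolves the nested groups (flagging any circular group-object reference) and prints the hosts and ports the DMZ entry actually allows. The config string is a constructed inline copy of the post's configuration so that the script runs offline.

```python
# Added example (not the post's code): flatten the nested object-groups above and
# show which hosts and ports the DMZ access-list entry actually permits.
import re

ASA_CONFIG = """\
object-group network UBUNTU-1
 network-object host 10.10.1.5
object-group network UBUNTU-1-1
 network-object host 10.10.1.6
object-group network UBUNTU-2
 network-object host 10.10.2.5
object-group network UBUNTU-SVRS
 group-object UBUNTU-1
 group-object UBUNTU-1-1
object-group service tcpSSH tcp
 port-object eq ssh
object-group service tcpTelnet tcp
 port-object eq telnet
object-group service tcpCONN tcp
 group-object tcpSSH
 group-object tcpTelnet
access-list DMZ extended permit tcp object-group UBUNTU-2 object-group UBUNTU-SVRS object-group tcpCONN log
"""  # constructed copy of the post's config, embedded so this runs offline

def parse_groups(config):
    """Map group name -> members: ('host', ip), ('port', port) or ('group', name)."""
    groups, current = {}, None
    for line in config.splitlines():
        head = re.match(r"object-group (?:network|service) (\S+)", line)
        if head:
            current = groups.setdefault(head.group(1), [])
        elif line.startswith(" ") and current is not None:
            kind, *rest = line.split()
            if kind == "group-object":
                current.append(("group", rest[0]))
            elif kind in ("network-object", "port-object"):  # 'host <ip>' / 'eq <port>'
                current.append(("host" if kind == "network-object" else "port", rest[1]))
    return groups

def resolve(groups, name, path=()):
    """Flatten a group recursively; `path` catches circular group-object references."""
    if name in path:
        raise ValueError(f"circular object-group reference via {name}")
    return set().union(*(resolve(groups, v, path + (name,)) if k == "group" else {v}
                         for k, v in groups.get(name, [])))

def expand_acl(config):
    """Return (sources, destinations, ports) of the first object-group based ACE."""
    groups = parse_groups(config)
    ace = re.search(r"permit \S+ object-group (\S+) object-group (\S+) object-group (\S+)", config)
    return tuple(resolve(groups, g) for g in ace.groups())
```

Calling `expand_acl(ASA_CONFIG)` returns the flattened source hosts, destination hosts and ports, which is what an auditor compares against the intended policy.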
System Updates:
The devices we maintain run an operating system, and operating systems come with security risks. To protect the device from those risks we have to update it as the vendor suggests; this is called patching, and upgrading the OS version is also necessary when the vendor recommends it. The relevant security advisories and recommendations are published on the vendor website. A security engineer responsible for firewalls should always stay on top of this: if we fail to patch or upgrade firewalls according to the standards, we may face compliance issues. The Cisco software download center provides the list of versions, with the recommended version highlighted with a star (*).