topic ASDM vulnerability concern in Network Security

ASDM vulnerability concern

jkrawczyk — Mon, 11 Mar 2019 09:49:28 GMT

Hello;

I'm contimplating on using ASDM as a tool to monitor my PIX 525 in terms of VPN trhoughput, interface stats and perform the security check, all of which the asdm program offers.

Currently I prefer to use the CLI to implement change, and I will continue this practive.

My question is "Should I be concerned if I enable http inside 192.168.1.0 255.255.255.0 so that I can access the installed asdm application?" Are there any security concerns? I'm thinking as long as I specify the host that will be used to access the PIX, I should be okay.

Your feedback is apreciated.

Regards

Jeff

Re: ASDM vulnerability concern

abinjola — Tue, 20 Mar 2007 17:35:50 GMT

rather than making it for the entire subnet why dont you make it specific to few hosts..till the time you have your enable credentials safe..you are safe as well..:-)

Re: ASDM vulnerability concern

jkrawczyk — Tue, 20 Mar 2007 17:43:48 GMT

Hi, yes good idea.

Now I'm thinking will asdm use my tacacs service. If not, I need to find out how to configure.

Regards

Jeff

Re: ASDM vulnerability concern

abinjola — Tue, 20 Mar 2007 17:48:41 GMT

you mean you have a TACACS Server configured ?..if yes then you can get ASDM authenticated via TACACS as well

Re: ASDM vulnerability concern

jkrawczyk — Tue, 20 Mar 2007 17:52:46 GMT

Hi,

Yes I currently use tacacs server. Changed config is below:

I need to fond out if this config will use tacacs without any additional commands. I would think I would need to specify the authentication such as https. still digging on this issue. Thanks for the feedback,

aaa-server RADIUS protocol radius

aaa-server ABCACS protocol tacacs+

aaa-server ABCACS host 192.168.100.1

key guessme

aaa authentication ssh console ABCACS

aaa authentication enable console ABCACS

Re: ASDM vulnerability concern

abinjola — Tue, 20 Mar 2007 18:16:03 GMT

add one more command for ASDM auth

aaa authentication http console ABACS

In this case you are not using the fall back mechanism that means if TACACS server is down ..then you would be completely locked

Re: ASDM vulnerability concern

jkrawczyk — Tue, 20 Mar 2007 19:13:08 GMT

Hi;

Currently if tacacs is down, my local account can be accessed via ssh or console by using the default ?pix? local account.

Are you saying if I include ?aaa authentication http console ABCACS?, I will not be able ssh into my PIX not even bby using the local ?pix? account? I?m a little confused. All configuration changes will be made from either my console or ssh session. ASDM will be used only for monitoring, but I want to authenticate with my tacacs server when I access my PIX via http as well as ssh and console.

Best Regards

Jeff

Re: ASDM vulnerability concern

abinjola — Tue, 20 Mar 2007 22:39:10 GMT

yes you dont have a fallback configured that means that if your TACACS server is unreachable then you would not be able to access the firewall using ssh or console

to configure fallback to the local database try this :-

aaa authentication ssh console ABACS local

Re: ASDM vulnerability concern

abinjola — Tue, 20 Mar 2007 22:49:43 GMT

hope this helps

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/cmd_ref/a1_711.htm#wp1437931