topic Re: securit level for Asa Management interface ? in Network Security

securit level for Asa Management interface ?

cyberops123 — Wed, 09 Sep 2020 21:16:52 GMT

I am trying to figure out what would be the best security level for management0/0 interface on my ASA firewall ? Currently I configured it with security level 100 but I am not sure if this is the best security practice so if anyone can help me on this that would be great .

thank you

Re: securit level for Asa Management interface ?

Ruben Cocheno — Wed, 09 Sep 2020 21:37:56 GMT

@cyberops123

Yes, 100 for the management interface is the way forward. Also if that interface is to be purely management and not for "transit traffic" i do also recommend the command management-only which fits that purpose.

Re: securit level for Asa Management interface ?

balaji.bandi — Fri, 11 Sep 2020 08:57:18 GMT

we are not sure how your network designed, so in general Cisco's recommendation as best practice - management interface should be out-of-band if that is possible in your environment?

Using Management Interfaces

The management plane of a device is accessed via in-band and out-of-band methods through physical and logical means. Ideally, both in-band and out-of-band management access exists for each network device so that the management plane can be accessed during network outages.

Cisco firewalls define a specific interface as being the Management interface. This designation is defined by configuring the management-only command on the specific interface. By default the physically defined Management interface has this command defined. This interface is used for in-band access to a Cisco firewall. The Management interface can also be used for regular traffic when removing the management-only interface configuration command. It is recommended to use the Management interface of the ASA device exclusively as a management interface. This allows administrators and engineers to apply management traffic-based policies throughout the network. After the Management interface is configured on a Cisco firewall, it can be used by management plane protocols, such as SSH, SNMP, and syslog.

Re: securit level for Asa Management interface ?

cyberops123 — Thu, 10 Sep 2020 16:42:10 GMT

thanks balaji and Ruben

yeah currently we use management interface0/0 with "management only " command dedicated remote access and its configured with security level 100 .and I was doing some research if 100 is the best practice for mngt interface when it comes to hardening the ASA .

Re: securit level for Asa Management interface ?

Marvin Rhoads — Fri, 11 Sep 2020 08:32:13 GMT

@balaji.bandi what source are you quoting? There's been a separate management routing table available on ASAs for several years now.

Re: securit level for Asa Management interface ?

balaji.bandi — Fri, 11 Sep 2020 08:56:49 GMT

@Marvin Rhoads at this moment i do not have cisco URL in place, this is one of the notes i made for my reference from cisco document, when i was doing some hardening process of network, some time back. let me re-read that statement, yes this may have changed, my document might have been outdated.

Agreed ASA has new - below my document that was missed in this post. ( edited orginal post) - thanks.

As a standard security practice, it is often necessary to segregate and isolate Management traffic from data traffic. To achieve this isolation, the ASA uses a separate routing table for management-only traffic vs. data traffic. Separate routing tables means that you can create separate default routes for data and management as well.

Management table from-the-device traffic includes features that open a remote file using HTTP, SCP, TFTP, the copy command, Smart Call Home, trustpoint , trustpool , and so on