12-10-2006 05:06 PM - edited 03-11-2019 02:06 AM
(I) Apart from the default configuration on ASA, what features do you guys usually enable for extra protection? I already have another IPS hence not doing any 'ip audits'. Any suggestions would be appreciated
(II) I use these parameters for logging. Do they look okay?
logging enable
logging buffer-size 1048576
logging monitor alerts
logging buffered debugging
logging trap warnings
logging asdm warnings
logging host inside x.x.x.x
12-10-2006 06:19 PM
(I) You can enable the anti-spoofing feature - ip verify reverse-path (Unicast RPF)
This guards against IP spoofing (a packet uses an incorrect source IP address to obscure its true source) by ensuring that all packets have a source IP address that matches the correct source interface according to the routing table.
Normally applied on Outside interface facing internet/external network.
Command: ip verify reverse-path interface interface_name
ASA(config)#ip verify reverse-path interface outside
But as per Cisco SAFE Blueprint suggestions, network security has to be in a form of multilayer of security, involving security-specific devices such as firewalls, IDS/IPS, secure remote access devices (IPSec VPN), identity authentication devices and non-security-specific devices such as routers and switches. It will be a good idea to incorporate them all, if possible.
(II) Looks fine, but you can also trim down the buffer logging level to 1 step lower, to the 'informational' or 'notification' level. This can help you to zoom in on useful log information. Debugging is useful when performing troubleshooting. But there are no exact rules on what level must be enabled/used. Without the debugging level, you can save buffer space - no unwanted log info unless it is needed.
HTH
AK
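An added illustration, not code from either poster or from Cisco: a small Python model of the strict reverse-path check that `ip verify reverse-path interface outside` performs. The routing table, interface names and packets below are constructed for the example; the point it shows beyond the description above is that the check is per-interface (packets on interfaces without it are not validated) and that a default route makes every otherwise-unrouted source look legitimate on the outside interface.

```python
import ipaddress

# Constructed routing table (assumption, not from the original thread):
# prefix -> interface the firewall would use to reach that destination.
ROUTES = {
    "0.0.0.0/0": "outside",          # default route toward the Internet
    "10.0.0.0/8": "inside",          # internal address space
    "192.168.100.0/24": "dmz",       # DMZ servers
}


def lookup(routes, addr):
    """Longest-prefix match: which interface would reach 'addr' as a destination."""
    ip = ipaddress.ip_address(addr)
    best_net, best_iface = None, None
    for prefix, iface in routes.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def urpf_accepts(routes, src, ingress, urpf_interfaces):
    """Strict uRPF: a packet arriving on 'ingress' is accepted only if the
    route back to its source address points out the same interface.
    Interfaces without the feature enabled perform no check at all."""
    if ingress not in urpf_interfaces:
        return True
    return lookup(routes, src) == ingress


def evaluate(packets, routes, urpf_interfaces):
    """Return (src, ingress, accepted) for each (src, ingress) packet."""
    return [(src, ing, urpf_accepts(routes, src, ing, urpf_interfaces))
            for src, ing in packets]


# Constructed sample traffic: (source address, interface it arrived on).
PACKETS = [
    ("203.0.113.5", "outside"),      # Internet host, fine
    ("10.1.2.3", "outside"),         # internal address from the Internet: spoofed
    ("192.168.100.7", "outside"),    # DMZ address from the Internet: spoofed
    ("10.1.2.3", "inside"),          # internal host on inside, fine
    ("10.9.9.9", "dmz"),             # wrong source on dmz, but uRPF not enabled there
]

if __name__ == "__main__":
    for src, ing, ok in evaluate(PACKETS, ROUTES, {"outside"}):
        print(f"{src:>15} via {ing:<8} -> {'accept' if ok else 'DROP (uRPF)'}")
```

The model is strict reverse-path checking, which is what the ASA applies: it is safe on the outside interface because there is normally a single path to and from the Internet, but it will drop legitimate traffic on any interface where routing is asymmetric, so check the routing table for each interface before enabling it there.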
12-10-2006 08:34 PM
Refer to this URL, a really good one:
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci838230,00.html