ASA best practices

ciscors
Level 1

(I) Apart from the default configuration on ASA, what features do you guys usually enable for extra protection? I already have another IPS, hence not doing any 'ip audits'. Any suggestions would be appreciated.

(II) I use these parameters for logging. Do they look okay?

logging enable
logging buffer-size 1048576
logging monitor alerts
logging buffered debugging
logging trap warnings
logging asdm warnings
logging host inside x.x.x.x

2 Replies

a.kiprawih
Level 7

(I) You can enable the anti-spoofing feature - ip verify reverse-path (Unicast RPF)

This guards against IP spoofing (a packet uses an incorrect source IP address to obscure its true source) by ensuring that all packets have a source IP address that matches the correct source interface according to the routing table.

Normally applied on the Outside interface facing the internet/external network.

Command: ip verify reverse-path interface interface_name

ASA(config)#ip verify reverse-path interface outside

But as per Cisco SAFE Blueprint suggestions, network security has to be in a form of multilayer of security, involving security-specific devices such as firewalls, IDS/IPS, secure remote access devices (IPSec VPN), identity authentication devices and non-security-specific devices such as routers and switches. It will be a good idea to incorporate them all, if possible.

(II) Looks fine, but you can also trim down the buffer logging level one step lower to the 'informational' or 'notification' level. This can help you zoom in on useful log information. Debugging is useful when performing troubleshooting. But there are no exact rules on what level must be enabled/used. Without the debugging level, you can save buffer space - no unwanted log info unless needed.

HTH

AK
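The two recommendations in this reply (uRPF on the untrusted interface, and a buffered logging level no more verbose than informational) can be checked automatically against a saved running-config. The following script is an added example, not code from this thread or from Cisco; it assumes the config is plain `show running-config` text in the usual ASA layout, uses a constructed sample config (the IP addresses are placeholders), and generalises the advice slightly by requiring `ip verify reverse-path` on every interface with `security-level 0`, not only the one named `outside`.

```python
import re
from typing import Dict, List, Optional

# Constructed sample ASA running-config excerpt (not taken from the thread).
# It mirrors the poster's logging lines and the reply's uRPF command.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
logging enable
logging buffer-size 1048576
logging monitor alerts
logging buffered debugging
logging trap warnings
logging asdm warnings
logging host inside 10.0.0.50
ip verify reverse-path interface outside
"""

# ASA syslog severity keywords; lower number = more severe, less verbose.
SEVERITY = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}


def severity(token: str) -> int:
    """Accept either the keyword or the numeric form ASA allows."""
    return int(token) if token.isdigit() else SEVERITY.get(token, 7)


def parse_interfaces(config: str) -> Dict[str, Optional[int]]:
    """Map each nameif to its security-level from the 'interface' blocks."""
    result: Dict[str, Optional[int]] = {}
    for block in re.findall(r"^interface \S+\n((?:[ \t].*\n?)+)", config, re.M):
        m_name = re.search(r"^\s+nameif (\S+)", block, re.M)
        m_lvl = re.search(r"^\s+security-level (\d+)", block, re.M)
        if m_name:
            result[m_name.group(1)] = int(m_lvl.group(1)) if m_lvl else None
    return result


def audit(config: str, max_buffered: str = "informational") -> List[str]:
    """Return a list of findings; an empty list means all checks passed."""
    findings: List[str] = []

    # Check 1: uRPF should be enabled on every untrusted (security-level 0) interface.
    urpf = set(re.findall(r"^ip verify reverse-path interface (\S+)", config, re.M))
    for nameif, level in parse_interfaces(config).items():
        if level == 0 and nameif not in urpf:
            findings.append(
                f"uRPF not enabled on untrusted interface '{nameif}' "
                f"(ip verify reverse-path interface {nameif})"
            )

    # Check 2: logging must be on at all.
    if re.search(r"^logging enable\s*$", config, re.M) is None:
        findings.append("logging is not enabled")

    # Check 3: buffered logging should not be more verbose than max_buffered.
    m = re.search(r"^logging buffered (\S+)", config, re.M)
    if m and severity(m.group(1)) > severity(max_buffered):
        findings.append(
            f"logging buffered is '{m.group(1)}'; consider '{max_buffered}' or lower"
        )

    # Check 4: a trap level without a syslog host sends nothing anywhere.
    if re.search(r"^logging trap ", config, re.M) and not re.search(r"^logging host ", config, re.M):
        findings.append("logging trap is set but no logging host is configured")

    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

On the sample config the only finding is the `logging buffered debugging` line, which matches the reply's suggestion; removing the `ip verify reverse-path` line adds a second finding for the `outside` interface.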

sachinraja
Level 9