10285 Views | 5 Helpful | 3 Replies

How to best audit Cisco ASA

raza555
Level 3

I want to audit 40 Cisco ASAs (8.4) against best practices, but I don't have any tools.

1) Are there any good free or low-cost tools available that I can use to ease the audit?

2) What are the useful commands / best practices to audit the ASA? E.g.

show failover
show failover state
show monitor-interface
show failover interface
sh run user
sh ip add
etc.

3) I have noticed that most of the ASA ACLs allow ports ip or tcp; I want to use specific ports like 22, 23, 69, 154 etc. How can I achieve this?

4) Is there any best practices document that I can compare against our ASAs?

Thanks

Accepted Solution

Julio Carvajal
VIP Alumni

Hello,

1) The first thing is to keep up to date with the Cisco vulnerability announcements to check whether your box is non-compliant, etc.

Use scanning tools like NMAP, ZEN-MAP, Veracode, etc.

Use dictionary attacks to determine whether you can hack into the device.

Etc., etc.

2) To audit the ASA well:

  • Check the ACLs (make sure they are as specific as possible) (show run access-list)
  • Make sure a failover cluster is in place (show failover)
  • Make sure traffic not desired is denied (packet-tracer tool)
  • Make sure you are sending logs to a syslog server for further audit purposes (show run logging)
  • Check the Authentication, Authorization and Accounting variables (show run aaa)
  • Etc.

3) Change the ACLs to satisfy your needs. Being more specific is always more secure.

access-list outside_inside permit tcp any host 4.2.2.2

to

access-list outside_inside permit tcp any host 4.2.2.2 eq 80 (in the case of an HTTP server)

4) Always check the release notes and Cisco vulnerability announcements.

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
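The two ACL checks in the accepted answer (item 2, "make sure they are as specific as possible", and item 3, the `permit tcp any host 4.2.2.2` versus `... eq 80` example) can be applied across 40 boxes mechanically. The script below is an added example, not code from the thread or from Cisco: it parses lines in the format of `show run access-list` output and flags every permit ACE that uses protocol `ip`, uses `tcp`/`udp` with no port qualifier, or is any-to-any. The sample ACL text is constructed for the example; the ACE grammar handled (`extended` keyword, `any`/`host`/`object`/`object-group`/network-mask address specs, `eq`/`neq`/`gt`/`lt`/`range` port operators) is the common ASA 8.x form, and object and object-group contents are not resolved.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of `show run access-list` output (not taken from the thread).
SAMPLE_ACL = """\
access-list outside_inside extended permit tcp any host 4.2.2.2
access-list outside_inside extended permit tcp any host 4.2.2.2 eq 80
access-list outside_inside extended permit ip any any
access-list outside_inside extended permit udp 10.1.1.0 255.255.255.0 host 10.2.2.53 eq 53
access-list outside_inside extended permit tcp object-group MGMT host 10.2.2.10 range 22 23
access-list outside_inside extended deny ip any any log
access-list outside_inside remark --- legacy rule ---
"""

PORT_OPS = {"eq", "neq", "gt", "lt", "range"}
ANY = {"any", "any4", "any6"}


@dataclass
class Ace:
    acl: str
    action: str
    proto: str
    src: str
    dst: str
    ports: Optional[str]   # destination port qualifier, e.g. "eq 80", or None
    line: str


def _take_addr(tokens: List[str]) -> Tuple[str, List[str]]:
    """Consume one ASA address spec and return (spec text, remaining tokens)."""
    head = tokens[0]
    if head in ANY:
        return head, tokens[1:]
    # "host X", "object X", "object-group X", "interface X" and "NETWORK MASK"
    # all occupy exactly two tokens.
    return f"{head} {tokens[1]}", tokens[2:]


def _skip_port_op(tokens: List[str]) -> Tuple[Optional[str], List[str]]:
    """If the tokens start with a port operator, return it (as text) and the rest."""
    if tokens and tokens[0] in PORT_OPS:
        n = 3 if tokens[0] == "range" else 2
        return " ".join(tokens[:n]), tokens[n:]
    return None, tokens


def parse_ace(line: str) -> Optional[Ace]:
    """Parse one extended ACE; return None for remarks, standard ACLs, etc."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list":
        return None
    acl, rest = tokens[1], tokens[2:]
    if rest[0] == "extended":
        rest = rest[1:]
    elif rest[0] in ("standard", "remark", "ethertype", "webtype"):
        return None
    action, proto, rest = rest[0], rest[1], rest[2:]
    if proto in ("object", "object-group"):      # service object as protocol
        proto, rest = f"{proto} {rest[0]}", rest[1:]
    src, rest = _take_addr(rest)
    _, rest = _skip_port_op(rest)                  # source ports are not audited here
    dst, rest = _take_addr(rest)
    ports, rest = _skip_port_op(rest)
    return Ace(acl, action, proto, src, dst, ports, line)


def audit(acl_text: str) -> List[Tuple[str, List[str]]]:
    """Return (ACE line, reasons) for every permit ACE that is broader than it should be."""
    findings = []
    for raw in acl_text.splitlines():
        ace = parse_ace(raw.strip())
        if ace is None or ace.action != "permit":
            continue
        reasons = []
        if ace.proto == "ip":
            reasons.append("protocol 'ip' permits every protocol and port")
        elif ace.proto in ("tcp", "udp") and ace.ports is None:
            reasons.append(f"{ace.proto} without a port qualifier permits all {ace.proto} ports")
        if ace.src in ANY and ace.dst in ANY:
            reasons.append("any-to-any address scope")
        if reasons:
            findings.append((ace.line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in audit(SAMPLE_ACL):
        print(line)
        for r in reasons:
            print("   ->", r)
```

Feed it the saved `show run access-list` output from each firewall; the two lines it flags in the sample are exactly the "before" form from item 3 and the `permit ip any any` that defeats the ACL entirely. A deny ACE is never flagged, and a `range 22 23` or `eq 53` qualifier passes as specific.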


Thanks for the detailed reply, it is very much appreciated.

In reply to my question 3), please advise how I can find out which specific ports the source and destination are using, as currently most rules are just using services as tcp & ip.

E.g. the ASA has 50 different rules & each rule has multiple sources & destinations; how can I find out what ports these devices are using, as I need to be 100% sure before replacing the service ports of tcp/ip with specific ports of e.g. 80, 23, 20 etc.

I have to audit about 40 ASAs with this problem; is there any tool/application/command to resolve this problem of mine?

This is a very, very important part of my audit.

Thanks

Hello,

Hey, my pleasure to help. Just remember to rate all of the useful posts (let me know if you do not know how).

Now, regarding the last query, well, you will need to look for a security policy from the network admin (if there is one); otherwise you will need to build it from scratch.

There is no way you can dynamically determine this by using a tool. Each environment is different and has multiple needs.

Good luck with that.

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
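When the policy has to be built from scratch, the syslog feed that item 2 of the accepted answer asks for is the evidence to start from: every connection the ASA builds is logged as a `%ASA-6-302013` (TCP) or `%ASA-6-302015` (UDP) message, and tallying the server-side ports per destination host over a few weeks gives the list to compare against the application owner's policy before a `permit tcp` is narrowed to `eq <port>`. The script below is an added example, not code from the thread or from Cisco. The log lines are constructed in the documented 302013/302015 format; the script assumes the usual ASA layout in which an inbound message lists the initiator first and the server after `to`, while an outbound message lists the server (lower-security side) first, and it ignores teardown (302014) messages.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample syslog lines (not from the thread) in the ASA 302013/302015 format.
SAMPLE_LOG = """\
Jan 10 10:00:01 fw1 %ASA-6-302013: Built inbound TCP connection 100 for outside:203.0.113.5/51234 (203.0.113.5/51234) to inside:10.1.1.10/80 (10.1.1.10/80)
Jan 10 10:00:02 fw1 %ASA-6-302013: Built inbound TCP connection 101 for outside:203.0.113.6/40000 (203.0.113.6/40000) to inside:10.1.1.10/80 (10.1.1.10/80)
Jan 10 10:00:03 fw1 %ASA-6-302013: Built inbound TCP connection 102 for outside:203.0.113.7/40001 (203.0.113.7/40001) to inside:10.1.1.10/443 (10.1.1.10/443)
Jan 10 10:00:04 fw1 %ASA-6-302015: Built inbound UDP connection 103 for outside:203.0.113.8/50000 (203.0.113.8/50000) to inside:10.1.1.53/53 (10.1.1.53/53)
Jan 10 10:00:05 fw1 %ASA-6-302014: Teardown TCP connection 100 for outside:203.0.113.5/51234 to inside:10.1.1.10/80 duration 0:00:04 bytes 1234 TCP FINs
Jan 10 10:00:06 fw1 %ASA-6-302013: Built outbound TCP connection 104 for outside:198.51.100.9/22 (198.51.100.9/22) to inside:10.1.1.20/55000 (10.1.1.20/55000)
"""

# Matches only "Built ... connection" messages; teardown and other IDs are skipped.
BUILT_RE = re.compile(
    r"%ASA-\d-3020(?:13|15): Built (?P<dir>inbound|outbound) (?P<proto>TCP|UDP) connection \d+ "
    r"for (?P<if1>[^:]+):(?P<ip1>\S+)/(?P<p1>\d+) \(\S+\) "
    r"to (?P<if2>[^:]+):(?P<ip2>\S+)/(?P<p2>\d+)"
)

ServiceKey = Tuple[str, str, int]   # (server IP, "TCP"/"UDP", server port)


def service_ports(log_text: str) -> Dict[ServiceKey, int]:
    """Count connections per (server, protocol, port) seen in Built-connection messages."""
    seen: Dict[ServiceKey, int] = defaultdict(int)
    for line in log_text.splitlines():
        m = BUILT_RE.search(line)
        if not m:
            continue
        if m["dir"] == "inbound":
            # Initiator is listed first, the server is the "to" side.
            server, port = m["ip2"], int(m["p2"])
        else:
            # Outbound: the lower-security (server) side is listed first.
            server, port = m["ip1"], int(m["p1"])
        seen[(server, m["proto"], port)] += 1
    return dict(seen)


def suggest_aces(seen: Dict[ServiceKey, int], acl_name: str) -> List[str]:
    """Draft one port-specific ACE per observed service, in the form used in the thread.

    The source is left as 'any' here; narrow it from the initiator addresses
    once the application owner confirms who should reach the service.
    """
    aces = []
    for (server, proto, port) in sorted(seen):
        aces.append(f"access-list {acl_name} extended permit {proto.lower()} any host {server} eq {port}")
    return aces


if __name__ == "__main__":
    summary = service_ports(SAMPLE_LOG)
    for (server, proto, port), count in sorted(summary.items()):
        print(f"{server:15} {proto} {port:<5} {count} connection(s)")
    print()
    for ace in suggest_aces(summary, "outside_inside"):
        print(ace)
```

Run it over the syslog archive for each firewall rather than a single day: a service that is only used monthly will otherwise be missing from the tally, which is the reason the observed list is a starting point for the policy conversation with the admin and not the policy itself.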