
http service

tsabsuavyaj
Level 1

Hello,

I was informed by our security auditors that the HTTP service on my ASA outside interface is providing type details, and that it is recommended to configure it not to disclose such detail. I'm not exactly sure what this means or what the risk of having this on is, but I'm in need of some assistance in accomplishing this task. Would someone please shed some light on this using the CLI on IOS 7.2?

Many thanks in advance.

4 Replies

Jouni Forss
VIP Alumni

Hi,

I'm not sure if this is what they mean, but perhaps you have configured the following on the ASA CLI:

"http 0.0.0.0 0.0.0.0 outside" (provided your ASA interface facing the Internet is named "outside")

This would at least make it possible for anyone to reach your ASDM launch/install page on the ASA, I suppose. The one you yourself have probably used at some point when installing ASDM on your computer.

Personally, the majority of the ASAs that I configure aren't reachable with ASDM from any network on the outside. And also, I don't use ASDM for anything other than monitoring and perhaps some VPN configurations.

- Jouni
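An added example, not part of the original post and not Cisco tooling: a Python check over a saved running-config that flags `http` management-access lines like the one quoted above when they admit broad source ranges on an Internet-facing interface. The sample config, the function name and the /24 threshold are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample of an ASA running-config; not taken from the thread.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.1.0 255.255.255.0 inside
http 203.0.113.10 255.255.255.255 outside
"""

# "http <address> <netmask> <interface-name>" management-access entries.
HTTP_ACL = re.compile(r"^http\s+(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+(\S+)$")
HTTP_SERVER = re.compile(r"^http server enable(\s+\d+)?$")


def audit_http_access(config, untrusted=("outside",), min_prefix=24):
    """Return (line_number, line, reason) for overly broad http entries.

    Entries only matter when "http server enable" is present, so an
    empty list is returned if the HTTPS management server is off.
    """
    server_enabled = False
    findings = []
    for lineno, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if HTTP_SERVER.match(line):
            server_enabled = True
            continue
        m = HTTP_ACL.match(line)
        if not m or m.group(3) not in untrusted:
            continue
        try:
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        except ValueError:
            findings.append((lineno, line, "unparseable address or mask"))
            continue
        if net.prefixlen == 0:
            findings.append((lineno, line, "any source allowed on untrusted interface"))
        elif net.prefixlen < min_prefix:
            findings.append((lineno, line, f"source range /{net.prefixlen} wider than /{min_prefix}"))
    return findings if server_enabled else []


if __name__ == "__main__":
    for lineno, line, reason in audit_http_access(SAMPLE_CONFIG):
        print(f"line {lineno}: {line!r}: {reason}")
```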

Here is an example of the Web page I get if I just connect to the ASA from the LAN with a Web browser.

It shows the ASDM version on the ASA.

It doesn't exactly tell the version of ASA you are using, but it does give you some information with which a person will know if you are using a PIX or ASA (maybe FWSM also, I really haven't tested) and can get some idea of what your actual ASA software level is.

- Jouni

Let me see if I can get some additional information from them and will post back.

The service type they referred to is the Cisco Systems WebVPN Service type description that appears on the VPN clientless logon web portal. See screenshot for reference.
