PIX/ASA Rule Analysis

As part of a Security audit project for a big firm we are doing a review of the rules on the firewalls.

During this exercise we came across many rules with keyword "any" in either source ip, destination ip or destination ports which per policy need to be locked down to specifics.

What would be the best way to find out what's flowing through?

2 scenarios:

a) For a small site: logging/packet capture? Any tool to simplify logs and packet capture data and put them into a more understandable format?

b) For a datacenter firewall which receives close to a million hits a day for just a single rule, any suggestions on what tool can be employed to capture destination port information?

Again, the whole idea is to find out if there is any tool/system to capture what's flowing through the firewall without reaching out to the IT folks for documents :)

Also, if logging is enabled, would it increase the traffic flow/CPU utilization?

Thanks,

Harsha

1 Reply

In case you want to use the packet capture, here is a document that shows how to use it:

http://www.cisco.com/en/US/partner/products/ps6120/products_tech_note09186a0080a9edd6.shtml

Just in case: if you want to find the internal subnets, you can check whether there are routes on the ASA going to an inside router. You can replace the ANY on the ACLs with those subnets as the source address.
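Added example, not part of the thread or of Cisco's documentation: a Python script that tallies what a permissive ACE actually carries from ASA `%ASA-6-106100` ACL-hit syslog lines (emitted for ACEs configured with the `log` keyword), giving the observed hosts and destination ports that can replace the `any` fields; the log lines and ACL names are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Pattern for the ASA "%ASA-6-106100" ACL hit message: logged per ACE that
# carries the "log" keyword, with a hit count per logging interval.
ACL_HIT_RE = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied|est-allowed) "
    r"(?P<proto>\S+) (?P<src_if>[^/]+)/(?P<src>[^(]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst_if>[^/]+)/(?P<dst>[^(]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+)"
)

# Constructed sample syslog lines (not captured from a real device).
SAMPLE_LOGS = """\
%ASA-6-106100: access-list outside_in permitted tcp outside/203.0.113.10(51234) -> inside/10.1.1.5(443) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
%ASA-6-106100: access-list outside_in permitted tcp outside/203.0.113.11(51235) -> inside/10.1.1.5(443) hit-cnt 120 300-second interval [0x1a2b3c4d, 0x0]
%ASA-6-106100: access-list outside_in permitted udp outside/198.51.100.7(40000) -> inside/10.1.1.9(53) hit-cnt 7 300-second interval [0x1a2b3c4d, 0x0]
%ASA-6-106100: access-list dmz_in denied tcp dmz/10.2.2.2(4444) -> inside/10.1.1.5(22) hit-cnt 1 first hit [0x5e6f7a8b, 0x0]
"""


def summarize_acl_hits(log_text):
    """Per ACL, hit-weighted counts of source hosts, destination hosts and
    protocol/destination-port pairs for permitted traffic only. Denied lines
    show what was blocked, not what the rule carries; junk lines are skipped."""
    summary = defaultdict(lambda: {"src": Counter(), "dst": Counter(), "dport": Counter()})
    for line in log_text.splitlines():
        m = ACL_HIT_RE.search(line)
        if not m or m.group("action") != "permitted":
            continue
        hits = int(m.group("hits"))
        entry = summary[m.group("acl")]
        entry["src"][m.group("src")] += hits
        entry["dst"][m.group("dst")] += hits
        entry["dport"][f"{m.group('proto')}/{m.group('dport')}"] += hits
    return summary


def top_values(summary, acl, field, n=10):
    """Most-seen values for one field of one ACL, e.g. the destination ports
    that should replace 'any' in that ACL's service field."""
    return summary[acl][field].most_common(n)


if __name__ == "__main__":
    result = summarize_acl_hits(SAMPLE_LOGS)
    for acl in result:
        print(acl, "ports:", top_values(result, acl, "dport"))
        print(acl, "sources:", top_values(result, acl, "src"))
```

Feed it a syslog export covering a full business cycle before trusting the tallies; a single day misses periodic jobs, and hosts seen only under `denied` never appear in the permitted summary.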
