11-12-2013 12:37 AM - edited 03-11-2019 08:03 PM
I have set up my ASA 5505 with a DMZ; in the DMZ I have my web server. Is it possible for my server to be attacked by hackers? What do I need to do to "harden" the config and make sure I avoid ANY attacks on my server? Most of my users access this server via FTP and this is a vulnerability; I need to harden my ASA 5505 in this place.
11-12-2013 01:52 AM
First: You will never make your server 100% secure, but with some effort you can raise the bar so much that a casual attacker won't have much luck.
Some things to do:
1) Host-security / patch-management. That depends on the OS and the application you use.
2) Application-Inspection on the ASA. The ASA can inspect many protocols for protocol-conformance and application-layer attacks. Those are the layer5-7 policy-maps. These are available for both of the protocols you use, FTP and HTTP. For that you first have to understand the applications and the protocols they are using.
3) Use IPS. The built-in IPS of the ASA is completely outdated, so a module is needed. For the 5505 the module is EOL announced and so it's probably not an option.
So you are left with hardening the server and then looking into the Layer7-policies.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
11-12-2013 02:02 AM
Hi Karsten,
Thanks for the response. Please see below, are those the application inspections you are referring to? I didn't configure them though, they were there by default. Do I need to change anything?
Thanks.
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
11-12-2013 02:08 AM
No, that's the Layer3-4 inspection. Here is the link to the L7-inspection in the config-guide:
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/inspect_basic.html#wp2161256
Before you can start on configuring that you have to know exactly how you want to protect the protocol.
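One way the Layer 7 inspection maps discussed above could look for FTP and HTTP on an ASA, as an added example that is not from the thread's participants or from Cisco's guide. The map and class names, the FTP commands that get reset and the HTTP methods that are allowed are assumptions to be adapted to how the server is actually used.

```cisco
! Added example; all map and class names are hypothetical.
!
! --- FTP: Layer 7 inspection map ---
policy-map type inspect ftp DMZ_FTP_L7
 parameters
  ! Hide the server software and OS details from clients
  mask-banner
  mask-syst-reply
 ! Assumption: users only upload and download files, so sessions
 ! that send these commands are reset
 match request-command appe dele rmd site
  reset
!
! --- HTTP: match any request that is not GET, HEAD or POST ---
class-map type inspect http match-all DMZ_HTTP_BAD_METHOD
 match not request method get
 match not request method head
 match not request method post
!
! --- HTTP: Layer 7 inspection map ---
policy-map type inspect http DMZ_HTTP_L7
 parameters
  ! Drop traffic on the HTTP port that is not conformant HTTP
  protocol-violation action drop-connection log
 class DMZ_HTTP_BAD_METHOD
  drop-connection log
!
! --- Layer 3/4 class that selects the web traffic ---
class-map DMZ_HTTP
 match port tcp eq www
!
! --- Attach both maps to the existing global policy ---
policy-map global_policy
 class inspection_default
  ! The default "inspect ftp" has to be removed before it can be
  ! re-added in strict mode with the Layer 7 map
  no inspect ftp
  inspect ftp strict DMZ_FTP_L7
 class DMZ_HTTP
  inspect http DMZ_HTTP_L7
```

Strict FTP inspection can break clients that do not follow the FTP RFCs closely, so test it with the FTP clients the users actually run before leaving it enabled.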
11-12-2013 07:29 AM
Hi Karsten,
Is there an easy way to do this, like through ASDM? I have tried to go through the link you pasted but eesh, I don't get it. I am not the best of ASA admins. Thanks for the link too!
11-12-2013 07:42 AM
Yes, you can configure that also through ASDM, but it's still complex:
Perhaps you should first focus on the host-security of your server.