Risk Assessment: Managing FTD over Internet facing interface via FMC

ssan239
Level 1

Hi All,

We are planning to manage the FTD over the internet-facing interface via FMC. May I know the risks involved in managing the FTD over an internet-facing interface please.

Interface will carry both Internet traffic and management traffic.

Regards,

Sanjay S

Accepted Solution

You need to be more detailed with what you are trying to say.

  • Managing the FTD from FMC over the internet is OK as the connection is encrypted.
  • If you decide that you want SSH connectivity to the same interface, the internet-facing interface, you need to be very specific with which IPs you allow, configured via platform settings in FMC.
  • When using SSH, the local user account / admin account needs a very strong password. This is also true for any other user account that has administrative access to the FTD, so it is not easily guessed and is very difficult to decrypt.
  • When managing remote sites it is good practice to manage the FTD via an internet-facing interface, as you will continually have management access to the device as long as the device is not completely down.
--
Please remember to select a correct answer and rate helpful posts


4 Replies

khorram1998
Level 1

Managing Firepower Threat Defense (FTD) devices over an Internet-facing interface via the Firepower Management Center (FMC) can pose several risks. Here are a few potential risks to consider:

  1. Security risks: By exposing the management interface to the Internet, the FTD devices become vulnerable to attacks from external sources, such as unauthorized access, unauthorized configuration changes, and malware injection.

  2. Network disruption: If the management interface is compromised, it can be used to launch attacks on other parts of the network, causing disruption to business operations.

  3. Data leakage: If the management interface is compromised, sensitive data, such as login credentials, configuration settings, and system logs, may be exposed.

  4. Compliance risks: Some compliance regulations require that management interfaces are only accessible from secure internal networks and not exposed to the Internet.

  5. Limited visibility: Internet-facing interfaces may have limited visibility into the internal network, which can limit the ability of the FMC to monitor and detect internal threats.

To mitigate these risks, it is recommended to use secure remote access methods, such as VPN or SSH, to access the management interface. Additionally, you should use strong authentication and access controls to limit access to the management interface to authorized personnel only.

You should also keep the software and firmware of FTD devices up to date and regularly monitor the logs and alerts for any suspicious activity.

You may also want to consider implementing a DMZ architecture, which isolates the management interface from the rest of the network, providing an additional layer of security.

Finally, it is recommended to regularly perform security assessments and penetration testing to identify any vulnerabilities in the management interface and take appropriate action.

Please rate this and mark as solution/answer, if this resolved your issue
All the best,
AK


Now, I am assuming you mean to manage the FTD device via a data interface?

This all depends on how management of the FTD device is implemented. A lot of engineers throw a fit when you manage the device over the internet, but they do not take into account that the connection is encrypted, much like with a VPN. Once a management tunnel is set up between the FMC and FTD device this connection is encrypted and a third party will not be able to interfere with it (i.e. a MitM attack). So if this is a remote site it is actually good practice to set up management on an interface that is reachable from the FMC. If this is set up over a VPN tunnel, though some people might argue this is more secure, if that tunnel goes down for whatever reason, you will have lost management of the remote FTD.

So let's say that you are managing the FTD over a s2s VPN and you push a configuration that unexpectedly brings that VPN down.  You are now in a tight spot as you have lost management of the device and cannot correct the mistake.

Another thing to consider is that SSH to data interfaces on the FTD is disabled by default. If you enable SSH on the outside interface, be sure that you limit this connection to specific IPs of your company and not leave it open for any connection. SSH is more risky than the management connection between FMC and FTD, as this can be misconfigured and allow for unintended access.

--
Please remember to select a correct answer and rate helpful posts
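The two hardening points raised in this thread, keeping the SSH allow-list on the internet-facing interface specific and watching the logs for suspicious SSH activity, can be checked offline. The following is an added example, not code from the thread or from Cisco: it validates an allow-list as you would enter it in FMC platform settings and scans syslog lines for SSH logins that fall outside it. The prefixes, the syslog lines and the ASA/FTD-like message format are constructed for illustration; adjust the regex to the exact message text your platform produces.

```python
"""Offline checks for SSH exposure on an internet-facing FTD data interface.

Added example (not from the thread or from Cisco). It does not contact an FMC or
FTD; it evaluates an allow-list copied out of platform settings and parses
syslog text you already collect.
"""
import ipaddress
import re
from collections import Counter

# Allowed SSH source networks, as entered in FMC platform settings.
# Assumed values: replace with your company's real management prefixes.
ALLOWED_SSH_SOURCES = ["203.0.113.0/29", "198.51.100.10/32"]

# Constructed syslog lines in an ASA/FTD-like style (not captured from a real
# device). 198.51.100.77 is deliberately outside the allow-list above.
SAMPLE_SYSLOG = """\
%FTD-6-605005: Login permitted from 203.0.113.5/51022 to outside:192.0.2.1/ssh for user "admin"
%FTD-6-605004: Login denied from 198.51.100.77/40211 to outside:192.0.2.1/ssh for user "admin"
%FTD-6-605004: Login denied from 198.51.100.77/40212 to outside:192.0.2.1/ssh for user "root"
%FTD-6-605004: Login denied from 198.51.100.77/40213 to outside:192.0.2.1/ssh for user "cisco"
%FTD-6-605005: Login permitted from 198.51.100.10/44100 to outside:192.0.2.1/ssh for user "admin"
"""

LOGIN_RE = re.compile(
    r'Login (?P<result>permitted|denied) from (?P<src>[\d.]+)/\d+ '
    r'to (?P<ifc>\w+):[\d.]+/ssh for user "(?P<user>[^"]*)"'
)


def check_allow_list(sources, max_addresses=256):
    """Return findings for an SSH allow-list; an empty list means it is specific.

    Flags an any-source entry (0.0.0.0/0, which opens SSH to the whole internet)
    and prefixes covering more than `max_addresses` hosts.
    """
    findings = []
    for entry in sources:
        net = ipaddress.ip_network(entry, strict=False)
        if net.prefixlen == 0:
            findings.append(f"{entry}: any-source entry, SSH open to the internet")
        elif net.num_addresses > max_addresses:
            findings.append(f"{entry}: broad prefix ({net.num_addresses} addresses)")
    return findings


def scan_ssh_logins(log_text, sources, interface="outside", denial_threshold=3):
    """Scan syslog text for SSH logins on `interface` and report two conditions.

    off_list_sources: any login attempt (permitted or denied) from a source not in
        the allow-list, which suggests the platform-settings restriction is not
        actually in effect on that interface.
    repeated_denials: sources with at least `denial_threshold` denied logins,
        i.e. password guessing against the admin account.
    """
    allowed = [ipaddress.ip_network(s, strict=False) for s in sources]
    off_list = set()
    denials = Counter()
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if not m or m.group("ifc") != interface:
            continue
        src = ipaddress.ip_address(m.group("src"))
        if not any(src in net for net in allowed):
            off_list.add(str(src))
        if m.group("result") == "denied":
            denials[str(src)] += 1
    return {
        "off_list_sources": sorted(off_list),
        "repeated_denials": {s: n for s, n in denials.items() if n >= denial_threshold},
    }


if __name__ == "__main__":
    for finding in check_allow_list(ALLOWED_SSH_SOURCES) or ["allow-list is specific"]:
        print("allow-list:", finding)
    report = scan_ssh_logins(SAMPLE_SYSLOG, ALLOWED_SSH_SOURCES)
    print("logins from outside the allow-list:", report["off_list_sources"])
    print("sources with repeated denials:", report["repeated_denials"])
```

Run it against the constructed sample and the off-list source is reported twice, once because it reached the SSH service at all and once for its three denied logins; the first signal is the more important one, because on a correctly restricted interface a non-allowed source should never produce a login message in the first place.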

Thank you Marius for the valuable inputs, this really helps.

So as per the recommendation, if the site has only internet connectivity then we are good to go ahead with managing it over the FMC (as long as the FMC has internet connectivity and reachability to the device). But we have to make sure we are following a few additional security steps, such as restricting SSH access and allowing access from the internet to the device. Am I right with my understanding?

Regards,

Sanjay S
