Perimeter Traffic Filtering


The original function of a security appliance was to filter traffic originating from a less-secure network, such as the Internet, and destined for the private inside network behind the device. The ASA/PIX implements this default behavior in the following way, presenting a strong security posture:

  • Blocks all inbound traffic

  • Lets all stateful traffic pass from a secure interface to a less-secure interface (inside to outside) and then allows the traffic to return back to the secure interface

  • Enables customers to create their own traffic rules, depending on their requirements

This default behavior ensures that when an ASA/PIX is first installed, the private secure network is fully protected from attacks that might originate from the Internet (outside network).

One of the only possible attacks that could be launched from the Internet against an inside host is a TCP hijack attack.

However, this is unlikely because it would mean that an attacker randomly found a TCP stream and decided to pose as the target device. The most damage that a hacker could probably do in this scenario is to send a Trojan back to a host as a web response (which is essentially the same thing that websites do to inject spyware and adware). The defense for this isn't actually in the security appliance; the defense is in host intrusion prevention (CSA) and antivirus software.

Because of the work already completed in Chapter 5, "Deploying Secure Internet Connectivity," Chapter 6, "Deploying Web and Mail Services," and Chapter 7, "Deploying Authentication," there is very little if anything you need to do as far as setting up additional filters on your security appliance. To gain an understanding of how to set up access rules, in this chapter, you will go into the appropriate panels but not make any additional changes to access rules.

You will now step through an exercise on how to create a new access rule on your ASA/PIX Security Appliance using ASDM. Just to be clear, access rules are known by several different names, depending on the vendors with whom you are working or the books and articles that you read. Don't be confused, because all of these terms are used interchangeably:

  • Access control lists

  • Filters

  • Security appliance filters

  • Access rules

  • Policy rules

  • Policy filters

All these terms mean essentially the same thing. The term most commonly used in the past has been access lists, but the terminology used in ASA/PIX version 7 with ASDM is access rules.

This step-by-step procedure instructs you on how to open a port to allow Secure Sockets Layer (SSL) traffic from the Internet to the web server on your security appliance's demilitarized zone (DMZ) interface.

CAUTION

As a matter of security best practice, if you are not using HTTPS on your web server, delete this rule when you have completed the exercise or take care that you don't click Apply when you have finished the steps.


Step 1.

Click the Configuration Navigation button.

Step 2.

Choose the security policy feature. The default panel will be Access Rules. Click Add. Complete the following steps to fill in the panel as illustrated in Figure 8-8.

Figure 8-8. Add Access Policy HTTPS


Step 3.

Click the Interface pull-down in the Host/Source Network section and choose Outside.

Step 4.

Click the Interface pull-down in the Host/Source Network section and choose DMZ. Enter the IP address 192.168.2.2. You can do this either manually or by using the pop-up button to the right of the text box. Make sure the mask is set to 255.255.255.255.

Step 5.

Check the TCP option in the Protocol and Service section.

Step 6.

Click the pop-up button next to the text box in the Destination Port Service section. Choose HTTPS.

Step 7.

Click OK.

When you are returned to the main Access Rules panel, click Apply to save and activate the rule only if you are planning to allow HTTPS. It is not good practice to add a rule that you don't need; doing so just gives hackers a small opening through which they might be able to exploit your web server. If you are not planning to run HTTPS on your web server, do not click Apply to enable this rule.

The procedure that you have just stepped through is the same for adding or deleting any access rule on your ASA/PIX Security Appliance. Be very careful to make sure that you have chosen the proper interfaces and IP addresses for the source and destination of each access rule. If a rule is misconfigured, the best case is that no traffic passes through the security appliance; the worst case is that you have opened a security hole that can be exploited, and your inside hosts or services might be compromised.
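The default posture listed at the start of this chapter (block inbound, pass stateful traffic from a more secure to a less secure interface and let its replies return, apply any rules you add) and the HTTPS rule built in Steps 3 through 7 can be checked together in a small model. The code below is an added example written for this page; it is not the book's material or Cisco's code. It parses the ASA CLI equivalent of the ASDM rule (the ACL name outside_access_in is the one ASDM usually generates for the outside interface, an assumption rather than something the chapter states), applies the stateful and security-level defaults, and then evaluates the same rule with the host mask widened to the whole DMZ subnet to show the kind of opening that a wrong mask in Step 4 creates. The interface security levels, attached networks and sample addresses are constructed for the example.

```python
"""Model of the ASA/PIX default posture plus one explicit access rule (example code,
not the appliance's own). Parses the ASA 'access-list ... extended' / 'access-group'
subset the ASDM exercise generates and applies the chapter's three default behaviours."""
import ipaddress
from collections import namedtuple

# Assumed security levels and attached networks (constructed for this example;
# 192.168.2.0/24 on the DMZ contains the web server address used in the exercise).
SECURITY_LEVEL = {"inside": 100, "dmz": 50, "outside": 0}
ATTACHED_NET = {"inside": ipaddress.ip_network("10.1.1.0/24"),
                "dmz": ipaddress.ip_network("192.168.2.0/24"),
                "outside": ipaddress.ip_network("0.0.0.0/0")}
PORT_NAMES = {"https": 443, "http": 80, "www": 80}
Packet = namedtuple("Packet", "iface proto src sport dst dport")  # iface = ingress interface


def _parse_addr(tokens):
    """Consume one ASA address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_config(text):
    """Return ({acl_name: [rules]}, {interface: acl_name}) from the supported lines."""
    acls, bindings = {}, {}
    for line in text.splitlines():
        parts = line.split()
        if parts[:1] == ["access-list"] and parts[2:3] == ["extended"]:
            name, action, proto = parts[1], parts[3], parts[4]
            src, rest = _parse_addr(parts[5:])
            dst, rest = _parse_addr(rest)
            dport = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
            acls.setdefault(name, []).append((action, proto, src, dst, dport))
        elif parts[:1] == ["access-group"]:  # access-group NAME in interface IFACE
            bindings[parts[4]] = parts[1]
    return acls, bindings


def egress_interface(dst):
    """Longest-prefix match of the destination against the attached networks."""
    addr = ipaddress.ip_address(dst)
    return max((i for i, n in ATTACHED_NET.items() if addr in n),
               key=lambda i: ATTACHED_NET[i].prefixlen)


class Firewall:
    def __init__(self, config_text):
        self.acls, self.bindings = parse_config(config_text)
        self.connections = set()  # 5-tuples of flows already permitted

    def admit(self, pkt):
        """Return True if the packet is forwarded, False if dropped."""
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.connections or rev in self.connections:
            return True  # stateful: return traffic of a permitted flow passes
        acl = self.bindings.get(pkt.iface)
        if acl is not None:  # a rule set bound to the ingress interface decides, implicit deny
            verdict = self._match(self.acls.get(acl, []), pkt)
        else:  # no rule set: only more-secure to less-secure traffic is allowed
            verdict = SECURITY_LEVEL[pkt.iface] > SECURITY_LEVEL[egress_interface(pkt.dst)]
        if verdict:
            self.connections.add(fwd)
        return verdict

    @staticmethod
    def _match(rules, pkt):
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        for action, proto, rsrc, rdst, dport in rules:
            if proto in (pkt.proto, "ip") and src in rsrc and dst in rdst and dport in (None, pkt.dport):
                return action == "permit"
        return False


# Assumed CLI equivalent of the rule built in Steps 3-7; the ACL name is the one ASDM
# usually generates for the outside interface, not one the chapter states.
HTTPS_RULE = """
access-list outside_access_in extended permit tcp any host 192.168.2.2 eq https
access-group outside_access_in in interface outside
"""
# The same rule with the host mask mistakenly widened to the whole DMZ subnet.
WIDE_RULE = HTTPS_RULE.replace("host 192.168.2.2", "192.168.2.0 255.255.255.0")


def exercise(config):
    """Run constructed sample packets through a firewall loaded with `config`."""
    fw, client = Firewall(config), "203.0.113.9"  # constructed Internet client
    return {
        "https_to_web": fw.admit(Packet("outside", "tcp", client, 40000, "192.168.2.2", 443)),
        "ssh_to_web": fw.admit(Packet("outside", "tcp", client, 40001, "192.168.2.2", 22)),
        "https_to_other_dmz": fw.admit(Packet("outside", "tcp", client, 40002, "192.168.2.7", 443)),
        "inside_out": fw.admit(Packet("inside", "tcp", "10.1.1.5", 50000, "198.51.100.4", 80)),
        "return_to_inside": fw.admit(Packet("outside", "tcp", "198.51.100.4", 80, "10.1.1.5", 50000)),
        "unsolicited_to_inside": fw.admit(Packet("outside", "tcp", "198.51.100.4", 80, "10.1.1.6", 50000)),
    }


if __name__ == "__main__":
    for label, cfg in (("no rule", ""), ("host rule", HTTPS_RULE), ("subnet rule", WIDE_RULE)):
        print(label, exercise(cfg))
```

With no rule loaded, nothing from the outside reaches the DMZ or the inside, while the inside host's web request and its reply both pass. With the host rule, only HTTPS to 192.168.2.2 is added to that picture. With the widened mask, HTTPS to every other DMZ address (192.168.2.7 in the sample) is reachable as well, which is exactly the sort of unintended opening the mask check in Step 4 is meant to prevent.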



Securing Your Business with Cisco ASA and PIX Firewalls
ISBN: 1587052148
Year: 2006
Pages: 120
Authors: Greg Abelar