Perimeter Best Practices


The three golden rules for defining access rules on your firewall are as follows: enforce a restrictive policy, allow only the traffic required for your company to run, and deny all other traffic. If you are asked to allow new traffic through your firewall, err on the side of caution. Deny the request until you have researched and understand the potential security impact of allowing it.

This rule is enforced by default in the ASA/PIX Security Appliance. It ships configured to allow no traffic in from the outside, except return traffic for connections that were initiated from the inside. When you write access lists, if the requirement is web traffic to a web server, write the access list exactly that way: permit HTTP only to the IP address of the web server, not to your entire network.
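As an added illustration (not configuration from the book), the following ASA 7.x CLI fragment expresses that rule: one web server published through a static translation, HTTP permitted to that single address, and everything else inbound denied. The interface name, the addresses (203.0.113.10 is from the documentation range, 10.1.1.10 is the assumed inside address), and the access-list name OUTSIDE_IN are assumptions chosen for the example.

```cisco
! Added example, not from the book. Assumed names and addresses:
!   outside interface "outside", inside interface "inside",
!   public address 203.0.113.10, inside web server 10.1.1.10,
!   access-list name OUTSIDE_IN.
!
! Publish the inside server at one fixed public address (ASA 7.x static NAT).
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
!
! Permit TCP/80 only to that one host. In ASA 7.x the outside access list
! matches on the translated (public) address, not the inside address.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq www
!
! Explicit catch-all deny with logging. The appliance already denies
! unmatched inbound traffic; the explicit line makes attempts visible in syslog.
access-list OUTSIDE_IN extended deny ip any any log
!
! Apply the list to traffic entering the outside interface.
access-group OUTSIDE_IN in interface outside
```

After applying it, `show access-list OUTSIDE_IN` displays a hit count per line; a climbing count on the final deny line is a quick check that the list is actually in the path and that unsolicited inbound traffic is being dropped rather than silently passing through some broader rule.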

Look closely at the custom service policy rules that you can deploy. The functionality that ASDM and the ASA/PIX Security Appliance give you to deploy your own service policy rules is powerful. Review them often and get an understanding of how they might increase the security posture of your network. For example, you might notice that an Internet vulnerability has just come out that exploits your FTP server, but a patch is not ready. The vulnerability uses the FTP command APPE to append a Trojan to a system file. You could easily go into the ASDM Service Policy panel and write a policy that drops packets containing the FTP APPE command. If you ever need help or advice on deploying policies such as these, contact the Cisco Technical Assistance Center or your local Cisco sales team. They have security engineers available 24/7 to help with any type of question.
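The CLI equivalent of that ASDM service policy, as an added example that is not from the book, looks like the fragment below. It uses the ASA 7.0 `ftp-map` syntax; releases 7.2 and later express the same idea with `policy-map type inspect ftp`, so check the command reference for your release. The map name FTP_NO_APPE is an assumption; `global_policy` and `inspection_default` are the policy-map and class names present in a factory configuration and are assumed to still be in place.

```cisco
! Added example, not from the book. ASA 7.0 syntax; assumed map name FTP_NO_APPE,
! and the factory-default global_policy / inspection_default names.
!
! List the FTP request commands that the inspection engine must refuse.
ftp-map FTP_NO_APPE
 request-command deny appe
!
! Attach the map to FTP inspection in the default global policy. "strict"
! is required for request-command filtering; it also enforces FTP protocol
! conformance, so test against your own FTP clients before relying on it.
policy-map global_policy
 class inspection_default
  inspect ftp strict FTP_NO_APPE
!
! Ensure the policy is applied on all interfaces (already true on a
! factory configuration; harmless to repeat).
service-policy global_policy global
```

`show service-policy inspect ftp` shows the inspection counters, which is the quickest way to confirm that FTP sessions are actually passing through the strict inspector after the change.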

There was no discussion in this book about using the ASA/PIX Security Appliance without network address translation (NAT). This is possible with ASA/PIX version 7, but it is not generally recommended. NAT keeps hackers from seeing the real inside addresses on your network, and the less a hacker knows about your network, the stronger the security posture you maintain.

Vulnerability scanning is another good way to help ensure that you have the strongest possible security posture. A vulnerability scan is easily accomplished for free by running a program such as Nessus (http://www.nessus.org) against the outside of your firewall. It reports all the ports that are open through your firewall and the known vulnerabilities associated with the services on those ports. From that report, you can verify that all application patches and hotfixes are current on your systems. It can also tell you whether you have ports open on your firewall that you didn't know about.

You should run vulnerability scans at least once a month on your network. On top of that, you should also have a professional security organization come in at least once every year or two and perform what is called a security posture analysis on your system. This is an in-depth assessment that you can't actually do with off-the-shelf products. The Cisco Security Posture Assessment (SPA) team has found that upward of 60 percent of all networks have vulnerabilities that can be exploited from the Internet, and more than 90 percent of networks can be exploited if a hacker makes his way to the inside.



Securing Your Business with Cisco ASA and PIX Firewalls
ISBN: 1587052148
Year: 2006
Pages: 120
Authors: Greg Abelar
