Additional Security Best Practices


Along with defense in depth, you need to adopt some additional best practices to ensure that network security is achieved in your business.

Specific issues that you need to address include the following:

  • VPN users are at higher risk of software infection because their environment isn't controlled by a corporate security policy.

  • Security management functions such as logging, reading, and responding to syslog messages and events need to be deployed.

The bulk of the best practices described throughout the book are summarized in Appendix A, "Deploying Effective Security Management."

Remote-Access Defense

Remote access is a staple of many businesses in today's Internet environment. Increasingly, companies are finding that by allowing employees to telecommute from home or remote offices, productivity increases while expenses and overhead decrease. From a business perspective, it's a win-win situation; from a network security perspective, however, it has its challenges.

Telecommuters often connect through Internet service providers (ISPs) that don't provide a secure environment and from wireless hotspots that are inherently insecure. Because of that, telecommuter hosts often have a higher exposure to viruses, worms, Trojans, adware, spyware, and direct attacks. This exposure becomes a problem when the telecommuter connects to the main business network. If proper security isn't in place, those hosts can spread viruses and worms to other devices inside the network. Another problem associated with telecommuting is the threat of proprietary data being sent over the Internet. Fortunately, you can mitigate both of these problems with a virtual private network (VPN) and the principles of defense in depth in the ASA/PIX Security Appliance.

The ASA/PIX Security Appliance allows businesses to set up private encrypted tunnels for people who need access to the inside network from the Internet. This group might include employees, partners, and even customers. This solution is called virtual private networking, and the ASA/PIX Security Appliance uses technology called IPSec to achieve the secure and encrypted communication. If you use IPSec/VPN, users who connect to your security appliance from the Internet essentially become part of a virtual network and have access to network services just as if they were inside the network.

VPN tunnels require authentication to allow only valid users access to the network. To mitigate the malicious software that can spread from these remote machines, you can use the VPN client "are you there" function to ensure that these users are running firewalls or CSA before they are allowed to connect to your network. After the VPN tunnel is terminated on the ASA/PIX Security Appliance, the security appliance then applies all its security functions to ensure that an attack isn't embedded within the VPN tunnel.

Security Management of the ASA/PIX Security Appliance

You should look at security management as a serious issue. The bottom line is that the security of your network is only as good as the management policies that have been deployed.

NOTE

For an in-depth discussion of security management, refer to the "Cisco SAFE Enterprise" white paper at http://www.cisco.com/go/safe.


Ensure at minimum that you enforce the following from a security management perspective:

  • Use username and password best practices.

  • Use syslog to recognize possible security appliance or attack issues.

  • Perform attack forensics, follow up on attacks, and take any required action if you think an attack has been successful on one of your network devices.

  • Use CSA logs to recognize possible day-zero attacks and modify your perimeter rules to help mitigate those attacks.

Securing ASA/PIX Security Appliance Usernames and Passwords

You should develop a password policy that helps to ensure that attackers cannot obtain access to your security appliance. In this book, the ASA/PIX Security Appliance is the most critical device in the network, and password protection is stressed in many different parts of this book.

Passwords should be at least eight characters and should have upper- and lowercase characters as well as special characters (numerals and +_)(*&^%$#@!). The password should never be a word that can be found in a dictionary. Many password-cracking programs available on the Internet assist hackers in breaking into password-protected devices or parsing and decrypting password files or password hashes. Because an eight-character password is difficult to remember, you might want to match your password to an easy-to-remember phrase. For example, the password Slatfatf42 could be matched to the phrase "so long and thanks for all the fish 42." Many administrators take it a step further and use obscure usernames as well as passwords. Instead of using admin or root, they apply the same guidelines as for passwords: a minimum of eight characters, with upper- and lowercase characters as well as special characters (numerals and +_)(*&^%$#@!). The downside, of course, is that these names and passwords might be hard to remember. The upside is that it becomes exponentially more difficult for a hacker to break into the security appliance with a brute-force password attack.
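The password rules above as a checker, together with the phrase-to-password mnemonic the book uses for Slatfatf42; this is an added example, not code from the book or from the ASA/PIX appliance. The wordlist is a constructed stand-in for a real cracking dictionary, and the 74-symbol alphabet assumes the 52 letters plus the 22 numerals and symbols the text lists.

```python
import string

# Special characters as the book defines them: numerals plus +_)(*&^%$#@!
SPECIAL_CHARS = set(string.digits + "+_)(*&^%$#@!")
ALPHABET_SIZE = 26 + 26 + len(SPECIAL_CHARS)  # 74 symbols per position for a brute-forcer

# Constructed, deliberately tiny stand-in for a cracking wordlist; a real
# check would load a full dictionary file instead (assumption for this example).
DICTIONARY = {"password", "admin", "root", "cisco", "firewall", "letmein", "welcome"}


def passphrase_to_password(phrase: str) -> str:
    """Mnemonic password the way the book builds 'Slatfatf42' from
    'so long and thanks for all the fish 42': first letter of each word,
    digit groups kept whole, first character capitalized."""
    pieces = [word if word.isdigit() else word[0] for word in phrase.split()]
    candidate = "".join(pieces)
    return candidate[:1].upper() + candidate[1:]


def check_password(pw: str) -> list:
    """Return the policy rules the password violates (empty list = compliant)."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than eight characters")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase character")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase character")
    if not any(c in SPECIAL_CHARS for c in pw):
        problems.append("no numeral or special character")
    # Compare the letters alone with the wordlist so that 'Password1!' is
    # still recognised as a dictionary word dressed up with a digit and a symbol.
    letters_only = "".join(c for c in pw if c.isalpha()).lower()
    if pw.lower() in DICTIONARY or letters_only in DICTIONARY:
        problems.append("based on a dictionary word")
    return problems


def brute_force_keyspace(length: int) -> int:
    """Candidates an exhaustive search over the full 74-symbol alphabet must try."""
    return ALPHABET_SIZE ** length


if __name__ == "__main__":
    mnemonic = passphrase_to_password("so long and thanks for all the fish 42")
    for candidate in ("password", "Password1!", "Cisco", mnemonic):
        print(f"{candidate:>12}: {check_password(candidate) or 'OK'}")
    print("eight-character keyspace:", brute_force_keyspace(8))
```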

NOTE

Unless it's absolutely necessary, you should never allow management access to your security appliance from the outside. This would open the door for one of the oldest attacks on record, a brute-force password attack from the Internet. Not allowing management access from the outside also ensures that if a hacker wants to break into your security appliance, the hacker must first compromise a system on the inside. With defense in depth applied, this is a difficult, if not impossible, task. If you must allow management from the outside, you should use IPSec/VPN as the secure management connection.


Using the ASA/PIX Security Appliance Reporting System

The ASA/PIX Security Appliance uses the syslog protocol for reporting error messages and alerts. Syslog data can be sent to the device running the ASDM software for troubleshooting purposes, but normally, the security appliance is configured to write syslog data to a remote machine.

Syslog will contain messages that will help you to troubleshoot your environment. For example, if customers can't get to a web server and you know the web server is up and running, check the syslog; you will likely have an error message that will help you to solve the problem. Cisco.com has all the ASA/PIX Security Appliance syslog messages documented at http://www.cisco.com/go/pix in the Technical Documentation section. If you need help analyzing a message, the Cisco Technical Assistance Center is there to help every day of the year on a 24/7 schedule.

Syslog might also contain messages if you are under attack. Those messages are indicated by an intrusion detection system (IDS) prefix. If you are dropping attack packets, this indicates that the security appliance blocked a potential attack. If you are not dropping packets, you will want to go to the machine that the attack was destined for and ensure that CSA caught the attack before it was successful.

If you find that you have hundreds of IDS messages and you don't have a security manager or engineer within your business, you might want to call Cisco Technical Assistance Center to discuss what steps you should take next.

One of the most important uses of syslog is that it will tell you when someone logs on to the ASA/PIX Security Appliance, and it will show any changes made. Therefore, you should view the syslog frequently to ensure that only administrators have access to the security appliance and that no commands are being issued that might disrupt your network or cause security concerns.
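An added example (not from the book or from Cisco) of the kind of syslog review this section describes: a small triage script that reads ASA/PIX syslog lines and pulls out the three message families the text says to watch, IDS-prefixed alerts, logons, and configuration commands, flagging any user name that is not on the authorized administrator list. The sample lines and the `authorized_users` set are constructed; their wording follows the %ASA-severity-id message format.

```python
import re

# Constructed sample in the %ASA-<severity>-<message id>: format the appliance emits.
# Wording follows the IDS, login and command-accounting message families, but the
# hosts, users and timestamps are made up for this example.
SAMPLE_SYSLOG = """\
Mar 12 10:01:02 fw1 %ASA-4-400013: IDS:2003 ICMP redirect from 203.0.113.9 to 192.0.2.20 on interface outside
Mar 12 10:01:03 fw1 %ASA-6-302013: Built inbound TCP connection 1234 for outside:203.0.113.9/4455 (203.0.113.9/4455) to dmz:192.0.2.20/80 (192.0.2.20/80)
Mar 12 10:02:15 fw1 %ASA-6-605005: Login permitted from 10.1.1.5/51234 to inside:10.1.1.1/ssh for user "admin"
Mar 12 10:02:40 fw1 %ASA-5-111008: User 'admin' executed the 'no access-list outside_in' command.
Mar 12 10:03:10 fw1 %ASA-4-400007: IDS:1100 IP fragment attack from 198.51.100.7 to 192.0.2.20 on interface outside
"""

LINE_RE = re.compile(r"%(?:ASA|PIX)-(?P<sev>\d)-(?P<id>\d{6}): (?P<text>.*)$")
USER_RE = re.compile(r"user ['\"]([^'\"]+)['\"]", re.IGNORECASE)


def parse_line(line: str):
    """Split one syslog line into severity, message id and text; None if not an ASA/PIX line."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return {"severity": int(m["sev"]), "id": m["id"], "text": m["text"]}


def classify(text: str) -> str:
    """Map a message to the families the book says to watch; everything else is noise here."""
    if text.startswith("IDS:"):
        return "ids"
    if text.startswith("Login "):
        return "login"
    if "executed the" in text and "command" in text:
        return "config_change"
    return "other"


def triage(syslog_text: str, authorized_users: set) -> dict:
    """Collect IDS hits, logons and configuration commands, and flag any user name
    that appears in a logon or command record but is not an authorized administrator."""
    report = {"ids": [], "login": [], "config_change": [], "unexpected_users": []}
    for line in syslog_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        kind = classify(event["text"])
        if kind == "other":
            continue
        report[kind].append(event["text"])
        user = USER_RE.search(event["text"])
        if user and user.group(1) not in authorized_users:
            report["unexpected_users"].append(user.group(1))
    return report
```

Run `triage(SAMPLE_SYSLOG, {"admin"})` and compare the `unexpected_users` list with an empty one; a non-empty list, or IDS hits for a host that is not dropping packets, is the cue to follow up on that host as the section describes.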



Securing Your Business with Cisco ASA and PIX Firewalls
ISBN: 1587052148
Year: 2006
Pages: 120
Authors: Greg Abelar
