@acheremisov
Created January 26, 2020 17:30
Cisco ASA Hardening Best Practices
! Set hostname, domain-name and enable password.
hostname ACME-ASA5545
domain-name ACME.COM
enable password $sha512$5000$0VRh3f2no2Na/HtZXqIc9g==$5ua3NRhS4AFbjCDQGbU9Aw== pbkdf2
! Configure login and ASDM banners
! The login banner must not disclose the device name, model, software version or owner: an attacker can use those details to fingerprint the device.
banner login =========================================================================
banner login THIS IS AN ACME CORPORATION COMPUTER SYSTEM. THIS COMPUTER
banner login SYSTEM, INCLUDING ALL RELATED EQUIPMENT, NETWORKS AND NETWORK DEVICES
banner login (SPECIFICALLY INCLUDING INTERNET ACCESS), ARE PROVIDED ONLY FOR
banner login AUTHORIZED USE. ACME CORPORATION SYSTEMS MAY BE MONITORED
banner login FOR ALL LAWFUL PURPOSES, INCLUDING TO ENSURE THAT THEIR USE IS
banner login AUTHORIZED, FOR MANAGEMENT OF THE SYSTEM, TO FACILITATE PROTECTION
banner login AGAINST UNAUTHORIZED ACCESS, AND TO VERIFY SECURITY PROCEDURES,
banner login SURVIVABILITY AND OPERATIONAL SECURITY. MONITORING INCLUDES ACTIVE
banner login ATTACKS BY AUTHORIZED COMPANY ENTITIES TO TEST OR VERIFY THE SECURITY OF
banner login THIS SYSTEM. DURING MONITORING, INFORMATION MAY BE EXAMINED,
banner login RECORDED, COPIED AND USED FOR AUTHORIZED PURPOSES. ALL INFORMATION,
banner login INCLUDING PERSONAL INFORMATION, PLACED ON OR SENT OVER THIS SYSTEM MAY
banner login BE MONITORED.
banner login
banner login USE OF THIS ACME CORPORATION SYSTEM, AUTHORIZED OR UNAUTHORIZED,
banner login CONSTITUTES CONSENT TO MONITORING OF THIS SYSTEM. UNAUTHORIZED USE
banner login MAY SUBJECT YOU TO CRIMINAL PROSECUTION. EVIDENCE OF UNAUTHORIZED USE
banner login COLLECTED DURING MONITORING MAY BE USED FOR ADMINISTRATIVE, CRIMINAL
banner login OR OTHER ADVERSE ACTION. USE OF THIS SYSTEM CONSTITUTES CONSENT TO
banner login MONITORING FOR THESE PURPOSES
banner login =========================================================================
banner asdm =========================================================================
banner asdm THIS IS AN ACME CORPORATION COMPUTER SYSTEM. THIS COMPUTER
banner asdm SYSTEM, INCLUDING ALL RELATED EQUIPMENT, NETWORKS AND NETWORK DEVICES
banner asdm (SPECIFICALLY INCLUDING INTERNET ACCESS), ARE PROVIDED ONLY FOR
banner asdm AUTHORIZED USE. ACME CORPORATION SYSTEMS MAY BE MONITORED
banner asdm FOR ALL LAWFUL PURPOSES, INCLUDING TO ENSURE THAT THEIR USE IS
banner asdm AUTHORIZED, FOR MANAGEMENT OF THE SYSTEM, TO FACILITATE PROTECTION
banner asdm AGAINST UNAUTHORIZED ACCESS, AND TO VERIFY SECURITY PROCEDURES,
banner asdm SURVIVABILITY AND OPERATIONAL SECURITY. MONITORING INCLUDES ACTIVE
banner asdm ATTACKS BY AUTHORIZED COMPANY ENTITIES TO TEST OR VERIFY THE SECURITY OF
banner asdm THIS SYSTEM. DURING MONITORING, INFORMATION MAY BE EXAMINED,
banner asdm RECORDED, COPIED AND USED FOR AUTHORIZED PURPOSES. ALL INFORMATION,
banner asdm INCLUDING PERSONAL INFORMATION, PLACED ON OR SENT OVER THIS SYSTEM MAY
banner asdm BE MONITORED.
banner asdm
banner asdm USE OF THIS ACME CORPORATION SYSTEM, AUTHORIZED OR UNAUTHORIZED,
banner asdm CONSTITUTES CONSENT TO MONITORING OF THIS SYSTEM. UNAUTHORIZED USE
banner asdm MAY SUBJECT YOU TO CRIMINAL PROSECUTION. EVIDENCE OF UNAUTHORIZED USE
banner asdm COLLECTED DURING MONITORING MAY BE USED FOR ADMINISTRATIVE, CRIMINAL
banner asdm OR OTHER ADVERSE ACTION. USE OF THIS SYSTEM CONSTITUTES CONSENT TO
banner asdm MONITORING FOR THESE PURPOSES
banner asdm =========================================================================
! Set the proper timezone and the recurring daylight-saving adjustment (the ASA keyword is summer-time)
clock timezone EST -5
clock summer-time EDT recurring
! Set timestamps and syslog servers
logging timestamp
logging buffer-size 20000
logging buffered informational
logging trap informational
logging host INSIDE 10.100.10.12
logging host INSIDE 192.168.100.10
! Avoid logging to console and monitor sessions.
no logging console
no logging monitor
! Allow ICMP only from the management hosts
icmp permit host 10.95.99.0 echo-reply OUTSIDE
icmp permit host 10.95.99.123 echo OUTSIDE
icmp deny any OUTSIDE
! Set authentication and authorization
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa local authentication attempts max-fail 5
username cisco password $sha512$5000$bVvOSpQ7rmN7WVLa+PUBiw==$vfMm+Yuk16BwylqYRjpXtw== pbkdf2
aaa authentication login-history
! Enable the HTTP server only if you need ASDM access, and restrict it to management IP addresses
http server enable
http 192.168.100.100 255.255.255.255 INSIDE
! Configure SNMPv3
snmp-server group ACME_SNMP v3 priv
snmp-server user snmpv3user2 ACME_SNMP v3 engineID 80000009fefd723c123f64e8811b1d082dde352bc399ab0397 encrypted auth sha af:a4:b4:4a:84:f5:48:6a:a2:9d:7a:c1:90:c1:9b:73:f5:41:dc:8a priv aes 256 e4:17:ae:3e:6d:83:0c:46:b4:fe:64:e0:6b:84:2a:c3:05:2e:17:fd:47:e6:66:f1:2f:c8:fc:cf:51:19:1a:ab
snmp-server location RACK 3, DC1
snmp-server contact John Smith
! Disable service password recovery. This prevents anyone with console access from using the recovery procedure to reach the device configuration and clear the password. Keep in mind that if you forget the password you will have to wipe the box and restore from your backup.
no service password-recovery
! Set explicit timeouts for SSH, telnet and console
telnet timeout 3
ssh timeout 10
console timeout 3
! Configure SSH with Diffie-Hellman key exchange using Group 14 (2048 bits) to avoid the Logjam attack (https://weakdh.org/)
ssh version 2
ssh 10.X.X.X 255.255.255.255 OUTSIDE
! "high" restricts the SSH ciphers to aes256-cbc and aes256-ctr
ssh cipher encryption high
ssh key-exchange group dh-group14-sha1
! Configure at least two NTP servers with authenticated NTP associations
! You can find a list of public NTP servers (no authentication needed) at:
! http://support.ntp.org/bin/view/Servers/NTPPoolServers
! http://tf.nist.gov/tf-cgi/servers.cgi
ntp authentication-key 1 md5 *****
ntp authentication-key 2 md5 *****
! Keys must also be marked trusted, otherwise the ASA will not synchronize with an authenticated server
ntp trusted-key 1
ntp trusted-key 2
ntp authenticate
ntp server 10.0.0.1 key 1 prefer
ntp server 10.0.0.2 key 2
! Limit server and client TLS version to only TLS 1.2
! Set TLS cipher negotiation only for "high" security ciphers.
! The list of ciphers will be limited only to the following:
! tlsv1.2 (high):
! ECDHE-ECDSA-AES256-GCM-SHA384
! ECDHE-RSA-AES256-GCM-SHA384
! DHE-RSA-AES256-GCM-SHA384
! AES256-GCM-SHA384
! ECDHE-ECDSA-AES256-SHA384
! ECDHE-RSA-AES256-SHA384
! DHE-RSA-AES256-SHA256
! AES256-SHA256
! Keep in mind that after you set the SSL cipher to "high" you won't be able to connect using ASDM until the Java client supports these ciphers.
! You need to install the "Unlimited Strength" Java Cryptography Extension policy files from http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
! Unpack and copy the downloaded files to your Java security folder (in my case it's C:\Program Files (x86)\Java\jre1.8.0_151\lib\security)
ssl server-version tlsv1.2
ssl client-version tlsv1.2
ssl cipher tlsv1.2 high
! Configure Unicast RPF
! Unicast RPF guards against IP spoofing (a packet that uses a forged source IP address to obscure its true origin)
! by dropping any packet whose source IP address does not match the interface it arrived on according to the routing table.
! Apply it per interface (the OUTSIDE interface is the usual minimum).
ip verify reverse-path interface *interface_name*
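Added example (not part of the gist): a small audit that checks an ASA running-config against the baseline above, with one absence check (no SNMPv1/v2c community string) added by the editor. The check names, regexes and SAMPLE_CONFIG are this example's own constructions; feed it the output of `show running-config all` so that default-valued lines are present in the input.

```python
"""Audit an ASA running-config against the baseline above (added example,
not part of the gist). Use `show running-config all` as input so that
default-valued lines such as `no logging console` appear explicitly."""
import re

# (check name, regex a compliant line must match, must such a line exist?)
# The regexes are this example's assumptions about compliant syntax.
BASELINE = [
    ("SSH version 2 only", r"^ssh version 2$", True),
    ("DH group 14 key exchange", r"^ssh key-exchange group dh-group14-sha1$", True),
    ("TLS 1.2 server-side only", r"^ssl server-version tlsv1\.2$", True),
    ("High-strength TLS ciphers", r"^ssl cipher tlsv1\.2 high$", True),
    ("NTP authentication enabled", r"^ntp authenticate$", True),
    ("Password recovery disabled", r"^no service password-recovery$", True),
    ("ICMP default deny on OUTSIDE", r"^icmp deny any OUTSIDE$", True),
    ("SNMPv3 priv group present", r"^snmp-server group \S+ v3 priv$", True),
    ("Unicast RPF on OUTSIDE", r"^ip verify reverse-path interface OUTSIDE$", True),
    # Absence check: a v1/v2c community string defeats the SNMPv3-only intent.
    ("No SNMPv1/v2c community", r"^snmp-server community ", False),
]

def audit(config_text: str) -> dict:
    """Map each baseline check to True (compliant) or False (finding)."""
    lines = [line.strip() for line in config_text.splitlines()]
    results = {}
    for name, pattern, must_exist in BASELINE:
        present = any(re.match(pattern, line) for line in lines)
        results[name] = present == must_exist
    return results

def findings(config_text: str) -> list:
    return sorted(name for name, ok in audit(config_text).items() if not ok)

# Constructed sample: a partially hardened box with three remaining gaps.
SAMPLE_CONFIG = """\
ssh version 2
ssh key-exchange group dh-group14-sha1
ssl server-version tlsv1.2
ssl cipher tlsv1.2 medium
ntp authenticate
no service password-recovery
icmp deny any OUTSIDE
snmp-server group ACME_SNMP v3 priv
snmp-server community public
"""
```

`findings(SAMPLE_CONFIG)` reports the medium cipher suite, the leftover community string and the missing uRPF line; extend BASELINE with the remaining items from the gist as your own baseline grows.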