Created January 26, 2020 17:30
Cisco ASA Hardening Best Practices
! Set hostname, domain-name and enable password.
hostname ACME-ASA5545
domain-name ACME.COM
enable password $sha512$5000$0VRh3f2no2Na/HtZXqIc9g==$5ua3NRhS4AFbjCDQGbU9Aw== pbkdf2
! Configure login and ASDM banners
! The login banner should not contain any specific information about the device name, model, software, or ownership, because this information can be used by attackers.
banner login =========================================================================
banner login THIS IS AN ACME CORPORATION COMPUTER SYSTEM. THIS COMPUTER
banner login SYSTEM, INCLUDING ALL RELATED EQUIPMENT, NETWORKS AND NETWORK DEVICES
banner login (SPECIFICALLY INCLUDING INTERNET ACCESS), ARE PROVIDED ONLY FOR
banner login AUTHORIZED USE. ACME CORPORATION SYSTEMS MAY BE MONITORED
banner login FOR ALL LAWFUL PURPOSES, INCLUDING TO ENSURE THAT THEIR USE IS
banner login AUTHORIZED, FOR MANAGEMENT OF THE SYSTEM, TO FACILITATE PROTECTION
banner login AGAINST UNAUTHORIZED ACCESS, AND TO VERIFY SECURITY PROCEDURES,
banner login SURVIVABILITY AND OPERATIONAL SECURITY. MONITORING INCLUDES ACTIVE
banner login ATTACKS BY AUTHORIZED COMPANY ENTITIES TO TEST OR VERIFY THE SECURITY OF
banner login THIS SYSTEM. DURING MONITORING, INFORMATION MAY BE EXAMINED,
banner login RECORDED, COPIED AND USED FOR AUTHORIZED PURPOSES. ALL INFORMATION,
banner login INCLUDING PERSONAL INFORMATION, PLACED ON OR SENT OVER THIS SYSTEM MAY
banner login BE MONITORED.
banner login
banner login USE OF THIS ACME CORPORATION SYSTEM, AUTHORIZED OR UNAUTHORIZED,
banner login CONSTITUTES CONSENT TO MONITORING OF THIS SYSTEM. UNAUTHORIZED USE
banner login MAY SUBJECT YOU TO CRIMINAL PROSECUTION. EVIDENCE OF UNAUTHORIZED USE
banner login COLLECTED DURING MONITORING MAY BE USED FOR ADMINISTRATIVE, CRIMINAL
banner login OR OTHER ADVERSE ACTION. USE OF THIS SYSTEM CONSTITUTES CONSENT TO
banner login MONITORING FOR THESE PURPOSES.
banner login =========================================================================
banner asdm =========================================================================
banner asdm THIS IS AN ACME CORPORATION COMPUTER SYSTEM. THIS COMPUTER
banner asdm SYSTEM, INCLUDING ALL RELATED EQUIPMENT, NETWORKS AND NETWORK DEVICES
banner asdm (SPECIFICALLY INCLUDING INTERNET ACCESS), ARE PROVIDED ONLY FOR
banner asdm AUTHORIZED USE. ACME CORPORATION SYSTEMS MAY BE MONITORED
banner asdm FOR ALL LAWFUL PURPOSES, INCLUDING TO ENSURE THAT THEIR USE IS
banner asdm AUTHORIZED, FOR MANAGEMENT OF THE SYSTEM, TO FACILITATE PROTECTION
banner asdm AGAINST UNAUTHORIZED ACCESS, AND TO VERIFY SECURITY PROCEDURES,
banner asdm SURVIVABILITY AND OPERATIONAL SECURITY. MONITORING INCLUDES ACTIVE
banner asdm ATTACKS BY AUTHORIZED COMPANY ENTITIES TO TEST OR VERIFY THE SECURITY OF
banner asdm THIS SYSTEM. DURING MONITORING, INFORMATION MAY BE EXAMINED,
banner asdm RECORDED, COPIED AND USED FOR AUTHORIZED PURPOSES. ALL INFORMATION,
banner asdm INCLUDING PERSONAL INFORMATION, PLACED ON OR SENT OVER THIS SYSTEM MAY
banner asdm BE MONITORED.
banner asdm
banner asdm USE OF THIS ACME CORPORATION SYSTEM, AUTHORIZED OR UNAUTHORIZED,
banner asdm CONSTITUTES CONSENT TO MONITORING OF THIS SYSTEM. UNAUTHORIZED USE
banner asdm MAY SUBJECT YOU TO CRIMINAL PROSECUTION. EVIDENCE OF UNAUTHORIZED USE
banner asdm COLLECTED DURING MONITORING MAY BE USED FOR ADMINISTRATIVE, CRIMINAL
banner asdm OR OTHER ADVERSE ACTION. USE OF THIS SYSTEM CONSTITUTES CONSENT TO
banner asdm MONITORING FOR THESE PURPOSES.
banner asdm =========================================================================
! Set the proper timezone and the recurring daylight-saving rule
clock timezone EST -5
clock summer-time EDT recurring
! Set timestamps and syslog servers
logging timestamp
logging buffer-size 20000
logging buffered informational
logging trap informational
logging host INSIDE 10.100.10.12
logging host INSIDE 192.168.100.10
! Avoid logging to console and monitor sessions.
no logging console
no logging monitor
! Allow ICMP only from the management hosts
icmp permit host 10.95.99.0 echo-reply OUTSIDE
icmp permit host 10.95.99.123 echo OUTSIDE
icmp deny any OUTSIDE
! Set authentication and authorization
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa local authentication attempts max-fail 5
username cisco password $sha512$5000$bVvOSpQ7rmN7WVLa+PUBiw==$vfMm+Yuk16BwylqYRjpXtw== pbkdf2
aaa authentication login-history
! Turn on the HTTP server only if you need ASDM access, and limit it to management IP addresses
http server enable
http 192.168.100.100 255.255.255.255 INSIDE
! Configure SNMPv3 (authentication and privacy), plus device location and contact
snmp-server group ACME_SNMP v3 priv
snmp-server user snmpv3user2 ACME_SNMP v3 engineID 80000009fefd723c123f64e8811b1d082dde352bc399ab0397 encrypted auth sha af:a4:b4:4a:84:f5:48:6a:a2:9d:7a:c1:90:c1:9b:73:f5:41:dc:8a priv aes 256 e4:17:ae:3e:6d:83:0c:46:b4:fe:64:e0:6b:84:2a:c3:05:2e:17:fd:47:e6:66:f1:2f:c8:fc:cf:51:19:1a:ab
snmp-server location RACK 3, DC1
snmp-server contact John Smith
! Disable service password recovery. This prevents anyone with console access from bypassing authentication to read the device configuration and clear the password. Keep in mind that if you forget the password you need to wipe the box and restore from your backup.
no service password-recovery
! Set explicit timeouts for SSH, telnet and console
telnet timeout 3
ssh timeout 10
console timeout 3
! Configure SSH with Diffie-Hellman negotiation using Group 14 (2048 bits) to avoid the Logjam attack (https://weakdh.org/)
ssh version 2
ssh 10.X.X.X 255.255.255.255 OUTSIDE
! Encrypt only using aes256-cbc, aes256-ctr
ssh cipher encryption high
ssh key-exchange group dh-group14-sha1
! Configure at least two NTP servers with authenticated NTP associations
! You can find a list of public NTP servers (no authentication needed) at:
! http://support.ntp.org/bin/view/Servers/NTPPoolServers
! http://tf.nist.gov/tf-cgi/servers.cgi
ntp authentication-key 1 md5 *****
ntp authentication-key 2 md5 *****
ntp authenticate
ntp server 10.0.0.1 key 1 prefer
ntp server 10.0.0.2 key 2
! Limit server and client TLS version to TLS 1.2 only
! Set TLS cipher negotiation only for "high" security ciphers.
! The list of ciphers will be limited to the following:
! tlsv1.2 (high):
!   ECDHE-ECDSA-AES256-GCM-SHA384
!   ECDHE-RSA-AES256-GCM-SHA384
!   DHE-RSA-AES256-GCM-SHA384
!   AES256-GCM-SHA384
!   ECDHE-ECDSA-AES256-SHA384
!   ECDHE-RSA-AES256-SHA384
!   DHE-RSA-AES256-SHA256
!   AES256-SHA256
! Keep in mind that after you set the SSL cipher to "high" you won't be able to connect using ASDM.
! You need to install the "Unlimited Strength" Java policy files from http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
! Unpack and copy the downloaded files to your Java security folder (in my case it's C:\Program Files (x86)\Java\jre1.8.0_151\lib\security)
ssl server-version tlsv1.2
ssl client-version tlsv1.2
ssl cipher tlsv1.2 high
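The management-plane settings above (banner hygiene, syslog, session timeouts, SSH version and key exchange, restricted SSH/HTTP sources, TLS version and cipher level, authenticated NTP) are easy to drift away from over time. The script below is an added example, not part of the gist, that audits a saved ASA running-config text against those rules; it is a plain line-matcher, not an ASA parser, and the sample config embedded in it is constructed for the demo, deliberately mixing compliant and non-compliant lines. The finding strings and check names are this example's own choices.

```python
import re

# Constructed sample running-config (not a real device). Several lines
# violate the hardening rules so the audit has something to report.
SAMPLE_CONFIG = """\
hostname ACME-ASA5545
domain-name ACME.COM
banner login Welcome to ACME-ASA5545 (ASA 5545-X)
banner login Authorized use only
logging timestamp
logging buffered informational
logging trap informational
logging host INSIDE 10.100.10.12
logging console debugging
telnet timeout 3
ssh timeout 10
http server enable
http 0.0.0.0 0.0.0.0 OUTSIDE
ssh version 2
ssh 10.20.30.40 255.255.255.255 OUTSIDE
ssh key-exchange group dh-group1-sha1
ssl server-version tlsv1.2
ssl client-version tlsv1.2
ssl cipher tlsv1.2 medium
ntp authenticate
ntp server 10.0.0.1 key 1 prefer
ntp server 10.0.0.2
"""


def config_lines(config):
    """Strip blank lines and '!' comments; return the remaining command lines."""
    return [ln.strip() for ln in config.splitlines()
            if ln.strip() and not ln.lstrip().startswith("!")]


def audit(config):
    """Return a list of finding strings; an empty list means every check passed."""
    lines = config_lines(config)
    findings = []

    def has(pattern):
        return any(re.fullmatch(pattern, ln) for ln in lines)

    def grep(pattern):
        matches = (re.fullmatch(pattern, ln) for ln in lines)
        return [m for m in matches if m]

    # Banner: must not leak the hostname or the model number.
    host = next((m.group(1) for m in grep(r"hostname (\S+)")), "")
    banner = " ".join(m.group(1) for m in grep(r"banner \S+ ?(.*)"))
    if host and host.lower() in banner.lower():
        findings.append("banner: leaks hostname")
    if re.search(r"\bASA ?\d{4}", banner):
        findings.append("banner: leaks model")

    # Logging: at least one syslog host, and no console logging.
    if not grep(r"logging host \S+ \S+.*"):
        findings.append("logging: no syslog host")
    if has(r"logging console \S+"):
        findings.append("logging: console logging enabled")

    # Explicit session timeouts for every management access method.
    for svc in ("telnet", "ssh", "console"):
        if not has(rf"{svc} timeout \d+"):
            findings.append(f"{svc}: no explicit timeout")

    # SSH: version 2 only, and no 1024-bit DH group (Logjam).
    if not has(r"ssh version 2"):
        findings.append("ssh: version 2 not enforced")
    if has(r"ssh key-exchange group dh-group1-sha1"):
        findings.append("ssh: 1024-bit DH group (dh-group1-sha1)")

    # Management sources: 'ssh <ip> <mask> <if>' / 'http <ip> <mask> <if>'
    # must not be opened to any (mask 0.0.0.0).
    for m in grep(r"(ssh|http) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)"):
        if m.group(3) == "0.0.0.0":
            findings.append(f"{m.group(1)}: allowed from any on {m.group(4)}")

    # TLS: both sides pinned to 1.2, cipher level 'high'.
    for side in ("server", "client"):
        if not has(rf"ssl {side}-version tlsv1.2"):
            findings.append(f"ssl: {side}-version not pinned to tlsv1.2")
    if not has(r"ssl cipher tlsv1.2 high"):
        findings.append("ssl: tlsv1.2 cipher suite not 'high'")

    # NTP: authentication on, at least two servers, every server keyed.
    servers = grep(r"ntp server (\S+)(?: key (\d+))?(?: prefer)?")
    if not has(r"ntp authenticate"):
        findings.append("ntp: authentication not enabled")
    if len(servers) < 2:
        findings.append("ntp: fewer than two servers")
    for m in servers:
        if m.group(2) is None:
            findings.append(f"ntp: server {m.group(1)} has no key")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FAIL", finding)
```

Feed it the output of `show running-config` saved to a file and extend the regexes as your own baseline grows; because defaults such as console logging being off do not appear in the running-config, the checks flag the presence of a bad setting rather than the absence of a `no ...` line.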
! Configure uRPF
! Unicast RPF guards against IP spoofing (a packet using an incorrect source IP address to obscure its true source)
! by ensuring that every packet's source IP address is reachable through the interface it arrived on, according to the routing table.
ip verify reverse-path interface *interface_name*
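To make the reverse-path check concrete, here is an added example (not part of the gist) that models it in Python: a longest-prefix route lookup on the packet's source address, accepted only if the resulting egress interface is the one the packet arrived on. The routing table, interface names and sample packets are constructed for the demo. The model treats a default route as a valid reverse route, so a spoofed internal prefix arriving from outside is dropped while an arbitrary Internet source on the default-route interface passes; if you want sources with no route at all to be rejected, omit the default route, as the second table in the test does.

```python
import ipaddress

# Constructed routing table (not from the gist): prefix -> egress interface.
ROUTES = {
    "0.0.0.0/0": "OUTSIDE",
    "10.0.0.0/8": "INSIDE",
    "192.168.100.0/24": "INSIDE",
    "172.16.5.0/24": "DMZ",
}


def best_route(addr, routes=ROUTES):
    """Longest-prefix match: the interface the firewall would use to reach addr,
    or None if no route (not even a default) covers it."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in routes.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def urpf_check(src, ingress, routes=ROUTES):
    """Strict reverse-path check: the reverse route for the source address must
    point out of the interface the packet arrived on. Returns (accepted, reason)."""
    iface = best_route(src, routes)
    if iface is None:
        return False, "no route back to source"
    if iface != ingress:
        return False, f"source {src} routes via {iface}, arrived on {ingress}"
    return True, "ok"


# Constructed sample packets: (source address, ingress interface).
SAMPLE_PACKETS = [
    ("10.1.2.3", "INSIDE"),        # internal host from the inside: legitimate
    ("10.1.2.3", "OUTSIDE"),       # internal prefix from the outside: spoofed
    ("203.0.113.9", "OUTSIDE"),    # Internet source via default route: passes
    ("192.168.100.10", "DMZ"),     # inside prefix arriving on the DMZ: spoofed
]

if __name__ == "__main__":
    for src, ingress in SAMPLE_PACKETS:
        ok, reason = urpf_check(src, ingress)
        print("PASS" if ok else "DROP", src, ingress, reason)
```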