Cisco ASA/ASAv Hardening Guide: Prepared by Logicalis for NATS

The document provides guidance on hardening Cisco ASA and ASAv firewalls. It discusses securing the management, control, and data planes. For management plane hardening, it recommends restricting SSH access to bastion hosts only, setting idle timeouts for SSH and console sessions, configuring AAA authentication, and securely configuring protocols such as NTP. For control plane hardening, it suggests filtering routing protocols and disabling unnecessary services. For the data plane, it advises configuring features such as uRPF and TCP sequence number randomization.

Cisco ASA/ASAv Hardening Guide

Version 0.1

Prepared by Logicalis for NATS

Contents

Section 1. Document Control
Section 2. Cisco ASA Hardening
  2.1. Introduction
Section 3. Management Plane Hardening
  3.1. Security Levels
  3.2. Secure Device Access
    3.2.1. Restrict SSH Access
    3.2.2. Set Suitable SSH Timeout
    3.2.3. Set Suitable Console Timeout
    3.2.4. Warning Banners
    3.2.5. HTTPS
  3.3. Secure Interactive Access Using AAA
    3.3.1. Define AAA Server and Key
    3.3.2. Configure AAA Authentication
    3.3.3. Configure AAA Authorization
    3.3.4. Configure AAA Accounting
    3.3.5. Authentication Fallback
  3.4. Secure Management Protocols
    3.4.1. Configure NTP
  3.5. Disable DHCP Server Service (If not being used)
  3.6. DNS Guard
  3.7. Configure Fragment Chain Fragmentation Checks
  3.8. ARP cache additions for non-connected subnets
  3.9. Check if Failover is used
Section 4. Securing Configuration
  4.1. Securing Configuration
  4.2. ASA Image Signing and Verification
  4.3. Disable Service password recovery
  4.4. Password Encryption
Section 5. Logging & Monitoring
  5.1. Configure SNMP
  5.2. SNMP Traps
  5.3. Log Messages to a Syslog Server
  5.4. Configure Logging Console Severity
  5.5. Enable Syslog
  5.6. Enable Logging Timestamp
  5.7. Enable logging buffer
  5.8. Configure Logging to be sent to ASDM
Section 6. Control Plane Hardening
  6.1. Disable Proxy ARPs
  6.2. Limit ICMP responses on interfaces
  6.3. Control-Plane ACL to restrict access from Bastion host
  6.4. Configuring the Fragment Size
  6.5. BGP TTL-based Security Protections
  6.6. BGP Peer Authentication with MD5
  6.7. BGP Configure Maximum Prefixes
  6.8. Filter BGP Prefixes with Prefix Lists
  6.9. Filter BGP Prefixes with Autonomous System Path Access Lists
  6.10. OSPF Authentication
  6.11. OSPF route filtering
Section 7. Data Plane Hardening
  7.1. Unicast Reverse-Path Forwarding
  7.2. TCP Sequence Number Randomization
Section 1. Document Control
Document Information

Title Cisco ASA/ASAv Hardening Guide

Filename Cisco ASA/ASAv Hardening Guide.docx

Revision 0.1

Publish Date

Prepared By Muhammad Ali Khan

Contributors

Audience Internal

Document Classification

Confidentiality The contents of this document are Confidential Information outside of
the Logicalis and NATS project teams.

Revision History

Version Date Review Details

0.1 30/05/2018 Initial Draft

Related Documentation

Section 2. Cisco ASA Hardening
2.1. Introduction
The functions of network devices are structured around three planes: management, control,
and data. The three functional planes of a network each provide different functionality that
needs to be protected.
• Management plane: The management plane handles traffic that is sent to the Cisco
firewall device itself and is composed of applications and protocols such as SSH and
Simple Network Management Protocol (SNMP).

• Control plane: The control plane of a network device processes the traffic that is
paramount to maintaining the functionality of the network infrastructure. The control
plane consists of applications and protocols between network devices, which include
the interior gateway protocols (IGPs) such as the Enhanced Interior Gateway Routing
Protocol (EIGRP) and Open Shortest Path First (OSPF).

• Data plane: The data plane forwards data through a network device. The data plane
does not include traffic that is sent to the local Cisco firewall device.

Section 3. Management Plane Hardening
3.1. Security Levels
A security-level value from 0 through 100 defines the trustworthiness of networks reachable
through an interface of ASA. A value of 0 indicates the least trusted, and a value of 100
indicates the most trusted. The following are the key points:
• By default, all outbound traffic from higher-security-level interfaces to lower-security-
level interfaces is allowed.
• By default, all inbound traffic from lower-security-level interfaces to higher-security-
level interfaces is denied; to pass, this traffic needs to be allowed by an ACL applied
inbound on the lower-security-level interface.
• Traffic between interfaces with the same security level is denied by default and can
be allowed to pass by enabling the same-security-traffic permit inter-interface
command globally on the appliance.
• Traffic entering the appliance via one interface and exiting via the same interface,
known as a "U-turn" or hairpin, is denied by default and can be allowed to pass by
enabling the same-security-traffic permit intra-interface command globally on the
appliance. Enable either of these only where a design actually needs it, because they
remove a default trust boundary.

The following command configures the security level:


hostname(config)# interface <interface_name>
hostname(config-if)# security-level <number>

3.2. Secure Device Access

3.2.1. Restrict SSH Access


Cisco recommends SSH for CLI access to the device. Do not access the security appliance
over HTTP or Telnet, because the authentication credentials are sent in clear text. The
following example configuration enables SSH on a Cisco ASA device (the hostname and domain
name are required before the RSA key pair can be generated):

hostname <device_hostname>
domain-name <domain-name>
crypto key generate rsa modulus 2048

On older releases the default modulus size is 1024 bits, which is too weak; specify 2048 or
larger explicitly. To restrict the version of SSH accepted by the ASA, use the ssh version
command in global configuration mode. To restrict the ASA to version 2 only:

ASA(config)# ssh version 2

Configure SSH for remote device access. Ensure access is restricted to the bastion
host/subnet only; an entry such as ssh 0.0.0.0 0.0.0.0 outside exposes the management
service to every address on that interface and must never be present:

ssh <remote_ip_address> <remote_subnet_mask> <interface_name>

3.2.2. Set Suitable SSH Timeout

For SSH connections the idle timeout must be configured to avoid unattended open SSH
sessions to the firewall. The default is 5 minutes; values from 1 to 60 minutes are
accepted.

ssh timeout <minutes>

3.2.3. Set Suitable Console Timeout

For console connections the idle timeout must be configured to avoid unattended open
console sessions to the firewall. The default of 0 means a console session never times
out, so an explicit value is required.

console timeout <minutes>

3.2.4. Warning Banners


In some legal jurisdictions it may be difficult and/or illegal to monitor and prosecute
malicious users unless they have been notified that they are not permitted to use or access a
respective device or resource. One method to provide this notification is the banner message
configuration on the Cisco firewall using the banner login command.

In cooperation with counsel, a banner can provide the following information:

• Notice that the system is to be logged into or used only by specifically authorized
personnel
• Notice that any unauthorized use of the system is unlawful and can be subject to civil
and criminal penalties
• Notice that any use of the system can be logged or monitored without further notice
and that the resulting logs can be used as evidence in court
• Specific notices required by local laws

From a security point of view, a login banner should not contain any specific information
about the device name, model, software, or ownership because this information can be
abused by malicious users.

There are four banner types:

banner {asdm | exec | login | motd} <text>

asdm: The Firewall displays a banner after you successfully log in to ASDM.

exec: The Firewall displays a banner before displaying the enable prompt.

login: The Firewall displays a banner before the password login prompt when accessing
the security appliance using Telnet.

motd: This is the Message of the Day banner. It is displayed when you first connect.

Login banner can be configured as shown in following example:

banner login                ** W A R N I N G **
banner login Unauthorized access prohibited. All access is
banner login monitored, and trespassers shall be prosecuted
banner login to the fullest extent of the law.

3.2.5. HTTPS
To use ASDM, the HTTPS server on the ASA must be enabled, and HTTPS connections to the
ASA should be permitted only via the management interface (the port defaults to 443 when
omitted):

http server enable [<port>]

Configure ASDM access from the bastion host IP subnet and interface:

http <mgmt_ip_address> <mgmt_subnet_mask> <mgmt_interface_name>

3.3. Secure Interactive Access Using AAA

Using the Authentication, Authorization, and Accounting (AAA) framework is critical in order
to secure interactive access to network devices. The AAA framework provides a highly
configurable environment that can be tailored based on the needs of the network.

3.3.1. Define AAA Server and Key

aaa-server ISE1 protocol tacacs+
aaa-server ISE1 (inside) host 10.1.1.2
 key cisco12345

The key is the TACACS+ shared secret and must match the one configured on the server;
cisco12345 is a placeholder and a long random secret should be used in production.

3.3.2. Configure AAA Authentication:

aaa authentication ssh console ISE1 LOCAL


aaa authentication enable console ISE1 LOCAL
aaa authentication http console ISE1 LOCAL
aaa authentication secure-http-client

3.3.3. Configure AAA Authorization:

aaa authorization exec authentication-server auto-enable

aaa authorization http console ISE1
aaa authorization command ISE1 LOCAL

3.3.4. Configure AAA Accounting:

aaa accounting ssh console ISE1


aaa accounting serial console ISE1
aaa accounting command ISE1

3.3.5. Authentication Fallback

The LOCAL keyword in the aaa authentication commands above provides fallback to the local
user database when the AAA servers are unreachable. Ensure a local username and an enable
password are created and meet the password policy (20 characters). When the password is
typed in clear text, omit the encrypted keyword: the ASA hashes it and then displays the
encrypted keyword in the running configuration. Supply encrypted only when pasting an
already hashed value copied from another configuration.

username <local_username> password <local_password>
enable password <enable_password>

3.4. Secure Management Protocols

3.4.1. Configure NTP


It is important to explicitly configure a trusted time source and to use proper authentication.
Accurate and reliable time is required for syslog purposes, such as during forensic
investigations of potential attacks.

To obtain the date, time and zone from an NTP server, configure the following on the ASA:

Step 1: ntp authenticate
  Enables authentication with an NTP server.
  Example: hostname(config)# ntp authenticate

Step 2: ntp trusted-key <key_id>
  Specifies an authentication key ID to be a trusted key, which is required for
  authentication with an NTP server. The key_id argument is a value between 1 and
  4294967295. You can enter multiple trusted keys for use with multiple servers.
  Example: hostname(config)# ntp trusted-key 1

Step 3: ntp authentication-key <key_id> md5 <key>
  Sets a key to authenticate with an NTP server. The key_id argument is the ID you set
  in Step 2 using the ntp trusted-key command, and the key argument is a string up to
  32 characters long.
  Example: hostname(config)# ntp authentication-key 1 md5 aNiceKey

Step 4: ntp server <ip_address> [key <key_id>] [source <interface_name>] [prefer]
  Identifies an NTP server. The key_id argument is the ID you set in Step 2 using the
  ntp trusted-key command. The source interface_name keyword-argument pair identifies
  the outgoing interface for NTP packets if you do not want to use the default
  interface from the routing table. The prefer keyword sets this NTP server as the
  preferred server if multiple servers have similar accuracy.
  Example: hostname(config)# ntp server 10.1.1.1 key 1 prefer

Configure at least two authenticated servers so that the loss of one does not leave the
firewall without a trusted time source, and confirm synchronisation with show ntp status
and show ntp associations.

3.5. Disable DHCP Server Service (If not being used)

Use the following commands to disable the DHCP service if it is not required on the ASA:

clear configure dhcpd
no dhcpd enable <interface_name>

3.6. DNS Guard

DNS Guard enforces one DNS response per query: as soon as the first reply to a query is
forwarded, the DNS session is torn down and any further replies for that query are
dropped, which limits DNS spoofing through the firewall. It is enabled by default as part
of DNS inspection; the global command below enables it even where DNS inspection is not
applied:

ASA(config)# dns-guard

3.7. Configure Fragment Chain Fragmentation Checks

To provide additional management of packet fragmentation and improve compatibility with
NFS, use the fragment command in global configuration mode. The size, chain and timeout
limits are set globally or per interface, and the reassembly mode controls whether the ASA
fully reassembles fragments before forwarding them or only virtually reassembles them for
inspection:

fragment {size | chain | timeout} <limit> [<interface>]
fragment reassembly {full | virtual} [<interface>]

3.8. ARP cache additions for non-connected subnets
As a security device, the Adaptive Security Appliance (ASA) does not populate its Address
Resolution Protocol (ARP) table with entries from non-directly-connected subnets, and it
does not issue ARP requests for hosts on such subnets. This secure behaviour may cause
issues with suboptimal network designs where the ASA is expected to process ARP packets
to and from non-directly-connected subnets.

The following command disables this check and allows the ASA to process ARP packets to and
from non-directly-connected subnets. It should be used with caution, because it reduces the
level of protection that the ASA provides and is not required when routing is correct:

arp permit-nonconnected

It is always preferable to have correct routing on the upstream and downstream devices so
that NAT works without enabling the above command; check with show running-config | include
arp that the keyword is absent unless a documented exception exists.

3.9. Check if Failover is used

Check whether failover is configured on the firewall and whether the interfaces are being
monitored correctly. Failover is enabled with the following command once the failover link
and unit roles are configured; show failover confirms the state of both units and which
interfaces are monitored (monitor-interface <interface_name> adds an interface to health
monitoring):

failover

Section 4. Securing Configuration
4.1. Securing Configuration
The verify command calculates and displays the MD5 value for the specified software image.
Compare this value with the value published on Cisco.com for this image; when the expected
value is supplied on the command line the ASA reports whether it matches:

verify [/md5 <path>] [<md5-value>]

4.2. ASA Image Signing and Verification

Starting from software version 9.3.1, ASA images are digitally signed and the signature is
verified when the ASA boots. The signature of an image file can also be verified manually
before it is installed:

ASA-1/act(config)# verify flash:/asa941-smp-k8.bin
ASA(config)# verify /signature running

4.3. Disable Service password recovery


Disabling this will disable password recovery mechanism and disable access to ROMMON.
The only means of recovering from lost or forgotten passwords will be for ROMMON to erase
all file systems including configuration files and images. You should make a backup of your
configuration and have a mechanism to restore images from the ROMMON command line.

no service password-recovery

4.4. Password Encryption

User and enable passwords on the ASA are always stored as hashes, but other secrets in the
configuration (AAA server keys, VPN pre-shared keys, failover and OSPF keys) are stored in
clear text unless the master passphrase feature is enabled. Set a master passphrase and turn
on AES encryption of those secrets so that they do not appear in clear text in the running
or startup configuration, and keep the passphrase somewhere safe, because a configuration
copied to another unit cannot be decrypted without it:

key config-key password-encryption
password encryption aes

Section 5. Logging & Monitoring
5.1. Configure SNMP
The ASA supports network monitoring using SNMP Versions 1, 2c, and 3, and supports the use
of all three versions simultaneously. SNMP Version 3 provides security enhancements that are
not available in SNMP Version 1 or 2c: Versions 1 and 2c transmit data between the SNMP
manager and the SNMP agent in clear text and authenticate only with a community string,
whereas Version 3 adds authentication and privacy options to secure protocol operations. The
ASA also supports the creation of SNMP groups, users and hosts, which is required to enable
authentication and encryption for secure SNMP communications. SNMPv3 supports three
security levels:
• noauth: This mode requires neither authentication nor encryption of SNMP packets.
• auth: This mode requires authentication of the SNMP packet without encryption.
• priv: This mode requires both authentication and encryption (privacy) of each SNMP
packet.
Only priv should be used. The following commands configure a Cisco ASA device for SNMPv3:
Step 1 snmp-server group <group-name> v3 {auth | noauth | priv}
Example:
hostname(config)# snmp-server group testgroup1 v3 priv

Step 2
snmp-server user <username> <group-name> v3 [encrypted] [auth {md5 | sha} <auth-password>
[priv {des | 3des | aes} {128 | 192 | 256} <priv-password>]]
Example:
hostname(config)# snmp-server user testuser1 testgroup1 v3 auth md5
testpassword priv aes 128 mypassword

Prefer sha over md5 and aes over des/3des where the management station supports them; the
example passwords are placeholders.

Step 3
snmp-server host <interface> {<hostname> | <ip_address>} [trap | poll] [community <community-
string>] [version {1 | 2c | 3 <username>}] [udp-port <port>]
Example:
hostname(config)# snmp-server host mgmt 10.7.14.90 version 3 testuser1

Step 4 (optional)
snmp-server {location | contact} <text>
Example:
snmp-server location NOC
snmp-server contact admin@NOC

Remove any snmp-server community lines and any version 1 or 2c hosts, so that a community
string is never the only thing protecting access to the firewall's MIBs.

5.2. SNMP Traps

A recommended minimum list of MIBs and traps to monitor that focus on device health,
resources, and normal operation includes:

MIB                                 | OIDs                                                           | Related Trap                     | Explanation
CISCO-PROCESS-MIB                   | cpmCPURisingThresholdValue                                     | cpmCPURisingThreshold            | CPU threshold
DISMAN-EVENT-MIB                    | mteHotValue                                                    | mteTriggerFired                  | Memory threshold
CISCO-ENTITY-SENSOR-EXT-MIB         | ceSensorExtThresholdValue, entPhySensorValue, entPhySensorType | ceSensorExtThresholdNotification | Power supply failure, fan failure, CPU temperature
CISCO-L4L7MODULE-RESOURCE-LIMIT-MIB | crlResourceLimitValueType, crlResourceLimitMax                 | clrResourceLimitReached          | Connection limit
IF-MIB                              | ifIndex, ifOperStatus                                          | linkup, linkdown                 | Interface up/down

To enable all traps, including those above, add the following command to the configuration:

snmp-server enable traps all

The all keyword also sends noisy trap classes; if the NMS cannot cope, enable only the
classes needed (for example snmp-server enable traps snmp linkup linkdown), and make sure the
trap receiver in snmp-server host is configured for version 3.

5.3. Log Messages to a Syslog Server

It is highly recommended that networks implement a logging structure based on a syslog
infrastructure. If logging is enabled, ensure the logging messages are sent only to trusted
hosts on a protected network so the logs cannot be compromised and cannot be viewed by
anyone who is not authorised to view them. Use TCP with the secure keyword (TLS) where the
syslog server supports it, and note that when a TCP syslog server becomes unreachable the
ASA by default blocks new connections through the firewall until it is reachable again;
configure logging permit-hostdown unless that fail-closed behaviour is intended.

logging host <interface_name> <syslog_ip> [tcp/<port> | udp/<port>] [secure]

5.4. Configure Logging Console Severity


Ensure console logging is disabled or set to critical. Although useful for troubleshooting from
the console port, it is possible that excessive log messages on the console could make it
impossible to manage the device, even from the console. 

logging console critical

5.5. Enable Syslog

Check if state of event logging on the firewall is enabled. Logging a firewall's activities and
status offers several benefits. Using the information in a log, the administrator can tell
whether the firewall is working properly or whether it has been compromised. If the logging is
disabled, the events that happen on the firewall are not logged anywhere. This may make it
harder to troubleshoot any network issues. This may also cause some of the problems,
including attempted attacks, to go unnoticed, as well as prevent collection of evidence about
any unauthorized activity.

logging enable

5.6. Enable Logging Timestamp


Timestamps should be enabled for log messages, which will facilitate interpretation of the
messages for troubleshooting and investigating network attacks. Ensure that the date/time is
correctly set (if NTP is not configured) so that the timestamps provide the proper day/time of
the log messages. If the timestamps are not shown in the log messages, it may not be
possible to sense the order of events occurring in the network. 

logging timestamp

5.7. Enable logging buffer


Cisco devices can store log messages in memory. The buffered data is available only from a
CLI session (show logging) and is cleared when the device reboots, so buffered logging is
useful for live troubleshooting but does not replace a syslog server for long-term retention.

logging buffered <level>

5.8. Configure Logging to be sent to ASDM


Use following command to enable logging to be send to the ASDM:

ASA(config)# logging asdm informational
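The checks in Sections 3.2 to 3.3, 4.3 and 5.1 to 5.6 can be verified against an exported running configuration rather than by eye. The script below is an added example, not part of this guide or of any Cisco tool; it audits a constructed sample configuration with regular expressions and returns the names of the failed checks. The check names, the 10-minute idle-timeout limit and the sample addresses are this example's own assumptions.

```python
"""Audit a Cisco ASA running-config against the checks in Sections 3 to 5 (added example)."""
import re
from dataclasses import dataclass

# Constructed sample that deliberately mixes compliant and non-compliant lines.
SAMPLE_CONFIG = """\
banner login ** W A R N I N G **
ssh 10.10.0.0 255.255.255.0 management
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 10
ssh version 2
console timeout 10
http 10.10.0.0 255.255.255.0 management
aaa-server ISE1 protocol tacacs+
aaa authentication ssh console ISE1 LOCAL
aaa authentication enable console ISE1 LOCAL
aaa accounting command ISE1
logging enable
logging timestamp
logging buffered informational
logging console debugging
logging host management 10.10.0.50
snmp-server host management 10.10.0.60 community public version 2c
snmp-server group NOCV3 v3 priv
"""

# Syslog severities in numeric order (0 = emergencies ... 7 = debugging).
SEVERITY = ["emergencies", "alerts", "critical", "errors",
            "warnings", "notifications", "informational", "debugging"]
MAX_IDLE_MINUTES = 10   # assumed policy value for the ssh/console idle timeouts
# Management-access lines look like "<ssh|http|telnet> <ip> <mask> <interface>".
ACCESS_RE = re.compile(r"^(ssh|http|telnet) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")


@dataclass
class Finding:
    check: str   # short name of the check
    ok: bool     # True when the configuration satisfies it
    ref: str     # section of this guide the check comes from


def severity_level(token):
    """Map a severity keyword or number to 0..7; None if unrecognised."""
    if token.isdigit():
        return int(token)
    return SEVERITY.index(token) if token in SEVERITY else None


def audit(config_text):
    lines = [ln.strip() for ln in config_text.splitlines()
             if ln.strip() and not ln.strip().startswith("!")]

    def present(pattern):
        return any(re.match(pattern, ln) for ln in lines)

    def timeout_ok(cmd):
        # Console timeout defaults to 0 (never), so the value must be explicit and > 0.
        for ln in lines:
            m = re.match(rf"^{cmd} timeout (\d+)$", ln)
            if m:
                return 0 < int(m.group(1)) <= MAX_IDLE_MINUTES
        return False

    access = [m.groups() for ln in lines for m in [ACCESS_RE.match(ln)] if m]
    wide_open = [a for a in access if a[1] == "0.0.0.0" and a[2] == "0.0.0.0"]

    console_ok = True   # no "logging console" line means console logging is off
    for ln in lines:
        m = re.match(r"^logging console (\S+)$", ln)
        if m:
            lvl = severity_level(m.group(1))
            console_ok = lvl is not None and lvl <= SEVERITY.index("critical")

    snmp_insecure = (present(r"^snmp-server community ") or
                     present(r"^snmp-server host .*(version (1|2c)\b|community \S+$)"))

    return [
        Finding("ssh version 2", present(r"^ssh version 2$"), "3.2.1"),
        Finding("mgmt access restricted", not wide_open, "3.2.1/3.2.5"),
        Finding("ssh timeout", timeout_ok("ssh"), "3.2.2"),
        Finding("console timeout", timeout_ok("console"), "3.2.3"),
        Finding("login banner", present(r"^banner login "), "3.2.4"),
        Finding("aaa ssh authentication",
                present(r"^aaa authentication ssh console \S+ LOCAL$"), "3.3.2"),
        Finding("aaa enable authentication",
                present(r"^aaa authentication enable console "), "3.3.2"),
        Finding("aaa command accounting", present(r"^aaa accounting command "), "3.3.4"),
        Finding("password recovery disabled",
                present(r"^no service password-recovery$"), "4.3"),
        Finding("logging enabled", present(r"^logging enable$"), "5.5"),
        Finding("logging timestamp", present(r"^logging timestamp$"), "5.6"),
        Finding("syslog host", present(r"^logging host \S+ \d+\.\d+\.\d+\.\d+"), "5.3"),
        Finding("console logging <= critical", console_ok, "5.4"),
        Finding("snmp v3 priv only",
                not snmp_insecure and present(r"^snmp-server group \S+ v3 priv$"), "5.1"),
    ]


def failed_checks(config_text):
    """Names of the checks the configuration fails."""
    return [f.check for f in audit(config_text) if not f.ok]
```

Replace SAMPLE_CONFIG with the output of show running-config and call failed_checks on it. On the sample, the wide-open ssh 0.0.0.0 0.0.0.0 outside entry, the missing no service password-recovery, console logging at debugging and the version 2c SNMP host are reported; a configuration with those four lines corrected passes every check.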

Section 6. Control Plane Hardening
6.1. Disable Proxy ARPs
Proxy ARP allows the security appliance to reply to an ARP request on behalf of hosts
behind it. It does this by replying to ARP requests for the static NAT/mapped addresses of
those hosts. The security appliance responds to the request with its own MAC address, then
forwards the IP packets to the appropriate inside host. Disable this feature on interfaces
where it is not required by adding following command.

sysopt noproxyarp <interface>

6.2. Limit ICMP responses on interfaces


ICMP responses are often used for troubleshooting and monitoring services. Because of the
secure nature and operations of Cisco firewall platforms, ICMP responses from the firewall
should be limited by filtering traffic to permit only what is necessary or expected. ICMP
responses can also be limited by disabling ICMP responses on interfaces, specifically the
outside or "untrusted" interface(s) at a minimum. By default Cisco firewalls permit ICMP
traffic destined to an interface. Once any icmp rule is configured on an interface, that
interface gets an implicit deny for all other ICMP to the box, so permit the monitoring
sources first and then deny the rest.

The following command syntax limits ICMP responses on interfaces (rules are matched in the
order configured):

icmp {permit | deny} <ip_address> <net_mask> [<icmp_type>] <if_name>

6.3. Control-Plane ACL to restrict access from Bastion host

Access control rules for to-the-box management traffic (otherwise defined only by commands
such as http, ssh, or telnet) can be enforced with an ACL applied using the control-plane
keyword. The ACL is applied with access-group, not access-list, and should permit the
bastion host/subnet to the management services and deny everything else:

access-group <name> in interface <interface_name> control-plane

6.4. Configuring the Fragment Size


By default, the ASA allows up to 24 fragments per IP packet, and up to 200 fragments
awaiting reassembly. You might need to let fragments through on your network if you have an
application that routinely fragments packets, such as NFS over UDP. However, if you do not
have an application that fragments traffic, we recommend that you do not allow fragments
through the ASA. Fragmented packets are often used in DoS attacks.
To disallow fragments, enter the following command:

ciscoasa(config)# fragment chain 1 [<interface_name>]

Enter an interface name if you want to block fragments on a specific interface. By
default, this command applies to all interfaces.

6.5. BGP TTL-based Security Protections
The ASA places BGP neighbor configuration under the IPv4 unicast address family. TTL
security (GTSM) discards BGP packets whose TTL is lower than 255 minus the configured hop
count, which blocks spoofed BGP packets from hosts more than that many hops away; configure
it on both peers.

router bgp <asn>
 address-family ipv4 unicast
  neighbor <ip-address> remote-as <remote-asn>
  neighbor <ip-address> ttl-security hops <hop-count>
  neighbor <ip-address> activate

6.6. BGP Peer Authentication with MD5

Authenticate each BGP session with a TCP MD5 shared secret so that a neighbor that does not
know the key cannot establish the session or inject segments into it:

router bgp <asn>
 address-family ipv4 unicast
  neighbor <ip-address> remote-as <remote-asn>
  neighbor <ip-address> password <shared-secret>

6.7. BGP Configure Maximum Prefixes

Limit the number of prefixes accepted from each neighbor so that a misconfigured or
malicious peer cannot exhaust the routing table; the optional threshold is the percentage
of the maximum at which a warning is logged before the session is shut down:

router bgp <asn>
 address-family ipv4 unicast
  neighbor <ip-address> remote-as <remote-asn>
  neighbor <ip-address> maximum-prefix <maximum> [<threshold-percent>]

6.8. Filter BGP Prefixes with Prefix Lists

A prefix-list entry without ge or le matches that exact prefix length only, so the inbound
list below accepts only a default route from the peer and the outbound list advertises only
192.168.2.0/24; every prefix-list ends with an implicit deny. On the ASA the command has no
ip prefix:

prefix-list BGP-PL-INBOUND seq 5 permit 0.0.0.0/0
prefix-list BGP-PL-OUTBOUND seq 5 permit 192.168.2.0/24

router bgp <asn>
 address-family ipv4 unicast
  neighbor <ip-address> prefix-list BGP-PL-INBOUND in
  neighbor <ip-address> prefix-list BGP-PL-OUTBOUND out

6.9. Filter BGP Prefixes with Autonomous System Path Access Lists

The first list accepts only routes originated directly by AS 65501 (AS path exactly
^65501$); the second permits only locally originated routes (empty AS path) outbound, so
the firewall never becomes a transit AS:

as-path access-list 1 permit ^65501$
as-path access-list 2 permit ^$

router bgp <asn>
 address-family ipv4 unicast
  neighbor <ip-address> remote-as 65501
  neighbor <ip-address> filter-list 1 in
  neighbor <ip-address> filter-list 2 out
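The prefix-list and AS-path filters in Sections 6.8 and 6.9 are easy to get wrong, because an entry without ge or le matches one exact prefix length and every list ends in an implicit deny. The script below is an added example, not from this guide or from Cisco; it implements those matching rules in Python over a constructed set of filters (the two lists from Section 6.8 plus invented ones, BGP-PL-ANY and BGP-PL-UPSTREAM, that use ge and le) so a planned filter can be tested before it is applied to a live peering.

```python
"""Evaluate BGP prefix-list and AS-path filters offline (added example, constructed data)."""
import ipaddress
import re

# Constructed sample filters: the two Section 6.8 lists plus invented ge/le examples.
SAMPLE_FILTERS = """\
prefix-list BGP-PL-INBOUND seq 5 permit 0.0.0.0/0
prefix-list BGP-PL-OUTBOUND seq 5 permit 192.168.2.0/24
prefix-list BGP-PL-ANY seq 5 permit 0.0.0.0/0 le 32
prefix-list BGP-PL-UPSTREAM seq 5 deny 10.0.0.0/8 le 32
prefix-list BGP-PL-UPSTREAM seq 10 deny 0.0.0.0/0 ge 25
prefix-list BGP-PL-UPSTREAM seq 15 permit 0.0.0.0/0 le 24
as-path access-list 1 permit ^65501$
as-path access-list 2 permit ^$
"""

# Accept both the ASA form and the IOS form with a leading "ip ".
PL_RE = re.compile(r"^(?:ip )?prefix-list (\S+) seq (\d+) (permit|deny) (\S+)"
                   r"(?: ge (\d+))?(?: le (\d+))?$")
AS_RE = re.compile(r"^(?:ip )?as-path access-list (\d+) (permit|deny) (.+)$")


def parse_filters(config_text):
    """Return ({name: [(seq, action, network, ge, le)]}, {number: [(action, regex)]})."""
    prefix_lists, as_path_lists = {}, {}
    for ln in config_text.splitlines():
        m = PL_RE.match(ln.strip())
        if m:
            name, seq, action, prefix, ge, le = m.groups()
            prefix_lists.setdefault(name, []).append(
                (int(seq), action, ipaddress.ip_network(prefix),
                 int(ge) if ge else None, int(le) if le else None))
            continue
        m = AS_RE.match(ln.strip())
        if m:
            as_path_lists.setdefault(int(m.group(1)), []).append((m.group(2), m.group(3)))
    for entries in prefix_lists.values():
        entries.sort()   # entries are evaluated in sequence-number order
    return prefix_lists, as_path_lists


def prefix_list_permits(entries, route):
    """Cisco prefix-list semantics: first matching entry decides, implicit deny at the end.
    An entry without ge/le matches that exact prefix length only."""
    net = ipaddress.ip_network(route, strict=False)
    for _seq, action, prefix, ge, le in entries:
        lo = ge if ge is not None else prefix.prefixlen
        hi = le if le is not None else (prefix.max_prefixlen if ge is not None
                                        else prefix.prefixlen)
        if net.prefixlen < prefix.prefixlen or not lo <= net.prefixlen <= hi:
            continue
        if net.supernet(new_prefix=prefix.prefixlen) == prefix:
            return action == "permit"
    return False


def as_path_permits(rules, as_path):
    """Match an AS path (list of ASNs, nearest peer first) against the access-list regexes.
    Plain regex only; Cisco's '_' shorthand is not translated."""
    text = " ".join(str(asn) for asn in as_path)
    for action, regex in rules:
        if re.search(regex, text):
            return action == "permit"
    return False


def route_allowed(config_text, list_name, route):
    prefix_lists, _ = parse_filters(config_text)
    return prefix_list_permits(prefix_lists.get(list_name, []), route)


def path_allowed(config_text, list_number, as_path):
    _, as_path_lists = parse_filters(config_text)
    return as_path_permits(as_path_lists.get(list_number, []), as_path)
```

route_allowed(SAMPLE_FILTERS, "BGP-PL-INBOUND", "203.0.113.0/24") is False because that list permits only the default route itself; BGP-PL-ANY shows the le 32 form needed to accept any prefix, and BGP-PL-UPSTREAM shows an ordered deny of RFC 1918 space and anything longer than /24 before the final permit. Keep the AS-path expressions to the ^ and $ anchors used in Section 6.9, since the Cisco _ shorthand is not translated here.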

6.10. OSPF Authentication

On the ASA the interface-level OSPF commands have no ip prefix and the network statement
takes a subnet mask. Enable MD5 authentication on every OSPF interface and on the area so
that unauthenticated neighbors are ignored:

interface <interface>
 ospf message-digest-key <key-id> md5 <password>
 ospf authentication message-digest

router ospf <process-id>
 network 10.0.0.0 255.0.0.0 area 0
 area 0 authentication message-digest

6.11. OSPF route filtering

Filter the prefixes advertised into an area with a prefix list applied to the area:

router ospf <process-id>
 area <area-id> filter-list prefix <list-name> in

Section 7. Data Plane Hardening
7.1. Unicast Reverse-Path Forwarding
uRPF guards against IP spoofing by ensuring that all packets have a source IP address that
matches the correct source interface according to the routing table.

Normally, the security appliance examines only the destination address when determining
where to forward the packet. uRPF instructs the security appliance to look also at the source
address: for traffic to be allowed through, the routing table must contain a route back to
the source address that exits through the interface the packet arrived on (strict mode).
Enable it on the outside interface at a minimum, and on internal interfaces only where
routing is symmetric, because legitimate traffic on asymmetric paths would be dropped as
spoofed.

ip verify reverse-path interface <interface_name>
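Section 7.1 describes the strict reverse-path check; the script below is an added example, not part of this guide or of Cisco software, that works the decision through on a constructed routing table and packet list, honouring that ip verify reverse-path is applied per interface. The routes, interface names, packets and the URPF_INTERFACES set are invented for illustration.

```python
"""Strict uRPF decision from Section 7.1 worked offline (added example, constructed data)."""
import ipaddress

# Constructed routing table: (prefix, interface the ASA would use to reach it).
ROUTES = [
    ("0.0.0.0/0", "outside"),
    ("10.0.0.0/8", "inside"),
    ("10.50.0.0/16", "dmz"),          # more specific than 10/8, so it wins for 10.50.x.x
    ("192.168.100.0/24", "management"),
]

# Interfaces with "ip verify reverse-path interface <name>" applied (assumed policy).
URPF_INTERFACES = {"outside", "dmz"}

# Constructed packets: (source IP, interface the packet arrived on).
SAMPLE_PACKETS = [
    ("203.0.113.5", "outside"),      # Internet source via the default route: passes
    ("10.1.2.3", "outside"),         # internal address arriving from outside: spoofed
    ("10.50.1.1", "dmz"),            # dmz host on the dmz interface: passes
    ("10.50.1.1", "inside"),         # dmz address on inside: uRPF not enabled there
    ("192.168.100.9", "outside"),    # management subnet from outside: spoofed
]


def lookup_interface(routes, address):
    """Longest-prefix match: the interface the ASA would route this address out of."""
    ip = ipaddress.ip_address(address)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def urpf_passes(routes, src, ingress):
    """Strict uRPF: the reverse path for the source must leave through the ingress
    interface. A source with no route at all is dropped as well."""
    return lookup_interface(routes, src) == ingress


def dropped_as_spoofed(routes, urpf_interfaces, packets):
    """Packets the ASA would discard, honouring that uRPF is enabled per interface."""
    return [(src, ingress) for src, ingress in packets
            if ingress in urpf_interfaces and not urpf_passes(routes, src, ingress)]
```

The two packets reported are the internal and management sources arriving on outside. The 10.50.1.1 source on inside is kept only because uRPF is not enabled on inside in this example; if it were, the more specific 10.50.0.0/16 route via dmz would make that packet fail, which is exactly the asymmetric-routing case to check before enabling uRPF on internal interfaces.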

7.2. TCP Sequence Number Randomization

This feature is enabled by default, so no further action is required unless it has been
turned off for a traffic class with set connection random-sequence-number disable in a
policy map. Check show running-config policy-map for that line and remove it unless a
documented reason (for example, BGP MD5 authentication passing through the firewall)
requires it.
