10.8 Context-Based Access Control
10.8.8 Configuring logging and audit trail
Turn on logging and audit trail to provide a record of network access through the firewall, including illegitimate access attempts and inbound and outbound services. To configure logging and audit trail functions, enter the commands shown in the accompanying figure in global configuration mode.
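The figure referenced above is not reproduced here. As an added example (not the course's own figure), the following IOS global configuration fragment shows the usual way a CBAC audit trail is enabled and sent to a syslog collector; the collector address 10.1.1.50 and the inspection rule name FWRULE are constructed for illustration.

```cisco
! --- Syslog transport (assumed collector 10.1.1.50, constructed for this example) ---
logging on
logging host 10.1.1.50
logging trap informational
! Timestamp every log line so audit-trail records can be correlated with other sources
service timestamps log datetime msec localtime

! --- CBAC audit trail and alerts (global) ---
! One syslog message per inspected session when it opens and when it closes,
! including source/destination addresses, ports and byte counts
ip inspect audit-trail
! Real-time alerts for anomalies such as half-open session thresholds stay enabled
! (alert-off would silence them; this is the default, written out for clarity)
no ip inspect alert-off

! --- Audit trail can also be set per protocol inside an inspection rule ---
! FWRULE is a constructed rule name; audit-trail on overrides the global setting for that protocol
ip inspect name FWRULE tcp audit-trail on
ip inspect name FWRULE udp audit-trail on
```

With logging on and a logging host configured, the audit-trail messages leave the router as syslog at the informational level; buffered logging alone would let the record be lost on reload, so sending it off-box is what makes it an audit trail rather than a debugging aid.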

Other Guidelines for Configuring a Firewall

As with all networking devices, you should always protect access into the firewall by configuring passwords. You should also consider configuring user AAA.

You should also consider the following recommendations:

  • When setting passwords for privileged access to the firewall, use the enable secret command rather than the enable password command, which does not have as strong an encryption algorithm.
  • Put a password on the console port. In AAA environments, use the same authentication for the console as for elsewhere. In a non-AAA environment, at a minimum configure the login and password commands.
  • Think about access control before you connect a console port to the network in any way, including attaching a modem to the port. Be aware that a break on the console port might give total control of the firewall, even with access control configured.
  • Apply access lists and password protection to all virtual terminal ports. Use access lists to limit who can Telnet into your router.
  • Do not enable any local service (such as SNMP or Network Time Protocol [NTP]) that you do not use. Cisco Discovery Protocol (CDP) and NTP are on by default, and you should turn these off if you do not need them.

To turn off CDP, enter the no cdp run global configuration command. To turn off NTP, enter the ntp disable interface configuration command on each interface not using NTP.

If you must run NTP, configure NTP only on required interfaces, and configure NTP to listen only to certain peers.

Any enabled service could present a potential security risk. A determined, hostile party might be able to find creative ways to misuse the enabled services to access the firewall or the network.

For local services that are enabled, protect against misuse by configuring the services to communicate only with specific peers, and protect by configuring access lists to deny packets for the services at specific interfaces.

  • Protect against spoofing: protect the networks on both sides of the firewall from being spoofed from the other side. You could protect against spoofing by configuring input access lists at all interfaces to pass only traffic from expected source addresses, and to deny all other traffic.

You should also disable source routing. For IP, enter the no ip source-route global configuration command. Disabling source routing at all routers can also help prevent spoofing.

You should also disable minor services. For IP, enter the no service tcp-small-servers and no service udp-small-servers global configuration commands. In Cisco IOS Release 12.0 and later, these services are disabled by default.

  • Prevent the firewall from being used as a relay by configuring access lists on any asynchronous Telnet ports.
  • Normally, you should disable directed broadcasts for all applicable protocols on your firewall and on all your other routers. For IP, use the no ip directed-broadcast command. Rarely, some IP networks do require directed broadcasts; if this is the case, do not disable directed broadcasts.

Directed broadcasts can be misused to multiply the power of DoS attacks, because every denial-of-service packet sent is broadcast to every host on a subnet. Furthermore, some hosts have other intrinsic security risks present when handling broadcasts.

  • Configure the no proxy-arp command to prevent internal addresses from being revealed. (This is important to do if you do not already have NAT configured to prevent internal addresses from being revealed.)
  • Keep the firewall in a secured (locked) room.
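The guidelines above, collected into one IOS configuration, as an added example that is not part of the course text. Interface names (Serial0/0 outside, FastEthernet0/0 inside), the inside network 10.0.0.0/8, the management subnet 10.1.1.0/24, the NTP server 10.1.1.10 and all passwords are constructed placeholders; replace them with site values.

```cisco
! --- Privileged access: enable secret (MD5 hash), not enable password (weak reversible encoding) ---
enable secret ReplaceWithStrongSecret
! Obscure line passwords in the running config (type 7; not a substitute for enable secret)
service password-encryption

! --- Console port: require login and time out idle sessions ---
line console 0
 login
 password ReplaceConsolePassword
 exec-timeout 5 0

! --- Virtual terminals: only the management subnet may Telnet in, and only after login ---
access-list 10 remark management stations allowed to reach the VTY lines (constructed)
access-list 10 permit 10.1.1.0 0.0.0.255
access-list 10 deny any log
line vty 0 4
 access-class 10 in
 login
 password ReplaceVtyPassword
 exec-timeout 5 0

! --- Unused local services off ---
no cdp run
no snmp-server
no service tcp-small-servers
no service udp-small-servers
no ip source-route

! --- NTP: run it only where required, and listen only to the designated peer ---
access-list 20 remark the only NTP peer this router accepts (constructed)
access-list 20 permit host 10.1.1.10
ntp server 10.1.1.10
ntp access-group peer 20

! --- Anti-spoofing ACL applied inbound on the outside interface ---
! Packets arriving from outside must not claim inside or loopback sources.
! Everything else is denied here; CBAC inspection dynamically admits return traffic
! for sessions that originated inside, so no static permit is needed.
access-list 101 remark inbound from the untrusted side (constructed)
access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny ip any any log

! --- Inbound on the inside interface: pass only expected inside source addresses ---
access-list 102 remark inbound from the trusted side (constructed)
access-list 102 permit ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip any any log

interface Serial0/0
 description outside (assumed)
 ip access-group 101 in
 ntp disable
 no ip directed-broadcast
 no ip proxy-arp

interface FastEthernet0/0
 description inside (assumed)
 ip access-group 102 in
 no ip directed-broadcast
 no ip proxy-arp
```

The proxy ARP command in IOS is entered per interface as no ip proxy-arp, which is the form shown here. The deny entries carry the log keyword so that spoofed or unexpected packets appear in the same syslog stream as the CBAC audit trail.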

Verifying CBAC

You can verify CBAC information by using one or more of the EXEC commands shown in the accompanying figure.