Turn on logging and audit trail to provide a record of network access through the firewall, including illegitimate access attempts, and inbound and outbound services. To configure logging and audit trail functions, enter the following commands in global configuration mode in Figure .
Other Guidelines for Configuring a Firewall
As with all networking devices, you should always protect access into the firewall by configuring passwords. You should also consider configuring user AAA.
You should also consider the following recommendations:
- When setting passwords for privileged access to the firewall, use the enable secret command rather than the enable password command, which does not have as strong an encryption algorithm.
- Put a password on the console port. In AAA environments, use the same authentication for the console as for elsewhere. In a non-AAA environment, at a minimum configure the login and password commands.
- Think about access control before you connect a console port to the network in any way, including attaching a modem to the port. Be aware that a break on the console port might give total control of the firewall, even with access control configured.
- Apply access lists and password protection to all virtual terminal ports. Use access lists to limit who can Telnet into your router.
- Do not enable any local service (such as SNMP or Network Timing Protocol [NTP]) that you do not use. Cisco Discovery Protocol (CDP) and NTP are on by default, and you should turn these off if you do not need them.
  To turn off CDP, enter the no cdp run global configuration command. To turn off NTP, enter the ntp disable interface configuration command on each interface not using NTP. If you must run NTP, configure NTP only on required interfaces, and configure NTP to listen only to certain peers.
  Any enabled service could present a potential security risk. A determined, hostile party might be able to find creative ways to misuse the enabled services to access the firewall or the network. For local services that are enabled, protect against misuse by configuring the services to communicate only with specific peers, and by configuring access lists to deny packets for those services at specific interfaces.
- Protect against spoofing: protect the networks on both sides of the firewall from being spoofed from the other side. You could protect against spoofing by configuring input access lists at all interfaces to pass only traffic from expected source addresses, and to deny all other traffic.
  You should also disable source routing. For IP, enter the no ip source-route global configuration command. Disabling source routing at all routers can also help prevent spoofing.
  You should also disable minor services. For IP, enter the no service tcp-small-servers and no service udp-small-servers global configuration commands. In Cisco IOS Release 12.0 and later, these services are disabled by default.
- Prevent the firewall from being used as a relay by configuring access lists on any asynchronous Telnet ports.
- Normally, you should disable directed broadcasts for all applicable protocols on your firewall and on all your other routers. For IP, use the no ip directed-broadcast command. Rarely, some IP networks do require directed broadcasts; if this is the case, do not disable directed broadcasts.
  Directed broadcasts can be misused to multiply the power of DoS attacks, because every denial-of-service packet sent is broadcast to every host on a subnet. Furthermore, some hosts have other intrinsic security risks present when handling broadcasts.
- Configure the no proxy-arp command to prevent internal addresses from being revealed. (This is important to do if you do not already have NAT configured to prevent internal addresses from being revealed.)
- Keep the firewall in a secured (locked) room.
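As an added example (not part of the Cisco documentation), the following Python audit reads a running-config as plain text and reports which of the hardening commands listed above are missing; the sample config, the command strings checked and the finding texts are constructed here, and it assumes every setting is visible as a line in the config (on releases where a setting is the default, that line may not appear).

```python
# Added example: audit an IOS running-config text against the guidelines above.
# SAMPLE_CONFIG is constructed for illustration; it is not from a real device.
SAMPLE_CONFIG = """\
enable password cisco123
service tcp-small-servers
no cdp run
interface Ethernet0
 ip directed-broadcast
interface Ethernet1
 no ip directed-broadcast
 no ip proxy-arp
line vty 0 4
 password cisco
 login
"""
GLOBAL_REQUIRED = {  # global command -> finding reported when it is absent
    "no cdp run": "CDP not disabled",
    "no ip source-route": "IP source routing not disabled",
    "no service tcp-small-servers": "TCP small servers not disabled",
    "no service udp-small-servers": "UDP small servers not disabled",
}
IFACE_REQUIRED = {"no ip directed-broadcast": "directed broadcasts not disabled",
                  "no ip proxy-arp": "proxy ARP not disabled"}  # per interface

def parse_blocks(cfg):
    # Returns (set of top-level lines, {block header: [indented sub-commands]}).
    top, blocks, current = set(), {}, None
    for raw in cfg.splitlines():
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())  # sub-command of the open block
        elif raw.startswith(("interface ", "line ")):
            current = raw.strip()                # a new interface/line block
            blocks[current] = []
        else:
            current = None                       # back at global level
            top.add(raw.strip())
    return top, blocks

def audit(cfg):
    """Return a sorted list of findings; an empty list means no gaps found."""
    top, blocks = parse_blocks(cfg)
    found = []
    if not any(g.startswith("enable secret") for g in top):
        found.append("enable secret not configured")
    if any(g.startswith("enable password") for g in top):
        found.append("enable password present; weaker than enable secret")
    found += [m for c, m in GLOBAL_REQUIRED.items() if c not in top]
    for hdr, subs in blocks.items():
        if hdr.startswith("interface "):
            found += [f"{hdr}: {m}" for c, m in IFACE_REQUIRED.items() if c not in subs]
        elif hdr.startswith("line vty") and not any(s.startswith("access-class") for s in subs):
            found.append(f"{hdr}: no access-class limiting Telnet sources")
    return sorted(found)
```

Running audit(SAMPLE_CONFIG) flags the enable password, the three missing global commands, both interface settings on Ethernet0 and the unrestricted vty line, while Ethernet1 and the existing no cdp run produce no findings.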
Verifying CBAC
You can verify CBAC information by using one or more of the following EXEC commands in Figure .