Security Basics mailing list archives
Cisco ASA interface security levels and the state table
From: swim_or_die () hotmail com
Date: Fri, 29 May 2009 11:54:42 -0600
Greetings. Our client has several ASA firewalls installed that are configured with the outside interface set to a higher security level (80) than the inside interface (20); their reasoning at the time was that the backbone was to be more trusted than the stub networks, which is curious because there are no resources on the backbone. In any case, it's not an issue right now because there is no NAT taking place, and the rules in all directions are allow IP any.

The client is resistant to changing the security levels to those defined by best practices; their logic is that as they begin to add rules for ingress and egress filtering on the interfaces, as long as the access lists all end with an explicit deny statement, then they are OK.

Can anyone tell me if there are any issues that will arise with this bass-ackwards configuration pertaining to the relationship between the interface security levels and the connections in the state table? If so, any documentation to that effect would be helpful.
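The configuration the poster describes, placed beside the conventional inside-100 / outside-0 layout, as an added illustration that is not part of the original message. Interface names, addresses and the example host 10.10.10.25 are constructed for the example.

```cisco
! --- As described in the post: levels reversed, permit-everything ACLs ---
! (interface names and addresses are constructed placeholders)
interface GigabitEthernet0/0
 nameif outside
 security-level 80
 ip address 192.0.2.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 20
 ip address 10.10.10.1 255.255.255.0
!
access-list OUTSIDE_IN extended permit ip any any
access-list INSIDE_IN extended permit ip any any
access-group OUTSIDE_IN in interface outside
access-group INSIDE_IN in interface inside
! With "permit ip any any" bound in both directions the security levels
! never decide anything, which is why this works today. Once a real ACL is
! bound to an interface it replaces the level-based implicit rule for that
! interface, and every ACL ends in an implicit deny whether or not an
! explicit "deny ip any any" is written. Return traffic for a connection
! already in the state table is passed by the stateful inspection without
! consulting the interface ACL, in either level arrangement.

! --- Conventional layout: inside trusted (100), outside untrusted (0) ---
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
! Inside (100) to outside (0) is permitted implicitly with no ACL bound, so
! only the low-to-high direction needs a permit list. The trailing explicit
! deny with "log" keeps hit counts visible in "show access-list".
access-list OUTSIDE_IN extended permit tcp any host 10.10.10.25 eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
```

With the reversed levels, the moment the client binds a filtering ACL to the inside interface, inside-originated traffic loses its implicit permit and needs its own permit entries, which is the practical difference the explicit-deny argument overlooks.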