Security Basics mailing list archives
Re: Cisco ASA interface security levels and the state table
From: Laurens Vets <laurens () daemon be>
Date: Mon, 01 Jun 2009 22:32:22 +0200
Hey there,

swim_or_die () hotmail com wrote:
> Greetings; our client has several ASA firewalls installed that are
> configured with the outside interface set to a higher security level
> (80) than the inside interface (20); their reasoning was at the time
> that the backbone was to be more trusted than the stub networks, which
> is curious because there are no resources on the backbone.

If by backbone you mean their internal company-wide WAN/LAN backbone, I can understand their reasoning a little bit: traffic from the stub networks (behind the 'inside' interface I presume?) should not get on the backbone unless specifically permitted. However, this can easily be achieved with a normal setup (outside=20, inside=80 :))

What is this backbone used for at the moment?

> In any case, it's not an issue right now because there is no NAT
> taking place, and the rules in all directions are allow IP any.

There's always NAT taking place; even not NATting traffic ("nat 0") is 'NATting' unless they've disabled nat-control on their ASAs. Is this the case?

> The client is resistant to changing the security levels to those
> defined by best practices; their logic is that as they begin to add
> rules for ingress and egress filtering on the interfaces, as long as
> the access lists are all ended with an explicit deny statement, then
> they are OK.
>
> Can anyone tell me if there are any issues that will arise with this
> bass-ackwards configuration pertaining to the relationship between the
> interface security levels and the connections in the state table?
> If so, any documentation to that effect would be helpful.

I don't think any issues will arise even though their logic is a bit 'different' :)
You might want to check the "nat-control" command in the Cisco documentation. This might be what you are looking for to make this all easier...
Kind regards,
L.
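The three things the thread turns on (inverted security levels, access-lists that end in an implicit rather than explicit deny, and whether nat-control is in force) are easy to check mechanically before an audit. The following linter is an added example written for this archive page; it is not code from either poster. It assumes ASA 8.2-era syntax (where nat-control still exists), interfaces named "outside" and "inside", and two constructed configurations: one reproducing the poster's setup and one corrected along the lines of the reply.

```python
"""Check a Cisco ASA (8.2-era) config for the issues raised in the thread.
Added example; the configs below are constructed, not taken from any real box."""
import re

# Constructed: the poster's setup (outside=80 > inside=20, allow-any ACLs, nat-control on).
INVERTED_CONFIG = """\
nat-control
interface GigabitEthernet0/0
 nameif outside
 security-level 80
!
interface GigabitEthernet0/1
 nameif inside
 security-level 20
!
access-list outside_in extended permit ip any any
access-list inside_in extended permit ip any any
access-group outside_in in interface outside
access-group inside_in in interface inside
"""

# Constructed: the conventional layout the reply recommends, with explicit trailing denies.
NORMAL_CONFIG = """\
no nat-control
interface GigabitEthernet0/0
 nameif outside
 security-level 0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
!
access-list outside_in extended permit tcp any host 10.0.0.5 eq 443
access-list outside_in extended deny ip any any log
access-list inside_in extended permit ip 10.0.0.0 255.255.255.0 any
access-list inside_in extended deny ip any any log
access-group outside_in in interface outside
access-group inside_in in interface inside
"""

ACE_RE = re.compile(r"^access-list (\S+) (?:extended )?(permit|deny) (.*)$")


def parse_interfaces(config):
    """Map nameif -> security-level by walking each 'interface' stanza."""
    levels, stanza = {}, None

    def flush():
        if stanza and "nameif" in stanza and "security-level" in stanza:
            levels[stanza["nameif"]] = int(stanza["security-level"])

    for line in config.splitlines():
        if line.startswith("interface "):
            flush()
            stanza = {}
        elif stanza is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            stanza[key] = value
        else:  # '!' or any top-level command ends the stanza
            flush()
            stanza = None
    flush()
    return levels


def parse_access_lists(config):
    """Map ACL name -> ordered (action, rest) entries; remark lines are skipped."""
    acls = {}
    for line in config.splitlines():
        m = ACE_RE.match(line)
        if m:
            name, action, rest = m.groups()
            acls.setdefault(name, []).append((action, rest.strip()))
    return acls


def parse_access_groups(config):
    """Map interface nameif -> ACL applied inbound on that interface."""
    return {m.group(2): m.group(1)
            for m in re.finditer(r"^access-group (\S+) in interface (\S+)$", config, re.M)}


def nat_control(config):
    """True if 'nat-control' is configured, False for 'no nat-control', None if absent."""
    lines = set(config.splitlines())
    return False if "no nat-control" in lines else (True if "nat-control" in lines else None)


def lint(config, outside="outside", inside="inside"):
    """Return human-readable findings for the three concerns discussed in the thread."""
    findings = []
    levels = parse_interfaces(config)
    if outside in levels and inside in levels:
        if levels[outside] > levels[inside]:
            findings.append(f"inverted security levels: {outside}={levels[outside]} > "
                            f"{inside}={levels[inside]}; without ACLs the default is to permit "
                            f"{outside}->{inside} and drop {inside}->{outside}")
        elif levels[outside] == levels[inside]:
            findings.append(f"{outside} and {inside} share level {levels[outside]}; traffic between "
                            "them needs 'same-security-traffic permit inter-interface'")
    acls = parse_access_lists(config)
    for ifname, acl in parse_access_groups(config).items():
        entries = acls.get(acl)
        if not entries:
            findings.append(f"{ifname}: access-group references undefined ACL {acl}")
            continue
        if entries[-1][0] != "deny":
            findings.append(f"{acl} on {ifname}: no explicit trailing deny (relies on the implicit one)")
        if any(a == "permit" and r == "ip any any" for a, r in entries):
            findings.append(f"{acl} on {ifname}: 'permit ip any any' means the ACL filters nothing")
    if nat_control(config) is True:
        findings.append("nat-control is enabled: every flow needs a nat/static match (even identity "
                        "'nat 0') or it is dropped")
    return findings


if __name__ == "__main__":
    for name, cfg in (("inverted", INVERTED_CONFIG), ("normal", NORMAL_CONFIG)):
        print(name, lint(cfg) or ["no findings"])
```

Run stand-alone it prints six findings for the inverted configuration and none for the conventional one. The checks only say what the configuration relies on; as the reply notes, the inverted layout is not broken as long as every applied ACL ends in an explicit deny, which is exactly what the trailing-deny check verifies per interface.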
Current thread:
- Cisco ASA interface security levels and the state table swim_or_die (Jun 01)
- Re: Cisco ASA interface security levels and the state table Laurens Vets (Jun 01)
- Re: Cisco ASA interface security levels and the state table Soumen Paul (Jun 02)
- <Possible follow-ups>
- Re: Re: Cisco ASA interface security levels and the state table swim_or_die (Jun 02)
- Re: Cisco ASA interface security levels and the state table aaa (Jun 02)
- Re: Cisco ASA interface security levels and the state table Laurens Vets (Jun 01)