Security Basics mailing list archives

Re: Cisco ASA interface security levels and the state table


From: Laurens Vets <laurens () daemon be>
Date: Mon, 01 Jun 2009 22:32:22 +0200

Hey there,

swim_or_die () hotmail com wrote:
> Greetings; our client has several ASA firewalls installed that are
> configured with the outside interface set to a higher security level
> (80) than the inside interface (20); their reasoning was at the time
> that the backbone was to be more trusted than the stub networks, which
> is curious because there are no resources on the backbone.

If by backbone you mean their internal company wide WAN/LAN backbone, I can understand their reasoning a little bit: Traffic from the stub networks (behind the 'inside' interface I presume?) should not get on the backbone unless specifically permitted. However, this can easily be achieved with a normal setup (outside=20, inside=80:))

What is this backbone used for at the moment?

> In any case, it's not an issue right now because there is no NAT
> taking place, and the rules in all directions are allow IP any.

There's always NAT taking place; even not NATting traffic ("nat 0") is 'NATting' unless they've disabled nat-control on their ASAs. Is this the case?

> The client is resistant to changing the security levels to those
> defined by best practices; their logic is that as they begin to add
> rules for ingress and egress filtering on the interfaces, as long as
> the access lists are all ended with an explicit deny statement, then
> they are OK.
>
> Can anyone tell me if there are any issues that will arise with this
> bass-ackwards configuration pertaining to the relationship between the
> interface security levels and the connections in the state table?
> If so, any documentation to that effect would be helpful.

I don't think any issues will arise even though their logic is a bit 'different' :)

You might want to check the "nat-control" command in the Cisco documentation. This might be what you are looking for to make this all easier...

Kind regards,
L.
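A configuration fragment, added here and not taken from either post or from Cisco's documentation, that contrasts the client's inverted levels described in the question with the conventional ordering the reply mentions, and shows where nat-control comes in. Interface names, addresses and access-list names are assumed for illustration; the syntax is the pre-8.3 ASA form in which nat-control and "nat 0" exist.

```cisco
! --- As described in the question: outside=80, inside=20, allow-any lists ---
! (addresses are constructed documentation ranges)
interface GigabitEthernet0/0
 nameif outside
 security-level 80
 ip address 192.0.2.1 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 20
 ip address 198.51.100.1 255.255.255.0
!
access-list OUTSIDE_IN extended permit ip any any
access-group OUTSIDE_IN in interface outside
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside
!
! --- Conventional ordering (the reply's outside=20, inside=80; the ASA
! --- defaults are 0 for outside and 100 for an interface named inside) ---
interface GigabitEthernet0/0
 nameif outside
 security-level 20
interface GigabitEthernet0/1
 nameif inside
 security-level 80
!
! The client's plan: explicit deny at the end of each list. The ASA applies
! an implicit deny anyway; the explicit line documents it and gives a hit
! counter to watch in "show access-list" (the "log" keyword adds a syslog).
access-list OUTSIDE_IN extended permit tcp any host 198.51.100.10 eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! With nat-control enabled, a packet crossing from a higher- to a
! lower-security interface must match a nat/static rule or it is dropped,
! whatever the access lists say. Either remove that requirement, as the
! reply suggests checking ...
no nat-control
! ... or keep it and exempt the stub networks from translation, e.g.
!   access-list NONAT extended permit ip 198.51.100.0 255.255.255.0 any
!   nat (inside) 0 access-list NONAT
```

Which interface carries the higher number decides which direction is "high to low" and therefore which direction nat-control and the default interface behaviour apply to, so the two fragments are not equivalent even with permit-any lists.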
