Cisco security guides

August 14, 2008

Working on security aspects for the moment. I am looking for security improvements on the datacenter network. I actually found some very interesting guides. Here are some that I recommend:

Cisco IOS Security Configuration Guide, which covers general security on Cisco devices. It includes explanations and configuration for AAA (authentication, authorization, accounting), security servers (RADIUS and TACACS+), filtering (ACLs, TCP Intercept, CBAC, IDS), IP security (IPsec, IKE) and various advice on passwords, privilege levels and SSH.

Cisco Guide to Harden Cisco IOS Devices, a very comprehensive guide which gives advice point by point, separating the management, control and data planes. It goes over: AAA, logging, ACLs, securing SNMP, securing sessions (console and remote), protecting the CPU, securing BGP and IGPs, anti-spoofing techniques (uRPF) and much more.
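As an added illustration (my own fragment, not taken from the Cisco guide), here is an IOS configuration that touches several of the points above, grouped by plane. Addresses are from the documentation ranges, the AS numbers are private, the server and ACL names are made up, and every secret is a placeholder in angle brackets to be replaced.

```cisco
! --- Management plane ---
! AAA against TACACS+, with local fallback if the server is unreachable
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server host 192.0.2.10 key <tacacs-key>
username admin privilege 15 secret <strong-password>
enable secret <enable-password>
service password-encryption
!
! Remote sessions: SSHv2 only, from the management subnet only, idle timeout
ip domain-name example.net
ip ssh version 2
ip access-list standard MGMT-HOSTS
 permit 192.0.2.0 0.0.0.255
 deny   any log
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 10 0
 login authentication default
!
! Logging to a remote collector with usable timestamps
service timestamps log datetime msec localtime show-timezone
logging buffered 65536 informational
logging host 192.0.2.20
!
! SNMP: v3 authPriv only, read-only view, restricted to the management ACL
snmp-server view NMS-VIEW iso included
snmp-server group NMS-GROUP v3 priv read NMS-VIEW access MGMT-HOSTS
snmp-server user nms-user NMS-GROUP v3 auth sha <auth-pass> priv aes 128 <priv-pass>
!
! --- Control plane ---
! Control Plane Policing: rate-limit management traffic punted to the CPU
ip access-list extended COPP-MGMT
 permit tcp 192.0.2.0 0.0.0.255 any eq 22
class-map match-all COPP-MGMT-CLASS
 match access-group name COPP-MGMT
policy-map COPP
 class COPP-MGMT-CLASS
  police 256000 conform-action transmit exceed-action drop
control-plane
 service-policy input COPP
!
! BGP neighbour authentication (MD5 TCP option)
router bgp 64496
 neighbor 198.51.100.1 remote-as 64497
 neighbor 198.51.100.1 password <md5-key>
!
! --- Data plane ---
! Strict uRPF on the edge-facing interface, plus the usual interface hygiene
interface GigabitEthernet0/1
 ip verify unicast source reachable-via rx
 no ip redirects
 no ip proxy-arp
 no ip unreachables
```

The RSA key pair for SSH is generated from exec mode (`crypto key generate rsa`) before `transport input ssh` will accept sessions, and strict uRPF belongs only on interfaces with symmetric routing; on a multihomed edge use loose mode (`reachable-via any`) instead.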

SANS Policy Primer, which gives you hints on writing a security policy.

NSA Router Security Configuration Guide, which contains good guidance but is somewhat outdated.


Cisco FWSM config guide

June 24, 2008

Just got another project: I started working in a bank. I am waiting for the usual authorizations, laptop and other paperwork to be ready, but I didn’t waste my time lately. I’ve been reading the Cisco 6500 Firewall Services Module configuration guide since I am going to use the FWSM on a Cisco 6500.

The guide covers all the functionality of the firewall blade: security contexts, interface parameters, ACLs, NAT, failover, advanced filtering and so on.

FWSM architecture

Here is a quick sketch of FWSM’s architecture:

The FWSM can be run as a virtualized system with several security contexts (admin, A, B, …), each an independent virtual firewall with its own configuration, interfaces and policies. The module ships in single-context mode; switching to multiple-context mode creates the admin context, which is the one you log into to administer all the others. This suits service providers, for instance, where several customers share one firewall module without seeing each other’s configuration.

L2 interfaces (VLANs) are assigned to each context, which then runs in either transparent (bridged) or routed mode. Keep in mind that the FWSM has no physical interfaces of its own: the supervisor hands it VLANs over the chassis backplane, and those VLAN interfaces are all it sees.

ACLs filter at L3 (extended ACLs on IP packets) or, in transparent mode, at L2 (EtherType ACLs on non-IP frames). ACLs are easier to manage with object groups that name the services, network ranges and hosts the rules refer to, so a change to a group updates every rule that uses it.

Besides the usual ACLs there is application-level filtering: URL filtering (outsourced to an external Websense or N2H2 server that the module queries for each request) and blocking of Java applets and ActiveX controls in HTTP responses.
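An added example, written for this post rather than taken from the configuration guide, showing object groups feeding an extended ACL, an EtherType ACL for a transparent-mode context, and the URL/Java/ActiveX filters. Interface names, addresses (documentation and private ranges) and the filtering server are assumptions.

```cisco
! Objects name what the rules talk about; change a group, every rule follows
object-group network DMZ-WEB-SERVERS
 network-object host 192.0.2.10
 network-object host 192.0.2.11
object-group service WEB-PORTS tcp
 port-object eq www
 port-object eq https
object-group network INTERNAL-ADMIN
 network-object 10.0.0.0 255.255.255.0
!
! L3 filtering: extended ACL applied inbound on the outside interface.
! Anyone may reach the web servers on web ports; only the admin subnet may
! SSH to them; everything else hits the explicit deny and is logged.
access-list OUTSIDE-IN extended permit tcp any object-group DMZ-WEB-SERVERS object-group WEB-PORTS
access-list OUTSIDE-IN extended permit tcp object-group INTERNAL-ADMIN object-group DMZ-WEB-SERVERS eq ssh
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
!
! L2 filtering (transparent-mode context only): EtherType ACL for non-IP
! frames. IP traffic is still governed by the extended ACL above.
access-list NON-IP ethertype permit bpdu
access-list NON-IP ethertype deny any
access-group NON-IP in interface inside
!
! Application-level filtering: every HTTP request is checked against the
! Websense server on the inside; Java applets and ActiveX are stripped
! from port-80 responses for all source/destination pairs (0 0 0 0 = any)
url-server (inside) vendor websense host 10.0.0.50 timeout 30
filter url http 0 0 0 0
filter java 80 0 0 0 0
filter activex 80 0 0 0 0
```

The order of entries matters: ACL lines are evaluated top down and the first match wins, so the logged `deny ip any any` must stay last. If the URL server becomes unreachable, `filter url` blocks web traffic by default; add the `allow` keyword to the `filter url` line only if failing open is an acceptable risk.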

Note that two FWSMs can work together to provide failover, in either Active/Standby or Active/Active configuration. Active/Active requires multiple-context mode, since it works by splitting the contexts into two failover groups, each active on a different module.

Connection limits and protocol inspection are configured through the Modular Policy Framework.

Modular Policy Framework

First, a class map selects the traffic you want to act on (by ACL, by port, or the default inspection traffic). Then a policy map assigns actions to each class: maximum number of connections, timeouts, inspection. Finally, a service policy attaches the policy map to an interface, or globally to all interfaces.
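The three steps above in one fragment, as an added example of my own rather than text from the guide. The class and policy names, the web server address and the limits are assumptions; the interface is called `outside`.

```cisco
! 1. Class maps: select the traffic
access-list WEB-TRAFFIC extended permit tcp any host 192.0.2.10 eq www
class-map WEB-CLASS
 match access-list WEB-TRAFFIC
class-map DNS-CLASS
 match port udp eq domain
!
! 2. Policy map: one set of actions per class
policy-map OUTSIDE-POLICY
 class WEB-CLASS
  ! cap total and half-open connections to the web server (SYN-flood protection)
  set connection conn-max 2000 embryonic-conn-max 500
  ! drop half-open connections that do not complete within 30 seconds
  set connection timeout embryonic 0:00:30
  inspect http
 class DNS-CLASS
  ! reject DNS replies longer than the classic 512-byte limit
  inspect dns maximum-length 512
!
! 3. Service policy: attach the policy map to the interface
service-policy OUTSIDE-POLICY interface outside
```

Only one service policy can be attached per interface (plus one global policy), so all classes for an interface live in the same policy map. Traffic that matches no class is simply forwarded according to the ACLs, without limits or inspection, so check with `show service-policy interface outside` that the counters for each class actually increase.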