Cisco Asa Firewall Audit Checklist

Soumya Ghorpade

Firewall configuration audits are an integral component of an overall security posture validation process, but their time and resource requirements often outstrip those allocated by IT staff.

An automated solution should be deployed to automate error-prone manual tasks and provide real-time alerts. Furthermore, such a solution should have the capability of analyzing and documenting firewall objects so organizations can optimize their rulesets based on actual policy usage.

Configuration

Firewall configurations contain sensitive information, including access control lists, authentication credentials and device management settings. Maintaining the integrity of this data is integral to ongoing security; any changes to firewall settings should be carefully recorded and documented with regard to internal policy requirements and tracked.

Configuration changes should be approved through an internal risk evaluation process that assesses their potential effects on the network. Approval processes should provide information such as what the change entails, its effect, who approved it and any further action needed.

Make sure that administrative ports are limited to trusted interfaces and IP addresses to reduce the attack surface of the Cisco ASA and prevent unauthorised access. Compare actual policy usage against the firewall logs to identify excessively permissive rules that may need tightening to match policy or real usage, then delete rules that are covered (shadowed) by earlier ones, and merge duplicate or similar rules into a single rule to reduce firewall clutter.

Logging

Firewall logs let administrators keep track of activity on the firewall, including access, policy, management and connection records, and identify security incidents from those records.

Because both the primary and the failover unit must log correctly, make sure that logging is active and configured appropriately on each of them. Comparing the logs of the two devices will show whether any change has affected configuration settings and how significant that change is.

Change management must be documented and the appropriate process followed when requesting firewall changes. This should include risk analysis, workflow approvals and exception handling. The risk evaluation must consider every network component affected by the change as well as the possible performance impact on the ASA; risks should then be prioritized accordingly.

Policy Management

Firewall security policies must meet both external regulations and internal security policies, outlining how information travels across interconnected networks while setting access boundaries and preventing hostile activities from entering or exiting them.

Review procedures for requesting firewall changes, such as VPN and subnet configuration changes, to make sure that they’re documented and implemented appropriately. Assess any security impacts caused by each change as well as collecting all required approval signatures for future reference.

Utilising an intelligent automated tool such as AlgoSec for security-policy change workflows can dramatically shorten the time required to process firewall changes, improve accuracy and accountability, enforce compliance and mitigate risk. You’ll also discover and remove unused rules, objects and configurations as well as rearrange rules to optimize performance based on actual policy usage patterns, helping lower IT costs while prolonging firewall life and preparing for IT audits.

Access Control Lists (ACLs)

Firewall access control is an integral component of an effective firewall system. Do procedures exist to verify and monitor access by authorized personnel? Are security tools utilized to assist in trend analysis of firewall activity and detect unintended changes to its configuration?

Restrict administrative ports to trusted interfaces and IP addresses to reduce the attack surface of ASA devices and limit the ability of unauthorised parties to gain privileged access.

The ASA evaluates a packet against an ACL's entries in ascending line-number order, stopping as soon as an entry matches or the end of the list is reached. A new entry may be created using ASDM’s add command with these parameters:

Engineers often make the mistake of adding permits or rules solely for troubleshooting purposes, which defeats the purpose of ACLs altogether. Network insights from NCM allow you to view all ACLs configured on the ASA and determine whether they are being utilized optimally.
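As an added example (written for this post, not code from the original article or from any vendor tool), the following Python script audits a constructed ASA running-config for the checklist points above: management access (ssh/http/telnet) open to any source, catch-all permits, entries that are shadowed because the ASA stops at the first matching entry, and logging that is not enabled or not forwarded to a syslog host. The ACL shadow check is deliberately simplified to the "ip any any" case.

```python
import re

# Constructed sample of a Cisco ASA running-config (not taken from any real device).
SAMPLE_CONFIG = """\
ssh 0.0.0.0 0.0.0.0 outside
ssh 10.1.1.0 255.255.255.0 inside
http 192.168.5.0 255.255.255.0 management
logging enable
access-list OUTSIDE_IN extended permit tcp any host 10.1.1.10 eq 443
access-list OUTSIDE_IN extended permit ip any any
access-list OUTSIDE_IN extended deny ip any any log
"""

MGMT_RE = re.compile(r"^(ssh|http|telnet)\s+(\S+)\s+(\S+)\s+(\S+)$")
ACE_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+(permit|deny)\s+(\S+)\s+(.*)$")

def audit_management_access(config: str) -> list:
    """Flag ssh/http/telnet statements that admit any source address."""
    findings = []
    for line in config.splitlines():
        m = MGMT_RE.match(line.strip())
        if m and m.group(2) in ("0.0.0.0", "any", "any4"):
            findings.append(f"{m.group(1)} open to any source on {m.group(4)}")
    return findings

def audit_acls(config: str) -> dict:
    """Report catch-all permits and entries shadowed by an earlier catch-all.
    The ASA stops at the first match, so entries after 'ip any any' are dead."""
    permissive, shadowed, closed = [], [], set()
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        name, action, proto, rest = m.groups()
        catch_all = proto == "ip" and rest.split()[:2] == ["any", "any"]
        if name in closed:
            shadowed.append(line.strip())
        elif catch_all:
            closed.add(name)
            if action == "permit":
                permissive.append(line.strip())
    return {"permissive": permissive, "shadowed": shadowed}

def audit_logging(config: str) -> list:
    """Check that logging is enabled and sent to at least one syslog host."""
    lines = [ln.strip() for ln in config.splitlines()]
    findings = ["logging not enabled"] if "logging enable" not in lines else []
    if not any(ln.startswith("logging host ") for ln in lines):
        findings.append("no remote syslog host configured")
    return findings
```

Run it against the output of `show running-config` from a real unit (and from its failover peer) and compare the findings of the two devices.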
