ASA5505 DMZ Security Hardening

TL;DR

This guide shows you how to secure your ASA5505’s Demilitarised Zone (DMZ). We’ll cover limiting access, checking configurations, and setting up basic monitoring. It assumes you already have a working DMZ setup.

Securing Your ASA5505 DMZ

  1. Understand the DMZ’s Purpose
    • The DMZ should *only* host services that must be reachable from the internet. Everything else stays on your internal network, and DMZ hosts are treated as potentially compromised: the rules below exist to contain them.
    • Identify exactly what services are running in the DMZ (web server, mail server, etc.) and on which ports. This is crucial for defining access rules.
  2. Restrict Access with ACLs

    Access Control Lists (ACLs) are your first line of defence. The ASA evaluates an ACL on the interface where traffic *enters* the firewall, and every ACL ends with an implicit deny, so each rule set only needs to list what must be allowed.

    • Inbound Rules: Allow *only* the ports required for your DMZ services from the internet. For example, if you have a web server on ports 80 and 443:
      access-list outside_in extended permit tcp any host  eq 80
      access-list outside_in extended permit tcp any host  eq 443
    • DMZ-to-Inside Rules: Restrict what the DMZ servers can initiate towards your internal network. Ideally they should reach only specific resources, such as one database server on one port:
      access-list dmz_in extended permit tcp  host  eq 3306
      This ACL is applied inbound on the dmz interface, which replaces the default "higher to lower security level" behaviour: once it is in place the DMZ hosts can *only* do what it permits. Add entries for anything else they legitimately need (DNS, NTP, update servers) before applying it, or you will cut them off.
    • Apply ACLs to Interfaces: On the ASA5505 the named interfaces are VLAN interfaces (the physical Ethernet0/x ports are switch ports assigned to a VLAN), and `access-group` is a global configuration command, not an interface sub-command:
      interface Vlan1
       nameif inside
       security-level 100
      interface Vlan2
       nameif outside
       security-level 0
      interface Vlan3
       nameif dmz
       security-level 50
      access-group outside_in in interface outside
      access-group dmz_in in interface dmz
      Check the licence before planning a three-zone design: the Base licence allows three VLANs but restricts the third from initiating traffic to one of the other two; the Security Plus licence removes that limit.
  3. Object Groups for Easier Management

    Using object groups makes your configuration easier to read and update. Note that `object network` defines a single object (one host, subnet or range); a list of hosts needs `object-group network`, which the ACL then references with the `object-group` keyword. The same approach with `object-group service` bundles the permitted ports (80 and 443) into one entry.

    • Create an object group for your DMZ servers:
      object-group network DMZ_Servers
       network-object host 
       network-object host 
    • Use the object group in your ACLs:
      access-list outside_in extended permit tcp any object-group DMZ_Servers eq 80
  4. Inspect Your Configuration
    • Show running config: Review the entire configuration for errors or unexpected rules, in particular any `permit ip any any`, permits without a destination port, and ACLs that are defined but never bound with `access-group`.
      show running-config
    • Show access-lists: Verify your ACLs are as expected. The output includes a hit count per entry; an entry that never matches is either unnecessary or shadowed by an earlier one.
      show access-list outside_in
    • Check NAT rules: Ensure that traffic is being translated correctly to the DMZ servers. `packet-tracer` walks a synthetic packet through NAT and the ACLs and reports which rule allowed or dropped it, which is the quickest way to confirm that only the intended ports reach the DMZ.
      show nat detail
  5. Disable Unnecessary Services
    • Turn off any services on the ASA5505 that aren't required, and remove management access from the outside interface entirely; this reduces the attack surface. Telnet is unencrypted, so replace it with SSH rather than merely restricting it. `no telnet` and `no http` each take the address, mask and interface of an existing entry; `no http server enable` turns the ASDM/HTTPS service off altogether.
      configure terminal
      no http 
      no telnet 
  6. Basic Logging and Monitoring
    • Enable logging so that packets the ACLs drop on the outside interface are recorded. Denied packets generate message 106023 at the warnings level (4), so the logging level must be at least `warnings`; `informational` (6) also captures connection setup and teardown, which helps when investigating. `debugging` floods the buffer and the syslog server and should not be left on.
      logging enable
      logging buffered informational
      logging trap informational
    • Regularly review logs for suspicious activity. Send them to a Syslog server (`logging host`, which names the interface and the server address) for centralised logging; the local buffer is small and is lost on reload.
  7. Keep Software Updated
    • Regularly update the ASA5505 software to patch security vulnerabilities. Check the running version first:
      show version
    • There is no `upgrade firmware` command on the ASA: an upgrade means copying the new image to flash (`copy`), pointing `boot system` at it, and reloading. Note that the ASA 5505 is end-of-life and no longer receives software fixes, so an internet-facing 5505 is itself a risk to plan around.
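Steps 2, 4 and 6 all come down to two questions: are the ACLs as tight as they should be, and what is the outside ACL actually dropping? The script below is an added example, not Cisco code and not part of the original post. It parses the extended ACEs and `access-group` bindings from `show running-config` text, flags any-to-any permits, `permit ip`, TCP/UDP permits with no destination port and ACLs that are never applied, and then counts 106023 deny messages by source and destination port. The configuration, the ACL and object-group names, the addresses and the syslog lines are constructed sample data, not a real deployment.

```python
"""Offline audit of an ASA DMZ config and its ACL deny log.

Added example for this guide: not Cisco code and not part of the original
post. It assumes plain `show running-config` text (extended ACEs plus
`access-group` bindings) and standard %ASA-4-106023 deny messages; every
address, ACL name and log line below is constructed sample data.
"""
import re
from collections import Counter

# Constructed config: a sane DMZ rule set plus three deliberate weaknesses.
SAMPLE_CONFIG = """\
access-list outside_in extended permit tcp any object-group DMZ_Servers eq 443
access-list outside_in extended permit ip any any
access-list dmz_in extended permit tcp object-group DMZ_Servers host 10.0.0.5 eq 3306
access-list dmz_in extended permit udp any any
access-list dmz_in extended deny ip any any log
access-list stale_acl extended permit tcp any any eq 22
access-group outside_in in interface outside
access-group dmz_in in interface dmz
"""

# Constructed syslog: three TCP denies and one ICMP deny (no port field).
SAMPLE_SYSLOG = """\
%ASA-4-106023: Deny tcp src outside:203.0.113.7/51234 dst dmz:192.0.2.10/3389 by access-group "outside_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:198.51.100.4/40000 dst dmz:192.0.2.11/22 by access-group "outside_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:203.0.113.7/51235 dst dmz:192.0.2.10/3389 by access-group "outside_in" [0x0, 0x0]
%ASA-4-106023: Deny icmp src outside:203.0.113.9 dst dmz:192.0.2.10 (type 8, code 0) by access-group "outside_in" [0x0, 0x0]
"""

def _take_addr(t, i):
    """Consume one address spec: any | host X | object-group X | ip mask."""
    if t[i] in ("any", "any4", "any6"):
        return t[i], i + 1
    return f"{t[i]} {t[i + 1]}", i + 2

def _take_port(t, i):
    """Consume an optional port operator (eq/neq/lt/gt X or range X Y)."""
    if i < len(t) and t[i] in ("eq", "neq", "lt", "gt"):
        return f"{t[i]} {t[i + 1]}", i + 2
    if i < len(t) and t[i] == "range":
        return f"range {t[i + 1]} {t[i + 2]}", i + 3
    return None, i

def parse_aces(config):
    """One dict per `access-list NAME extended ...` line (remarks skipped)."""
    aces = []
    for line in config.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2] != "extended":
            continue
        src, i = _take_addr(t, 5)
        _, i = _take_port(t, i)          # source port operator, if present
        dst, i = _take_addr(t, i)
        dport, i = _take_port(t, i)
        aces.append({"acl": t[1], "action": t[3], "proto": t[4], "src": src,
                     "dst": dst, "dport": dport, "log": "log" in t[i:],
                     "line": line.strip()})
    return aces

def parse_bindings(config):
    """Map ACL name -> 'direction interface' from access-group lines."""
    rows = (l.split() for l in config.splitlines())
    return {t[1]: f"{t[2]} {t[4]}" for t in rows
            if len(t) >= 5 and t[0] == "access-group" and t[3] == "interface"}

def audit(config):
    """Flag over-broad permits and ACLs that are defined but never applied."""
    aces, bound, findings = parse_aces(config), parse_bindings(config), []
    for a in aces:
        if a["action"] != "permit":
            continue
        if a["src"] == "any" and a["dst"] == "any":
            findings.append(f"ANY-TO-ANY: {a['line']}")
        if a["proto"] == "ip":
            findings.append(f"PERMIT-IP: {a['line']}")
        if a["proto"] in ("tcp", "udp") and a["dport"] is None:
            findings.append(f"NO-DEST-PORT: {a['line']}")
    for acl in sorted({a["acl"] for a in aces}):
        if acl not in bound:
            findings.append(f"UNBOUND-ACL: {acl} has no access-group binding")
    return findings

# 106023 is the default message for packets an ACL denies; TCP/UDP carry ports.
DENY_RE = re.compile(r"%ASA-\d-106023: Deny (\w+) src \w+:([\d.]+)/\d+ dst \w+:[\d.]+/(\d+) ")

def top_denies(syslog, n=3):
    """Count denied (source ip, proto/dest port) pairs; ICMP lines are skipped."""
    counts = Counter()
    for m in filter(None, (DENY_RE.search(l) for l in syslog.splitlines())):
        proto, src_ip, dport = m.groups()
        counts[(src_ip, f"{proto}/{dport}")] += 1
    return counts.most_common(n)

if __name__ == "__main__":
    print(*audit(SAMPLE_CONFIG), sep="\n")
    print(top_denies(SAMPLE_SYSLOG))
```

Run it against the output of `show running-config` and a syslog export from your own firewall instead of the embedded samples; the parser understands the common `any`, `host`, `object-group` and `ip mask` address forms and the `eq`/`range` port operators, so other syntax (for example service objects used in place of the protocol) should be checked by hand.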