PIX/ASA Checklist

As with configuring any firewall, administrators should develop a checklist that they can use during the installation and implementation of the PIX/ASA firewall in the network
Nội dung trích xuất từ tài liệu:
PIX/ASA ChecklistPIX/ASA ChecklistAs with configuring any firewall, administrators should develop a checklist that they canuse during the installation and implementation of the PIX/ASA firewall in the network.There are really two components to this checklist. First, you want to define theimplementation requirements and determine how the firewall should be configured andwhat options will be enabled. In essence, design and plan your firewall implementationbefore you configure and implement the firewall. To help with the planning of yourPIX/ASA firewall implementation, consider the following items (although not anexhaustive list, it is a good basic checklist for many environments): • Determine how many interfaces will be required. • Determine how the interfaces will need to be configured (for example, interface speed and duplex). • Determine the IP addresses that will be assigned to the firewall interfaces and how the addresses will be assigned (for example, static IP addresses or DHCP configuration). • Determine what type of routing will be used (dynamic or static) and define any static and default routes. • Determine how NAT will be used (for example, static, dynamic, no NAT at all, or any combination of the three). • Define which internal hosts will need to be accessed from the outside, and whether that access will be handled by static NAT or without NAT. • Define which ACLs (both inbound and outbound) will be required. • Define how authentication and command authorization on the PIX will be handled (for example, will a AAA server be required?). • Define the firewall administrator roles and the corresponding access levels that will be required. • Will remote-access or LAN-to-LAN VPNs be configured on the PIX/ASA? If so, define the VPN configuration settings. • Define the passwords that will be used on the firewall. • Define how the PIX will be managed (for example, using Telnet, SSH, ASDM) and from what networks or hosts remote access will be permitted. • Define how logging will be handled (for example, will the PIX/ASA log to a remote syslog server?).After you have completed your planning and defined the requirements and determinedhow the firewall should be configured and what options will be enabled, the second stepof the PIX/ASA checklist is to list out the specific configuration steps required toconfigure the firewall. Whereas the preceding checklist focused on the planning anddesign, this checklist uses that information to define what actually needs to be done forthe actual firewall configuration. A good configuration checklist for the PIX/ASAfirewall consists of the following:1. Configure the firewall interfaces.2. Configure the firewall passwords.3. Configure the firewall name and domain name.4. Assign addresses to the firewall interfaces.5. Configure the appropriate routing.6. Configure the appropriate remote management settings.7. Configure AAA as required.8. Configure the firewall time settings9. Configure the appropriate logging settings.10. If required, configure NAT and any other translations.11. Build and implement the appropriate ACLs and apply them to the appropriate interfaces in the appropriate direction.12. Configure application inspection.13. Configure advanced features such as failover, VPN, or IPS.14. If the firewall is an ASA, configure the advanced antivirus, antispyware, and antiphishing settings.