October 2015 Issue No: 1.1 Security Procedures Cisco ASA 5500 v9.1(2) Product Family

CISCO ASA 5000 - Security Procedures - NCSC Site · PDF filePage 3 Cisco ASA 5500 v9.1(2) Product Family About this document These Security Procedures provide guidance in the secure


October 2015 Issue No: 1.1

Security Procedures

Cisco ASA 5500 v9.1(2)

Product Family


Page 2

Security Procedures

Cisco ASA 5500 v9.1(2) Product Family

Issue No: 1.1 October 2015

This document describes the manner in which this product should be implemented to ensure it complies with the requirements of the CPA Security Characteristics that it was assessed against. The intended audience for this document is HMG implementers, and as such they should have access to the documents referenced within. If you do not have access to these documents but believe that you have an HMG focused business need, please contact CESG Enquiries.

Document History

Version Date Comment

1.0 June 2014 First issue

1.1 October 2015 First public release


About this document

These Security Procedures provide guidance in the secure operation of the Cisco ASA 5500 v9.1(2) product family (in relation to acting as IPsec security gateways). This document is intended for System Designers, Risk Managers and Accreditors. CESG recommends you establish whether any departmental or local standards, which may be more rigorous than national policy, should be followed in preference to those given in these Security Procedures. The Security Procedures come from a detailed technical assessment carried out under the CPA scheme. They do not replace the need for tailored technical or legal advice on specific systems or issues. CESG and its advisors accept no liability whatsoever for any expense, liability, loss, claim or proceedings arising from reliance placed on this guidance.

Related documents

The documents listed in the References section are also relevant to the secure deployment of this product. For detailed information about device operation, refer to the Cisco ASA 5500 v9.1(2) product family documentation.

Points of contact

For additional hard copies of this document and general queries, please contact CESG using the following details.

CESG Enquiries
Hubble Road
Cheltenham
GL51 0EX
United Kingdom

[email protected] Tel: 01242-709141

CESG welcomes feedback and encourages readers to inform CESG of their experiences, good or bad, with this document. Please email [email protected]


Contents:

Chapter 1 - Outline Description ........................................................ 5
Product Summary ......................................................................... 5
Certification ........................................................................... 5
Components .............................................................................. 6
Document Scope .......................................................................... 6
Document Terminology and Audience ....................................................... 6

Chapter 2 - Security Functionality ...................................................... 8
ASA 5500 ................................................................................ 8
Administration and Other Products ....................................................... 8

Chapter 3 - Secure Operation ............................................................ 9
Introduction ............................................................................ 9
Pre-installation ........................................................................ 9
Installation ........................................................................... 10
Cryptographic Configuration and Operation .............................................. 10
User Authentication .................................................................... 11
Interface Configuration ................................................................ 12
Maintenance and Updates ................................................................ 12
System Logs ............................................................................ 12

Chapter 4 - Security Incidents ......................................................... 14
Incident Management .................................................................... 14

Chapter 5 - Disposal and Destruction ................................................... 15
Erasure of Key Material ................................................................ 15
Routine Disposal of Equipment .......................................................... 15
Emergency Destruction of Equipment ..................................................... 15

References ............................................................................. 16

Glossary ............................................................................... 17


Chapter 1 - Outline Description

Product Summary

1. Each member of the ASA 5500 product family is a network security appliance that provides a number of functions, in particular an IPsec-based VPN security gateway capability.

2. The product family covers Cisco ASA hardware models as listed on the CESG website www.cesg.gov.uk/servicecatalogue/Product-Assurance/CPA.

3. The family is divided into two ranges of hardware models: the latest (or new) range (models with an id suffixed with -X) and the initial (or old) range (ids without -X). Models vary in capacity and processing speed but are identical as far as implementing the security characteristic requirements is concerned; that implementation is mainly provided by the ASA software v9.1(2), which runs on each hardware model.

4. The new range supports the PSN IPsec profiles (also referred to as PRIME). This is due to the different cryptographic hardware modules that are used; the profiles are specified in the CPA Security Characteristic IPsec Security Gateway (reference [a]) Section 1.6. A hybrid profile is defined in Cisco guidance (reference [b]). This hybrid profile is sufficiently secure to allow a connection to be made between an old range ASA gateway and a Cisco AnyConnect client.

5. The product is typically used as a security gateway at the boundary of an organisation’s enterprise network. The gateway is accessed through an IPsec VPN tunnel established across an untrusted network between the gateway and either another security gateway or a client product installed on a remote device (such as a laptop computer). This is illustrated in reference [a] Section 1.3.

Certification

6. The product family has undergone a CPA evaluation and has been certified as meeting the Foundation Grade requirements as described in reference [a]. Later versions are automatically covered by this certification until the certificate expires or is revoked, as stated on the product family’s certificate and on the CPA website, www.cesg.gov.uk/servicecatalogue/CPA.

7. The evaluation was performed in conjunction with the CPA evaluation of the Cisco AnyConnect Secure Mobility Client (AnyCSMC) v3.0 and v3.1 product, see that product’s Security Procedures (reference [c]). However, the ASA 5500 product family will operate with any client endpoint product that has been certified as meeting the relevant CPA Foundation Grade requirements (see the CPA Security Characteristic IPsec VPN for Remote Working – Software Client (reference [d])).

8. The product family will also operate (for a gateway-gateway VPN tunnel) with any other gateway product that has been certified as meeting the CPA Foundation Grade requirements specified in reference [a].


Components

9. Each member of the product family consists of hardware which runs ASA software v9.1(2); there are no dependencies on any other platform(s). The software incorporates a Cisco proprietary Unix-like operating system; this is fully integrated into the delivered product, so any mitigation references in [a] to the (separate and distinct) “underlying” operating system are not applicable to this product. Also, irrespective of whether a mitigation is met by the product’s hardware or software, the family members are classed as Hardware Gateways (i.e. they are dedicated network devices, as opposed to solely software products designed to be installed on to standard server hardware running a general purpose operating system).

Document Scope

10. This document provides high-level outline guidance only. It defines security procedures in terms of what should be done (e.g. “configure the product to support an IPsec profile specified in reference [a] Section 1.6”), but not in terms of how to actually carry out the procedure. (The procedures do not include instructions such as “enter the following commands at the console: ...”.)

11. For details of how to configure the product in accordance with this document, the reader is referred to Cisco ASA user guidance documentation, collectively listed under reference [b].

12. Reference is also made in this document to following the guidance given in relevant HMG publications; no attempt is made to summarise the content of such publications.

13. Cisco can be consulted for further advice and guidance on all of the recommendations, references and terminology contained in this document.

Document Terminology and Audience

14. For convenience, “the product” may be used as shorthand for “one or more members of the product family” or (depending on the context) “each member of the product family”.

15. It is assumed that readers (System Designers, Risk Managers and Accreditors) have access to all the references, and that:

The product is to be deployed as part of an IT system (the “relevant” IT system) which is, or will be, accredited against security requirements that are specified in a RMADS (Risk Management and Accreditation Documentation Set)

This RMADS (the “relevant” RMADS) has been, or will be, produced in accordance with HMG IA Standard No. 1 & 2 (IS1 & 2), Information Risk Management (reference [e]), and it does, or will, take account of both the HMG Security Policy Framework (reference [f]) and any applicable departmental or local security standards (which may be more rigorous than those defined by the UK national policy)


The relevant RMADS will include a specification of the highest protective marking of data that the product is permitted to handle (when deployed as part of the relevant IT system)

16. Throughout this Security Procedures document:

The “relevant RMADS” and the “relevant IT system” are as defined above

A reference to, for example, “[a] Section 1.6”, may be written as “[a, 1.6]”

Another security gateway or a client endpoint device that is connected to the product may be referred to as a “peer” or an “actual peer”; another security gateway or a client endpoint device that could be involved in attempting to establish a connection with the product may be referred to as a “potential peer”.


Chapter 2 - Security Functionality

ASA 5500

17. Reference [a, 1.8] provides a generic high level breakdown of a security gateway’s components. In essence, the gateway provides a “Black interface” to the untrusted network and a “Red interface” to the enterprise network. Any traffic received at the Black interface that is not encrypted and authenticated under a (previously established) IPsec session is dropped; other traffic received at the Black interface is decrypted and passed to the Red interface for onward transmission to the enterprise network. Conversely, traffic received at the Red interface for onward transmission to the untrusted network is encrypted and transmitted through the relevant IPsec tunnel.

18. In addition to implementing the above cryptographic functions, the product implements a number of general and administrative security functions, see [a, 3.1]. The product is administered by a user logging in to the product with the appropriate username and password(s) to adopt the “authorised administrator” role.

19. The product is also capable of acting as a firewall (whilst simultaneously acting as an IPsec VPN gateway), but that functionality is outside the scope of the CPA evaluation and of this document.

Administration and Other Products

20. For the purposes of this document, a “local administrator” means an authorised administrator attempting a “local login” to the product using a computer connected directly to the product’s console port. A “remote administrator” means an authorised administrator attempting a “remote login” to the product using a computer connected via a network to one of the product’s other ports. In either case authentication checks may be done either locally (i.e. wholly by the product) or remotely (i.e. by the product communicating with a RADIUS or TACACS+ authentication server; however, any recommendations for the secure operation of such a server are outside the scope of this document).

21. Remote administration of an ASA device is generally done by using the GUI provided by the Cisco Adaptive Security Device Manager (ASDM) software product (installed on e.g. a laptop running Windows).

22. The authorised administrator role can be adopted by any user who knows the appropriate username and password(s). This role can, in effect, be sub-divided into different levels of (permitted access to groups of) administrative facilities, with each level protected by its own password. There is no concept of a “standard user” who is authorised to use the product but who is not, at least to some extent, an authorised administrator.

23. As well as a remote authentication server, the product can be configured to export its log messages to a remote syslog server; but again any recommendations for the secure operation of such a server are outside the scope of this document.


Chapter 3 - Secure Operation

Introduction

24. The rest of this document contains recommendations that outline the configuration of, and security operating procedures for, the product.

25. These recommendations should be followed unless there is a strong business requirement not to do so. Any such deviations (and associated risks) should be discussed with the relevant Accreditor.

Pre-installation

26. This section deals with topics that should be addressed during the relevant IT system design stage, including requirements placed on the operational environment.

27. The product must be installed in a secure facility when it is processing operational data. A secure facility is an appropriate location that:

Is accredited for the protective marking of the operational data that the product will be handling

Implements appropriate physical security measures such that only authorised personnel can gain physical access to the product

28. These physical security measures may (if it is considered to be necessary) include tamper evident seals obtained from Cisco, or from a CESG-recommended supplier, that can be placed over the product’s access points (i.e. points at which an attacker could remove the product’s outer case and gain access to the product’s internal electronic components). Each seal should preferably be uniquely identifiable to prevent an attacker successfully replacing it with a new, undamaged seal.

29. Preparations should be made to provide each authorised administrator with advice on the tamper threat. This advice should cover at least the following points:

Administrators should regularly inspect each installed product for signs of tampering, e.g. damage to any tamper evident seals (if fitted)

In the event of tampering being detected, an administrator should report the fact as soon as possible (in accordance with the relevant Syops), and must ensure that the product is removed from use immediately and not returned to service

30. In respect of its implementing (one end of) an IPsec VPN tunnel, preparations must be made to use the product only with other IPsec VPN security gateways and clients that have been certified to CPA Foundation Grade.


31. Preparations must be made to operate the product in conjunction with a HMG PKI system. The product, and its associated “other VPN security gateways and clients”, must be operated with X.509 certificates that are chained to a trusted, non-public, certificate authority which enables revocation of certificates and prevents the issue of fraudulent certificates. All IPsec VPN client certificates used in the relevant IT system should be re-issued every two years and the previous certificates revoked. Re-issuing and revoking security gateway certificates used in the relevant IT system should be covered in the relevant Syops.

32. Preparations must be made to securely provision the above X.509 certificates to the product and to the VPN Clients (and any other VPN Security Gateways) that are part of the relevant IT system.

Installation

33. The product must be installed (and initially configured) in accordance with the contents of this document. The product’s hardware must have been procured through a Cisco authorised reseller and delivered by a reputable carrier. Before installing the hardware, any signs of tampering (with either the hardware or its packaging) must be investigated; if it is concluded that the hardware has been tampered with then it must not be installed but should be returned to the supplier. Instructions for installing the hardware are given in [d]; once installed the tamper evident seals must be fitted if necessary (see para 28).

34. Any software pre-installed in the hardware must be ASA software v9.1(2); this must be verified as authentic (see the “Maintenance and Updates” section below). If the product has not been shipped with ASA software v9.1(2) then the software must be acquired and verified as described in the “Maintenance and Updates” section below.

35. If the finally installed software includes a startup configuration file then it (and any accompanying documentation) must be inspected to ascertain whether it contains any default passphrases or passwords; if it does then these must be changed. Such changes should preferably be done via a physically local connection; if changes are done via a remote connection then they must be done from a trusted computer over a cryptographically secure connection to the product (see also para 48).

36. Subsequent configuration of the product can be done using either the product’s CLI or the ASDM configuration tool (see para 21). In neither case is the (initial) configuration a fully automated process, but comprehensive installation and configuration instructions are provided in [d].

Cryptographic Configuration and Operation

37. The product must be configured to use X.509 certificates to mutually authenticate all IPsec VPN connection attempts on its Black interface. Certificate verification must include full certificate chain verification and processing of the current Certificate Revocation List (CRL).


38. All IPsec VPN client certificates used in the relevant IT system should be re-issued every two years and the previous certificates revoked. Re-issuing and revoking security gateway certificates used in the relevant IT system should be covered in the relevant RMADS.

39. The product must be configured to use an approved IPsec profile defined in [a,1.6] for all IPsec VPN connections; the product must be configured to limit (IKEv1 and IKEv2) SA lifetimes to no more than 24 hours.

40. In addition, the product’s group-policy (session timeout) facility should be configured to automatically terminate any VPN connection using either the end state or hybrid profile that has been open for 24 hours, in order to ensure that the current CRL is used when that connection is re-established.

41. For all ASA models, procedural controls can be used to terminate connections manually. Details of such measures are given in [d].

42. Comprehensive cryptographic configuration instructions are provided in [d]. See also para 31 above re the need to operate the product in conjunction with a suitable PKI system.

User Authentication

43. The product must be configured so that any user attempting a local login to the product (see para 20) must supply a valid username and password.

44. The product must be configured so that any user attempting a remote login to the product must supply a valid username and password. Prior to the username/password data being transmitted to the product from a remote computer, the product and the remote computer must have negotiated a mutually acceptable cryptographic-based secure communications protocol (e.g. IPsec, SNMPv3, TLS or SSHv2) which will protect the confidentiality and integrity of data subsequently transmitted between the product and the remote computer.

45. If a local or a remote login involves the use of a remote RADIUS or TACACS+ server, then communications between the product and that server must be protected against any threat of traffic being intercepted by an attacker and usernames/passwords being compromised. Any such protection could involve the use of a secure protocol (e.g. as outlined in para 44 regarding communications between the product and an administrator’s computer).

46. The product must be configured to enforce separate accounts for device management, account administration and user access. In other words, it must be possible to identify each user who logs on to the product, and each user account should be associated with either the authorised administrator role or a sub-division of that role (see para 22).

47. Comprehensive instructions covering the above topics are provided in [c], and further general guidance on user authentication is given in CESG IA Implementation Guide No. 3, User Authentication Systems (reference [f]).


Interface Configuration

48. The product must be configured to disable management interfaces on the Black network. The product must be configured so that the only means of managing (i.e. administering) the product via the Black interface, is by an authorised administrator successfully logging in to the product through an IPsec VPN tunnel that has been established between the product and a trusted remote computer that they are using.

49. The product must be configured to restrict which network interfaces can be used for device management (i.e. product administration). With the exception of the case covered in para 48, administration should be done via the Red interface, e.g. using the product’s local console port, and as far as possible it should be done so that management traffic is carried “out of band”, i.e. not “in band” with subscriber (non-management) traffic.

50. Finally, all ports (logical and physical), protocols and services that could potentially be provided by the product should be disabled if they are not needed in the relevant IT system.

51. Comprehensive instructions covering the above topics are provided in [b].

Maintenance and Updates

52. Patches must be applied as soon as possible.

53. The product must be updated to the latest version of the ASA software - i.e. v9.1(2) or later - as soon as possible after an updated version is made available. (An updated version is a whole new image file, as opposed to one or more patches to be applied to the currently installed image file.)

54. The authenticity of an updated version of the software must be confirmed cryptographically prior to the software being installed on the product.

55. Comprehensive instructions covering maintenance and updates, including how to confirm the authenticity of an updated version of the software, are provided in [b].

System Logs

56. The product must be configured to log details of all actions deemed to be of interest, as specified in the relevant RMADS. The details to be included in the log messages, as specified in the relevant RMADS, must be detailed enough to facilitate forensic operations during any security incident investigation, but must not include sensitive data such as passwords and keys.

57. If a remote syslog server is available (see para 23), the product should be configured to automatically export all its log messages to this syslog server.
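Paras 37, 39, 40, 44, 48 and 57 are stated as requirements rather than commands; the following added example (not part of this CESG document, nor of the Cisco guidance in [b]) shows how an administrator could audit a saved running-config excerpt against those paragraphs. It assumes the Black interface is the one named "outside", that the command keywords follow the ASA 9.1 CLI guides listed under [b], and that the sample configuration is constructed for the example rather than taken from a real device.

```python
"""Audit an ASA 9.1 running-config excerpt against paras 37, 39, 40, 44, 48 and 57.
Added example, not from the CESG document or Cisco's guidance in [b]. Assumed: the
Black interface is named "outside", keywords follow the ASA 9.1 CLI guides in [b],
and SAMPLE_CONFIG is constructed for this example rather than taken from a device."""
import re

MAX_SA_SECONDS = 24 * 60 * 60    # para 39: IKE/IPsec SA lifetime of at most 24 hours
MAX_SESSION_MINUTES = 24 * 60    # para 40: vpn-session-timeout is given in minutes
MGMT_RE = re.compile(r"^(http|ssh|telnet) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")

# Constructed sample: one deliberate violation each of paras 37, 39, 44 and 48.
SAMPLE_CONFIG = """\
crypto ca trustpoint HMG-CA
 revocation-check crl none
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 19
 lifetime seconds 86400
crypto ikev1 policy 20
 encryption aes
 hash sha
 group 5
 lifetime 172800
crypto ipsec security-association lifetime seconds 28800
group-policy REMOTE-WORKERS attributes
 vpn-session-timeout 1440
http server enable
http 10.10.0.0 255.255.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh version 2
telnet 10.10.0.0 255.255.0.0 inside
logging enable
logging host inside 10.10.5.20
"""


def _blocks(config):
    """Yield (top-level command, [its indented sub-commands]) in config order."""
    header, children = None, []
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" "):
            children.append(raw.strip())
        else:
            if header is not None:
                yield header, children
            header, children = raw.strip(), []
    if header is not None:
        yield header, children


def _int_after(children, pattern):
    """Return the integer captured by pattern in the last matching sub-command, or None."""
    value = None
    for child in children:
        m = re.match(pattern, child)
        if m:
            value = int(m.group(1))
    return value


def audit_asa_config(config, black_interface="outside"):
    """Return [(paragraph, finding), ...] in config order; an empty list means compliant."""
    findings = []
    syslog_hosts = 0
    for header, children in _blocks(config):
        if header.startswith(("crypto ikev1 policy", "crypto ikev2 policy")):
            # IKEv1 policies use "lifetime N", IKEv2 policies "lifetime seconds N"
            secs = _int_after(children, r"lifetime(?: seconds)? (\d+)$")
            if secs is None or secs > MAX_SA_SECONDS:
                findings.append(("39", f"{header}: IKE SA lifetime {secs} s is unset or exceeds 24 h"))
        m = re.match(r"crypto ipsec security-association lifetime seconds (\d+)$", header)
        if m and int(m.group(1)) > MAX_SA_SECONDS:
            findings.append(("39", f"IPsec SA lifetime {m.group(1)} s exceeds 24 h"))
        if header.startswith("crypto ca trustpoint"):
            # "revocation-check crl none" accepts a peer whenever the CRL cannot be fetched
            checks = [c.split()[1:] for c in children if c.startswith("revocation-check")]
            if ["crl"] not in checks:
                findings.append(("37", f"{header}: revocation-check must be exactly 'crl'"))
        if header.startswith("group-policy") and header.endswith(" attributes"):
            mins = _int_after(children, r"vpn-session-timeout (\d+)$")
            if mins is None or mins > MAX_SESSION_MINUTES:
                findings.append(("40", f"{header}: vpn-session-timeout {mins} min is unset or exceeds 24 h"))
        m = MGMT_RE.match(header)
        if m:
            if m.group(1) == "telnet":
                findings.append(("44", f"{header}: telnet does not protect the login credentials"))
            elif m.group(4) == black_interface:
                findings.append(("48", f"{header}: management access enabled on the Black interface"))
        if header.startswith("logging host "):
            syslog_hosts += 1
    if syslog_hosts == 0:
        findings.append(("57", "no 'logging host' configured: log messages are not exported to syslog"))
    return findings


if __name__ == "__main__":
    for para, text in audit_asa_config(SAMPLE_CONFIG):
        print(f"para {para}: {text}")
```

The checker covers only the paragraphs named above; the approved IPsec profile parameters in [a, 1.6] still have to be compared by hand against the policy blocks it lists.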


58. Sufficient storage space must be allocated on the product and on the syslog server (if used) to ensure that log messages are not dropped or overwritten before they have been backed up to auxiliary storage, or they have been inspected and removed by an authorised administrator (who has judged that the messages need not be retained).

59. An authorised administrator must regularly monitor the free storage space available for new log messages (on both the product and the syslog server, if used) and take action (as indicated in the previous paragraph) if the free space drops below the value(s) specified in the relevant Syops.

60. An authorised administrator must also regularly inspect the log file(s) for unexpected messages. If any such messages are found then this should be treated as a security incident (see Chapter 4).

61. The inspection of log file(s) is a manually instigated operation, and is normally done on the syslog server (if used), in which case any automated inspection tools available on the syslog server could be used. Log messages held on the product are normally inspected in exceptional circumstances only (unless a syslog server is not being used).

62. Comprehensive instructions covering the above topics are provided in [b]; general guidance on protective monitoring is given in CESG Good Practice Guide No. 13 (GPG 13), Protective Monitoring for HMG ICT Systems (reference [h]); and general guidance on forensic readiness is given in CESG Good Practice Guide No. 18 (GPG 18), Forensic Readiness (reference [i]).


Chapter 4 - Security Incidents

Incident Management

63. In the event of a security incident that does or could result in the compromise of information protected by the product (e.g. evidence of tampering, see para 29, or unexpected log messages, see para 60), the local IT security incident management policy should:

Ensure that the Department Security Officer (DSO) is informed

State whether the product should be immediately withdrawn from service (pending further investigation of the incident)

State whether the product’s certificate should be revoked

State - if the incident indicates that an IPsec VPN client device currently connected to the product has been compromised - whether a product administrator should manually terminate that open connection and revoke the client’s certificate

64. Any security incident should be managed in accordance with the local accredited security incident management procedures and policies.

65. CESG should be contacted if a compromise occurs that is suspected to have resulted from a failure of the product. General guidance on managing security incidents is given in CESG Good Practice Guide No. 24 (GPG 24), Security Incident Management (reference [j]).


Chapter 5 - Disposal and Destruction

Erasure of Key Material

66. Specific procedures for the handling of long-term secrets held in the product (i.e. all private and symmetric cryptographic keys held in its persistent storage) should be specified, and should be in accordance with the highest protective marking of data to be handled by the product.

67. These procedures should cover the erasure of long-term secrets, which can be achieved by using the command “crypto key zeroize”.

68. Any certificate related to an erased key must be revoked within the relevant PKI to ensure that other cryptographic devices are prevented from communicating with the product.

Routine Disposal of Equipment

69. Prior to routine disposal of the product, all private and symmetric cryptographic keys held in its persistent storage must be erased, and certificates stored in the product must be revoked, as described above.

70. Once that has been done, the product can be reset to factory defaults, and the running configuration flushed.

71. Final disposal and possible destruction of the product must be done in accordance with the relevant Syops.

72. Comprehensive instructions covering the above topics are provided in [c], and general guidance on the disposal and destruction of IT equipment (including erasure of data) is given in HMG IA Standard No. 5 (IS5), Secure Sanitisation (reference [k]).

Emergency Destruction of Equipment

73. The product is not expected to be deployed in locations that warrant emergency destruction procedures; however, if it is so deployed, then such procedures should be specified.


References

Unless stated otherwise, these documents are available from the CESG website. Users who do not have access should contact CESG Enquiries to enquire about obtaining documents.

[a] CPA Security Characteristic, IPsec Security Gateway, CESG, 27467650, Version 2.3, April 2013 (available from www.cesg.gov.uk/servicecatalogue/CPA).

[b] Cisco ASA documentation (available from www.cisco.com), including: Cisco ASA 9.1(2) Preparative Procedures & Operational User Guide for the Common Criteria Certified Configuration, Cisco, Version 1.0, July 2013; Cisco ASA Series General Operations CLI Configuration Guide, Software Version 9.1, Cisco, 18 September 2013; Cisco ASA Series VPN CLI Configuration Guide, Software Version 9.1, Cisco, 18 September 2013.

[c] Security Procedures for Cisco AnyConnect Secure Mobility Client v3.0 and v3.1 – latest issue available from the CESG website.

[d] CPA Security Characteristic, IPsec VPN for Remote Working – Software Client, CESG, 27479741, Version 2.3, April 2013 (available from www.cesg.gov.uk/servicecatalogue/CPA).

[e] HMG IA Standard Nos. 1 & 2, Information Risk Management – latest issue available from the CESG website.

[f] HMG Security Policy Framework (available from http://www.cabinetoffice.gov.uk/spf.aspx).

[g] CESG IA Implementation Guide No. 3, User Authentication Systems – latest issue available from the CESG website.

[h] CESG Good Practice Guide No. 13, Protective Monitoring for HMG ICT Systems – latest issue available from the CESG website.

[i] CESG Good Practice Guide No. 18, Forensic Readiness – latest issue available from the CESG website.

[j] CESG Good Practice Guide No. 24, Security Incident Management – latest issue available from the CESG website.

[k] HMG IA Standard No. 5, Secure Sanitisation – latest issue available from the CESG website.


Glossary

AnyCSMC AnyConnect Secure Mobility Client (Cisco)

ASA Adaptive Security Appliances (Cisco)

ASDM Adaptive Security Device Manager (Cisco)

CLI Command Line Interface

CPA Commercial Product Assurance

CRL Certificate Revocation List

DSO Department Security Officer

GPG Good Practice Guide (CESG)

HMG Her Majesty’s Government

IA Information Assurance

IKE Internet Key Exchange

IPsec Internet Protocol Security

IT Information Technology

PKI Public Key Infrastructure

PRIME PSN end-state IPsec profile

PSN Public Services Network (UK)

RADIUS Remote Authentication Dial In User Service

SA Security Association (IPsec)

SNMP Simple Network Management Protocol

SSH Secure Shell

TACACS+ Terminal Access Controller Access Control System (enhanced)

TLS Transport Layer Security

UK United Kingdom

VPN Virtual Private Network

X.509 A standard that covers the components of a PKI. An X.509 certificate is a digital item of data that binds (the value of) a public key to (the name of) an entity such as an individual person or an organisation.


CESG Provides advice and assistance on information security in support of UK Government. Unless otherwise stated, all material published on this website has been produced by CESG and is considered general guidance only. It is not intended to cover all scenarios or to be tailored to particular organisations or individuals. It is not a substitute for seeking appropriate tailored advice.


CESG Enquiries Hubble Road Cheltenham Gloucestershire GL51 0EX Tel: +44 (0)1242 709141 Email: [email protected] © Crown Copyright 2015.