5 Recommendations for Increasing Network Firewall Security in Response to April 2021 Cisco Security Advisory Notifications
On April 28th, Cisco released five high severity security advisories affecting its Cisco Adaptive Security Appliance (ASA), Firepower Management Center (FMC) and Firepower Threat Defense (FTD) products. Three of these vulnerabilities are particularly severe due to their relationship with default configuration on the products: SIP inspection, which is enabled by default on Cisco ASA and FTD appliances, and the commonly deployed Cisco AnyConnect VPN functionality. While AnyConnect technically isn’t enabled by default, it is frequently deployed, and once configured you are affected if running a vulnerable version of software.
Potential Adverse Impacts
The most common impact that could be experienced by customers running vulnerable firewalls because of these advisories is that a remote unauthenticated attacker could cause a denial of service (DoS) condition by triggering a firewall to reload. The impact is still critical even in instances where firewalls are deployed redundantly, either as an active/passive or active/active firewall cluster. Should an affected firewall reload, the redundant firewall could have the same condition triggered while the other firewall is still reloading. As firewalls are frequently placed at the perimeter of a network, where they are either exposed to the Internet or to an untrusted zone, network administrators should consider reviewing their firewalls for impact based on the steps that are outlined in each security advisory.
Specific Recommendations for Addressing Cisco Security Advisory
Optanix recommends mitigating the exposure of these vulnerabilities on affected devices as quickly as possible. In the instance of the SIP Denial of Service Vulnerability, there is the possibility of disabling SIP inspection. Additionally, for the Web Services Buffer Overflow and VPN DoS security advisories, if AnyConnect is no longer in use on your firewall, the service can be disabled. Because most of these security advisories do not have any reasonable workarounds, a software upgrade is the only available method of reducing exposure.
5 Universal Recommendations for Increasing Network Firewall Security
Optanix has several recommendations that can help mitigate some level of exposure on network devices. Keep in mind that a device is never 100% safe from a security breach, but these recommendations are some steps you can take to reduce your exposure and increase security for your network firewalls. Below we describe five recommendations that relate to the features found to be vulnerable in the latest firewall security advisories from Cisco.
Recommendation #1: Audit Your Firewall Security Policy on a Scheduled Basis
Auditing your firewall security policy on a scheduled basis (e.g., quarterly or semiannually) enables you to identify remove objects, object-groups and access control list (ACL) statements that are no longer in use. This may require stakeholders to be assigned to each object or entry in the ACL who can provide business justification for each entry, and who are responsible for identifying specifically what access their systems require. Explicit and specific firewall rules are more secure than using implicit entries (interface security levels or broad ACL entries).
Recommendation #2: Maintain a Regular and Frequent OS Patching Policy
Maintaining a regular and frequent OS patching policy is an effective proactive measure that you can take to secure your network devices. Once a security advisory is released to the public, hackers will quickly latch on to newly identified vulnerabilities and begin scanning for equipment that is affected. By having a well-defined patching policy and change management procedure in place, you can narrow the time between when the advisory announcement is made and when your devices are no longer affected. In the case of Cisco firewalls running AnyConnect, this also includes updating the minimum AnyConnect client version and packages associated with the web VPN feature.
Recommendation #3: Implement Remote Authentication and Authorization for Firewall Administration
Actions performed on a firewall, or any other network device, should be attributed to a specific user or system. By using TACACS+, RADIUS or LDAP, you can implement granular control over what tasks an ID can perform on your network device, as well as logging capabilities that enable you to audit those tasks. Although local administrator credentials are still required in situations where a network device can’t reach an AAA server, the network device should always enforce the use of an AAA ID for an administrator when the AAA server is available. Additionally, by configuring the use of multi-factor authentication (MFA) for administrative access to IT infrastructure, the risk of a compromised login credential is greatly reduced.
Recommendation #4: Audit Firewall Administrator Access and Access Levels on a Regular Basis
It is important to regularly audit which administrators have access to your firewall and what level of access they have. When IT staff move to new roles in the organization, their access should immediately be removed if it is no longer required. Additionally, the level of access they have should be controlled. The Command Injection Vulnerability involves an authenticated attacker elevating their access and executing commands with root privileges. By auditing which administrators have access to your firewalls, you reduce the attack vector to a select few IDs.
Recommendation #5: Review Default Services for Current Version of Software on Network Devices
Finally, any function/protocol that a network device is running is an attack vector for a hacker. Many devices have default functions that are enabled out of the box but which may not be necessary for you to run. If you do not send SIP traffic through a particular firewall, the default SIP inspection can be disabled, thus reducing your exposure to the SIP DoS vulnerability. It is important to note that each software version for your network device may have different default services enabled, so it is important to review those services when identifying which software version to run. Identifying which are necessary and which should be disabled will help secure your network device.
Optanix maintains a security-first culture which we extend to all of our customer engagements. If you would like assistance with reviewing security advisories or implementing best practices, our team of enterprise networking professionals can help you. Optanix customers can get in touch by contacting your customer success manager (CSM) or by opening a service request (ESR) in the Optanix Platform. For prospective clients, please click here to engage with Optanix.
This blog post was authored by Brian Yaklin, a senior member of Optanix’s route/switch engineering team. It is part of an ongoing series of posts by Optanix engineers focusing on the importance of security in the IT management space.