Home | Skip to Content | Skip to Search | Skip to Navigation | Skip to Footer |
Worldwide [change] |Register |About Cisco
Guest

Hierarchical Navigation

Cisco ASA 5500 Series Adaptive Security Appliances

Installation and Configuration for Common Criteria EAL4+ Evaluated Cisco Adaptive Security Appliance, Version 7.0(6)

Downloads

Table Of Contents

Installation and Configuration for Common Criteria EAL4 Evaluated Cisco Adaptive Security Appliance, Version 7.0(6)

Contents

Introduction

Audience

Supported Hardware and Software Versions

Security Information

Organizational Security Policy

Security Implementation Considerations

Certified Configuration

Windows 2000 Documentation

Windows XP Documentation

Physical Security

Modes of Operation

Firewall

Routed Mode

Transparent Mode

Audit Trail Full Mode

Audit Server

PFSS Active Mode

Log Searching Mode

Potential Insecure Configurations (Misuse)

Uncommitted Changes

Default Flow Policy

Audit Configuration

Administration Access

Servers and Proxies

Logging and Messages

Access Lists

Trusted and Untrusted Networks

Public Access Servers

Using FTP

Monitoring and Maintenance

Administrative Roles

Auditing Component Requirements

Password Complexity

AAA Server and Authentication Policy per the IT Environment

Determining the Software Version

Installation Notes

Verification of Hardware and Software Image

Configuration Notes

Saving Your Configuration

Using the Established Command

Enabling Timestamps

Enabling Reliable Logging

Systems Logs

Server Settings

Configure Authentication on the Security Appliance

Configure Console Access on Firewall to use AAA (Optional)

Usernames on the Security Appliance

Configure AAA for Telnet and FTP

Configuring Failover

Inspect ICMP

Inspect ARP

Unicast RPF

STP and Transparent Mode

Same Security Traffic

Using the Security Appliance Syslog Server

Configuring Security Appliance Syslog Server

Changing the Syslog Server Parameters at the Windows System

Recovering from the Security Appliance Syslog Server Disk-Full

Configuring System Log Message Search Functions Using the Security Appliance System Log Message Search

Setting Up the Security Appliance System Log Message Search Display

Searching System Log Messages Based on Date and Time

Searching System Log Messages Based on System Log Message ID

Searching System Log Messages Based on IP Address

Searching Windows Audit Events

Searching System Log Messages with Advanced Option Feature

PIX Firewall Syslog Server (PFSS) Guidance

Installation Instructions

Usage Instructions

Buttons in Tool Bar

Fields in the Search Pane

Search Results

Search/Sort Menu

MD5 Hash Value for the Security Appliance

Obtaining Documentation, Obtaining Support, and Security Guidelines


Installation and Configuration for Common Criteria EAL4 Evaluated Cisco Adaptive Security Appliance, Version 7.0(6)

March 2007

Contents

This document describes how to install and configure the Cisco PIX Security Appliance Version 7.0(6) and the Cisco ASA 5500 Series Security Appliance 7.0(6) as certified by Common Criteria Evaluation Assurance Level 4 (EAL4).

In this guide, "security appliance" and "adaptive security appliance" apply to all models of the Cisco PIX Security Appliance Version 7.0(6) and the Cisco ASA 5500 Series Security Appliance 7.0(6), unless specifically noted otherwise.

Note Failure to follow the information provided in this document will result in the adaptive security appliance not being compliant with the evaluation and may make it insecure.

This document includes the following sections:

Introduction

Audience

Supported Hardware and Software Versions

Security Information

Installation Notes

Configuration Notes

Using the Security Appliance Syslog Server

Configuring System Log Message Search Functions Using the Security Appliance System Log Message Search

PIX Firewall Syslog Server (PFSS) Guidance

MD5 Hash Value for the Security Appliance

Obtaining Documentation, Obtaining Support, and Security Guidelines

Introduction

This document is an addendum to the Cisco PIX Security Appliance Version 7.0(6) and the Cisco ASA 5500 Series Security Appliance 7.0(6) documentation set, which should be read before configuring the security appliance.

Cisco product documentation includes:

Release Notes

Cisco PIX Security Appliance Release Notes

Cisco ASA 5500 Series Release Notes

Quick Start Guides

Cisco PIX 515E Security Appliance Quick Start Guide

Cisco ASA 5500 Quick Start Guide

Hardware Installation Guides

Cisco PIX Security Appliance Hardware Installation Guide

Cisco ASA 5500 Hardware Installation Guide

Regulatory Compliance and Safety Information Guides

Cisco PIX Security Appliance Regulatory Compliance and Safety Information

Regulatory Compliance and Safety Information for the Cisco ASA 5500 Series

Command Line Configuration Guide

Cisco Security Appliance Command Line Configuration Guide

Command Reference Guides

Cisco Security Appliance Command Reference

System Log Messages Guide

Cisco Security Appliance System Log Messages

The security appliance documentation is available on CD-ROM, in printed-paper form, and online (in both HTML and PDF formats). This document should be used in conjunction with the August 2005 edition of the CD-ROM based documentation.

Audience

This document is written for administrators configuring the Cisco PIX Security Appliance Version 7.0(6) and the Cisco ASA 5500 Series Security Appliance 7.0(6) software. This document assumes you are familiar with networks and network terminology, that you are a trusted individual, and that you are trained to use the Internet and its associated terms and applications.

Supported Hardware and Software Versions

Only the following combinations of hardware listed in Table 1 are compliant with the security appliance 7.0(6) EAL4 evaluation. Using hardware not specified invalidates the secure configuration. Likewise, using any software version other than the Cisco PIX Security Appliance Version 7.0(6) and the Cisco ASA 5500 Series Security Appliance 7.0(6) will invalidate the secure configuration.

Table 1 Supported Hardware for the Certified PIX Firewall 

Models
Optional Hardware Modules
Maximum Number of Interfaces

PIX 5151 /515E1

PIX-1FE

PIX-4FE

6

PIX 5251

PIX-1FE

PIX-4FE

PIX-1GE-66

8

PIX 5351

PIX-1FE

PIX-4FE

PIX-1GE-66

10

1 These models may have AC or DC power supplies.


Table 2 Supported Hardware for the Certified Cisco ASA 5500 Series Security Appliance

Models
Optional Hardware Modules
Maximum Number of Interfaces

ASA 5510

4GE SSM

9

ASA 5520

4GE SSM

9

ASA 5540

4GE SSM

9


The PIX Firewall Syslog Service (PFSS) version that is included in this evaluation is 5.1(3).

Security Information

In addition to the Regulatory Compliance and Safety Information documentation, the sections that follow provide additional security information for use with a Common Criteria Certified adaptive security appliance.

Organizational Security Policy

Security Implementation Considerations

Certified Configuration

Physical Security

Administration Access

Using SSH access

Servers and Proxies

Logging and Messages

Access Lists

Trusted and Untrusted Networks

Public Access Servers

Using FTP

Monitoring and Maintenance

Administrative Roles

Password Complexity

Organizational Security Policy

Ensure that your security appliance is delivered, installed, managed, and operated in a manner that maintains an organizational security policy. The Cisco Security Appliance Command Line Configuration Guide provides guidance on how to define a security policy.

Security Implementation Considerations

The sections that follow provide implementation considerations that need to be addressed to administer the security appliance in a secure manner.

Certified Configuration

Use only the security appliance software Version 7.0(6). Only the hardware version combinations listed in Table 1 and Table 2 can be used to implement an evaluated configuration. Changing the software to a different version invalidates the evaluated status of a particular hardware platform.

The Certified Common Criteria adaptive security appliance 7.0(6) does not support the following features:

Cut-through proxies

Routing Information Protocol (RIP)

Simple Network Management Protocol (SNMP)

Dynamic Host Configuration Protocol (DHCP) Server

Virtual Private Networks (VPNs)

All other hardware and software features and functions of the security appliance are included in the evaluated product configuration as long as they are configured, operated, and managed in accordance with this document.

The Cisco PIX Security Appliance Version 7.0(6) and the Cisco ASA 5500 Series Security Appliance 7.0(6) Target of Evaluation relies on a Windows 2000 or Windows XP computer to act as an audit server. Windows 2000 or Windows XP is configured in the EAL 4 evaluated configuration to support this evaluation. Microsoft Windows 2000 or Windows XP evaluated configuration documentation can be found at the following links:

Windows 2000 Documentation

Windows 2000 Common Criteria Evaluated Configuration User's Guide: http://www.microsoft.com/technet/security/prodtech/Windows2000/w2kccug/default.mspx

Windows 2000 Common Criteria Evaluated Configuration Administrator's Guide: http://www.microsoft.com/technet/security/prodtech/windows2000/w2kccadm/default.mspx

Windows 2000 Common Criteria Security Configuration Guide: http://www.microsoft.com/technet/security/prodtech/windows2000/w2kccscg/default.mspx

Windows XP Documentation

Windows XP Common Criteria Evaluated Configuration User's Guide: http://download.microsoft.com/download/d/3/0/d304ab38-567c-4fad-a368-a3661ca1a16d/wxp_common_criteria_user_guide.zip

Windows XP Common Criteria Evaluated Configuration Administrator's Guide: http://download.microsoft.com/download/e/8/9/e897a1ee-0273-4694-b155-ad02f7b2b4d5/wxp_common_criteria_admin_guide.zip

Windows XP Common Criteria Security Configuration Guide: http://download.microsoft.com/download/5/3/b/53b53a3e-39d5-4d30-86f2-146aa2c7be45/wxp_common_criteria_configuration_guide.zip

The configuration of the security appliance should be reviewed on a regular basis to ensure that the configuration continues to meet the organizational security policy in the face of the following:

Changes in the security appliance configuration

Changes in the organizational security policy

Changes in the threats presented from the untrusted network(s)

Changes in the administration and operation staff or the physical environment of the security appliance

Physical Security

The security appliance must be located in a physically secure environment to which only a trusted administrator has access. The secure configuration of the security appliance can be compromised if an intruder gains physical access to the security appliance. Similarly, the audit server used to store and manage the security appliance system log messages must be protected physically and with suitable identification/authentication mechanisms to ensure that only trusted administrators have access.

Modes of Operation

Firewall

The firewall component of the product has three modes of operation: audit trail full, routed and transparent modes. The authorized administrator can configure the security appliance to run in routed or transparent mode. In either of these modes the security appliance can be configured to run as a single context or as multiple contexts. If multiple context is chosen, all the contexts have to run as either routed or transparent, a mixture of both is not allowed. For more information, see the "Security Context Overview" section in the Cisco Security Appliance Command Line Configuration Guide, Version 7.0.

Routed Mode

This is the default mode set on the security appliance. The IP address of the security appliance can be seen on the outside network. The product allows for Network Address Translation to be configured in this mode.

Transparent Mode

In transparent mode the IP address of the security appliance is not visible to the outside network. Traffic being sent has to be addressed to its end destination. Network Address Translation cannot be configured in this mode. When modes are changed the security appliance clears the previously configured mode as some commands are not usable in both modes. In either routed or transparent mode access lists have to be configured to allow traffic to flow.

Audit Trail Full Mode

As a default, when the Audit Server becomes full or unavailable, any traffic arriving at a network interface will not be allowed to pass through the security appliance. Should the authorized administrator discover that traffic is passed through the appliance when the Audit Server is full or unavailable the `logging no permit-hostdown' command must be used to reactivate Audit Trail Full Mode, otherwise auditable events may occur without being recorded in the audit trail.

Audit Server

The Audit Server has two modes of operation, PFSS Active and Log Searching. These two modes are separate from one another and can run concurrently or only one can be active at a time.

PFSS Active Mode

This mode is the PIX Firewall Syslog Server application running on the Audit Server and waiting for audit event details to be transferred from the firewall component. The application listens for TCP connections from the firewall component and records any transferred audit event details in files held by the Audit Server operating system. If the application is not running no audit event details are recorded and auditable events may occur without being noticed (see the Audit Trail Full Mode, above).

Log Searching Mode

This mode is the Search/Sort application running on the Audit Server and being used by an authorized administrator to view audit event details. The application is a standard executable that can be started and stopped by a user with the correct privileges, specifically an authorized Audit Server Administrator. If the application has not been started or has been stopped it cannot be used to view audit event details. The files held by the Audit Server operating system that contain the audit event details cannot be modified by the Search/Sort application.

Potential Insecure Configurations (Misuse)

Uncommitted Changes

The security appliance loads the saved startup configuration and automatically copies this configuration into the running configuration. As a user configures the running configuration to his specific needs he either saves the running configuration or saves the updated configuration to the startup configuration. The running configuration is held in volatile memory so if the security appliance is reloaded due to either operational reasons or operational error and any changes have not been saved these changes will be lost.

Default Flow Policy

When installed the security appliance, by default, is configured with a default DHCP address pool. The outbound interface disallows all external to internal data flows. The administrator needs to be aware of this, and ensure that the correct policy for the organization is installed and committed before users are permitted to use the security appliance. Access Lists are required to be set up to enable traffic to flow through the security appliance. Specific permit or deny rules are required to be applied to a protocol, a source and destination IP address or Network and optionally, the source and destination ports.

Audit Configuration

In order that Time-Stamping is enabled the following command must be entered by the firewall administrator: `logging timestamp'. Once this command is committed by the use of the command `write memory' this will remain the default.

By default, auditing events are transported to remote syslog servers over UDP. To ensure that audit events are reliably delivered to the remote syslog server the TCP option should be employed. The command `logging host <ip-address> tcp/<port-number>' is used to achieve this.

Administration Access

There are only two methods by which the administrator can manage the security appliance:

Using the serial interface directly connected to the security appliance

Using SSH access

Servers and Proxies

To ensure complete security when the security appliance is shipped, inbound access to all proxies and servers is initially disabled. After the installation, you must explicitly permit each service and enable the services necessary for your security policy. Use the show logging command or the Security Appliance Syslog Server to view log file messages. Refer to the Cisco Security Appliance Command Line Configuration Guide for information on how to configure the security appliance. Certification requires a completely controlled environment in which specified services are allowed and all others denied.

Logging and Messages

Monitoring activity in the log files is an important aspect of your network security and should be conducted regularly. Monitoring the log files lets you take appropriate and timely action when you detect security breaches or events that are likely to lead to a security breach in the future. Use the show logging command or the Security Appliance Syslog Server to view log files messages. Refer to the Cisco Security Appliance System Log Messages for information on sending messages, and archiving.

Access Lists

The access-list command operates on a first-match basis. Therefore, the last rule added to the access list is the last rule checked. Administrators must take note of this when entering the initial rules during the configuration, as it may impact the remainder of the rule parsing.

Trusted and Untrusted Networks

The security appliance can be used to isolate your network from the Internet or from another network. A trusted network is usually your internal network and an untrusted network may be the Internet or any other network. Therefore, the security appliance must be configured so that it acts as the only network connection between your internal network and any external networks. The security appliance will deny any information flows for which no rule is defined. Your security implementation is based on the control of traffic from one network to the other, and should support your security policy.

PFSS is the Windows Syslog service that provides the system audit store for the firewall. The PFSS shall be configured to communicate with the firewall dependent on the mode the firewall is operating in.

If the firewall is operating in single context mode, the PFSS server is required to have its own defined interface for communication. The `logging host' command in this instance is configured to log messages over Syslog TCP to the audit server on the interface.

Figure 1 Single Context

If the firewall is operating in multiple context mode each context shall be defined to communicate with the audit server and configuration settings to protect the audit server from receiving any other traffic other then that which is specifically allowed per policy.

When the firewall runs in transparent mode, the outgoing interface of a packet is determined by performing a MAC address lookup instead of a route lookup. Route statements can still be configured, but they only apply to security appliance-originated traffic. For example, if your syslog server is located on a remote network, you must use a static route so the security appliance can reach that subnet.

Figure 2 Multiple Context

Note To ensure proper protection of the audit server the PFSS server must be placed on a trusted network and must have access-control lists applied on the firewall to only allow TCP syslog data to the PFSS.

In this example, the PFSS server is configured with IP address 1.2.3.4 and the firewall is sending system logs from 3.4.5.6. If multiple contexts are being used, additional lines will need to be added to the access-list. 

hostname(config)# access-list INSIDE extended permit tcp host 3.4.5.6 

host 1.2.3.4 eq 1470

hostname(config)# access-group INSIDE in interface inside

Note Separate physical switches must be used between each network attached to the firewall to ensure that the firewall will not be bypassed by any Layer 2 attacks against directly connected switches.

Table 3 In Default Configuration, Traffic Types Observe The Default Policy For Inside To Outside Traffic 

Traffic Type
Single Routed Mode
Multiple Routed Mode
Single Transparent Mode
Multiple Transparent Mode

Spoofed Traffic

No (RPF enabled)

No (RPF enabled)

No (arp inspection enabled)

No (arp inspection enabled)

Ethernet

Yes

Yes

Yes

Yes

ARP

No(Router hop)

No(Router hop)

Yes

Yes

CTIQBE

Yes

Yes

Yes

Yes

DNS

Yes

Yes

Yes

Yes

Echo

Yes

Yes

Yes

Yes

Finger

Yes

Yes

Yes

Yes

H.323

Yes

Yes

Yes

Yes

IP

Yes

Yes

Yes

Yes

ICMP

Yes

Yes

Yes

Yes

TCP

Yes

Yes

Yes

Yes

UDP

Yes

Yes

Yes

Yes

FTP

Yes

Yes

Yes

Yes

GTP

Yes

Yes

Yes

Yes

HTTP

Yes

Yes

Yes

Yes

ILS

Yes

Yes

Yes

Yes

MGCP

Yes

Yes

Yes

Yes

POP3

Yes

Yes

Yes

Yes

RSH

Yes

Yes

Yes

Yes

RTSP

Yes

Yes

Yes

Yes

Skinny

Yes

Yes

Yes

Yes

SIP

Yes

Yes

Yes

Yes

ESMTP

Yes

Yes

Yes

Yes

SunRPC

Yes

Yes

Yes

Yes

Telnet

Yes

Yes

Yes

Yes

TFTP

Yes

Yes

Yes

Yes

XDMCP

Yes

Yes

Yes

Yes

traceroute

Yes

Yes

Yes

Yes

STP

No

No

Yes

Yes

All other Traffic

Yes

Yes

Yes

Yes


.

Table 4 In The Default Configuration, Traffic Types Observe The Default Policy For Outside To Inside Traffic 

Traffic Type
Single Routed Mode
Multiple Routed Mode
Single Transparent Mode
Multiple Transparent Mode

Spoofed Traffic

No (RPF enabled)

No (RPF enabled)

No (arp inspection enabled)

No (arp inspection enabled)

Ethernet

No

No

Yes

Yes

ARP

No (Router hop)

No (Router hop)

No

No

CTIQBE

No

No

No

No

DNS

No

No

No

No

Echo

No

No

No

No

Finger

No

No

No

No

H.323

No

No

No

No

IP

No

No

No

No

ICMP

No

No

No

No

TCP

No

No

No

No

UDP

No

No

No

No

FTP

No

No

No

No

GTP

No

No

No

No

HTTP

No

No

No

No

ILS

No

No

No

No

MGCP

No

No

No

No

POP3

No

No

No

No

RSH

No

No

No

No

RTSP

No

No

No

No

Skinny

No

No

No

No

SIP

No

No

No

No

ESMTP

No

No

No

No

SunRPC

No

No

No

No

Telnet

No

No

No

No

TFTP

No

No

No

No

XDMCP

No

No

No

No

traceroute

No

No

No

No

STP

No

No

Yes (can be denied by acl)

Yes (can be denied by acl)

All other Traffic

No

No

No

No


Public Access Servers

If you are planning to host public access servers, you must decide where they will be located in relation to the security appliance. Placing servers on the network outside the security appliance leaves them open to attack. Placing servers on the internal network means you must open up your security appliance to allow access.

Using FTP

File Transfer Protocol (FTP) is used to retrieve or deposit files on a remote system. Telnet is used to access a remote server using a console like connection over the network. The Common Criteria Security Target requires that Telnet and FTP traffic through the security appliance must be authenticated before traffic is allowed to pass through. For more information on how to properly configure the security appliance to authenticate Telnet and FTP see the, "Configuring Authentication for Network Access" section in the Cisco Security Appliance Command Line Configuration Guide.

Monitoring and Maintenance

The security appliance software provides several ways to monitor the security appliance, from logs to messages.

Ensure you know how you will monitor the security appliance, both for performance and for possible security issues.

Plan your backups. If there should be a hardware or software problem, you may need to restore the security appliance configuration.

The configuration of the security appliance should be reviewed on a regular basis to ensure that the configuration meets the security objectives of the organization in the face of the following:

Changes in the security appliance configuration

Changes in the security objectives

Changes in the threats presented by the external network

Administrative Roles

The certified configuration contains two administrative roles for use in the evaluated configuration:

Table 5 Administrative Roles in Evaluated Configuration

Role Name
Description

Authorized Firewall Administrator

Any administrator with knowledge of the `enable' password on the firewall. Privileged access is defined by any privilege level entering an enable password after their individual login.

Authorized Audit Administrator

The role assigned to a user that logs in and reviews the information recorded by the PFSS application.


Auditing Component Requirements

The security appliance interacts with the Windows server for the purpose of storing the audit data. The server should be running Windows 2000 with Service Pack 4 or Windows XP with Service Pack 2. The auditing machine will provide suitable audit records to the administrator, protect the stored audit records from unauthorized deletion, and will detect modifications to the audit records. It is the responsibility of the administrator to regularly review the audit records provided by the security appliance, and to take any relevant action as necessary to ensure the security of the adaptive security appliance. The location of the auditing machine and records should only be accessible to the administrator.

Password Complexity

Passwords have to be a minimum of 8 characters in length and a maximum of 16 characters in length. The minimum password lengths must be enforced by the administrator. The following is a list of characters that are allow to be used in the password:

26 Upper case letters (A - Z)

26 Lower case letter (a - z)

10 Numbers (0 - 9)

!"#$%&'()*+,-./:;<@[\`{|=>?]^_}~

This is a total of 94 characters that may be used to construct a password. The use of the space character is prohibited.

The password guidance included in this section applies to creation and management of user passwords. Users must ensure that when creating or changing a password, the following requirements are met:

1. Passwords must:

be a minimum of 8 characters and a maximum of 16 characters

include mixed-case alphabetic characters

include at least 1 numeric character

2. Passwords must not include:

birthdays

names (parents, family, spouse, pets, favorite sports player)

sports teams

towns, cities or countries

AAA Server and Authentication Policy per the IT Environment

The AAA server specified for this certified configuration is included within the environment. The administrator must ensure that during installation the AAA server is capable of the following:

Maintaining attributes for each user (identity, association of human user to with the administrator account, and password).

Firewall administrators shall authenticate using a Single-use authentication mechanism before being allowed to access the firewall remotely.

Human users shall authenticate using a Single-use authentication mechanism when using FTP or Telnet that passes through the firewall.

Reusable passwords are allowed for authorized administrators to access the firewall or router console directly using the local console.

Reusable passwords may be used for the console connection and "enable" on the security appliance.

The IT environment section from the Security Target requires the administrator to follow guidance concerning what authentication types are required for each request to administer the certified configuration.

Determining the Software Version

Use the show version command to verify the software version of your security appliance unit.

Installation Notes

Read the Cisco ASA 5500 Hardware Installation Guide before installing the security appliance.

Verification of Hardware and Software Image

Complete these steps to verify that the security appliance software and hardware was not tampered with during delivery:

Step 1 Before unpacking the security appliance, inspect the physical packaging the equipment was delivered in. Verify that the external cardboard packing is printed with the Cisco Systems logo and motifs. If it is not, contact the supplier of the equipment (Cisco Systems or an authorized Cisco distributor/partner).

Step 2 Verify that the packaging has not obviously been opened and resealed by examining the tape that seals the package. If the package appears to have been resealed, contact the supplier of the equipment (Cisco Systems or an authorized Cisco distributor/partner).

Step 3 Verify that the box has a white tamper-resistant, tamper-evident Cisco Systems barcoded label applied to the external cardboard box. If it does not, contact the supplier of the equipment (Cisco Systems or an authorized Cisco distributor/partner). This label will include the Cisco product number, serial number, and other information regarding the contents of the box.

Step 4 Note the serial number of the security appliance on the shipping documentation. The serial number displayed on the white label affixed to the outer box will be that of the security appliance. Verify the serial number on the shipping documentation matches the serial number on the separately mailed invoice for the equipment. If it does not, contact the supplier of the equipment (Cisco Systems or an authorized Cisco distributor/partner).

Step 5 Verify that the box was indeed shipped from the expected supplier of the equipment (Cisco Systems or an authorized Cisco distributor/partner). This can be done by verifying with the supplier that they shipped the box with the courier company that delivered the box and that the consignment note number for the shipment matches that used on the delivery. Also verify that the serial numbers of the items shipped match the serial numbers of the items delivered. This verification should be performed by some mechanism that was not involved in the actual equipment delivery, for example, phone/FAX or other online tracking service.

Step 6 Once the security appliance is unpacked, inspect the unit. Verify that the serial number displayed on the unit itself matches the serial number on the shipping documentation and the invoice. If it does not, contact the supplier of the equipment (Cisco Systems or an authorized Cisco distributor/partner).

Step 7 There are three alternatives for obtaining a Common Criteria evaluated software image:

Download a Common Criteria evaluated software image file from Cisco.com onto a trusted computer system. To access this site, you must be a registered user and you must be logged in. Software images are available from Cisco.com at the following URL: http://www.cisco.com/kobayashi/sw-center/

The security appliance ships with a CD containing all current software images. The Common Criteria evaluated software image Version 7.0(6) is available on this CD.

Customers can order a CD with all of the current software images from Cisco.com. There is a charge for this option.

Step 8 Download the 706-k8.bin or pix 706.bin file.

Step 9 Once the file is downloaded, verify that it was not tampered with by using an MD5 utility to compute an MD5 hash for the downloaded file and compare this with the MD5 hash for the image from this document. If the MD5 hashes do not match, contact Cisco TAC. MD5 for both files is 27164a0652cc4fe86fe35370f98fe733.

Step 10 To copy the image that was downloaded from the web to flash, enter the following commands:

a. copy tftp:/1.2.3.4/asa706-k8.bin disk0:

b. boot system disk0:/cdisk.bin

c. write memory

d. reload

Step 11 Start your security appliance as described in the "Getting Started" chapter in the Cisco Security Appliance Command Line Configuration Guide. Confirm that your security appliance loads the image correctly and completes internal self-checks. At the prompt, enter the show version command as follows. Verify that the version is 7.0(6). If the security appliance image fails to load, or if the security appliance version is not 7.0(6), contact Cisco TAC.

The following is a sample output from the "show version" command output, showing the security appliance version: 

hostname# show version

Cisco ASA Software Version 7.0(6) 

PIX (7.0.1.0) #28: Mon XXX 23 15:37:25 EDT 2005

ASA up 21 mins 44 secs

Hardware: ASA5530-K8, 2048 MB RAM, CPU Pentium 4 Celeron 2500 MHz

Internal ATA Compact Flash, 489MB

Slot 1: ATA Compact Flash, 244MB

BIOS Flash M50FW016 @ 0xffe00000, 2048KB

Encryption hardware device: Cisco ASA-55x0 on-board accelerator (revision 0x0)

Boot microcode: CNlite-MC-Boot-Cisco-1.2

SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03

IPSec microcode: CNlite-MC-IPSECm-MAIN-2.01

0: Ext: GigabitEthernet0/0: media index 0: irq 9

1: Ext: GigabitEthernet0/1: media index 1: irq 9

2: Ext: GigabitEthernet0/2: media index 2: irq 9

3: Ext: GigabitEthernet0/3: media index 3: irq 9

4: Ext: Management0/0: media index 0: irq 11

5: Int: No HWIDB: media index 4: irq 11

6: Int: Control0/0: media index 1: irq 5 

License Features for this Platform:

Maximum Physical Interfaces: Unlimited 

Maximum VLANs: 50 

Inside Hosts: Unlimited 

Failover: Enabled 

VPN-DES: Enabled 

VPN-3DES-AES: Enabled 

Cut-through Proxy: Enabled 

Guards: Enabled 

URL-filtering: Enabled 

Security Contexts: 20 

GTP/GPRS: Disabled 

VPN Peers: 5000 

Serial Number: P3000000002

Running Activation Key: 0x881ed361 0x447555a8 0xac73bc44 0xb3f0f888 0x8e26f18b

Configuration register is 0x11

Configuration last modified by enable_15 at 15:55:27.399 UTC Mon XXX 23 2005

Configuration Notes

This section contains the following topics:

Saving Your Configuration

Using the Established Command

Enabling Timestamps

Enabling Reliable Logging

Systems Logs

Saving Your Configuration

The write memory command should be used frequently when making changes to the configuration of the security appliance. If the security appliance reboots and resumes operation when uncommitted changes were made, these changes will be lost and the security appliance will revert to the last configuration saved.

Using the Established Command

Administrators are advised not to use the established command on the certified security appliance. Incorrect use of this command may give outside users greater access to inside systems than is intended, and for this reason its use is not recommended. For more details go to the following website:

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_security_advisory09186a0080094293.shtml

Enabling Timestamps

By default, all audit records are not stamped with the time and date, which are generated from the system clock when an event occurs. The certifiedsecurity appliance requires that the timestamp option is enabled. To enable the timestamp of audit events, use the logging timestamp command. To ensure that the timestamp option remains the default, use the write memory command to save the option into the startup configuration.

Enabling Reliable Logging

By default, auditing events are transported to the remote syslog server over UDP. The certified security appliance requires auditing events to be transported over TCP. The TCP option is configured using the logging host interface ip_address tcp/port_number command. With TCP logging configured, new sessions through the certified security appliance will be disallowed if log messages cannot be forwarded to the remote host.

To facilitate the TCP logging function, the adaptive security appliance must be configured on a secure Windows server. For details on how to obtain and configure the logging function, see "Using the Security Appliance Syslog Server"

Systems Logs

Cisco Security Appliance System Log Messages provides details on the security appliance system logs. The following sections are not supported on a certified security appliance:

Security Appliance System Log

Receiving SNMP requests

Sending SNMP Traps

Other Remote Management and Monitoring Tools

ASDM

Cisco Secure Policy Manager

SNMP Traps

Note Telnet is not supported on the certified security appliance. It is disabled by default.

Server Settings

You must install the ACS server. The following document provides information on installing the Cisco Secure ACS: http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/install/inst02.htm#wp980695

Configure Authentication on the Security Appliance

To create a server group, add AAA servers to it, configure the protocol and add authentication to SSH, perform the following steps:

Note Only TACACS+ and RADIUS security protocols are included in the evaluated configuration. Do not select any of the other options for protocol under aaa-server. TACACS+ and RADIUS both require a password to authenticate to the server. The administrator is required to follow the guidance in this document when creating the RADIUS or TACACS+ password.

Step 1 Identify the server group name and the protocol. To do so, enter the following command: 

hostname(config)# aaa-server server_group protocol {radius | tacacs+}

For example, to use RADIUS to authenticate network access and TACACS+ to authenticate CLI access, you need to create at least two server groups, one for RADIUS servers and one for TACACS+ servers.

You can have up to 15 single-mode server groups or 4 multi-mode server groups. Each server group can have up to 16 servers in single mode or up to 4 servers in multi-mode.

When you enter a aaa-server protocol command, you enter group mode.

Step 2 For each AAA server on your network, follow these steps:

Identify the server, including the AAA server group it belongs to. To do so, enter the following command: 

hostname(config)# aaa-server server_group (interface_name) host server_ip password

When you enter a aaa-server host command, you enter host mode.

After the aaa-server and group are configured, use the following commands to configure authentication. 

hostname(config)# aaa authentication enable console [server-tag | LOCAL]

The security appliance allows SSH connections to the security appliance for management purposes. The security appliance allows a maximum of 5 concurrent SSH connections per context, if available, with a maximum of 100 connections divided between all contexts. SSH sessions in the evaluated configuration must be authenticated using a single use password solution, and not the local password database. 

hostname(config)# aaa authentication ssh console [server-tag]

Note Enable authentication can use either the local user database or remote aaa server, and reusable passwords are permitted. SSH authentication must use remote aaa server configured for single use authentication. Use of the authentication method "none" is not permitted.

Note Only tacacs+ and radius security protocols are supported at this time.

For information on configuring SSH, see the "Allowing SSH Access" section in the Cisco Security Appliance Command Line Configuration Guide, Version 7.0.

Note By default SSH allows both version one and version two, always select version 2. To specify the version number enter the following command, hostname(config)# ssh version version_number.

Note Instead of entering the enable command at the ">" prompt after establishing the ssh session, the administrator shall enter "login" and then login with a local database account and password. This results in all audit events being attributed to that local user.

Configure Console Access on Firewall to use AAA (Optional)

Console access on the firewall using AAA is an option, but is not required in the evaluated configuration.

For information on how to enable authentication and command authorization for system administrators, see the AAA for System Administrators section in the Cisco Security Appliance Command Line Configuration Guide 7.0.

Usernames on the Security Appliance

Usernames are defined on the certified configuration and are used to separate the defined roles into separate individuals. Usernames are used for identifying to the certified configuration over the local session from the Supervisor module. Use the username command to assign a password and a privilege level for a user. Privilege levels range from 0 (the lowest) through 15. System administrators generally have the highest privilege level. 

username name {nopassword | password password [encrypted]} [privilege priv_level]}

Note Only level 15 users are required in the evaluated configuration.

In the following example, the username is testuser: 

username testuser password 12RsxXQnphyr/I9Z encrypted privilege 15

When the evaluated configuration is operating in multiple context mode, usernames are constrained to the individual context where they were created.

For a complete description of the command syntax, see the Cisco Security Appliance Command Reference, Version 7.0

Note Local authentication is not an option for SSH authentication in the evaluation configuration. The administrator is also advised to never use the value none by itself for any authentication option. Use of the value "none" by itself removes the requirement for entering a password.

Configure AAA for Telnet and FTP

To configure AAA for Telnet and FTP using cut-through proxies you must configure the AAA server group and authentication settings first. After those settings are in effect, enable authentication of Telnet and FTP using the `aaa authentication include {telnet, ftp} command.

Note Running ftp and telnet servers on non-standard ports will result in those flows not requiring RADIUS or TACACS+ authentication and is not to be allowed in the evaluated configuration. 

hostname(config)# aaa-server aaasrvgrp protocol radius

hostname(config-aaa-server-group)# exit

hostname(config)# aaa-server aaasrvgrp host 10.30.1.20

hostname(config-aaa-server-host)# authentication-port 1645

hostname (config-aaa-server-host)# timeout 10

hostname (config-aaa-server-host)# retry-interval 2

hostname (config-aaa-server-host)# exit

hostname (config)# aaa authentication include telnet outside 0 0 0 0 aaasrvgrp

hostname (config)# aaa authentication include ftp outside 0 0 0 0 aaasrvgrp

hostname (config)# aaa authentication include telnet inside 0 0 0 0 aaasrvgrp

hostname (config)# aaa authentication include ftp inside 0 0 0 0 aaasrvgrp

To ensure that separate sessions from a multi-user machine are not able to piggy-back on an existing authentication request, ensure that the timeout for authentication is set to 0, for no caching of authentication data. 

hostname (config)# timeout uauth 0:00:00

Configuring Failover