DO YOUR FIREWALLS HAVE ACCESS CONTROL LISTS OR OUT-OF-CONTROL LISTS?
Do you badge in and out of your office each day? That electronic lock should be doing two things: making sure you can get in (and get to work), and keeping people who shouldn’t be there out. If the permissions aren’t right, you could be blocked from entering. Or, worse, people who aren’t authorized could walk right in. This is what happens if the Access Control Lists (ACLs) on your firewall aren’t properly configured. Valid traffic could be blocked, or unauthorized traffic could slip through. This can impact productivity and even be a security risk.
ACLs can be hundreds or even thousands of lines long. They may have been set up years ago and been modified too many times to count. Are you confident that they are controlling the traffic the way you want? Do you need deeper network insights to see what is really going on?
Reviewing your Access Control Lists can be a tedious task, but the latest release of SolarWinds® Network Configuration Manager (NCM) makes it easy. This release introduces a new feature, Network Insight™ for Cisco® ASA, so you can easily review and audit ACLs for your Cisco ASA firewall.
- Review what ACLs are configured
You can’t control it if you don’t know you have it. First, take a look to see what Access Control Lists are set up. The network insights you get with NCM will allow you to view all ACLs configured on the ASA. See if you have an ACL that was configured but never applied. Do you have ACLs that were set up so long ago that none of the original creators are still around?
- Audit where and how they are assigned
An ACL may be configured correctly but assigned to the wrong zone, reducing its effectiveness. Are your ACLs assigned to the correct zones? What interfaces are assigned to those zones? Review where your Cisco ASA ACLs are assigned to maximize their strength.
- See what rules are being used
Do you have rules in place that are never used, or rules that are getting hit all the time? Use NCM’s ACL Rule Browser to browse to object group definitions, search and filter within your ACLs, and view the hit count for individual rules to debug your access rules. Rules that are never hit may have been superseded by other policy changes. Rules that are getting hit all the time may indicate a need to refine the rule. With increased network insight you can optimize the ACL rules on your Cisco ASA.
- Detect shadow or redundant rules
Access Control List rules are applied in the order they are listed. When a rule is overridden by a previous rule that does a different action, it is a shadow rule. A rule that is hidden because a previous rule does the same action is a redundant rule. For example, your office wants to let in anyone who is an employee, but not on the weekends. If the badge reader checks “let in all employees” first and then checks the day of the week, the weekend rule is a shadow rule. It will not matter because the door unlocked after confirming it was an employee who was trying to enter. You can reduce security risks and help ensure your ACLs are working as intended by identifying shadow or redundant rules.
- Compare ACLs for changes
It can be difficult to troubleshoot ACL config issues. Network Configuration Manager helps make this process easier with side-by-side ACL config comparisons on your Cisco ASAs. You can compare an ACL to a previous version on the same node, or compare to other nodes, interfaces, or to a different ACL. Identify errors and verify consistency with Network Insights for Cisco ASA.
By working through this simple checklist, you can restore confidence that your firewalls are effectively managing the traffic flow in and out of your network. You can try Network Insight for Cisco ASA in the latest release of Network Configuration Manager. With a free, 30-day trial of NCM, you can see for yourself how easily you can bring your ACLs back under control. Look like a firewall expert without having to be a firewall expert!
This article was originally published here.