
[Solved] Task: Assess the Security Posture of a Cisco ASA 5520 Firewall Configuration Against Security Requirements (Q37221183)

Your task is to assess the security posture of a Cisco ASA 5520 firewall configuration against the security requirements in a STIG viewer. The config file you should use for this assignment can be seen below. Determine whether this firewall configuration is compliant or not compliant (i.e. pass or fail) for each of these 10 requirements. Also indicate your rationale for why you believe each is compliant or not compliant:

1) V-15432
2) V-28784
3) V-3085
4) V-3000
5) V-3967
6) V-3014
7) V-14717
8) V-15294
9) V-23747
10) V-14671

: Saved
:
ASA Version 8.2(1)
!
hostname edgeasa
domain-name usf.edu
enable password yXcNfJE4yYvA2tFR encrypted
passwd yXcNfJE4yYvA2tFR encrypted
names
!
interface GigabitEthernet0/0
 speed 1000
 nameif inside
 security-level 100
 ip address 10.10.10.75 255.255.0.0
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 speed 100
 duplex full
 nameif management
 security-level 100
 ip address 19.42.11.11 255.255.255.0
 management-only
!
interface GigabitEthernet1/0
 speed 1000
 nameif outside
 security-level 0
 ip address 192.168.7.80 255.255.255.0
!
interface GigabitEthernet1/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
banner motd
banner motd This is a firewall config from a Cisco ASA 5520 config file
banner motd meant for educational purposes only – USF CNT3403
banner asdm
banner asdm This is a firewall config from a Cisco ASA 5520 config file
banner asdm meant for educational purposes only – USF CNT3403
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
 domain-name usf.edu
access-list permit_in extended deny ip any host 100.100.100.2
access-list permit_in extended deny udp any any eq 3544
access-list permit_in extended permit tcp host 20.20.20.5 host 100.100.100.9 eq www
access-list permit_in extended permit tcp host 20.20.20.6 host 100.100.100.9 eq www
access-list permit_in extended permit tcp host 20.20.20.5 host 100.100.100.10 eq https
access-list permit_in extended permit tcp host 20.20.20.6 host 100.100.100.10 eq https
access-list permit_in extended deny ip 30.30.30.32 255.255.255.240 any
access-list permit_in extended permit tcp any host 100.100.100.25 eq smtp
access-list permit_in extended permit tcp any host 100.100.100.26 eq smtp
access-list permit_in extended permit tcp host 40.40.40.20 host 100.100.100.201 eq https
access-list permit_in extended permit tcp host 40.40.40.21 host 100.100.100.201 eq https
access-list permit_in extended permit ip host 50.50.50.15 host 100.100.100.249
access-list permit_in extended permit tcp 60.60.60.0 255.255.255.0 host 100.100.100.130 range ftp-data ftp
access-list permit_in extended permit tcp 70.70.70.0 255.255.255.0 150.150.150.0 255.255.255.0 eq ssh
access-list permit_in extended permit tcp 70.70.70.0 255.255.255.0 150.150.150.0 255.255.255.0 range ftp-data ftp
access-list permit_in extended permit tcp 80.80.80.0 255.255.255.0 host 100.100.100.130 eq https
access-list permit_in extended permit tcp 90.90.90.0 255.255.255.0 host 100.100.100.130 range ftp-data ftp
access-list permit_in extended permit tcp 90.90.90.0 255.255.255.0 host 100.100.100.130 eq https
access-list permit_in extended permit tcp host 95.95.95.50 host 100.100.100.249 range 44441 44443
access-list permit_in extended permit tcp host 95.95.95.51 host 100.100.100.249 eq https
access-list permit_in extended permit tcp host 95.95.95.51 host 100.100.100.249 eq 44441
access-list permit_in extended permit tcp any host 100.100.100.253 eq https
pager lines 24
logging enable
logging timestamp
logging buffer-size 65536
logging console critical
logging monitor informational
logging trap errors
logging asdm warnings
logging host inside 10.10.10.60
logging host inside 10.10.10.61
mtu inside 1500
mtu management 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp deny any inside
icmp deny any management
icmp deny any outside
asdm image disk0:/asdm-621.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 access-list permit_in
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface ssh 10.10.10.60 ssh netmask 255.255.255.255
static (inside,outside) tcp interface https 10.10.10.60 https netmask 255.255.255.255
access-group permit_in in interface inside
access-group permit_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.7.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server default protocol tacacs+
aaa-server default (inside) host 180.180.180.10
 timeout 5
 key *****
aaa-server default (inside) host 180.180.180.11
 timeout 5
 key *****
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa authentication enable console default
aaa authentication ssh console default
aaa authorization command default LOCAL
aaa accounting command privilege 15 default
aaa accounting enable console default
http server enable
http server idle-timeout 5
http server session-timeout 7
http 19.42.11.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh scopy enable
ssh timeout 5
ssh version 2
console timeout 10
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp authenticate
ntp server 10.10.10.60
ntp server 10.10.10.61
webvpn
username usfadmin password SXXjXB5AFPjkywIj encrypted
username superadmin password abc123 encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect http
  inspect snmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:efa9838bfaf8618d690ebe9780f3cd16
: end
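The posted assignment asks for a pass/fail verdict per STIG ID, but the page does not reproduce the STIG rule text, so the mapping from each V-number to a concrete check is not something this page supports. What a reviewer does in practice is pull the observable facts out of the running-config first and then compare them against each requirement. The script below is an added example (not part of the original post or the answer) that does that extraction for the ASA 8.2 config above: it parses the config, then reports generic hardening facts a reviewer would look at (SSH version, idle timeouts, whether NTP authentication is actually complete, local account password fields, syslog, banner, ACL bindings, ASDM access scope). `SAMPLE_CONFIG` is an excerpt constructed from the posted config; the assumption that an ASA 8.2 `encrypted` password field is a 16-character hash, and the 10-minute idle-timeout threshold, are this example's choices and not taken from the STIG.

```python
"""Added audit helper for an ASA 8.2-style running-config.

Not the page's answer and not STIG rule text: the checks below are generic
hardening facts a reviewer verifies by hand against each requirement.
"""
import re

# Constructed excerpt of the config posted above (enough for every check).
SAMPLE_CONFIG = """\
enable password yXcNfJE4yYvA2tFR encrypted
passwd yXcNfJE4yYvA2tFR encrypted
banner motd This is a firewall config from a Cisco ASA 5520 config file
logging enable
logging timestamp
logging trap errors
logging host inside 10.10.10.60
logging host inside 10.10.10.61
access-group permit_in in interface inside
access-group permit_in in interface outside
aaa authentication telnet console LOCAL
aaa authentication ssh console default
http server enable
http server idle-timeout 5
http 19.42.11.0 255.255.255.0 management
telnet timeout 5
ssh timeout 5
ssh version 2
console timeout 10
ntp authenticate
ntp server 10.10.10.60
ntp server 10.10.10.61
username usfadmin password SXXjXB5AFPjkywIj encrypted
username superadmin password abc123 encrypted privilege 15
"""


def parse(text):
    """Return non-empty config lines, whitespace-stripped, without '!' and ':' lines."""
    out = []
    for raw in text.splitlines():
        ln = raw.strip()
        if ln and not ln.startswith(("!", ":")):
            out.append(ln)
    return out


def lines_starting(cfg, prefix):
    return [ln for ln in cfg if ln.startswith(prefix)]


def audit(text):
    cfg = parse(text)
    f = {}
    # Management transport: SSHv2 required; a 'telnet <net> <mask> <if>' line would open telnet.
    f["ssh_version_2"] = "ssh version 2" in cfg
    f["telnet_access_lines"] = [ln for ln in lines_starting(cfg, "telnet ")
                                if not ln.startswith("telnet timeout")]
    # Idle timeouts in minutes; threshold of 10 is this example's assumption.
    timeouts = {}
    for key, prefix in (("ssh", "ssh timeout "), ("console", "console timeout "),
                        ("telnet", "telnet timeout "), ("http", "http server idle-timeout ")):
        m = lines_starting(cfg, prefix)
        timeouts[key] = int(m[0].split()[-1]) if m else None
    f["timeouts_minutes"] = timeouts
    f["timeouts_ok"] = all(v is not None and v <= 10 for v in timeouts.values())
    # NTP: 'ntp authenticate' alone authenticates nothing without a key and a trusted-key.
    f["ntp_servers"] = [ln.split()[2] for ln in lines_starting(cfg, "ntp server ")]
    f["ntp_auth_complete"] = ("ntp authenticate" in cfg
                              and bool(lines_starting(cfg, "ntp authentication-key "))
                              and bool(lines_starting(cfg, "ntp trusted-key ")))
    # Local accounts: assumed 16-char 'encrypted' hash; anything else looks like a literal.
    suspect = []
    for ln in lines_starting(cfg, "username "):
        m = re.match(r"username (\S+) password (\S+) encrypted", ln)
        if m and not re.fullmatch(r"[A-Za-z0-9./]{16}", m.group(2)):
            suspect.append(m.group(1))
    f["suspect_password_fields"] = suspect
    # Identical 'enable password' and 'passwd' hashes: one secret unlocks login and enable.
    enable_hash = next((ln.split()[2] for ln in lines_starting(cfg, "enable password ")), None)
    login_hash = next((ln.split()[1] for ln in lines_starting(cfg, "passwd ")), None)
    f["enable_and_login_share_hash"] = enable_hash is not None and enable_hash == login_hash
    # Syslog: enabled, timestamped, at least two collectors; record the trap severity.
    f["syslog_hosts"] = [ln.split()[3] for ln in lines_starting(cfg, "logging host ")]
    trap = lines_starting(cfg, "logging trap ")
    f["logging_trap_level"] = trap[0].split()[2] if trap else None
    f["logging_ok"] = ("logging enable" in cfg and "logging timestamp" in cfg
                       and len(f["syslog_hosts"]) >= 2)
    f["banner_present"] = bool(lines_starting(cfg, "banner motd"))
    # One ACL bound on several interfaces is a review item: one policy rarely fits both.
    bound = {}
    for ln in lines_starting(cfg, "access-group "):
        parts = ln.split()
        bound.setdefault(parts[1], []).append(parts[-1])
    f["acl_reused_on_multiple_interfaces"] = {k: v for k, v in bound.items() if len(v) > 1}
    # ASDM/HTTP access limited to the management interface only?
    http_src = [ln for ln in lines_starting(cfg, "http ") if not ln.startswith("http server")]
    f["http_only_on_management"] = bool(http_src) and all(
        ln.split()[-1] == "management" for ln in http_src)
    return f


if __name__ == "__main__":
    for k, v in audit(SAMPLE_CONFIG).items():
        print(f"{k}: {v}")
```

Run it against the full config (for example `audit(open("edgeasa.cfg").read())`) and use the facts as the evidence column of the pass/fail table: for instance, `ntp_auth_complete` comes back `False` because `ntp authenticate` is present without any `ntp authentication-key` or `ntp trusted-key`, `suspect_password_fields` names `superadmin`, and `enable_and_login_share_hash` is `True`, while SSHv2, the idle timeouts, two syslog hosts and the management-only HTTP scope come back clean. Each requirement's verdict still has to be argued from the STIG text itself.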
