Cisco Preparative Procedures and Operational User Guide

Cisco Adaptive Security Appliance (ASA) 9.8 on Firepower 2100 Series
Preparative Procedures & Operational User Guide for the Common Criteria Certified Configuration
Version 0.7, July 9, 2018

Americas Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA
© 2018 Cisco Systems, Inc. All rights reserved.

Table of Contents

Introduction
  ASA Version 9.8(2)/ASDM Version 7.8 Documentation Set
  Audience
  Supported Hardware & Software Versions
  Overview of the Cisco ASA Firewall & VPN Platforms
  Operational Environment Component & Usage
  Example Deployment
Security Information
  Organizational Security Policy
  Securing the Operational Environment
  Certified Configuration
    Features Prohibited from Use
  Physical Security
Administrative Access
  Console Access
  Setting the Clock
  Monitoring & Maintenance
  System Logs
  Administration
  Saving the Configuration
  Backup and Restoration
  Device Failover
  Terminating Administrative Sessions / Logging Out
Authentication to the ASA
  Local and Remote Access to ASA
  Login Banners for ASA and ASDM
  Usernames, Privileges, and Administrative Roles
    Usernames and Privileges
    Authorized Administrator
  Passwords
    Password Complexity, Length, and Uniqueness
    Password Policies
  Account Lockout after Failed Login Attempts
Authentication to FXOS
  Local and Remote Access to FXOS
Secure Communications
  Evaluated Cryptography
  Enabling FIPS Mode
  Configuring SSH [Optional]
    RSA Key Generation
    Restrict SSH Connections
    Enable SSHv2 and Disable SSHv1
    Encryption Algorithms
    Hashing Algorithms
    Key-Exchange
    SSH Session Rekey Limits
    Authentication
    Idle Timeouts
    SCopy (disabled by default)
  Configuring TLS
    Specify the TLS Version
    Specify the TLS Ciphersuites (optional)
    Specify the TLS Server and Client Certificates
    Enabling SSL (TLS) VPN (optional)
  Configuring IPsec
    Managing Public Key Infrastructure (PKI) Keys
    Enable IKEv2
    IKEv2 Parameters for IKE Phase 1 (the IKE SA)
    IKEv2 Parameters for IKE Phase 2 (the IPsec SA)
    Create an Access-List and Assigning to Crypto Map
    Select Tunnel or Transport mode
    Certificate Map Subject DN
    Viewing an IPsec Configuration
    Clearing Security Associations
    IPsec Authentication
    VPN Client Access Restriction
    Configure an IP Address Assignment Policy
    Specifying a VPN Session Idle Timeout
Firewall Functionality
  Routed Mode and Transparent Mode
    Routed Mode
    Transparent Mode
    Setting Transparent or Routed Firewall Mode at the CLI
  Audit Trail Full Mode
    Enabling Syslog Host Status Monitoring
    Recovering from Syslog Host Down
  Traffic Flow Overview
    Trusted & Untrusted Networks
    Stateful Inspection Overview
    Application Layer Protocol Inspection
    Same-Security-Traffic
    Access Lists
    Configure Extended ACLs
    Using the 'Established' Keyword
    Time-to-Live
    VLAN Interfaces
    Interface Types
    Servers and Proxies
    Protect from SYN Flood DoS Attack (TCP Intercept)
    Configure Global Timeouts
  Default Traffic Flow (without ACLs)
  Optional Traffic Inspection
    Unicast RPF
    STP & Transparent Mode
    Inspect ICMP
    Inspect ARP
    Prohibit IPv6 Extension Header 0
  Optional Authentication of Throughput Traffic
Mandatory Traffic Flow Controls
  Set "ip audit" Actions
  Do not disable certain signatures
  Define "ip audit" Policies
  Apply "ip audit" Policies to Interfaces
  Configuration of Packet Fragmentation Handling
  Overview of Traffic to Be Dropped, and the Related Syslog Messages
Logging and Log Messages
  Timestamps in Audit Messages
  Usernames in Audit Messages
  Using TCP Syslog to Detect Syslog Host Down
  Timely Notification/Transmission of ACL Logging
  Secure Transmission of Audit Messages
    Configure Reference Identifier
    Securing Syslog with TLS
  Local and Remote Access to FXOS
    Securing Syslog with IPsec
  Local and Remote Access to FXOS
    Securing RADIUS Accounting Messages with IPsec
  Local and Remote Access to FXOS
  Auditable Events Certified Under Common Criteria
Software (ASA and FXOS) Installation
Adaptive Security Device Manager (ASDM)
  Enabling HTTPS Access
  Configure DN matching for ASDM
  Enable Idle-Timeouts of ASDM Sessions
  Accessing ASDM from Your Workstation
    Running ASDM
Network Services and Protocols
  Local and Remote Access to FXOS
Modes of Operation
Appendix
  Acronyms & Abbreviations
  Obtaining Documentation
  Obtaining Technical Assistance
  Cisco Technical Support & Documentation Website
  Submitting a Service Request
  Definitions of Service Request Severity
  Obtaining Additional Publications and Information

Introduction

This document describes how to install and configure the Cisco Adaptive Security Appliance (ASA) version 9.8(2) on Firepower 2100 Series appliances, certified under Common Criteria as conformant to the Firewall collaborative Protection Profile (FWcPP) [1] and the Virtual Private Network Gateway collaborative Extended Package (VPNGWcEP) [2]. In this guide, "security appliance" and "adaptive security appliance" apply to all Firepower 2100 Series models running Cisco ASA version 9.8(2), unless specifically noted otherwise. Version 9.8(2) will be referred to as 9.8(2) or just 9.8 hereinafter.

Note: Failure to follow the information provided in this document will result in the adaptive security appliance not being compliant with the evaluation and may make it insecure.

This document is an addendum to other documentation available for installation and configuration of the Cisco ASA with version 9.8(2), and it should be read in its entirety before configuring the security appliance.

The Firepower 2100 Series appliances running ASA also run FXOS (Firepower eXtensible Operating System) version 2.2. To configure the FXOS portion of this system, refer to "Cisco FXOS 2.2 on Firepower 2100 Series Preparative Procedures & Operational User Guide for the Common Criteria Certified Configuration."

Note: Except where specified, details described in this document apply only to ASA.
For corresponding details about FXOS, refer to "Cisco FXOS 2.2 on Firepower 2100 Series Preparative Procedures & Operational User Guide for the Common Criteria Certified Configuration."

ASA Version 9.8(2)/ASDM Version 7.8 Documentation Set

- ASA Release Notes: Release Notes for the Cisco ASA Series, 9.8(x)
  https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/release/notes/asarn98.html
- ASDM Release Notes: Release Notes for Cisco ASDM, 7.8(x)
  https://www.cisco.com/c/en/us/td/docs/security/asdm/7_8/release/notes/rn78.html
- ASA for Firepower 2100 Series Getting Started Guide:
  https://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/fp2100/asa-2100-gsg.html
- ASA Upgrade Guide: https://www.cisco.com/c/en/us/td/docs/security/asa/upgrade/asa-upgrade.html, specifically the section "Upgrade the ASA on the Firepower 2100":
  https://www.cisco.com/c/en/us/td/docs/security/asa/upgrade/asa-upgrade/asa-appliance-asav.html#topic_ybn_b55_bbb
- CLI Configuration:
  - General Operations CLI Configuration: Cisco ASA Series General Operations CLI Configuration Guide, 9.8
    https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/general/asa-98-general-config.html
  - Firewall CLI Configuration: Cisco ASA Series Firewall CLI Configuration Guide, 9.8
    https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/firewall/asa-98-firewall-config.html
  - VPN CLI Configuration: Cisco ASA Series VPN CLI Configuration Guide, 9.8
    https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/vpn/asa-98-vpn-config.html
  - FXOS Configuration: To configure the FXOS portion of this system, refer to "Cisco FXOS 2.2 on Firepower 2100 Series Preparative Procedures & Operational User Guide for the Common Criteria Certified Configuration, May 18, 2018". Also use the Cisco FXOS CLI Configuration Guide, 2.2(2) for details about use of the FXOS CLI:
    https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/fxos222/cli-guide/b_CLI_ConfigGuide_FXOS_222.html
- ASDM Configuration:
  - General Operations ASDM Configuration: Cisco ASA Series General Operations ASDM Configuration Guide, 7.8
    https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/asdm78/general/asdm-78-general-config.html
  - Firewall ASDM Configuration: Cisco ASA Series Firewall ASDM Configuration Guide, 7.8
    https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/asdm78/firewall/asdm-78-firewall-config.html
  - VPN ASDM Configuration: Cisco ASA Series VPN ASDM Configuration Guide, 7.8
    https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/asdm78/vpn/asdm-78-vpn-config.html
- Cisco AnyConnect Secure Mobility Client Administrator Guide:
  http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect40/administration/guide/b_AnyConnect_Administrator_Guide_4-0.html
- Syslog Messages: Cisco ASA Series Syslog Messages, 9.8
  http://www.cisco.com/c/en/us/td/docs/security/asa/syslog-guide/syslogs.html

To find an HTML or PDF version of many Cisco titles, go to www.cisco.com, type the title in the 'Search' field and click Go. For the ASA series see also the online document Navigating the Cisco ASA Series Documentation:
http://www.cisco.com/c/en/us/td/docs/security/asa/roadmap/asaroadmap.html

[1] Also known as the collaborative Protection Profile for Stateful Traffic Filter Firewalls.
[2] Also known as the Network Device Collaborative Protection Profile (NDcPP)/Stateful Traffic Filter Firewall Collaborative Protection Profile (FWcPP) Extended Package VPN Gateway.

Audience

This document is written for administrators configuring the Cisco ASA running software version 9.8(2) on Firepower 2100 Series appliances.
This document assumes you are familiar with networks and network terminology, that you are a trusted individual, and that you are trained to use the Internet and its associated terms and applications.

Supported Hardware & Software Versions

Only the hardware and software listed in Table 1 and Table 2 are compliant with the ASA 9.8(2) Common Criteria evaluation. Using hardware not specified invalidates the secure configuration. Likewise, using any software version other than Cisco ASA 9.8(2) invalidates the secure configuration.

Table 1: Supported Hardware

  Hardware models: FP2110, FP2120, FP2130, FP2140

Table 2: Supported Software

  Software                                                  Version
  Cisco Adaptive Security Appliance (ASA) image             9.8(2)
  Cisco VPN Client (in operational environment)             5.0.07.0440 or later (64-bit), or 5.0.07.0410 or later (32-bit)
  Cisco AnyConnect Client (in operational environment)      4.0 or later
  Cisco Adaptive Security Device Manager (ASDM)             7.8
  Firepower eXtensible Operating System (FXOS)              2.2

Overview of the Cisco ASA Firewall & VPN Platforms

The certified configuration consists of the following:

- One or more Firepower 2100 Series appliances: The appliance is a single-use device with a hardened version of the Linux 3.10 kernel running ASA Release 9.8(2), and a hardened version of the Linux 2.6 kernel running FXOS 2.2. For exact models, see section 1.5 of the Security Target.
- ASDM software: The ASDM 7.8 software is installed on each ASA. Only the Cisco ASDM Launcher is installed locally on the management platform.

Operational Environment Component & Usage

The following are components of the environment of the evaluated product.
Table 3: Components of the Operational Environment

Component: Management Workstation with SSH Client
Required for ASA: Yes
Usage / Purpose: Any IT environment management workstation with an SSH client installed that is used by the TOE administrator to support TOE administration through SSHv2-protected channels. Any SSH client that supports SSHv2 may be used.

Component: Remote IPsec Tunnel Endpoints
Required for ASA: Yes
Usage / Purpose: Any peer with which the TOE participates in tunneled communications. Remote tunnel endpoints may be any device or software client that supports IPsec tunneling. Both VPN clients and VPN gateways can be considered remote tunnel endpoints.

Component: ASDM Management Platform
Required for ASA: Yes
Usage / Purpose: ASDM 7.8 operates from any of the following operating systems:
  - Microsoft Windows 7, 8, 10, Server 2008, Server 2012 and Server 2012 R2
  - Apple OS X 10.4 and later
  - Red Hat Enterprise Linux 5
Note that the ASDM software is part of the TOE; the management platform is used to connect to the TOE and run ASDM. The only software installed on the management platform is the Cisco ASDM Launcher.

Component: Web browser
Required for ASA: Yes
Usage / Purpose: The following web browsers are supported for access to ASDM:
  - Internet Explorer (6.0 or higher)
  - Firefox (1.5 or higher)
  - Safari (2.0 or higher)
  - Chrome (18 or higher)
Note: Using the latest supported web browser version is recommended.

Component: Remote Authentication Server
Required for ASA: No
Usage / Purpose: Any IT environment AAA server that provides single-use authentication mechanisms. The TOE leverages the services provided by this AAA server to provide single-use authentication to administrators. Connections to remote AAA servers must be tunneled in IPsec.

Component: NTP Server
Required for ASA: No
Usage / Purpose: The ASA supports communications with an NTP server. Using an NTP server with support for NTPv3 is recommended.

Component: Certificate Authority (CA)
Required for ASA: Yes
Usage / Purpose: The ASA supports communication with external CAs.

Component: Remote Tunnel Endpoint
Required for ASA: Yes
Usage / Purpose: Any peer with which the TOE participates in tunneled communications. Remote tunnel endpoints may be any device or software client (e.g., Cisco AnyConnect, Cisco VPN Client) that supports IPsec tunneling. Both VPN clients and VPN gateways can be considered remote tunnel endpoints.

Component: Audit (syslog) Server
Required for ASA: Yes
Usage / Purpose: A syslog server capable of receiving syslog messages through an IPsec or TLS tunnel is required for use with the ASA.
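Table 3 says which components must exist around the ASA but not how the ASA is pointed at them. The fragment below is an added example, not configuration taken from the Cisco guide, showing one way to attach an ASA 9.8 to the SSH management workstation, the TLS syslog server, the AAA server and the NTP server from the table. The interface names ('management', 'inside'), the 192.0.2.0/24 addresses, the trustpoint and server-group names and the <placeholders> are assumed values; the exact algorithms, rekey limits and timeouts that the evaluation requires are fixed in the guide's later sections (Configuring SSH, Configuring TLS, Configuring IPsec, Logging and Log Messages), not here.

```text
! Added example (not from the Cisco guide): ASA 9.8 CLI fragment wiring the
! ASA to the Table 3 components. Names, addresses and <placeholders> are
! assumed; certified values come from the guide's later sections.

! Evaluated cryptography: FIPS mode. Takes effect after a reload; see
! "Enabling FIPS Mode" in the guide for the prerequisites.
fips enable

! Management Workstation with SSH client: RSA host key, SSHv2 only,
! DH group 14 key exchange, sources limited to the management subnet,
! idle timeout in minutes.
crypto key generate rsa modulus 2048
ssh version 2
ssh key-exchange group dh-group14-sha1
ssh 192.0.2.0 255.255.255.0 management
ssh timeout 10

! Audit (syslog) server over TLS. 'secure' is only accepted with TCP, and
! the ASA validates the server certificate against a CA it already trusts,
! so the CA certificate is imported into a trustpoint first
! ('crypto ca authenticate SYSLOG-CA' is interactive: paste the CA's PEM).
crypto ca trustpoint SYSLOG-CA
 enrollment terminal
logging enable
logging timestamp
logging trap informational
logging host inside 192.0.2.50 TCP/6514 secure
! ASA default behaviour without 'logging permit-hostdown': when the TCP
! syslog host is unreachable, new connections through the ASA are blocked
! rather than passed unaudited. Whether the certified configuration keeps
! that default is covered under "Audit Trail Full Mode" in the guide.

! Remote Authentication (AAA) server, consulted before the local database.
! Table 3 requires the path to the AAA server to run inside an IPsec
! tunnel; that tunnel is configured separately (see "Configuring IPsec").
aaa-server RADIUS-SRV protocol radius
aaa-server RADIUS-SRV (inside) host 192.0.2.10
 key <radius-shared-secret>
aaa authentication ssh console RADIUS-SRV LOCAL

! NTP server with authenticated time (Table 3 recommends NTPv3 support).
ntp authentication-key 1 md5 <ntp-key>
ntp trusted-key 1
ntp authenticate
ntp server 192.0.2.20 key 1 source inside
```

Read the fragment as a map from each Table 3 component to the ASA feature that reaches it, not as the certified settings themselves. Two points are easy to miss when reproducing it: the 'secure' syslog transport needs the syslog server's issuing CA in a trustpoint before the ASA will bring the session up, and the AAA connection is only compliant with the table once it is carried inside an IPsec tunnel, which this fragment does not build.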
