I'm configuring a hotspot port on an ASA and was wondering if anyone had an outbound ACL handy that would cover most of the stuff likely related to hacking. Just thought if you already had the list, why reinvent it? Thanks if you can share.
I'm afraid that question is too dynamic in nature. Hijacking is a highly dynamic thing; hostnames, IP addresses, attack vectors etc. change often and fast.
If you have the budget, some content security like CSC-SSM or the Ironport solution will help you stay current with protection against threats from the Internet, including but not limited to phishing sites etc...
Other mitigation techniques against hijacking can be implemented through IPS, depending on what exactly your threat scenario is.
Again, other mitigation techniques could be implemented with very little effort, like anti-spoofing ACLs, DHCP Snooping and Dynamic ARP Inspection etc., depending on the platform you have available. Also the Cisco WLAN controllers have some built-in IPS functionality, some of which could be helpful to prevent some types of hijacking. But again the field is too wide for a few simple copy&paste lines for your config.
Hijacking is a very broad field, including many different techniques and attack vectors on virtually every layer of the ISO-model. To work out a functioning and working protection against hijacking you will need a thorough analysis of your threat scenario and your available equipment. In most cases a simple acl is not sufficient.
Thanks for your reply--well thought out and informative. I agree the question attempts to relegate a subject worthy of its own library down to a simplistic, non-existent solution.
Can you easily summarize the difference between CSC-SSM and Ironport?
This site will be using an ASA5505. Are DHCP Snooping and Dynamic ARP Inspection etc only available on higher platforms?
It's hard to know in advance what people who take advantage of hotspots for nefarious activities might do, so I would attempt to rely on others who have already had experience sufficient to enumerate typical examples, but again, that's the subject of at least one book.
I have all of the obvious stuff in place that the 5505 offers, and it offers a lot for the price.
If the wireless hotspot is to be used by guests and /or visitors on your network I would look at the following:
- Assign the wireless clients a subnet that is not advertised to other routers in your internal network. That way they can only route out the Internet.
- Police the amount of Internet traffic that the guests can consume. This is to prevent them impacting on the production network.
- If the wireless AP is connected to a switch you can configure DHCP snooping and dynamic ARP inspection there. Also consider using VRF lite to separate out the wireless traffic from your internal network.
- Don't assign the guests your internal DNS server. Rather assign them one of the public DNS servers like Google's. This will prevent them from being able to resolve the IP addresses of your internal servers from their DNS names.
- Depending on your infrastructure you could enable Netflow to monitor the sites that these guests are visiting.
- If you don't have the budget you could enable HTTP inspection to block access to peer to peer file sharing, instant messaging and tunneling applications on your ASA.