Best practices for planning to secure administrative access and traffic to management networks and interfaces.

If you're in the planning stage of implementing your management network, follow these best practices to prepare for a safe deployment that follows the principle of least privilege for all management network access, and for access to the firewall and Panorama management interfaces. If you already deployed your management network, compare your architecture to the best practice recommendations and see if there is any way to further secure management access. After you deploy these best practices, your management network will allow access only to the administrators, services, and APIs required to manage firewalls and Panorama.
Set up a bastion host or a similarly hardened server for the sole purpose of providing access to the private management network. Lock down the bastion host as tightly as possible because it may allow access from administrators over the internet (via VPN) as well as internal access from outside the management network. Using the bastion host only for management network access is safest because the more services the host handles, the more potential vulnerabilities may be present.

If you can't set up a bastion host, create or use an existing management network specifically for firewall and Panorama management and restrict access to that network to only the administrators who have a legitimate need to manage firewalls and Panorama. Ensure that administrators go through strict authentication before they can access the management network.
Set up User-ID on firewalls protecting the bastion host(s) and management network(s) and follow User-ID best practice recommendations. User-ID enables you to manage user group and individual user access in Security policy rules to provide an additional level of identification and protection along with specifying allowed IP addresses, zones, devices, and applications. Combining these objects in Security policy enables you to lock down management access and allow only the necessary traffic on device management interfaces.
Set up a centralized authentication system such as a privileged account management (PAM) or privileged identity management (PIM) solution to centralize control of access privileges.

Understand which administrators need to access the firewall and Panorama and the level of access that they need so that you can plan role-based access control (RBAC). Level of access means more than read-only versus read-write access; it means limiting administrative rights so that each administrator can view or change only the specific areas of the device that they manage. Granular RBAC requires individual administrator accounts so that you can use Admin Role profiles to control the exact access level for each administrator, and it may also require passing RADIUS attributes to the device.

Understand which services need management access to the firewall and Panorama. Allow only necessary services to access the management network and device management interfaces.
Audit, list, and understand all programmatic access requirements that leverage the firewall and Panorama APIs. For example:
  Network-as-code and policy-as-code tools that modify the configuration, such as Ansible or Terraform.
  Rulebase analysis and audit tools.
  PAM/PIM tools.
  DNS, DHCP, and IPAM (DDI) tools.
  IT operations and service management tools.
  In-house scripts and tools.
  Any other programmatic access to the management interface.

For each required programmatic access, list:
  Admin accounts used.
  Method of access (HTTPS, SSH, or API).
  Source IP address or network of the access.

Filter the System logs for administrative login events to help with auditing existing programmatic access.
Ensure that your architecture enables you to inspect and log all inbound management traffic and to regularly monitor the traffic for suspicious activity.

To ensure that you can connect to and manage critical devices, including firewalls and Panorama, during power outages and other events that prevent the use of normal communication channels, design and implement an access strategy for business continuity.
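The two steps above (building an inventory of existing programmatic access from administrative login events in the System logs, and monitoring management traffic for suspicious activity) can be combined in one script. The following is an added example, not Palo Alto Networks' code: the log lines are constructed, and their layout (a timestamp, an event name such as auth-success, and a description of the form "User X logged in via Y from Z using W") is an assumed simplification rather than the exact PAN-OS System log format. The inventory groups logins by account, access method and source address, which is the list the recommendation asks for; the second function flags logins from outside the management network and service accounts used over an interactive method.

```python
"""Inventory administrative logins and flag unexpected ones.

Added example, not Palo Alto Networks' code. The log layout parsed here is
an assumed simplification of the System log; adapt LOGIN_RE to the real
export format before use.
"""
import ipaddress
import re

# Assumed line layout: "<timestamp> <event> User <user> ... via <method> from <src> using <proto>"
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>auth-\w+) User (?P<user>\S+) .*?"
    r"via (?P<method>\S+) from (?P<src>\S+) using (?P<proto>\S+)$"
)

# Constructed sample log: one admin, one interactive user and one
# automation account that also shows up from unexpected places.
SAMPLE_SYSTEM_LOG = """\
2024-05-01T08:01:12 auth-success User admin logged in via Web from 10.10.1.5 using https
2024-05-01T08:03:40 auth-success User svc-ansible logged in via API from 10.10.2.20 using https
2024-05-01T08:05:02 auth-success User svc-ansible logged in via API from 10.10.2.20 using https
2024-05-01T08:07:55 auth-success User jdoe logged in via CLI from 10.10.1.5 using ssh
2024-05-01T08:09:13 auth-fail User svc-ansible failed to log in via Web from 203.0.113.7 using https
2024-05-01T08:11:30 auth-success User svc-ansible logged in via CLI from 172.16.9.9 using ssh
"""


def inventory_logins(text):
    """Map (user, method, source) -> {'success': n, 'fail': n}."""
    inventory = {}
    for line in text.splitlines():
        match = LOGIN_RE.match(line)
        if not match:
            continue  # not a login event; ignore
        key = (match["user"], match["method"], match["src"])
        counts = inventory.setdefault(key, {"success": 0, "fail": 0})
        counts["success" if match["event"] == "auth-success" else "fail"] += 1
    return inventory


def flag_unexpected(inventory, permitted_nets, service_accounts):
    """Return findings for sources outside permitted_nets and for service
    accounts (API-only by policy) seen over an interactive method."""
    nets = [ipaddress.ip_network(n) for n in permitted_nets]
    findings = []
    for (user, method, src), counts in inventory.items():
        addr = ipaddress.ip_address(src)
        where = f"{user} via {method} from {src}"
        if not any(addr in n for n in nets):
            findings.append(f"{where}: source outside management network")
        if user in service_accounts and method != "API":
            findings.append(f"{where}: service account used interactively")
    return findings


if __name__ == "__main__":
    inv = inventory_logins(SAMPLE_SYSTEM_LOG)
    for key, counts in sorted(inv.items()):
        print(key, counts)
    for finding in flag_unexpected(inv, ["10.10.0.0/16"], {"svc-ansible"}):
        print("FLAG:", finding)
```

With the constructed log, the inventory has five distinct (account, method, source) entries, and the automation account is flagged twice for each of its two off-network interactive attempts, including the failed one, which is exactly the kind of event the inspection and monitoring step above is meant to surface.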