1. AAA Authentication- Need to check if the AAA authentication is configured removing default password. AAA can be configured thru TACACS or Radius server depending upon the architecture / tools and technology availability.
2. Time and Time Zone Settings-Configure Time Zone on the device, NTP server and NTP authentication.
3 . Password Rules-Configure local user and encrypt password, enable passwords and configure use password encryptions.
4. Generic-Disable DHCP Server Service and HTTP Service, Configure Connection Timeout.
- Enable SSH for remote access
- Check the version of SSH and generate the key as per the requirement
- Enable SSH and console timeout
- Restrict only appropriate networks / IP to SSH access
- Configure SNMP trap server, enable trap as per the requirements
- Enable authorized SNMP host and SNMP community
7 . Password Management-Some of the below areas need to be cross checked while configuring the firewall.
- Ensure enable secret with strong password
- Encrypting Local login password
- Enable Password encryption service
8. Logging-Configure Console Logging Severity Level, Logging Facility, Logging History Level Logging to Syslog Server, Trap Severity Level, System Logging, Timestamps in Log Messages
9. Configure Explicit Deny Any in ACLs
10. Routing rules-Configure Unicast Reverse-Path Forwarding
11. Others-Translation Slot Timeout, Intrusion Detection Actions, AAA Flood Guard, Configure Fragment Chain Fragmentation Checks, Configure Protocol Inspection, Disable Inbound Traceroute Messages
These are some of the important hardening procedure that can be followed during Firewall Hardening procedure, these configuration may vary depending upon actual implementation.