Do you know a good and comprehensive hardening guideline for ASAs? I am looking for a reliable reference or baseline for my projects, as I see various practices and I don’t always know what is acceptable or not…
For instance, I have an AAA configured ASA, but still I can read the following:

enable password xxxx level 5 encrypted
enable password xxxx encrypted
passwd xxxx encrypted 

I’m pretty sure not all these are necessary and/or secure.

Let me know your thoughts,

Hello Jeff!

I was just working on reviewing a couple of ASA configs for hardening and applying best practices, so this is kind of fresh in my mind.

First of all, it depends on the version of ASA you’re using. Going from version 7.x to 8.x involved drastic changes in the configuration of ASAs.

The version of ASA I used in my recent project was 9.1(2) and a very useful document was http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/200150-Cisco-Guide-to-Harden-Cisco-ASA-Firewall.html for general guidelines.

Specifically, for the passwords you mentioned, the passwd xxxx encrypted command is for the login password to the ASA. Also, you have two enabled passwords each providing different access levels which is fine if you need that. The passwords are encrypted by default so you shouldn’t be able to read them.

I hope this has been helpful!