9.4: Apply Host-Based Firewalls or Port-Filtering
Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.
Asset Type |
Security Function |
Implementation Groups |
|---|---|---|
Devices |
Protect |
1, 2, 3 |
Dependencies
Sub-control 1.4: Maintain Detailed Asset Inventory
Sub-control 1.5: Maintain Asset Inventory Information
Inputs
Endpoint Inventory: Derive from the endpoint inventory those endpoints able to scan (assumed capable of hosting firewall/port-filtering software)
A policy (or set of policies, potentially individually per endpoint) indicating the ports that are allowed to be open
Operations
For each endpoint, retrieve the firewall policy
For each firewall policy, enumerate both the ports which allow communication, and any configuration of a default deny rule (could that be a default?), noting along the way appropriately configured policies and inappropriately configured policies
Measures
M1 = List of endpoints
M2 = Count of M1
M3 = List of endpoints with appropriately configured firewall ports policy
M4 = Count of M3
M5 = List of endpoints with inappropriately configured firewall ports policy
M6 = Count of M5
M7 = List of endpoints with appropriately configured default deny rule
M8 = Count of M7
M9 = List of endpoints with inappropriately configured default deny rule
M10 = Count of M9
M11 = List of endpoints with both appropriately configured firewall policy
M12 = Count of M11
M13 = List of endpoints with at least one inappropriate firewall configuration
M14 = Count of M13
Metrics
Coverage
Metric |
The ratio of correctly configured endpoints to the total number of endpoint?
|
Calculation |
|