CIS CSC #9 – Limitation and Control of Network Ports, Protocols and Services

I am working on a series of posts related to the Center for Internet Security (CIS) Critical Security Controls (CSCs). See the full listing here.

Manage (track/control/correct) the ongoing operational use of ports, protocols, and services on networked devices in order to minimize windows of vulnerability available to attackers.

This control includes five (5) sub controls. For those of you reviewing the CIS Controls with the Implementation Groups in mind, there is one (1) IG1 controls and four (4) IG2 controls. This means that, at a minimum, we want to:

  • Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.

After the last few controls, it is nice to get back to a control that can be implemented with little tools built-in to most operating systems. The commercial tools below will make it easier to identify open ports and possibly detect firewall configuration changes, but do not necessarily implement the sub-control listed above.

This control focuses on extending the principle of least privilege to the network ports and services running on every network-connected device. Implementing a default deny all rule translates to a whitelist approach – if we want any connections, we must explicitly allow them. This will likely be easier to implement on servers and network equipment than it will be on workstations since these devices tend (read: should) have a clearly defined purpose (e.g. SMB for file sharing, SSH for administration, etc.). This means the list of necessary ports will be clear cut.

End-user workstations may pose more of an issue, especially when it comes to maintaining the ruleset. These systems will see the most change, as departments bring new software into their workflow. Hopefully IT is tied in to the change control process to test the necessary rule changes as part of the software PoCs. The good news is that end-user workstations should have very few inbound connections. Ideally inbound connections are restricted to the dedicated subnet where the help desk resides, which would allow remoting into the system for support.

I thought this write-up did a nice job at explaining the process of managing Windows firewall rules via GPO. This is useful, as you can use the built-in tools to generate a rule base to allow applications, rather than having to manually write one rule at a time.

# Windows includes netstat to show connections - excerpts of the help text is included below
C:\WINDOWS\System32>netstat ?

Displays protocol statistics and current TCP/IP network connections.

NETSTAT [-a] [-b] [-e] [-f] [-n] [-o] [-p proto] [-r] [-s] [-x] [-t] [interval]

  -a            Displays all connections and listening ports.
 [...]
  -n            Displays addresses and port numbers in numerical form.
 [...]

# To get a simple listing of open connections we can run the command below and work through 
# identifying the use case behind each connection, and either include in the whitelist or test 
# the blocking of that traffic

netstat -n -a

# *nix includes lsof to show connections - excerpts of the help text is included below

[root@LAB]# lsof -h
lsof 4.87
 latest revision: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/
 latest FAQ: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/FAQ
 latest man page: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/lsof_man
 usage: [-?abhKlnNoOPRtUvVX] [+|-c c] [+|-d s] [+D D] [+|-f[gG]] [+|-e s]
 [-F [f]] [-g [s]] [-i [i]] [+|-L [l]] [+m [m]] [+|-M] [-o [o]] [-p s]
[+|-r [t]] [-s [p:s]] [-S [t]] [-T [t]] [-u s] [+|-w] [-x [fl]] [-Z [Z]] [--] [names]
Defaults in parentheses; comma-separated set (s) items; dash-separated ranges.
[...]
-i select IPv[46] files 
[...]
-n no host names         
[...]
-P no port names          
[...]

# To get a simple listing of open connections we can run the command below and work through 
# identifying the use case behind each connection, and either include in the whitelist or test 
# the blocking of that traffic

lsof -i -P -n

# We can also use nmap to scan the network to identify all open ports (time consuming). You can 
# also include port scanning as part of your recurring vuln. scans (CIS CSC #3) to detect 
# deviations from your baseline

nmap -p- -sS -sU 192.168.1.1 

Related News Stories

Relevant Tools

CommercialOpen-Source & “Freemium”
netBrainNmap
NeXpose (Rapid 7)OpenVAS
Security Center/Nessus (Tenable)Netstat / lsof
Qualys Cloud PlatformProcess Hacker / Process Explorer
SAINTMicrosoft Windows Advanced Firewall
IP360 (Tripwire nCircle)Ipchains / Iptables
Vulnerability Control (Skybox)

The CIS Controls are in version 7.1 at the time of this writing. For more information on this control check out the CIS Control #9 page here.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s