Allow access only to the necessary ports
Summary
Network segments and servers with applications or content must allow access only to the necessary ports.
Description
Unnecessary open ports increase the likelihood of exposure to exploits and attacks targeting specific services or applications. Closing unused ports mitigates the risk of exploitation and limits the potential impact of security vulnerabilities.
Additionally, proper segmentation of network resources and restriction of ports contribute are important parts of a secure network architecture.
Supported In
This requirement is verified in following services
| Plan | Supported |
|---|---|
| Essential | 🟢 |
| Advanced | 🟢 |
References
- CIS-4_5. Implement and manage a firewall on end-user devices
- CIS-4_8. Uninstall or disable unnecessary services on enterprise assets and software
- HIPAA-164_312_e_1. Standard: transmission security
- NERC CIP-007-6_R1_1. Ports and services
- OWASP TOP 10-A10. Server-side request forgery
- NY SHIELD Act-5575_B_6. Personal and private information
- MITRE ATT&CK®-M1031. Network intrusion prevention
- PA-DSS-6_2. For wireless technology, implement strong encryption for authentication and transmission
- CMMC-AC_L2-3_1_17. Wireless access protection
- CMMC-MP_L2-3_8_1. Media protection
- CMMC-MP_L2-3_8_7. Removable media
- CMMC-PE_L1-3_10_5. Manage physical access
- CMMC-SC_L1-3_13_1. Boundary protection
- HITRUST CSF-01_l. Remote diagnostic and configuration port protection
- HITRUST CSF-08_c. Securing offices, rooms and facilities
- HITRUST CSF-09_m. Network controls
- FedRAMP-CM-7. Least functionality
- ISO/IEC 27002-8_21. Security of network services
- ISA/IEC 62443-RA-7_7. Least functionality
- OSSTMM3-9_7_3. Wireless security (controls verification) - Privacy
- ISSAF-E_13. Network security - Switch security assessment (assess private VLAN attack)
- ISSAF-L_4_3. Network security - WLAN security (audit and review)
- PTES-5_2_2_1. Vulnerability analysis - Network vulnerability scanners (port based)
- PTES-5_2_2_2. Vulnerability analysis - Network vulnerability scanners (service based)
- PTES-7_3_1. Post exploitation - Infrastructure analysis (network configuration)
- NIST 800-171-4_7. Restrict, disable, or prevent the use of nonessential functions, ports, protocols, and services
- NIST 800-115-3_5. Network sniffing
- C2M2-9_2_c. Implement network protections for cybersecurity architecture
- C2M2-9_3_d. Implement IT and OT asset security for cybersecurity architecture
- PCI DSS-1_2_5. Network security controls are configured and maintained
- PCI DSS-1_4_2. Restrict inbound traffic from untrusted networks
- PCI DSS-9_2_2. Physical access controls manage entry into systems containing data
- SIG Core-I_3_2_5_1. Application security
- SIG Core-N_1_11. Network security
- CAPECâ„¢-700. Network Boundary Bridging
- ISO/IEC 27001-8_21. Security of network services
Vulnerabilities
- 024.Unrestricted access between network segments - AWS
- 109.Unrestricted access between network segments - RDS
- 157.Unrestricted access between network segments
- 158.Unrestricted access between network segments - Azure AD
- 311.Unrestricted access between network segments - JSch
- 368.Unrestricted access between network segments - StrictHostKeyChecking
Free trial
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.