255 – Allow access only to the necessary ports

Summary

Network segments and servers with applications or content must allow access only to the necessary ports.

Description

Unnecessary open ports increase the likelihood of exposure to exploits and attacks targeting specific services or applications. Closing unused ports mitigates the risk of exploitation and limits the potential impact of security vulnerabilities. Additionally, proper segmentation of network resources and restriction of ports contribute are important parts of a secure network architecture.

Supported In

Essential: True

Advanced: True

References

• CIS-4_5. Implement and manage a firewall on end-user devices
• CIS-4_8. Uninstall or disable unnecessary services on enterprise assets and software
• HIPAA-164_312_e_1. Standard: transmission security
• NERCCIP-007-6_R1_1. Ports and services
• OWASP10-A10. Server-side request forgery
• NYSHIELD-5575_B_6. Personal and private information
• MITRE-M1031. Network intrusion prevention
• PADSS-6_2. For wireless technology, implement strong encryption for authentication and transmission
• CMMC-AC_L2-3_1_17. Wireless access protection
• CMMC-MP_L2-3_8_1. Media protection
• CMMC-MP_L2-3_8_7. Removable media
• CMMC-PE_L1-3_10_5. Manage physical access
• CMMC-SC_L1-3_13_1. Boundary protection
• HITRUST-01_l. Remote diagnostic and configuration port protection
• HITRUST-08_c. Securing offices, rooms and facilities
• HITRUST-09_m. Network controls
• FEDRAMP-CM-7. Least functionality
• ISO27002-8_21. Security of network services
• IEC62443-RA-7_7. Least functionality
• OSSTMM3-9_7_3. Wireless security (controls verification) - Privacy
• ISSAF-E_13. Network security - Switch security assessment (assess private VLAN attack)
• ISSAF-L_4_3. Network security - WLAN security (audit and review)
• PTES-5_2_2_1. Vulnerability analysis - Network vulnerability scanners (port based)
• PTES-5_2_2_2. Vulnerability analysis - Network vulnerability scanners (service based)
• PTES-7_3_1. Post exploitation - Infrastructure analysis (network configuration)
• NIST800171-4_7. Restrict, disable, or prevent the use of nonessential functions, ports, protocols, and services
• NIST800115-3_5. Network sniffing
• C2M2-9_2_c. Implement network protections for cybersecurity architecture
• C2M2-9_3_d. Implement IT and OT asset security for cybersecurity architecture
• PCI-1_2_5. Network security controls are configured and maintained
• PCI-1_4_2. Restrict inbound traffic from untrusted networks
• PCI-9_2_2. Physical access controls manage entry into systems containing data
• SIG-I_3_2_5_1. Application security
• SIG-N_1_11. Network security
• CAPEC-700. Network Boundary Bridging
• ISO27001-8_21. Security of network services

Weaknesses

• 109 – Unrestricted access between network segments - RDS
• 157 – Unrestricted access between network segments
• 158 – Unrestricted access between network segments - Azure AD
• 311 – Unrestricted access between network segments - JSch
• 368 – Unrestricted access between network segments - StrictHostKeyChecking
• 457 – Unrestricted access between network segments - databases
• 024 – Unrestricted access between network segments - AWS

Last updated

2024/01/18