12.4: Deny Communication Over Unauthorized Ports
Sub-control 12.1 states that you must deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only authorized protocols are allowed to cross the network boundary in or out of the network at each of the organization’s network boundaries.
| Asset Type | Security Function | Implementation Groups |
|---|---|---|
| Network | Protect | 1, 2, 3 |
Dependencies
- Sub-control 1.4: Maintain Detailed Asset Inventory
- Sub-control 1.5: Maintain Asset Inventory Information
-
Sub-control 2.4: Track Software Inventory Information
Inputs
-
List of endpoints to scan: The list of endpoints to scan that are assumed capable of hosting firewall/port-filtering software as derived from the endpoint inventory (.sub-control 1.4) Additionally, this could potentially be informed by the software inventory (sub-control 2.4)
-
Open policies: A policy (or set of policies, potentially individually per endpoint) indicating the ports that are allowed to be open.
Operations
-
For each endpoint, retrieve its firewall policy.
-
For each endpoint/firewall policy pair, examine the endpoint’s configuration to enumerate the ports that allow communication. Also, examine any configuration of a default deny rule. Note which endpoints are configured appropriately or inappropriately.
Measures
| Measure | Definition |
|---|---|
| M1 = List of scanned endpoints |
A list of all scanned endpoints. |
|
M2 = Count of items in M1 |
A count of the total number of items in M1. |
| M3 = List of endpoints with appropriate port configuration | A list of endpoints with appropriate port configuration. |
| M4 = Count of items in M3 | A count of the total number of items in M3. |
| M5 = List of endpoints with inappropriate port configuration | A list of endpoints with inappropriate port configuration. |
| M6 = Count of items in M5 | A count of the total number of items in M5. |
| M7= List of endpoints with appropriately configured default deny rule | A list of all endpoints with an appropriately configured default deny rule. |
| M8 = Count of items in M7 | A count of the total number of items in M7. |
| M9 = List of endpoints within appropriately configured default deny rule | A list of endpoints with an inappropriately configured default deny rule. |
| M10 = Count of items in M9 | A count of the total number of items in M9. |
| M11 = List of endpoints with both appropriately configured ports and default deny rules | A list of endpoints with both appropriately configured ports and default deny rules. |
| M12 = Count of items in M11 | A count of the total number of items in M11. |
Metrics
Coverage
| Metric | Calculation |
|---|---|
| The ratio of correctly configured endpoints compared to the total number of endpoints. | M12 / M2 |