9.4: Apply Host-Based Firewalls or Port-Filtering
Sub-control 9.4 states that you must apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.
| Asset Type | Security Function | Implementation Groups | 
|---|---|---|
| Devices | Protect | 1, 2, 3 | 
Dependencies
- Sub-control 1.4: Maintain Detailed Asset Inventory
- Sub-control 1.5: Maintain Asset Inventory Information
Inputs
- Endpoint Inventory: The endpoints that can be scanned, and are therefore assumed capable of hosting firewall/port-filtering software.
- Policy: A policy (or set of policies, potentially individually per endpoint) indicating which ports are allowed to be open.
Operations
- For each endpoint, retrieve the firewall policy.
- For each firewall policy, enumerate both the ports that are allowed to communicate and whether a default deny rule is configured, noting along the way which policies are configured appropriately or inappropriately.
Measures
| Measure | Definition | 
|---|---|
| M1 = List of endpoints | A list of all endpoints. | 
| M2 = Count of items in M1 | A count of the total number of items in M1. | 
| M3 = List of endpoints with appropriately configured firewall ports policy | A list of endpoints that have an appropriately configured firewall ports policy. | 
| M4 = Count of items in M3 | A count of the total number of items in M3. | 
| M5 = List of endpoints with inappropriately configured firewall ports policy | A list of endpoints that do not have an appropriately configured firewall ports policy. | 
| M6 = Count of items in M5 | A count of the total number of items in M5. | 
| M7 = List of endpoints with appropriately configured default deny rule | A list of endpoints that have an appropriately configured default deny rule. | 
| M8 = Count of items in M7 | A count of the total number of items in M7. | 
| M9 = List of endpoints with inappropriately configured default deny rule | A list of endpoints that do not have an appropriately configured default deny rule. | 
| M10 = Count of items in M9 | A count of the total number of items in M9. | 
| M11 = List of endpoints with both an appropriately configured firewall ports policy and an appropriately configured default deny rule | A list of endpoints that have both an appropriately configured firewall ports policy and an appropriately configured default deny rule. | 
| M12 = Count of items in M11 | A count of the total number of items in M11. | 
| M13 = List of endpoints with at least one inappropriate firewall configuration | A list of all endpoints with at least one inappropriate firewall configuration. | 
| M14 = Count of items in M13 | A count of the total number of items in M13. | 
Metrics
Coverage
| Metric | Calculation | 
|---|---|
| The ratio of correctly configured endpoints (both an appropriate firewall ports policy and an appropriate default deny rule) compared to the total number of endpoints. | M12 / M2 |
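The following is an added worked example, not part of the CIS document, showing how the Operations above turn into the Measures and the Coverage metric. It assumes a simplified, constructed host-firewall export format (one rule per line such as `allow tcp 22` or `default deny`) standing in for whatever a real endpoint agent returns; the endpoint names, ports and policy are all constructed sample data. An endpoint absent from the allowed-ports policy is treated as having no allowed ports, so any open port on it counts as inappropriate. The coverage ratio is computed as M12 / M2 (fully correct endpoints over all endpoints); M14 / M2 would be the complementary share of endpoints with at least one misconfiguration.

```python
from dataclasses import dataclass, field


@dataclass
class HostFirewall:
    """Parsed view of one endpoint's host-based firewall configuration."""
    open_ports: set = field(default_factory=set)   # set of (proto, port) tuples
    default_action: str = "allow"                   # "allow" or "deny"; assume allow unless stated


def parse_host_firewall(text):
    """Parse the constructed export format: 'allow <proto> <port>' or 'default <allow|deny>'."""
    fw = HostFirewall()
    for raw in text.splitlines():
        line = raw.strip().lower()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0] == "default" and len(parts) == 2 and parts[1] in ("allow", "deny"):
            fw.default_action = parts[1]
        elif parts[0] == "allow" and len(parts) == 3 and parts[2].isdigit():
            fw.open_ports.add((parts[1], int(parts[2])))
        else:
            raise ValueError(f"unrecognised firewall rule: {raw!r}")
    return fw


def evaluate(endpoints, policy):
    """Compute measures M1..M14 and the Coverage metric.

    endpoints: {name: firewall export text}  (Input: Endpoint Inventory)
    policy:    {name: set of (proto, port) the endpoint is allowed to open}  (Input: Policy)
    """
    m = {"M1": sorted(endpoints)}
    for key in ("M3", "M5", "M7", "M9", "M11", "M13"):
        m[key] = []
    for name in m["M1"]:
        fw = parse_host_firewall(endpoints[name])
        # Ports policy is appropriate only if every open port is explicitly allowed.
        ports_ok = fw.open_ports <= policy.get(name, set())
        # Default deny is appropriate only if the default action actually drops traffic.
        deny_ok = fw.default_action == "deny"
        (m["M3"] if ports_ok else m["M5"]).append(name)
        (m["M7"] if deny_ok else m["M9"]).append(name)
        (m["M11"] if (ports_ok and deny_ok) else m["M13"]).append(name)
    # Even-numbered measures are the counts of the preceding lists.
    for list_key, count_key in (("M1", "M2"), ("M3", "M4"), ("M5", "M6"), ("M7", "M8"),
                                ("M9", "M10"), ("M11", "M12"), ("M13", "M14")):
        m[count_key] = len(m[list_key])
    m["coverage"] = m["M12"] / m["M2"] if m["M2"] else 0.0
    return m


# Constructed sample inventory: four endpoints and their (pretend) firewall exports.
SAMPLE_ENDPOINTS = {
    "ws-01": "allow tcp 22\nallow tcp 443\ndefault deny\n",          # fully compliant
    "ws-02": "allow tcp 22\nallow tcp 3389\ndefault deny\n",         # 3389 not allowed by policy
    "ws-03": "allow tcp 22\ndefault allow\n",                        # no default deny
    "srv-04": "# legacy host\nallow tcp 445\nallow tcp 3389\n",      # no default rule at all
}

# Constructed policy: which ports each endpoint may leave open.
SAMPLE_POLICY = {
    "ws-01": {("tcp", 22), ("tcp", 443)},
    "ws-02": {("tcp", 22)},
    "ws-03": {("tcp", 22)},
    "srv-04": {("tcp", 445)},
}

if __name__ == "__main__":
    result = evaluate(SAMPLE_ENDPOINTS, SAMPLE_POLICY)
    for key in ("M1", "M3", "M5", "M7", "M9", "M11", "M13"):
        print(f"{key}: {result[key]}")
    print(f"Coverage (M12 / M2): {result['coverage']:.2f}")
```

Running the block lists each measure for the four constructed endpoints and reports a coverage of 0.25, since only `ws-01` has both an appropriate ports policy and a default deny rule.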