SANS Critical Control 11: Limitation and Control of Network Ports, Protocols, and Services

Exposure level and Risk level are directly proportional to each other!

Ports, protocols and services are entry points and mechanisms into a target network or system. Default installations, misconfigurations, unauthorized services, etc. result in increased exposure. Attackers are always on the lookout for such vulnerable avenues, which can be leveraged to gain access to the target network or system.

SANS Critical Control 11 talks about tracking, controlling and limiting the use of network ports, protocols and services with the intention of reducing the attack surface.

SANS lists the following key points for limitation and control of network ports, protocols and services:

  1. Active scanner analyzes production systems for unauthorized ports, protocols, and services
  2. System baselines regularly updated based on necessary/required services
  3. Active scanner validates which ports, protocols, and services are blocked or allowed by the application firewall
  4. Active scanner validates which ports, protocols, and services are accessible on business systems protected with host-based firewalls
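
As an added illustration of points 1 and 2 (not code from SANS or from Unified VRM), the sketch below compares scan results against an approved baseline and flags unauthorized services, service mismatches, and baseline entries that were not observed. It assumes the scanner can export Nmap's grepable (`-oG`) format; the baseline, hosts and scan lines are constructed sample data.

```python
import re

# Approved baseline (constructed): host -> {(proto, port): expected service}
BASELINE = {
    "192.0.2.10": {("tcp", 22): "ssh", ("tcp", 443): "https"},
    "192.0.2.20": {("tcp", 22): "ssh", ("tcp", 5432): "postgresql"},
}

# Constructed sample in Nmap grepable (-oG) format; not real scan data.
SCAN = """\
# Nmap scan initiated (constructed sample)
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 23/open/tcp//telnet///
Host: 192.0.2.20 ()\tPorts: 22/open/tcp//ssh///, 5432/closed/tcp//postgresql///, 161/open/udp//snmp///
Host: 192.0.2.30 ()\tPorts: 8080/open/tcp//http-proxy///
"""

def parse_grepable(text):
    """Return {host: {(proto, port): service}} for ports reported open."""
    observed = {}
    for line in text.splitlines():
        m = re.match(r"Host: (\S+) .*?Ports: (.*?)(?:\t|$)", line)
        if not m:
            continue  # comment or status line
        ports = observed.setdefault(m.group(1), {})
        for entry in m.group(2).split(","):
            f = entry.strip().split("/")  # port/state/proto/owner/service/...
            if len(f) >= 5 and f[1] == "open":
                ports[(f[2], int(f[0]))] = f[4]
    return observed

def audit(baseline, observed):
    """Return sorted (host, proto, port, finding, service) tuples."""
    findings = []
    for host in sorted(set(baseline) | set(observed)):
        # A host with no baseline entry has nothing authorized.
        allowed, seen = baseline.get(host, {}), observed.get(host, {})
        for key in sorted(set(allowed) | set(seen)):
            proto, port = key
            if key not in allowed:
                findings.append((host, proto, port, "unauthorized", seen[key]))
            elif key not in seen:  # baseline may need updating
                findings.append((host, proto, port, "not-observed", allowed[key]))
            elif seen[key] != allowed[key]:
                findings.append((host, proto, port, "service-mismatch", seen[key]))
    return findings

if __name__ == "__main__":
    for finding in audit(BASELINE, parse_grepable(SCAN)):
        print(*finding)
```

A `not-observed` finding is a prompt to review the baseline rather than an alert: the service may have been retired, or it may simply have been down during the scan.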

Unified VRM includes internal network and external network modules, which are responsible for detecting, aggregating and reporting risks in a prioritized fashion for internal and external networks respectively. These modules include an active scanner that interacts with the target system in order to identify open ports, supported protocols and running services.

Unified VRM allows customers to scan production systems as and when required, allowing the user to keep track of authorized ports, protocols and services after each scan. Unauthorized ports, protocols or services that are identified can be disabled or uninstalled, and the change can be tested by performing another scan using Unified VRM’s built-in scanner.

The active scanner in Unified VRM can be leveraged to test the application firewall’s implementation. The scanner can be used to verify whether the application firewall blocks all traffic except that directed towards authorized ports and services, and whether it generates an alert.

Host-based firewalls are implemented in addition to the application firewall to maintain a defense-in-depth strategy. Unified VRM’s active scanner can be directed towards business systems to identify unauthorized ports, protocols and services in the presence of a host-based firewall.