Advanced: The network infrastructure should be managed across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions to network devices.
Procedures and tools for implementing this control:
Port scanners and most vulnerability scanning tools can be used to send packets through the device to every TCP and UDP port, which tests the effectiveness of the firewall’s configuration. A sniffer set up on the far side of the firewall records which packets are actually allowed through the device. The observed results can then be matched against the list of services that are allowed both inbound and outbound (defined through policy that should reflect the documented business need for each allowed service), thereby identifying misconfigured firewalls: packets that crossed the device without being in the allowed list, and allowed services that never appeared on the far side. Such measurement should be conducted at least every quarter, and also whenever significant changes are made to firewall rule sets and router access control lists.
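The comparison step described above can be automated once the sniffer output is in hand. The following script is an added example, not part of the Critical Controls document: it takes a constructed allowed-services policy and a constructed sniffer log (direction, protocol, destination port for each packet that traversed the device, assuming the scanner probed every TCP and UDP port) and reports both packets that got through without policy backing and allowed services that were never observed. The log format and policy structure are assumptions for this example.

```python
"""Match sniffer observations from the far side of a firewall against the
documented allowed-services policy (added example; all data constructed)."""
from collections import namedtuple

Observed = namedtuple("Observed", "direction proto dport")

# Documented policy: services the firewall is supposed to pass.
# Constructed for this example; a real list comes from the business-need review.
ALLOWED = {
    "inbound":  {("tcp", 80), ("tcp", 443), ("tcp", 25)},
    "outbound": {("tcp", 80), ("tcp", 443), ("udp", 53)},
}

# What the sniffer on the far side recorded while the scanner hit every
# TCP and UDP port (constructed). Each line is one packet that crossed the device.
SNIFFER_LOG = """
inbound tcp 80
inbound tcp 443
inbound tcp 3389
inbound udp 161
outbound tcp 443
outbound udp 53
outbound tcp 6667
"""


def parse_sniffer_log(text):
    """Parse 'direction proto dport' lines into Observed records."""
    records = []
    for line in text.strip().splitlines():
        direction, proto, dport = line.split()
        records.append(Observed(direction, proto.lower(), int(dport)))
    return records


def audit(observed, allowed):
    """Return (unexpected, blocked), both sorted lists of (direction, proto, port).

    unexpected: packets that traversed the device but have no policy entry,
                i.e. the filter is more permissive than documented.
    blocked:    policy-allowed services never seen on the far side; since the
                scan covered every port, these are over-blocked (or the sniffer
                missed them) and need follow-up either way.
    """
    seen = {(o.direction, o.proto, o.dport) for o in observed}
    unexpected = sorted(
        key for key in seen
        if (key[1], key[2]) not in allowed.get(key[0], set())
    )
    blocked = sorted(
        (direction, proto, port)
        for direction, services in allowed.items()
        for proto, port in services
        if (direction, proto, port) not in seen
    )
    return unexpected, blocked


if __name__ == "__main__":
    unexpected, blocked = audit(parse_sniffer_log(SNIFFER_LOG), ALLOWED)
    print("Passed but not in policy (tighten the rule set):")
    for direction, proto, port in unexpected:
        print(f"  {direction} {proto}/{port}")
    print("In policy but never observed (check rules or sniffer placement):")
    for direction, proto, port in blocked:
        print(f"  {direction} {proto}/{port}")
```

Feed the first list back to the firewall administrators as rule-set defects; the second list separates over-blocking from a dead sniffer only if the sniffer is confirmed to have seen the allowed traffic that did pass, so keep the raw capture alongside the report.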
More effective organizations use commercial tools that evaluate the rule sets of firewalls and routers with access control lists to determine whether the rules are consistent or in conflict, providing an automated sanity check of network filters and searching for errors in rule sets or ACLs that may allow unintended services through the device. Such tools should be run each time significant changes are made to firewall rule sets or router access control lists.
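One of the checks such tools perform is detecting rules in an ordered, first-match rule set that can never fire because an earlier rule already matches every packet they would match. The script below is an added example, not a commercial product or anything from the Critical Controls document; its rule syntax (name, action, protocol, source, destination, port range) and the five sample rules are constructed. A shadowed rule with the same action as the covering rule is dead weight; one with the opposite action is a conflict, which is how a permit that was meant to open a service silently fails, or a deny that was meant to close one is bypassed.

```python
"""Static consistency check of an ordered first-match rule set: reports rules
that are shadowed by an earlier rule, and conflicts where the shadowing rule
has the opposite action (added example; rule syntax and rules constructed)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                    # "permit" or "deny"
    proto: str                     # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dports: tuple                  # (low, high), inclusive


def parse_rule(line):
    """Parse one constructed-format line: name action proto src dst low-high."""
    name, action, proto, src, dst, ports = line.split()
    low, high = (int(p) for p in ports.split("-"))
    return Rule(name, action, proto.lower(),
                ipaddress.ip_network(src), ipaddress.ip_network(dst), (low, high))


def load_rules(text):
    return [parse_rule(line) for line in text.strip().splitlines()]


def covers(outer, inner):
    """True if every packet matched by `inner` is also matched by `outer`."""
    return ((outer.proto == "any" or outer.proto == inner.proto)
            and inner.src.subnet_of(outer.src)
            and inner.dst.subnet_of(outer.dst)
            and outer.dports[0] <= inner.dports[0]
            and inner.dports[1] <= outer.dports[1])


def analyse(rules):
    """Return [(rule, 'shadowed' | 'conflict', covering_rule), ...] for every
    rule that an earlier rule fully covers; the first covering rule is reported."""
    findings = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, rule):
                kind = "shadowed" if earlier.action == rule.action else "conflict"
                findings.append((rule.name, kind, earlier.name))
                break
    return findings


# Constructed sample rule set. r3 is intended to allow SSH to one host but sits
# below a broad deny; r4 duplicates r1.
RULES_TEXT = """
r1 permit tcp 10.0.0.0/8    192.168.1.10/32 443-443
r2 deny   tcp 10.0.0.0/8    192.168.1.0/24  1-65535
r3 permit tcp 10.1.0.0/16   192.168.1.20/32 22-22
r4 permit tcp 10.0.0.0/8    192.168.1.10/32 443-443
r5 permit udp 0.0.0.0/0     192.168.1.53/32 53-53
"""

if __name__ == "__main__":
    for name, kind, by in analyse(load_rules(RULES_TEXT)):
        print(f"{name}: {kind} by {by}")
```

Run it against the rule set after every change, as the text recommends; a conflict finding means the intended effect of the later rule is not what the device actually enforces, and the scan-and-sniff test above will show the same discrepancy from the outside.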
Critical Control 5: Boundary Defense
How do attackers exploit the lack of this control?
Attackers target Internet-facing systems because they are accessible. They use weaknesses they find there as jumping-off points to get inside the boundary, to steal or change information, or to set up a persistent presence for later attacks. Additionally, many attacks occur between business partner networks, sometimes referred to as extranets, as attackers hop from one organization’s network to another, exploiting vulnerable systems on extranet perimeters.