How can this control be implemented, automated, and its effectiveness measured?
QW: Network perimeters should implement both ingress and egress filtering, allowing only those services and protocols that have a defined, documented business need for the organization. A ‘default to deny’ rule should be applied between firewalled networks, with only specific services allowed through.
Config/Hygiene: Host-based firewalls or port filtering tools should be applied on end systems, again with a default deny rule.
Config/Hygiene: Configuration and vulnerability testing tools should be tuned to compare services that are listening on each machine against a list of authorized services. The tools should be further tuned to identify changes over time on systems for both authorized and unauthorized services. Use government-approved scanning files to ensure minimum standards are met.
Config/Hygiene: Implement hardening recommendations from guidelines for underlying operating systems and installed applications, such as those found in mandatory STIG (Secure Technical Implementation Guides) requirements, NIST configuration guidelines, or Center for Internet Security hardening guides, if they exist for the given technology.
Config/Hygiene: Periodically, a secure version of an authorized service should be activated on a relatively unimportant system to verify that the change is flagged by the configuration and vulnerability testing tools in the environment.
Procedures and tools for implementing this control:
Port scanning tools are used to determine which services are listening on the network for a range of target systems. In addition to determining which ports are open, effective port scanners can be configured to identify the version of the protocol and service listening on each discovered open port. This list of services and their versions is compared against an inventory of services required by the organization for each server and workstation, maintained in an asset management system such as those described in Critical Control #1. Recently added features in these port scanners are being used to determine the changes in services offered by scanned machines on the network since the previous scan, helping security personnel identify differences over time.
To evaluate their scanning procedures, information security personnel often run a free network listening tool on a sample machine, configured simply to listen on a given TCP
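The two comparisons this paragraph and the Config/Hygiene items above describe (listening services against the authorized inventory, and the current scan against the previous one) are straightforward to script. The following is an added example, not code from the Critical Controls document or from any scanner vendor; the host addresses, inventory and scan lines are constructed, and the scan lines only resemble nmap's grepable (-oG) layout, so the parser is an assumption about that format rather than a reference implementation of it.

```python
"""Compare observed listening services against an authorized inventory and
against a previous scan.  Added example for the Critical Controls text; all
hosts, services and scan lines below are constructed, not real assets."""
import re

# Constructed inventory: authorized (proto, port, service) per host.  In a
# real deployment this comes from the asset management system.
AUTHORIZED = {
    "10.0.0.5": {("tcp", 22, "ssh"), ("tcp", 443, "https")},
    "10.0.0.8": {("tcp", 22, "ssh"), ("tcp", 3306, "mysql")},
}

# Constructed scan output resembling nmap -oG lines (assumption about format).
PREVIOUS_SCAN = """\
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 443/open/tcp//https//nginx 1.18/\tIgnored State: closed (998)
Host: 10.0.0.8 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 3306/open/tcp//mysql//MySQL 8.0/
"""
# Current scan: a new listener on .5 (the self-test from the Config/Hygiene
# item), mysql on .8 now filtered, and a host .9 that is not in the inventory.
CURRENT_SCAN = """\
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 443/open/tcp//https//nginx 1.18/, 8080/open/tcp//http-proxy//Apache httpd 2.4/
Host: 10.0.0.8 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 3306/filtered/tcp//mysql///
Host: 10.0.0.9 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0/
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\([^)]*\)\s+Ports:\s+(.*)$")


def parse_scan(text):
    """Return {host: {(proto, port, service): version}} for open ports only."""
    result = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        host, ports = m.groups()
        ports = ports.split("\t")[0]          # drop the "Ignored State" tail
        services = {}
        for entry in ports.split(","):
            # port/state/proto/owner/service/rpc/version/
            fields = entry.strip().split("/")
            if len(fields) < 7 or fields[1] != "open":
                continue
            key = (fields[2], int(fields[0]), fields[4])
            services[key] = fields[6]
        result[host] = services
    return result


def unauthorized_services(scan, authorized):
    """Open services absent from the inventory, keyed by host.  A host the
    inventory does not know about has every listener flagged."""
    findings = {}
    for host, services in scan.items():
        allowed = authorized.get(host, set())
        extra = {svc for svc in services if svc not in allowed}
        if extra:
            findings[host] = extra
    return findings


def scan_delta(previous, current):
    """Services that appeared or disappeared between two scans.  Both
    directions matter: a vanished authorized service is also a change."""
    added, removed = {}, {}
    for host in set(previous) | set(current):
        before = set(previous.get(host, {}))
        after = set(current.get(host, {}))
        if after - before:
            added[host] = after - before
        if before - after:
            removed[host] = before - after
    return added, removed


def report(previous_text, current_text, authorized):
    """Produce the review lines a security team would look at after a scan."""
    prev, cur = parse_scan(previous_text), parse_scan(current_text)
    lines = []
    for host, extra in sorted(unauthorized_services(cur, authorized).items()):
        for proto, port, svc in sorted(extra):
            lines.append(f"UNAUTHORIZED {host} {port}/{proto} {svc} ({cur[host][(proto, port, svc)]})")
    added, removed = scan_delta(prev, cur)
    for host, svcs in sorted(added.items()):
        for proto, port, svc in sorted(svcs):
            lines.append(f"NEW        {host} {port}/{proto} {svc}")
    for host, svcs in sorted(removed.items()):
        for proto, port, svc in sorted(svcs):
            lines.append(f"GONE       {host} {port}/{proto} {svc}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(PREVIOUS_SCAN, CURRENT_SCAN, AUTHORIZED)))
```

Run against the constructed data, the report flags the 8080 listener on 10.0.0.5 and the ftp listener on the unknown host 10.0.0.9 as unauthorized, and reports mysql on 10.0.0.8 as gone since the previous scan; filtered ports are deliberately excluded so that a host-based default-deny rule taking effect shows up as a removal rather than a new finding.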