This is Part 10 & 11 of a 'How-To' effort to compile a list of tools (free and commercial) that can help IT administrators comply with what was formerly known as the "SANS Top 20 Security Controls". It is now known as the Center for Internet Security (CIS) Security Controls. A summary of the previous posts is here:
- Part 1 - we looked at Inventory of Authorized and Unauthorized Devices.
- Part 2 - we looked at Inventory of Authorized and Unauthorized Software.
- Part 3 - we looked at Secure Configurations.
- Part 4 - we looked at Continuous Vulnerability Assessment and Remediation.
- Part 5 - we looked at Malware Defenses.
- Part 6 - we looked at Application Security.
- Part 7 - we looked at Wireless Access Control.
- Part 8/9 - we looked at Data Recovery and Security Training.
Now we are taking on Secure Configurations for Network Devices such as Firewalls, Routers, and Switches and Limitation and Control of Network Ports, Protocols, and Services.
10. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
10-1 - Compare firewall, router, and switch configuration against standard secure configurations defined for each type of network device in use in the organization. The security configuration of such devices should be documented, reviewed, and approved by an organization change control board. Any deviations from the standard configuration or updates to the standard configuration should be documented and approved in a change control system.
Know of any?
- Nessus - Can scan an uploaded configuration of any (most) network device and alert you to insecure configurations.
- Network Configuration Management - ManageEngine's tool for managing network device configurations.
- Tripwire - audit configurations of switches, firewalls, routers, OSs, Applications, and more.
10-2 - All new configuration rules beyond a baseline-hardened configuration that allow traffic to flow through network security devices, such as firewalls and network-based IPS, should be documented and recorded in a configuration management system, with a specific business reason for each change, a specific individual's name responsible for that business need, and an expected duration of the need.
See tools listed under section 10-1.
10-3 - Use automated tools to verify standard device configurations and detect changes. All alterations to such files should be automatically reported to security personnel.
See tools listed under section 10-1.
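The automated check that 10-3 asks for boils down to pulling the running configuration, dropping the lines that change on every pull, and diffing what is left against the approved baseline. This is an added illustration, not code from the post or from any of the products listed; the two configs are constructed, Cisco-style samples, and the set of "volatile" line prefixes is an assumption you would tune per vendor.

```python
"""Detect drift between an approved (golden) device config and a freshly
pulled running config. Sample configs below are constructed, Cisco-style."""
import difflib
import re

# Assumed list of line prefixes that change on every pull without any real
# configuration change; extend per vendor so they never trigger an alert.
VOLATILE = re.compile(r"^(! Last configuration change|! NVRAM config last updated|ntp clock-period)")

def normalize(config: str) -> list:
    """Strip volatile lines, trailing whitespace and blank lines so that the
    diff reports only meaningful changes."""
    out = []
    for line in config.splitlines():
        line = line.rstrip()
        if not line or VOLATILE.match(line):
            continue
        out.append(line)
    return out

def drift(baseline: str, running: str) -> list:
    """Return the added ('+') and removed ('-') lines between the two configs;
    an empty list means the running config matches the approved baseline."""
    diff = difflib.unified_diff(normalize(baseline), normalize(running),
                                fromfile="baseline", tofile="running",
                                lineterm="", n=0)
    return [l for l in diff
            if l.startswith(("+", "-")) and not l.startswith(("+++", "---"))]

BASELINE = """\
! Last configuration change at 10:00:00 UTC Mon Jan 1 2018
hostname edge-fw1
ip access-list extended MGMT
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
 deny ip any any
line vty 0 4
 transport input ssh
 access-class MGMT in
"""

# Constructed "running" config: someone opened telnet on the management line.
RUNNING = BASELINE.replace("10:00:00 UTC Mon Jan 1", "11:30:00 UTC Tue Jan 2") \
                  .replace(" deny ip any any", " permit tcp any any eq 23\n deny ip any any") \
                  .replace(" transport input ssh", " transport input ssh telnet")

if __name__ == "__main__":
    changes = drift(BASELINE, RUNNING)
    print("ALERT: running config deviates from baseline:" if changes else "OK: no drift")
    for c in changes:
        print("  " + c)
```

Only the timestamp changed between the two samples besides the real edits, so the report contains exactly the telnet rule and the changed `transport input` line.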
10-4 - Manage network devices using two-factor authentication and encrypted sessions.
See tools listed in section 1-5. You must configure an authentication server that supports multi-factor authentication (RADIUS).
10-5 - Install the latest stable version of any security-related updates.
This is referring to network device updates. You can receive notifications from the vendor via RSS, email, or mailing list.
10-6 - Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices.
This is more of a procedure than a tool.
11. Limitation and Control of Network Ports, Protocols, and Services
11-1 - Ensure that only ports, protocols, and services with validated business needs are running on each system.
- Nmap - Well known port scanner available for Windows, Linux, Mac, (et al)
- Zenmap - Really, just a front end to nmap, for those of you who prefer to use a GUI. Downloading Nmap for Windows will give you Zenmap.
- Portscanner - from the makers of Radmin, a long-established remote desktop client.
- mDNS - not a traditional port scanner, because it listens for traffic and enumerates remote host data without making any connections, and is therefore completely invisible to firewalls and other detection devices (HIDS). How it can be used - Slides and Video.
- Angry IP - Fast, multi-platform port scanner.
- AlienVault USM - has Nmap built in alongside other detection software, and can act on the data found.
- ManageEngine - Very fast.
11-2 - Apply host-based firewalls or port filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.
Leaving out third-party tools this time... The Windows firewall and GPOs work just great for this. iptables (which I prefer over firewalld, because I said so) can also do this, with the ability to push out changes via Puppet or scripts.
BTW, Windows Firewall with Advanced Security has a STIG! There is also a STIG for configuring a default deny on iptables. You're welcome!
11-3 - Perform automated port scans on a regular basis against all key servers and compare the results to a known effective baseline. If a change that is not listed on the organization's approved baseline is discovered, an alert should be generated and reviewed.
See tools under section 11-1 and 3-8 (HIDS).
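Putting 11-1 and 11-3 together: scan with Nmap, keep a per-host list of approved open ports, and alert on anything that differs. This is an added example rather than code from the post; it parses Nmap's grepable (`-oG`) output format, and the scan output and baseline below are constructed samples (192.0.2.x documentation addresses).

```python
"""Compare Nmap grepable (-oG) output against an approved per-host port
baseline and report deviations. The scan output below is constructed."""
import re

# Each -oG port entry looks like 3306/open/tcp//mysql///
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/")

# Approved baseline (constructed): host -> set of (port, proto) allowed open.
BASELINE = {
    "192.0.2.10": {(22, "tcp"), (80, "tcp"), (443, "tcp")},
    "192.0.2.20": {(22, "tcp"), (53, "tcp"), (53, "udp")},
}

# Constructed output in the shape `nmap -sS -oG - <targets>` prints.
SCAN = """\
# Nmap 7.70 scan initiated as: nmap -sS -oG - 192.0.2.10 192.0.2.20
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 3306/open/tcp//mysql///\tIgnored State: closed (996)
Host: 192.0.2.20 ()\tStatus: Up
Host: 192.0.2.20 ()\tPorts: 22/open/tcp//ssh///, 53/open/tcp//domain///\tIgnored State: closed (998)
# Nmap done at Mon Jan  1 10:00:00 2018 -- 2 IP addresses (2 hosts up) scanned in 1.23 seconds
"""

def parse_open_ports(grepable: str) -> dict:
    """Return {host: {(port, proto), ...}} for every port Nmap reported open."""
    found = {}
    for line in grepable.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue                      # comments and Status-only lines
        host = line.split()[1]
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        for port, state, proto in PORT_RE.findall(fields["Ports"]):
            if state == "open":
                found.setdefault(host, set()).add((int(port), proto))
    return found

def compare(baseline: dict, scan: dict) -> list:
    """Alerts for ports open but not approved, and approved ports not seen
    open (which may mean a service died, or the scan did not cover it)."""
    alerts = []
    for host in sorted(set(baseline) | set(scan)):
        want, got = baseline.get(host, set()), scan.get(host, set())
        for port, proto in sorted(got - want):
            alerts.append(f"{host}: unexpected open {port}/{proto}")
        for port, proto in sorted(want - got):
            alerts.append(f"{host}: approved {port}/{proto} not seen open")
    return alerts

if __name__ == "__main__":
    for a in compare(BASELINE, parse_open_ports(SCAN)) or ["no deviations"]:
        print(a)
```

Note the second alert in the sample: the baseline lists 53/udp but the constructed scan was a TCP SYN scan, so the scan you automate has to cover every protocol the baseline claims (add `-sU` for UDP) or such entries will alert on every run.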
11-4 - Keep all services up to date and uninstall and remove any unnecessary components from the system.
This should be done when you build your master image. Also, your organization's STIG should define the baseline for your workstation and server operating system. I will refer you to section 3-1 for STIGs and secure baselines. Also, refer to section 3-2 for patching and software update tools.
11-5 - Verify any server that is visible from the Internet or an untrusted network, and if it is not required for business purposes, move it to an internal VLAN and give it a private address.
Basically, don't put internal only servers out on the DMZ, or in the security zone where your public servers reside.
11-6 - Operate critical services on separate physical or logical host machines, such as DNS, file, mail, web, and database servers.
Self-explanatory, but just in case... don't combine your torrent server with your AD DC (Active Directory domain controller). :blush:
11-7 - Place application firewalls in front of any critical servers to verify and validate the traffic going to the server.
- ModSecurity - Probably the most well-known open source Layer 7 firewall. For good reason too: very feature rich, and it can be used within pfSense firewalls.
- AQTronix - Open source WAF, used for Apache and IIS web apps.
About the Author:
Rich Johnson is currently a Systems Security Administrator with 15 years of professional experience working in IT (more if you count the years programming in Basic on the Commodore 64 and repairing Nintendo consoles as a child). Rich has a bachelor degree in Information Technology, but feels his real knowledge has been gained through hands on experience, exploring security tools, and attending various security conventions. Rich currently resides in Utah and is probably learning some new interesting thing at this moment.