Today we continue our look at a series of practical steps that districts can use to increase their NIST compliance. Looking at the complete set of NIST controls can be a daunting experience. One of the best ways we have found to make these cybersecurity improvements more attainable is following the CIS Controls Top 20 list, which maps nicely onto NIST. CIS also breaks its controls into three implementation groups: a "start here" group 1, a more "advanced" group 2, and, once those are done, group 3 for full "Ninja status." This series is going to focus on a walk through the "start here" group 1 items.
Today's topic is host-based protections, part of the control for managing (tracking, controlling and correcting) the ongoing operational use of ports, protocols, and services on networked devices to minimize the windows of vulnerability available to attackers. The implementation group 1 (IG1) requirement for this control has a single action item:
Action item #1 - Apply Host-Based Firewalls or Port-Filtering - Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.
The requirement here is that on all your endpoint devices, whether they be servers or workstations, you are running some control utility that limits inbound and outbound communication on the device to only those ports and protocols required by the applications installed on it. The goal is to limit an attacker's or malware's ability to make use of wide-open ports and protocols between devices to facilitate its operation and distribution across your network.
For most of you with Windows-based servers and workstations, the obvious answer is the embedded Windows Firewall service. This service is most easily configured and tuned for your network via AD Group Policies.
For Linux-based devices, the most common tool for configuring firewall rules is "iptables".
For those interested, a few vendors offer alternative management interfaces for the built-in OS firewall, or complete replacement firewalls.
The key to all of this is taking the time to do the due diligence to configure the host-based firewalls properly so that your applications run as intended while the host's attack surface is minimized.
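One way to check that due diligence on a Linux host is to audit the firewall's current rule set against the IG1 wording. The script below is an added example, not part of the original post: it reads an `iptables-save` style dump and confirms that the INPUT and OUTPUT chains default to DROP and that the only port-based ACCEPT rules are on an approved list. The sample dump, the allowlists and the function names are constructed for illustration; on a real host you would feed it the output of `iptables-save`.

```shell
#!/bin/sh
# Audit an `iptables-save` style dump for the IG1 requirement: default-deny chain
# policies plus ACCEPT rules only for explicitly approved ports. Constructed sample
# dump (assumption: a workstation meant to accept only SSH inbound and DNS/HTTPS
# outbound); the stray 3389 rule and the INPUT ACCEPT policy are drift to be caught.
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 3389 -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 443 -j ACCEPT
COMMIT'
# audit_chain_policy DUMP CHAIN: prints ok / fail / missing for the chain's default policy
audit_chain_policy() {
  printf '%s\n' "$1" | awk -v chain=":$2" '
    $1 == chain { found = 1; if ($2 == "DROP") print "ok"; else print "fail" }
    END { if (!found) print "missing" }'
}
# unexpected_ports DUMP CHAIN ALLOWED: prints proto/port for every ACCEPT rule with a
# --dport that is not in ALLOWED (space-separated, e.g. "tcp/22 udp/53")
unexpected_ports() {
  printf '%s\n' "$1" | awk -v chain="$2" -v allowed=" $3 " '
    $1 == "-A" && $2 == chain && $NF == "ACCEPT" {
      proto = ""; port = ""
      for (i = 3; i < NF; i++) {
        if ($i == "-p") proto = $(i + 1)
        if ($i == "--dport") port = $(i + 1)
      }
      if (port != "" && index(allowed, " " proto "/" port " ") == 0) print proto "/" port
    }'
}
# audit_dump DUMP ALLOW_IN ALLOW_OUT: returns 0 only when INPUT and OUTPUT default to
# DROP and every port-based ACCEPT rule is on the corresponding allowlist
audit_dump() {
  status=0
  for chain in INPUT OUTPUT; do
    [ "$(audit_chain_policy "$1" "$chain")" = "ok" ] || { echo "$chain default policy is not DROP"; status=1; }
  done
  extra=$(unexpected_ports "$1" INPUT "$2"); [ -z "$extra" ] || { echo "INPUT accepts unapproved: $extra"; status=1; }
  extra=$(unexpected_ports "$1" OUTPUT "$3"); [ -z "$extra" ] || { echo "OUTPUT accepts unapproved: $extra"; status=1; }
  return $status
}
audit_dump "$SAMPLE_DUMP" "tcp/22" "udp/53 tcp/443" || echo "not compliant"
```

Rules without a --dport (loopback, established/related) are ignored by the port check, so review those by hand; conntrack-based allow rules are expected on a default-deny host.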
As always, if you are looking for assistance with getting host-based firewall policies deployed in your network, reach out to our team. We will be happy to help you get started.