Building Cyber Defenses, CIS Control #9: Limitation and Control of Network Ports, Protocols and Services
by Marian Bodunrin
Transmitting and receiving data via network ports is a necessary evil. Every network process communicates through a specific port to a port on another machine, so the inherent risk of exposing a port cannot be avoided, only managed. The most perilous services on a network are the ones you don't know are running. Default system installations often activate services that serve little or no useful purpose and go unnoticed. "Shadow IT" operations may also start up unauthorized, poorly secured services.
There are 65,535 TCP ports and 65,535 UDP ports. Some of them are more vulnerable than others. For example, TCP port 21 connects FTP servers to the internet but has several weaknesses, such as cleartext authentication, which make it easy for an attacker with a packet sniffer to view usernames and passwords. Telnet on TCP port 23 also sends data in cleartext, which leaves it open to attackers listening in to intercept users' credentials and to man-in-the-middle attacks. The busiest ports are also the ones attackers probe most often, because they are almost always reachable. TCP port 80 for HTTP supports web traffic, and attacks on web clients that use port 80 include SQL injections, cross-site request forgeries, cross-site scripting and buffer overruns.
A well-run, secure network does not expose any service without a reason. The problem arises when nobody notices the services that are running: then nobody is monitoring them or keeping them up to date. CIS Control #9 addresses the Limitation and Control of Network Ports, Protocols and Services, and gives specific recommendations for avoiding the risk of unmanaged services and ports.
System administrators need an established baseline of what ports and services are supposed to be running on each machine. In addition, they need to run regular, automated port scans. Simple, free software is available that will do the job. The scan should note any differences from the baseline and notify the administrators.
The first time a scan is run, IT administrators will likely discover previously unaccounted-for or undesirable services, often the result of oversight. These services should be tracked and disabled upon discovery. Most importantly, port scans must be repeated on a regular schedule to determine which services are listening on the network, which ports are open, and which version of the protocol and service is listening on each open port. All such efforts further reduce the attack surface.
Every software installation carries some risk. It could open up unmanaged ports by default, just because they might be useful in certain cases.
When installing new software, the best practice is to identify any services it adds and configure the software to run only the ones that have value for business operations. Running a port scan before and after installation will verify whether any other services were added, and every legitimate service should then be securely configured.
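The baseline-and-diff routine described above (scan, compare to the approved list, alert on deviations) can be automated with a small script. The following is an added example, not code from the original article: it parses a constructed sample of nmap's grepable (`-oG`) output, compares each host's open ports against an assumed approved baseline, and reports unexpected listeners, service mismatches, and expected services that have disappeared. The hosts, ports and baseline are invented for illustration.

```python
import re

# Constructed sample of nmap -oG output (not a real scan). Each "Ports:" entry is
# port/state/proto/owner/service/rpc/version/ separated by ", ".
SCAN_OUTPUT = """\
# Nmap scan initiated (constructed sample)
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx 1.18.0/, 21/open/tcp//ftp//vsftpd 3.0.3/\tIgnored State: closed (997)
Host: 10.0.0.6 ()\tPorts: 443/open/tcp//https//nginx 1.18.0/\tIgnored State: closed (999)
"""

# Assumed approved baseline: per host, (port, proto) -> service that is allowed to listen.
BASELINE = {
    "10.0.0.5": {(22, "tcp"): "ssh", (80, "tcp"): "http"},
    "10.0.0.6": {(443, "tcp"): "https", (22, "tcp"): "ssh"},
}

# port / state / proto / owner / service / rpc / version /
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/[^/]*/([^/]*)/")


def parse_grepable(text):
    """Return {host: {(port, proto): (service, version)}} for open ports only."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        host = line.split()[1]
        ports = hosts.setdefault(host, {})
        # Tab-separated "Key: value" fields; we only need the Ports field.
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        for m in PORT_RE.finditer(fields.get("Ports", "")):
            port, state, proto, service, version = m.groups()
            if state == "open":
                ports[(int(port), proto)] = (service, version)
    return hosts


def diff_against_baseline(scan, baseline):
    """List (host, 'port/proto', finding) for every deviation from the baseline."""
    findings = []
    for host in sorted(set(scan) | set(baseline)):
        observed, expected = scan.get(host, {}), baseline.get(host, {})
        for key, (service, version) in sorted(observed.items()):
            label = f"{key[0]}/{key[1]}"
            if key not in expected:
                findings.append((host, label, f"UNEXPECTED open {service} ({version})"))
            elif service != expected[key]:
                findings.append((host, label, f"SERVICE MISMATCH expected {expected[key]} got {service}"))
        for key in sorted(set(expected) - set(observed)):  # vanished services are worth a look too
            findings.append((host, f"{key[0]}/{key[1]}", f"MISSING expected {expected[key]}"))
    return findings


if __name__ == "__main__":
    for host, port, finding in diff_against_baseline(parse_grepable(SCAN_OUTPUT), BASELINE):
        print(f"{host} {port}: {finding}")
```

In practice the baseline would be kept under version control and the findings routed to the administrators' alerting channel, as the control recommends.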
For an organization to adequately mitigate risks, a layered perimeter of defenses such as application-aware firewalls, network access controls (NAC), intrusion detection/prevention systems should be deployed to avert unauthorized access. “Defense in depth” is the watchword of a good security setup.
Using endpoint firewalls, removing all unnecessary services, segmenting critical services across systems, and applying patches as soon as they become available will all reduce your organization's risk exposure. For instance, a network scan can identify every server that is visible from the internet; any that don't need to be visible can be moved to an internal VLAN, out of direct reach. If they run any unauthorized services that aren't caught, at least those services won't be directly reachable from outside.
Running multiple critical services on the same machine is an invitation to trouble. If the same machine runs DHCP, SMTP and HTTP, an attacker that breaches one could jump to the others. Each of those services should have its own virtual or physical machine, with just the ports needed to run it.
It's easy enough to install multiple virtual machines on one computer. That way, each service has its own operating system, root file system, and network settings. If one of them is compromised, the problem is more likely to stay localized long enough to identify it and fix it.
Minimize to Maximize
Just as building management needs to know every door through which people can enter and how that door is secured against anyone sneaking in undetected, IT management needs to know every port and service that the servers expose. If they're there for a reason, they should be managed and secured. If there's no reason for them, they could be an unguarded back door to the network, and that door should be shut and locked. Though it is impossible to eradicate all risk, exposure can be greatly reduced when appropriate controls are put in place to deter an attacker. Implementing CSC #9 will further mature your organization's cybersecurity posture, and a continuous monitoring tool that makes the scanning an ongoing exercise will contribute to reducing risk and maximizing cybersecurity.