UCF ID: 00537
Control Type: Establish/Maintain Documentation
Status: Live
Supporting and supported controls
This control directly supports:
• Identify and control all network access points. [UCF Control ID 00529]
This control has the following supporting controls:
• Establish and maintain documentation justifying the use of any protocols beyond HTTP, SSL, SSH, and VPN. [UCF Control ID 00539]
• Establish and maintain documentation justifying the use of risky protocols, such as FTP. [UCF Control ID 01280]
Authority documents complied with:
FFIEC IT Examination Handbook – Information Security, Pg 43, Exam Tier II Obj B.4; North American Electric Reliability Corporation Critical Infrastructure Protection Cyber Security Standards, CIP-005-1 R2.2; Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2.1, § 1.1.5, § 2.2.2; Federal Information System Controls Audit Manual (FISCAM), February 2009, AC-3.2(E); The National Strategy to Secure Cyberspace, February 2003, Pg 30; IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information, § 5.6.5; Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996, § 3.12.2; Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008, CM-7(1), CM-7.2; Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 3, App F § AC-17(8); The Standard of Good Practice for Information Security, NW3.7.2; The Center for Internet Security Wireless Networking Benchmark, Version 1.0 April 2005, § 2.3.1 (2.3.1.030); The Center for Internet Security Wireless Networking Benchmark, Apple Addendum, Version 1.0 April 2005, § 1.2 (2.3.1.030); The Center for Internet Security Wireless Networking Benchmark, Cisco Addendum, version 1.0, April 2005, § 1.2 (2.3.1.030); The Center for Internet Security Wireless Networking Benchmark, DLINK Addendum, version 1.0, April 2005, § 1.2 (2.3.1.030); The Center for Internet Security Wireless Networking Benchmark, Linksys Addendum, version 1.0, April 2005, § 1.2 (2.3.1.030); DISA Wireless STIG Apriva Sensa Secure Wireless Email System Security Checklist, V5R2.2, Version 5 Release 2.2, § 2.2 (WIR1250), § 3.11; DISA Secure Remote Computing Security Technical Implementation Guide, Version 1, Release 2, § 4.1.5, § 4.2.3, § 5.2, § 6.2.1; DISA Wireless STIG Windows Mobile Messaging Wireless EChecklist Version 5, Release 2.4, Version 5 Release 2.4, § 2.2 (WIR2250), § 3.8; DISA WIRELESS SECURITY CHECKLIST, Version 5, Release 2.2, Version 5, Release 2.2, § 5 (WIR0470); ISO/IEC 15408-2 Common Criteria for Information Technology Security Evaluation Part 2, 2008, § 15.12, § J.12; ISO/IEC 17799 Code of Practice for Information Security Management, 2005, § 11.4.4; ISO/IEC 27002 Code of practice for information security management, 2005, § 11.4.4; OECD / World Bank Technology Risk Checklist, Version 7.3, § V.6, § V.7; Australian Government ICT Security Manual (ACSI 33), § 3.10.50; Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2, § 1.1.5, § 2.2.2; Guide to Bluetooth Security, NIST SP 800-121, September 2008, Table 4-2 Item 12, Table 4-3 Item 9, Table 4-4 Item 7; Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, NIST SP 800-97, February 2007, Table 8-4 Item 38; Center for Internet Security Open Enterprise Server: NetWare (v1) Consensus Baseline Security Settings, Version 1.0 August 2006, § 7.3, § 7.4, § 7.9, § 9.4; Payment Card Industry (PCI) Payment Application Data Security Standard, Version 1.1, § 12.1; Payment Card Industry (PCI) Information Supplement: PCI DSS Wireless Guideline, Version 1.2, July 2009, § 4.2.1.E, § 4.5.1.A; DoD Instruction 8500.2 Information Assurance (IA) Implementation, DCPP-1; Computer Security Incident Handling Guide, NIST SP 800-61, Revision 1, § 4.2.2; DISA Secure Remote Computing Security Technical Implementation Guide, Version 2, Release 1, § 2.4, § 3.1; ISO/IEC 13335-5 Information technology — Guidelines for the management of IT Security — Part 5: Management guidance on network security, 2001, ¶ 9.3, ¶ 9.4, ¶ 13.11
Banking and Finance Guidance
The organization should remove all unnecessary services on the firewall. [Pg 43, Exam Tier II Obj B.4, FFIEC IT Examination Handbook – Information Security]
Energy Guidance
At all access points to the Electronic Security Perimeter(s), the Responsible Entity shall enable only ports and services required for operations and for monitoring Cyber Assets within the Electronic Security Perimeter, and shall document, individually or by specified grouping, the configuration of those ports and services. [CIP-005-1 R2.2, North American Electric Reliability Corporation Critical Infrastructure Protection Cyber Security Standards]
Payment Card Guidance
§ 1.1.5 Protocols, ports, and services allowed for use by the organization must be documented and justified. For insecure protocols that are being used, the implemented security features should be documented. All unnecessary and insecure protocols should be disabled.
§ 2.2.2 Disable all unnecessary and insecure services and protocols (services and protocols not directly needed to perform the device’s specified function). [§ 1.1.5, § 2.2.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2.1]
Protocols, ports, and services allowed for use by the organization must be documented and justified. For insecure protocols that are being used, the implemented security features should be documented. All unnecessary and insecure protocols should be disabled. [§ 1.1.5, § 2.2.2, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2]
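The documentation-and-justification requirement quoted above can be checked rather than only asserted. The following is an added example, not part of the UCF page or of any cited standard: a register of documented ports, protocols and services is validated for missing justifications and for insecure protocols that lack documented security features, then reconciled against an observed listener list. The register entries, the observed listeners and the set of protocols treated as insecure are all constructed assumptions for illustration.

```python
"""Reconcile a documented ports/protocols/services register with observed
listeners (added example; all data below is constructed, not from a real host)."""
from dataclasses import dataclass

# Assumption: protocols the organization treats as insecure and therefore
# requiring documented compensating security features.
INSECURE_PROTOCOLS = {"ftp", "telnet", "sshv1", "http", "sslv2"}


@dataclass
class Entry:
    port: int
    proto: str                  # transport protocol: "tcp" or "udp"
    service: str                # application protocol or service name
    justification: str = ""     # business justification (must be present)
    security_features: str = "" # required when the service is insecure


def validate_register(register):
    """Return findings about the documentation itself: entries without a
    justification, and insecure services without documented security features."""
    findings = []
    for e in register:
        if not e.justification.strip():
            findings.append(f"{e.proto}/{e.port} {e.service}: no business justification documented")
        if e.service.lower() in INSECURE_PROTOCOLS and not e.security_features.strip():
            findings.append(f"{e.proto}/{e.port} {e.service}: insecure protocol without documented security features")
    return findings


def reconcile(register, observed):
    """Compare documented (proto, port) pairs with observed listeners.
    observed: (proto, port, service) tuples, typically parsed from a netstat/ss
    listing. Returns (undocumented listeners, documented-but-absent entries)."""
    documented = {(e.proto, e.port): e for e in register}
    seen = {(p, port) for p, port, _ in observed}
    undocumented = sorted(f"{p}/{port} {svc}" for p, port, svc in observed if (p, port) not in documented)
    stale = sorted(f"{e.proto}/{e.port} {e.service}" for k, e in documented.items() if k not in seen)
    return undocumented, stale


# Constructed register and constructed observation for a hypothetical host.
REGISTER = [
    Entry(443, "tcp", "https", "Customer web front end"),
    Entry(22, "tcp", "sshv2", "Administrative access from management VLAN"),
    Entry(21, "tcp", "ftp", "Legacy batch transfer with partner X"),  # insecure, no features
    Entry(1521, "tcp", "oracle-net"),                                  # no justification
    Entry(8443, "tcp", "https", "Retired admin console"),              # documented, not listening
]
OBSERVED = [
    ("tcp", 443, "https"), ("tcp", 22, "sshv2"), ("tcp", 21, "ftp"),
    ("tcp", 1521, "oracle-net"), ("tcp", 23, "telnet"),  # telnet is not in the register
]


def report(register=REGISTER, observed=OBSERVED):
    """Bundle documentation findings and reconciliation results for review."""
    undocumented, stale = reconcile(register, observed)
    return {"documentation": validate_register(register), "undocumented": undocumented, "stale": stale}


if __name__ == "__main__":
    for section, items in report().items():
        print(f"== {section} ==")
        for item in items:
            print(" ", item)
```

Undocumented listeners and stale entries are the two failure modes a periodic review of this documentation is meant to catch.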
Security protocols, such as SSL, TLS, and IPSEC, should be used to encrypt cardholder data during transmissions over open, public networks. [§ 12.1, Payment Card Industry (PCI) Payment Application Data Security Standard, Version 1.1]
§ 4.2.1.E Disable all unnecessary applications, ports, and protocols on Access Points (APs).
§ 4.5.1.A SSLv3 is mandatory for traffic that carries cardholder data. [§ 4.2.1.E, § 4.5.1.A, Payment Card Industry (PCI) Information Supplement: PCI DSS Wireless Guideline, Version 1.2, July 2009]
US Federal Security Guidance
A communications port protection device is called for. [AC-3.2(E), Federal Information System Controls Audit Manual (FISCAM), February 2009]
Key protocols should be reliable and secure. [Pg 30, The National Strategy to Secure Cyberspace, February 2003]
The organization should ensure all protocols, ports, and services have been identified. [DCPP-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation]
US Internal Revenue Guidance
The use of unnecessary protocols, ports, and services for the processing, storing, and transmitting of Federal Tax Information must be prohibited. [§ 5.6.5, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information]
NIST Guidance
The consideration of port protection devices that authorize access to the port itself is called for. [§ 3.12.2, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996]
Organizational records and documents should be examined on a regular basis to ensure all unnecessary functions, ports, protocols, and services have been disabled or removed from the system.
Test the system to ensure all identified functions, ports, protocols, and services have been disabled or removed from the system. [CM-7(1), CM-7.2, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008]
The organization should disable networking protocols within the information system unless specifically authorized. [App F § AC-17(8), Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 3]
Bluetooth device stacks should be locked down to ensure only approved services and profiles are available. The Serial Port Profile should be the only Bluetooth profile that is enabled, and users should not be able to enable any of the disabled profiles. [Table 4-2 Item 12, Table 4-3 Item 9, Table 4-4 Item 7, Guide to Bluetooth Security, NIST SP 800-121, September 2008]
All insecure and unused management protocols for the access point should be disabled. The required management protocols should be configured for least privilege. [Table 8-4 Item 38, Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, NIST SP 800-97, February 2007]
To aid in preventing DoS attacks, certain protocols, such as ICMP, should be limited to consuming only a designated percentage of total bandwidth. All unneeded services should be disabled on Internet-accessible hosts, and services that could be used in DoS attacks should be restricted. [§ 4.2.2, Computer Security Incident Handling Guide, NIST SP 800-61, Revision 1]
System Configuration Guidance
SSHv1 is included in NetWare 6.5 by default. This version of Secure Shell (SSH) has many known security flaws and should be disabled. SSHv2 should be used instead of SSHv1. The TCP/IP settings should be enhanced to improve the system's resistance to network attacks and denial of service attacks. The following lines should be added to the AUTOEXEC.NCF file to improve TCP/IP security: SET Discard Oversized Ping Packets = On; SET Largest Ping Packet Size = 10240; SET Discard Oversized UDP Packets = On; SET Largest UDP Packet Size = 33792; SET TCP Diagnostic Services = Off; SET TCP Defend Land Attacks = On; SET Maximum Wait States = 1000; SET Maximum Pending TCP Connection Requests = 2000; SET Allow IP Address Duplicates = Off; SET TCP UDP Diagnostic Services = Off; and SET SLP Close Idle TCP Connections Time = 30. IPX and any other protocols not being used should be disabled. Leaving unused protocols enabled can lead to attacks by hackers who are familiar with them and can also slow down network performance. The IP protocol should be used to connect Novell clients to Novell servers. [§ 7.3, § 7.4, § 7.9, § 9.4, Center for Internet Security Open Enterprise Server: NetWare (v1) Consensus Baseline Security Settings, Version 1.0 August 2006]
Other Configuration Guidance
Management ports on network devices should be disabled when not in use. [§ 2.3.1 (2.3.1.030), The Center for Internet Security Wireless Networking Benchmark, Version 1.0 April 2005]
Management ports on network devices should be disabled when not in use. [§ 1.2 (2.3.1.030), The Center for Internet Security Wireless Networking Benchmark, Apple Addendum, Version 1.0 April 2005]
Network devices should have management ports disabled when not in use. [§ 1.2 (2.3.1.030), The Center for Internet Security Wireless Networking Benchmark, Cisco Addendum, version 1.0, April 2005]
Network devices should have management ports disabled when not in use. [§ 1.2 (2.3.1.030), The Center for Internet Security Wireless Networking Benchmark, DLINK Addendum, version 1.0, April 2005]
Network devices should have management ports disabled when not in use. [§ 1.2 (2.3.1.030), The Center for Internet Security Wireless Networking Benchmark, Linksys Addendum, version 1.0, April 2005]
§ 2.2 (WIR1250) Implement wireless e-mail servers and handheld configuration settings.
§ 3.11 Configure Enclave and Personal Firewall Architecture ports, protocols and services according to organization’s site specific architecture. [§ 2.2 (WIR1250), § 3.11, DISA Wireless STIG Apriva Sensa Secure Wireless Email System Security Checklist, V5R2.2, Version 5 Release 2.2]
Services not needed for the operational use of the system must be disabled on all wireless clients. Non-required software and/or services that support remote access services must not be installed on remote access servers or network access servers. Non-required services that support remote access services must not be enabled on remote access servers or network access servers. Only those services required for the server and remote access should be enabled. The Information Assurance Officer must document all open ports and ensure only required services and ports are open on the personal firewall. Terminal Access Controller Access Control Systems (TACACS) and Extended TACACS (XTACACS) should not be used as authentication protocols, because they no longer receive maintenance support. [§ 4.1.5, § 4.2.3, § 5.2, § 6.2.1, DISA Secure Remote Computing Security Technical Implementation Guide, Version 1, Release 2]
§ 2.2 (WIR2250) All required wireless e-mail server and device configuration should be implemented.
§ 3.8 The Enclave firewall should be configured to only allow the required connections, using the default or standard ports for needed services. Default Port 443 using TCP protocol for the following services: (a) Inbound connection between the handheld and Microsoft ActiveSync (HTTPS/SSL connection); (b) Inbound from the handheld user’s desktop web browser or PDA/smartphone web browser to the Trust Digital Self Service Portal on the TD server (HTTPS/SSL connection); (c) When an ISA Server is used in the WMM architecture, the Enclave Firewall must be configured to route all WMM traffic to the ISA Server (Suggestion: Specify all inbound WMM IP addresses or all 443 traffic.) [§ 2.2 (WIR2250), § 3.8, DISA Wireless STIG Windows Mobile Messaging Wireless EChecklist Version 5, Release 2.4, Version 5 Release 2.4]
PDAs and smartphones should have their IR ports and wireless radios disabled when they are not being used, and should exchange information over the IR port only with trusted DoD devices.
Interview the Information Assurance Officer (IAO) to verify a policy exists and users are made aware of the requirement to disable wireless radios and IR ports when they are not being used. [§ 5 (WIR0470), DISA WIRELESS SECURITY CHECKLIST, Version 5, Release 2.2, Version 5, Release 2.2]
§ 2.4 Securing network services through identification and authentication of the endpoint device, identification and authentication of the end-user, and inspection and remediation of the endpoint device to determine whether it matches established entry criteria are the basic Network Access Control (NAC) requirements that must be met before end-users are allowed access to authorized resources.
§ 3.1 NAC services are implemented using one or more network technologies to ensure that network devices and users are authenticated, authorized, and compliant with established network policy. DoD requires physical port authentication on classified networks and logical port security on unclassified networks. A policy assessment server can be placed in the network environment to implement the security required on the ports but also to assess and enforce the device’s security posture. The results of the client posture assessment can then be leveraged to automate enforcement of access policy restrictions based on assessment status, community of interest, or group specific policy. [§ 2.4, § 3.1, DISA Secure Remote Computing Security Technical Implementation Guide, Version 2, Release 1]
ISO Guidance
The state synchrony protocol requires certain critical security functions to use trusted protocols. The system should acknowledge receipt of data when requested. [§ 15.12, § J.12, ISO/IEC 15408-2 Common Criteria for Information Technology Security Evaluation Part 2, 2008]
Access to the diagnostic and configuration ports should be controlled. Many systems contain these ports for use by remote maintenance engineers. If these ports are unprotected, they could lead to unauthorized access. [§ 11.4.4, ISO/IEC 17799 Code of Practice for Information Security Management, 2005]
Access to the diagnostic and configuration ports should be controlled. Many systems contain these ports for use by remote maintenance engineers. If these ports are unprotected, they could lead to unauthorized access. [§ 11.4.4, ISO/IEC 27002 Code of practice for information security management, 2005]
¶ 9.3 Network Protocols. Different protocols have different security characteristics and need to be afforded special consideration. For example:
• shared media protocols are mainly used in LANs (and sometimes in MANs) and provide mechanisms to regulate the use of shared media among the systems connected. As a shared media is used, all information on the network is physically accessible by all connected systems,
• routing protocols are used to define the route through the different nodes on which information travels within MANs and WANs. Information is physically accessible for all systems along the route, and routing may be changed, either accidentally or intentionally.
The protocols may be used on different network topologies, for example bus, ring and star, whether implemented through wireless or non-wireless technologies, which may have further impact on security.
¶ 9.4 Network Applications. The type of applications used over a network need to be considered in the context of security. Types can include:
• terminal emulation based applications,
• store and forward or spooler based applications,
• client server applications.
¶ 13.11 Non-Repudiation. Where there is a requirement to ensure that substantive proof can be provided that information was carried by a network, safeguards such as the following should be considered:
• communication protocols that provide acknowledgment of submission,
• application protocols that require the originator's address or identifier to be provided and check for the presence of this information,
• gateways that check sender and receiver address formats for validity of syntax and consistency with information in relevant directories,
• protocols that acknowledge delivery from networks, and
• protocols that include mechanisms that allow the sequence of information to be determined.
Where it is important that information transmission or receipt can be proven should it be contested, further assurance should be provided through the use of a standard digital signature method. Senders of information, where proof of source is required, should seal the information using a digital signature to a common standard. Where proof of delivery is required, senders should request a reply sealed with a digital signature. To achieve this level of assurance the following should be considered:
• use of non-repudiation mechanisms (digital signature, time stamping, etc.) supported by a trusted third party such as a certification authority, and associated public key infrastructure,
• logging messages using mechanisms that prevent alteration of logs,
• mechanisms to protect secret and/or private (signature) keys against unauthorized use, and
• archiving any certificates or keys necessary to resolve disputes to ensure their availability and integrity for the required time (which may be longer than the period of use of the associated keying material). [¶ 9.3, ¶ 9.4, ¶ 13.11, ISO/IEC 13335-5 Information technology — Guidelines for the management of IT Security — Part 5: Management guidance on network security, 2001]
General Guidance
Ports used for diagnostic purposes on network equipment should be protected by access controls. [NW3.7.2, The Standard of Good Practice for Information Security]
EU Guidance
Prevention of entry or exit through any network port that is not required by the organization is called for. Additionally, OECD requires prevention of any network protocols not in use by the organization. [§ V.6, § V.7, OECD / World Bank Technology Risk Checklist, Version 7.3]
Asia and Pacific Rim Guidance
All unused ports on switches should be disabled. [§ 3.10.50, Australian Government ICT Security Manual (ACSI 33)]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
