10.6.2 Security of Network Services

Illustrative Controls and TIBCO LogLogic Solution

Administrators must identify all changes to firewall and router configurations and ensure that all changes are authorized. The most efficient way to identify configuration changes is at the time of the modification. Administrators must set up alerts so that any changes to the configuration, authorized or otherwise, are detected and notified.

Administrators must identify all protocols passed through the firewall besides HTTP (generally port 80/tcp), SSL (generally port 443/tcp) and SSH (generally port 22/tcp). Once identified, administrators must review the exception list and document any justification related to the allowance of these protocols.

If non-standard ports are used with these three protocols, the justification for the non-standard ports must also be documented. If necessary, administrators should identify the timeframe in which these protocols should be allowed, and promptly remove them from the configuration after the time is up.

Administrators should set up network policy alerts to detect any unauthorized traffic passing through the firewalls. No firewall in any company should allow the use of any known risky services or protocols. These known risky services provide intruders an easy way into the company. Administrators must identify all protocols and services that are considered risky to pass through the firewall. These risky services include, but are not limited to, FTP (21/tcp), Telnet (23/tcp), Rlogin (513/tcp), Rsh (514/tcp), NetBIOS (137-139/tcp,udp), and others. Any risky protocols or services must be immediately removed from the firewall policies.
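As an added example (not code from the LogLogic guide or product), the following Python pass classifies permitted firewall log entries against the port lists above: the three standard services, the risky services, and a reviewed exception list. The key=value log format, the sample lines and the single exception entry are constructed assumptions; the port lists and the review order come from the text.

```python
# Added example (not the guide's code): flag permitted firewall flows against the
# port lists in the text. The key=value log format is a constructed assumption.
import re
STANDARD_ALLOWED = {("tcp", 80): "HTTP", ("tcp", 443): "SSL", ("tcp", 22): "SSH"}
# Services the text calls risky; a permitted flow to any of them is flagged.
RISKY = {("tcp", 21): "FTP", ("tcp", 23): "Telnet",
         ("tcp", 513): "Rlogin", ("tcp", 514): "Rsh"}
for _port in range(137, 140):           # NetBIOS 137-139 over both tcp and udp
    RISKY[("tcp", _port)] = RISKY[("udp", _port)] = "NetBIOS"
# Reviewed exception list with its justification (constructed entry).
EXCEPTIONS = {("udp", 53): "DNS to internal resolver, ticket FW-0042"}

FIELD = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Parse 'k=v k=v ...' into (action, proto, dport, src); None if incomplete."""
    f = dict(FIELD.findall(line))
    if any(k not in f for k in ("action", "proto", "dport")):
        return None
    return f["action"], f["proto"].lower(), int(f["dport"]), f.get("src", "?")

def classify(proto, dport):
    """Review category: RISKY first, then OK, DOCUMENTED, else UNDOCUMENTED."""
    key = (proto, dport)
    if key in RISKY:
        return "RISKY", RISKY[key]
    if key in STANDARD_ALLOWED:
        return "OK", STANDARD_ALLOWED[key]
    if key in EXCEPTIONS:
        return "DOCUMENTED", EXCEPTIONS[key]
    return "UNDOCUMENTED", f"{proto}/{dport}: justify or remove from policy"

def review(lines):
    """Return every permitted flow that is not plain OK as (category, src, why)."""
    findings = []
    for line in lines:
        rec = parse(line)
        if rec is None or rec[0] != "permit":
            continue                        # denied traffic is not an exception
        cat, why = classify(rec[1], rec[2])
        if cat != "OK":
            findings.append((cat, rec[3], why))
    return findings

SAMPLE = [  # constructed log lines
    "action=permit proto=tcp src=10.1.1.5 dst=203.0.113.9 dport=443",
    "action=permit proto=tcp src=10.1.1.7 dst=203.0.113.9 dport=23",
    "action=permit proto=udp src=10.1.1.8 dst=192.0.2.20 dport=138",
    "action=deny proto=tcp src=10.1.1.9 dst=192.0.2.21 dport=21",
    "action=permit proto=udp src=10.1.1.5 dst=192.0.2.53 dport=53",
    "action=permit proto=tcp src=10.1.1.6 dst=192.0.2.22 dport=8443",
]
```

Running `review(SAMPLE)` yields one finding per non-standard permitted flow, so RISKY hits can drive an alert while UNDOCUMENTED ones feed the exception-list review.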

In addition, vulnerabilities are continually being discovered by hackers or researchers and introduced by new software. Systems, processes, and custom software should be tested frequently to ensure security is maintained over time and through changes. Administrators must periodically review IDS logs to ensure that the IDS tools are fully utilized.

Reports and Alerts

Use the following link or reference to see the 10.6.2 reports and alerts: TIBCO LogLogic Reports and Alerts Quick Reference.