4.5: Implement and Manage a Firewall on End-User Devices
Implement and manage a host-based firewall or port-filtering tool on end-user devices, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.
| Asset Type | Security Function | Implementation Groups |
|---|---|---|
| Devices | Protect | 1, 2, 3 |
Dependencies
Safeguard 1.1: Establish and Maintain Detailed Enterprise Asset Inventory
Safeguard 2.1: Establish and Maintain a Software Inventory
Safeguard 4.1: Establish and Maintain a Secure Configuration Process
Inputs
GV1: Enterprise asset inventory
GV5: Authorized software inventory
GV3: Configuration standard
Operations
1. Identify and enumerate end-user devices capable of hosting a firewall or a deny rule using GV1 (M1).
2. Using configuration standards GV3, check whether firewalls or deny rules are properly configured on the end-user devices from Operation 1:
   1. Enumerate assets from Operation 1 with a properly configured firewall or a configured default-deny rule (M2).
   2. Enumerate assets from Operation 1 with an improperly configured firewall and lacking a configured default-deny rule (M3).
Measures
M1 = Count of end-user devices capable of hosting a firewall
M2 = Count of end-user devices with a properly configured firewall or default deny rule
M3 = Count of end-user devices with an improperly configured firewall and lacking a configured default deny rule
Metrics
Coverage
| Metric | Calculation |
|---|---|
| The percentage of end-user devices with a properly configured firewall or default-deny rule | M2 / M1 |
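As an added example (not part of the CIS specification), the following Python carries out the operations above over a constructed slice of the asset inventory: it applies a default-deny check of the kind a configuration standard (GV3) would specify for Windows Defender Firewall and ufw, then derives M1, M2, M3 and the coverage metric. The hostnames, inventory fields and abbreviated command excerpts are constructed assumptions, not captures from a real environment.

```python
import re

# Constructed sample slice of the enterprise asset inventory (GV1). Hostnames are
# hypothetical; fw_output holds an abbreviated capture of each device's firewall
# status in the format of 'netsh advfirewall show allprofiles' (Windows) or
# 'ufw status verbose' (Linux).
INVENTORY = [
    {"host": "wks-001", "type": "end-user", "fw_output":
        "Domain Profile Settings:\nState ON\nFirewall Policy BlockInbound,AllowOutbound\n"
        "Private Profile Settings:\nState ON\nFirewall Policy BlockInbound,AllowOutbound\n"
        "Public Profile Settings:\nState ON\nFirewall Policy BlockInboundAlways,AllowOutbound\n"},
    {"host": "wks-002", "type": "end-user", "fw_output":
        "Domain Profile Settings:\nState ON\nFirewall Policy BlockInbound,AllowOutbound\n"
        "Public Profile Settings:\nState OFF\nFirewall Policy AllowInbound,AllowOutbound\n"},
    {"host": "lnx-003", "type": "end-user", "fw_output":
        "Status: active\nLogging: on (low)\n"
        "Default: deny (incoming), allow (outgoing), disabled (routed)\n"},
    {"host": "lnx-004", "type": "end-user", "fw_output": "Status: inactive\n"},
    {"host": "srv-005", "type": "server", "fw_output": "Status: inactive\n"},  # not an end-user device
]

def has_default_deny(fw_output: str) -> bool:
    """Configuration-standard check (GV3): the firewall is enabled and its default
    inbound policy is deny. A missing, disabled or allow-inbound profile fails."""
    if "Firewall Policy" in fw_output:  # Windows: every profile must be ON and BlockInbound*
        profiles = re.findall(r"State\s+(ON|OFF)\s+Firewall Policy\s+(\S+)", fw_output)
        return bool(profiles) and all(
            state == "ON" and policy.startswith("BlockInbound") for state, policy in profiles)
    if fw_output.startswith("Status:"):  # ufw: active with 'deny (incoming)' as the default
        return "Status: active" in fw_output and \
            re.search(r"Default:\s*deny \(incoming\)", fw_output) is not None
    return False  # unknown tool or no capture: cannot be shown compliant

def safeguard_4_5_measures(inventory):
    """Operations 1-2: enumerate end-user devices, classify each, return M1-M3 and coverage."""
    end_user = [a for a in inventory if a["type"] == "end-user"]               # Operation 1
    m1 = len(end_user)
    m2 = sum(1 for a in end_user if has_default_deny(a.get("fw_output", "")))  # Operation 2.1
    m3 = m1 - m2                                                               # Operation 2.2
    coverage = m2 / m1 if m1 else 0.0                                          # metric: M2 / M1
    return {"M1": m1, "M2": m2, "M3": m3, "coverage": coverage}

if __name__ == "__main__":
    print(safeguard_4_5_measures(INVENTORY))
    for asset in INVENTORY:  # the M3 population is the remediation list
        if asset["type"] == "end-user" and not has_default_deny(asset["fw_output"]):
            print("remediate:", asset["host"])
```

Devices that fail the check (the M3 population) are the remediation list for this safeguard; a device whose status cannot be captured at all is counted as non-compliant rather than skipped.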