Check: NET0377
Network - Firewall: NET0377
(in versions v8 r25 through v8 r22)
Title
The firewall must not utilize any services or capabilities that are not necessary for the administration of the firewall. (Cat II impact)
Discussion
Every service enabled on the firewall is another listener exposed on the device that enforces the network boundary, so the attack surface, and with it the risk of compromise, grows with each additional service. If non-firewall services (e.g., DNS, e-mail, FTP or web servers) are part of the standard firewall suite and are not necessary for administration of the firewall, they will be uninstalled or disabled.
Check Content
Have the Firewall Administrator display the services running on the firewall appliance or underlying OS, including the TCP and UDP ports on which the device is listening and the process bound to each. If services that are not necessary for the administration of the firewall are found to be running on the firewall, this is a finding. CAVEAT: Anti-virus software running on the firewall's OS is an exception to this requirement. It is recommended that anti-virus software be implemented on any non-appliance firewall that supports it; however, it is not a finding if anti-virus software has not been implemented.
Fix Text
The Firewall Administrator will run only the services required to operate and administer the firewall. Any unnecessary service, even one that is part of the firewall's standard suite, must be uninstalled or disabled.
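One way to carry out the Check Content and Fix Text above on a Linux-based (non-appliance) firewall, as an added example that is not part of the STIG text: compare the listening sockets reported by `ss` against an allowlist of administration services, treating anti-virus processes as the permitted exception from the CAVEAT. The port and process allowlists, and the sample `ss -tulnpH` listing, are assumptions constructed for this example; an operator would substitute the site's approved list and the live output.

```shell
#!/bin/sh
# Added example, not part of the STIG. Audits listening services on a
# Linux-based firewall host against an allowlist of administration services.

# Assumed site allowlists: ports used only for firewall administration
# (SSH, HTTPS management UI, SNMP polling) and processes that are permitted
# exceptions (anti-virus, per the CAVEAT in the check).
ALLOWED_PORTS="22 443 161"
ALLOWED_PROCS="clamd"

# Constructed sample in the shape of `ss -tulnpH` output (no header):
# Netid State Recv-Q Send-Q Local:Port Peer:Port Process
SAMPLE_SS='tcp   LISTEN 0  128  0.0.0.0:22     0.0.0.0:*  users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0  128  0.0.0.0:443    0.0.0.0:*  users:(("nginx",pid=901,fd=6))
tcp   LISTEN 0  128  0.0.0.0:80     0.0.0.0:*  users:(("nginx",pid=901,fd=5))
tcp   LISTEN 0  5    0.0.0.0:21     0.0.0.0:*  users:(("vsftpd",pid=1020,fd=3))
tcp   LISTEN 0  15   127.0.0.1:3310 0.0.0.0:*  users:(("clamd",pid=1500,fd=4))
udp   UNCONN 0  0    0.0.0.0:161    0.0.0.0:*  users:(("snmpd",pid=700,fd=8))
udp   UNCONN 0  0    0.0.0.0:53     0.0.0.0:*  users:(("named",pid=1200,fd=5))'

# find_unexpected_services LISTING ALLOWED_PORTS ALLOWED_PROCS
# Prints "proto port process" for every listener whose port is not in
# ALLOWED_PORTS and whose process is not in ALLOWED_PROCS.
# Returns 1 if any were found (a finding), 0 if the host is clean.
find_unexpected_services() {
  printf '%s\n' "$1" | awk -v ports="$2" -v procs="$3" '
    BEGIN {
      n = split(ports, p, " "); for (i = 1; i <= n; i++) okport[p[i]] = 1
      n = split(procs, q, " "); for (i = 1; i <= n; i++) okproc[q[i]] = 1
      found = 0
    }
    NF >= 5 {
      # Local address is field 5; strip everything up to the last colon
      # so both 0.0.0.0:22 and [::]:22 yield the port.
      port = $5; sub(/.*:/, "", port)
      # Process name is the first quoted string in the users:(...) field.
      proc = "?"
      if (match($NF, /"[^"]+"/)) proc = substr($NF, RSTART + 1, RLENGTH - 2)
      if (!(port in okport) && !(proc in okproc)) {
        print $1, port, proc
        found = 1
      }
    }
    END { exit found }'
}

# Stand-alone run against the constructed sample.
if unexpected=$(find_unexpected_services "$SAMPLE_SS" "$ALLOWED_PORTS" "$ALLOWED_PROCS"); then
  echo "No unnecessary services listening: not a finding"
else
  echo "Unnecessary services listening (finding; uninstall or disable):"
  printf '%s\n' "$unexpected"
fi
```

To run this against a live host, replace the constructed SAMPLE_SS with the output of `ss -tulnpH` (iproute2 on Linux); a non-zero return is the finding, and each reported line names the service to uninstall or disable per the Fix Text. On a vendor appliance the equivalent is the vendor's own command for showing listening services, and the allowlist should be limited to what the site has approved for administration.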
Additional Identifiers
Rule ID:
Vulnerability ID: V-3054
Group Title:
Expert Comments
CCIs
Number | Definition
---|---
No CCIs are assigned to this check |
Controls
Number | Title
---|---
No controls are assigned to this check |