Requirement text: RM.4.151: Perform scans for unauthorized ports available across perimeter network
boundaries over the organization’s Internet network boundaries and other organizationally defined boundaries.
DISCUSSION FROM SOURCE: CMMC
Adversaries constantly probe trusted boundaries, such as an organization’s perimeter with
the Internet, to find opportunities to create unauthorized connections. Organizations must
perform their own scans to determine whether unauthorized connections are possible. To help
validate access control on network boundaries, an organization schedules actions, such as
scanning from various points of presence to assets across the various network segment
boundaries, to verify that the proper boundary access protections are in place and properly
configured. This allows the organization to identify trusted network boundaries that could be
breached because of a misconfiguration, or because of the trust between one segment of an
environment and another. Basically, this means a one-to-many connection attempt from
each network boundary. Recording the result of each test (where it was trying to connect,
whether it succeeded, time of day, IP addresses, etc.) lets the organization determine whether
the actual behaviour of the environment matches the network protection design, i.e., whether
an open port is authorized or unauthorized.
CMMC CLARIFICATION
Organizations need to perform actions to validate the implementation of the enterprise
security architecture that restricts connections at trusted network boundaries. Mature
organizations design, implement, and document their security mechanisms, and they perform
actions that help identify whether or not the security mechanisms are in place and working
as expected. Even the best security practitioners have been known to make a slight mistake
on a configuration of a security mechanism and find out later that the component is not
providing the protection necessary to keep the environment secure.
Example 1
Your organization has a data center that only allows connectivity from clients over HTTPS
web services. There is a firewall between the user network and the data center systems to
make sure this access is controlled. The firewall admin mistakenly placed a rule into the
system that allows users to connect to HTTP services in the data center. This access
may allow someone to reach specific systems and send passwords in the clear, thus
exposing user credentials. Fortunately, a scan by corporate cyber services identifies this
allowed connectivity and emails a report to the admin of the firewall. The admin changes
the rule in the firewall and the access is stopped before anything bad happens.
Example 2
Your organization does not allow printers to initiate connectivity to any other environment
within the enterprise. There is a firewall that prevents this action from taking place. Only
user systems are allowed to initiate communication with printers. During routine checks, it
is identified that the printer network has the ability to initiate communication to the user
network as well as the data center. This could be bad if a printer becomes compromised.
The firewall team is alerted to this finding and the problem is corrected before the
connectivity can be used in a manner undesired by the organization.
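As an added example (not part of the CMMC text), the following Python evaluates the results of a boundary scan against the organization's authorized-connectivity design, flagging the reachable-but-unauthorized ports from both Examples above. The segment names, hosts, policy table and scan observations are constructed for illustration.

```python
"""Compare boundary port-scan results with the authorized connectivity design."""
import socket
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Observation:
    source_segment: str   # point of presence the probe was launched from
    dest_host: str        # asset probed on the far side of the boundary
    port: int
    reachable: bool       # True if the TCP connect succeeded through the boundary
    observed_at: datetime # time of day is part of the record, per the discussion


# Authorized connectivity per boundary: (source segment, destination segment) -> ports.
# A boundary with no entry (e.g. anything initiated by printers) allows nothing.
POLICY = {
    ("user_net", "data_center"): {443},        # Example 1: HTTPS only
    ("user_net", "printer_net"): {9100, 631},  # Example 2: users may reach printers
}

# Constructed inventory mapping each scanned host to its network segment.
INVENTORY = {"10.20.0.10": "data_center", "10.30.0.5": "user_net", "10.40.0.7": "printer_net"}


def probe_tcp(host, port, timeout=2.0):
    """One connect attempt from the current point of presence (the organization's own scan)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def find_unauthorized(observations):
    """Return observations where a port was reachable across a boundary without authorization."""
    findings = []
    for obs in observations:
        dest_segment = INVENTORY.get(obs.dest_host, "unknown")
        allowed = POLICY.get((obs.source_segment, dest_segment), set())
        if obs.reachable and obs.port not in allowed:
            findings.append(obs)
    return findings


def format_finding(obs):
    """One report line with the fields the discussion says to record."""
    when = obs.observed_at.strftime("%Y-%m-%d %H:%M")
    return f"{when} {obs.source_segment} -> {obs.dest_host}:{obs.port} reachable, NOT authorized"


# Constructed scan results covering Example 1 (HTTP leak) and Example 2 (printer-initiated).
T = datetime(2024, 1, 15, 2, 0)
SAMPLE = [
    Observation("user_net", "10.20.0.10", 443, True, T),      # authorized HTTPS
    Observation("user_net", "10.20.0.10", 80, True, T),       # misconfigured HTTP rule
    Observation("user_net", "10.20.0.10", 22, False, T),      # blocked as designed
    Observation("printer_net", "10.30.0.5", 445, True, T),    # printers -> user network
    Observation("printer_net", "10.20.0.10", 443, True, T),   # printers -> data center
]
```

Feeding real observations is a matter of building `Observation` records from `probe_tcp` calls run from each point of presence; the policy comparison is unchanged.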
References
• CIS Controls v7.1 12.2
• NIST CSF v1.1 DE.CM-7