[PCI DSS 3.0] 1.1.6 Documentation and business justification for use of all services, protocols, and ports allowed

1.1.6 Documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure.

Examples of insecure services, protocols, or ports include but are not limited to FTP, Telnet, POP3, IMAP, and SNMP v1 and v2.

1.1.6.a Verify that firewall and router configuration standards include a documented list of all services, protocols and ports, including business justification for each—for example, hypertext transfer protocol (HTTP) and Secure Sockets Layer (SSL), Secure Shell (SSH), and Virtual Private Network (VPN) protocols.

1.1.6.b Identify insecure services, protocols, and ports allowed; and verify that security features are documented for each service.

1.1.6.c Examine firewall and router configurations to verify that the documented security features are implemented for each insecure service, protocol, and port.

Compromises often happen because of unused or insecure services and ports: these often have known vulnerabilities, and many organizations do not patch vulnerabilities in the services, protocols, and ports they do not use, even though the vulnerabilities are still present. By clearly defining and documenting the services, protocols, and ports that are necessary for business, organizations can ensure that all other services, protocols, and ports are disabled or removed.

If insecure services, protocols, or ports are necessary for business, the risk posed by their use should be clearly understood and accepted by the organization, the use of each protocol should be justified, and the security features that allow the protocol to be used securely should be documented and implemented. If these insecure services, protocols, or ports are not necessary for business, they should be disabled or removed.