The firewall must not utilize any services or capabilities that are not necessary for the administration of the firewall.

From Firewall Security Technical Implementation Guide - Cisco

Part of group: Firewall has unnecessary services enabled.

Rule SV-3054r3_rule: The firewall must not utilize any services or capabilities that are not necessary for the administration of the firewall.

Vulnerability discussion

The risk of attack increases with each service enabled on the firewall, because the firewall listens for connections to every one of them. Non-firewall services (e.g., DNS servers, e-mail servers, FTP servers, web servers) that ship as part of the standard firewall suite but are not necessary for administration of the firewall must be uninstalled or disabled.

Check content

Have the Firewall Administrator display the services running on the firewall appliance or underlying OS (on a Cisco device, the running configuration shows which service-enabling commands are present). If services that are not necessary for the administration of the firewall are found to be running on the firewall, this is a finding.

CAVEAT: Anti-virus software running on the firewall's OS is an exception to the above requirement. It is recommended that anti-virus software be implemented on any non-appliance firewall if supported; however, it is not a finding if anti-virus software has not been implemented.

Fix text

The Firewall Administrator will utilize only services related to the operation of the firewall. Any unnecessary services, even those that are part of the firewall's standard suite, must be uninstalled or disabled.
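As an added example (not from the STIG, DISA or Cisco), the following Python script applies the check above to a constructed excerpt of Cisco IOS `show running-config` output and emits the configuration commands that implement the fix. The list of services, the sample configuration and the hostname in it are assumptions for illustration: on a real device the Firewall Administrator decides which services are necessary for administration, and the running configuration should be reviewed alongside the device's actual listening ports.

```python
"""Flag service-enabling lines in a Cisco IOS running-config excerpt.

Added example for the check and fix above, not part of the STIG text.
The service list, the sample configuration and the remediation commands
are assumptions for illustration; which services are necessary for
administering a given firewall is the Firewall Administrator's call.
"""

# Service-enabling commands commonly judged unnecessary on a firewall,
# mapped to the config-mode command that disables each. Example list,
# not an authoritative catalogue from the STIG. "ip http secure-server"
# is deliberately absent: HTTPS may be the administrative interface, but
# if it is not used for administration it is a finding as well.
UNNECESSARY_SERVICES = {
    "ip http server": "no ip http server",
    "ip finger": "no ip finger",
    "ip bootp server": "no ip bootp server",
    "service tcp-small-servers": "no service tcp-small-servers",
    "service udp-small-servers": "no service udp-small-servers",
    "service pad": "no service pad",
}

# Constructed excerpt of `show running-config` output (not from a real
# device). IOS prints some disabled services explicitly as "no ..." lines,
# so a substring match on the service name alone would misclassify them.
SAMPLE_CONFIG = """\
!
hostname fw-edge-1
!
service tcp-small-servers
no service udp-small-servers
ip finger
no ip bootp server
ip http server
ip http secure-server
!
line vty 0 4
 transport input ssh
!
"""


def config_lines(config: str) -> list[str]:
    """Strip comment lines, blank lines and indentation; keep order."""
    lines = []
    for raw in config.splitlines():
        line = raw.strip()
        if line and not line.startswith("!"):
            lines.append(line)
    return lines


def findings(config: str) -> list[tuple[str, str]]:
    """Return (enabled service, remediation command) pairs in config order.

    A line counts only when it exactly matches an enabling command, so
    "no <command>" lines (the explicitly disabled state) are never flagged.
    """
    return [
        (line, UNNECESSARY_SERVICES[line])
        for line in config_lines(config)
        if line in UNNECESSARY_SERVICES
    ]


def remediation(config: str) -> str:
    """Config-mode commands that disable every flagged service."""
    return "\n".join(cmd for _, cmd in findings(config))


def is_finding(config: str) -> bool:
    """STIG outcome: any unnecessary service enabled means a finding."""
    return bool(findings(config))


if __name__ == "__main__":
    for service, fix in findings(SAMPLE_CONFIG):
        print(f"FINDING: '{service}' is enabled -> {fix}")
    print("Finding" if is_finding(SAMPLE_CONFIG) else "Not a finding")
```

Run against the sample, the script flags the TCP small servers, finger and the HTTP server, and leaves the explicitly disabled UDP small servers and BOOTP server alone; the printed `no ...` lines are what the administrator would enter in configuration mode to implement the fix.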
