Perform scans for unauthorized ports available across perimeter network boundaries over the organization's Internet network boundaries and other organizationally defined boundaries.
Organizations need to perform actions to validate the implementation of the enterprise security architecture that restricts connections at trusted network boundaries. Mature organizations design, implement, and document their security mechanisms, and they perform actions that help identify whether or not those mechanisms are in place and working as expected. Even the best security practitioners have been known to make a slight mistake in the configuration of a security mechanism and find out later that the component is not providing the protection necessary to keep the environment secure.

Example 1
Your organization has a data center that only allows connectivity from clients over HTTPS web services. There is a firewall between the user network and the data center systems to make sure this access is controlled. The firewall admin mistakenly placed a rule into the system that allows users to connect to HTTP services in the data center. This access may allow someone to reach specific systems and send passwords in the clear, thus exposing user credentials. Fortunately, a scan by corporate cyber services identifies this allowed connectivity and emails a report to the admin of the firewall. The admin changes the rule in the firewall and the access is stopped before anything bad happens.

Example 2
Your organization does not allow printers to initiate connectivity to any other environment within the enterprise. There is a firewall that prevents this action from taking place. Only user systems are allowed to initiate communication with printers. During routine checks, it is identified that the printer network has the ability to initiate communication to the user network as well as the data center. This could be bad if a printer becomes compromised. The firewall team is alerted to this finding and the problem is corrected before the communications path is used in a manner undesired by the organization.
CMMC
Adversaries constantly probe trusted boundaries, such as an organization's perimeter with the Internet, to find opportunities to create unauthorized connections. Organizations must perform their own scans to determine if unauthorized connections are possible. To help validate access control on network boundaries, an organization will schedule actions, such as scanning from various points of presence to assets on various network segment boundaries, to confirm that proper boundary access protections are in place and properly configured. This allows the organization to identify trusted network boundaries that may be breached because of a misconfiguration, or because of the trust between one segment of an environment and another. Basically, this means a one-to-many connection attempt from each network boundary. Recording the results of each test (where it was trying to access, whether it was successful or not, time of day, IP addresses, etc.) allows the organization to determine whether the observed behavior of the environment matches the network protection design, i.e., whether an open port is authorized or unauthorized.
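The step that turns a boundary scan into a finding is comparing each reachable port against the documented connectivity design. The following added example (not part of the CMMC practice text or any CMMC tooling) does that for both examples above: it assumes scans were launched from a host inside each source segment and saved in nmap's grepable (-oG) output format, parses the open ports per destination host, maps each host to its network segment, and flags every open port that the design does not authorize for that source-to-destination pair. The segment addressing, the authorized-flow table and the scan output are all constructed for this illustration.

```python
"""Check boundary port-scan results against the authorized-connectivity design.

Added example, not part of the CMMC practice text. Assumes one nmap -oG run per
source segment; the addressing, policy and scan output below are constructed.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Network segments used in this example (constructed addressing).
SEGMENTS = {
    "user_net": ip_network("10.10.0.0/16"),
    "printer_net": ip_network("10.30.0.0/24"),
    "data_center": ip_network("10.20.0.0/16"),
}

# The boundary design: (source segment, destination segment) -> authorized TCP ports.
# An empty set means the source segment may not initiate anything to the destination.
AUTHORIZED = {
    ("user_net", "data_center"): {443},          # Example 1: HTTPS only
    ("user_net", "printer_net"): {9100, 631},    # users may print
    ("printer_net", "user_net"): set(),          # Example 2: printers never initiate
    ("printer_net", "data_center"): set(),
}

# Constructed nmap -oG output, keyed by the segment each scan was launched from.
SCANS = {
    "user_net": (
        "# Nmap 7.94 scan initiated as: nmap -oG - -p 80,443 10.20.1.10\n"
        "Host: 10.20.1.10 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///"
        "\tIgnored State: filtered (0)\n"
        "Host: 10.30.0.5 ()\tPorts: 9100/open/tcp//jetdirect///, 631/closed/tcp//ipp///\n"
        "# Nmap done\n"
    ),
    "printer_net": (
        "Host: 10.10.4.22 ()\tPorts: 445/open/tcp//microsoft-ds///, "
        "139/filtered/tcp//netbios-ssn///\n"
        "Host: 10.20.1.10 ()\tPorts: 443/open/tcp//https///\n"
    ),
}

# Each grepable port entry is port/state/protocol/owner/service/rpc/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/")


@dataclass(frozen=True)
class Finding:
    source: str       # segment the scan was launched from
    destination: str  # segment the target host belongs to
    host: str
    port: int
    verdict: str      # "authorized" or "UNAUTHORIZED"


def segment_of(addr: str) -> str:
    """Map a target address to its segment name, or 'unknown' if unmapped."""
    ip = ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "unknown"


def parse_grepable(text: str):
    """Yield (host, port, state) for every TCP port entry in nmap -oG output."""
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, state, proto in PORT_RE.findall(ports_field):
            if proto == "tcp":
                yield host, int(port), state


def evaluate(scans=SCANS) -> list:
    """Compare every open port seen from each source segment with the design."""
    findings = []
    for source, text in scans.items():
        for host, port, state in parse_grepable(text):
            if state != "open":
                continue  # closed/filtered ports show the boundary is enforcing policy
            dest = segment_of(host)
            allowed = AUTHORIZED.get((source, dest), set())
            verdict = "authorized" if port in allowed else "UNAUTHORIZED"
            findings.append(Finding(source, dest, host, port, verdict))
    return findings


def unauthorized(findings) -> list:
    """Subset of findings the firewall team needs to act on."""
    return [f for f in findings if f.verdict == "UNAUTHORIZED"]


if __name__ == "__main__":
    for f in evaluate():
        print(f"{f.verdict:12} {f.source} -> {f.destination} {f.host}:{f.port}")
```

On the constructed data the check reports three unauthorized paths: HTTP from the user network into the data center (Example 1), and SMB to the user network plus HTTPS to the data center initiated from the printer network (Example 2). Running the same comparison on a schedule, and keeping the source segment, destination, port and time of each result, gives the record the practice calls for when deciding whether an open port matches the design.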
CIS Controls v7.1 12.2
NIST CSF v1.1 DE.CM-7