Implement and Manage a Firewall on Servers
Description
Implement and manage a firewall on servers, where supported. Example implementations include a virtual firewall, operating system firewall, or a third-party firewall agent.
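The description lists an operating system firewall as one way to satisfy the safeguard. The following script is an added example, not from the original page or any vendor, showing what that looks like on a Linux server with nftables: inbound traffic defaults to drop, and every opened port is pinned to a source network. The management subnet (10.0.0.0/24), client subnet (10.0.1.0/24), service port (443) and the config path are assumptions for illustration.

```shell
#!/bin/sh
# Least-privilege nftables ruleset for a Linux server: deny inbound by default,
# then open only what the server's role needs, each rule pinned to a source
# network. The values below are assumptions for illustration, not from the page.
MGMT_NET="${MGMT_NET:-10.0.0.0/24}"        # where administrators SSH from
APP_CLIENTS="${APP_CLIENTS:-10.0.1.0/24}"  # who may reach the service ports
APP_PORTS="${APP_PORTS:-443}"              # comma-separated, e.g. "443, 8443"

# Print a complete ruleset for `nft -f`. Inbound defaults to drop, so a service
# not listed here is unreachable even if it is listening on 0.0.0.0.
render_ruleset() {
    mgmt_net="$1"; app_clients="$2"; app_ports="$3"
    cat <<EOF
#!/usr/sbin/nft -f
flush ruleset

table inet host_fw {
    chain input {
        type filter hook input priority 0; policy drop;

        # Local traffic and replies to connections this host opened.
        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # ICMP is needed for path MTU discovery and IPv6 neighbour discovery.
        ip protocol icmp accept
        meta l4proto ipv6-icmp accept

        # Administration only from the management network.
        # (IPv6 management sources would need matching ip6 saddr rules.)
        ip saddr $mgmt_net tcp dport 22 accept

        # The server's own service, only from its clients.
        ip saddr $app_clients tcp dport { $app_ports } accept

        # Everything else is logged (rate limited) and then hits the drop policy.
        limit rate 5/minute log prefix "host_fw drop: "
    }
    chain forward {
        # This host is not a router; nothing is forwarded.
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Parse the file with `nft -c` before loading it, so a typo cannot leave the
# host with a half-applied policy. Needs root.
apply_ruleset() {
    file="$1"
    command -v nft >/dev/null 2>&1 || { echo "nft not installed" >&2; return 2; }
    nft -c -f "$file" || { echo "ruleset rejected; nothing applied" >&2; return 1; }
    nft -f "$file"
}

# Usage: ./host_fw.sh render > /etc/nftables.conf
#        ./host_fw.sh apply /etc/nftables.conf   (then: systemctl enable nftables)
case "${1:-}" in
    render) render_ruleset "$MGMT_NET" "$APP_CLIENTS" "$APP_PORTS" ;;
    apply)  apply_ruleset "${2:-/etc/nftables.conf}" ;;
esac
```

Two caveats a practitioner should check before relying on this: container runtimes and some orchestration agents insert their own nftables/iptables rules at boot and may reorder or override a hand-written policy, and a cloud security group (the "virtual firewall" the description mentions) is a complement to this host policy, not a substitute for it, since it does nothing once an attacker is already inside the security group.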
Implementation Checklist
Tool Recommendations
Palo Alto Networks (appliance + subscription): next-generation firewall platform with application-aware policies, threat prevention, URL filtering, and SD-WAN
Fortinet (appliance + subscription): enterprise firewall and security fabric with NGFW, SD-WAN, IPS, and integrated security services
Cisco (appliance + subscription): enterprise firewall with application visibility, IPS, malware defense, and encrypted traffic analytics
These are network firewall appliances. They complement, but do not replace, the host-level firewall (operating system firewall, virtual firewall, or firewall agent) that this safeguard requires on each server.
Threats & Vulnerabilities (CIS RAM)
Threat Scenarios
Lateral Movement Through Unprotected Server Ports
Confidentiality: Attackers who compromise one server move laterally to others through open ports and services that a host-based firewall would have blocked, escalating the breach scope.
Remote Exploitation of Unnecessary Server Services
Integrity: Servers without host-based firewalls expose all running services to the network, allowing attackers to exploit vulnerable services that should have been restricted to local or specific source access.
Server-to-Server Worm Propagation
Availability: Without host-based firewalls enforcing least-privilege network access, worms and automated attacks propagate rapidly between servers on the same network segment.
Vulnerabilities (When Safeguard Absent)
No Host-Based Firewall on Servers
Without server firewalls, all network-accessible services on the server are exposed to any device that can route to it, relying entirely on perimeter controls.
Servers Accessible on All Ports from Internal Network
Absence of host-based firewalls means internal network compromise provides unrestricted access to all server services, negating defense-in-depth strategies.
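The two vulnerabilities above have a concrete signature in a ruleset export: an input chain whose default policy is not drop, or accept rules with no source restriction. The following audit script is an added example, not from the original page or any project, that reviews the text of `nft list ruleset` for exactly those two conditions. The sample exports it runs against are constructed for the demonstration, as are the subnets and the choice of 443 as the one port meant to be public.

```shell
#!/bin/sh
# Review an exported host firewall ruleset for the exposure described above:
# an input chain that does not default to drop, or accept rules that let any
# source reach a port. Input is the text of `nft list ruleset`; the one
# argument is a comma-separated list of ports that are meant to be public
# (e.g. 443 on a web server). Prints one FINDING per problem, exit 1 if any.
audit_ruleset() {
    awk -v public="${1:-}" '
    BEGIN {
        n = split(public, p, ",")
        for (i = 1; i <= n; i++) ok[p[i]] = 1
        findings = 0; cur = 0
    }
    # Whatever chain carries the input hook is the one gating inbound traffic.
    /hook input/ {
        cur = 1
        if ($0 !~ /policy drop/) {
            print "FINDING: input chain does not default to drop: " $0
            findings++
        }
        next
    }
    cur && /^[ \t]*}/ { cur = 0; next }   # closing brace of the input chain
    !cur { next }
    /accept/ {
        line = $0; sub(/^[ \t]+/, "", line)
        # Loopback, conntrack and ICMP accepts are expected on any host.
        if (line ~ /iif "?lo"?/ || line ~ /ct state/ || line ~ /icmp/) next
        # A source restriction is what keeps the service off the open network.
        if (line ~ /(ip|ip6) saddr/) next
        port = "any"
        if (match(line, /dport [0-9]+/)) port = substr(line, RSTART + 6, RLENGTH - 6)
        if (port in ok) next
        print "FINDING: port " port " accepted from any source: " line
        findings++
    }
    END { exit (findings > 0) }'
}

# Constructed sample exports (not taken from any real host). The first is what
# the vulnerability above looks like: default accept plus unrestricted services.
EXPOSED_EXPORT=$(cat <<'EOF'
table inet filter {
    chain input {
        type filter hook input priority filter; policy accept;
        iif "lo" accept
        ct state established,related accept
        tcp dport 22 accept
        ip saddr 10.0.1.0/24 tcp dport 443 accept
        tcp dport 3306 accept
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
    }
}
EOF
)

HARDENED_EXPORT=$(cat <<'EOF'
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        ct state established,related accept
        meta l4proto ipv6-icmp accept
        ip saddr 10.0.0.0/24 tcp dport 22 accept
        tcp dport 443 accept
    }
}
EOF
)

# Live use:  nft list ruleset | audit_ruleset 443
# Offline demonstration against the constructed samples:
printf '%s\n' "$EXPOSED_EXPORT" | audit_ruleset 443 || echo "exposed sample: failed review"
printf '%s\n' "$HARDENED_EXPORT" | audit_ruleset 443 && echo "hardened sample: no findings"
```

On the exposed sample the script reports three findings: the accept default policy, SSH on 22 reachable from any source, and MySQL on 3306 reachable from any source; the 443 rule passes because it carries a source restriction. The check is deliberately simple: it does not follow `jump` or `goto` into other chains, and a rule using a port set (`dport { 22, 3306 }`) is reported as port "any", so treat its output as a starting point for the quarterly rule set review rather than a verdict.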
Evidence Requirements
| Type | Evidence Item | Collection Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Technical | Firewall rule set export and review documentation | Reviewed quarterly |
| Record | Firewall change request and approval records | Per change |
| Record | Third-party risk assessment reports and scorecards | Annually per vendor |
| Document | Vendor contracts with security requirements | Per contract cycle |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |