Reduce the Cyber Attack Surface - Tracking Open Network Ports
The more ‘open’ a system, the more vulnerable it becomes. Access to these devices must, therefore, be carefully restricted and as such, monitoring of all open network ports is an essential security best practice and often a key dimension of compliance standards, for example, NERC CIP.
Change Tracker™ Gen7 R2 is equipped with a distributed network port scanning capability specifically developed to address this exact requirement.
Key Fact: Having the option to distribute scanning vantage points is important to both minimize network traffic but more critically to preserve internal firewalling robustness. Full port scans can be operated without compromise and without any need to make any special allowances in firewalling rules using the NNT Proxy Agent capabilities.
Port ranges are simply dialed in for scanning, with any exceptions made for 'whitelisted' ports/ranges. Naturally, any rules covering ports included/excluded for scanning will be accompanied with explanatory notes in a clear audit trail. An Open Ports Baseline can be saved and labeled at any point and used to report any changes from previous points in time, or to expose differences between similar devices. When authorized changes to the Open Ports Baseline are made, the report is updated and of course, with a fully descriptive audit trail record.
Key Fact: NNT Proxy Agents can be run from any Windows or Linux host – no need to dedicate a specific platform to the task, in fact, any agent being used for other monitoring tasks (Operating System or Database System) can also run a network port scan tracker, or even the Change Tracker™ Gen7 R2 server can be used.
The Network Port Tracker is designed to detect and track changes to the open network ports on a device. The tracker uses a network-scanning approach, probing a device externally via the network to determine whether TCP and UDP ports are open or not.
If you are scanning using an agent, as with any Proxied Device, the configuration template and any compliance reports for the device are assigned directly to the device to be monitored, with the Proxy Agent being irrelevant and invisible other than at device setup.
Individual port numbers can be scanned, or ranges, and a series of either individual or ranges of ports can be targeted. Likewise, for exclusions – ports which are whitelisted but are sometimes open, sometimes closed, can be excluded from the scan, or even a range of ephemeral ports that are dynamic, for example.
Finally, a period for the scan is defined – typically weekly but can be more frequent if desirable. The scanning is very efficient and will only take a few minutes even for a wide range of UDP and TCP ports.
The Initial scan made after modifying the monitoring template or applying the template to a new device will generate a new ‘current status’ record for the device. Subsequent scan results are then compared to the ‘current status’ for the device and if there are differences, these are shown as a ‘side by side’ comparison. At this stage, the ‘current status’ has also changed in order to encompass changes detected in order to clearly show subsequent changes in isolation from previous changes. However, no change history is lost – ‘historical status’ records are created to preserve previous config images.
The result of any scheduled scan – the ‘current status’ - can be saved as a Baseline Report. The Baseline Report is a ‘hard’ record of the configuration status seen at a particular stage, generally referred to as the ‘Gold Build’.
The Baseline Report is useful for a number of applications:
- Gold Build Standard: Provides a means of detecting any configuration drift from the Gold Build.
- Audit Trail: notes can be appended to describe why changes incorporated into the Baseline Report have been approved
- Assess consistent Configuration Standards: Any Baseline Report can be run against any other device or groups of devices to identify differences in configuration settings from the Gold Build.
N.B. In the case of the Network Port Tracker Baseline Report, it is important to appreciate that both the ‘Current Status’ of open ports detected AND the monitoring template (with any include/exclude port ranges) are encapsulated within the report and have a fixed relationship.
In other words, regardless of whether the ports baseline changes due to a change in the scanning approach (the included/excluded ports) OR due to a tangible operational change e.g a new application, the Baseline Report will encompass both elements.