CSCv7|9.5

Title

Implement Application Firewalls

Description

Place application firewalls in front of any critical servers to verify and validate the traffic going to the server. Any unauthorized traffic should be blocked and logged.

Reference Item Details

Category: Limitation and Control of Network Ports, Protocols, and Services

Audit Items


Name | Plugin | Audit Name
2.1.1 Ensure Firewall Is Enabled | Unix | CIS Apple macOS 14.0 Sonoma Cloud-tailored v1.1.0 L1
2.1.1 Ensure Firewall Is Enabled | Unix | CIS Apple macOS 13.0 Ventura Cloud-tailored v1.1.0 L1
2.2.1 Ensure Firewall Is Enabled | Unix | CIS Apple macOS 15.0 Sequoia v1.0.0 L1
2.2.1 Ensure Firewall Is Enabled | Unix | CIS Apple macOS 13.0 Ventura v3.0.0 L1
2.2.1 Ensure Firewall Is Enabled | Unix | CIS Apple macOS 14.0 Sonoma v2.0.0 L1
2.4.1.1 Ensure Firewall Is Enabled | Unix | CIS Apple macOS 12.0 Monterey Cloud-tailored v1.0.0 L1
2.5.2.1 Ensure Firewall Is Enabled | Unix | CIS Apple macOS 12.0 Monterey v4.0.0 L1
2.5.2.1 Ensure Firewall Is Enabled | Unix | CIS Apple macOS 10.15 Catalina v3.0.0 L1
2.5.2.1 Ensure Firewall Is Enabled | Unix | CIS Apple macOS 11.0 Big Sur v4.0.0 L1
2.5.2.2 Ensure Firewall Is Enabled | Unix | CIS Apple macOS 10.14 v2.0.0 L1
4.4.4 Apply Application Control Security Profile to Policies | FortiGate | CIS Fortigate 7.0.x v1.3.0 L1
4.11 Ensure 'Dynamic IP Address Restrictions' is enabled - Deny By Concurrent Requests | Windows | CIS IIS 10 v1.2.1 Level 1
4.11 Ensure 'Dynamic IP Address Restrictions' is enabled - maxConcurrentRequests | Windows | CIS IIS 10 v1.2.1 Level 1
5.1.1 Ensure allow and deny filters limit access to specific IP addresses | Unix | CIS NGINX Benchmark v2.1.0 L2 Webserver
5.1.1 Ensure allow and deny filters limit access to specific IP addresses | Unix | CIS NGINX Benchmark v2.1.0 L2 Loadbalancer
5.1.1 Ensure allow and deny filters limit access to specific IP addresses | Unix | CIS NGINX Benchmark v2.1.0 L2 Proxy
5.1.3 Ensure 'identityAssertionEnabled' is set to 'true' within the CSIv2 Attribute Layer | Unix | CIS IBM WebSphere Liberty v1.0.0 L1
5.2.3 Ensure 'identityAssertionTypes' is specified to the correct identity tokens in CSIv2 Attribute Layer - review/Zech | Unix | CIS IBM WebSphere Liberty v1.0.0 L1
5.3.1 Ensure that the CNI in use supports Network Policies | Unix | CIS Kubernetes v1.10.0 L1 Master
5.3.1 Ensure that the CNI in use supports Network Policies | Unix | CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
5.3.1 Ensure that the CNI in use supports Network Policies | OpenShift | CIS RedHat OpenShift Container Platform v1.6.0 L1
5.3.1 Ensure that the CNI in use supports Network Policies | Unix | CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
5.3.1 Ensure that the CNI in use supports Network Policies | Unix | CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
5.6.6 Consider firewalling GKE worker nodes | GCP | CIS Google Kubernetes Engine (GKE) v1.7.0 L2
5.7.1 Create administrative boundaries between resources using namespaces | OpenShift | CIS RedHat OpenShift Container Platform v1.6.0 L1
5.22 Ensure the default seccomp profile is not Disabled | Unix | CIS Docker v1.7.0 L1 Docker - Linux
6.7 Ensure the OWASP ModSecurity Core Rule Set Is Installed and Enabled | Unix | CIS Apache HTTP Server 2.4 v2.2.0 L2
7.1 Ensure the 'hostNameExcludeList' attribute is set to a whitelist of host names | Unix | CIS IBM WebSphere Liberty v1.0.0 L1
7.2 Ensure the 'hostNameIncludeList' attribute is set to a whitelist of host names | Unix | CIS IBM WebSphere Liberty v1.0.0 L1
7.3 Ensure the 'addressExcludeList' attribute is set to a whitelist of hostnames | Unix | CIS IBM WebSphere Liberty v1.0.0 L1
7.4 Ensure the 'addressIncludeList' attribute is set to a whitelist of IP addresses | Unix | CIS IBM WebSphere Liberty v1.0.0 L1