CSCv7|9.5

Title

Implement Application Firewalls

Description

Place application firewalls in front of any critical servers to verify and validate the traffic going to the server. Any unauthorized traffic should be blocked and logged.

Reference Item Details

Category: Limitation and Control of Network Ports, Protocols, and Services

Audit Items

View all Reference Audit Items

NamePluginAudit Name
2.2.1 Ensure Firewall Is EnabledUnixCIS Apple macOS 13.0 Ventura v2.0.0 L1
2.2.1 Ensure Firewall Is EnabledUnixCIS Apple macOS 14.0 Sonoma v1.0.0 L1
2.5.2.1 Ensure Firewall Is EnabledUnixCIS Apple macOS 11.0 Big Sur v4.0.0 L1
2.5.2.1 Ensure Firewall Is EnabledUnixCIS Apple macOS 10.15 Catalina v3.0.0 L1
2.5.2.1 Ensure Firewall Is EnabledUnixCIS Apple macOS 12.0 Monterey v3.0.0 L1
2.5.2.2 Ensure Firewall Is EnabledUnixCIS Apple macOS 10.14 v2.0.0 L1
4.4.4 Apply Application Control Security Profile to PoliciesFortiGateCIS Fortigate 7.0.x Level 1 v1.2.0
4.11 Ensure 'Dynamic IP Address Restrictions' is enabled - Deny By Concurrent RequestsWindowsCIS IIS 10 v1.2.1 Level 1
4.11 Ensure 'Dynamic IP Address Restrictions' is enabled - maxConcurrentRequestsWindowsCIS IIS 10 v1.2.1 Level 1
5.1.1 Ensure allow and deny filters limit access to specific IP addressesUnixCIS NGINX Benchmark v2.0.1 L2 Loadbalancer
5.1.1 Ensure allow and deny filters limit access to specific IP addressesUnixCIS NGINX Benchmark v2.0.1 L2 Webserver
5.1.1 Ensure allow and deny filters limit access to specific IP addressesUnixCIS NGINX Benchmark v2.0.1 L2 Proxy
5.3.1 Ensure that the CNI in use supports Network PoliciesUnixCIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
5.3.1 Ensure that the CNI in use supports Network PoliciesUnixCIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
5.3.1 Ensure that the CNI in use supports Network PoliciesOpenShiftCIS RedHat OpenShift Container Platform 4 v1.5.0 L1
5.3.1 Ensure that the CNI in use supports Network PoliciesUnixCIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
5.3.1 Ensure that the CNI in use supports Network PoliciesUnixCIS Kubernetes Benchmark v1.9.0 L1 Master
5.6.6 Consider firewalling GKE worker nodesGCPCIS Google Kubernetes Engine (GKE) v1.5.0 L2
5.7.1 Create administrative boundaries between resources using namespacesOpenShiftCIS RedHat OpenShift Container Platform 4 v1.5.0 L1
5.22 Ensure the default seccomp profile is not DisabledUnixCIS Docker v1.6.0 L1 Docker Linux
6.7 Ensure the OWASP ModSecurity Core Rule Set Is Installed and Enabled - Active RulesUnixCIS Apache HTTP Server 2.4 L2 v2.1.0 Middleware
6.7 Ensure the OWASP ModSecurity Core Rule Set Is Installed and Enabled - Active RulesUnixCIS Apache HTTP Server 2.4 L2 v2.1.0
6.7 Ensure the OWASP ModSecurity Core Rule Set Is Installed and Enabled - Inbound Anomaly ThresholdUnixCIS Apache HTTP Server 2.4 L2 v2.1.0 Middleware
6.7 Ensure the OWASP ModSecurity Core Rule Set Is Installed and Enabled - Inbound Anomaly ThresholdUnixCIS Apache HTTP Server 2.4 L2 v2.1.0
6.7 Ensure the OWASP ModSecurity Core Rule Set Is Installed and Enabled - Outbound Anomaly ThresholdUnixCIS Apache HTTP Server 2.4 L2 v2.1.0 Middleware
6.7 Ensure the OWASP ModSecurity Core Rule Set Is Installed and Enabled - Outbound Anomaly ThresholdUnixCIS Apache HTTP Server 2.4 L2 v2.1.0
6.7 Ensure the OWASP ModSecurity Core Rule Set Is Installed and Enabled - Paranoia LevelUnixCIS Apache HTTP Server 2.4 L2 v2.1.0 Middleware
6.7 Ensure the OWASP ModSecurity Core Rule Set Is Installed and Enabled - Paranoia LevelUnixCIS Apache HTTP Server 2.4 L2 v2.1.0