
CSF: Boundary Defenses

by Sharon Everson
February 26, 2016

Organizations today can no longer afford to rely on conventional network defense devices alone to monitor and protect a network, both internally and externally. Without a multi-layered security strategy across each network segment, intrusions and persistent threats will increase. This dashboard aligns with the NIST Cybersecurity Framework (CSF) PR.AC-5 subcategory and displays information from network security devices and services, which will assist in improving network performance and security.

The CSF provides guidance based on existing standards, guidelines, and practices, which can be tailored to specific organizational needs. One of the five core functions within the CSF is Protect. This function is divided into multiple categories that address specific security requirements: Access Control, Awareness, Data Security, Policies and Procedures, Maintenance, and Technology Protection. The first category within the Protect function is Access Control (PR.AC), which provides guidance on limiting access to assets to authorized users and devices. The PR.AC-5 subcategory is the primary focus of this dashboard, which assists the analyst in monitoring network subnets, security devices, ports, firewall events, and IDS events.

A critical aspect of protecting any network is protecting the network perimeter from outside sources. To accomplish this, the organization should implement boundary protection devices and services such as anti-virus, firewalls, routers, and Intrusion Detection Systems (IDS) at each network boundary. Within this dashboard, the analyst will be able to detect firewall events, review boundary defense status and port usage, and monitor security solution activity. Along with inbound IDS activity, both internal and outbound events are also presented, allowing the analyst to detect the presence of intruders and other malicious activity.

Applying a multi-layered defense strategy allows multiple devices and services to protect the network in case one layer is breached. Proper network segmentation is crucial to the protection of network resources. Any network breach or disruption of network services can interfere with and compromise user productivity, business operations, and network integrity. Internal networks are just as critical and need to be monitored frequently for insider threats, malicious activity, and attacks. Other types of networks such as wireless, extranet, and DMZs are often interconnected, allowing attackers to gain access by pivoting to internal resources. Port activity and usage are critical aspects that an organization should monitor regularly. The analyst can use the data provided within this dashboard to detect unauthorized ports and services. By integrating a multi-layered network security strategy, organizations will be able to effectively defend against attacks, protect network assets, and achieve a comprehensive defense-in-depth strategy.

The dashboard and its components are available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The dashboard can be easily located in the Tenable.sc Feed under the category Compliance & Configuration Assessment. The dashboard requirements are:

  • Tenable.sc 5.2.0
  • Nessus 8.5.1
  • LCE 6.0.0
  • NNM 5.9.0

Tenable.sc Continuous View (CV) provides continuous network event monitoring, reduces risk, and ensures compliance. Nessus is continuously updated with information about advanced persistent threats and zero-day vulnerabilities. NNM provides deep packet inspection to continuously discover events as they traverse the wire. LCE also has the capability to discover services, network devices, ports, and other critical infrastructure. Combined, Tenable.sc CV’s continuous network monitoring is able to detect systems, services, and security events across the enterprise.

The following components are included in this dashboard:

  • IDS Trend and Correlation - IDS Events: This component displays a trend of inbound, outbound, and internal IDS events for the past seven days. This is useful to see if there have been any large spikes in attacks in any direction. Analysts can use this component to monitor for changes in traffic based on IDS events.
  • Monitor Security Solutions - Activity in Last 72 Hours: This component assists in monitoring security solutions. The matrix presents activity indicators for various security solutions: Firewall, IDS, Antivirus, Antispam, and Anti-scanning. This component assumes that if log events were received in the last 72 hours from a particular technology, then that technology is active on the network, so the indicator is highlighted. Further investigation is warranted if a protection technology should be active, but no events are being received.
  • Network Mapping - Included Class C Subnets: This table assists an organization in understanding the scope of its network by grouping all the IP addresses discovered actively by Nessus, passively by NNM, and from log events recorded by LCE into representative Class C subnets. This information can assist an organization in detecting any unauthorized subnets or rogue devices. Note that if the organization has a very large network, this component can be modified to present Class B subnets, if desired. The Total column displays the number of detections. This number of detections may be greater than the number of hosts in each subnet, as each host may have been detected multiple times.
  • Firewall Status - Firewall Event Summary: This component displays the top 50 normalized firewall events by event count for firewalls from vendors such as Cisco, Juniper, Palo Alto, Fortinet, and many more. Each event will display the normalized event name, total event count, and trending data of this specific normalized event name. Using Tenable.sc CV for monitoring the different types of firewall events, a security analyst can determine if any malicious or suspicious firewall activity is occurring on the network.
  • CSC - Boundary Defense: This component displays information on a series of plugins that detect bot activity or spikes in connections, authentication failures, and denials. Cells are green when there are no relevant detections and turn red when activity is detected. Analysts can use this component to quickly identify activity of potential concern related to boundary defenses.
  • Verizon DBIR - Network TCP Port Usage: This table provides a list of the top 100 ports in use on the network. This table can be useful when monitoring network flows or establishing a baseline of traffic. Any new ports discovered should be investigated to determine their source and purpose. Any sudden change in count should be investigated as well. In the Verizon 2015 DBIR and the Mandiant M-Trends 2015 reports, unauthorized use of FTP and other protocols was a common indicator of compromise. This component is included in dashboards related to the 2015 Verizon Data Breach Investigations Report (DBIR).
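The "active in the last 72 hours" rule used by the Monitor Security Solutions matrix, as an added illustration that is not part of the original dashboard or of any Tenable product code. The event records, technology names and the expected-technology list are constructed assumptions; the point is the second function, which surfaces controls that should be logging but are silent.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample events: (technology, UTC timestamp of a received log event).
# The tuple layout is an assumption for this example, not LCE's own schema.
SAMPLE_EVENTS = [
    ("Firewall", "2016-02-26T08:15:00"),
    ("IDS", "2016-02-25T22:40:00"),
    ("Antivirus", "2016-02-20T09:00:00"),   # stale: well outside a 72-hour window
    ("Antispam", "2016-02-26T01:05:00"),
]

# Technologies the organisation expects to be active (assumed, drawn from policy).
EXPECTED_ACTIVE = {"Firewall", "IDS", "Antivirus", "Antispam", "Anti-scanning"}

# Fixed "now" so the example is reproducible offline.
NOW = datetime(2016, 2, 26, 12, 0, tzinfo=timezone.utc)


def activity_matrix(events, now=NOW, window_hours=72):
    """Return {technology: highlighted} for every expected technology.

    A technology is highlighted (True) when at least one of its log events
    falls inside the trailing window, mirroring the dashboard's rule.
    """
    cutoff = now - timedelta(hours=window_hours)
    matrix = {tech: False for tech in EXPECTED_ACTIVE}
    for tech, ts in events:
        seen = datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)
        if tech in matrix and seen >= cutoff:
            matrix[tech] = True
    return matrix


def silent_controls(matrix):
    """Expected technologies with no events in the window: these warrant investigation."""
    return sorted(tech for tech, active in matrix.items() if not active)


if __name__ == "__main__":
    m = activity_matrix(SAMPLE_EVENTS)
    for tech in sorted(m):
        print(f"{tech:14} {'ACTIVE' if m[tech] else 'no events'}")
    print("investigate:", silent_controls(m))
```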
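How the Network Mapping component's grouping works, as an added example that is not part of the original dashboard or of any Tenable product code: detections from the three sources are rolled up into /24 (Class C) or /16 (Class B) networks, and the Total column counts detections rather than hosts. The detection records and the authorized-subnet list are constructed; the `unexpected_subnets` check is an addition that follows the component's stated use of spotting unauthorized subnets.

```python
import ipaddress
from collections import defaultdict

# Constructed detection records: (source, IP address). Sources mirror the three
# the component draws from; the addresses are made up for this example.
SAMPLE_DETECTIONS = [
    ("Nessus", "192.168.10.5"), ("NNM", "192.168.10.5"), ("LCE", "192.168.10.5"),
    ("Nessus", "192.168.10.77"), ("NNM", "192.168.11.3"),
    ("LCE", "10.0.200.14"), ("LCE", "10.0.200.14"), ("Nessus", "10.0.201.9"),
    ("LCE", "not-an-ip"),  # malformed entry, skipped rather than failing the table
]


def map_subnets(detections, prefix=24):
    """Group detections into /prefix networks (24 = Class C, 16 = Class B).

    Returns {network: (total_detections, distinct_hosts)}. Total counts every
    detection, so it exceeds the host count when a host is seen by more than
    one source, exactly the behaviour the Total column shows.
    """
    totals = defaultdict(int)
    hosts = defaultdict(set)
    for _source, raw in detections:
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            continue
        if addr.version != 4:
            continue  # classful grouping only makes sense for IPv4
        net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        totals[net] += 1
        hosts[net].add(addr)
    return {str(net): (totals[net], len(hosts[net])) for net in totals}


def unexpected_subnets(mapping, authorized):
    """Observed subnets not contained in any authorized range (assumed from inventory)."""
    allowed = [ipaddress.ip_network(a) for a in authorized]
    return sorted(net for net in mapping
                  if not any(ipaddress.ip_network(net).subnet_of(a) for a in allowed))


if __name__ == "__main__":
    table = map_subnets(SAMPLE_DETECTIONS)
    for net, (total, n_hosts) in sorted(table.items()):
        print(f"{net:18} total={total} hosts={n_hosts}")
    print("not in inventory:", unexpected_subnets(table, ["192.168.0.0/16"]))
```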