Disabling Insecure Ports and Protocols
What Are Secure Ports and Protocols?
When insecure ports and protocols are used to exchange sensitive data, you weaken your security posture. Examples of insecure protocols would be HTTP, FTP, or Telnet because they operate in clear text. To properly harden your operating system, these insecure protocols must be replaced with secure alternatives like HTTPS, SFTP, or SSH.
In AWS, you can verify that your infrastructure only allows the use of secure ports and protocols in several ways, including:
- Using AWS Config, set up a managed rule (like restricted-common-ports) that monitors if known, insecure ports are disabled.
- Create a security group rule in a VPC that controls inbound and outbound traffic.
- Amazon Inspector has Network Reachability rules which analyze configurations for network access to your EC2 instances.
Transcription
One of the fundamentals of hardening our operating systems against attack is to only enable the services, the protocols, and the applications that we actually need. Now, sometimes, the application architect or the system architect has determined that we need a port or a protocol or a service that is, itself, known to be insecure. One of the principal reasons why that might be insecure is because it operates in clear text. HTTP is an example. FTP is an example. Telnet is an example. Anytime that these applications will be used to transfer sensitive information – which could be as basic as a username and a password – then we really need to consider secure alternatives to that. We consider the use of HTTPS instead of HTTP. We just wrap our HTTP session in a TLS tunnel, then we can transfer that data securely. The same thing with FTP – we might replace that with SFTP, which would be an SSH-based implementation of file copy protocols. The same thing goes for Telnet – we would replace that with SSH, as well. It’s important, in our application stacks, to consider the different protocols that are being used and the security impacts of those protocols. If a secure alternative is available, to use it. If a secure alternative is not available, to take additional steps. Maybe, if we had to use FTP, then we would require the use of PGP or GPG encrypted files that we would be transferring back and forth to keep the sensitive information out of unencrypted application sessions. Be sure to revisit your operating systems, to revisit your technology stacks, take a look at the ports, the protocols, and the services and make sure that they are the ones that absolutely must be there and for any insecure ones that are used, consider using secure alternatives instead.
Related Videos
AWS Controls for Implementing a DMZ
AWS Functions to Restrict Database Access
AWS Password Best Practices
AWS Password Expiration Policies
AWS Password Reuse Policy
AWS Tools for Your SDLC
Access Control Using IAM Instance Roles
Assign Access Based on Business Need to Know
Attaching IAM Policies to Groups or Roles
Avoid Use of the Root Account
Basics of Role Assumption
Best Practices for Change Management in AWS
Best Practices for Password Parameters
Cloud Attacks on the Rise
Configuring Network Border Controls
Creating a Data Flow Diagram
Creating a Network Diagram
Define Acceptable Use of Technology Part 1
Defining Resources in IAM Policies
Defining Resources in S3 Bucket Policies
Defining Roles and Responsibilities in AWS
Developing a Process for User Authentication
Disabling Unused Credentials
Do All Keys Have Resources Attached?
Documenting a Systems Inventory in AWS
Enabling MFA for All IAM Users
Encrypting Traffic In and Out of AWS
Encryption Decisions for Your Technology Stack
Encryption Opportunities
Encryption for EBS Volumes
Encryption for S3 Buckets
Enforce Separation with Access Controls
Enforcing Strong Encryption in AWS
Enforcing Strong TLS Ciphers
Events that Drive Key Rotation
House Accounts in CloudTrail
How to Attach IAM Policies to Groups or Roles
How to Check MFA in a Credential Report
How to Check Use of the Root Account
How to Configure Encryption for EBS Volumes on Existing EC2 Instances
How to Configure Encryption for EBS Volumes on New EC2 Instances
How to Configure Encryption for RDS
How to Configure Encryption for S3 Buckets
How to Find Administrative Privileges in IAM Policies
How to House Multiple Accounts Within an AWS Organization
How to Modify Password Complexity in a Password Policy
How to Modify Permissions to EBS Snapshots
How to Prevent Password Reuse in a Password Policy
How to Restrict Public Access to S3 Buckets
How to Use S3 Bucket Policies
IAM Policies for Account Authentication
IAM Policies that Address Administrative Privileges
Identifying Unused Credentials in a Credential Report
Industry Best Practices for Configuration Standards
Introduction to AWS Network Firewall
Introduction to Amazon EKS
Introduction to Amazon S3 Access Points
Introduction to IAM Access Analyzer
Key Rotation and Management
Load Balancers Must Require TLS 1.2
MFA for API Calls
Meeting Firewall and Router Configuration Standards
Network Segmentation for AWS
Performing Code Review Prior to Release
Physical Security Responsibilities for AWS
Physical Security Responsibilities for AWS Users
Physical Security Threats for AWS
Prevent Shared, Group, or Generic Accounts in AWS
Preventing Public Accessibility on DB Instances
Preventing Publicly Available CloudTrail Logs
Preventing Publicly Available S3 Buckets
Protecting Web Applications in AWS
Publish and Maintain an Information Security Policy
Quarterly Reviews of Your Security Program
Restricting Access to EBS Snapshots
Reviewing Firewall and Router Configurations
Rotating Access Keys
Route 53 Support for DNSSEC
Secure Code Development in AWS
Support MFA through IAM Policies
Systems Manager Maintenance
The AWS Shared Responsibility Model
Understanding the "Deny All" Function
Using AWS KMS
Using IAM Instance Roles for AWS Resource Access
Using OWASP's Kubernetes Cheat Sheet
Using Prowler to Evaluate AWS Security
Using Systems Manager from a Service-Linked Role
Using TLS 1.2 to Encrypt Data in Transit
