CIS Control 4.6 Implement and Manage a Firewall on End-User Devices
Safeguard 4.6 requires you to securely manage your assets and software. Example implementations include managing configuration through version-controlled infrastructure-as-code and accessing administrative interfaces over secure network protocols, such as SSH (Secure Shell) and HTTPS (Hypertext Transfer Protocol Secure).
You should not use insecure management protocols such as Telnet (Teletype Network) and HTTP unless they are operationally essential.
Infrastructure-as-code helps you ensure that changes are reviewed by someone on your team before they are implemented in production, reducing the risk of mistakes or vulnerabilities being introduced into the system. It also enables you to track changes in real time and to roll back to a previous version to maintain the integrity of the system.
The big takeaway with Safeguard 4.6 is to disable Telnet and HTTP if they are not required. You should also consider disabling other outdated technologies like POP, IMAP, SMTP, TLSv1.0, TLSv1.1, and many others. Disabling them will force your teams to use the approved and secure management interfaces.
For each asset, you want to document how you should be connecting to the asset and whether any legacy or unsupported services or interfaces are required for it to function.
Remember you shouldn't document the processes, the map (configuration data), and the key (credentials) in the same place.
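One way to turn that per-asset documentation into a repeatable check is sketched below. This is an added example, not part of the original post or of any CIS tooling: the record layout, field names, credential key names and sample inventory are all assumptions constructed for illustration.

```python
# Added example: field names and sample records are assumptions, constructed for illustration.
INSECURE = {"telnet", "http", "pop", "imap", "smtp", "tlsv1.0", "tlsv1.1"}  # named in the post
APPROVED_MGMT = {"ssh", "https"}                                            # named in the post
CREDENTIAL_KEYS = {"password", "secret", "private_key", "token"}            # assumed key names


def audit_asset(asset):
    """Return a sorted list of (asset name, severity, message) findings for one record."""
    name = asset["name"]
    enabled = {s.lower() for s in asset.get("enabled_services", [])}
    documented = {s.lower() for s in asset.get("management_interfaces", [])}
    # An exception only counts if it carries a non-empty written justification.
    exceptions = {p.lower(): why.strip() for p, why in asset.get("exceptions", {}).items()}
    findings = []
    for proto in enabled & INSECURE:
        if exceptions.get(proto):
            findings.append((name, "REVIEW", f"{proto} enabled under exception: {exceptions[proto]}"))
        else:
            findings.append((name, "FAIL", f"{proto} enabled with no documented justification"))
    for proto in set(exceptions) - enabled:
        findings.append((name, "REVIEW", f"exception for {proto} is stale (service not enabled)"))
    if not documented & APPROVED_MGMT:
        findings.append((name, "FAIL", "no approved management interface (ssh/https) documented"))
    # The map (configuration data) and the key (credentials) must not share a record.
    for key in CREDENTIAL_KEYS & set(asset):
        findings.append((name, "FAIL", f"credential field '{key}' stored with configuration data"))
    return sorted(findings)


def audit(inventory):
    """Audit every asset record and return all findings in inventory order."""
    return [finding for asset in inventory for finding in audit_asset(asset)]


# Constructed sample inventory (not real assets).
INVENTORY = [
    {"name": "core-switch-01", "management_interfaces": ["ssh"],
     "enabled_services": ["ssh", "telnet"]},
    {"name": "legacy-plc-gw", "management_interfaces": ["https"],
     "enabled_services": ["https", "http"],
     "exceptions": {"http": "vendor firmware updater only speaks HTTP"}},
    {"name": "print-server", "management_interfaces": ["http"],
     "enabled_services": ["http"], "password": "example-only"},
]

if __name__ == "__main__":
    for asset, severity, message in audit(INVENTORY):
        print(f"{severity:6} {asset}: {message}")
```

FAIL findings are services to disable or records to fix; REVIEW findings are documented exceptions that should be revisited periodically.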
I want to personally thank you for following along, and if you learned something new or found this content to be valuable, please like and share. Since I have started this journey, I am seeing more education around CIS Security and its framework throughout the industry.