A host-based firewall SHALL be configured and enabled on all systems within all network segments in the business environment.

Operating systems generally include a host-based firewall that monitors inbound and outbound traffic on the endpoint and enforces security rules on it. While a network firewall addresses traffic on a single network segment, host firewalls address the specific security requirements of individual endpoints. Like network firewalls, host firewalls use rules based on attributes such as source/destination IP address, protocol, and port number. So, while a certain protocol may be allowed on the network, it can be blocked from use on specific endpoints. This is useful for internal servers that should only accept connections on one or two ports and need all others blocked. Certain host firewalls, like Windows Defender Firewall, allow admins to specify profiles (Public, Private, Domain) that automatically apply a set of rules appropriate for the type of network the endpoint is connected to. Other examples of host-based firewalls include iptables and Uncomplicated Firewall (ufw) for Linux, and Application Firewall for macOS. Operating systems generally have the host firewall turned on by default out of the box. It should never be turned off on endpoints unless testing by trained IT professionals requires it. Even if the host firewall needs to be disabled for a task, it should be turned back on immediately afterwards. Ensuring the presence of an active and up-to-date host firewall should be part of IT configuration management procedures for business environments.
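As an added illustration (not part of the original control text), the following Python models the behaviour described above: a host firewall ruleset for an internal server with Domain and Public profiles, a default-deny inbound policy that allows only TCP 22 and 443 from a corporate range, and a configuration-management audit that flags a disabled firewall or a profile that does not default to deny. The address range 10.0.0.0/8, the profile names and the port choices are constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

@dataclass
class Rule:  # one inbound rule keyed on protocol, remote address and local port
    action: str                 # "allow" or "deny"
    protocol: str = "any"       # "tcp", "udp", "icmp" or "any"
    remote: str = "0.0.0.0/0"   # remote address range in CIDR notation
    port: Optional[int] = None  # local port; None matches any port

    def matches(self, protocol, remote_ip, port):
        return (self.protocol in ("any", protocol)
                and ip_address(remote_ip) in ip_network(self.remote)
                and (self.port is None or self.port == port))

@dataclass
class Profile:  # rule set applied for one network type (Domain/Private/Public)
    name: str
    default: str = "deny"       # action when no rule matches
    rules: List[Rule] = field(default_factory=list)

@dataclass
class HostFirewall:
    enabled: bool
    profiles: Dict[str, Profile]
    active: str                 # profile selected for the connected network

    def evaluate(self, protocol, remote_ip, port):
        """Return 'allow' or 'deny' for one inbound connection attempt."""
        if not self.enabled:    # a disabled firewall enforces nothing
            return "allow"
        prof = self.profiles[self.active]
        for rule in prof.rules: # first matching rule wins
            if rule.matches(protocol, remote_ip, port):
                return rule.action
        return prof.default

def internal_server_firewall(active="Domain", enabled=True):
    """Constructed policy: SSH and HTTPS only from the corporate range on the
    Domain profile; no inbound exceptions at all on the Public profile."""
    domain = Profile("Domain", rules=[Rule("allow", "tcp", "10.0.0.0/8", 22),
                                      Rule("allow", "tcp", "10.0.0.0/8", 443)])
    return HostFirewall(enabled, {"Domain": domain, "Public": Profile("Public")}, active)

def audit(fw):  # configuration-management check: enabled and default-deny everywhere
    issues = ["host firewall is disabled"] if not fw.enabled else []
    issues += [f"profile {p.name} allows inbound by default"
               for p in fw.profiles.values() if p.default != "deny"]
    return issues
```

Running `audit()` against each managed endpoint's ruleset is the kind of check a configuration-management procedure would perform; a non-empty result is a finding to remediate.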