Device Class 1: Boundary Protection
Control ID: SC-7 Boundary Protection | Family: System and Communications Protection | Source: NIST 800-53r4
Control: The information system:
Supplemental Guidance: Managed interfaces include, for example, gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational information systems includes, for example, restricting external web traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security controls associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers, and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions. Related Controls: AC-4, AC-17, CA-3, CM-7, IR-4, RA-3, SC-5, SC-13, CP-8
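The two filtering behaviours the guidance names for a managed interface (restricting external web traffic to designated web servers, and dropping external traffic that claims an internal source address) can be modelled as a small deny-all, permit-by-exception policy evaluator. The following is an added illustration, not text from NIST 800-53 or code from any product; the interface sides, address ranges, designated servers and exception rules are constructed values.

```python
"""Added example: a deny-by-default policy for a managed interface with an
anti-spoofing check, in the spirit of SC-7 and enhancement (5).
All networks, hosts and rules below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass

# Constructed: the organization's internal address space (hypothetical).
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]
# Constructed: the only hosts that may receive web traffic from outside.
DESIGNATED_WEB_SERVERS = frozenset({ipaddress.ip_address("203.0.113.10")})


@dataclass(frozen=True)
class Packet:
    ingress: str   # side the packet arrives on: "external" or "internal"
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Permit:
    """One approved exception to the default deny."""
    ingress: str
    dst_hosts: frozenset   # allowed destination addresses; empty = any
    proto: str
    dport: int
    reason: str


# Constructed exception list. Everything not listed here is denied, in both
# directions, which is what "deny all, permit by exception" means.
PERMITS = [
    Permit("external", DESIGNATED_WEB_SERVERS, "tcp", 443,
           "public HTTPS to designated web servers"),
    Permit("internal", frozenset(), "tcp", 443, "approved outbound HTTPS"),
    Permit("internal", frozenset(), "udp", 53, "approved outbound DNS"),
]


def is_internal(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in INTERNAL_NETS)


def evaluate(pkt: Packet) -> tuple:
    """Return ("permit" | "deny", reason) for one packet."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    # Anti-spoofing: traffic arriving from the outside must never carry an
    # internal source address, regardless of any exception below.
    if pkt.ingress == "external" and is_internal(src):
        return ("deny", "spoofed internal source address on external interface")
    for p in PERMITS:
        if (p.ingress == pkt.ingress and p.proto == pkt.proto
                and p.dport == pkt.dport
                and (not p.dst_hosts or dst in p.dst_hosts)):
            return ("permit", p.reason)
    # No exception matched: the default verdict.
    return ("deny", "no matching exception (default deny)")


def audit(packets) -> list:
    """Evaluate a batch and return [(packet, verdict, reason), ...]."""
    return [(pkt, *evaluate(pkt)) for pkt in packets]


if __name__ == "__main__":
    # Constructed sample traffic crossing the managed interface.
    sample = [
        Packet("external", "198.51.100.7", "203.0.113.10", "tcp", 443),
        Packet("external", "198.51.100.7", "203.0.113.11", "tcp", 443),
        Packet("external", "10.1.2.3", "203.0.113.10", "tcp", 443),
        Packet("internal", "10.1.2.3", "198.51.100.50", "tcp", 22),
        Packet("internal", "10.1.2.3", "198.51.100.50", "udp", 53),
    ]
    for pkt, verdict, reason in audit(sample):
        print(f"{verdict:6} {pkt.ingress:8} {pkt.src} -> {pkt.dst} "
              f"{pkt.proto}/{pkt.dport}: {reason}")
```

Note that the anti-spoofing check runs before the exception list is consulted, so even a packet that would otherwise match the HTTPS exception is dropped when it arrives externally with an internal source. The outbound SSH case is denied as well, which is the point of applying the policy to both directions.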
Control Enhancements:
(3) Boundary Protection | Access Points
The organization limits the number of external network connections to the information system.
Supplemental Guidance: Limiting the number of external network connections facilitates more comprehensive monitoring of inbound and outbound communications traffic. The Trusted Internet Connection (TIC) initiative is an example of limiting the number of external network connections. Related Controls: N/A
(4) Boundary Protection | External Telecommunications Services
The organization:
Supplemental Guidance: Related Controls: SC-8
(5) Boundary Protection | Deny By Default / Allow By Exception
The information system at managed interfaces denies network communications traffic by default and allows network communications traffic by exception (i.e., deny all, permit by exception).
Supplemental Guidance: This control enhancement applies to both inbound and outbound network communications traffic. A deny-all, permit-by-exception network communications traffic policy ensures that only those connections which are essential and approved are allowed. Related Controls: N/A
(7) Boundary Protection | Prevent Split Tunneling For Remote Devices
The information system, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks.
Supplemental Guidance: This control enhancement is implemented within remote devices (e.g., notebook computers) through configuration settings to disable split tunneling in those devices, and by preventing those configuration settings from being readily configurable by users. This control enhancement is implemented within the information system by the detection of split tunneling (or of configuration settings that allow split tunneling) in the remote device, and by prohibiting the connection if the remote device is using split tunneling. Split tunneling might be desirable by remote users to communicate with local information system resources such as printers/file servers. However, split tunneling would in effect allow unauthorized external connections, making the system more vulnerable to attack and to exfiltration of organizational information.
The use of VPNs for remote connections, when adequately provisioned with appropriate security controls, may provide the organization with sufficient assurance that it can effectively treat such connections as non-remote connections from the confidentiality and integrity perspective. VPNs thus provide a means for allowing non-remote communications paths from remote devices. The use of an adequately provisioned VPN does not eliminate the need for preventing split tunneling. Related Controls: N/A
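Enhancement (7) says the information system detects split tunneling on the remote device and refuses the connection when it is present. One concrete form of that detection is a posture check over the device's routing table: once the VPN interface is up, the default route must point through it, and no other route to external networks may go through a physical interface. The example below is added here to illustrate that check; it is not NIST text or any VPN vendor's code. The `ip route`-style lines, interface names (`tun0`, `wlan0`) and concentrator address are constructed, and the function names `parse_route` and `detect_split_tunnel` are hypothetical.

```python
"""Added example: detect split tunneling from a routing table snapshot.
Routing lines, interface names and addresses are constructed for illustration."""
import ipaddress


def parse_route(line: str):
    """Parse one 'ip route' style line into (network, device, on_link)."""
    tokens = line.split()
    dest = "0.0.0.0/0" if tokens[0] == "default" else tokens[0]
    dev = tokens[tokens.index("dev") + 1] if "dev" in tokens else None
    # 'scope link' marks a directly attached subnet (the local LAN).
    on_link = "scope" in tokens and tokens[tokens.index("scope") + 1] == "link"
    return ipaddress.ip_network(dest, strict=False), dev, on_link


def detect_split_tunnel(route_lines, vpn_if: str, vpn_gateway: str) -> list:
    """Return a list of findings; an empty list means full-tunnel posture.

    Routes through vpn_if are fine. The directly attached LAN subnet and the
    host route to the VPN concentrator are tolerated because the tunnel
    cannot be built without them. Anything else that bypasses vpn_if,
    including a default route over a physical interface, is a finding.
    """
    findings = []
    gw = ipaddress.ip_address(vpn_gateway)
    for line in route_lines:
        net, dev, on_link = parse_route(line)
        if dev == vpn_if:
            continue
        if net.prefixlen == 0:
            findings.append(f"default route via {dev} bypasses {vpn_if}")
        elif on_link:
            continue  # local subnet needed to reach the concentrator
        elif net.num_addresses == 1 and net.network_address == gw:
            continue  # host route to the concentrator itself
        else:
            findings.append(f"route to {net} via {dev} bypasses {vpn_if}")
    return findings


# Constructed snapshots of a remote notebook's routing table.
FULL_TUNNEL = [
    "default via 10.8.0.1 dev tun0",
    "10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5",
    "192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23",
    "203.0.113.5 via 192.168.1.1 dev wlan0",
]
SPLIT_TUNNEL = [
    "default via 192.168.1.1 dev wlan0",
    "10.0.0.0/8 via 10.8.0.1 dev tun0",
    "10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5",
    "192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23",
    "203.0.113.5 via 192.168.1.1 dev wlan0",
]
# Default route is correct but an extra static route leaks one external prefix.
LEAKED_PREFIX = FULL_TUNNEL + ["198.51.100.0/24 via 192.168.1.1 dev wlan0"]


def posture_ok(route_lines) -> bool:
    """Admission decision: connect only when no split-tunnel finding exists."""
    return not detect_split_tunnel(route_lines, "tun0", "203.0.113.5")


if __name__ == "__main__":
    for name, table in [("full", FULL_TUNNEL), ("split", SPLIT_TUNNEL),
                        ("leak", LEAKED_PREFIX)]:
        print(name, detect_split_tunnel(table, "tun0", "203.0.113.5"))
```

The on-link LAN route is tolerated here so the client can still reach its concentrator; a stricter client-side policy that also blocks local LAN access would treat that route as a finding as well. The `posture_ok` wrapper is the admission decision the enhancement describes: the connection is refused while any finding is present.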
References: FIPS Publication 199; NIST Special Publications 800-41, 800-77.
Mechanisms:
Protocol Implementation Conformance Statements: