Device Class 3: Boundary Protection

Control ID: SC-7 Boundary Protection
Family: System and Communications Protection
Source: NIST 800-53r4
Control: The information system:
  1. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system;
  2. Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and
  3. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.
Supplemental Guidance:
Managed interfaces include, for example, gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational information systems includes, for example, restricting external web traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security controls associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers, and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions.

Related Controls: AC-4, AC-17, CA-3, CM-7, IR-4, RA-3, SC-5, SC-13, CP-8
Control Enhancements:
(3) Boundary Protection | Access Points
The organization limits the number of external network connections to the information system.
Supplemental Guidance: Limiting the number of external network connections facilitates more comprehensive monitoring of inbound and outbound communications traffic. The Trusted Internet Connection (TIC) initiative is an example of limiting the number of external network connections.
Related Controls: N/A

(4) Boundary Protection | External Telecommunications Services
The organization:
  1. Implements a managed interface for each external telecommunication service;
  2. Establishes a traffic flow policy for each managed interface;
  3. Protects the confidentiality and integrity of the information being transmitted across each interface;
  4. Documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need; and
  5. Reviews exceptions to the traffic flow policy [Assignment: organization-defined frequency] and removes exceptions that are no longer supported by an explicit mission/business need.

Supplemental Guidance:
Related Controls: SC-8

(5) Boundary Protection | Deny By Default / Allow By Exception
The information system at managed interfaces denies network communications traffic by default and allows network communications traffic by exception (i.e., deny all, permit by exception).
Supplemental Guidance: This control enhancement applies to both inbound and outbound network communications traffic. A deny-all, permit-by-exception network communications traffic policy ensures that only those connections which are essential and approved are allowed.
Related Controls: N/A

(7) Boundary Protection | Prevent Split Tunneling For Remote Devices
The information system, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks.
Supplemental Guidance: This control enhancement is implemented within remote devices (e.g., notebook computers) through configuration settings to disable split tunneling in those devices, and by preventing those configuration settings from being readily configurable by users. This control enhancement is implemented within the information system by the detection of split tunneling (or of configuration settings that allow split tunneling) in the remote device, and by prohibiting the connection if the remote device is using split tunneling. Split tunneling might be desirable by remote users to communicate with local information system resources such as printers/file servers. However, split tunneling would in effect allow unauthorized external connections, making the system more vulnerable to attack and to exfiltration of organizational information. The use of VPNs for remote connections, when adequately provisioned with appropriate security controls, may provide the organization with sufficient assurance that it can effectively treat such connections as non-remote connections from the confidentiality and integrity perspective. VPNs thus provide a means for allowing non-remote communications paths from remote devices. The use of an adequately provisioned VPN does not eliminate the need for preventing split tunneling.
Related Controls: N/A

(18) Boundary Protection | Fail Secure
The information system fails securely in the event of an operational failure of a boundary protection device.
Supplemental Guidance: Fail secure is a condition achieved by employing information system mechanisms to ensure that in the event of operational failures of boundary protection devices at managed interfaces (e.g., routers, firewalls, guards, and application gateways residing on protected subnetworks commonly referred to as demilitarized zones), information systems do not enter into unsecure states where intended security properties no longer hold. Failures of boundary protection devices cannot lead to, or cause information external to the devices to enter the devices, nor can failures permit unauthorized information releases.
Related Controls: CP-2, SC-24

(21) Boundary Protection | Isolation Of Information System Components
The organization employs boundary protection mechanisms to separate [Assignment: organization-defined information system components] supporting [Assignment: organization-defined missions and/or business functions].
Supplemental Guidance: Organizations can isolate information system components performing different missions and/or business functions. Such isolation limits unauthorized information flows among system components and also provides the opportunity to deploy greater levels of protection for selected components. Separating system components with boundary protection mechanisms provides the capability for increased protection of individual components and to more effectively control information flows between those components. This type of enhanced protection limits the potential harm from cyber-attacks and errors. The degree of separation provided varies depending upon the mechanisms chosen. These protection mechanisms include, for example, routers, gateways, and firewalls separating system components into physically separate networks or subnetworks, cross-domain devices separating subnetworks, virtualization techniques, and encrypting information flows among system components using distinct encryption keys.
Related Controls: CA-9, SC-3
References: FIPS Publication 199; NIST Special Publications 800-41, 800-77.
Mechanisms:

  • The device shall maintain a mechanism for monitoring all communications that cross its boundary, such that:
    • All communications can be scanned and optionally logged irrespective of the function those communications are associated with:
      • Communications monitoring diagnostics and settings are restricted from general application use.
      • Communications monitoring diagnostics and settings may be modified through an administrative interface.
  • The device shall discard IP packets whose source address is known to the device unless either:
    • The device has a request pending to that source; or
    • The source is on a whitelist of sources that may send the device unsolicited IP traffic.
  • The device shall discard IP packets whose source address is unknown to the device.
  • The device shall monitor the status of its inbound firewall. If its firewall is not operating, the device:
    • Shall not accept any data from external sources targeting management, security or application update functions (Fail Secure)
  • The device shall provide support for assigning applications to categories such that two applications may only exchange data if they are classified in the same category. The device may support assigning one application to more than one category. The device shall support at least four application categories and may support more.
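The inbound rules above (discard unknown sources; admit known sources only for a pending reply or from the whitelist; fail secure for management, security and update functions when the firewall is down; application categories gating data exchange) amount to the deny-all, permit-by-exception policy of SC-7(5) and the fail-secure behaviour of SC-7(18). The following is an added illustrative model, not code from the specification or any device vendor; class, method and field names are hypothetical, the sample addresses are constructed, and it assumes that when the firewall is down, functions other than management, security and update keep applying the normal source checks (the spec leaves that case open).

```python
from dataclasses import dataclass, field

# Functions that must accept nothing external when the inbound firewall is not operating.
PROTECTED_FUNCTIONS = frozenset({"management", "security", "update"})


@dataclass
class DevicePolicy:
    """Inbound policy model for a Class 3 device: deny by default, allow by exception."""
    whitelist: set = field(default_factory=set)     # sources allowed to send unsolicited traffic
    known: set = field(default_factory=set)         # sources the device holds an address record for
    pending: set = field(default_factory=set)       # sources with an outstanding request from the device
    categories: dict = field(default_factory=dict)  # application name -> set of category names
    firewall_up: bool = True

    def send_request(self, dst: str) -> None:
        # An outbound request makes dst known and opens one pending slot for its reply.
        self.known.add(dst)
        self.pending.add(dst)

    def admit_packet(self, src: str, target: str) -> tuple:
        """Return (admitted, reason) for an inbound packet from src aimed at a device function."""
        # Fail secure: firewall down means management/security/update accept no external data.
        # Assumption: other functions still go through the ordinary source checks below.
        if not self.firewall_up and target in PROTECTED_FUNCTIONS:
            return False, "fail-secure"
        if src not in self.known:                   # unknown source: always discarded
            return False, "unknown-source"
        if src in self.pending:                     # reply to our request: admit once, close the slot
            self.pending.discard(src)
            return True, "reply-to-pending"
        if src in self.whitelist:                   # explicitly allowed unsolicited sender
            return True, "whitelisted"
        return False, "unsolicited"                 # known, but neither pending nor whitelisted

    def assign(self, app: str, *cats: str) -> None:
        # An application may belong to more than one category (optional per the spec).
        self.categories.setdefault(app, set()).update(cats)

    def may_exchange(self, app_a: str, app_b: str) -> bool:
        # Two applications exchange data only if they share at least one category.
        return bool(self.categories.get(app_a, set()) & self.categories.get(app_b, set()))


if __name__ == "__main__":
    policy = DevicePolicy(whitelist={"10.0.0.5"}, known={"10.0.0.5", "10.0.0.9"})  # constructed
    policy.send_request("192.0.2.10")
    print(policy.admit_packet("192.0.2.10", "app"))    # (True, 'reply-to-pending')
    print(policy.admit_packet("192.0.2.10", "app"))    # (False, 'unsolicited')
    print(policy.admit_packet("198.51.100.1", "app"))  # (False, 'unknown-source')
    policy.firewall_up = False
    print(policy.admit_packet("10.0.0.5", "update"))   # (False, 'fail-secure')
```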

Protocol Implementation Conformance Statements (Status: M = mandatory, O = optional):

ID       Statement                                                     Status      Reference  Notes
SC-7/1   Supports communications scanning                              SC-7/1:M
SC-7/2   Supports communications logging                               SC-7/2:O
SC-7/3   Supports communications scan/log admin interface              SC-7/3:M
SC-7/4   Provides at most one on-board network connection              SC-7/4:M
SC-7/5   Provides at most one fixed-point backhaul network connection  SC-7/5:M
SC-7/6   Provides at most one local maintenance diagnostic port        SC-7/6:M
SC-7/7   Supports known IP packet discard                              SC-7/7:M    SC-5/3
SC-7/9   Monitors firewall status and fails secure                     SC-7/9:M
SC-7/10  Classifies application function                               SC-7/10:M
SC-7/11  Supports at least four application categories                 SC-7/11:M              Note number supported
SC-7/12  Supports putting an application in multiple categories        SC-7/12:O