SC-07 Boundary Protection
Control: The information system monitors and controls communications at the external boundary of the information system and at key internal boundaries within the system.
Supplemental Guidance: Any connections to the Internet, or other external networks or information systems, occur through managed interfaces consisting of appropriate boundary protection devices (e.g., proxies, gateways, routers, firewalls, guards, encrypted tunnels) arranged in an effective architecture (e.g., routers protecting firewalls and application gateways residing on a protected subnetwork commonly referred to as a demilitarized zone or DMZ). Information system boundary protections at any designated alternate processing sites provide the same levels of protection as that of the primary site. As part of a defense-in-depth protection strategy, the organization considers partitioning higher- impact information systems into separate physical domains (or environments) and applying the concepts of managed interfaces described above to restrict or prohibit network access in accordance with an organizational assessment of risk. FIPS 199 security categorization guides the selection of appropriate candidates for domain partitioning. The organization carefully considers the intrinsically shared nature of commercial telecommunications services in the implementation of security controls associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers, and may include third party provided access lines and other service elements. Consequently, such interconnecting transmission services may represent sources of increased risk despite contract security provisions. Therefore, when this situation occurs, the organization either implements appropriate compensating security controls or explicitly accepts the additional risk. NIST Special Publication 800-77 provides guidance on virtual private networks. Related security controls: MP- 4, RA-2.
(1) The organization physically allocates publicly accessible information system components to separate subnetworks with separate, physical network interfaces.
Enhancement Supplemental Guidance: Publicly accessible information system components include, for example, public web servers.
(2) The organization prevents public access into the organization’s internal networks except as appropriately mediated.
(3) The organization limits the number of access points to the information system to allow for better monitoring of inbound and outbound network traffic.
(4) The organization implements a managed interface (boundary protection devices in an effective security architecture) with any external telecommunication service, implementing controls appropriate to the required protection of the confidentiality and integrity of the information being transmitted.
(5) The information system denies network traffic by default and allows network traffic by exception (i.e., deny all, permit by exception).
(6) The organization prevents the unauthorized release of information outside of the information system boundary or any unauthorized communication through the information system boundary when there is an operational failure of the boundary protection mechanisms.
Baseline: LOW SC-7 MOD SC-7 (1) (2) (3) (4) (5) HIGH SC-7 (1) (2) (3) (4) (5) (6)
Family: System And Communications Protection
ISO 17799 mapping: 11.4.6
COBIT 4.1 mapping: DS5.10
PCI-DSS v2 mapping: 1.2, 1.2.1, 1.3.1, 1.3.2, 1.3.3, 1.3.4