Control: The information system:
Boundary Protection Supplemental Guidance:
Managed interfaces include, for example, gateways, routers, firewalls, guards, network-based malicious code analysis and virtualisation systems, or encrypted tunnels implemented within a security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Subnetworks that are physically or logically separated from internal networks are referred to as demilitarised zones or DMZs. Restricting or prohibiting interfaces within organisational information systems includes, for example, restricting external web traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organisations consider the shared nature of commercial telecommunications services in the implementation of security controls associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers, and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions.
Related controls: AC-4, AC-17, CA-3, CM-7, CP-8, IR-4, RA-3, SC-5, SC-13.
Boundary Protection Control Enhancements:
SC-7 (1) Boundary Protection - Physically separated subnetworks
[Withdrawn: Incorporated into SC-7].
SC-7 (2) Boundary Protection - Public Access
[Withdrawn: Incorporated into SC-7].
SC-7 (3) Boundary Protection - Access Points
The organisation limits the number of external network connections to the information system.
Supplemental Guidance: Limiting the number of external network connections facilitates more comprehensive monitoring of inbound and outbound communications traffic. The Trusted Internet Connection (TIC) initiative is an example of limiting the number of external network connections.
SC-7 (4) Boundary Protection - External Telecommunications Services
The organisation:
- (a) Implements a managed interface for each external telecommunication service;
- (b) Establishes a traffic flow policy for each managed interface;
- (c) Protects the confidentiality and integrity of the information being transmitted across each interface;
- (d) Documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need; and
- (e) Reviews exceptions to the traffic flow policy [Assignment: organisation-defined frequency] and removes exceptions that are no longer supported by an explicit mission/business need.
Supplemental Guidance: Related control: SC-8.
SC-7 (5) Boundary Protection - Deny by Default / Allow by Exception
The information system at managed interfaces denies network communications traffic by default and allows network communications traffic by exception (i.e., deny all, permit by exception).
Supplemental Guidance: This control enhancement applies to both inbound and outbound network communications traffic. A deny-all, permit-by-exception network communications traffic policy ensures that only those connections which are essential and approved are allowed.
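As an added example (not part of the control text), the following Python policy evaluator models the deny-all, permit-by-exception rule of SC-7 (5) for both inbound and outbound flows, the spoofed-internal-address check from the SC-7 guidance, and the authorised source/destination pair determinations of SC-7 (11). The `Flow` type, address ranges, rules and disallowed pairs are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    direction: str  # "inbound" or "outbound" relative to the managed interface
    src: str
    dst: str
    dport: int
    proto: str

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # constructed internal address range

# Explicit exceptions (constructed): (direction, src_net, dst_net, dport, proto).
# Anything not listed here is denied, i.e. deny all, permit by exception.
ALLOW_RULES = [
    # inbound web traffic only to the designated public web server in the DMZ
    ("inbound", "0.0.0.0/0", "203.0.113.10/32", 443, "tcp"),
    # outbound client traffic only to the authenticated proxy (SC-7 (8))
    ("outbound", "10.0.0.0/8", "10.1.0.5/32", 3128, "tcp"),
]

# Source/destination pairs disallowed even where a broader exception would match.
DENY_PAIRS = {("198.51.100.66", "203.0.113.10")}

def evaluate(flow: Flow) -> tuple:
    """Return (verdict, reason); the verdict is 'allow' only on an explicit match."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    # Inbound traffic claiming an internal source address is spoofed: deny it.
    if flow.direction == "inbound" and src in INTERNAL:
        return ("deny", "spoofed internal source address")
    if (flow.src, flow.dst) in DENY_PAIRS:
        return ("deny", "source/destination pair explicitly disallowed")
    for direction, s_net, d_net, port, proto in ALLOW_RULES:
        if (direction == flow.direction and proto == flow.proto and port == flow.dport
                and src in ipaddress.ip_network(s_net)
                and dst in ipaddress.ip_network(d_net)):
            return ("allow", f"exception {s_net} -> {d_net}:{port}/{proto}")
    return ("deny", "no matching exception (default deny)")

def audit(flows) -> list:
    """Run each flow through the policy and keep the denied ones for review."""
    denied = []
    for f in flows:
        verdict, reason = evaluate(f)
        if verdict == "deny":
            denied.append((f, reason))
    return denied
```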
SC-7 (6) Boundary Protection - Response to recognised failures
[Withdrawn: Incorporated into SC-7 (18)].
SC-7 (7) Boundary Protection - Prevent split tunnelling for remote devices
The information system, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks.
Supplemental Guidance: This control enhancement is implemented within remote devices (e.g., notebook computers) through configuration settings to disable split tunnelling in those devices, and by preventing those configuration settings from being readily configurable by users. This control enhancement is implemented within the information system by the detection of split tunnelling (or of configuration settings that allow split tunnelling) in the remote device, and by prohibiting the connection if the remote device is using split tunnelling. Split tunnelling might be desirable by remote users to communicate with local information system resources such as printers/file servers. However, split tunnelling would in effect allow unauthorised external connections, making the system more vulnerable to attack and to exfiltration of organisational information. The use of VPNs for remote connections, when adequately provisioned with appropriate security controls, may provide the organisation with sufficient assurance that it can effectively treat such connections as non-remote connections from the confidentiality and integrity perspective. VPNs thus provide a means for allowing non-remote communications paths from remote devices. The use of an adequately provisioned VPN does not eliminate the need for preventing split tunnelling.
SC-7 (8) Boundary Protection - Route traffic to authenticated proxy servers
The information system routes [Assignment: organisation-defined internal communications traffic] to [Assignment: organisation-defined external networks] through authenticated proxy servers at managed interfaces.
Supplemental Guidance: External networks are networks outside of organisational control. A proxy server is a server (i.e., information system or application) that acts as an intermediary for clients requesting information system resources (e.g., files, connections, web pages, or services) from other organisational servers. Client requests established through an initial connection to the proxy server are evaluated to manage complexity and to provide additional protection by limiting direct connectivity. Web content filtering devices are one of the most common proxy servers providing access to the Internet. Proxy servers support logging individual Transmission Control Protocol (TCP) sessions and blocking specific Uniform Resource Locators (URLs), domain names, and Internet Protocol (IP) addresses. Web proxies can be configured with organisation-defined lists of authorised and unauthorised websites.
SC-7 (9) Boundary Protection - Restrict threatening outgoing communications traffic
The information system:
- (a) Detects and denies outgoing communications traffic posing a threat to external information systems; and
- (b) Audits the identity of internal users associated with denied communications.
Supplemental Guidance: Detecting outgoing communications traffic from internal actions that may pose threats to external information systems is sometimes termed extrusion detection. Extrusion detection at information system boundaries as part of managed interfaces includes the analysis of incoming and outgoing communications traffic searching for indications of internal threats to the security of external systems. Such threats include, for example, traffic indicative of denial of service attacks and traffic containing malicious code.
SC-7 (10) Boundary Protection - Prevent Unauthorised Exfiltration
The organisation prevents the unauthorised exfiltration of information across managed interfaces.
Supplemental Guidance: Safeguards implemented by organisations to prevent unauthorised exfiltration of information from information systems include, for example:
- (i) strict adherence to protocol formats;
- (ii) monitoring for beaconing from information systems;
- (iii) monitoring for steganography;
- (iv) disconnecting external network interfaces except when explicitly needed;
- (v) disassembling and reassembling packet headers; and
- (vi) employing traffic profile analysis to detect deviations from the volume/types of traffic expected within organisations or call backs to command and control centres.
Devices enforcing strict adherence to protocol formats include, for example, deep packet inspection firewalls and XML gateways. These devices verify adherence to protocol formats and specification at the application layer and serve to identify vulnerabilities that cannot be detected by devices operating at the network or transport layers. This control enhancement is closely associated with cross-domain solutions and system guards enforcing information flow requirements.
Related control: SI-3.
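The beaconing and traffic-profile monitoring named in items (ii) and (vi) above can be reduced to a simple detection over connection records: a timer-driven call-back to a command and control server produces near-constant gaps between connections, whereas user-driven traffic is bursty. The following Python example is added here and is not part of the control text; the flow records, field layout and thresholds are constructed for illustration.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed flow records (not from the page): "timestamp src dst dport bytes".
# 10.0.4.17 calls out every ~5 minutes; 10.0.4.22 shows ordinary bursty browsing.
SAMPLE_FLOWS = """\
2024-03-01T09:00:00 10.0.4.17 198.51.100.23 443 612
2024-03-01T09:05:01 10.0.4.17 198.51.100.23 443 598
2024-03-01T09:09:59 10.0.4.17 198.51.100.23 443 620
2024-03-01T09:15:00 10.0.4.17 198.51.100.23 443 605
2024-03-01T09:20:02 10.0.4.17 198.51.100.23 443 611
2024-03-01T09:24:58 10.0.4.17 198.51.100.23 443 600
2024-03-01T09:00:12 10.0.4.22 203.0.113.80 443 4820
2024-03-01T09:00:47 10.0.4.22 203.0.113.80 443 51200
2024-03-01T09:07:30 10.0.4.22 203.0.113.80 443 2300
2024-03-01T09:31:05 10.0.4.22 203.0.113.80 443 9800
2024-03-01T10:02:44 10.0.4.22 203.0.113.80 443 700
2024-03-01T10:03:01 10.0.4.22 203.0.113.80 443 12000
"""

def parse_flows(text: str) -> list:
    """Parse the constructed record format into (datetime, src, dst, dport, bytes)."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, dport, nbytes = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes)))
    return flows

def find_beacons(flows, min_connections: int = 5, max_cv: float = 0.1) -> list:
    """Flag (src, dst, dport) tuples whose inter-connection gaps are near-constant.

    cv is the coefficient of variation (population stdev / mean) of the gaps between
    successive connections; regular timer-driven traffic has a cv close to zero.
    Returns (key, mean_gap_seconds, cv) for each flagged tuple.
    """
    by_tuple = defaultdict(list)
    for ts, src, dst, dport, _ in flows:
        by_tuple[(src, dst, dport)].append(ts)
    hits = []
    for key, times in by_tuple.items():
        if len(times) < min_connections:
            continue  # too few connections to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.fmean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            hits.append((key, round(mean), round(cv, 3)))
    return hits
```

The same grouping can be extended with per-tuple byte totals to compare against an expected traffic profile, which covers item (vi).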
SC-7 (11) Boundary Protection - Restrict Incoming Communications Traffic
The information system only allows incoming communications from [Assignment: organisation-defined authorised sources] to be routed to [Assignment: organisation-defined authorised destinations].
Supplemental Guidance: This control enhancement provides determinations that source and destination address pairs represent authorised/allowed communications. Such determinations can be based on several factors including, for example, the presence of source/destination address pairs in lists of authorised/allowed communications, the absence of address pairs in lists of unauthorised/disallowed pairs, or meeting more general rules for authorised/allowed source/destination pairs.
Related control: AC-3.
SC-7 (12) Boundary Protection - Host based protection
The organisation implements [Assignment: organisation-defined host-based boundary protection mechanisms] at [Assignment: organisation-defined information system components].
Supplemental Guidance: Host-based boundary protection mechanisms include, for example, host-based firewalls. Information system components employing host-based boundary protection mechanisms include, for example, servers, workstations, and mobile devices.
SC-7 (13) Boundary Protection - Isolation of Security Tools / Mechanisms / Support Components
The organisation isolates [Assignment: organisation-defined information security tools, mechanisms, and support components] from other internal information system components by implementing physically separate subnetworks with managed interfaces to other components of the system.
Supplemental Guidance: Physically separate subnetworks with managed interfaces are useful, for example, in isolating computer network defences from critical operational processing networks to prevent adversaries from discovering the analysis and forensics techniques of organisations.
SC-7 (14) Boundary Protection - Protects against Unauthorised physical connections
The organisation protects against unauthorised physical connections at [Assignment: organisation-defined managed interfaces].
Supplemental Guidance: Information systems operating at different security categories or classification levels may share common physical and environmental controls, since the systems may share space within organisational facilities. In practice, it is possible that these separate information systems may share common equipment rooms, wiring closets, and cable distribution paths. Protection against unauthorised physical connections can be achieved, for example, by employing clearly identified and physically separated cable trays, connection frames, and patch panels for each side of managed interfaces with physical access controls enforcing limited authorised access to these items.
SC-7 (16) Boundary Protection - Prevent discovery of components / devices
The information system prevents discovery of specific system components composing a managed interface.
Supplemental Guidance: This control enhancement protects network addresses of information system components that are part of managed interfaces from discovery through common tools and techniques used to identify devices on networks. Network addresses are not available for discovery (e.g., network address not published or entered in domain name systems), requiring prior knowledge for access. Another obfuscation technique is to periodically change network addresses.
SC-7 (17) Boundary Protection - Automated Enforcement of Protocol Formats
The information system enforces adherence to protocol formats.
Supplemental Guidance: Information system components that enforce protocol formats include, for example, deep packet inspection firewalls and XML gateways. Such system components verify adherence to protocol formats/specifications (e.g., IEEE) at the application layer and identify significant vulnerabilities that cannot be detected by devices operating at the network or transport layers.
Related control: SC-4.
SC-7 (18) Boundary Protection - Fail Secure
The information system fails securely in the event of an operational failure of a boundary protection device.
Supplemental Guidance: Fail secure is a condition achieved by employing information system mechanisms to ensure that in the event of operational failures of boundary protection devices at managed interfaces (e.g., routers, firewalls, guards, and application gateways residing on protected subnetworks commonly referred to as demilitarised zones), information systems do not enter into insecure states where intended security properties no longer hold. Failures of boundary protection devices cannot lead to, or cause information external to the devices to enter the devices, nor can failures permit unauthorised information releases.
SC-7 (19) Boundary Protection - Blocks communication from non-organisationally configured hosts
The information system blocks both inbound and outbound communications traffic between [Assignment: organisation-defined communication clients] that are independently configured by end users and external service providers.
Supplemental Guidance: Communication clients independently configured by end users and external service providers include, for example, instant messaging clients. Traffic blocking does not apply to communication clients that are configured by organisations to perform authorised functions.
SC-7 (20) Boundary Protection - Dynamic Isolation / Segregation
The information system provides the capability to dynamically isolate/segregate [Assignment: organisation-defined information system components] from other components of the system.
Supplemental Guidance: The capability to dynamically isolate or segregate certain internal components of organisational information systems is useful when it is necessary to partition or separate certain components of dubious origin from those components possessing greater trustworthiness. Component isolation reduces the attack surface of organisational information systems. Isolation of selected information system components is also a means of limiting the damage from successful cyber attacks when those attacks occur.
SC-7 (21) Boundary Protection - Isolation of Information system components
The organisation employs boundary protection mechanisms to separate [Assignment: organisation-defined information system components] supporting [Assignment: organisation-defined missions and/or business functions].
Supplemental Guidance: Organisations can isolate information system components performing different missions and/or business functions. Such isolation limits unauthorised information flows among system components and also provides the opportunity to deploy greater levels of protection for selected components. Separating system components with boundary protection mechanisms provides the capability for increased protection of individual components and to more effectively control information flows between those components. This type of enhanced protection limits the potential harm from cyber attacks and errors. The degree of separation provided varies depending upon the mechanisms chosen. Boundary protection mechanisms include, for example, routers, gateways, and firewalls separating system components into physically separate networks or subnetworks, cross-domain devices separating subnetworks, virtualisation techniques, and encrypting information flows among system components using distinct encryption keys.
SC-7 (22) Boundary Protection - Separate subnets for connecting to different security domains
The information system implements separate network addresses (i.e., different subnets) to connect to systems in different security domains.
Supplemental Guidance: Decomposition of information systems into subnets helps to provide the appropriate level of protection for network connections to different security domains containing information with different security categories or classification levels.
SC-7 (23) Boundary Protection - Disable sender feedback on protocol validation failure
The information system disables feedback to senders on protocol format validation failure.
Supplemental Guidance: Disabling feedback to senders when there is a failure in protocol validation format prevents adversaries from obtaining information which would otherwise be unavailable.
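SC-7 (17) and SC-7 (23) work together: a gateway enforcing protocol formats must decide what a non-conforming sender learns about why its message was refused. The following Python example is added here and is not the control text's or any product's code; it validates an HTTP/1.1 request head against the token and request-line grammar of RFC 7230 (written out explicitly rather than relying on a lenient parser) and shows the silent-drop behaviour of SC-7 (23) beside the informative 400 response that the enhancement disables. The permitted method set and sample requests are constructed.

```python
import re

# RFC 7230 grammar written out explicitly so the check is strict, not permissive.
TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
REQUEST_LINE = re.compile(rf"^({TOKEN}) ([^ \t]+) HTTP/1\.[01]$")
HEADER_LINE = re.compile(rf"^({TOKEN}):[ \t]*([\x21-\x7e][\x20-\x7e]*)?$")
ALLOWED_METHODS = {"GET", "HEAD", "POST"}  # constructed policy for this interface

def validate_http_request(raw: bytes) -> list:
    """Return the list of format violations; an empty list means the head conforms."""
    violations = []
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return ["non-ASCII byte in request head"]
    if not text.endswith("\r\n\r\n"):
        violations.append("head not terminated by CRLF CRLF")
    if "\n" in text.replace("\r\n", ""):
        violations.append("bare LF line ending")
    lines = text.rstrip("\r\n").split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        violations.append(f"malformed request line: {lines[0]!r}")
    elif m.group(1) not in ALLOWED_METHODS:
        violations.append(f"method not permitted: {m.group(1)}")
    content_lengths = set()
    for line in lines[1:]:
        h = HEADER_LINE.match(line)
        if not h:
            violations.append(f"malformed header line: {line!r}")
            continue
        name, value = h.group(1).lower(), (h.group(2) or "").rstrip(" \t")
        if name == "content-length":
            if not value.isdigit():
                violations.append("non-numeric Content-Length")
            content_lengths.add(value)
    if len(content_lengths) > 1:
        violations.append("conflicting Content-Length values")
    return violations

def gateway_decision(raw: bytes, feedback_to_sender: bool = False) -> tuple:
    """Forward conforming requests. For non-conforming ones either drop silently
    (SC-7 (23): the reason is logged internally, nothing is sent back) or, when
    feedback is enabled, answer with a 400 that tells the sender what failed."""
    violations = validate_http_request(raw)
    if not violations:
        return ("forward", None)
    if feedback_to_sender:
        body = "; ".join(violations)
        return ("reject", f"HTTP/1.1 400 Bad Request\r\nContent-Length: {len(body)}\r\n\r\n{body}")
    return ("drop", None)
```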
Boundary Protection Terminology
A firewall is a network security system, either hardware- or software-based, that uses rules to control incoming and outgoing network traffic.
A firewall acts as a barrier between a trusted network and an untrusted network. A firewall controls access to the resources of a network through a positive control model. This means that the only traffic allowed onto the network is defined in the firewall policy; all other traffic is denied.
Before firewalls emerged in the late 1980s, the only real form of network security was the access control list (ACL) residing on routers. ACLs determined which IP addresses were granted or denied access to the network.