Description:
Communications can be monitored, controlled, and protected at boundary components and by restricting or prohibiting interfaces in organizational systems. Boundary components include gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a system security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Restricting or prohibiting interfaces in organizational systems includes restricting external web communications traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security requirements associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers and may also include third-party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions. [SP 800-41] provides guidance on firewalls and firewall policy. [SP 800-125B] provides guidance on security for virtualization technologies.
[28] There is no prescribed format or specified level of detail for system security plans. However, organizations ensure that the required information in 3.12.4 is conveyed in those plans.
Priority: High
Category: Security Architecture
Services Associated with AWS:
- AWS Network Firewall, AWS VPC Traffic Mirroring, AWS Direct Connect, AWS WAF, AWS Shield
- AWS Security Groups, AWS Identity and Access Management (IAM), AWS WAF, AWS Shield
Objective Evidence:
- Administrative: documented policies, standards & procedures
- Administrative: supporting documentation to demonstrate how content filtering is governed
- Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations
- Technical: screenshot of configuration settings
- Technical: screenshot of content filter settings
Possible Technology Considerations:
- Secure Baseline Configurations (SBC)
- IT Asset Management (ITAM)
- Configuration Management Database (CMDB)
- Content / DNS Filtering Solution
What needs to be answered:
Has the company identified network communications boundaries? Does the system monitor and manage communications at the system boundary and at key internal boundaries within the system? Do policies exist for managed interfaces such as gateways, routers, firewalls, VPNs, and company DMZs that restrict external web traffic to designated servers only?
- Monitoring and Control of Communication at Boundaries
Description: This check ensures that communications are monitored, controlled, and protected at the external boundaries and key internal boundaries of organizational systems. This includes the use of boundary components such as gateways, routers, firewalls, and encrypted tunnels.
- Restricting and Prohibiting Interfaces in Organizational Systems
Description: This check verifies that interfaces in organizational systems are restricted or prohibited as necessary. This could include restricting external web communications traffic to designated web servers and prohibiting external traffic that appears to be spoofing internal addresses.
- Consideration of Commercial Telecommunications Services in Security Implementation
Description: This check confirms that organizations consider the shared nature of commercial telecommunications services in the implementation of security requirements. Despite contract security provisions, such services can represent sources of increased risk.
Related AWS Service: AWS Direct Connect, AWS Transit Gateway, AWS VPN
More Details:
Company systems are monitored at internal and external communication boundaries.
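As an added example (not part of the control text and not AWS tooling), the following Python models a first-match rule set on an internet-facing boundary and audits it for the two conditions named in the description and in the "Restricting and Prohibiting Interfaces" check: external web traffic may reach only designated web servers, and inbound packets whose source address claims to be internal must be dropped. The rule format, the RFC 1918 ranges treated as "internal", the two web server addresses and both rule sets are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values for the example: RFC 1918 ranges as "internal", two designated web servers.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WEB_SERVERS = {ipaddress.ip_address("10.10.1.5"), ipaddress.ip_address("10.10.1.6")}
WEB_PORTS = {80, 443}

@dataclass(frozen=True)
class Rule:  # one first-match rule on the internet-facing interface (hypothetical format)
    action: str                      # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dports: frozenset = frozenset()  # empty set means any destination port

def rule(action, src, dst, *dports):
    return Rule(action, ipaddress.ip_network(src), ipaddress.ip_network(dst), frozenset(dports))

def decide(rules, src, dst, dport):
    """Simulate the boundary device: first matching rule wins, otherwise implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if src in r.src and dst in r.dst and (not r.dports or dport in r.dports):
            return r.action
    return "deny"

def audit(rules):
    """Return findings for the two checks; an empty list means the rule set passes both."""
    findings = []
    # Check 1: a packet arriving from outside with an internal source address must never be accepted.
    for net in INTERNAL:
        probe = net[1]  # any host in the range; from the outside only a spoofer can present it
        if decide(rules, probe, min(WEB_SERVERS), 443) == "allow":
            findings.append(f"spoofed internal source {probe} is accepted at the boundary")
    # Check 2: web ports may be opened from the outside only toward the designated web servers.
    for r in rules:
        if r.action != "allow" or (r.dports and not r.dports & WEB_PORTS):
            continue
        if r.dst.num_addresses > 256 or any(h not in WEB_SERVERS for h in r.dst):
            findings.append(f"web traffic allowed to non-designated destination {r.dst}")
    return findings

# Constructed rule sets: a common weak one and its hardened counterpart.
WEAK = [rule("allow", "0.0.0.0/0", "10.10.1.0/24", 80, 443)]
HARDENED = [rule("deny", str(n), "0.0.0.0/0") for n in INTERNAL] + [
    rule("allow", "0.0.0.0/0", "10.10.1.5/32", 80, 443),
    rule("allow", "0.0.0.0/0", "10.10.1.6/32", 80, 443),
]
```

Calling audit(WEAK) reports the three spoofable internal ranges plus the over-broad /24 destination, while audit(HARDENED) returns no findings because the explicit denies precede the allows and each allow names one designated server.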