Description:
Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones (DMZs). DMZs are typically implemented with boundary control devices and techniques that include routers, gateways, firewalls, virtualization, or cloud-based technologies. [SP 800-41] provides guidance on firewalls and firewall policy. [SP 800-125B] provides guidance on security for virtualization technologies.
Priority: High
Category: Security Architecture
Services Associated with AWS:
- Amazon VPC, AWS Direct Connect, AWS Transit Gateway, AWS VPN
- Amazon VPC, AWS WAF, AWS Shield, AWS Firewall Manager, AWS Direct Connect, AWS Transit Gateway
- Amazon VPC, AWS Direct Connect, AWS Transit Gateway, AWS Shield, AWS Firewall Manager, AWS Config
Objective Evidence:
- Administrative: documented policies, standards & procedures
- Administrative: supporting documentation of role-based security training being performed
- Administrative: supporting documentation of professional competence by individual(s) performing security / IT architecture roles
- Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations
Possible Technology Considerations:
- Secure Baseline Configurations (SBC)
- Access Control List (ACL)
- Demilitarized Zone (DMZ)
What needs to be answered:
Does the company implement DMZs? Are they adequate to meet the needs of the company? Does the system monitor and manage communications at the system boundary and at key internal boundaries within the system?
- Implementation of Subnetworks for Publicly Accessible Systems
Description: This check ensures that subnetworks, or demilitarized zones (DMZs), are implemented for publicly accessible system components and that they are physically or logically separated from internal networks.
- Usage of Boundary Control Devices and Techniques
Description: This check verifies that boundary control devices and techniques, including routers, gateways, firewalls, virtualization, or cloud-based technologies, are used to maintain the separation of subnetworks from internal networks.
- Secure Configuration of DMZs
Description: This check confirms that DMZs are configured securely to protect internal networks from threats that could originate from publicly accessible systems.
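As an added illustration, not part of this control record or of any AWS tooling, the three checks above applied to a constructed, simplified Amazon VPC model: public components must sit in a DMZ subnet, internal subnets must have no internet gateway route, and the internal subnet's network ACL must admit DMZ traffic only on allow-listed ports. Subnet names, CIDRs, rule numbers and ports are assumed; ACL evaluation follows AWS first-match semantics.

```python
import ipaddress

# Constructed sample VPC model for illustration only (not real account data):
# a DMZ subnet holding the public web tier and an internal subnet holding CUI systems.
VPC = {
    "subnets": {
        "subnet-dmz": {"cidr": "10.0.1.0/24", "zone": "dmz", "route_table": "rtb-dmz"},
        "subnet-internal": {"cidr": "10.0.10.0/24", "zone": "internal", "route_table": "rtb-int"},
    },
    "route_tables": {
        "rtb-dmz": [{"dest": "0.0.0.0/0", "target": "igw-main"}],   # internet-facing
        "rtb-int": [{"dest": "0.0.0.0/0", "target": "nat-main"}],   # egress only via NAT
    },
    # Inbound network ACL rules per subnet: AWS evaluates them in rule-number order,
    # first match wins, and anything unmatched is denied.
    "nacls": {"subnet-internal": [
        {"rule": 100, "action": "allow", "cidr": "10.0.1.0/24", "port": 8443},  # app port from DMZ
        {"rule": 200, "action": "deny", "cidr": "10.0.1.0/24", "port": "all"},  # everything else from DMZ
        {"rule": 300, "action": "allow", "cidr": "10.0.0.0/16", "port": "all"},  # rest of the VPC
    ]},
    "public_components": {"web-01": "subnet-dmz"},
}

def nacl_permits(rules, src_ip, port):
    """First-match evaluation of inbound NACL rules; no match means deny."""
    ip = ipaddress.ip_address(src_ip)
    for r in sorted(rules, key=lambda r: r["rule"]):
        if ip in ipaddress.ip_network(r["cidr"]) and r["port"] in ("all", port):
            return r["action"] == "allow"
    return False

def assess_dmz(vpc, allowed_ports, probe_ports=(22, 443, 3389, 8443)):
    """Run the three checks; returns a list of findings (empty means pass)."""
    findings, subnets, rtbs = [], vpc["subnets"], vpc["route_tables"]
    for name, sn in vpc["public_components"].items():   # check 1: public parts live in the DMZ
        if subnets[sn]["zone"] != "dmz":
            findings.append(f"{name} is publicly accessible but sits in non-DMZ subnet {sn}")
    for sn, meta in subnets.items():
        if meta["zone"] != "internal":
            continue
        if any(r["target"].startswith("igw-") for r in rtbs[meta["route_table"]]):
            findings.append(f"internal subnet {sn} has a route to an internet gateway")  # check 2
        for dmz, dmeta in ((k, v) for k, v in subnets.items() if v["zone"] == "dmz"):
            src = str(ipaddress.ip_network(dmeta["cidr"])[10])  # an arbitrary DMZ host address
            for port in (p for p in probe_ports if p not in allowed_ports):
                if nacl_permits(vpc["nacls"].get(sn, []), src, port):   # check 3: DMZ -> internal
                    findings.append(f"DMZ {dmz} can reach internal {sn} on port {port}")
    return findings
```

Deleting rule 200 from the model is the instructive failure: the VPC-wide allow in rule 300 then matches DMZ sources as well, and the assessment reports the internal subnet as reachable from the DMZ on every probed port outside the allow-list.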
More Details:
All CUI-containing systems reside on a cloud-based network that is completely detached from the company network.