Description:   

Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones (DMZs). DMZs are typically implemented with boundary control devices and techniques that include routers, gateways, firewalls, virtualization, or cloud-based technologies. [SP 800-41] provides guidance on firewalls and firewall policy. [SP 800-125B] provides guidance on security for virtualization technologies.


Priority: High   


Category: Security Architecture 


Services Associated with AWS:   

  • Amazon VPC, AWS Direct Connect, AWS Transit Gateway, AWS VPN
  • Amazon VPC, AWS WAF, AWS Shield, AWS Firewall Manager, AWS Direct Connect, AWS Transit Gateway
  • Amazon VPC, AWS Direct Connect, AWS Transit Gateway, AWS Shield, AWS Firewall Manager, AWS Config 


Objective Evidence:  

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation of role-based security training being performed
  • Administrative: supporting documentation of professional competence by individual(s) performing security / IT architecture roles
  • Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations 


Possible Technology Considerations:

  • Secure Baseline Configurations (SBC)
  • Access Control List (ACL)
  • Demilitarized Zone (DMZ) 


What needs to be answered:

Does the company implement DMZs? Are they adequate to meet the needs of the company? Does the system monitor and manage communications at the system boundary and at key internal boundaries within the system? 

  • Implementation of Subnetworks for Publicly Accessible Systems
    Description: This check ensures that subnetworks, or demilitarized zones (DMZs), are implemented for publicly accessible system components and that they are physically or logically separated from internal networks.
  • Usage of Boundary Control Devices and Techniques
    Description: This check verifies that boundary control devices and techniques, including routers, gateways, firewalls, virtualization, or cloud-based technologies, are used to maintain the separation of subnetworks from internal networks.
  • Secure Configuration of DMZs
    Description: This check confirms that DMZs are configured securely to protect internal networks from threats that could originate from publicly accessible systems.
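The three checks above say what an assessor looks for but not how to test it against a live layout. As an added example (not part of this page and not AWS tooling), the Python below evaluates all three offline over a constructed inventory shaped like simplified EC2 DescribeRouteTables / DescribeSecurityGroups / DescribeInstances responses. The subnet, instance and security-group IDs, the CIDRs, and the list of ports a DMZ host may expose are assumptions. A subnet counts as a DMZ when its route table carries a default route to an internet gateway; the audit then flags hosts in private subnets whose security groups admit Internet-sourced ingress, and DMZ hosts that expose more than the permitted ports.

```python
"""Offline audit of an AWS-style network layout against the three DMZ checks.

The input dictionaries mirror (in simplified form) the shape of the EC2
DescribeRouteTables, DescribeSecurityGroups and DescribeInstances responses,
so the same logic could be fed from the corresponding boto3 describe_* calls.
Every ID, CIDR and port below is a constructed sample value; the set of ports a
DMZ host may expose is an assumption made for this example.
"""

INTERNET_CIDRS = {"0.0.0.0/0", "::/0"}


def classify_subnets(route_tables):
    """Return {subnet_id: 'public' | 'private'}.

    A subnet is 'public' (a DMZ candidate) when its route table carries a
    default route to an internet gateway; any other explicitly associated
    subnet is 'private'. Subnets that only use the implicit main route table
    are not classified, and audit() reports them as a finding.
    """
    kinds = {}
    for rt in route_tables:
        has_igw_default = any(
            route.get("DestinationCidrBlock") in INTERNET_CIDRS
            and str(route.get("GatewayId", "")).startswith("igw-")
            for route in rt.get("Routes", [])
        )
        for assoc in rt.get("Associations", []):
            if "SubnetId" in assoc:
                kinds[assoc["SubnetId"]] = "public" if has_igw_default else "private"
    return kinds


def internet_ingress_rules(sg):
    """Yield (from_port, to_port, protocol) for each ingress rule sourced from
    the whole Internet. Rules sourced from another security group or from an
    internal CIDR are not yielded."""
    for perm in sg.get("IpPermissions", []):
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        if any(src in INTERNET_CIDRS for src in sources):
            # IpProtocol "-1" means all traffic; AWS omits the port fields then.
            yield (perm.get("FromPort", 0), perm.get("ToPort", 65535), perm.get("IpProtocol", "-1"))


def audit(route_tables, security_groups, instances, allowed_dmz_ports=(80, 443)):
    """Evaluate the DMZ checks and return a list of findings (empty = all pass).

    NO_DMZ / NO_INTERNAL   the subnets do not realise a public/internal split
    UNCLASSIFIED_SUBNET    an instance sits in a subnet with no explicit route table
    INTERNAL_EXPOSED       a private-subnet host accepts Internet-sourced ingress
    DMZ_OVERBROAD          a DMZ host accepts Internet ingress beyond the allowed ports
    """
    kinds = classify_subnets(route_tables)
    sgs = {sg["GroupId"]: sg for sg in security_groups}
    findings = []
    if "public" not in kinds.values():
        findings.append("NO_DMZ: no subnet has a default route to an internet gateway")
    if "private" not in kinds.values():
        findings.append("NO_INTERNAL: every subnet is directly Internet-routable")
    for inst in instances:
        iid, subnet = inst["InstanceId"], inst["SubnetId"]
        if subnet not in kinds:
            findings.append(f"UNCLASSIFIED_SUBNET: {iid} in {subnet} uses the implicit main route table")
            continue
        for ref in inst.get("SecurityGroups", []):
            gid = ref["GroupId"]
            for lo, hi, proto in internet_ingress_rules(sgs[gid]):
                rule = f"{gid} ({proto} {lo}-{hi})"
                if kinds[subnet] == "private":
                    findings.append(f"INTERNAL_EXPOSED: {iid} in {subnet} allows Internet ingress via {rule}")
                elif proto == "-1" or lo != hi or lo not in allowed_dmz_ports:
                    findings.append(f"DMZ_OVERBROAD: {iid} in {subnet} allows Internet ingress via {rule}")
    return findings


# --- constructed sample inventory (not a real account) ---
ROUTE_TABLES = [
    {"RouteTableId": "rtb-dmz", "Associations": [{"SubnetId": "subnet-dmz"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example"}]},
    {"RouteTableId": "rtb-int", "Associations": [{"SubnetId": "subnet-int"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
]
SECURITY_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [  # DMZ web tier: HTTPS only
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-app", "IpPermissions": [  # internal tier: reachable only from sg-web
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-web"}]}]},
    {"GroupId": "sg-db-bad", "IpPermissions": [  # misconfigured: SSH open to the world
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-dmz-bad", "IpPermissions": [  # misconfigured: all traffic from anywhere
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]
INSTANCES = [
    {"InstanceId": "i-web", "SubnetId": "subnet-dmz", "SecurityGroups": [{"GroupId": "sg-web"}]},
    {"InstanceId": "i-app", "SubnetId": "subnet-int", "SecurityGroups": [{"GroupId": "sg-app"}]},
    {"InstanceId": "i-db", "SubnetId": "subnet-int", "SecurityGroups": [{"GroupId": "sg-db-bad"}]},
    {"InstanceId": "i-jump", "SubnetId": "subnet-dmz", "SecurityGroups": [{"GroupId": "sg-dmz-bad"}]},
]

if __name__ == "__main__":
    for line in audit(ROUTE_TABLES, SECURITY_GROUPS, INSTANCES) or ["PASS: all DMZ checks satisfied"]:
        print(line)
```

Against the sample inventory the audit reports two findings: `i-db` is an internal host whose group admits SSH from the Internet, and `i-jump` is a DMZ host exposing every port. In a real account the same three dictionaries can be filled from the boto3 EC2 client's `describe_route_tables`, `describe_security_groups` and `describe_instances` calls; network ACLs, AWS WAF and AWS Shield are deliberately not modelled here, so a pass from this script covers security-group and routing separation only.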


More Details:   

All CUI-containing systems are on a cloud-based network completely detached from the company network.