Level 1


Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones (DMZs). DMZs are typically implemented with boundary control devices and techniques that include routers, gateways, firewalls, virtualization, or cloud-based technologies. [SP 800-41] provides guidance on firewalls and firewall policy. [SP 800-125B] provides guidance on security for virtualization technologies.

Priority: High   


Category: Security Architecture 

Services Associated with AWS:   

  • Amazon VPC
  • AWS Direct Connect
  • AWS Transit Gateway
  • AWS VPN
  • AWS WAF
  • AWS Shield
  • AWS Firewall Manager
  • AWS Config

Services Associated with Azure: 

  • Azure Application Gateway 
  • Azure Network Security Group (NSG) 
  • Azure Firewall 
  • Azure Virtual Network (VNet) 

Objective Evidence:  

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation of role-based security training being performed
  • Administrative: supporting documentation of professional competence by individual(s) performing security / IT architecture roles
  • Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations 

Possible Technology Considerations:

  • Secure Baseline Configurations (SBC)
  • Access Control List (ACL)
  • Demilitarized Zone (DMZ) 

What needs to be answered:

Does the company implement DMZs? Are they adequate to meet the needs of the company? Does the system monitor and manage communications at the system boundary and at key internal boundaries within the system? 

Checks for AWS 

  • Implementation of Subnetworks for Publicly Accessible Systems
    Description: This check ensures that subnetworks, or demilitarized zones (DMZs), are implemented for publicly accessible system components and that they are physically or logically separated from internal networks.
  • Usage of Boundary Control Devices and Techniques
    Description: This check verifies that boundary control devices and techniques, including routers, gateways, firewalls, virtualization, or cloud-based technologies, are used to maintain the separation of subnetworks from internal networks.
  • Secure Configuration of DMZs
    Description: This check confirms that DMZs are configured securely to protect internal networks from threats that could originate from publicly accessible systems.

Checks for Azure 

  • Enforce Network Security Group (NSG) on Subnets
    Description: This policy ensures that Network Security Groups are applied to all subnets in the Azure Virtual Network to control inbound and outbound network traffic to and from the subnets, including those in the DMZ.

  • Restrict Publicly Exposed Ports on NSGs in DMZ Subnets
    Description: This policy restricts which publicly exposed ports (e.g., ports 80 and 443) may be opened on Network Security Groups associated with subnets in the DMZ. This helps prevent unauthorized access to DMZ resources.

  • Enable Just-In-Time (JIT) Access for Virtual Machines in DMZ
    Description: This policy enforces the use of Just-In-Time (JIT) access for virtual machines located in the DMZ. JIT access allows temporary and controlled access to VMs only when needed, reducing the attack surface.

  • Enforce Tagging of DMZ Resources
    Description: This policy mandates that all resources within the DMZ are properly tagged. Tags help with resource organization, management, and can be used to create more granular access controls.

  • Enable Azure Firewall for DMZ Subnets
    Description: This policy ensures that an Azure Firewall is deployed and configured for DMZ subnets, providing a central point for controlling and inspecting traffic between the DMZ and internal networks.
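
The two NSG checks above ("Enforce Network Security Group (NSG) on Subnets" and "Restrict Publicly Exposed Ports on NSGs in DMZ Subnets") can be evaluated offline against an exported inventory. The following is an added example, not code from the original page or from Azure: the subnet and rule dictionaries are constructed samples loosely modeled on the NSG resource shape, the "dmz-" subnet naming and the approved port list {80, 443} are assumptions, and rule priority (a lower-numbered Deny overriding an Allow) is deliberately not modeled.

```python
"""Offline evaluator for two of the Azure DMZ checks above: every DMZ subnet
carries an NSG, and Internet-facing inbound Allow rules open only approved ports."""
from typing import Dict, List, Optional, Set

ALLOWED_PUBLIC_PORTS: Set[int] = {80, 443}    # assumption: the approved DMZ ports
INTERNET_SOURCES = {"*", "Internet", "0.0.0.0/0", "::/0"}

def expand_ports(rule: dict) -> Optional[Set[int]]:
    """Ports matched by destinationPortRange(s); None means every port ("*")."""
    ranges = rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]
    ports: Set[int] = set()
    for r in ranges:
        if r == "*":
            return None
        lo, _, hi = r.partition("-")           # "443" or "8000-8010"
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def exposed_ports(rules: List[dict], allowed: Set[int] = ALLOWED_PUBLIC_PORTS) -> Dict[str, List]:
    """Internet-reachable inbound Allow rules -> ports opened beyond `allowed`
    (["*"] = any port). A lower-priority-number Deny could override; not modeled."""
    findings: Dict[str, List] = {}
    for rule in rules:
        if (rule["direction"] != "Inbound" or rule["access"] != "Allow"
                or rule.get("sourceAddressPrefix") not in INTERNET_SOURCES):
            continue                           # outbound, deny, or internal source
        ports = expand_ports(rule)
        if ports is None:
            findings[rule["name"]] = ["*"]
        elif ports - allowed:
            findings[rule["name"]] = sorted(ports - allowed)
    return findings

def subnets_missing_nsg(subnets: List[dict], dmz_prefix: str = "dmz-") -> List[str]:
    """Names of DMZ subnets (assumed 'dmz-' naming) with no NSG attached."""
    return [s["name"] for s in subnets
            if s["name"].startswith(dmz_prefix) and not s.get("networkSecurityGroup")]

def make_rule(name: str, source: str, *ports: str) -> dict:
    return {"name": name, "direction": "Inbound", "access": "Allow",
            "sourceAddressPrefix": source, "destinationPortRanges": list(ports)}

# Constructed sample inventory (not real infrastructure).
SAMPLE_SUBNETS = [{"name": "dmz-web", "networkSecurityGroup": "nsg-dmz-web"},
                  {"name": "dmz-mgmt", "networkSecurityGroup": None},
                  {"name": "internal-app", "networkSecurityGroup": "nsg-internal"}]
SAMPLE_RULES = [make_rule("allow-https", "Internet", "443"),          # approved port
                make_rule("allow-web-alt", "*", "80", "8080-8081"),  # 8080-8081 not approved
                make_rule("allow-any", "0.0.0.0/0", "*"),            # every port exposed
                make_rule("allow-mgmt", "10.0.0.0/8", "22", "3389")] # internal source: ignored
```

Running `subnets_missing_nsg(SAMPLE_SUBNETS)` and `exposed_ports(SAMPLE_RULES)` on the constructed inventory reports the unprotected "dmz-mgmt" subnet and the two over-permissive rules, which is the evidence an assessor would expect for these checks.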

More Details:   

All CUI-containing systems reside on a cloud-based network completely detached from the company network.