Level 1
Description:
This requirement applies to inbound and outbound network communications traffic at the system boundary and at identified points within the system. A deny-all, permit-by-exception network communications traffic policy ensures that only those connections which are essential and approved are allowed.
Priority: High
Domain: SYSTEM AND COMMUNICATIONS PROTECTION (SC)
Category: Security Architecture
Services Associated with AWS:
- Amazon VPC
- AWS Network Firewall
- AWS WAF
- AWS Security Groups
- Amazon GuardDuty
Services Associated with Azure:
- Azure Network Security Groups (NSGs)
- Azure Firewall
- Azure Application Gateway
- Azure Web Application Firewall (WAF)
- Azure Traffic Manager
Objective Evidence:
- Administrative: documented policies, standards & procedures
- Administrative: supporting documentation to demonstrate how IT Asset Management (ITAM) is implemented
- Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations
- Technical: screen shot of Configuration Management Database (CMDB) console
- Technical: screen shot of firewall configurations
Possible Technology Considerations
- Access Control List (ACL)
What needs to be answered?
Are all business need exceptions to network communications traffic (inbound/outbound) "deny all" policies documented? Does the system deny network traffic by default and allow network traffic by exception?
Checks for AWS
- Deny-By-Default Network Communications
Description: This check confirms that network communications traffic is denied by default, and that only permitted traffic is explicitly defined and allowed. This applies to both inbound and outbound traffic at the system boundary and within the system.
- Allow-By-Exception Network Communications
Description: This check ensures that a deny-all, permit-by-exception policy is implemented, meaning only essential and approved network communications are allowed.
- Network Communications Traffic Control
Description: This check verifies that robust control measures are in place for network communications traffic, including monitoring, blocking, and allowing specific traffic based on defined policies.
Checks for Azure
- Deny-By-Default Network Communications:
Description: This policy confirms that network communications traffic is set to deny by default. All inbound and outbound traffic is blocked unless explicitly allowed by specific rules. This establishes a strong security posture by reducing the attack surface and preventing unauthorized network access.
- Allow-By-Exception Network Communications:
Description: This policy ensures that a deny-all, permit-by-exception approach is enforced for network communications. Only essential and approved network connections are permitted, and all other traffic is denied. By following this policy, organizations maintain strict control over their network traffic and minimize the risk of unauthorized access or data breaches.
- Network Communications Traffic Control:
Description: This policy validates the presence of robust control measures for network communications traffic, including monitoring, blocking, and allowing specific traffic based on defined policies. Implementing proper network traffic controls helps in detecting and preventing suspicious activities, ensuring compliance with security requirements, and safeguarding the integrity of the network infrastructure.
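The AWS and Azure checks above both come down to the same audit question: does every rule that is broader than "deny" correspond to a documented business exception? The following script is an added example (not part of this control text, and not an AWS, Azure or assessor tool). It walks a list of security-group records whose shape is modelled on the EC2 DescribeSecurityGroups output (IpPermissions / IpPermissionsEgress), flags rules that are open to any address or to all protocols and ports, and matches each finding against an exception register. The group ids, CIDRs, and the CHG-0001 ticket reference are constructed sample data; the register format is an assumption, not an AWS or Azure feature. The same logic applies to Azure NSG rules once they are normalised to the same direction/protocol/port/peer shape.

```python
"""Audit security-group style rules for a deny-all, permit-by-exception policy.

Added example: the records below are constructed to mirror the shape of the
AWS EC2 DescribeSecurityGroups output; nothing is fetched from a live account.
"""
import ipaddress

# Constructed sample: a web tier with one documented public listener, one
# undocumented world-open admin port and a fully open egress rule, plus a
# database tier that only admits the web tier and only egresses to a /16.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0000000000000001",  # constructed id
        "GroupName": "web-tier",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        ],
        "IpPermissionsEgress": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": [], "UserIdGroupPairs": []},
        ],
    },
    {
        "GroupId": "sg-0000000000000002",  # constructed id
        "GroupName": "db-tier",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [],
             "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-0000000000000001"}]},
        ],
        "IpPermissionsEgress": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        ],
    },
]

# Constructed exception register (an assumed format, not an AWS feature):
# (group id, direction, protocol, first port) -> change ticket that approved it.
DOCUMENTED_EXCEPTIONS = {
    ("sg-0000000000000001", "ingress", "tcp", 443): "CHG-0001 public HTTPS",  # constructed
}


def _peers(rule):
    """Every peer a rule admits, normalised to (kind, value) tuples."""
    peers = [("cidr", r["CidrIp"]) for r in rule.get("IpRanges", [])]
    peers += [("cidr", r["CidrIpv6"]) for r in rule.get("Ipv6Ranges", [])]
    peers += [("sg", r["GroupId"]) for r in rule.get("UserIdGroupPairs", [])]
    return peers


def rule_findings(group, direction, rule):
    """Return one finding per peer that makes the rule broader than an explicit exception."""
    proto = rule.get("IpProtocol")
    # AWS omits ports when IpProtocol is "-1" (all protocols); treat as the full range.
    from_port = 0 if proto == "-1" else rule.get("FromPort")
    to_port = 65535 if proto == "-1" else rule.get("ToPort")
    findings = []
    for kind, value in _peers(rule):
        reasons = []
        if kind == "cidr" and ipaddress.ip_network(value, strict=False).prefixlen == 0:
            reasons.append("open to any address")  # 0.0.0.0/0 or ::/0
        if proto == "-1":
            reasons.append("all protocols and ports")
        if reasons:
            findings.append({"group": group["GroupId"], "direction": direction,
                             "protocol": proto, "from_port": from_port, "to_port": to_port,
                             "peer": value, "reason": "; ".join(reasons)})
    return findings


def audit_groups(groups, exceptions):
    """Evaluate ingress and egress rules and attach the approving exception, if any."""
    findings = []
    for group in groups:
        for direction, key in (("ingress", "IpPermissions"), ("egress", "IpPermissionsEgress")):
            for rule in group.get(key, []):
                for finding in rule_findings(group, direction, rule):
                    lookup = (finding["group"], direction, finding["protocol"], finding["from_port"])
                    finding["exception"] = exceptions.get(lookup)
                    findings.append(finding)
    return findings


def undocumented(findings):
    """Findings with no matching entry in the exception register: the audit failures."""
    return [f for f in findings if f["exception"] is None]


if __name__ == "__main__":
    results = audit_groups(SAMPLE_GROUPS, DOCUMENTED_EXCEPTIONS)
    for f in results:
        status = f["exception"] or "NO DOCUMENTED EXCEPTION"
        print(f'{f["group"]} {f["direction"]} {f["protocol"]} {f["from_port"]}-{f["to_port"]} '
              f'{f["peer"]}: {f["reason"]} [{status}]')
    print(f"{len(undocumented(results))} undocumented exception(s)")
```

The sample run reports three findings and two undocumented exceptions (the world-open port 22 ingress and the all-traffic egress); the public HTTPS listener passes because the register carries its change ticket. Exporting the undocumented list alongside the register is a direct answer to the "are all exceptions documented?" question in the evidence section, and the rule walk can be fed from a real DescribeSecurityGroups response or from NSG rules mapped to the same field names.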
More Details:
Connections are denied by all rules unless specifically granted access.