catalog: SP800-53rev3 / class: Technical / family: (SC) System and Communications Protection

SC-07: Boundary Protection

base control objective:
The information system:
a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; and
b. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.

supplemental objective information:
Restricting external web traffic only to organizational web servers within managed interfaces and prohibiting external traffic that appears to be spoofing an internal address as the source are examples of restricting and prohibiting communications. Managed interfaces employing boundary protection devices include, for example, proxies, gateways, routers, firewalls, guards, or encrypted tunnels arranged in an effective security architecture (e.g., routers protecting firewalls and application gateways residing on a protected subnetwork commonly referred to as a demilitarized zone or DMZ). The organization considers the intrinsically shared nature of commercial telecommunications services in the implementation of security controls associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers, and may include third party provided access lines and other service elements. Consequently, such interconnecting transmission services may represent sources of increased risk despite contract security provisions. Therefore, when this situation occurs, the organization either implements appropriate compensating security controls or explicitly accepts the additional risk.

enhancements to the base objective:

(1) The organization physically allocates publicly accessible information system components to separate subnetworks with separate, physical network interfaces.
Enhancement Supplemental Guidance: Publicly accessible information system components include, for example, public web servers.

(2) The information system prevents public access into the organization’s internal networks except as appropriately mediated by managed interfaces employing boundary protection devices.

(3) The organization limits the number of access points to the information system to allow for more comprehensive monitoring of inbound and outbound communications and network traffic.
Enhancement Supplemental Guidance: The Trusted Internet Connection (TIC) initiative is an example of limiting the number of managed network access points.

(4) The organization:
(a) Implements a managed interface for each external telecommunication service;
(b) Establishes a traffic flow policy for each managed interface;
(c) Employs security controls as needed to protect the confidentiality and integrity of the information being transmitted;
(d) Documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need;
(e) Reviews exceptions to the traffic flow policy [Assignment: organization-defined frequency]; and
(f) Removes traffic flow policy exceptions that are no longer supported by an explicit mission/business need.

(5) The information system, at managed interfaces, denies network traffic by default and allows network traffic by exception (i.e., deny all, permit by exception).

(6) The organization prevents the unauthorized release of information outside of the information system boundary or any unauthorized communication through the information system boundary when there is an operational failure of the boundary protection mechanisms.

(7) The information system prevents remote devices that have established a non-remote connection with the system from communicating outside of that communications path with resources in external networks.
Enhancement Supplemental Guidance: This control enhancement is implemented within the remote device (e.g., notebook/laptop computer) via configuration settings that are not configurable by the user of that device. An example of a non-remote communications path from a remote device is a virtual private network. When a non-remote connection is established using a virtual private network, the configuration settings prevent split-tunneling. Split tunneling might otherwise be used by remote users to communicate with the information system as an extension of that system and to communicate with local resources such as a printer or file server. Since the remote device, when connected by a non-remote connection, becomes an extension of the information system, allowing dual communications paths such as split-tunneling would be, in effect, allowing unauthorized external connections into the system.

(8) The information system routes [Assignment: organization-defined internal communications traffic] to [Assignment: organization-defined external networks] through authenticated proxy servers within the managed interfaces of boundary protection devices.
Enhancement Supplemental Guidance: External networks are networks outside the control of the organization. Proxy servers support logging individual Transmission Control Protocol (TCP) sessions and blocking specific Uniform Resource Locators (URLs), domain names, and Internet Protocol (IP) addresses. Proxy servers are also configurable with organization-defined lists of authorized and unauthorized web sites.

(9) The information system, at managed interfaces, denies network traffic and audits internal users (or malicious code) posing a threat to external information systems.
Enhancement Supplemental Guidance: Detecting internal actions that may pose a security threat to external information systems is sometimes termed extrusion detection. Extrusion detection at the information system boundary includes the analysis of network traffic (incoming as well as outgoing) looking for indications of an internal threat to the security of external systems.

(10) The organization prevents the unauthorized exfiltration of information across managed interfaces.
Enhancement Supplemental Guidance: Measures to prevent unauthorized exfiltration of information from the information system include, for example: (i) strict adherence to protocol formats; (ii) monitoring for indications of beaconing from the information system; (iii) monitoring for use of steganography; (iv) disconnecting external network interfaces except when explicitly needed; (v) disassembling and reassembling packet headers; and (vi) employing traffic profile analysis to detect deviations from the volume or types of traffic expected within the organization. Examples of devices enforcing strict adherence to protocol formats include, for example, deep packet inspection firewalls and XML gateways. These devices verify adherence to the protocol specification at the application layer and serve to identify vulnerabilities that cannot be detected by devices operating at the network or transport layer.

(11) The information system checks incoming communications to ensure that the communications are coming from an authorized source and routed to an authorized destination.

(12) The information system implements host-based boundary protection mechanisms for servers, workstations, and mobile devices.
Enhancement Supplemental Guidance: A host-based boundary protection mechanism is, for example, a host-based firewall. Host-based boundary protection mechanisms are employed on mobile devices, such as notebook/laptop computers, and other types of mobile devices where such boundary protection mechanisms are available.

(13) The organization isolates [Assignment: organization-defined key information security tools, mechanisms, and support components] from other internal information system components via physically separate subnets with managed interfaces to other portions of the system.

(14) The organization protects against unauthorized physical connections across the boundary protections implemented at [Assignment: organization-defined list of managed interfaces].
Enhancement Supplemental Guidance: Information systems operating at different security categories may routinely share common physical and environmental controls, since the systems may share space within organizational facilities. In practice, it is possible that these separate information systems may share common equipment rooms, wiring closets, and cable distribution paths. Protection against unauthorized physical connections can be achieved, for example, by employing clearly identified and physically separated cable trays, connection frames, and patch panels for each side of managed interfaces with physical access controls enforcing limited authorized access to these items.

(15) The information system routes all networked, privileged accesses through a dedicated, managed interface for purposes of access control and auditing.

(16) The information system prevents discovery of specific system components (or devices) composing a managed interface.
Enhancement Supplemental Guidance: This control enhancement is intended to protect the network addresses of information system components that are part of the managed interface from discovery through common tools and techniques used to identify devices on a network. The network addresses are not available for discovery (e.g., not published or entered in the domain name system), requiring prior knowledge for access. Another obfuscation technique is to periodically change network addresses.

(17) The organization employs automated mechanisms to enforce strict adherence to protocol format.
Enhancement Supplemental Guidance: Automated mechanisms used to enforce protocol formats include, for example, deep packet inspection firewalls and XML gateways. These devices verify adherence to the protocol specification (e.g., IEEE) at the application layer and serve to identify significant vulnerabilities that cannot be detected by devices operating at the network or transport layer.
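The three mechanisms that recur across the base control and enhancements (4) and (5) are: reject external traffic that spoofs an internal source address, deny everything at the managed interface unless a documented exception with a stated business need and duration permits it, and periodically find exceptions whose need has lapsed so they can be removed. The following evaluator is an added illustration written for this page, not NIST text or any product's policy engine; the internal address ranges, the DMZ addresses and the exception records are constructed sample values.

```python
"""Managed-interface policy evaluator: deny by default, permit by documented
exception, reject spoofed internal sources, and flag exceptions due for review."""
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network

# Constructed sample values: address ranges the organization uses internally.
# Any packet arriving on the external side with one of these as source is spoofed.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class FlowException:
    """One documented exception to the traffic flow policy (SC-7(4)(d))."""
    dst_net: str
    dst_port: int
    proto: str
    justification: str  # supporting mission/business need
    expires: str        # ISO date marking the end of that need


# Constructed sample exceptions for a hypothetical Internet-facing interface.
EXCEPTIONS = [
    FlowException("203.0.113.0/24", 443, "tcp", "public web servers in DMZ", "2030-12-31"),
    FlowException("203.0.113.20/32", 22, "tcp", "vendor maintenance window", "2023-06-30"),
]


def is_spoofed_internal(src: str) -> bool:
    """True when an external-side packet claims an internal source address."""
    return any(ip_address(src) in net for net in INTERNAL_NETS)


def evaluate(src: str, dst: str, port: int, proto: str, today: str,
             exceptions=EXCEPTIONS) -> tuple[str, str]:
    """Return (verdict, reason) for an inbound flow at the managed interface."""
    if is_spoofed_internal(src):
        return "deny", "spoofed internal source address"
    for exc in exceptions:
        if date.fromisoformat(exc.expires) < date.fromisoformat(today):
            continue  # the stated need has ended: the exception no longer permits anything
        if (exc.proto == proto and exc.dst_port == port
                and ip_address(dst) in ip_network(exc.dst_net)):
            return "permit", exc.justification
    return "deny", "default deny, no matching exception"


def stale_exceptions(today: str, exceptions=EXCEPTIONS) -> list[FlowException]:
    """Exceptions past their stated need, the input to the review in SC-7(4)(e) and (f)."""
    return [e for e in exceptions if date.fromisoformat(e.expires) < date.fromisoformat(today)]
```

Running the review function on the configured exception list before each scheduled review turns enhancement (4)(f) into a mechanical step rather than a judgement call; a permit verdict always carries the justification so it can be logged alongside the session.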

mapping to FIPS199 baseline:

LOW: base
MOD: base (1) (2) (3) (4) (5) (7)
HIGH: base (1) (2) (3) (4) (5) (6) (7) (8)

related (regimented) controls:

AC-04   Information Flow Enforcement
IR-04   Incident Handling
SC-05   Denial of Service Protection

documents referenced in SP800-53rev3 for SC-07:

Document       | Date           | Status  | Title
FIPS 199       | February 2004  | current | Standards for Security Categorization of Federal Information and Information Systems
NIST SP800-113 | July 2008      | current | Guide to SSL VPNs
NIST SP800-28  | October 2001   | current | Guidelines on Active Content and Mobile Code
NIST SP800-36  | October 2003   | current | Guide to Selecting Information Technology Security Products
NIST SP800-41  | September 2009 | current | Guidelines on Firewalls and Firewall Policy
NIST SP800-44  | September 2002 | current | Guidelines on Securing Public Web Servers
NIST SP800-46  | June 2009      | current | Guide to Enterprise Telework and Remote Access Security
NIST SP800-54  | September 2006 | DRAFT   | Border Gateway Protocol Security
NIST SP800-58  | January 2005   | current | Security Considerations for Voice Over IP Systems
NIST SP800-77  | December 2005  | current | Guide to IPsec VPNs
NIST SP800-82  | June 2011      | current | Guide to Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems Security
NIST SP800-83  | September 2006 | current | Guide to Malware Incident Prevention and Handling