This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The information system:
(a) Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; and
(b) Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and
(c) Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with organizational security architecture.
NIST 800-53 (r4) Supplemental Guidance:
Managed interfaces include, for example, gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational information systems includes, for example, restricting external web traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security controls associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers, and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions. Related controls: AC-4, AC-17, CA-3, CM-7, CP-8, IR-4, RA-3, SC-5, SC-13.
NIST 800-53 (r5) Discussion:
Managed interfaces include gateways, routers, firewalls, guards, network-based malicious code analysis, virtualization systems, or encrypted tunnels implemented within a security architecture. Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational systems includes restricting external web traffic to designated web servers within managed interfaces, prohibiting external traffic that appears to be spoofing internal addresses, and prohibiting internal traffic that appears to be spoofing external addresses. [SP 800-189] provides additional information on source address validation techniques to prevent ingress and egress of traffic with spoofed addresses. Commercial telecommunications services are provided by network components and consolidated management systems shared by customers. These services may also include third party-provided access lines and other service elements. Such services may represent sources of increased risk despite contract security provisions. Boundary protection may be implemented as a common control for all or part of an organizational network such that the boundary to be protected is greater than a system-specific boundary (i.e., an authorization boundary).
38North Guidance:
Meets Minimum Requirement:
(a) Route all remote access through a hardened bastion host deployed inside a DMZ. Deploy a firewall solution on the bastion host, and use NACLs to restrict ingress traffic to trusted IP addresses. Configure logging on the bastion host and on any other managed interface (e.g., WAF, Load Balancer, etc.), and integrate the logs with a SIEM solution. This centralizes access, authorizes it based on role, and monitors all user activity.
(b) Inbound internet traffic destined for publicly-accessible system components should enter a DMZ and terminate on a hardened bastion host (for administrative traffic) or traverse an application load balancer (for application/user traffic) - both deployed inside public subnets. Deploy backend system components such as application servers and databases in separate private subnets. Utilize firewalls and NACLs to control network traffic between application tiers (e.g., Web/DMZ Tier, Application Tier, Database Tier).
(c) For outbound connections (e.g., to pull software updates, access data on public services, etc.), utilize a NAT gateway.
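As an added example (not part of the 38North guidance or any AWS tooling), the check below evaluates a bastion subnet's network-ACL ingress entries the way the VPC does (lowest rule number first, first match wins, implicit deny at the end) and reports which administrative ports an untrusted source could still reach. The entries, the trusted corporate range 203.0.113.0/24 and the probe address are constructed samples in the boto3 describe_network_acls Entries shape.

```python
"""Evaluate AWS network-ACL ingress entries (boto3 describe_network_acls
Entries shape) with VPC semantics: lowest rule number first, first match
wins, implicit deny at the end. Constructed sample data; not from a real
account."""
import ipaddress

ADMIN_PORTS = {22, 3389}   # SSH and RDP, the admin paths named in the guidance

def _matches(entry, src, port):
    if entry["Egress"]:
        return False                      # only inbound entries are evaluated here
    cidr = entry.get("CidrBlock") or entry.get("Ipv6CidrBlock")
    if src not in ipaddress.ip_network(cidr):
        return False                      # also False on IPv4/IPv6 version mismatch
    if entry["Protocol"] == "-1":         # all protocols, all ports
        return True
    rng = entry.get("PortRange", {"From": 0, "To": 65535})
    return rng["From"] <= port <= rng["To"]

def nacl_decision(entries, src_ip, port):
    """Return 'allow' or 'deny' for an inbound TCP packet; first match wins."""
    src = ipaddress.ip_address(src_ip)
    for entry in sorted(entries, key=lambda e: e["RuleNumber"]):
        if _matches(entry, src, port):
            return entry["RuleAction"]
    return "deny"   # implicit default deny (the '*' rule shown in the console)

def audit_admin_exposure(entries, untrusted_probe):
    """Admin ports that an untrusted source address could reach through this NACL."""
    return sorted(p for p in ADMIN_PORTS
                  if nacl_decision(entries, untrusted_probe, p) == "allow")

# Constructed bastion-subnet NACL: SSH from the corporate range only, an explicit
# SSH deny for everyone else, then a broad allow that mistakenly opens everything.
SAMPLE_ENTRIES = [
    {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False,
     "CidrBlock": "203.0.113.0/24", "PortRange": {"From": 22, "To": 22}},
    {"RuleNumber": 110, "Protocol": "6", "RuleAction": "deny", "Egress": False,
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 22, "To": 22}},
    {"RuleNumber": 200, "Protocol": "-1", "RuleAction": "allow", "Egress": False,
     "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False,
     "CidrBlock": "0.0.0.0/0"},
]

if __name__ == "__main__":
    print(nacl_decision(SAMPLE_ENTRIES, "203.0.113.5", 22))      # allow (rule 100)
    print(nacl_decision(SAMPLE_ENTRIES, "198.51.100.7", 22))     # deny (rule 110)
    print(audit_admin_exposure(SAMPLE_ENTRIES, "198.51.100.7"))  # [3389] via rule 200
```

The broad rule 200 does not reopen SSH because rule 110 matches first, but it does expose RDP; that ordering dependency is why the audit simulates evaluation rather than scanning for allow rules in isolation.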
Best Practice:
Utilize SSH/RDP, user and site-to-site IPSec VPNs, or TLS to secure and restrict remote access.
Utilize a WAF to monitor/filter inbound/outbound connections at the external boundary.
For outbound connections, utilize a web proxy configured with URL/domain whitelisting in addition to a NAT gateway. The two network devices operate at different layers of the OSI stack (NAT - Network Layer; Web Proxy - Application Layer). The proxy serves as a choke point for security, auditing, and performance.
Deny network communications traffic by default and allow network communications traffic by exception at all managed interfaces.
Enforce logical isolation between customer and administrative environments. Implement cloud-native peering connections to facilitate communication between virtual networks, as necessary, while bypassing the internet.
Strategically position Network Intrusion Detection Systems (NIDS) at various points in the network to monitor ingress/egress traffic to and from networked devices. Any intrusion activity or violation should be reported to an administrator (via an alerting system such as PagerDuty) or collected centrally using a SIEM.
Unofficial FedRAMP Guidance:
None
Assessment Evidence:
Configuration settings of firewalls/NACLs restricting inbound/outbound traffic.
Configuration settings of SSH, VPN, and/or TLS connections.
Evidence of network perimeter devices and their configuration settings (e.g., bastion hosts, load balancers, WAFs, web proxies, NAT gateways, etc.)
Evidence of network segmentation using public/private subnets.
Configuration settings of SIEM integration with network perimeter devices (e.g., log forwarding path, etc.).
CSP Implementation Tips:
Amazon Web Services (AWS):
Utilize Amazon VPCs, AWS Direct Connect, AWS WAF, Elastic Load Balancer, Security Groups, NACLs, NATs,
Enable/configure VPC Flow Logs, AWS CloudTrail, and Amazon CloudWatch event rules to detect unusual activity, such as unauthorized access attempts or changes to Security Group rule sets, and to alert Operations/Security teams.
EKS customers are responsible for configuring and documenting their system boundary to include established connections with clients hosted outside of AWS and applications running on EC2 or Fargate in accordance with their organizational requirements.
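As an added example (not 38North or AWS code), the detection below runs over VPC Flow Log records in the default version 2 format and raises the alerts the guidance above asks for: repeated rejected and any accepted connections to admin ports from sources outside the trusted range, and external traffic at a DMZ interface carrying a spoofed internal (RFC 1918) source address. The log lines, the interface ID, the VPC address space 10.0.0.0/16 and the trusted range 203.0.113.0/24 are all constructed.

```python
"""Detection over VPC Flow Log records (default v2 format). All log lines,
interface IDs and CIDRs below are constructed samples."""
import ipaddress
from collections import Counter

ADMIN_PORTS = {22, 3389}
TRUSTED = [ipaddress.ip_network("203.0.113.0/24")]   # constructed corporate range
VPC_INTERNAL = ipaddress.ip_network("10.0.0.0/16")    # constructed VPC address space
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DMZ_ENIS = {"eni-0dmz00001"}      # constructed interfaces in the public subnet
REJECT_THRESHOLD = 3              # rejects from one source before it is reported

def parse(line):
    f = line.split()   # v2 order: version account eni src dst sport dport proto ...
    return {"eni": f[2], "src": ipaddress.ip_address(f[3]),
            "dport": int(f[6]), "action": f[12]}

def detect(lines):
    """Return a sorted list of (severity, source, reason) alerts."""
    alerts, rejects = set(), Counter()
    for rec in map(parse, lines):
        src, port = rec["src"], rec["dport"]
        # A private source on a public-facing ENI that is not part of this VPC
        # cannot have arrived legitimately from the internet.
        if rec["eni"] in DMZ_ENIS and any(src in n for n in RFC1918) \
                and src not in VPC_INTERNAL:
            alerts.add(("high", str(src), "spoofed internal source at DMZ"))
        if port in ADMIN_PORTS and not any(src in n for n in TRUSTED):
            if rec["action"] == "ACCEPT":
                alerts.add(("high", str(src), f"admin port {port} accepted"))
            else:
                rejects[src] += 1
    for src, n in rejects.items():
        if n >= REJECT_THRESHOLD:
            alerts.add(("medium", str(src), f"{n} rejected admin-port attempts"))
    return sorted(alerts)

SAMPLE_LOG = """\
2 123456789012 eni-0dmz00001 198.51.100.7 10.0.1.10 43210 22 6 3 180 1600000000 1600000060 REJECT OK
2 123456789012 eni-0dmz00001 198.51.100.7 10.0.1.10 43211 22 6 3 180 1600000000 1600000060 REJECT OK
2 123456789012 eni-0dmz00001 198.51.100.7 10.0.1.10 43212 22 6 3 180 1600000000 1600000060 REJECT OK
2 123456789012 eni-0dmz00001 203.0.113.5 10.0.1.10 51000 22 6 20 4000 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-0dmz00001 192.168.9.9 10.0.1.10 51001 443 6 1 60 1600000000 1600000060 REJECT OK
2 123456789012 eni-0dmz00001 198.51.100.8 10.0.1.10 51002 3389 6 9 900 1600000000 1600000060 ACCEPT OK
""".splitlines()

if __name__ == "__main__":
    for sev, src, why in detect(SAMPLE_LOG):
        print(f"[{sev}] {src}: {why}")
```

The private-address check uses an explicit RFC 1918 list rather than Python's is_private, which also treats the documentation ranges used in the sample as private.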
Microsoft Azure: TBD
Google Cloud Platform: TBD