This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The information system fails securely in the event of an operational failure of a boundary protection device.
NIST 800-53 (r4) Supplemental Guidance:
Fail secure is a condition achieved by employing information system mechanisms to ensure that in the event of operational failures of boundary protection devices at managed interfaces (e.g., routers, firewalls, guards, and application gateways residing on protected subnetworks commonly referred to as demilitarized zones), information systems do not enter into unsecure states where intended security properties no longer hold. Failures of boundary protection devices cannot lead to, or cause information external to the devices to enter the devices, nor can failures permit unauthorized information releases. Related controls: CP-2, SC-24.
NIST 800-53 (r5) Discussion:
Fail secure is a condition achieved by employing mechanisms to ensure that in the event of operational failures of boundary protection devices at managed interfaces, systems do not enter into unsecure states where intended security properties no longer hold. Managed interfaces include routers, firewalls, and application gateways that reside on protected subnetworks (commonly referred to as demilitarized zones). Failures of boundary protection devices cannot lead to or cause information external to the devices to enter the devices nor can failures permit unauthorized information releases.
38North Guidance:
Meets Minimum Requirement:
Configure boundary protection devices to fail into a closed, deny-all state, denying all ingress traffic to, and egress traffic from, backend system components (e.g., web/application servers, databases). Existing connections must be torn down when the device fails; they must not persist around it.
Best Practice:
Configure boundary protection devices to fail into a closed, deny-all state, denying all ingress traffic to, and egress traffic from, backend system components (e.g., web/application servers, databases). Existing connections must be torn down when the device fails; they must not persist around it.
Deploy boundary protection devices in pairs, either active/active (i.e., both devices sharing the workload) or active/standby (i.e., failover), so that the failure of a single device does not take the boundary out of service.
Integrate boundary protection device health checks (up/down status) and monitoring with a SIEM solution. When a device fails, the SIEM should generate and forward an alert to a Network Administrator. A failover that leaves only one member of a pair in service should also alert, since the boundary is no longer redundant, and loss of the whole pair should alert at the highest severity because all traffic across that boundary is now expected to be blocked.
Unofficial FedRAMP Guidance:
None
Assessment Evidence:
Configurations for a sample of boundary protection devices (e.g., firewalls, load balancers, gateways), showing the default deny policy and any fail-closed setting.
Disconnect a sample of boundary protection devices, with at least one established session open through each, and demonstrate the following:
That egress network traffic from internal system components to the internet is denied;
That ingress traffic from the internet to internal system components is denied; and
That the sessions which were open through the device at the time of disconnection are terminated rather than continuing to pass traffic.
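The following is an added example, not code from the 38North page or from any CSP, that puts two of the items above into runnable form: the health-check logic of the Best Practice section (turning heartbeat timestamps from an HA pair into CEF-formatted alert lines a SIEM can ingest, with a separate, higher-severity alert when the whole pair is lost) and a connectivity probe an assessor can run from inside (egress) and outside (ingress) the boundary while a device is disconnected. The device names, the pair name, the CEF vendor/product strings, the 30-second heartbeat timeout and the heartbeat figures are all constructed for the example.

```python
"""Added example: boundary-device health evaluation and a fail-closed probe.
Names, timeouts and CEF vendor/product fields are assumptions, not taken
from the guidance above or from any real product."""
import socket

HEARTBEAT_TIMEOUT_S = 30  # assumption: a device is "down" after 30 s of silence


def cef(signature, name, severity, ext):
    """Build one CEF line. Header fields are
    Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension.
    Vendor/product are placeholders for this example."""
    return f"CEF:0|ExampleOrg|BoundaryMonitor|1.0|{signature}|{name}|{severity}|{ext}"


def evaluate_pair(pair_name, heartbeats, now, timeout=HEARTBEAT_TIMEOUT_S):
    """Return (state, alerts) for an active/active or active/standby pair.

    heartbeats: {device_name: last_heartbeat_epoch_seconds}
    state:      "healthy", "degraded" (one member down) or "failed" (all down)
    alerts:     CEF lines to forward to the SIEM
    """
    down = sorted(dev for dev, ts in heartbeats.items() if now - ts > timeout)
    alerts = [
        cef("BPD-DOWN", "Boundary device down", 7,
            f"dvc={dev} cs1={pair_name} cs1Label=haPair")
        for dev in down
    ]
    if not down:
        state = "healthy"
    elif len(down) < len(heartbeats):
        state = "degraded"           # redundancy lost, traffic still flowing
    else:
        state = "failed"             # whole pair gone: boundary must be deny-all now
        alerts.append(cef("BPD-PAIR-FAILED",
                          "Boundary pair failed; all traffic expected to be denied", 10,
                          f"cs1={pair_name} cs1Label=haPair"))
    return state, alerts


def probe(host, port, timeout=2.0):
    """Attempt one TCP connection through the boundary.

    Returns "open" (traffic passes), "refused" (RST received: a reject rule or
    no listener) or "dropped" (timeout/unreachable: a drop rule or dead path).
    With the device under test disconnected, only "open" is a failing result.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:                  # includes socket.timeout / TimeoutError
        return "dropped"


def run_probe_demo():
    """Exercise probe() against a loopback listener: first while it is
    listening ("open"), then after it is closed ("refused")."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))       # constructed local target, not a real boundary
    srv.listen(1)
    port = srv.getsockname()[1]
    while_listening = probe("127.0.0.1", port, timeout=1.0)
    srv.close()
    after_close = probe("127.0.0.1", port, timeout=1.0)
    return while_listening, after_close


if __name__ == "__main__":
    now = 1_700_000_000              # constructed clock value
    sample = {"fw-a": now - 5, "fw-b": now - 60}   # constructed heartbeats
    state, alerts = evaluate_pair("dmz-fw", sample, now)
    print(state)
    for line in alerts:
        print(line)
    print(run_probe_demo())
```

In an assessment, probe() is run from a host behind the boundary toward an internet address (egress) and from an external host toward a published service (ingress) while the sampled device is disconnected; a "refused" or "dropped" result on both sides, together with the SIEM receiving the BPD-DOWN line, is the evidence the control asks for.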
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD