This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The information system at managed interfaces denies network traffic by default and allows network communications traffic by exception (i.e., deny all, permit by exception).
NIST 800-53 (r4) Supplemental Guidance:
This control enhancement applies to both inbound and outbound network communications traffic. A deny-all, permit-by-exception network communications traffic policy ensures that only those connections which are essential and approved are allowed.
NIST 800-53 (r5) Discussion:
Denying by default and allowing by exception applies to inbound and outbound network communications traffic. A deny-all, permit-by-exception network communications traffic policy ensures that only those system connections that are essential and approved are allowed. Deny by default, allow by exception also applies to a system that is connected to an external system.
38North Guidance:
Meets Minimum Requirement:
Configure managed interfaces (e.g., firewalls, NACLs, load balancers) to deny network traffic by default and allow network traffic only by exception.
Restrict inbound network traffic by IP range.
Employ a reverse web proxy configured with URL, domain name, and/or IP address whitelisting to restrict outbound network connections.
Best Practice:
Implement a comprehensive security architecture review process that includes review and managerial approval of all ports, protocols, services, and IP ranges utilized by the system.
Any changes to the approved security architecture should undergo a formal Change Management process that includes a security impact analysis and managerial approval.
Conduct a monthly review of the approved ports, protocols, services, and IP ranges for continued relevance and business need.
Conduct a monthly scan to detect the unauthorized use of ports, protocols, services, and IP ranges.
Unofficial FedRAMP Guidance:
None
Assessment Evidence:
Configuration settings of managed interfaces (e.g., firewall/NACL rule sets, VPN access rule sets, reverse web proxy whitelists, load balancer listeners/target groups). Screenshots are acceptable.
Evidence showing that internal communications traffic bound for external networks is routed through authentication proxy servers at managed interfaces.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD