This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The information system routes [Assignment: organization-defined internal communications traffic] to [Assignment: organization-defined external networks] through authenticated proxy servers at managed interfaces.
NIST 800-53 (r4) Supplemental Guidance:
External networks are networks outside of organizational control. A proxy server is a server (i.e., information system or application) that acts as an intermediary for clients requesting information system resources (e.g., files, connections, web pages, or services) from other organizational servers. Client requests established through an initial connection to the proxy server are evaluated to manage complexity and to provide additional protection by limiting direct connectivity. Web content filtering devices are one of the most common proxy servers providing access to the Internet. Proxy servers support logging individual Transmission Control Protocol (TCP) sessions and blocking specific Uniform Resource Locators (URLs), domain names, and Internet Protocol (IP) addresses. Web proxies can be configured with organization-defined lists of authorized and unauthorized websites. Related controls: AC-3, AU-2.
NIST 800-53 (r5) Discussion:
External networks are networks outside of organizational control. A proxy server is a server (i.e., system or application) that acts as an intermediary for clients requesting system resources from non-organizational or other organizational servers. System resources that may be requested include files, connections, web pages, or services. Client requests established through a connection to a proxy server are assessed to manage complexity and provide additional protection by limiting direct connectivity. Web content filtering devices are one of the most common proxy servers that provide access to the Internet. Proxy servers can support the logging of Transmission Control Protocol sessions and the blocking of specific Uniform Resource Locators, Internet Protocol addresses, and domain names. Web proxies can be configured with organization-defined lists of authorized and unauthorized websites. Note that proxy servers may inhibit the use of virtual private networks (VPNs) and create the potential for “man-in-the-middle” attacks (depending on the implementation).
38North Guidance:
Meets Minimum Requirement:
Employ a reverse web proxy configured with a whitelist/blacklist of authorized/unauthorized URLs, domain names, and/or IP addresses to restrict outbound network connections.
Route internal communication traffic destined for external networks via the reverse web proxy.
Best Practice:
Configure logging on the reverse web proxy with SIEM integration.
Utilize a Web Application Firewall (WAF) inline with the reverse web proxy, or a reverse web proxy with built-in WAF functionality (e.g., packet inspection and filtering).
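The following is an added example (not from this page, 38North, or any proxy product) of the policy logic the "Meets Minimum Requirement" and "Best Practice" items above describe: an organization-defined list of authorized/unauthorized domain names, IP address ranges and URLs, evaluated per client request, with a precondition that the requesting user is authenticated, and one structured audit record per decision in the shape a SIEM collector would ingest. Every hostname, address, user name and log field is a constructed sample value; the ProxyPolicy structure and the reason strings are this example's own conventions, not any product's.

```python
"""Allow/deny evaluation for an authenticated outbound web proxy with SIEM-style audit records.

Added example; all policy entries, requests and users are constructed sample values.
"""
import ipaddress
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class ProxyPolicy:
    """Organization-defined authorized/unauthorized destinations (constructed sample)."""
    allowed_domains: list = field(default_factory=list)      # host itself or any subdomain
    denied_domains: list = field(default_factory=list)
    allowed_networks: list = field(default_factory=list)     # ipaddress networks, for IP-literal destinations
    denied_networks: list = field(default_factory=list)
    denied_url_prefixes: list = field(default_factory=list)  # scheme://host/path prefixes
    default_allow: bool = False                              # default-deny: unlisted destinations are refused


def domain_matches(host: str, domain: str) -> bool:
    """True if host equals domain or is a subdomain of it. The match is label-aligned,
    so 'notexample.com' does not match an entry for 'example.com'."""
    host = host.lower().rstrip(".")
    domain = domain.lower().strip(".")
    return host == domain or host.endswith("." + domain)


def evaluate(policy: ProxyPolicy, url: str, user: Optional[str]) -> Tuple[bool, str]:
    """Return (allowed, reason) for one request. Unauthenticated requests are refused
    before any list is consulted; deny entries are checked before allow entries so a
    narrow deny cannot be overridden by a broader allow."""
    if not user:
        return False, "unauthenticated"
    host = urlsplit(url).hostname or ""
    if not host:
        return False, "unparseable-url"
    try:
        dest_ip = ipaddress.ip_address(host)   # destination written as an IP literal
    except ValueError:
        dest_ip = None

    for prefix in policy.denied_url_prefixes:
        if url.startswith(prefix):
            return False, "denied-url:" + prefix
    if dest_ip is not None:
        if any(dest_ip in net for net in policy.denied_networks):
            return False, "denied-ip"
        if any(dest_ip in net for net in policy.allowed_networks):
            return True, "allowed-ip"
    else:
        for d in policy.denied_domains:
            if domain_matches(host, d):
                return False, "denied-domain:" + d
        for d in policy.allowed_domains:
            if domain_matches(host, d):
                return True, "allowed-domain:" + d
    return policy.default_allow, "default"


def handle_request(policy: ProxyPolicy, request: dict, audit_log: list) -> bool:
    """Evaluate one request and append a JSON audit record to audit_log, one per
    decision, carrying the fields a SIEM would correlate on (user, client, destination,
    action, reason). Returns the decision."""
    allowed, reason = evaluate(policy, request["url"], request.get("user"))
    record = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "event": "proxy_decision",
        "client_ip": request["client_ip"],
        "user": request.get("user"),
        "method": request["method"],
        "url": request["url"],
        "action": "allow" if allowed else "deny",
        "reason": reason,
    }
    audit_log.append(json.dumps(record, sort_keys=True))
    return allowed


# Constructed sample policy: documentation-range destinations (203.0.113.0/24) only.
SAMPLE_POLICY = ProxyPolicy(
    allowed_domains=["example.com"],
    denied_domains=["blocked.example.com"],
    allowed_networks=[ipaddress.ip_network("203.0.113.0/24")],
    denied_networks=[ipaddress.ip_network("203.0.113.128/25")],
    denied_url_prefixes=["https://updates.example.com/unsafe"],
)

# Constructed sample requests from internal clients (10.0.0.x).
SAMPLE_REQUESTS = [
    {"client_ip": "10.0.0.5", "user": "alice", "method": "GET", "url": "https://updates.example.com/patches/"},
    {"client_ip": "10.0.0.5", "user": "alice", "method": "GET", "url": "https://updates.example.com/unsafe/tool"},
    {"client_ip": "10.0.0.6", "user": "bob", "method": "POST", "url": "https://api.blocked.example.com/upload"},
    {"client_ip": "10.0.0.6", "user": "bob", "method": "GET", "url": "https://notexample.com/"},
    {"client_ip": "10.0.0.7", "user": None, "method": "GET", "url": "https://updates.example.com/"},
    {"client_ip": "10.0.0.8", "user": "carol", "method": "GET", "url": "http://203.0.113.7/status"},
    {"client_ip": "10.0.0.8", "user": "carol", "method": "GET", "url": "http://203.0.113.200/"},
]


def run_sample():
    """Run every sample request through the policy; returns (decisions, audit_log)."""
    audit_log = []
    decisions = [handle_request(SAMPLE_POLICY, r, audit_log) for r in SAMPLE_REQUESTS]
    return decisions, audit_log


if __name__ == "__main__":
    for line in run_sample()[1]:
        print(line)
```

Two design points carry over to a real deployment: the proxy refuses unauthenticated requests before consulting any list, since the control calls for authenticated proxy servers rather than merely filtering ones, and deny entries take precedence over allow entries so that a broad allowlist domain cannot re-open a blocked subdomain or URL path. The one-record-per-decision log, with the user, client address, destination and reason on every line, is what makes the SIEM integration in the Best Practice item useful for review and alerting.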
Unofficial FedRAMP Guidance:
None
Assessment Evidence:
Evidence showing that internal communications traffic destined for external networks is routed through authenticated proxy servers at managed interfaces. Screenshots are acceptable.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD