Security Control 13:
Boundary Defense

Control the flow of traffic through network borders, and police content by looking for attacks and for evidence of compromised machines. Establish multilayered boundary defenses by relying on firewalls, proxies, demilitarized zone (DMZ) perimeter networks, and other network-based tools. Filter both inbound and outbound traffic, including traffic exchanged with business partner networks ("extranets").

Key: REQ = Required, REC = Recommended, OPT = Optional

ID | Details | High | Med | Low

13.1

Develop plans to rapidly deploy filters on internal networks to help stop the spread of malware or an intruder.

REQ REQ REQ

13.2

Deny communications with (or limit data flow to) known malicious IP addresses (black lists) or limit access to trusted sites (white lists).

REQ REC OPT

13.3

Deploy network-based IDS sensors on Internet and extranet DMZ systems and networks that look for unusual attack mechanisms and detect compromise of these systems.

[additional details]

These network-based IDS sensors may detect attacks through the use of signatures, network behavior analysis, or other mechanisms to analyze traffic.

REQ REC OPT

13.4

Deploy network-based IPS devices to complement IDS by blocking traffic that matches known-bad attack signatures or behaviors.

[additional details]

As attacks become automated, a detection-only control such as IDS still leaves the response to a human, so the time between detection and reaction grows. A properly configured network-based IPS automates the blocking of known-bad traffic. Because an IPS sits in-line, a false-positive signature blocks legitimate traffic as well, so test new signatures in alert-only mode before enabling blocking.

REQ REC OPT

13.5

Define a network architecture that clearly separates internal systems from DMZ and extranet systems.

[additional details]

DMZ systems are machines that need to communicate with the internal network as well as the Internet, while extranet systems are those that primarily communicate with systems at a business partner. DMZ systems should never hold sensitive data, and internal systems should never be directly reachable from the Internet.

REQ REC OPT

13.6

Require all remote log-in access (including VPN, dial-up, and other forms of access that allow log-in to internal systems) to use two-factor authentication.

REQ REC OPT

13.7

To limit access by an insider or malware spreading on an internal network, devise internal network segmentation schemes to limit traffic to only those services needed for business use across the internal network.

REQ REC OPT
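13.5 and 13.7 both reduce to the same rule: write down which zone may talk to which zone on which service, deny everything else, and check the firewall's accepted flows against that table. The following is an added example, not code from the original page or the control's authors; the address plan, zone names, allowed services, log format and the nftables rendering are all constructed assumptions.

```python
"""Zone-based segmentation check for 13.5 and 13.7: the policy is an explicit
allow-list of zone-to-zone services; anything the firewall accepted that is not
on it is a violation. Added example, not from the original page; the address
plan, zone names, allowed services and the log format are constructed."""
import ipaddress
import re

# Constructed address plan. Any address outside these ranges is "internet".
ZONES = {
    "dmz":          ipaddress.ip_network("192.0.2.0/24"),
    "extranet":     ipaddress.ip_network("198.51.100.0/24"),
    "workstations": ipaddress.ip_network("10.1.0.0/16"),
    "servers":      ipaddress.ip_network("10.2.0.0/16"),
    "databases":    ipaddress.ip_network("10.3.0.0/16"),
}

# (src_zone, dst_zone, proto, dport). Everything not listed is denied, so
# internet->internal or workstation->database can never slip in by default.
ALLOWED_FLOWS = {
    ("internet",     "dmz",       "tcp", 443),   # public web tier only
    ("dmz",          "servers",   "tcp", 8443),  # web tier -> internal API, one port
    ("servers",      "databases", "tcp", 5432),  # app tier -> DB
    ("workstations", "servers",   "tcp", 443),   # users -> internal apps
    ("workstations", "dmz",       "tcp", 22),    # admin SSH into the DMZ from inside
    ("extranet",     "servers",   "tcp", 8443),  # partner integration endpoint
}

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"   # unknown address space is untrusted

def evaluate(src, dst, proto, dport):
    """Return (allowed, reason) for one flow, naming the control a denial relates to."""
    sz, dz, proto, dport = zone_of(src), zone_of(dst), proto.lower(), int(dport)
    if (sz, dz, proto, dport) in ALLOWED_FLOWS:
        return True, f"{sz}->{dz} {proto}/{dport} permitted"
    if sz == "internet" and dz not in ("dmz", "internet"):
        return False, f"internet->{dz}: internal system reachable from the Internet (13.5)"
    if sz == dz and sz != "internet":
        return False, f"{sz}->{dz}: lateral traffic inside one zone on {proto}/{dport} (13.7)"
    return False, f"{sz}->{dz} {proto}/{dport} not on the allow-list"

FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\w+) dport=(\d+)")

def audit(log_lines):
    """Return [(line, reason)] for accepted flows that violate the policy."""
    violations = []
    for line in log_lines:
        m = FLOW_RE.search(line)
        if not m:
            continue   # real logs carry non-flow events too
        ok, reason = evaluate(*m.groups())
        if not ok:
            violations.append((line.strip(), reason))
    return violations

def to_nft_rules():
    """Render the same allow-list as an nftables forward chain with a default drop, so
    the audited policy and the enforced one come from one table (13.1: filters can be
    regenerated and pushed quickly). "internet" has no range: it is "not any zone"."""
    all_zones = ", ".join(str(n) for n in ZONES.values())
    def match(zone, field):
        return (f"ip {field} != {{ {all_zones} }}" if zone == "internet"
                else f"ip {field} {ZONES[zone]}")
    lines = ["table inet segmentation {", "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept"]
    for src, dst, proto, port in sorted(ALLOWED_FLOWS):
        lines.append(f"    {match(src, 'saddr')} {match(dst, 'daddr')} {proto} dport {port} accept")
    return lines + ["  }", "}"]

# Constructed sample of flows the firewall ACCEPTED; the audit asks whether it should have.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z fw1 ACCEPT src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=443
2024-05-01T10:00:02Z fw1 ACCEPT src=203.0.113.5 dst=10.2.0.10 proto=tcp dport=22
2024-05-01T10:00:03Z fw1 ACCEPT src=10.1.0.23 dst=10.3.0.5 proto=tcp dport=5432
2024-05-01T10:00:04Z fw1 ACCEPT src=192.0.2.10 dst=10.2.0.10 proto=tcp dport=8443
2024-05-01T10:00:05Z fw1 ACCEPT src=10.1.0.23 dst=10.1.0.24 proto=tcp dport=445
2024-05-01T10:00:06Z fw1 ACCEPT src=198.51.100.7 dst=10.3.0.5 proto=tcp dport=5432
2024-05-01T10:00:07Z fw1 admin login user=ops
""".splitlines()

if __name__ == "__main__":
    for line, reason in audit(SAMPLE_LOG):
        print("VIOLATION", reason, "<-", line)
    print("\n".join(to_nft_rules()))
```

On the constructed log this flags four of the six accepted flows: an Internet host reaching a server on SSH (13.5), a workstation talking straight to a database, workstation-to-workstation SMB (the lateral path 13.7 is meant to close), and a partner host reaching a database. The point of generating the nftables chain from the same table is that an audit finding and the fix are one edit apart.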

13.8

Design and implement network perimeters so that all outgoing web, file transfer protocol (FTP), and secure shell (SSH) traffic to the Internet must pass through at least one proxy on a DMZ network.

[additional details]

The proxy should support logging individual TCP sessions; blocking specific URLs, domain names, and IP addresses to implement a black list; and applying a white list of allowed sites while blocking all other sites. Force outbound traffic to the Internet through an authenticated proxy server on the perimeter, and deny direct outbound connections at the perimeter firewall so that the proxy cannot simply be bypassed. Proxies can also be used to encrypt all traffic leaving the network.

REC OPT OPT
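13.2 and 13.8 together describe an egress policy: a white list of destinations, a black list of known-bad addresses, and a guarantee that the proxy is the only way out. The following is an added example, not code from the original page or the control's authors; the lists, the proxy address and both log formats are constructed assumptions. It evaluates proxy access-log lines against the lists, handling the cases that usually go wrong (IP-literal destinations, look-alike domains, a white-listed name that resolves to a black-listed address), and then scans firewall flow records for hosts that reached the Internet without going through the proxy.

```python
"""Egress control for 13.2 and 13.8 (added example; the lists, the proxy address and
both log formats are constructed assumptions, not content from the original page):
  1. decide(): white list of domains plus black list of IP ranges, per request
  2. audit_proxy_log(): apply decide() to proxy access-log lines
  3. find_proxy_bypass(): flag Internet-bound web/FTP/SSH flows that did not originate
     from the proxy, i.e. hosts that are not being forced through it
"""
import ipaddress
import re
from urllib.parse import urlsplit

PROXY_IP = ipaddress.ip_address("192.0.2.20")           # assumed DMZ proxy
ALLOWED_DOMAINS = {"example.com", "update.example.net"}  # white list (plus subdomains)
BLOCKED_NETS = [ipaddress.ip_network("203.0.113.0/24"),  # black list of known-bad ranges
                ipaddress.ip_network("198.51.100.66/32")]
ORG_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "192.0.2.0/24")]
PROXIED_PORTS = {80, 443, 21, 22}   # web, FTP, SSH: must go via the proxy per 13.8

def _norm(host):
    return host.lower().rstrip(".").strip("[]")

def is_allowed_domain(host):
    """Exact or proper-subdomain match: 'notexample.com' must not match 'example.com'."""
    host = _norm(host)
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)

def is_blocked_ip(ip):
    return any(ipaddress.ip_address(ip) in net for net in BLOCKED_NETS)

def decide(host, dst_ip=None):
    """(allow, reason). Black list beats white list; an IP-literal host never passes the
    domain white list, otherwise a client could sidestep it by using the address."""
    host = _norm(host)
    try:
        ipaddress.ip_address(host)
        literal = True
    except ValueError:
        literal = False
    if literal:
        if is_blocked_ip(host):
            return False, "destination IP on block-list"
        return False, "IP-literal destination bypasses the domain allow-list"
    if dst_ip is not None and is_blocked_ip(dst_ip):
        return False, "resolved IP on block-list"
    if is_allowed_domain(host):
        return True, "domain on allow-list"
    return False, "domain not on allow-list"

def _host_of(method, url):
    if method == "CONNECT":               # CONNECT carries host:port, not a URL
        return url.rsplit(":", 1)[0]
    return urlsplit(url).hostname or ""

def audit_proxy_log(lines):
    """Constructed format: '<epoch> <client> <method> <url> <server_ip>'.
    Returns [(client, host, allow, reason)] in log order."""
    out = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue
        _, client, method, url, server_ip = parts
        host = _host_of(method, url)
        allow, reason = decide(host, server_ip)
        out.append((client, _norm(host), allow, reason))
    return out

FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\w+) dport=(\d+)")

def find_proxy_bypass(flow_lines):
    """Internet-bound flows on proxied ports whose source is not the proxy."""
    hits = []
    for line in flow_lines:
        m = FLOW_RE.search(line)
        if not m:
            continue
        src, dst = ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2])
        egress = any(src in n for n in ORG_NETS) and not any(dst in n for n in ORG_NETS)
        if egress and int(m[4]) in PROXIED_PORTS and src != PROXY_IP:
            hits.append((str(src), str(dst), int(m[4])))
    return hits

# Constructed sample data.
PROXY_LOG = """\
1714557601.001 10.1.0.23 GET http://www.example.com/index.html 93.184.216.34
1714557602.002 10.1.0.23 CONNECT mail.notexample.com:443 198.51.100.10
1714557603.003 10.1.0.45 GET http://198.51.100.66/payload.bin 198.51.100.66
1714557604.004 10.1.0.45 CONNECT update.example.net:443 203.0.113.77
1714557605.005 10.1.0.23 CONNECT EXAMPLE.COM.:443 93.184.216.34
1714557606.006 10.1.0.23 GET http://93.184.216.34/ 93.184.216.34
""".splitlines()

FLOW_LOG = """\
src=192.0.2.20 dst=93.184.216.34 proto=tcp dport=443
src=10.1.0.23 dst=93.184.216.34 proto=tcp dport=443
src=10.1.0.45 dst=203.0.113.9 proto=tcp dport=22
src=10.1.0.23 dst=10.2.0.10 proto=tcp dport=443
""".splitlines()

if __name__ == "__main__":
    for client, host, allow, reason in audit_proxy_log(PROXY_LOG):
        print("ALLOW" if allow else "DENY ", client, host, "-", reason)
    for src, dst, port in find_proxy_bypass(FLOW_LOG):
        print(f"BYPASS {src} -> {dst}:{port} did not go through the proxy")
```

Two design choices matter here. The black list is checked before the white list, and it is checked against the address the proxy actually connected to, so a white-listed name that resolves into a known-bad range is still denied. An IP-literal destination is denied outright rather than looked up against the domain list, because a domain white list that can be evaded by typing the address is not a white list. The bypass scan is the check that 13.8's "force outbound traffic through the proxy" is really enforced: any internal source other than the proxy appearing in an Internet-bound web, FTP or SSH flow means the perimeter still allows direct egress.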

Additional Reading