800-53|SC-7

Title

BOUNDARY PROTECTION

Description

The information system:

Supplemental

Managed interfaces include, for example, gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational information systems includes, for example, restricting external web traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security controls associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers, and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions.

Reference Item Details

Related: AC-17,AC-4,CA-3,CM-7,CP-8,IR-4,RA-3,SC-13,SC-5

Category: SYSTEM AND COMMUNICATIONS PROTECTION

Family: SYSTEM AND COMMUNICATIONS PROTECTION

Priority: P1

Baseline Impact: LOW,MODERATE,HIGH

Audit Items

View all Reference Audit Items

NamePluginAudit Name
1.1 Use a Split-Horizon ArchitectureUnixCIS BIND DNS v1.0.0 L1 Caching Only Name Server
1.1 Use a Split-Horizon ArchitectureUnixCIS BIND DNS v1.0.0 L1 Authoritative Name Server
1.1.1 Create Separate Partition for /tmpUnixCIS Red Hat Enterprise Linux 5 L1 v2.2.1
1.1.2 Ensure /tmp is configuredUnixCIS Fedora 19 Family Linux Workstation L1 v1.0.0
1.1.2 Ensure /tmp is configuredUnixCIS Fedora 19 Family Linux Server L1 v1.0.0
1.1.2 Ensure separate partition exists for /tmpUnixCIS SUSE Linux Enterprise Server 11 L2 v2.1.1
1.1.2 Ensure separate partition exists for /tmpUnixCIS SUSE Linux Enterprise Workstation 11 L2 v2.1.1
1.1.3 Ensure separate file system for /tmpUnixCIS Amazon Linux 2 STIG v1.0.0 L3
1.1.3 Set nosuid option for /tmp PartitionUnixCIS Red Hat Enterprise Linux 5 L1 v2.2.1
1.1.3.9.5 Set 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' to 'Highest protection'WindowsCIS Windows 8 L1 v1.0.0
1.1.3.9.7 Configure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)'WindowsCIS Windows 8 L1 v1.0.0
1.1.3.9.8 Configure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes'WindowsCIS Windows 8 L1 v1.0.0
1.1.3.9.10 Configure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds'WindowsCIS Windows 8 L1 v1.0.0
1.1.3.9.11 Configure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted (3 recommended, 5 default)'WindowsCIS Windows 8 L1 v1.0.0
1.1.3.9.15 Set 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' to 'Highest'WindowsCIS Windows 8 L1 v1.0.0
1.1.3.9.16 Configure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)'WindowsCIS Windows 8 L1 v1.0.0
1.1.4.1.8 Ensure 'Navigate URL' is set to 'Enabled'WindowsCIS Microsoft Office Enterprise v1.1.0 L1
1.1.4.1.13 Ensure 'Saved from URL' is set to 'Enabled'WindowsCIS Microsoft Office Enterprise v1.1.0 L1
1.1.4.4.2 Enable listening ports range is set as appropriate for organizationZoomCIS Zoom L2 v1.0.0
1.1.5 Create Separate Partition for /varUnixCIS Red Hat Enterprise Linux 5 L1 v2.2.1
1.1.10 Add nodev Option to /homeUnixCIS Red Hat Enterprise Linux 5 L1 v2.2.1
1.1.11 Add nodev Option to Removable Media PartitionsUnixCIS Red Hat Enterprise Linux 5 L1 v2.2.1
1.1.11 Ensure separate partition exists for /var/tmpUnixCIS Fedora 19 Family Linux Server L2 v1.0.0
1.1.11 Ensure separate partition exists for /var/tmpUnixCIS Fedora 19 Family Linux Workstation L2 v1.0.0
1.1.12 Add noexec Option to Removable Media PartitionsUnixCIS Red Hat Enterprise Linux 5 L1 v2.2.1
1.1.13 Add nosuid Option to Removable Media PartitionsUnixCIS Red Hat Enterprise Linux 5 L1 v2.2.1
1.1.13 Ensure nodev option set on /var/tmp partitionUnixCIS Fedora 19 Family Linux Workstation L1 v1.0.0
1.1.13 Ensure nodev option set on /var/tmp partitionUnixCIS Fedora 19 Family Linux Server L1 v1.0.0
1.1.13 Ensure separate partition exists for /homeUnixCIS SUSE Linux Enterprise Server 11 L2 v2.1.1
1.1.13 Ensure separate partition exists for /homeUnixCIS SUSE Linux Enterprise Workstation 11 L2 v2.1.1
1.1.14 Add nodev Option to /dev/shm PartitionUnixCIS Red Hat Enterprise Linux 5 L1 v2.2.1
1.1.14 Ensure nosuid option set on /var/tmp partitionUnixCIS Fedora 19 Family Linux Workstation L1 v1.0.0
1.1.14 Ensure nosuid option set on /var/tmp partitionUnixCIS Fedora 19 Family Linux Server L1 v1.0.0
1.1.15 Add nosuid Option to /dev/shm PartitionUnixCIS Red Hat Enterprise Linux 5 L1 v2.2.1
1.1.16 Add noexec Option to /dev/shm PartitionUnixCIS Red Hat Enterprise Linux 5 L1 v2.2.1
1.1.17 Ensure separate partition exists for /homeUnixCIS Fedora 19 Family Linux Server L2 v1.0.0
1.1.17 Ensure separate partition exists for /homeUnixCIS Fedora 19 Family Linux Workstation L2 v1.0.0
1.1.17 Set Sticky Bit on All World-Writable DirectoriesUnixCIS Red Hat Enterprise Linux 5 L1 v2.2.1
1.1.18 Ensure nodev option set on /home partitionUnixCIS Fedora 19 Family Linux Workstation L1 v1.0.0
1.1.18 Ensure nodev option set on /home partitionUnixCIS Fedora 19 Family Linux Server L1 v1.0.0
1.1.19 Ensure noexec option set on removable media partitionsUnixCIS Fedora 19 Family Linux Server L1 v1.0.0
1.1.19 Ensure noexec option set on removable media partitionsUnixCIS Fedora 19 Family Linux Workstation L1 v1.0.0
1.1.20 Ensure nodev option set on removable media partitionsUnixCIS Fedora 19 Family Linux Server L1 v1.0.0
1.1.20 Ensure nodev option set on removable media partitionsUnixCIS Fedora 19 Family Linux Workstation L1 v1.0.0
1.1.21 Ensure nosuid option set on removable media partitionsUnixCIS Fedora 19 Family Linux Server L1 v1.0.0
1.1.21 Ensure nosuid option set on removable media partitionsUnixCIS Fedora 19 Family Linux Workstation L1 v1.0.0
1.1.21 Ensure sticky bit is set on all world-writable directoriesUnixCIS Debian 9 Workstation L1 v1.0.1
1.1.21 Ensure sticky bit is set on all world-writable directoriesUnixCIS Debian 9 Server L1 v1.0.1
1.1.22 Ensure sticky bit is set on all world-writable directoriesUnixCIS Fedora 19 Family Linux Workstation L1 v1.0.0
1.1.22 Ensure sticky bit is set on all world-writable directoriesUnixCIS Fedora 19 Family Linux Server L1 v1.0.0