800-53|SC-7

Title

BOUNDARY PROTECTION

Description

The information system:

Supplemental

Managed interfaces include, for example, gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational information systems includes, for example, restricting external web traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security controls associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers, and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions.

Reference Item Details

Related: AC-17, AC-4, CA-3, CM-7, CP-8, IR-4, RA-3, SC-13, SC-5

Category: SYSTEM AND COMMUNICATIONS PROTECTION

Family: SYSTEM AND COMMUNICATIONS PROTECTION

Priority: P1

Baseline Impact: LOW, MODERATE, HIGH

Audit Items


Name | Plugin | Audit Name
1.1 Use a Split-Horizon Architecture | Unix | CIS BIND DNS v1.0.0 L1 Caching Only Name Server
1.1 Use a Split-Horizon Architecture | Unix | CIS BIND DNS v1.0.0 L1 Authoritative Name Server
1.1.1 Create Separate Partition for /tmp | Unix | CIS Red Hat Enterprise Linux 5 L1 v2.2.1
1.1.2 Ensure /tmp is configured | Unix | CIS Fedora 19 Family Linux Server L1 v1.0.0
1.1.2 Ensure /tmp is configured | Unix | CIS Fedora 19 Family Linux Workstation L1 v1.0.0
1.1.2 Ensure separate partition exists for /tmp | Unix | CIS SUSE Linux Enterprise Server 11 L2 v2.1.1
1.1.2 Ensure separate partition exists for /tmp | Unix | CIS SUSE Linux Enterprise Workstation 11 L2 v2.1.1
1.1.3 Ensure separate file system for /tmp | Unix | CIS Amazon Linux 2 STIG v1.0.0 L3
1.1.3 Set nosuid option for /tmp Partition | Unix | CIS Red Hat Enterprise Linux 5 L1 v2.2.1
1.1.3.9.5 Set 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' to 'Highest protection' | Windows | CIS Windows 8 L1 v1.0.0
1.1.3.9.7 Configure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)' | Windows | CIS Windows 8 L1 v1.0.0
1.1.3.9.8 Configure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' | Windows | CIS Windows 8 L1 v1.0.0
1.1.3.9.10 Configure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' | Windows | CIS Windows 8 L1 v1.0.0
1.1.3.9.11 Configure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted (3 recommended, 5 default)' | Windows | CIS Windows 8 L1 v1.0.0
1.1.3.9.15 Set 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' to 'Highest' | Windows | CIS Windows 8 L1 v1.0.0
1.1.3.9.16 Configure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' | Windows | CIS Windows 8 L1 v1.0.0
1.1.4.1.8 Ensure 'Navigate URL' is set to 'Enabled' | Windows | CIS Microsoft Office Enterprise v1.1.0 L1
1.1.4.1.13 Ensure 'Saved from URL' is set to 'Enabled' | Windows | CIS Microsoft Office Enterprise v1.1.0 L1
1.1.4.4.2 Enable listening ports range is set as appropriate for organization | Zoom | CIS Zoom L2 v1.0.0
1.1.5 Create Separate Partition for /var | Unix | CIS Red Hat Enterprise Linux 5 L1 v2.2.1
1.1.10 Add nodev Option to /home | Unix | CIS Red Hat Enterprise Linux 5 L1 v2.2.1
1.1.11 Add nodev Option to Removable Media Partitions | Unix | CIS Red Hat Enterprise Linux 5 L1 v2.2.1
1.1.11 Ensure separate partition exists for /var/tmp | Unix | CIS Fedora 19 Family Linux Server L2 v1.0.0
1.1.11 Ensure separate partition exists for /var/tmp | Unix | CIS Fedora 19 Family Linux Workstation L2 v1.0.0
1.1.12 Add noexec Option to Removable Media Partitions | Unix | CIS Red Hat Enterprise Linux 5 L1 v2.2.1
1.1.13 Add nosuid Option to Removable Media Partitions | Unix | CIS Red Hat Enterprise Linux 5 L1 v2.2.1
1.1.13 Ensure nodev option set on /var/tmp partition | Unix | CIS Fedora 19 Family Linux Workstation L1 v1.0.0
1.1.13 Ensure nodev option set on /var/tmp partition | Unix | CIS Fedora 19 Family Linux Server L1 v1.0.0
1.1.13 Ensure separate partition exists for /home | Unix | CIS SUSE Linux Enterprise Server 11 L2 v2.1.1
1.1.13 Ensure separate partition exists for /home | Unix | CIS SUSE Linux Enterprise Workstation 11 L2 v2.1.1
1.1.14 Add nodev Option to /dev/shm Partition | Unix | CIS Red Hat Enterprise Linux 5 L1 v2.2.1
1.1.14 Ensure nosuid option set on /var/tmp partition | Unix | CIS Fedora 19 Family Linux Server L1 v1.0.0
1.1.14 Ensure nosuid option set on /var/tmp partition | Unix | CIS Fedora 19 Family Linux Workstation L1 v1.0.0
1.1.15 Add nosuid Option to /dev/shm Partition | Unix | CIS Red Hat Enterprise Linux 5 L1 v2.2.1
1.1.16 Add noexec Option to /dev/shm Partition | Unix | CIS Red Hat Enterprise Linux 5 L1 v2.2.1
1.1.17 Ensure separate partition exists for /home | Unix | CIS Fedora 19 Family Linux Server L2 v1.0.0
1.1.17 Ensure separate partition exists for /home | Unix | CIS Fedora 19 Family Linux Workstation L2 v1.0.0
1.1.17 Set Sticky Bit on All World-Writable Directories | Unix | CIS Red Hat Enterprise Linux 5 L1 v2.2.1
1.1.18 Ensure nodev option set on /home partition | Unix | CIS Fedora 19 Family Linux Workstation L1 v1.0.0
1.1.18 Ensure nodev option set on /home partition | Unix | CIS Fedora 19 Family Linux Server L1 v1.0.0
1.1.19 Ensure noexec option set on removable media partitions | Unix | CIS Fedora 19 Family Linux Workstation L1 v1.0.0
1.1.19 Ensure noexec option set on removable media partitions | Unix | CIS Fedora 19 Family Linux Server L1 v1.0.0
1.1.20 Ensure nodev option set on removable media partitions | Unix | CIS Fedora 19 Family Linux Server L1 v1.0.0
1.1.20 Ensure nodev option set on removable media partitions | Unix | CIS Fedora 19 Family Linux Workstation L1 v1.0.0
1.1.21 Ensure nosuid option set on removable media partitions | Unix | CIS Fedora 19 Family Linux Workstation L1 v1.0.0
1.1.21 Ensure nosuid option set on removable media partitions | Unix | CIS Fedora 19 Family Linux Server L1 v1.0.0
1.1.21 Ensure sticky bit is set on all world-writable directories | Unix | CIS Debian 9 Workstation L1 v1.0.1
1.1.21 Ensure sticky bit is set on all world-writable directories | Unix | CIS Debian 9 Server L1 v1.0.1
1.1.22 Ensure sticky bit is set on all world-writable directories | Unix | CIS Fedora 19 Family Linux Workstation L1 v1.0.0
1.1.22 Ensure sticky bit is set on all world-writable directories | Unix | CIS Fedora 19 Family Linux Server L1 v1.0.0