800-53|SC-7(8)

Title

ROUTE TRAFFIC TO AUTHENTICATED PROXY SERVERS

Description

The information system routes [Assignment: organization-defined internal communications traffic] to [Assignment: organization-defined external networks] through authenticated proxy servers at managed interfaces.

Supplemental

External networks are networks outside of organizational control. A proxy server is a server (i.e., information system or application) that acts as an intermediary for clients requesting information system resources (e.g., files, connections, web pages, or services) from other organizational servers. Client requests established through an initial connection to the proxy server are evaluated to manage complexity and to provide additional protection by limiting direct connectivity. Web content filtering devices are one of the most common proxy servers providing access to the Internet. Proxy servers support logging individual Transmission Control Protocol (TCP) sessions and blocking specific Uniform Resource Locators (URLs), domain names, and Internet Protocol (IP) addresses. Web proxies can be configured with organization-defined lists of authorized and unauthorized websites.

Reference Item Details

Related: AC-3,AU-2

Category: SYSTEM AND COMMUNICATIONS PROTECTION

Parent Title: BOUNDARY PROTECTION

Family: SYSTEM AND COMMUNICATIONS PROTECTION

Baseline Impact: HIGH

Audit Items

View all Reference Audit Items

NamePluginAudit Name
1.2.14 Ensure that the admission control plugin NodeRestriction is setUnixCIS Kubernetes Benchmark v1.9.0 L2 Master
1.2.15 Ensure that the admission control plugin NodeRestriction is setUnixCIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
1.2.15 Ensure that the admission control plugin NodeRestriction is setUnixCIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
1.2.16 Ensure that the admission control plugin NodeRestriction is setUnixCIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
1.3.4 Ensure that the --root-ca-file argument is set as appropriateOpenShiftCIS RedHat OpenShift Container Platform 4 v1.5.0 L1
2.1.20 Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selectedmicrosoft_azureCIS Microsoft Azure Foundations v2.1.0 L2
2.17 Ensure 'Proxy settings' is set to 'Enabled' and does not contain 'ProxyMode': 'auto_detect'WindowsCIS Google Chrome L1 v3.0.0
4.4.1 Block high risk categories on Application ControlFortiGateCIS Fortigate 7.0.x Level 1 v1.2.0
4.11 Ensure 'Dynamic IP Address Restrictions' is enabled - Deny By Concurrent RequestsWindowsCIS IIS 10 v1.2.1 Level 1
4.11 Ensure 'Dynamic IP Address Restrictions' is enabled - maxConcurrentRequestsWindowsCIS IIS 10 v1.2.1 Level 1
5.1.1 Ensure allow and deny filters limit access to specific IP addressesUnixCIS NGINX Benchmark v2.0.1 L2 Webserver
5.1.1 Ensure allow and deny filters limit access to specific IP addressesUnixCIS NGINX Benchmark v2.0.1 L2 Proxy
5.1.1 Ensure allow and deny filters limit access to specific IP addressesUnixCIS NGINX Benchmark v2.0.1 L2 Loadbalancer
5.2.2 Minimize the admission of containers wishing to share the host process ID namespaceUnixCIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
5.2.3 Minimize the admission of containers wishing to share the host IPC namespaceOpenShiftCIS RedHat OpenShift Container Platform 4 v1.5.0 L1
5.2.3 Minimize the admission of containers wishing to share the host process ID namespaceUnixCIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
5.2.3 Minimize the admission of containers wishing to share the host process ID namespaceUnixCIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
5.2.3 Minimize the admission of containers wishing to share the host process ID namespaceUnixCIS Kubernetes Benchmark v1.9.0 L1 Master
5.17 Ensure HTTP Header Referrer-Policy is set appropriatelyUnixCIS Apache HTTP Server 2.4 L2 v2.1.0
5.17 Ensure HTTP Header Referrer-Policy is set appropriatelyUnixCIS Apache HTTP Server 2.4 L2 v2.1.0 Middleware
5.18 Ensure HTTP Header Permissions-Policy is set appropriatelyUnixCIS Apache HTTP Server 2.4 L2 v2.1.0
5.18 Ensure HTTP Header Permissions-Policy is set appropriatelyUnixCIS Apache HTTP Server 2.4 L2 v2.1.0 Middleware
7.2 Ensure SSLv2 is DisabledWindowsCIS IIS 10 v1.2.1 Level 1
7.5 Ensure TLS 1.1 is DisabledWindowsCIS IIS 10 v1.2.1 Level 1
9.1 Ensure the TimeOut Is Set to 10 or LessUnixCIS Apache HTTP Server 2.4 L1 v2.1.0 Middleware
9.1 Ensure the TimeOut Is Set to 10 or LessUnixCIS Apache HTTP Server 2.4 L1 v2.1.0
9.2 Configure 'Disable changing Automatic Configuration settings'WindowsCIS IE 9 v1.0.0
9.3 Configure 'Disable changing connection settings'WindowsCIS IE 9 v1.0.0
9.4 Configure 'Disable changing proxy settings'WindowsCIS IE 9 v1.0.0
9.5 Configure 'Make proxy settings per-machine (rather than per-user)'WindowsCIS IE 11 v1.0.0
9.5 Configure 'Make proxy settings per-machine (rather than per-user)'WindowsCIS IE 10 v1.1.0
9.7 Set 'Prevent changing proxy settings' to 'Enabled'WindowsCIS IE 10 v1.1.0
9.7 Set 'Prevent changing proxy settings' to 'Enabled'WindowsCIS IE 11 v1.0.0
9.8 Configure 'Disable changing Automatic Configuration settings'WindowsCIS IE 10 v1.1.0
9.8 Configure 'Disable changing Automatic Configuration settings'WindowsCIS IE 11 v1.0.0
9.11 Configure 'Disable changing connection settings'WindowsCIS IE 11 v1.0.0
9.11 Configure 'Disable changing connection settings'WindowsCIS IE 10 v1.1.0
10.6 Enable strict servlet ComplianceUnixCIS Apache Tomcat 9 L2 v1.2.0 Middleware
10.6 Enable strict servlet ComplianceUnixCIS Apache Tomcat 10 L2 v1.1.0
10.6 Enable strict servlet ComplianceUnixCIS Apache Tomcat 9 L2 v1.2.0
10.6 Enable strict servlet ComplianceUnixCIS Apache Tomcat 10 L2 v1.1.0 Middleware
18.10.56.3.9.2 (L1) Ensure 'Require secure RPC communication' is set to 'Enabled'WindowsCIS Microsoft Windows Server 2019 v3.0.0 L1 Member Server
18.10.56.3.9.2 (L1) Ensure 'Require secure RPC communication' is set to 'Enabled'WindowsCIS Microsoft Windows Server 2022 v3.0.0 L1 Domain Controller
18.10.56.3.9.2 (L1) Ensure 'Require secure RPC communication' is set to 'Enabled'WindowsCIS Microsoft Windows Server 2022 v3.0.0 L1 Member Server
18.10.56.3.9.2 (L1) Ensure 'Require secure RPC communication' is set to 'Enabled'WindowsCIS Microsoft Windows Server 2019 v3.0.0 L1 Domain Controller
18.10.56.3.9.2 (L1) Ensure 'Require secure RPC communication' is set to 'Enabled'WindowsCIS Microsoft Windows Server 2016 v3.0.0 L1 DC
18.10.56.3.9.2 (L1) Ensure 'Require secure RPC communication' is set to 'Enabled'WindowsCIS Microsoft Windows Server 2016 v3.0.0 L1 MS
DTBI305 - Automatic configuration is not disabled -'Autoconfig = 1'.WindowsDISA STIG IE 9 v1r5
DTBI305 - Automatic configuration of Internet Explorer connections must be disallowed.WindowsDISA STIG IE 10 V1R16
DTBI305 - Automatic configuration of Internet Explorer must be disallowed.WindowsDISA STIG Microsoft Internet Explorer 9 v1r15