Prohibit systems from connecting directly to external networks.

CONTROL ID
08709
CONTROL TYPE
Configuration
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Manage all external network connections., CC ID: 11842

There are no implementation support Controls.

SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • It is necessary to set up computers that are connected to external networks with security in mind. (P15.2. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • When accessing an organisation's network via a VPN connection, split tunnelling is disabled. (Control: ISM-0705; Revision: 4, Australian Government Information Security Manual, June 2023)
  • Mobile devices access the internet via a VPN connection to an organisation's internet gateway rather than via a direct connection to the internet. (Control: ISM-0874; Revision: 5, Australian Government Information Security Manual, June 2023)
  • Networked management interfaces for ICT equipment are not directly exposed to the internet. (Control: ISM-1863; Revision: 0, Australian Government Information Security Manual, June 2023)
  • When accessing an organisation's network via a VPN connection, split tunnelling is disabled. (Control: ISM-0705; Revision: 4, Australian Government Information Security Manual, September 2023)
  • Networked management interfaces for ICT equipment are not directly exposed to the internet. (Control: ISM-1863; Revision: 0, Australian Government Information Security Manual, September 2023)
  • Mobile devices and desktop computers access the internet via a VPN connection to an organisation's internet gateway rather than via a direct connection to the internet. (Control: ISM-0874; Revision: 6, Australian Government Information Security Manual, September 2023)
  • Are direct connections prohibited for inbound or outbound traffic between the Internet and the cardholder data environment? (1.3.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.1)
  • Are direct connections prohibited for inbound or outbound traffic between the Internet and the cardholder data environment? (1.3.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.1)
  • Are direct connections prohibited for inbound or outbound traffic between the Internet and the cardholder data environment? (1.3.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Are direct connections prohibited for inbound or outbound traffic between the Internet and the cardholder data environment? (1.3.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • The information system, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks. (SC-7(7) ¶ 1, StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • The information system, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks. (SC-7(7) ¶ 1, StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • The organization prohibits the direct connection of an [Assignment: organization-defined unclassified, non-national security system] to an external network without the use of [Assignment: organization-defined boundary protection device]. (CA-3(3) ¶ 1, StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • The information system, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks. (SC-7(7) ¶ 1, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The organization prohibits the direct connection of an [Assignment: organization-defined unclassified, non-national security system] to an external network without the use of [Assignment: organization-defined boundary protection device]. (CA-3(3) ¶ 1, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling). (SC.3.184, Cybersecurity Maturity Model Certification, Version 1.0, Level 3)
  • Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling). (SC.3.184, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling). (SC.3.184, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling). (SC.L2-3.13.7 Split Tunneling, Cybersecurity Maturity Model Certification, Version 2.0, Level 2)
  • The organization prohibits the direct connection of an [Assignment: organization-defined unclassified, non-national security system] to an external network without the use of [FedRAMP Assignment: Boundary Protections which meet the Trusted Internet Connection (TIC) requirements]. (CA-3(3) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The information system, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks. (SC-7(7) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization prohibits the direct connection of an [Assignment: organization-defined unclassified, non-national security system] to an external network without the use of [FedRAMP Assignment: Boundary Protections which meet the Trusted Internet Connection (TIC) requirements]. (CA-3(3) Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The information system, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks. (SC-7(7) Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Prevent split tunneling for remote devices connecting to organizational systems unless the split tunnel is securely provisioned using [Assignment: organization-defined safeguards]. (SC-7(7) ¶ 1, FedRAMP Security Controls High Baseline, Version 5)
  • Prevent split tunneling for remote devices connecting to organizational systems unless the split tunnel is securely provisioned using [Assignment: organization-defined safeguards]. (SC-7(7) ¶ 1, FedRAMP Security Controls Moderate Baseline, Version 5)
  • Prevent split tunneling for remote devices connecting to organizational systems unless the split tunnel is securely provisioned using [Assignment: organization-defined safeguards]. (SC-7(7) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Prevent split tunneling for remote devices connecting to organizational systems unless the split tunnel is securely provisioned using [Assignment: organization-defined safeguards]. (SC-7(7) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • The information system, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks. (SC-7(7) ¶ 1 Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The information system, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks. (SC-7(7) ¶ 1 High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Prevent remote devices from simultaneously establishing non-remote connections with the information system and communicating via some other connection to resources in external networks. (3.13.7, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171)
  • Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling). (3.13.7, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 1)
  • Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling). (3.13.7, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 2)
  • The organization prohibits the direct connection of an {organizationally documented unclassified, national security system} to an external network without the use of {organizationally documented boundary protection device}. (CA-3(1), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization prohibits the direct connection of a classified, national security system to an external network without the use of {organizationally documented boundary protection device}. (CA-3(2), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization prohibits the direct connection of an {organizationally documented unclassified, non-national security system} to an external network without the use of {organizationally documented boundary protection device}. (CA-3(3), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization prohibits the direct connection of an {organizationally documented information system} to a public network. (CA-3(4), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The information system, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks. (SC-7(7), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The information system, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks. (SC-7(7), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The information system, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks. (SC-7(7), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The information system, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks. (SC-7(7) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The information system, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks. (SC-7(7) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • The information system, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks. (SC-7(7) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization prohibits the direct connection of a classified, national security system to an external network without the use of [Assignment: organization-defined boundary protection device]. (CA-3(2) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization prohibits the direct connection of an [Assignment: organization-defined unclassified, non-national security system] to an external network without the use of [Assignment: organization-defined boundary protection device]. (CA-3(3) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization prohibits the direct connection of an [Assignment: organization-defined unclassified, national security system] to an external network without the use of [Assignment: organization-defined boundary protection device]. (CA-3(1) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization prohibits the direct connection of an [Assignment: organization-defined information system] to a public network. (CA-3(4) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Prevent split tunneling for remote devices connecting to organizational systems unless the split tunnel is securely provisioned using [Assignment: organization-defined safeguards]. (SC-7(7) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Prohibit the direct connection of [Assignment: organization-defined system] to a public network. (SC-7(28) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Prohibit the direct connection of [Assignment: organization-defined unclassified national security system] to an external network without the use of [Assignment: organization-defined boundary protection device]. (SC-7(25) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Prohibit the direct connection of [Assignment: organization-defined unclassified non-national security system] to an external network without the use of [Assignment: organization-defined boundary protection device]. (SC-7(27) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Prohibit the direct connection of a classified national security system to an external network without the use of [Assignment: organization-defined boundary protection device]. (SC-7(26) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Prevent split tunneling for remote devices connecting to organizational systems unless the split tunnel is securely provisioned using [Assignment: organization-defined safeguards]. (SC-7(7) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Prohibit the direct connection of [Assignment: organization-defined system] to a public network. (SC-7(28) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Prohibit the direct connection of [Assignment: organization-defined unclassified national security system] to an external network without the use of [Assignment: organization-defined boundary protection device]. (SC-7(25) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Prohibit the direct connection of [Assignment: organization-defined unclassified non-national security system] to an external network without the use of [Assignment: organization-defined boundary protection device]. (SC-7(27) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Prohibit the direct connection of a classified national security system to an external network without the use of [Assignment: organization-defined boundary protection device]. (SC-7(26) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • The organization prohibits the direct connection of an [Assignment: organization-defined unclassified, non-national security system] to an external network without the use of [Assignment: organization-defined boundary protection device]. (CA-3(3) ¶ 1, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • The organization prohibits the direct connection of an [Assignment: organization-defined information system] to a public network. (CA-3(4) ¶ 1, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • The information system, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks. (SC-7(7) ¶ 1, TX-RAMP Security Controls Baseline Level 2)
  • The organization prohibits the direct connection of an [Assignment: organization-defined unclassified, non-national security system] to an external network without the use of [Assignment: organization-defined boundary protection device]. (CA-3(3) ¶ 1, TX-RAMP Security Controls Baseline Level 2)
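The split-tunnelling entries above (ISM-0705 and ISM-0874, NIST SP 800-171 3.13.7, SP 800-53 SC-7(7), CMMC SC.L2-3.13.7) all reduce to one observable fact on the endpoint: while the VPN is up, every route to external resources must go through the tunnel interface, with the sole exception of the host route to the VPN gateway itself. The following Python is an added example for this control page, not code from any cited authority document or vendor. It audits a Linux `ip -4 route` snapshot by simulating the kernel's route selection (longest prefix first, then lowest metric) for a set of probe destinations and reports any that would leave the host outside the tunnel. The tunnel interface name prefixes, the probe addresses, the VPN endpoint 203.0.113.10 and the two route tables are assumptions constructed for the illustration; the full-tunnel table uses the two /1 routes that OpenVPN's `redirect-gateway def1` installs to override a DHCP default route without deleting it.

```python
"""Audit a Linux `ip -4 route` snapshot for split tunnelling.

Added example for this control page; not code from any cited authority
document. It simulates the kernel's route selection (longest prefix, then
lowest metric) for a set of probe destinations and reports any that would
leave the host outside the VPN tunnel.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumption: tunnel interfaces use these common name prefixes
# (OpenVPN tun*, WireGuard wg*, PPP ppp*, macOS-style utun*).
TUNNEL_PREFIXES = ("tun", "wg", "ppp", "utun")

# Assumption: representative destinations that must egress via the tunnel
# (three public addresses plus one address in a corporate 10/8 range).
DEFAULT_PROBES = ("1.1.1.1", "8.8.8.8", "198.51.100.7", "10.0.5.5")

# Constructed sample inputs, shaped like `ip -4 route show` output.
VPN_ENDPOINT = "203.0.113.10"  # assumed VPN gateway address
FULL_TUNNEL_SNAPSHOT = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50 metric 100
203.0.113.10 via 192.168.1.1 dev eth0
"""
SPLIT_TUNNEL_SNAPSHOT = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
10.0.0.0/8 via 10.8.0.1 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50 metric 100
203.0.113.10 via 192.168.1.1 dev eth0
"""


@dataclass(frozen=True)
class Route:
    dst: ipaddress.IPv4Network
    dev: str
    via: Optional[str]
    metric: int


def _field(tokens: list[str], key: str) -> Optional[str]:
    """Return the token following `key` (e.g. the value after 'dev'), if present."""
    return tokens[tokens.index(key) + 1] if key in tokens else None


def parse_ip_route(text: str) -> list[Route]:
    """Parse `ip -4 route` lines into Route records.

    'default' becomes 0.0.0.0/0; a bare host becomes a /32. Lines that are not
    prefix routes (blackhole/unreachable, IPv6) are skipped.
    """
    routes: list[Route] = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        try:
            dst = ipaddress.ip_network("0.0.0.0/0" if tok[0] == "default" else tok[0], strict=False)
        except ValueError:
            continue
        dev = _field(tok, "dev")
        if dst.version != 4 or dev is None:
            continue
        routes.append(Route(dst, dev, _field(tok, "via"), int(_field(tok, "metric") or 0)))
    return routes


def lookup(routes: list[Route], ip: str) -> Optional[Route]:
    """Pick the route the kernel would use: longest prefix wins, ties go to the lowest metric."""
    addr = ipaddress.ip_address(ip)
    candidates = [r for r in routes if addr in r.dst]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.dst.prefixlen, -r.metric))


def is_tunnel(dev: str) -> bool:
    return dev.startswith(TUNNEL_PREFIXES)


def audit_split_tunnel(route_text: str, vpn_endpoint: str, probes=DEFAULT_PROBES) -> dict:
    """Report probes that would bypass the tunnel. The VPN endpoint itself must
    stay reachable outside the tunnel, otherwise the tunnel cannot be built."""
    routes = parse_ip_route(route_text)
    leaked = [p for p in probes if (r := lookup(routes, p)) is None or not is_tunnel(r.dev)]
    ep = lookup(routes, vpn_endpoint)
    endpoint_ok = ep is not None and not is_tunnel(ep.dev)
    return {"full_tunnel": not leaked and endpoint_ok, "leaked": leaked, "endpoint_ok": endpoint_ok}


if __name__ == "__main__":
    for name, snap in (("full tunnel", FULL_TUNNEL_SNAPSHOT), ("split tunnel", SPLIT_TUNNEL_SNAPSHOT)):
        print(name, audit_split_tunnel(snap, VPN_ENDPOINT))
```

On the full-tunnel snapshot every probe matches one of the /1 routes on tun0 (prefix length 1 beats the DHCP default's 0), and only the VPN gateway's /32 egresses via eth0, so the audit passes; on the split-tunnel snapshot the three public probes fall through to the eth0 default route and are reported as leaks while the 10/8 probe still rides the tunnel. A clean IPv4 table is necessary but not sufficient: IPv6 routes and the DNS resolver configuration need the same scrutiny, and SC-7(7) and ISM-0705 expect the VPN client or gateway policy to enforce the full tunnel, with an audit like this serving only to verify that it did.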