Employ firewalls to secure network connections between trusted networks and untrusted networks, as necessary.


CONTROL ID: 11821
CONTROL TYPE: Technical Security
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a network access control standard., CC ID: 00546

This Control has the following implementation support Control(s):
  • Place firewalls between all security domains and between any Demilitarized Zone and internal network zones., CC ID: 01274
  • Place firewalls between wireless networks and applications or databases that contain restricted data or restricted information., CC ID: 01293
  • Place firewalls between all security domains and between any secure subnet and internal network zones., CC ID: 11784
  • Separate the wireless access points and wireless bridges from the wired network via a firewall., CC ID: 04588


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Firewalls or access servers should be installed in the computer room or in another proper location where the standards for facilities similar to those for server-installed locations are met. (P14.4., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • It is also necessary to consider physically separating internal networks for connecting with external networks from those that do not connect with external networks, as well as consider building a network configuration that uses a shut-off mechanism such as a virtual environment for external connect… (P14.6., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • As part of the defence strategy, banks should install and configure network security devices discussed earlier in the chapter for reasonable preventive/detective capability. Potential bottlenecks and single points of failure vulnerable to DDoS attacks could be identified through source code review, … (Critical components of information security 26) b., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • The FI should install network security devices, such as firewalls as well as intrusion detection and prevention systems, at critical junctures of its IT infrastructure to protect the network perimeters. The FI should deploy firewalls, or other similar measures, within internal networks to minimise t… (§ 9.3.4, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • The FI should install network security devices such as firewalls to secure the network between the FI and the Internet, as well as connections with third parties. (§ 11.2.1, Technology Risk Management Guidelines, January 2021)
  • Install anti-malware software such as anti-virus, anti-spyware, and software-based firewall on computers. Keep them updated and perform scans regularly. (Annex A1: Security of Personal Computers & Other Computing Devices 37, Singapore (PDPC) Guide to Securing Personal Data in Electronic Medium, Revised 20 January 2017)
  • A CDS between a highly classified network and any other network implements isolated upward and downward network paths. (Security Control: 0635; Revision: 5, Australian Government Information Security Manual, March 2021)
  • A CDS between a highly classified network and any other network implements protocol breaks at each layer of the OSI model. (Security Control: 1521; Revision: 1, Australian Government Information Security Manual, March 2021)
  • Evaluated firewalls are used between an organisation's networks and public network infrastructure. (Control: ISM-1528; Revision: 3, Australian Government Information Security Manual, June 2023)
  • Evaluated firewalls are used between an organisation's networks and public network infrastructure. (Control: ISM-1528; Revision: 3, Australian Government Information Security Manual, September 2023)
  • Have one or more firewalls (or similar network device) been installed on the boundary of the organisation's internal network(s)? (Firewalls Question 1, Cyber Essentials Scheme (CES) Questionnaire, Versions 3.3)
  • Physical and virtualised network environments are designed and configured in such a way that the connections between trusted and untrusted networks must be restricted and monitored. At defined intervals, it is reviewed whether the use of all services, logs and ports serve a real commercial purpose. … (Section 5.9 KOS-02 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Network and information systems and technology critical for the operation of essential functions are protected from cyber attack. An organisational understanding of risk to essential functions informs the use of robust and reliable protective security measures to effectively limit opportunities for … (B4. ¶ 1, NCSC CAF guidance, 3.1)
  • The control system shall provide the capability to monitor and control all methods of access to the control system via untrusted networks. (5.15.1 ¶ 1, IEC 62443-3-3: Industrial communication networks – Network and system security – Part 3-3: System security requirements and security levels, Edition 1)
  • The network device supporting device access into a network shall provide the capability to monitor and control all methods of access to the network device via untrusted networks. (15.3.1 ¶ 1, IEC 62443-4-2: Security for industrial automation and control systems – Part 4-2: Technical security requirements for IACS components, Edition 1.0)
  • Are physical or virtual firewalls used? (Appendix D, Build and Maintain a Secure Network Bullet 3, Information Supplement: PCI DSS Cloud Computing Guidelines, Version 2.0)
  • How are boundaries enforced between trusted (internal to the client) networks and untrusted networks (such as CSP, other client, or public-facing networks)? (Appendix D, Build and Maintain a Secure Network Bullet 2, Information Supplement: PCI DSS Cloud Computing Guidelines, Version 2.0)
  • Install and maintain a firewall configuration to protect data (Requirement 1:, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.1)
  • Is a firewall required and implemented at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone? (1.1.4 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.1)
  • For public-facing web applications, are new threats and vulnerabilities addressed on an ongoing basis, and are these applications protected against known attacks by applying either of the following methods? - Reviewing public-facing web applications via manual or automated application vulnerability… (6.6, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.1)
  • For public-facing web applications, are new threats and vulnerabilities addressed on an ongoing basis, and are these applications protected against known attacks by applying either of the following methods? - Reviewing public-facing web applications via manual or automated application vulnerability… (6.6, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • Install and maintain a firewall configuration to protect data (Requirement 1:, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.1)
  • Is the personal firewall software configured to specific configuration settings, actively running, and not alterable by users of mobile and/or employee-owned devices? (1.4 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Install and maintain a firewall configuration to protect data (Requirement 1:, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Is the personal firewall software configured to specific configuration settings, actively running, and not alterable by users of mobile and/or employee-owned devices? (1.4 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • For public-facing web applications, are new threats and vulnerabilities addressed on an ongoing basis, and are these applications protected against known attacks by applying either of the following methods? - Reviewing public-facing web applications via manual or automated application vulnerability … (6.6, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • For public-facing web applications, are new threats and vulnerabilities addressed on an ongoing basis, and are these applications protected against known attacks by applying either of the following methods? - Reviewing public-facing web applications via manual or automated application vulnerability … (6.6, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • NSCs are implemented between trusted and untrusted networks. (1.4.1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Examine configuration standards and network diagrams to verify that NSCs are defined between trusted and untrusted networks. (1.4.1.a, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Examine network configurations to verify that NSCs are in place between trusted and untrusted networks, in accordance with the documented configuration standards and network diagrams. (1.4.1.b, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • NSCs are implemented between trusted and untrusted networks. (1.4.1, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • NSCs are implemented between trusted and untrusted networks. (1.4.1, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • NSCs are implemented between trusted and untrusted networks. (1.4.1, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Employ automated tools to continuously monitor workstations, servers, and mobile devices with anti-virus, anti-spyware, personal firewalls, and host-based IPS functionality. All malware detection events should be sent to enterprise anti-malware administration tools and event log servers. (Control 8.1, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
  • Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks, including but not limited to cross-site scripting, SQL injection, command injection, and directory traversal attacks. For applications th… (Control 18.2, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
  • Policies and procedures shall be established, and supporting business processes and technical measures implemented, to protect wireless network environments, including the following: - Perimeter firewalls implemented and configured to restrict unauthorized traffic - Security settings enabled with … (IVS-12, Cloud Controls Matrix, v3.0)
  • Implement and manage a firewall on servers, where supported. Example implementations include a virtual firewall, operating system firewall, or a third-party firewall agent. (CIS Control 4: Safeguard 4.4 Implement and Manage a Firewall on Servers, CIS Controls, V8)
  • Network integrity is protected, incorporating network segregation where appropriate. (PR.AC-5, CRI Profile, v1.2)
  • The network device shall provide the capability to deny access requests via untrusted networks unless explicitly approved by an assigned role. (15.3.3 (1) ¶ 1, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • The network device supporting device access into a network shall provide the capability to monitor and control all methods of access to the network device via untrusted networks. (15.3.1 ¶ 1, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • The organization implements [Assignment: organization-defined host-based boundary protection mechanisms] at [Assignment: organization-defined information system components]. (SC-7(12) ¶ 1, StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • The organization implements [Assignment: organization-defined host-based boundary protection mechanisms] at [Assignment: organization-defined information system components]. (SC-7(12) ¶ 1, StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • The organization implements [Assignment: organization-defined host-based boundary protection mechanisms] at [Assignment: organization-defined information system components]. (SC-7(12) ¶ 1, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • using and maintaining up-to-date firewall and anti-virus and anti-malware software to protect against threats posed by hackers; (Information Security Program Bullet 3 Deployment of Protective Measures Against the Identified Threats and Vulnerabilities ¶ 1 Sub-bullet 4, 9070 - NFA Compliance Rules 2-9, 2-36 and 2-49: Information Systems Security Programs)
  • Employ organizationally defined and tailored boundary protections in addition to commercially available solutions. (SC.5.208, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Protect the DISN via the BCAP. (Section 6.3 ¶ 1 Bullet 2, sub-bullet 1, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • With Impact Level 2 data, the overall value of the data is not mission critical or sensitive in nature, thus it may not warrant the same level of protections as higher impact level data, while still needing protection. Recognizing that the data at Impact Level 2 has minimal requirements for confiden… (Section 6.2 ¶ 2, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Reliance on Internet access to reach the CSO management/service-ordering portal or API endpoints from either NIPRNet or from within the CSO. All such access must be via the CAP if from the NIPRNet or must remain on the CSP's/CSO's network if from within the CSO. These requirements must be minimally … (Section 5.1.7 ¶ 2 Bullet 8, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Impact Levels 2/4/5: Internal CAPs (ICAPs) will be implemented for on-premises commercially owned and operated CSO connectivity to the DISN, if the CSO management plane has connectivity to external networks that bypasses native NIPRNet enclave and external boundary protections. As such all NIPRNet (… (Section 5.10.1.2 ¶ 2, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Defend all connections to the CSO, whether via BCAP, Virtual Private Network (VPN), Internet Access Point (IAP), direct internet access to public servers, or other. (Section 6.3 ¶ 1 Bullet 3, sub-bullet 4, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Mission Partner Environments that require access to NIPRNet services are required to connect to NIPRNet via the Internet, IAPs, and DoD DMZ or via a NIPRNet Federated Gateway (NFG) IAW JFHQ-DODIN TASKORD 16-0103 Establishment of the NIPRNET Federated Gateway (NFG). NIPRNet services are applications … (Section 5.10.1.5 ¶ 1, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Impact Levels 4/5: All DoD traffic from NIPRNet (or other COI network) to and from off-premises CSP infrastructure serving Level 4 and level 5 missions and the mission virtual networks must traverse one or more NIPRNet BCAPs. No direct traffic is permitted to/from the Internet except via the NIPRNe… (Section 5.10.1.1.1 ¶ 4, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Application Layer Firewall (properly configured) and intrusion detection and/or prevention protection of the CSP's infrastructure supporting the SaaS application offering, as well as segmentation (logical or physical) from the CSP's other offerings and corporate networks. (Section 5.10.3.1 ¶ 2 Bullet 1, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Implement a secure (encrypted) connection or path (i.e., encrypted VPN) between the virtual firewall, the virtual IDS capabilities and the CSSP responsible for the mission system/application. See Section 6, Cyberspace Defense and Incident Response for more specific information. (Section 5.10.6 ¶ 1 Bullet 5, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Impact Level 2: DMZ boundary protection requirements (i.e., proxies and firewalls) must be implemented by the mission owner for their application(s) or leverage a common boundary service provided by a larger entity like DoD Component or the DoD enterprise. This will most likely occur on a CSP by CSP… (Section 5.10.6 ¶ 1 Bullet 3 ¶ 1, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • DoD expects the CSO's commercial IP addresses used to access L4/5 DoD accounts, services, and applications in the CSO via the BCAP and private connection to be dedicated for DoD access. However, in the event the CSO must use the same IP addresses for access by all CSP/CSO customers, whether DoD or N… (Section 5.10.4.1 ¶ 8 Bullet 3, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • In the event Voice and/or Video over IP (VVoIP) traffic consisting of the SIP-TLS and SRTP protocols (or their unsecure versions which is not permitted) traverse the CAP, a Session Border Controller (SBC) capability must be implemented. The SBC capability must be implemented in a back-to-back-SIP us… (Section 5.10.1 ¶ 6 Bullet 3, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • IAW standard practice and security requirements, management interfaces on VMs and protective appliances (virtual or physical) located in a Mission Owner's virtual network, must not be exposed to direct access from the production network (e.g., Internet or NIPRNet/SIPRNet). To the extent possible, CS… (Section 5.10.2.3 ¶ 4, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Systems that are accessed from the Internet or by external parties are protected by firewalls or other similar devices. (Domain 3: Assessment Factor: Preventative Controls, INFRASTRUCTURE MANAGEMENT Baseline 1 ¶ 2, FFIEC Cybersecurity Assessment Tool, Baseline, May 2017)
  • Implementation of firewalls and port filtering. (App A Objective 13:3h Bullet 2, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • The organization implements [FedRAMP Assignment: Host Intrusion Prevention System (HIPS), Host Intrusion Detection System (HIDS), or minimally a host-based firewall] at [Assignment: organization-defined information system components]. (SC-7(12) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization implements [Assignment: organization-defined host-based boundary protection mechanisms] at [Assignment: organization-defined information system components]. (SC-7(12) Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Implement [FedRAMP Assignment: Host Intrusion Prevention System (HIPS), Host Intrusion Detection System (HIDS), or minimally a host-based firewall] at [Assignment: organization-defined system components]. (SC-7(12) ¶ 1, FedRAMP Security Controls High Baseline, Version 5)
  • Implement [FedRAMP Assignment: Host Intrusion Prevention System (HIPS), Host Intrusion Detection System (HIDS), or minimally a host-based firewall] at [Assignment: organization-defined system components]. (SC-7(12) ¶ 1, FedRAMP Security Controls Moderate Baseline, Version 5)
  • Network integrity is protected, incorporating network segregation where appropriate (PR.AC-5, Framework for Improving Critical Infrastructure Cybersecurity, v1.1 (Draft))
  • The organization implements [Assignment: organization-defined host-based boundary protection mechanisms] at [Assignment: organization-defined information system components]. (SC-7(12) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Implement [Assignment: organization-defined host-based boundary protection mechanisms] at [Assignment: organization-defined system components]. (SC-7(12) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Implement [Assignment: organization-defined host-based boundary protection mechanisms] at [Assignment: organization-defined system components]. (SC-7(12) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Segregate and protect the pipeline cyber assets from enterprise networks and the internet using physical separation, firewalls and other protections. (Table 2: Protective Technology Baseline Security Measures Cell 1, Pipeline Security Guidelines)
  • behind firewall protections and monitored by intrusion detection software; (¶ 4e-70(b)(4)(C), Connecticut General Statutes, Title 4e, Chapter 62a, Section 4e-70, Requirements for state contractors who receive confidential information)
  • The organization implements [Assignment: organization-defined host-based boundary protection mechanisms] at [Assignment: organization-defined information system components]. (SC-7(12) ¶ 1, TX-RAMP Security Controls Baseline Level 2)