💼 SC-7 BOUNDARY PROTECTION

• ID: /frameworks/nist-sp-800-53-r4/sc/07

Description

The information system: SC-7a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; SC-7b. Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and SC-7c. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.

Similar

• Internal
  • ID: dec-c-537a8fb7

Similar Sections (Give Policies To)

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 NIST CSF v1.1 → 💼 DE.CM-1: The network is monitored to detect potential cybersecurity events		18	63		no data
💼 NIST CSF v1.1 → 💼 PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation)		10	44		no data
💼 NIST CSF v1.1 → 💼 PR.DS-5: Protections against data leaks are implemented		47	91		no data
💼 NIST CSF v1.1 → 💼 PR.PT-4: Communications and control networks are protected		10	44		no data

Sub Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 SC-7 (1) PHYSICALLY SEPARATED SUBNETWORKS					no data
💼 SC-7 (2) PUBLIC ACCESS					no data
💼 SC-7 (3) ACCESS POINTS					no data
💼 SC-7 (4) EXTERNAL TELECOMMUNICATIONS SERVICES					no data
💼 SC-7 (5) DENY BY DEFAULT _ ALLOW BY EXCEPTION					no data
💼 SC-7 (6) RESPONSE TO RECOGNIZED FAILURES					no data
💼 SC-7 (7) PREVENT SPLIT TUNNELING FOR REMOTE DEVICES					no data
💼 SC-7 (8) ROUTE TRAFFIC TO AUTHENTICATED PROXY SERVERS					no data
💼 SC-7 (9) RESTRICT THREATENING OUTGOING COMMUNICATIONS TRAFFIC					no data
💼 SC-7 (10) PREVENT UNAUTHORIZED EXFILTRATION					no data
💼 SC-7 (11) RESTRICT INCOMING COMMUNICATIONS TRAFFIC					no data
💼 SC-7 (12) HOST-BASED PROTECTION					no data
💼 SC-7 (13) ISOLATION OF SECURITY TOOLS _ MECHANISMS _ SUPPORT COMPONENTS					no data
💼 SC-7 (14) PROTECTS AGAINST UNAUTHORIZED PHYSICAL CONNECTIONS					no data
💼 SC-7 (15) ROUTE PRIVILEGED NETWORK ACCESSES					no data
💼 SC-7 (16) PREVENT DISCOVERY OF COMPONENTS _ DEVICES					no data
💼 SC-7 (17) AUTOMATED ENFORCEMENT OF PROTOCOL FORMATS					no data
💼 SC-7 (18) FAIL SECURE					no data
💼 SC-7 (19) BLOCKS COMMUNICATION FROM NON-ORGANIZATIONALLY CONFIGURED HOSTS					no data
💼 SC-7 (20) DYNAMIC ISOLATION _ SEGREGATION					no data
💼 SC-7 (21) ISOLATION OF INFORMATION SYSTEM COMPONENTS					no data
💼 SC-7 (22) SEPARATE SUBNETS FOR CONNECTING TO DIFFERENT SECURITY DOMAINS					no data
💼 SC-7 (23) DISABLE SENDER FEEDBACK ON PROTOCOL VALIDATION FAILURE					no data

Policies (31)

Policy	Logic Count	Flags	Compliance
🛡️ AWS EC2 Security Group allows public IPv4 (0.0.0.0/0) access to admin ports🟢	1	🟢 x6	no data
🛡️ AWS EC2 Security Group allows public IPv6 (::/0) access to admin ports🟢	1	🟢 x6	no data
🛡️ AWS EC2 Security Group allows unrestricted traffic to MongoDB🟢	1	🟢 x6	no data
🛡️ AWS EC2 Security Group allows unrestricted traffic to Oracle DBMS🟢	1	🟢 x6	no data
🛡️ AWS S3 Bucket is not configured to block public access🟢	1	🟢 x6	no data
🛡️ AWS S3 Bucket Policy is not set to deny HTTP requests🟢	1	🟢 x6	no data
🛡️ Google Cloud SQL Instance External Authorized Networks whitelists all public IP addresses🟢	1	🟢 x6	no data
🛡️ Google Cloud SQL Instance SSL Connections are not enforced🟢	1	🟢 x6	no data
🛡️ Google GCE Instance has a public IP address🟢	1	🟢 x6	no data
🛡️ Google GCE Network allows unrestricted CiscoSecure/WebSM traffic🟢	1	🟢 x6	no data
🛡️ Google GCE Network allows unrestricted DNS traffic🟢	1	🟢 x6	no data
🛡️ Google GCE Network allows unrestricted FTP traffic🟢	1	🟢 x6	no data
🛡️ Google GCE Network allows unrestricted HTTP traffic🟢	1	🟢 x6	no data
🛡️ Google GCE Network allows unrestricted LDAP traffic🟢	1	🟢 x6	no data
🛡️ Google GCE Network allows unrestricted NetBIOS traffic🟢	1	🟢 x6	no data
🛡️ Google GCE Network allows unrestricted POP3 traffic🟢	1	🟢 x6	no data
🛡️ Google GCE Network allows unrestricted SMTP traffic🟢	1	🟢 x6	no data
🛡️ Google GCE Network allows unrestricted SSH traffic🟢	1	🟢 x6	no data
🛡️ Google GCE Network allows unrestricted traffic to Cassandra🟢	1	🟢 x6	no data
🛡️ Google GCE Network allows unrestricted traffic to Directory services"🟢	1	🟢 x6	no data
🛡️ Google GCE Network allows unrestricted traffic to Elasticsearch🟢	1	🟢 x6	no data
🛡️ Google GCE Network allows unrestricted traffic to Memcached🟢	1	🟢 x6	no data
🛡️ Google GCE Network allows unrestricted traffic to MongoDB🟢	1	🟢 x6	no data
🛡️ Google GCE Network allows unrestricted traffic to MySQL🟢	1	🟢 x6	no data
🛡️ Google GCE Network allows unrestricted traffic to OracleDB🟢	1	🟢 x6	no data
🛡️ Google GCE Network allows unrestricted traffic to PostgreSQL🟢	1	🟢 x6	no data
🛡️ Google GCE Network allows unrestricted traffic to Redis🟢	1	🟢 x6	no data
🛡️ Google GCE Network allows unrestricted Telnet traffic🟢	1	🟢 x6	no data
🛡️ Google GKE Cluster Network policy is disabled.🟢	1	🟢 x6	no data
🛡️ Google GKE Cluster Node Pool uses default Service account🟢	1	🟢 x6	no data
🛡️ Google HTTPS or SSL Proxy Load Balancer permits SSL policies with weak cipher suites🟢⚪		🟢 x2, ⚪ x1	no data

Internal Rules

Rule	Policies	Flags
✉️ dec-x-63737248	1
✉️ dec-x-bcae85fb	2
✉️ dec-x-d5fbfc40	1
✉️ dec-x-ec547a7c	1
✉️ dec-z-c82c9f97	1