CMMC Practice SC.L1-3.13.1 – Boundary Protection: Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
Links to Publicly Available Resources
This document provides assessment guidance for Level 1 of the Cybersecurity Maturity Model Certification (CMMC). This sample document serves as an example network firewall implementation policy to help protect internal networks and manage traffic in and out of the network. Web Content Filtering (WCF) provides protection at the application layer for web traffic by blocking access to suspicious websites, preventing malware from running on systems and networks, and detecting and blocking phishing attempts as well as malicious web content. This article covers the design, deployment, and use of both network and host-based firewalls. This module helps you to select a suitable firewall product for your organization's perimeter network. This NIST Special Publication provides information to organizations about firewall technologies and policies. The information system: a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; b. Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and c. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. This SANS checklist provides a generic listing of security considerations to be used when auditing the technical aspects of a firewall. This whitepaper from SANS discusses firewall and perimeter protections focusing on defense-in-depth. This sample policy defines the essential rules regarding the management and maintenance of firewalls at Texas Wesleyan. This site provides a listing of Web Content Filtering solutions. WCF solutions comprise appliances and software for censoring or preventing access to restricted web content deemed offensive or inappropriate.
Discussion [NIST SP 800-171 R2]
Communications can be monitored, controlled, and protected at boundary components and by restricting or prohibiting interfaces in organizational systems. Boundary components include gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a system security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Restricting or prohibiting interfaces in organizational systems includes restricting external web communications traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses.
Organizations consider the shared nature of commercial telecommunications services in the implementation of security requirements associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions. NIST SP 800-41 provides guidance on firewalls and firewall policy. NIST SP 800-125B provides guidance on security for virtualization technologies.
Further Discussion
Fences, locks, badges, and key cards help keep non-employees out of your physical facilities. Similarly, your company’s IT network or system has boundaries that must be protected. Many companies use a web proxy and a firewall.
When an employee uses a company computer to go to a website, a web proxy makes the request on the user’s behalf, looks at the web request, and decides if it should let the employee go to the website.
A firewall controls access from the inside and outside, protecting valuable information and resources stored on the company’s network. A firewall stops unwanted traffic on the internet from passing through an outside “fence” to the company’s networks and information systems. Internal boundaries determine where data can flow, for instance a software development environment may have its own boundary controlling, monitoring, and protecting the data that can leave that boundary.
You may want to monitor, control, or protect one part of the company network from another. This can also be accomplished with a firewall and limits the ability of attackers and disgruntled employees from entering sensitive parts of your internal network and causing damage.