Detections
Analytics

800-53|SC-7(11)

Title

RESTRICT INCOMING COMMUNICATIONS TRAFFIC

Description

The information system only allows incoming communications from [Assignment: organization-defined authorized sources] to be routed to [Assignment: organization-defined authorized destinations].

Supplemental

This control enhancement provides determinations that source and destination address pairs represent authorized/allowed communications. Such determinations can be based on several factors including, for example, the presence of source/destination address pairs in lists of authorized/allowed communications, the absence of address pairs in lists of unauthorized/disallowed pairs, or meeting more general rules for authorized/allowed source/destination pairs.

Reference Item Details

Related: AC-3

Category: SYSTEM AND COMMUNICATIONS PROTECTION

Parent Title: BOUNDARY PROTECTION

Family: SYSTEM AND COMMUNICATIONS PROTECTION

Audit Items

View all Reference Audit Items

NamePluginAudit Name
1.1.5.2.7 Set 'Inbound Connections' to 'Enabled:Block (default)'WindowsCIS Windows 8 L1 v1.0.0
1.1.5.3.11 Set 'Inbound Connections' to 'Enabled:Block (default)'WindowsCIS Windows 8 L1 v1.0.0
1.2.1 Ensure 'Permitted IP Addresses' is set to those necessary for device managementPalo_AltoCIS Palo Alto Firewall 7 Benchmark L1 v1.0.0
1.2.1 Ensure 'Permitted IP Addresses' is set to those necessary for device managementPalo_AltoCIS Palo Alto Firewall 6 Benchmark L1 v1.0.0
1.2.5 Set 'access-class' for 'line vty'CiscoCIS Cisco IOS 12 L1 v4.0.0
1.4 SNMP Security - b) SNMP serverZTE_ROSNGTenable ZTE ROSNG
2.1 Protection Policy for the CPS Control EngineZTE_ROSNGTenable ZTE ROSNG
2.2 NTP Security Protection - b) NTP access-groupZTE_ROSNGTenable ZTE ROSNG
2.4 Ensure that 'Include/Exclude Networks' is used if User-ID is enabledPalo_AltoCIS Palo Alto Firewall 7 Benchmark L1 v1.0.0
2.4 Ensure that 'Include/Exclude Networks' is used if User-ID is enabledPalo_AltoCIS Palo Alto Firewall 6 Benchmark L1 v1.0.0
2.5.5 Ensure allowed-client is set to those necessary for device managementCheckPointCIS Check Point Firewall L2 v1.1.0
2.7 Ensure internal sources are blocked on external networksJuniperCIS Juniper OS Benchmark v2.1.0 L2
2.7 Ensure the SharePoint Central Administration site is not accessible from Extranet or Internet connectionsWindowsCIS Microsoft SharePoint 2019 OS v1.0.0
2.7.4 - SNMP - restrict public community access - 'all communities have IP access restrictions'UnixCIS AIX 5.3/6.1 L2 v1.1.0
2.8 Ensure that security policies restrict User-ID Agent traffic from crossing into untrusted zonesPalo_AltoCIS Palo Alto Firewall 6 Benchmark L1 v1.0.0
2.8 Ensure that security policies restrict User-ID Agent traffic from crossing into untrusted zonesPalo_AltoCIS Palo Alto Firewall 7 Benchmark L1 v1.0.0
2.8 Ensure the SharePoint Central Administration site is not accessible from Extranet or Internet connectionsWindowsCIS Microsoft SharePoint 2016 OS v1.1.0
3.2 Configure a Default Drop/Cleanup RuleCheckPointCIS Check Point Firewall L2 v1.1.0
3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Default deny configured'CiscoCIS Cisco IOS 12 L2 v4.0.0
3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny 0.0.0.0'CiscoCIS Cisco IOS 12 L2 v4.0.0
3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny 10.0.0.0'CiscoCIS Cisco IOS 12 L2 v4.0.0
3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny 127.0.0.0'CiscoCIS Cisco IOS 12 L2 v4.0.0
3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny 169.254.0.0'CiscoCIS Cisco IOS 12 L2 v4.0.0
3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny 172.16.0.0'CiscoCIS Cisco IOS 12 L2 v4.0.0
3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny 192.0.2.0'CiscoCIS Cisco IOS 12 L2 v4.0.0
3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny 192.168.0.0'CiscoCIS Cisco IOS 12 L2 v4.0.0
3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny 224.0.0.0'CiscoCIS Cisco IOS 12 L2 v4.0.0
3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny host 255.255.255.255'CiscoCIS Cisco IOS 12 L2 v4.0.0
3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny internal networks'CiscoCIS Cisco IOS 12 L2 v4.0.0
3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks -'External interface has ACL applied'CiscoCIS Cisco IOS 12 L2 v4.0.0
3.2.2 Set inbound 'ip access-group' on the External InterfaceCiscoCIS Cisco IOS 12 L2 v4.0.0
6.4 Ensure Geo-Restriction is enabled within Cloudfront Distributionamazon_awsCIS Amazon Web Services Three-tier Web Architecture L2 1.0.0
6.17 Use a Web-Tier ELB Security Group to accept only HTTP/HTTPSamazon_awsCIS Amazon Web Services Three-tier Web Architecture L1 1.0.0
6.19 Create the Web tier Security Group and ensure it allows inbound connections from Web tier ELB Security Group for explicit portsamazon_awsCIS Amazon Web Services Three-tier Web Architecture L1 1.0.0
6.20 Ensure Web tier Security Group has no inbound rules for CIDR of 0 (Global Allow)amazon_awsCIS Amazon Web Services Three-tier Web Architecture L1 1.0.0
6.21 Create the App tier ELB Security Group and ensure only accepts HTTP/HTTPSamazon_awsCIS Amazon Web Services Three-tier Web Architecture L1 1.0.0
6.22 Create the App tier Security Group and ensure it allows inbound connections from App tier ELB Security Group for explicit portsamazon_awsCIS Amazon Web Services Three-tier Web Architecture L1 1.0.0
6.23 Ensure App tier Security Group has no inbound rules for CIDR of 0 (Global Allow)amazon_awsCIS Amazon Web Services Three-tier Web Architecture L1 1.0.0
6.24 Create the Data tier Security Group and ensure it allows inbound connections from App tier Security Group for explicit portsamazon_awsCIS Amazon Web Services Three-tier Web Architecture L1 1.0.0
6.25 Ensure Data tier Security Group has no inbound rules for CIDR of 0 (Global Allow)amazon_awsCIS Amazon Web Services Three-tier Web Architecture L1 1.0.0
7.1 Ensure application security policies exist when allowing traffic from an untrusted zone to a more trusted zonePalo_AltoCIS Palo Alto Firewall 6 Benchmark L1 v1.0.0
7.1 Ensure application security policies exist when allowing traffic from an untrusted zone to a more trusted zonePalo_AltoCIS Palo Alto Firewall 7 Benchmark L1 v1.0.0
7.2 Ensure 'Service setting of ANY' in a security policy allowing traffic does not existPalo_AltoCIS Palo Alto Firewall 7 Benchmark L1 v1.0.0
7.2 Ensure 'Service setting of ANY' in a security policy allowing traffic does not existPalo_AltoCIS Palo Alto Firewall 6 Benchmark L1 v1.0.0
9.1.2 Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'WindowsCIS Windows 7 Workstation Level 1 v3.2.0
9.1.2 Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'WindowsCIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
9.2.2 Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'WindowsCIS Windows 7 Workstation Level 1 v3.2.0
9.2.2 Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'WindowsCIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
9.3.2 Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'WindowsCIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
9.3.2 Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'WindowsCIS Windows 7 Workstation Level 1 v3.2.0