800-53|SC-7(11)

Title

RESTRICT INCOMING COMMUNICATIONS TRAFFIC

Description

The information system only allows incoming communications from [Assignment: organization-defined authorized sources] to be routed to [Assignment: organization-defined authorized destinations].

Supplemental

This control enhancement provides determinations that source and destination address pairs represent authorized/allowed communications. Such determinations can be based on several factors including, for example, the presence of source/destination address pairs in lists of authorized/allowed communications, the absence of address pairs in lists of unauthorized/disallowed pairs, or meeting more general rules for authorized/allowed source/destination pairs.

Reference Item Details

Related: AC-3

Category: SYSTEM AND COMMUNICATIONS PROTECTION

Parent Title: BOUNDARY PROTECTION

Family: SYSTEM AND COMMUNICATIONS PROTECTION

Audit Items


Name | Plugin | Audit Name
1.1.5.2.7 Set 'Inbound Connections' to 'Enabled:Block (default)' | Windows | CIS Windows 8 L1 v1.0.0
1.1.5.3.11 Set 'Inbound Connections' to 'Enabled:Block (default)' | Windows | CIS Windows 8 L1 v1.0.0
1.2.1 Ensure 'Permitted IP Addresses' is set to those necessary for device management | Palo_Alto | CIS Palo Alto Firewall 6 Benchmark L1 v1.0.0
1.2.1 Ensure 'Permitted IP Addresses' is set to those necessary for device management | Palo_Alto | CIS Palo Alto Firewall 7 Benchmark L1 v1.0.0
1.2.1.1.1.1.2 Configure 'Windows Firewall: Define inbound port exceptions' | Windows | CIS Windows 2003 DC v3.1.0
1.2.1.1.1.1.2 Configure 'Windows Firewall: Define inbound port exceptions' | Windows | CIS Windows 2003 MS v3.1.0
1.2.1.1.1.1.5 Configure 'Windows Firewall: Allow inbound remote administration exception' | Windows | CIS Windows 2003 DC v3.1.0
1.2.1.1.1.1.5 Configure 'Windows Firewall: Allow inbound remote administration exception' | Windows | CIS Windows 2003 MS v3.1.0
1.2.1.1.1.1.6 Configure 'Windows Firewall: Allow inbound Remote Desktop exceptions' | Windows | CIS Windows 2003 MS v3.1.0
1.2.1.1.1.1.6 Configure 'Windows Firewall: Allow inbound Remote Desktop exceptions' | Windows | CIS Windows 2003 DC v3.1.0
1.2.1.1.1.1.7 Configure 'Windows Firewall: Allow inbound UPnP framework exceptions' | Windows | CIS Windows 2003 MS v3.1.0
1.2.1.1.1.1.7 Configure 'Windows Firewall: Allow inbound UPnP framework exceptions' | Windows | CIS Windows 2003 DC v3.1.0
1.2.1.1.1.1.8 Configure 'Windows Firewall: Allow inbound file and printer sharing exception' | Windows | CIS Windows 2003 MS v3.1.0
1.2.1.1.1.1.8 Configure 'Windows Firewall: Allow inbound file and printer sharing exception' | Windows | CIS Windows 2003 DC v3.1.0
1.2.1.1.1.2.1 Configure 'Windows Firewall: Allow inbound UPnP framework exceptions' | Windows | CIS Windows 2003 MS v3.1.0
1.2.1.1.1.2.1 Configure 'Windows Firewall: Allow inbound UPnP framework exceptions' | Windows | CIS Windows 2003 DC v3.1.0
1.2.1.1.1.2.5 Configure 'Windows Firewall: Allow inbound remote administration exception' | Windows | CIS Windows 2003 DC v3.1.0
1.2.1.1.1.2.5 Configure 'Windows Firewall: Allow inbound remote administration exception' | Windows | CIS Windows 2003 MS v3.1.0
1.2.1.1.1.2.6 Configure 'Windows Firewall: Allow inbound file and printer sharing exception' | Windows | CIS Windows 2003 DC v3.1.0
1.2.1.1.1.2.6 Configure 'Windows Firewall: Allow inbound file and printer sharing exception' | Windows | CIS Windows 2003 MS v3.1.0
1.2.1.1.1.2.9 Configure 'Windows Firewall: Define inbound port exceptions' | Windows | CIS Windows 2003 DC v3.1.0
1.2.1.1.1.2.9 Configure 'Windows Firewall: Define inbound port exceptions' | Windows | CIS Windows 2003 MS v3.1.0
1.2.1.1.1.2.13 Configure 'Windows Firewall: Allow inbound Remote Desktop exceptions' | Windows | CIS Windows 2003 DC v3.1.0
1.2.1.1.1.2.13 Configure 'Windows Firewall: Allow inbound Remote Desktop exceptions' | Windows | CIS Windows 2003 MS v3.1.0
1.2.5 Set 'access-class' for 'line vty' | Cisco | CIS Cisco IOS 16 L1 v1.1.0
1.2.5 Set 'access-class' for 'line vty' | Cisco | CIS Cisco IOS 12 L1 v4.0.0
1.2.5 Set 'access-class' for 'line vty' | Cisco | CIS Cisco IOS 15 L1 v4.0.1
1.4 SNMP Security - b) SNMP server | ZTE_ROSNG | Tenable ZTE ROSNG
1.5.15 Windows Firewall: Inbound connections (Domain) | Windows | CIS Windows 2008 Enterprise v1.2.0
1.5.15 Windows Firewall: Inbound connections (Domain) | Windows | CIS Windows 2008 SSLF v1.2.0
1.5.16 Windows Firewall: Inbound connections (Private) | Windows | CIS Windows 2008 Enterprise v1.2.0
1.5.16 Windows Firewall: Inbound connections (Private) | Windows | CIS Windows 2008 SSLF v1.2.0
1.5.17 Windows Firewall: Inbound connections (Public) | Windows | CIS Windows 2008 SSLF v1.2.0
1.5.17 Windows Firewall: Inbound connections (Public) | Windows | CIS Windows 2008 Enterprise v1.2.0
1.6.1 Ensure 'SSH source restriction' is set to an authorized IP address | Cisco | CIS Cisco Firewall ASA 8 L1 v4.1.0
1.6.4 Configure Web interface | Cisco | CIS Cisco IOS 16 L2 v1.1.0
2.1 Protection Policy for the CPS Control Engine | ZTE_ROSNG | Tenable ZTE ROSNG
2.2 NTP Security Protection - b) NTP access-group | ZTE_ROSNG | Tenable ZTE ROSNG
2.4 Ensure that 'Include/Exclude Networks' is used if User-ID is enabled | Palo_Alto | CIS Palo Alto Firewall 6 Benchmark L1 v1.0.0
2.4 Ensure that 'Include/Exclude Networks' is used if User-ID is enabled | Palo_Alto | CIS Palo Alto Firewall 7 Benchmark L1 v1.0.0
2.5.5 Ensure allowed-client is set to those necessary for device management | CheckPoint | CIS Check Point Firewall L2 v1.1.0
2.7 Ensure internal sources are blocked on external networks | Juniper | CIS Juniper OS Benchmark v2.1.0 L2
2.7 Ensure the SharePoint Central Administration site is not accessible from Extranet or Internet connections | Windows | CIS Microsoft SharePoint 2019 OS v1.0.0
2.7.4 - SNMP - restrict public community access - 'all communities have IP access restrictions' | Unix | CIS AIX 5.3/6.1 L2 v1.1.0
2.8 Ensure that security policies restrict User-ID Agent traffic from crossing into untrusted zones | Palo_Alto | CIS Palo Alto Firewall 7 Benchmark L1 v1.0.0
2.8 Ensure that security policies restrict User-ID Agent traffic from crossing into untrusted zones | Palo_Alto | CIS Palo Alto Firewall 6 Benchmark L1 v1.0.0
2.8 Ensure the SharePoint Central Administration site is not accessible from Extranet or Internet connections | Windows | CIS Microsoft SharePoint 2016 OS v1.1.0
3.2 Configure a Default Drop/Cleanup Rule | CheckPoint | CIS Check Point Firewall L2 v1.1.0
3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Default deny configured' | Cisco | CIS Cisco IOS 12 L2 v4.0.0
3.10 Ensure inbound firewall filter is set for Loopback interface | Juniper | CIS Juniper OS Benchmark v2.0.0 L2