800-53|SC-7(8)

Title

ROUTE TRAFFIC TO AUTHENTICATED PROXY SERVERS

Description

The information system routes [Assignment: organization-defined internal communications traffic] to [Assignment: organization-defined external networks] through authenticated proxy servers at managed interfaces.

Supplemental

External networks are networks outside of organizational control. A proxy server is a server (i.e., information system or application) that acts as an intermediary for clients requesting information system resources (e.g., files, connections, web pages, or services) from other organizational servers. Client requests established through an initial connection to the proxy server are evaluated to manage complexity and to provide additional protection by limiting direct connectivity. Web content filtering devices are one of the most common proxy servers providing access to the Internet. Proxy servers support logging individual Transmission Control Protocol (TCP) sessions and blocking specific Uniform Resource Locators (URLs), domain names, and Internet Protocol (IP) addresses. Web proxies can be configured with organization-defined lists of authorized and unauthorized websites.

Reference Item Details

Related: AC-3, AU-2

Category: SYSTEM AND COMMUNICATIONS PROTECTION

Parent Title: BOUNDARY PROTECTION

Family: SYSTEM AND COMMUNICATIONS PROTECTION

Baseline Impact: HIGH

Audit Items

Name | Plugin | Audit Name
1.1.19.2 (L1) Ensure 'Do not allow proxy settings to be changed' is set to 'Enabled' | Windows | CIS Mozilla Firefox ESR GPO v1.0.0 L1
1.1.22.2 (L1) Ensure 'Do not allow tracking protection preferences to be changed' is set to 'Enabled' | Windows | CIS Mozilla Firefox ESR GPO v1.0.0 L1
1.2.14 Ensure that the admission control plugin NodeRestriction is set | Unix | CIS Kubernetes v1.10.0 L2 Master
1.2.15 Ensure that the admission control plugin NodeRestriction is set | Unix | CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
1.2.15 Ensure that the admission control plugin NodeRestriction is set | Unix | CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
1.2.16 Ensure that the admission control plugin NodeRestriction is set | Unix | CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
1.3.4 Ensure that the --root-ca-file argument is set as appropriate | OpenShift | CIS RedHat OpenShift Container Platform v1.6.0 L1
2.17 Ensure 'Proxy settings' is set to 'Enabled' and does not contain 'ProxyMode': 'auto_detect' | Windows | CIS Google Chrome L1 v3.0.0
3.1.1.2 Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected | microsoft_azure | CIS Microsoft Azure Foundations v3.0.0 L2
4.4.1 Block high risk categories on Application Control | FortiGate | CIS Fortigate 7.0.x v1.3.0 L1
4.11 Ensure 'Dynamic IP Address Restrictions' is enabled - Deny By Concurrent Requests | Windows | CIS IIS 10 v1.2.1 Level 1
4.11 Ensure 'Dynamic IP Address Restrictions' is enabled - maxConcurrentRequests | Windows | CIS IIS 10 v1.2.1 Level 1
5.1.1 Ensure allow and deny filters limit access to specific IP addresses | Unix | CIS NGINX Benchmark v2.1.0 L2 Webserver
5.1.1 Ensure allow and deny filters limit access to specific IP addresses | Unix | CIS NGINX Benchmark v2.1.0 L2 Loadbalancer
5.1.1 Ensure allow and deny filters limit access to specific IP addresses | Unix | CIS NGINX Benchmark v2.1.0 L2 Proxy
5.1.3 Ensure 'identityAssertionEnabled' is set to 'true' within the CSIv2 Attribute Layer | Unix | CIS IBM WebSphere Liberty v1.0.0 L1
5.2.2 Minimize the admission of containers wishing to share the host process ID namespace | Unix | CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
5.2.3 Ensure 'identityAssertionTypes' is specified to the correct identity tokens in CSIv2 Attribute Layer - review/Zech | Unix | CIS IBM WebSphere Liberty v1.0.0 L1
5.2.3 Minimize the admission of containers wishing to share the host IPC namespace | OpenShift | CIS RedHat OpenShift Container Platform v1.6.0 L1
5.2.3 Minimize the admission of containers wishing to share the host process ID namespace | Unix | CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
5.2.3 Minimize the admission of containers wishing to share the host process ID namespace | Unix | CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
5.2.3 Minimize the admission of containers wishing to share the host process ID namespace | Unix | CIS Kubernetes v1.10.0 L1 Master
5.17 Ensure HTTP Header Referrer-Policy is set appropriately | Unix | CIS Apache HTTP Server 2.4 v2.2.0 L2
5.18 Ensure HTTP Header Permissions-Policy is set appropriately | Unix | CIS Apache HTTP Server 2.4 v2.2.0 L2
7.1 Ensure the 'hostNameExcludeList' attribute is set to a whitelist of host names | Unix | CIS IBM WebSphere Liberty v1.0.0 L1
7.2 Ensure SSLv2 is Disabled | Windows | CIS IIS 10 v1.2.1 Level 1
10.6 Enable strict servlet Compliance | Unix | CIS Apache Tomcat 9 L2 v1.2.0 Middleware
10.6 Enable strict servlet Compliance | Unix | CIS Apache Tomcat 10 L2 v1.1.0
10.6 Enable strict servlet Compliance | Unix | CIS Apache Tomcat 9 L2 v1.2.0
10.6 Enable strict servlet Compliance | Unix | CIS Apache Tomcat 10 L2 v1.1.0 Middleware
10.6 Enable strict servlet Compliance | Unix | CIS Apache Tomcat 10.1 v1.0.0 L2
18.10.56.3.9.2 (L1) Ensure 'Require secure RPC communication' is set to 'Enabled' | Windows | CIS Microsoft Windows Server 2022 v3.0.0 L1 Domain Controller
18.10.56.3.9.2 (L1) Ensure 'Require secure RPC communication' is set to 'Enabled' | Windows | CIS Microsoft Windows Server 2019 Stand-alone v2.0.0 L1 MS
18.10.56.3.9.2 (L1) Ensure 'Require secure RPC communication' is set to 'Enabled' | Windows | CIS Microsoft Windows Server 2019 v3.0.1 L1 DC
18.10.56.3.9.2 (L1) Ensure 'Require secure RPC communication' is set to 'Enabled' | Windows | CIS Microsoft Windows Server 2022 v3.0.0 L1 Member Server
18.10.56.3.9.2 (L1) Ensure 'Require secure RPC communication' is set to 'Enabled' | Windows | CIS Microsoft Windows Server 2016 v3.0.0 L1 DC
18.10.56.3.9.2 (L1) Ensure 'Require secure RPC communication' is set to 'Enabled' | Windows | CIS Microsoft Windows Server 2019 v3.0.1 L1 MS
18.10.56.3.9.2 (L1) Ensure 'Require secure RPC communication' is set to 'Enabled' | Windows | CIS Microsoft Windows Server 2016 v3.0.0 L1 MS
18.10.56.3.9.2 Ensure 'Require secure RPC communication' is set to 'Enabled' | Windows | CIS Microsoft Windows Server 2016 STIG v3.0.0 L1 Domain Controller
18.10.56.3.9.2 Ensure 'Require secure RPC communication' is set to 'Enabled' | Windows | CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG MS
18.10.56.3.9.2 Ensure 'Require secure RPC communication' is set to 'Enabled' | Windows | CIS Microsoft Windows Server 2019 STIG v3.0.0 L1 DC
18.10.56.3.9.2 Ensure 'Require secure RPC communication' is set to 'Enabled' | Windows | CIS Microsoft Windows Server 2019 STIG v3.0.0 STIG DC
18.10.56.3.9.2 Ensure 'Require secure RPC communication' is set to 'Enabled' | Windows | CIS Microsoft Windows Server 2022 STIG v2.0.0 L1 Domain Controller
18.10.56.3.9.2 Ensure 'Require secure RPC communication' is set to 'Enabled' | Windows | CIS Microsoft Windows Server 2016 STIG v3.0.0 L1 MS
18.10.56.3.9.2 Ensure 'Require secure RPC communication' is set to 'Enabled' | Windows | CIS Microsoft Windows Server 2022 STIG v2.0.0 STIG DC
18.10.56.3.9.2 Ensure 'Require secure RPC communication' is set to 'Enabled' | Windows | CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG DC
18.10.56.3.9.2 Ensure 'Require secure RPC communication' is set to 'Enabled' | Windows | CIS Microsoft Windows Server 2019 STIG v3.0.0 STIG MS
18.10.56.3.9.2 Ensure 'Require secure RPC communication' is set to 'Enabled' | Windows | CIS Microsoft Windows Server 2019 STIG v3.0.0 L1 MS
18.10.56.3.9.2 Ensure 'Require secure RPC communication' is set to 'Enabled' | Windows | CIS Microsoft Windows Server 2022 STIG v2.0.0 L1 Member Server
18.10.56.3.9.2 Ensure 'Require secure RPC communication' is set to 'Enabled' | Windows | CIS Microsoft Windows Server 2022 STIG v2.0.0 STIG MS