800-53|SC-7(8)

Title

ROUTE TRAFFIC TO AUTHENTICATED PROXY SERVERS

Description

The information system routes [Assignment: organization-defined internal communications traffic] to [Assignment: organization-defined external networks] through authenticated proxy servers at managed interfaces.

Supplemental

External networks are networks outside of organizational control. A proxy server is a server (i.e., information system or application) that acts as an intermediary for clients requesting information system resources (e.g., files, connections, web pages, or services) from other organizational servers. Client requests established through an initial connection to the proxy server are evaluated to manage complexity and to provide additional protection by limiting direct connectivity. Web content filtering devices are one of the most common proxy servers providing access to the Internet. Proxy servers support logging individual Transmission Control Protocol (TCP) sessions and blocking specific Uniform Resource Locators (URLs), domain names, and Internet Protocol (IP) addresses. Web proxies can be configured with organization-defined lists of authorized and unauthorized websites.

Reference Item Details

Reference: NIST 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations

Related: AC-3,AU-2

Category: SYSTEM AND COMMUNICATIONS PROTECTION

Parent Title: BOUNDARY PROTECTION

Family: SYSTEM AND COMMUNICATIONS PROTECTION

Baseline Impact: HIGH

Audit Items

View all Reference Audit Items

Name	Plugin	Audit Name
1.1.19.2 (L1) Ensure 'Do not allow proxy settings to be changed' is set to 'Enabled'	Windows	CIS Mozilla Firefox ESR GPO v1.0.0 L1
1.1.22.2 (L1) Ensure 'Do not allow tracking protection preferences to be changed' is set to 'Enabled'	Windows	CIS Mozilla Firefox ESR GPO v1.0.0 L1
4.4.1 Block high risk categories on Application Control	FortiGate	CIS Fortigate 7.0.x v1.3.0 L1
5.2.2 Minimize the admission of containers wishing to share the host process ID namespace	Unix	CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
5.2.3 Ensure 'identityAssertionTypes' is specified to the correct identity tokens in CSIv2 Attribute Layer - review/Zech	Unix	CIS IBM WebSphere Liberty v1.0.0 L1
5.2.3 Minimize the admission of containers wishing to share the host process ID namespace	Unix	CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
5.2.3 Minimize the admission of containers wishing to share the host process ID namespace	Unix	CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
5.2.3 Minimize the admission of containers wishing to share the host process ID namespace	Unix	CIS Kubernetes v1.10.0 L1 Master
7.1 Ensure the 'hostNameExcludeList' attribute is set to a whitelist of host names	Unix	CIS IBM WebSphere Liberty v1.0.0 L1
7.2 Ensure the 'hostNameIncludeList attribute' is set to a whitelist of host names	Unix	CIS IBM WebSphere Liberty v1.0.0 L1
7.3 Ensure the 'addressExcludeList' attribute is set to a whitelist of hostnames	Unix	CIS IBM WebSphere Liberty v1.0.0 L1
7.4 Ensure the 'addressIncludeList' attribute is set to a whitelist of IP addresses	Unix	CIS IBM WebSphere Liberty v1.0.0 L1
9.1 Ensure the TimeOut Is Set to 10 or Less	Unix	CIS Apache HTTP Server 2.4 L1 v2.1.0 Middleware
9.1 Ensure the TimeOut Is Set to 10 or Less	Unix	CIS Apache HTTP Server 2.4 L1 v2.1.0
9.2 Configure 'Disable changing Automatic Configuration settings'	Windows	CIS IE 9 v1.0.0
9.3 Configure 'Disable changing connection settings'	Windows	CIS IE 9 v1.0.0
9.4 Configure 'Disable changing proxy settings'	Windows	CIS IE 9 v1.0.0
9.5 Configure 'Make proxy settings per-machine (rather than per-user)'	Windows	CIS IE 11 v1.0.0
9.5 Configure 'Make proxy settings per-machine (rather than per-user)'	Windows	CIS IE 10 v1.1.0
9.7 Set 'Prevent changing proxy settings' to 'Enabled'	Windows	CIS IE 10 v1.1.0
9.7 Set 'Prevent changing proxy settings' to 'Enabled'	Windows	CIS IE 11 v1.0.0
9.8 Configure 'Disable changing Automatic Configuration settings'	Windows	CIS IE 10 v1.1.0
9.11 Configure 'Disable changing connection settings'	Windows	CIS IE 10 v1.1.0
10.6 Enable strict servlet Compliance	Unix	CIS Apache Tomcat 9 L2 v1.2.0 Middleware
10.6 Enable strict servlet Compliance	Unix	CIS Apache Tomcat 10 L2 v1.1.0
10.6 Enable strict servlet Compliance	Unix	CIS Apache Tomcat 9 L2 v1.2.0
10.6 Enable strict servlet Compliance	Unix	CIS Apache Tomcat 10 L2 v1.1.0 Middleware
DTBI305 - Automatic configuration of Internet Explorer must be disallowed.	Windows	DISA STIG Microsoft Internet Explorer 9 v1r15

Detections

Analytics