NIST 800-53 REV 5 • SYSTEM AND COMMUNICATIONS PROTECTION
SC-7 — Boundary Protection
a. Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system;
b. Implement subnetworks for publicly accessible system components that are {{ insert: param, sc-07_odp }} separated from internal organizational networks; and
c. Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.
Supplemental Guidance
Managed interfaces include gateways, routers, firewalls, guards, network-based malicious code analysis, virtualization systems, or encrypted tunnels implemented within a security architecture. Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational systems includes restricting external web traffic to designated web servers within managed interfaces, prohibiting external traffic that appears to be spoofing internal addresses, and prohibiting internal traffic that appears to be spoofing external addresses. [SP 800-189](#f5edfe51-d1f2-422e-9b27-5d0e90b49c72) provides additional information on source address validation techniques to prevent ingress and egress of traffic with spoofed addresses. Commercial telecommunications services are provided by network components and consolidated management systems shared by customers. These services may also include third party-provided access lines and other service elements. Such services may represent sources of increased risk despite contract security provisions. Boundary protection may be implemented as a common control for all or part of an organizational network such that the boundary to be protected is greater than a system-specific boundary (i.e., an authorization boundary).
Practitioner Notes
Boundary protection is about controlling what traffic flows in and out of your network and between internal network segments (the "key internal managed interfaces" in the control text). Every connection point is a potential entry for attackers, so each one needs to be inventoried, monitored, and filtered; an interface nobody knows about is an interface nobody is watching.
Example 1: Deploy a next-generation firewall (Palo Alto, Fortinet) at your network perimeter with rules that deny all traffic by default and only allow specific, documented flows. Per the supplemental guidance, also drop packets arriving on the external interface with an internal source address and packets leaving on an internal interface with an external source address (the source address validation described in SP 800-189). Enable logging for allowed and denied connections alike and forward those logs to your SIEM; a denied connection that is never logged cannot be investigated.
Example 2: Segment your internal network into VLANs: one for workstations, one for servers, one for management, one for guests, and a DMZ VLAN for the publicly accessible components required by part b of the control. Use access control lists on your layer-3 switches to restrict which VLANs can talk to each other, again with an explicit deny at the end of every list. Your guest WiFi should never be able to reach your server VLAN, and external traffic should terminate on the DMZ rather than on internal servers.
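The following is an added example (not from NIST or any vendor) that models the decision logic behind both examples above as a small policy engine: a default-deny rule set, a DMZ as the only zone reachable from outside, inter-VLAN restrictions such as guest never reaching the server segment, source-address validation at the managed interface in the style of SP 800-189, and a JSON log record for every decision, allowed or denied. The address plan (10.0.0.0/8 with /24 segments), zone names, rule names and sample flows are all constructed assumptions chosen to exercise each clause of the control; a real deployment expresses the same intent in the firewall's or switch's own rule language.

```python
"""Added illustration of SC-7: default-deny managed interface, DMZ for public
components, inter-segment restriction, SP 800-189-style source-address
validation, and one SIEM-ready log line per decision.
Address plan, zones and rules are constructed for this example."""
import ipaddress
import json
from dataclasses import dataclass
from typing import Optional

# Constructed address plan (assumption): one internal aggregate with named
# segments; the DMZ holds the only components reachable from outside.
INTERNAL_AGGREGATE = ipaddress.ip_network("10.0.0.0/8")
ZONES = {
    "dmz": ipaddress.ip_network("10.0.100.0/24"),
    "workstations": ipaddress.ip_network("10.0.10.0/24"),
    "servers": ipaddress.ip_network("10.0.20.0/24"),
    "management": ipaddress.ip_network("10.0.30.0/24"),
    "guest": ipaddress.ip_network("10.0.40.0/24"),
}


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    proto: str
    dport: int


# Explicit, documented allows; anything not listed here is denied.
ALLOW_RULES = [
    Rule("ext-to-dmz-web", "external", "dmz", "tcp", 443),
    Rule("dmz-to-db", "dmz", "servers", "tcp", 5432),
    Rule("ws-to-servers-https", "workstations", "servers", "tcp", 443),
    Rule("ws-to-internet", "workstations", "external", "tcp", 443),
    Rule("mgmt-ssh-servers", "management", "servers", "tcp", 22),
    Rule("mgmt-ssh-dmz", "management", "dmz", "tcp", 22),
    Rule("guest-to-internet", "guest", "external", "tcp", 443),
    Rule("guest-dns", "guest", "external", "udp", 53),
]


@dataclass(frozen=True)
class Flow:
    ingress_if: str  # "wan" (external managed interface) or "lan" (internal)
    src: str
    dst: str
    proto: str
    dport: int


def zone_of(ip: str) -> str:
    """Map an address to its zone; unknown internal space matches no rule."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internal-unzoned" if addr in INTERNAL_AGGREGATE else "external"


def spoof_reason(flow: Flow) -> Optional[str]:
    """Source-address validation at the managed interface (cf. SP 800-189)."""
    internal_src = ipaddress.ip_address(flow.src) in INTERNAL_AGGREGATE
    if flow.ingress_if == "wan" and internal_src:
        return "ingress spoof: internal source on external interface"
    if flow.ingress_if == "lan" and not internal_src:
        return "egress spoof: external source on internal interface"
    return None


def evaluate(flow: Flow) -> dict:
    """Return the decision record that would be logged for this flow."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    record = {
        "action": "DENY", "rule": None, "reason": "default deny",
        "ingress_if": flow.ingress_if, "src": flow.src, "dst": flow.dst,
        "src_zone": src_zone, "dst_zone": dst_zone,
        "proto": flow.proto, "dport": flow.dport,
    }
    reason = spoof_reason(flow)
    if reason:  # spoofed packets never reach the allow list
        record["reason"] = reason
        return record
    for rule in ALLOW_RULES:
        if (rule.src_zone, rule.dst_zone, rule.proto, rule.dport) == \
                (src_zone, dst_zone, flow.proto, flow.dport):
            record.update(action="ALLOW", rule=rule.name, reason="explicit allow")
            break
    return record


def log_line(record: dict) -> str:
    """One JSON line per decision, allowed or denied, for SIEM forwarding."""
    return json.dumps(record, sort_keys=True)


# Constructed sample flows, one per clause of the control worth checking.
SAMPLE_FLOWS = [
    Flow("wan", "198.51.100.7", "10.0.100.10", "tcp", 443),  # internet -> DMZ web
    Flow("wan", "198.51.100.7", "10.0.20.5", "tcp", 443),    # internet -> internal server
    Flow("wan", "10.0.10.5", "10.0.20.5", "tcp", 443),       # spoofed internal source
    Flow("lan", "10.0.40.23", "10.0.20.5", "tcp", 443),      # guest -> server VLAN
    Flow("lan", "10.0.40.23", "203.0.113.9", "tcp", 443),    # guest -> internet
    Flow("lan", "203.0.113.9", "203.0.113.10", "tcp", 443),  # spoofed external source
    Flow("lan", "10.0.30.2", "10.0.20.5", "tcp", 22),        # management SSH
    Flow("lan", "10.0.100.10", "10.0.20.5", "tcp", 5432),    # DMZ app -> internal DB
]


def run_samples() -> list:
    return [evaluate(f) for f in SAMPLE_FLOWS]


if __name__ == "__main__":
    for rec in run_samples():
        print(log_line(rec))
```

Two design points carry over to real equipment: the spoof check runs before the allow list, so a forged internal source can never borrow an internal-to-internal rule, and the denied record carries the same fields as the allowed one, so the SIEM can correlate both without special-casing.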