CIS Control 12: Boundary Defense
Detect/prevent/correct the flow of information transferring across networks of different trust levels with a focus on security-damaging data.
Why is this CIS Control Critical?
Attackers focus on exploiting systems that they can reach across the Internet, including not only DMZ systems but also workstations and laptop computers that pull content from the Internet through network boundaries. Threats such as organized crime groups and nation-states use configuration and architectural weaknesses found on perimeter systems, network devices, and Internet-accessing client machines to gain initial access into an organization. Then, with a base of operations on these machines, attackers often pivot to get deeper inside the boundary to steal or change information or to set up a persistent presence for later attacks against internal hosts. Additionally, many attacks occur between business partner networks, sometimes referred to as extranets, as attackers hop from one organization’s network to another, exploiting vulnerable systems on extranet perimeters.
To control the flow of traffic through network borders and police content by looking for attacks and evidence of compromised machines, boundary defenses should be multi-layered, relying on firewalls, proxies, DMZ perimeter networks, and network-based IPS and IDS. It is also critical to filter both inbound and outbound traffic.
It should be noted that boundary lines between internal and external networks are diminishing as a result of increased interconnectivity within and between organizations as well as the rapid rise in deployment of wireless technologies. These blurring lines sometimes allow attackers to gain access inside networks while bypassing boundary systems. However, even with this blurring of boundaries, effective security deployments still rely on carefully configured boundary defenses that separate networks with different threat levels, sets of users, data and levels of control. And despite the blurring of internal and external networks, effective multi-layered defenses of perimeter networks help lower the number of successful attacks, allowing security personnel to focus on attackers who have devised methods to bypass boundary restrictions.
- 12.1: Maintain an Inventory of Network Boundaries
- 12.2: Scan for Unauthorized Connections Across Trusted Network Boundaries
- 12.3: Deny Communications With Known Malicious IP Addresses
- 12.4: Deny Communication Over Unauthorized Ports
- 12.5: Configure Monitoring Systems to Record Network Packets
- 12.6: Deploy Network-Based IDS Sensors
- 12.7: Deploy Network-Based Intrusion Prevention Systems
- 12.8: Deploy NetFlow Collection on Networking Boundary Devices
- 12.9: Deploy Application Layer Filtering Proxy Server
- 12.10: Decrypt Network Traffic at Proxy
- 12.11: Require All Remote Logins to Use Multi-Factor Authentication
- 12.12: Manage All Devices Remotely Logging Into Internal Network
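Sub-controls 12.2, 12.3 and 12.4 above, and the inbound-and-outbound filtering point made earlier, can be checked against flow records exported from boundary devices (12.8). The following is an added example, not part of the CIS document: it audits constructed NetFlow-style records against an assumed boundary policy (the internal ranges, allowed ports and the single denylisted address are all constructed placeholders).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed boundary policy (assumed values, not from the CIS document).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
ALLOWED_INBOUND = {443}           # only the public HTTPS service is exposed
ALLOWED_OUTBOUND = {53, 80, 443}  # DNS and web egress via the proxy
KNOWN_BAD = {ip_address("203.0.113.50")}  # constructed denylist entry (TEST-NET-3)

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int

def parse_flows(text):
    """Parse constructed 'src,dst,dport' records, one per line."""
    flows = []
    for line in text.strip().splitlines():
        src, dst, dport = (field.strip() for field in line.split(","))
        flows.append(Flow(src, dst, int(dport)))
    return flows

def is_internal(addr):
    return any(ip_address(addr) in net for net in INTERNAL_NETS)

def direction(flow):
    """'inbound' or 'outbound' when the flow crosses the boundary, else 'none'."""
    src_in, dst_in = is_internal(flow.src), is_internal(flow.dst)
    if src_in and not dst_in:
        return "outbound"
    if dst_in and not src_in:
        return "inbound"
    return "none"

def audit(flows):
    """Return (flow, finding) pairs for boundary-crossing flows that violate policy."""
    findings = []
    for f in flows:
        d = direction(f)
        if d == "none":
            continue  # stays on one side of the boundary; out of scope here
        if ip_address(f.src) in KNOWN_BAD or ip_address(f.dst) in KNOWN_BAD:
            findings.append((f, "12.3: known malicious address"))
        allowed = ALLOWED_INBOUND if d == "inbound" else ALLOWED_OUTBOUND
        if f.dport not in allowed:
            findings.append((f, f"12.4: unauthorized {d} port {f.dport}"))
    return findings

SAMPLE_RECORDS = """
198.51.100.7,10.1.2.3,443
198.51.100.7,10.1.2.3,3389
10.1.2.9,203.0.113.50,443
10.1.2.9,198.51.100.20,4444
10.1.2.9,10.1.2.3,445
"""
```

Running `audit(parse_flows(SAMPLE_RECORDS))` flags the inbound RDP attempt, the outbound connection to the denylisted address and the outbound connection on an unapproved port, while the purely internal flow is ignored.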