3.13 SYSTEM AND COMMUNICATIONS PROTECTION

3.13.5 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks

By wnoble2005@gmail.com (William Noble) 📅 2024-03-03
NIST 800-171 control 3.13.5 mandates creating isolated subnetworks, called DMZs, for publicly accessible systems. This safeguards internal networks by limiting the attack surface and potential damage from breaches. It also simplifies security controls and network segmentation. System owners are responsible for securing their DMZs, while the security team oversees monitoring and enforcing segmentation policies. Implementation involves identifying publicly accessible systems and network resources.



Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones (DMZs). DMZs are typically implemented with boundary control devices and techniques that include routers, gateways, firewalls, virtualization, or cloud-based technologies. [SP 800-41] provides guidance on firewalls and firewall policy. [SP 800-125B] provides guidance on security for virtualization technologies.

Benefits:

Reduced Attack Surface: Limiting access points for external users minimizes the potential attack surface for malicious actors attempting to breach internal systems.

Contained Damage: In case of a successful breach of the DMZ, the impact is mostly confined to publicly accessible systems, protecting sensitive internal data and resources.

Improved Security Monitoring: By monitoring traffic entering and leaving the DMZ, it's easier to detect and respond to suspicious activity targeted at publicly accessible systems.

Accountability:

Senior Management. Accountability: Ensure compliance with control 3.13.5, monitor its effectiveness, and address any identified gaps. Responsibility: Establish and enforce security policies and procedures related to network segmentation, including budgets and resource allocation.

IT Security Team. Accountability: Conduct vulnerability assessments and penetration testing to verify the effectiveness of segmentation, and report findings to senior management. Responsibility: Design, implement, and maintain the network segmentation infrastructure, including DMZs and firewalls.

System Owners. Accountability: Implement and enforce security controls specific to their systems within the DMZ, ensuring compliance with relevant policies. Responsibility: Identify systems requiring public access and collaborate with the IT security team on their placement within the segmented network.

Individual Users. Accountability: Use systems within the assigned network segment according to established policies and report any suspicious activity to the IT security team. Responsibility: Be aware of the network segmentation and avoid actions that compromise its integrity, such as unauthorized access attempts or data transfers between different segments.

Implementation:

Physical vs. Logical Separation: DMZs can be implemented physically using separate hardware or logically through software-based segmentation tools.

Control Devices: Firewalls, routers, and other security controls are placed at the boundaries of the DMZ to manage traffic flow and restrict unauthorized access.

Secure Configuration: All systems within the DMZ must be securely configured with minimal functionality and access granted only to authorized users.
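As an added example that is not part of the original page, the following Python script checks firewall log records against a zone policy of the kind the Implementation section describes: default deny between the internet, the DMZ and the internal network, with a short allow list covering only internet-to-DMZ web traffic and internal-to-DMZ administration. The zone prefixes, the allow list, the simplified log format and the log lines are all constructed for the example and do not come from any particular product. Flows the firewall accepted but the policy says must be denied are reported as segmentation gaps, which is the kind of evidence the IT security team would look for when verifying that the separation is actually effective.

```python
"""Check firewall log records against a DMZ segmentation policy.

Added example, not code from the original page. Zone prefixes, the allow
list, the log format and the log lines are all constructed assumptions.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Assumed address plan: anything not in a listed prefix is treated as "internet".
ZONES = {
    "dmz": [ipaddress.ip_network("192.0.2.0/24")],     # publicly accessible hosts
    "internal": [ipaddress.ip_network("10.0.0.0/8")],  # internal network, no public access
}

# Assumed boundary policy: default deny between zones; only these
# (source zone, destination zone, destination port) tuples may cross a boundary.
ALLOWED_FLOWS = {
    ("internet", "dmz", 80),     # public web front end
    ("internet", "dmz", 443),
    ("internal", "dmz", 22),     # administration from inside, never the reverse
    ("internal", "dmz", 443),
}


@dataclass(frozen=True)
class Flow:
    action: str   # what the firewall did: ACCEPT or DROP
    src: str
    dst: str
    dport: int


# Assumed simplified log format, e.g. "ACCEPT src=203.0.113.7 dst=192.0.2.10 dport=443"
LOG_RE = re.compile(r"^(ACCEPT|DROP)\s+src=(\S+)\s+dst=(\S+)\s+dport=(\d+)$")


def zone_of(ip: str) -> str:
    """Map an address to its zone; addresses in no listed prefix count as the internet."""
    addr = ipaddress.ip_address(ip)
    for name, prefixes in ZONES.items():
        if any(addr in prefix for prefix in prefixes):
            return name
    return "internet"


def policy_verdict(flow: Flow) -> tuple[str, str]:
    """Return ("allow" | "deny", reason) for a flow under the zone policy."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone:
        return "allow", f"intra-zone traffic within {src_zone}"
    if (src_zone, dst_zone, flow.dport) in ALLOWED_FLOWS:
        return "allow", f"{src_zone}->{dst_zone}:{flow.dport} is on the allow list"
    return "deny", f"{src_zone}->{dst_zone}:{flow.dport} crosses a boundary without an allow rule"


def parse_log_line(line: str) -> Flow | None:
    """Parse one record in the assumed log format; return None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    action, src, dst, dport = m.groups()
    return Flow(action, src, dst, int(dport))


def audit(lines: list[str]) -> list[tuple[str, str]]:
    """Return (log line, reason) for each ACCEPTed flow the policy says must be denied.

    A DROP of an allowed flow is a service problem, not a segmentation failure,
    so only accepted-but-forbidden flows are reported.
    """
    gaps = []
    for line in lines:
        flow = parse_log_line(line)
        if flow is None or flow.action != "ACCEPT":
            continue
        verdict, reason = policy_verdict(flow)
        if verdict == "deny":
            gaps.append((line, reason))
    return gaps


# Constructed sample log using documentation (TEST-NET) addresses, not captured from any real device.
SAMPLE_LOG = [
    "ACCEPT src=203.0.113.7 dst=192.0.2.10 dport=443",   # public HTTPS to the DMZ web tier: fine
    "ACCEPT src=10.1.1.20 dst=192.0.2.10 dport=22",      # admin SSH from internal to DMZ: fine
    "ACCEPT src=192.0.2.10 dst=192.0.2.11 dport=8080",   # DMZ host to DMZ host: fine
    "DROP src=203.0.113.9 dst=10.1.1.5 dport=22",        # internet to internal, blocked: fine
    "ACCEPT src=192.0.2.10 dst=10.1.1.5 dport=445",      # DMZ reaching into internal: gap
    "ACCEPT src=203.0.113.9 dst=10.1.1.5 dport=3389",    # internet straight to internal: gap
]

if __name__ == "__main__":
    for line, reason in audit(SAMPLE_LOG):
        print(f"SEGMENTATION GAP: {line}  ({reason})")
```

The policy is expressed as zones rather than individual addresses so that the same check applies whether the DMZ is a physically separate segment or a logical one (a VLAN or a virtual firewall), and the direction of each tuple matters: internal-to-DMZ administration is listed, DMZ-to-internal is not, which is exactly the containment property the control is after.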

Q4Q Technical Solutions

© q4q.com 1999-2024