CIS Control 12: Boundary Defense
Detect, prevent, and correct the flow of information across networks of different trust levels, with a focus on data that could damage security.
12.1: Maintain an Inventory of Network Boundaries
- Maintain an up-to-date inventory of all of the organization’s network boundaries.
12.2: Scan for Unauthorized Connections Across Trusted Network Boundaries
- Perform regular scans from outside each trusted network boundary to detect any unauthorized connections which are accessible across the boundary.
12.3: Deny Communications With Known Malicious IP Addresses
- Deny communications with known malicious or unused Internet IP addresses and limit access only to trusted and necessary IP address ranges at each of the organization’s network boundaries.
12.4: Deny Communication Over Unauthorized Ports
- Deny communication over unauthorized TCP or UDP ports and unauthorized application traffic at each of the organization’s network boundaries, so that only authorized protocols cross a boundary in either direction.
12.5: Configure Monitoring Systems to Record Network Packets
- Configure monitoring systems to record network packets passing through the boundary at each of the organization’s network boundaries.
12.6: Deploy Network-Based IDS Sensors
- Deploy network-based Intrusion Detection System (IDS) sensors at each of the organization’s network boundaries to look for unusual attack mechanisms and to detect compromise of these systems.
12.7: Deploy Network-Based Intrusion Prevention Systems
- Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each of the organization’s network boundaries.
12.8: Deploy NetFlow Collection on Networking Boundary Devices
- Enable the collection of NetFlow and logging data on all network boundary devices.
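Sub-controls 12.3, 12.4 and 12.8 fit together: the flow records collected at a boundary device are the input against which the "known malicious or unused IP" and "authorized ports and protocols" policies are checked. The script below is an added example, not part of the CIS text or any CIS tooling. It audits a constructed, simplified flow log (one record per line; real NetFlow v5/v9/IPFIX export is binary and would need a collector such as nfdump in front of this logic). The internal trust zone, the malicious and unused address ranges, and the allowed ingress/egress services are all hypothetical placeholders that would come from the boundary inventory (12.1), a threat-intelligence feed, and the port/protocol policy (CIS Control 9).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical internal trust zone; substitute the inventory from sub-control 12.1.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed "known malicious" ranges; in production this comes from a threat-intel feed.
KNOWN_MALICIOUS = [ipaddress.ip_network("203.0.113.0/24")]

# Address space that is not in use on the Internet and should never appear
# on the external side of a boundary flow (sub-control 12.3, "unused IP addresses").
UNUSED_ON_INTERNET = [
    ipaddress.ip_network("0.0.0.0/8"),    # "this" network (RFC 1122)
    ipaddress.ip_network("127.0.0.0/8"),  # loopback
    ipaddress.ip_network("240.0.0.0/4"),  # reserved (RFC 1112)
]

# Hypothetical authorized services as (protocol, destination port), per direction (12.4).
ALLOWED_EGRESS = {("tcp", 443), ("tcp", 80), ("udp", 53)}
ALLOWED_INGRESS = {("tcp", 443)}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    nbytes: int


def parse_flows(text: str) -> List[Flow]:
    """Parse constructed flow records of the form: src dst proto dport bytes."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, dport, nbytes = line.split()
        flows.append(Flow(src, dst, proto.lower(), int(dport), int(nbytes)))
    return flows


def in_any(addr: str, nets) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def classify(flow: Flow) -> Optional[str]:
    """Return a violation label for a boundary-crossing flow, or None if it is allowed."""
    src_internal = in_any(flow.src, INTERNAL_NETS)
    dst_internal = in_any(flow.dst, INTERNAL_NETS)
    if src_internal == dst_internal:
        return None  # purely internal or purely external: does not cross this boundary
    external = flow.dst if src_internal else flow.src
    if in_any(external, KNOWN_MALICIOUS):
        return "known-malicious-ip"  # 12.3
    if in_any(external, UNUSED_ON_INTERNET):
        return "unused-ip-space"  # 12.3
    allowed = ALLOWED_EGRESS if src_internal else ALLOWED_INGRESS
    if (flow.proto, flow.dport) not in allowed:
        return "unauthorized-port"  # 12.4
    return None


def audit(text: str) -> List[Tuple[Flow, str]]:
    """Run every record through classify() and return the flagged (flow, reason) pairs."""
    return [(f, reason) for f in parse_flows(text) if (reason := classify(f))]


# Constructed sample export from a boundary device. 198.51.100.0/24 stands in for
# ordinary routable Internet space here.
SAMPLE_FLOWS = """
# src            dst             proto dport bytes
10.1.2.3         198.51.100.10   tcp   443   5120
10.1.2.4         203.0.113.7     tcp   443   900
10.1.2.5         198.51.100.20   tcp   4444  70000
10.1.2.6         240.1.2.3       udp   53    120
198.51.100.30    10.1.2.7        tcp   3389  2048
10.1.2.8         10.3.4.5        tcp   445   1000
"""

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"{reason:20} {flow.src} -> {flow.dst} {flow.proto}/{flow.dport} ({flow.nbytes} B)")
```

The direction-aware allowlists matter: a TLS connection that is routine egress from a workstation is an anomaly when it arrives inbound at the same boundary, and a flow that never crosses the boundary (the last sample record) is out of scope for this control even if its port would be disallowed elsewhere. The last record is also a reminder that "unused" ranges are checked only on the external side; loopback or reserved addresses showing up inside the trust zone belong to a different control.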
12.9: Deploy Application Layer Filtering Proxy Server
- Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections.
12.10: Decrypt Network Traffic at Proxy
- Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic.
12.11: Require All Remote Logins to Use Multi-Factor Authentication
- Require all remote login access to the organization’s network to encrypt data in transit and use multi-factor authentication.
12.12: Manage All Devices Remotely Logging Into Internal Network
- Scan all enterprise devices that log in remotely before they are granted access to the organization’s network, to verify that each of the organization’s security policies is enforced on them in the same manner as on local network devices.
Figure: System Entity Relationship Diagram
- CIS Control 1: Inventory and Control of Hardware Assets
- CIS Control 2: Inventory and Control of Software Assets
- CIS Control 3: Continuous Vulnerability Management
- CIS Control 4: Controlled Use of Administrative Privileges
- CIS Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
- CIS Control 6: Maintenance, Monitoring, and Analysis of Audit Logs
- CIS Control 7: Email and Web Browser Protections
- CIS Control 8: Malware Defenses
- CIS Control 9: Limitation and Control of Network Ports, Protocols, and Services
- CIS Control 10: Data Recovery Capabilities
- CIS Control 11: Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches
- CIS Control 12: Boundary Defense
- CIS Control 13: Data Protection
- CIS Control 14: Controlled Access Based on the Need to Know
- CIS Control 15: Wireless Access Control
- CIS Control 16: Account Monitoring and Control
- CIS Control 17: Implement a Security Awareness and Training Program
- CIS Control 18: Application Software Security
- CIS Control 19: Incident Response and Management
- CIS Control 20: Penetration Tests and Red Team Exercises