“[is the] monitoring and control of communications at the external boundary of an information system to prevent and detect malicious and other unauthorized communications, through the use of boundary protection devices (e.g., proxies, gateways, routers, firewalls, guards, encrypted tunnels).”
“controls logical connectivity into and out of networks and controls connectivity to and from network connected devices.”
Boundary protection demarcates logical or physical boundaries between unknown users and protected information and systems. Unnecessary connectivity to an organization's network increases not only the number of access paths that must be managed and the complexity of the task, but also the risk of unauthorized access in a shared environment.
Best practices dictate that organizations allocate publicly accessible information system components to separate subnetworks with separate physical network interfaces, and that key components within private networks are also adequately segregated as subnetworks. Any connections to the Internet or to other [[external network|external and internal networks]] or information systems should occur through controlled interfaces (for example, proxies, gateways, routers and switches, firewalls, and concentrators).
NIST guidance states that boundary protection devices should monitor and control communications at the external boundary of the system and at key internal boundaries within the system. Organizations use boundary protection devices such as proxies, gateways, routers, and firewalls to monitor and control such communications and to separate network segments that require a higher level of control from other segments of the network. NIST guidance further states that information systems should establish a trusted communications path between remote users, that firewalls should control both outgoing and incoming network traffic, and that boundary mechanisms should separate computing systems and network infrastructures.
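As an added illustration (not taken from the NIST or GAO documents cited here), the controlled-interface model above expressed as an nftables ruleset on a router that separates an Internet uplink, a DMZ subnetwork holding the publicly accessible components, and an internal LAN; the interface names, addresses and port choices are assumptions constructed for the example.

```nft
#!/usr/sbin/nft -f
# Boundary firewall with three interfaces (assumed names):
#   eth0 = Internet uplink, eth1 = DMZ (public web server, outbound proxy), eth2 = internal LAN
# Addresses are constructed for this example (RFC 1918 and documentation ranges).
flush ruleset
define WAN      = eth0
define DMZ      = eth1
define LAN      = eth2
define DMZ_NET  = 192.0.2.0/24
define LAN_NET  = 10.10.0.0/16
define WEB      = 192.0.2.10
define PROXY    = 192.0.2.20
define LOG_SINK = 10.10.1.5
table inet boundary {
    chain input {
        type filter hook input priority filter; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # Management of the device itself only from the internal LAN
        iifname $LAN ip saddr $LAN_NET tcp dport 22 accept
        log prefix "boundary-input-drop: " drop
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Internet -> DMZ: only the published web service is reachable
        iifname $WAN oifname $DMZ ip daddr $WEB tcp dport { 80, 443 } accept
        # DMZ -> LAN (internal boundary): only syslog to the log collector crosses inward
        iifname $DMZ oifname $LAN ip saddr $DMZ_NET ip daddr $LOG_SINK udp dport 514 accept
        # LAN -> DMZ: internal hosts reach the outbound proxy, never the Internet directly
        iifname $LAN oifname $DMZ ip saddr $LAN_NET ip daddr $PROXY tcp dport 3128 accept
        # DMZ -> Internet: egress is permitted only from the proxy and only to web ports
        iifname $DMZ oifname $WAN ip saddr $PROXY tcp dport { 80, 443 } accept
        # Everything else, including direct LAN -> Internet traffic, is logged and dropped
        log prefix "boundary-forward-drop: " drop
    }

    chain output {
        type filter hook output priority filter; policy drop;
        oif lo accept
        ct state established,related accept
        # Outgoing traffic from the firewall itself is limited to syslog and NTP to the collector
        oifname $LAN ip daddr $LOG_SINK udp dport { 514, 123 } accept
        log prefix "boundary-output-drop: " drop
    }
}
```

Each chain carries a default drop policy and a final logging rule, so both incoming and outgoing traffic is controlled and every rejected flow at the external or internal boundary leaves a record for monitoring.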
- ↑ NIST Special Publication 800-39, at B-2.
- ↑ Information Security: Weaknesses Continue Amid New Federal Efforts to Implement Requirements, at 13.