
SC-7(8)Boundary Protection | Route Traffic to Authenticated Proxy Servers

IL4 Mod
IL4 High
IL5
IL6

>Control Description

Route organization-defined internal communications traffic to organization-defined external networks through authenticated proxy servers at managed interfaces.

>DoD Impact Level Requirements

FedRAMP Parameter Values

SC-7 (8)-2 [any network outside of organizational control and any network outside the authorization boundary]

>Discussion

External networks are networks outside of organizational control. A proxy server is a server (i.e., system or application) that acts as an intermediary for clients requesting system resources from non-organizational or other organizational servers. System resources that may be requested include files, connections, web pages, or services.

Client requests established through a connection to a proxy server are assessed to manage complexity and provide additional protection by limiting direct connectivity. Web content filtering devices are one of the most common proxy servers that provide access to the Internet. Proxy servers can support the logging of Transmission Control Protocol sessions and the blocking of specific Uniform Resource Locators, Internet Protocol addresses, and domain names.

Web proxies can be configured with organization-defined lists of authorized and unauthorized websites. Note that proxy servers may inhibit the use of virtual private networks (VPNs) and create the potential for man-in-the-middle attacks (depending on the implementation).

>Programmatic Queries


Related Services

Network Load Balancer
EC2 Proxy
Route53

CLI Commands

Create Network Load Balancer for authenticated proxy traffic
aws elbv2 create-load-balancer --name authenticated-proxy-nlb --subnets subnet-12345678 subnet-87654321 --type network
Launch EC2 proxy instances with authentication enabled
aws ec2 run-instances --image-id ami-12345678 --instance-type t3.medium --security-group-ids sg-proxy --iam-instance-profile Name=proxy-profile --user-data file://proxy-config.sh
Configure Route53 DNS records to point to authenticated proxy
aws route53 change-resource-record-sets --hosted-zone-id Z12345678 --change-batch file://proxy-dns.json
Set up a CloudWatch log group for proxy authentication events
aws logs create-log-group --log-group-name /aws/proxy/authentication
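The Discussion above says the proxy should authenticate clients, log sessions, and enforce organization-defined lists of authorized and unauthorized sites, and the CLI steps end with a log group for proxy authentication events. The script below is an added example (not part of this page, NIST, or any AWS tooling) of the kind of check an assessor asks for under "What logs or monitoring data verify that this control is functioning correctly?": it reads a constructed proxy access log and a constructed flow log from the managed interface, flags requests that succeeded without authentication, requests to denylisted or unlisted destinations that the proxy let through, and outbound web connections that went around the proxy entirely. The log formats, proxy address, site lists, and network ranges are all assumptions made for the example.

```python
"""SC-7(8) evidence check: outbound web traffic must cross the managed
interface through an authenticated proxy that enforces the organization's
allow/deny lists.  Every log line, host name, address and list here is
constructed for this example and does not describe a real environment."""
import ipaddress
from urllib.parse import urlparse

# Hypothetical organization-defined lists (assumption: a host matches a list
# entry exactly or as a subdomain of it).
AUTHORIZED_SITES = {"updates.example-vendor.com", "repo.example.org"}
UNAUTHORIZED_SITES = {"pastebin.example.net"}

# Constructed proxy access log, one request per line:
#   time client_ip user method url_or_host:port status   ("-" = no auth)
PROXY_LOG = """\
2024-05-01T10:00:01Z 10.0.1.15 alice GET https://updates.example-vendor.com/patch.bin 200
2024-05-01T10:00:07Z 10.0.1.22 - GET https://repo.example.org/index 407
2024-05-01T10:00:09Z 10.0.1.22 bob GET https://repo.example.org/index 200
2024-05-01T10:01:30Z 10.0.2.40 carol CONNECT pastebin.example.net:443 403
2024-05-01T10:02:11Z 10.0.2.41 dave GET http://unknown.example.io/file 200
2024-05-01T10:03:00Z 10.0.3.9 - GET https://repo.example.org/x 200
2024-05-01T10:03:30Z 10.0.3.9 erin GET https://pastebin.example.net/raw/abc 200
"""

# Constructed flow records at the managed interface: src dst dst_port action
FLOW_LOG = """\
10.0.1.15 10.0.0.5 3128 ACCEPT
10.0.2.41 203.0.113.10 443 ACCEPT
10.0.2.41 203.0.113.10 80 REJECT
10.0.1.22 10.0.0.5 3128 ACCEPT
"""

PROXY_ADDRS = {"10.0.0.5"}                       # assumed proxy listener address
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed organizational space
WEB_PORTS = {80, 443}


def host_of(target: str) -> str:
    """Destination host from a full URL or from a CONNECT host:port target."""
    if "://" in target:
        return urlparse(target).hostname or ""
    return target.rsplit(":", 1)[0]


def matches(host: str, sites: set) -> bool:
    return any(host == s or host.endswith("." + s) for s in sites)


def classify_request(host: str) -> str:
    """Deny list wins over allow list; anything else is 'unlisted'."""
    if matches(host, UNAUTHORIZED_SITES):
        return "deny"
    if matches(host, AUTHORIZED_SITES):
        return "allow"
    return "unlisted"


def audit_proxy_log(text: str) -> list:
    """Return (finding, client, host) tuples for proxy decisions that violate
    the control: unauthenticated success, denylisted or unlisted site served."""
    findings = []
    for line in text.splitlines():
        _ts, client, user, _method, target, status = line.split()
        host = host_of(target)
        if user == "-":
            # A 407 is the proxy challenging the client, which is expected;
            # any non-4xx response to an unauthenticated request is a gap.
            if not status.startswith("4"):
                findings.append(("unauthenticated-success", client, host))
            continue
        verdict = classify_request(host)
        if verdict == "deny" and status == "200":
            findings.append(("denylist-not-enforced", client, host))
        elif verdict == "unlisted" and status == "200":
            findings.append(("unlisted-destination", client, host))
    return findings


def find_proxy_bypass(text: str) -> list:
    """Return (src, dst, port) for accepted web flows from internal hosts to
    external addresses that did not go to the proxy, i.e. proxy bypass."""
    bypasses = []
    for line in text.splitlines():
        src, dst, port, action = line.split()
        if action != "ACCEPT" or int(port) not in WEB_PORTS or dst in PROXY_ADDRS:
            continue
        if not any(ipaddress.ip_address(dst) in net for net in INTERNAL_NETS):
            bypasses.append((src, dst, int(port)))
    return bypasses


if __name__ == "__main__":
    for finding in audit_proxy_log(PROXY_LOG):
        print("proxy:", *finding)
    for bypass in find_proxy_bypass(FLOW_LOG):
        print("bypass:", *bypass)
```

Against the constructed input, the proxy audit reports three problems (a 200 to an unlisted host, a 200 to an unauthenticated client, and a 200 to a denylisted site) and the flow check reports one accepted 443 connection to an external address that never touched the proxy, while the rejected port 80 attempt is correctly silent because the managed interface blocked it. In a real deployment the two inputs would be the proxy's access log and the interface's flow records rather than inline strings, and the site lists would come from the organization's configuration management source.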

>Related Controls

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What policies govern the implementation of route traffic to authenticated proxy servers?
  • How are system and communications protection requirements defined and maintained?
  • Who is responsible for configuring and maintaining the security controls specified in SC-7(8)?

Technical Implementation:

  • How is route traffic to authenticated proxy servers technically implemented in your environment?
  • What systems, tools, or configurations enforce this protection requirement?
  • How do you ensure that route traffic to authenticated proxy servers remains effective as the system evolves?
  • What network boundary protections are in place (firewalls, gateways, etc.)?
  • How are session timeouts and termination controls configured?

Evidence & Documentation:

  • What documentation demonstrates the implementation of SC-7(8)?
  • Can you provide configuration evidence or system diagrams showing this protection control?
  • What logs or monitoring data verify that this control is functioning correctly?
  • Can you provide network architecture diagrams and firewall rulesets?
  • Can you show session management configuration settings?
