SC-7 BOUNDARY PROTECTION

Page last updated:

PCF Compliance

The PCF PAS reference architecture documents provide the technical guidance deployers need in order to satisfy any boundary protection requirements. When deployed in accordance with the recommended reference architecture, the PCF PAS deployment is compliant with this requirement.

For more information on the system boundaries of PCF see: https://docs.pivotal.io/pivotalcf/concepts/security.html#system-boundaries

Beyond the boundary protections provided by the IaaS network architecture, additional PAS flow control is provided using the following mechanisms:

a) Ingress to the platform is permitted only via the Cloud Foundry Router.
In addition, the Cloud Foundry Router provides Route Services which can be used to do application-level traffic shaping. The PAS inherits any network isolation protections defined by the IaaS administrator.
In addition, Isolation Segments can be used to separate workloads and thereby limit east-west traffic.

b) Egress from the platform is controlled by the use of Application Security Groups (ASG). For more information about ASGs, see Understanding Application Security Groups.

c) Intra-platform application traffic may be controlled via container-to-container networking policies. These policies are default deny, with option for allowing connectivity between applications. For more information on C2C networking see Container-to-Container Networking.

The Cloud Foundry Loggregator logging subsystem provides monitoring of all inbound and outbound network communications.

The deployer is responsible for ensuring that all connections to external third-party systems are done in accordance with the organization’s approved security architecture.

Prevention of split tunnels from remote devices is out of scope for PCF and is a deployer responsibility.


Control Description

The information system:

  1. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system;
  2. Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and
  3. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.

Supplemental Guidance

Managed interfaces include, for example, gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational information systems includes, for example, restricting external web traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security controls associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers, and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions.