Vis/Attrib: Design and implement network perimeters so that all outgoing web, ftp, and ssh traffic to the Internet must pass through at least one proxy on a DMZ network. The proxy should support logging individual TCP sessions; blocking specific URLs, domain names, and IP addresses; and configuration with white lists of sites that are permitted to be accessed through the proxy.
Vis/Attrib: Require all remote access (including VPN, dial-up, and other forms) to use two-factor authentication.
Config/Hygiene: Conduct periodic penetration tests against DMZs from the Internet to determine whether such attacks are detected and/or thwarted.
Config/Hygiene: Periodically scan for back-channel connections to the Internet that bypass the DMZ.
Config/Hygiene: To limit access by an insider or malware spreading on an internal network, organizations should devise internal network segmentation schemes to limit traffic to only those services needed for business use across the internal network.
Config/Hygiene: Organizations should develop plans for rapidly deploying filters on internal networks to help stop the spread of malware or an intruder.
Advanced: Force outbound traffic to the Internet through an authenticated proxy server on the enterprise perimeter. Most organizations already use domain authentication to traverse these routes, and could implement additional authentication through external proxy servers that require a daily password.
Advanced: To help identify covert channels exfiltrating data through a firewall, configure the built-in session tracking mechanisms included in many commercial firewalls to identify long-term TCP sessions that last over one hour, and alert personnel with the source and destination addresses associated with these long-term sessions.
Advanced: Require all authentication, both internal and external, to use two-factor authentication.
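The long-session check described in the covert-channel item above, as an added example that is not part of this control's text: it parses a constructed, simplified key=value session export (not any real vendor's log format), ignores non-TCP records, and reports the source and destination of every TCP session that has lasted over one hour, measuring still-open sessions against a supplied "now" so that a connection the firewall has not yet closed is also reported.

```python
from datetime import datetime, timezone

LONG_SESSION_SECONDS = 3600  # the one-hour threshold named in the control

# Constructed sample export (simplified key=value format, not a real vendor
# format): a short session, a long closed TCP session, a long UDP session
# (ignored), and a TCP session still open when the export was taken (no end=).
SAMPLE_LOG = """\
proto=tcp src=10.20.5.17:51234 dst=203.0.113.10:443 start=2024-03-01T08:00:00Z end=2024-03-01T08:02:10Z
proto=tcp src=10.20.5.44:40022 dst=198.51.100.7:22 start=2024-03-01T07:00:00Z end=2024-03-01T09:15:00Z
proto=udp src=10.20.5.44:5353 dst=198.51.100.7:53 start=2024-03-01T07:00:00Z end=2024-03-01T09:15:00Z
proto=tcp src=10.20.9.3:55001 dst=192.0.2.200:8443 start=2024-03-01T06:30:00Z
"""

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_sessions(text):
    """Turn key=value records into dicts; 'end' is None for still-open sessions."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = dict(kv.split("=", 1) for kv in line.split())
        sessions.append({"proto": f["proto"], "src": f["src"], "dst": f["dst"],
                         "start": parse_ts(f["start"]),
                         "end": parse_ts(f["end"]) if "end" in f else None})
    return sessions

def long_tcp_sessions(sessions, now, threshold=LONG_SESSION_SECONDS):
    """Return (src, dst, seconds) for TCP sessions longer than the threshold.
    Open sessions are measured up to `now`, so a connection that has been up
    for hours is reported even though the firewall has not yet closed it."""
    alerts = []
    for s in sessions:
        if s["proto"] != "tcp":
            continue
        duration = ((s["end"] or now) - s["start"]).total_seconds()
        if duration > threshold:
            alerts.append((s["src"], s["dst"], int(duration)))
    return alerts

if __name__ == "__main__":
    now = parse_ts("2024-03-01T09:30:00Z")
    for src, dst, secs in long_tcp_sessions(parse_sessions(SAMPLE_LOG), now):
        print(f"ALERT long TCP session {src} -> {dst} ({secs}s)")
```

In production the same logic would read the firewall's session export or API rather than an inline string, and the alert would be routed to the monitoring team named in the control.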
Procedures and tools for implementing this control:
One element of this control can be implemented using free or commercial intrusion detection systems (IDSs) and sniffers to look for attacks from external sources directed at DMZ and internal systems, as well as attacks originating from internal systems against the DMZ or Internet. Security personnel should regularly test these sensors