
1.3.2 Outbound traffic from the CDE is restricted to only traffic that is necessary and all other traffic is specifically denied.

Original requirement from PCI DSS v4.0.1

Defined Approach Requirements

1.3.2 Outbound traffic from the CDE is restricted as follows:

  • To only traffic that is necessary.
  • All other traffic is specifically denied.

Defined Approach Testing Procedures

1.3.2.a Examine configuration standards for NSCs to verify that they define restricting outbound traffic from the CDE in accordance with all elements specified in this requirement.

1.3.2.b Examine configurations of NSCs to verify that outbound traffic from the CDE is restricted in accordance with all elements specified in this requirement.

Purpose

This requirement aims to prevent malicious individuals and compromised system components within the entity's network from communicating with an untrusted external host.

Good Practice

All traffic outbound from the CDE, regardless of the destination, should be evaluated to ensure it follows established, authorized rules. Connections should be inspected to restrict traffic to only authorized communications, for example by restricting source/destination addresses and ports, and blocking of content.

Implementing a rule that denies all inbound and outbound traffic that is not specifically needed, for example by using an explicit "deny all" or an implicit deny-after-allow statement, helps to prevent inadvertent holes that would allow unintended and potentially harmful traffic.
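The following is an added example, not text or code from the PCI SSC or WithPCI, showing how an assessor could script the check behind testing procedure 1.3.2.b: it audits an exported list of NSC egress rules for the CDE and flags allow rules with unrestricted destinations or ports, allow rules with no documented business need, a missing final deny-all, and rules shadowed behind the deny-all. The `Rule` structure, the zone name "CDE" and the addresses are assumptions constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Rule:
    action: str              # "allow" or "deny"
    src: str                 # source zone, e.g. "CDE"
    dst: str                 # destination host/network, or "any"
    port: str                # destination protocol/port, e.g. "tcp/443", or "any"
    justification: str = ""  # documented business need for the flow


def is_deny_all(rule):
    return rule.action == "deny" and rule.dst == "any" and rule.port == "any"


def audit_egress(rules, cde_zone="CDE"):
    """Return findings for outbound rules whose source is the CDE (1.3.2.b)."""
    findings = []
    cde_rules = [r for r in rules if r.src == cde_zone]
    deny_all_seen = False
    for i, r in enumerate(cde_rules, 1):
        if deny_all_seen:
            findings.append(f"rule {i}: unreachable, follows the deny-all rule")
            continue
        if r.action == "allow":
            if r.dst == "any":
                findings.append(f"rule {i}: allows {cde_zone} to reach any destination")
            if r.port == "any":
                findings.append(f"rule {i}: allows {cde_zone} to use any port")
            if not r.justification:
                findings.append(f"rule {i}: allow rule has no documented business need")
        elif is_deny_all(r):
            deny_all_seen = True
    if not deny_all_seen:
        findings.append(f"no explicit final deny-all for outbound traffic from {cde_zone}")
    return findings


# Constructed sample rule sets; addresses are placeholders, not real systems.
WEAK_RULES = [
    Rule("allow", "CDE", "any", "any"),                         # blanket egress
    Rule("allow", "CDE", "10.0.5.20", "tcp/53", "internal DNS"),
]                                                               # no terminating deny
HARDENED_RULES = [
    Rule("allow", "CDE", "10.0.5.30", "tcp/443", "payment processor API via proxy"),
    Rule("allow", "CDE", "10.0.5.21", "udp/123", "time sync (NTP)"),
    Rule("deny", "CDE", "any", "any", "PCI DSS 1.3.2 default deny"),
]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, audit_egress(rules) or ["no findings"])
```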

Purpose

Prevent unauthorized egress from the CDE.

What's required for compliance

  • NSC rules restrict outbound CDE traffic to only what’s needed.
  • Explicit deny for all other traffic.

Compliance strategies

  • Egress filtering
  • Allow-listing
  • Regular outbound traffic analysis

Typical policies and procedures

  • Data Loss Prevention Policy
  • Outbound Traffic Logging

Common pitfalls and failures

  • Unmonitored outbound traffic

Type

Technical Control

Difficulty

High

Key risks

  • Theft of cardholder data

Product vendor recommendations

  • Deploy DLP solutions (Symantec, McAfee)

Eligible SAQ

  • SAQ-A-EP
  • SAQ-B-IP
  • SAQ-C
  • SAQ-C-VT
  • SAQ-D MERCHANT
  • SAQ-D SERVICE PROVIDER
