II.C.9     Network Controls

Action Summary

Management should secure access to computer networks through multiple layers of access controls by doing the following:

  • Establishing zones (e.g., trusted and untrusted) according to the risk profile and criticality of assets contained within the zones and appropriate access requirements within and between each security zone.
  • Maintaining accurate network diagrams and data flow charts.
  • Implementing appropriate controls over wired and wireless networks.

Networks should be protected by a secure boundary, identifying "trusted" and "untrusted" zones. Internal zones, typically trusted, should segregate various components into distinct areas, each with the level of controls appropriate to the content and function of the assets within the zone. The institution's trusted network should be protected through appropriate configuration and patch management, privileged access controls, segregation of duties, implementation of effective security policies, and use of perimeter devices and systems to prevent and detect unauthorized access. Tools used to enforce and detect perimeter protection include routers, firewalls, intrusion detection systems (IDS) and intrusion prevention systems, proxies, gateways, jump boxes,A jump box, or jump server, provides administrators with access to or control of other servers or devices in the network. Because of this capability, additional security measures should be implemented. demilitarized zones, virtual private networks (VPN), virtual LANs (VLAN), log monitoring and network traffic inspecting systems, data loss prevention (DLP) systems, and access control lists.

The trusted network should be further segregated into internal layers, including production, staging, and development environments. Within those environments, management should consider segregating sensitive traffic, by using Voice Over Internet ProtocolVOIP is the transmission of voice telephone conversations using the Internet or IP networks. (VOIP) and network management (such as virtualization infrastructure that carries server boot images between storage devices and hosts). Each zone should have a security policy appropriate to its use, ensuring that zone restrictions are defined by risk, sensitivity of data, user roles, and appropriate access to application systems. Access to zones should be controlled according to the principle of least privilege and segregation of duties. To ensure appropriate network security, management should maintain accurate network and data flow diagrams, and store them securely, providing access only to essential personnel. These diagrams should identify hardware, software, and network components, internal and external connections, and types of information passed between systems to facilitate the development of a defense-in-depth security architecture.


Previous Section
II.C.8 Physical Security
Next Section
II.C.9(a) Wireless Network Considerations