12.2 Establish and Maintain a Secure Network Architecture
Implementation Groups: IG2, IG3

Asset Type: Network
Security Function: Protect

Description

Establish and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum.

Implementation Checklist

1. Assess current protection controls in place
2. Configure and deploy required security controls
3. Test control effectiveness in non-production environment
4. Deploy to production and verify functionality
5. Document configuration and operational procedures
6. Review and document current network architecture
7. Define segmentation zones and trust boundaries
8. Implement segmentation controls
9. Test that segmentation is effective
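As an added example (not from the CIS Controls page or any CIS tool), the following Python models steps 7 to 9 of the checklist: zones and trust boundaries as an explicit least-privilege allow-list, default-deny evaluation of each cross-zone flow, and a check of flow records for traffic the segmentation should have blocked. The zone ranges, ports and sample flow records are assumptions constructed for illustration.

```python
import ipaddress

# Hypothetical zone map (constructed for this example): zone name -> CIDR.
ZONES = {
    "user_workstations": ipaddress.ip_network("10.10.0.0/16"),
    "app_servers": ipaddress.ip_network("10.20.0.0/24"),
    "databases": ipaddress.ip_network("10.30.0.0/24"),
    "management": ipaddress.ip_network("10.99.0.0/24"),
}
# Least-privilege allow-list of (source zone, destination zone, destination port);
# any cross-zone flow not listed here is denied by default.
ALLOWED_FLOWS = {
    ("user_workstations", "app_servers", 443),
    ("app_servers", "databases", 5432),
    ("management", "app_servers", 22),
}

def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the defined ranges is untrusted."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "untrusted"

def is_permitted(src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """Default-deny check of one flow against the allow-list."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return True  # intra-zone traffic is outside this check's scope
    return (src, dst, dst_port) in ALLOWED_FLOWS

def find_violations(flow_log: list[str]) -> list[tuple[str, str, int]]:
    """Parse 'src_ip dst_ip dst_port' records; return flows the boundaries should have blocked."""
    flows = [(s, d, int(p)) for s, d, p in (line.split() for line in flow_log)]
    return [f for f in flows if not is_permitted(*f)]

# Constructed sample records of flows the firewall actually allowed.
SAMPLE_FLOWS = [
    "10.10.4.7 10.20.0.5 443",   # workstation -> app server over HTTPS: expected
    "10.20.0.5 10.30.0.9 5432",  # app server -> database: expected
    "10.10.4.7 10.30.0.9 5432",  # workstation straight to database: gap
    "10.10.4.7 10.99.0.2 22",    # workstation to management SSH: gap
    "10.10.4.7 10.10.4.8 445",   # intra-zone SMB: not assessed here
]

if __name__ == "__main__":
    for src, dst, port in find_violations(SAMPLE_FLOWS):
        print(f"segmentation gap: {src} -> {dst}:{port}")
```

Running the same check against an export of flows permitted by the production firewall, rather than the constructed sample, is one way to evidence step 9 and keep the allow-list as the documented trust-boundary definition from step 7.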

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Lateral Movement Through Flat Network Architecture

Confidentiality

Attackers who compromise a single endpoint move freely across the entire network because no segmentation exists, accessing databases, file servers, and critical systems that should be isolated from general user traffic.

Widespread Ransomware Propagation Across Unsegmented Network

Availability

Ransomware spreads to every reachable system on the network because the lack of segmentation provides no barriers to propagation, turning a single-host infection into an enterprise-wide encryption event.

Privilege Escalation via Network Architecture Flaws

Integrity

A network architecture that does not enforce least privilege allows users and systems to access network resources far beyond their operational needs, enabling attackers to reach high-value targets from any compromised entry point.

Vulnerabilities (When Safeguard Absent)

Flat Network with No Segmentation

The network architecture provides no segmentation between user workstations, servers, databases, management interfaces, and critical infrastructure, allowing unrestricted lateral communication between all network zones.

No Network Architecture Based on Least Privilege

Network access rules do not enforce least privilege principles, allowing systems and users to communicate with any network resource rather than only those required for their specific business function.

Evidence Requirements

Type        Evidence Item                                                              Collection Frequency
Technical   Configuration screenshots or exports showing protection controls enabled   Captured quarterly
Document    Procedure documentation for protection measures                            Reviewed annually
Document    Governing policy document (current, approved, communicated)                Reviewed annually