12.3
IG2 IG3

Securely Manage Network Infrastructure

Asset Type: Network
Security Function: Protect

Description

Securely manage network infrastructure. Example implementations include version-controlled-infrastructure-as-code, and the use of secure network protocols, such as SSH and HTTPS.

Implementation Checklist

1. Assess current protection controls in place
2. Configure and deploy required security controls
3. Test control effectiveness in non-production environment
4. Deploy to production and verify functionality
5. Document configuration and operational procedures

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Network Device Compromise via Insecure Management Protocols

Confidentiality

Attackers intercept network device management traffic using insecure protocols (Telnet, HTTP, SNMPv1/v2) to capture administrative credentials, then use those credentials to reconfigure devices, create backdoor access, or disrupt network services.

Unauthorized Network Configuration Changes via Uncontrolled Access

Integrity

Network device configurations are modified without version control, change management, or audit trails, and unauthorized changes create security gaps such as opened firewall rules, disabled logging, or new route entries that redirect traffic.

Network Infrastructure Backdoor via Unmonitored Management Plane

Confidentiality

Attackers establish persistent access to network devices through unmonitored management interfaces, creating backdoor accounts or modifying device configurations in ways that persist across reboots and remain undetected.

Vulnerabilities (When Safeguard Absent)

Insecure Network Management Protocols in Use

Network devices are managed using unencrypted protocols (Telnet, HTTP, SNMPv1/v2c) that transmit credentials and configuration data in cleartext, allowing network-positioned attackers to intercept administrative access.

No Version Control or Change Management for Network Configurations

Network device configurations are not managed through version-controlled infrastructure-as-code or change management processes, making it impossible to detect unauthorized changes, roll back misconfigurations, or audit who changed what.
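
As an added illustration of checking for the two vulnerabilities above (not part of the CIS safeguard text), the Python below flags cleartext management settings in a device configuration export and lists where the running configuration has drifted from a version-controlled baseline. It assumes Cisco IOS-style syntax; the function names, the hostname, the account name and both sample configurations are constructed for this example.

```python
import difflib
import re

# Assumption: Cisco IOS-style syntax. Patterns cover the cleartext protocols named above.
INSECURE = [
    ("telnet", re.compile(r"^\s*transport input\b.*\b(telnet|all)\b")),
    ("http", re.compile(r"^\s*ip http server\b")),
    ("snmp-v1/v2c", re.compile(r"^\s*snmp-server community\b")),
]

def find_insecure_mgmt(config):
    """Return (line_no, protocol, line) for each cleartext management setting."""
    findings = []
    for no, line in enumerate(config.splitlines(), 1):
        for proto, pattern in INSECURE:
            if pattern.search(line):
                findings.append((no, proto, line.strip()))
                break
    return findings

def drift(baseline, running):
    """Return '+ '/'- ' lines where the running config departs from the baseline."""
    delta = difflib.ndiff(baseline.splitlines(), running.splitlines())
    return [d for d in delta if d.startswith(("+ ", "- "))]

# Constructed sample data: the baseline as committed to version control ...
BASELINE = """\
hostname edge-sw1
no ip http server
ip http secure-server
line vty 0 4
 transport input ssh
"""
# ... and a constructed export of the same device's running configuration.
RUNNING = """\
hostname edge-sw1
ip http server
ip http secure-server
snmp-server community public RO
username tmpadmin privilege 15
line vty 0 4
 transport input telnet ssh
"""

if __name__ == "__main__":
    for no, proto, line in find_insecure_mgmt(RUNNING):
        print(f"line {no}: {proto}: {line}")
    for change in drift(BASELINE, RUNNING):
        print("drift:", change)
```

The drift list also surfaces changes that no protocol pattern matches, such as the added privileged account, which is why the baseline comparison complements the protocol check.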

Evidence Requirements

Type | Evidence Item | Collection Frequency
Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly
Document | Procedure documentation for protection measures | Reviewed annually
Document | Governing policy document (current, approved, communicated) | Reviewed annually