12.5 (IG2, IG3)

Centralize Network Authentication, Authorization, and Auditing (AAA)

Asset Type: Network
Security Function: Protect

Description

Centralize network AAA.

Implementation Checklist

1. Assess current protection controls in place
2. Configure and deploy required security controls
3. Test control effectiveness in non-production environment
4. Deploy to production and verify functionality
5. Document configuration and operational procedures
6. Select centralized management platform
7. Integrate all in-scope systems and data sources
8. Configure dashboards and reporting

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Inconsistent Authentication Across Network Devices

Confidentiality

Without centralized AAA, each network device maintains its own local authentication database with inconsistent password policies, no MFA capability, and credentials that persist after employee termination, enabling unauthorized access.

Terminated Employee Retaining Network Device Access

Integrity

When employees leave the organization, their access to network devices persists because local accounts on routers, switches, and firewalls are not linked to centralized identity management and must be individually removed from each device.

No Audit Trail for Network Device Administrative Actions

Integrity

Without centralized accounting, administrative actions on network devices are not consistently logged or attributed to specific users, making it impossible to determine who made configuration changes or investigate suspicious activity.

Vulnerabilities (When Safeguard Absent)

Decentralized Network Device Authentication

Network devices rely on local user accounts rather than centralized authentication (RADIUS, TACACS+, Active Directory), creating hundreds of unmanaged local credentials with no centralized password policy, rotation, or lifecycle management.

No Centralized Authorization or Accounting for Network Management

Network device access lacks centralized authorization policies defining who can execute which commands, and there is no centralized accounting of administrative actions, so role-based access control cannot be enforced and no audit trail is generated.
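As an added example (not part of the safeguard text), the check below scans device configuration exports for the three AAA pillars and reports devices that still depend on local accounts, the kind of evidence the assessment step and the quarterly configuration export call for. The IOS-style command syntax and the two sample configurations are assumptions constructed for the illustration.

```python
import re

# Constructed configuration exports in IOS-style syntax (illustrative only;
# the vendor syntax is an assumption, not something this safeguard specifies).
DEVICE_CONFIGS = {
    "core-sw-01": """
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
username breakglass privilege 15 secret 9 <redacted>
""",
    "branch-rtr-07": """
username admin privilege 15 secret 5 <redacted>
username jsmith privilege 15 secret 5 <redacted>
username netops privilege 15 secret 5 <redacted>
line vty 0 4
 login local
""",
}

# Each AAA pillar must point at a central server group. Per-command authorization
# and accounting are TACACS+ functions; login authentication may also use RADIUS.
REQUIRED = {
    "authentication": re.compile(r"^aaa authentication login \S+ group (?:tacacs\+|radius)", re.M),
    "command authorization": re.compile(r"^aaa authorization commands \d+ \S+ group tacacs\+", re.M),
    "command accounting": re.compile(r"^aaa accounting commands \d+ \S+ start-stop group tacacs\+", re.M),
}
LOCAL_USER = re.compile(r"^username (\S+)", re.M)


def assess(device, config):
    """Return the centralized-AAA findings for one configuration export."""
    findings = []
    if not re.search(r"^aaa new-model", config, re.M):
        findings.append("AAA not enabled (no 'aaa new-model')")
    for pillar, pattern in REQUIRED.items():
        if not pattern.search(config):
            findings.append(f"no centralized {pillar}")
    local_users = LOCAL_USER.findall(config)  # accounts outside central lifecycle management
    if local_users and "no centralized authentication" in findings:
        findings.append(f"relies solely on {len(local_users)} local account(s): {', '.join(local_users)}")
    return {"device": device, "compliant": not findings,
            "local_users": local_users, "findings": findings}


def assess_all(configs=DEVICE_CONFIGS):
    return {name: assess(name, cfg) for name, cfg in configs.items()}


if __name__ == "__main__":
    for result in assess_all().values():
        status = "OK  " if result["compliant"] else "FAIL"
        print(status, result["device"], "; ".join(result["findings"]) or "centralized AAA configured")
```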

Evidence Requirements

Type       Evidence Item                                                              Collection Frequency
Technical  Configuration screenshots or exports showing protection controls enabled   Captured quarterly
Document   Procedure documentation for protection measures                            Reviewed annually
Document   Governing policy document (current, approved, communicated)                Reviewed annually