12.6
IG2 IG3

Use of Secure Network Management and Communication Protocols 

Asset Type: Network
Security Function: Protect

Description

Use secure network management and communication protocols (e.g., 802.1X, Wi-Fi Protected Access 2 (WPA2) Enterprise or greater).

Implementation Checklist

1. Assess current protection controls in place
2. Configure and deploy required security controls
3. Test control effectiveness in non-production environment
4. Deploy to production and verify functionality
5. Document configuration and operational procedures
6. Inventory all wireless access points
7. Configure WPA3/WPA2-Enterprise authentication
8. Isolate guest wireless from corporate network

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Wireless Network Eavesdropping via Weak Protocols

Confidentiality

Attackers intercept wireless traffic using deprecated protocols (WEP, WPA1, or open networks) to capture credentials, session tokens, and sensitive data transmitted over the air, requiring only commodity hardware and freely available tools.

Rogue Device Connection via Unauthenticated Network Access

Integrity

Without 802.1X or equivalent port-based authentication, any device can connect to the network by plugging into an Ethernet port, allowing attackers to place rogue devices, packet sniffers, or attack platforms on the internal network.

Man-in-the-Middle Attack on Insecure Network Protocols

Confidentiality

Insecure network management and communication protocols allow attackers positioned on the network to intercept, modify, or inject traffic between network devices and management stations, compromising device configurations and data integrity.

Vulnerabilities (When Safeguard Absent)

Weak Wireless Security Protocols Deployed

Wireless networks use deprecated security protocols (WEP, WPA-Personal) instead of WPA2/WPA3 Enterprise, providing weak encryption and authentication that can be cracked with readily available tools.

No 802.1X Port-Based Network Access Control

Wired and wireless network access lacks 802.1X authentication, allowing any device to connect to the network without verifying its identity or authorization, bypassing network security policies entirely.
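
An added example, not part of the original page: one way to check exported access point configurations for the weak-protocol and missing-802.1X conditions described above. It assumes the exports are hostapd-style key=value files (hostapd is not named on the page); the file names, SSIDs and configuration contents are constructed.

```python
# Added example: audit hostapd-style AP config exports (all sample data is constructed).

def parse_conf(text):
    """Parse key=value lines, skipping blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit_ap(text):
    """Return (ssid, findings); an empty findings list means Enterprise-only."""
    conf = parse_conf(text)
    findings = []
    wpa = int(conf.get("wpa", "0"))  # hostapd bitfield: 1 = WPA1, 2 = RSN (WPA2/WPA3)
    key_mgmt = conf.get("wpa_key_mgmt", "").split()
    if any(k.startswith("wep_key") for k in conf):
        findings.append("WEP keys configured")
    if wpa == 0:
        findings.append("no WPA/RSN enabled (open or WEP network)")
    if wpa & 1:
        findings.append("WPA1 enabled")
    if wpa and any("PSK" in k or "SAE" in k for k in key_mgmt):
        findings.append("pre-shared-key (Personal) authentication allowed")
    if wpa and not any("EAP" in k for k in key_mgmt):
        findings.append("no EAP (Enterprise) key management")
    if wpa and conf.get("ieee8021x", "0") != "1":
        findings.append("802.1X not enabled")
    return conf.get("ssid", "<unnamed>"), findings

# Constructed configuration exports, keyed by a hypothetical file name.
SAMPLES = {
    "ap-lobby.conf": "ssid=Guest\nauth_algs=1\n",
    "ap-warehouse.conf": "ssid=Scanners\nwpa=3\nwpa_key_mgmt=WPA-PSK\n"
                         "wpa_passphrase=example-only\n",
    "ap-office.conf": "ssid=Corp\nwpa=2\nieee8021x=1\n"
                      "wpa_key_mgmt=WPA-EAP WPA-EAP-SHA256\nrsn_pairwise=CCMP\n",
}

def audit_all(samples):
    """Audit every export and map file name -> (ssid, findings)."""
    return {name: audit_ap(text) for name, text in samples.items()}

if __name__ == "__main__":
    for name, (ssid, findings) in audit_all(SAMPLES).items():
        verdict = "PASS" if not findings else "FAIL: " + "; ".join(findings)
        print(f"{name} [{ssid}]: {verdict}")
```

The per-AP findings can be attached to the quarterly configuration evidence listed under Evidence Requirements.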

Evidence Requirements

Type | Evidence Item | Collection Frequency
Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly
Document | Procedure documentation for protection measures | Reviewed annually
Document | Governing policy document (current, approved, communicated) | Reviewed annually