13.10
IG3

Perform Application Layer Filtering

Asset Type: Network
Security Function: Protect

Description

Perform application layer filtering. Example implementations include a filtering proxy, application layer firewall, or gateway.

Implementation Checklist

1. Assess current protection controls in place
2. Configure and deploy required security controls
3. Test control effectiveness in non-production environment
4. Deploy to production and verify functionality
5. Document configuration and operational procedures
6. Review and document current firewall rule sets
7. Define required firewall rules based on business needs
8. Implement and test firewall rules
9. Schedule periodic rule review and cleanup

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Application-Layer Attack Bypassing Port-Based Firewall Rules

Integrity

An attacker delivers a web application exploit over port 443 that a traditional packet-filtering firewall permits, because no application layer filtering inspects HTTP request content for malicious payloads.

Data Exfiltration Tunneled Through Allowed Application Protocols

Confidentiality

An attacker exfiltrates data by tunneling it through DNS queries or HTTPS traffic that port-based firewalls permit; the attack succeeds because no application-layer inspection identifies the covert channel.

Malicious File Upload via Permitted Web Traffic

Integrity

An attacker uploads a web shell to a server through a legitimate HTTP POST request that passes through network firewalls, because no Layer 7 filtering or WAF inspects the content of allowed traffic.

Vulnerabilities (When Safeguard Absent)

No Deep Packet Inspection at Application Layer

Without application layer filtering, network security controls only evaluate traffic at the transport layer, allowing all forms of application-level attacks that use permitted ports and protocols.

Inability to Detect Protocol Abuse and Tunneling

Absence of Layer 7 inspection means attackers can abuse legitimate protocols for command-and-control communication, data exfiltration, and covert channels without detection.
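The three threat scenarios and the two vulnerabilities above share one root cause: a transport-layer filter decides on port numbers alone, so anything carried over a permitted port is allowed. The following Python program is an added example written for this page, not code from the CIS Controls or from any WAF or proxy product. It contrasts a port-only verdict with a minimal Layer 7 inspector that parses an HTTP request, looks inside a multipart upload for a server-side script disguised as an image (the web shell scenario), flags a traversal payload in a request line (the exploit-over-443 scenario), and applies a length/entropy heuristic to DNS query names (the tunneling scenario). Every function name, threshold, rule and sample message is constructed for illustration; a real filtering proxy or application layer firewall would carry a maintained rule set in place of these few checks.

```python
# Added example (not from the CIS Controls page): what a port-based packet filter
# cannot see versus what a Layer 7 inspector sees. All rules, thresholds and sample
# traffic are constructed for illustration, not a production rule set.
import math
import re
from dataclasses import dataclass, field
from urllib.parse import unquote

PERMITTED_PORTS = {53, 80, 443}   # constructed transport-layer policy: DNS, HTTP, HTTPS


def transport_layer_verdict(dst_port: int) -> str:
    """A packet filter sees only the 5-tuple; the payload is never examined."""
    return "allow" if dst_port in PERMITTED_PORTS else "deny"


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def _parse_headers(block: str) -> dict:
    headers = {}
    for line in block.split("\r\n"):
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def parse_http_request(raw: bytes) -> HttpRequest:
    """Parse a raw HTTP/1.1 request (just enough of it for content inspection)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, header_block = head.decode("latin-1").partition("\r\n")
    method, path, _version = request_line.split(" ", 2)
    return HttpRequest(method, path, _parse_headers(header_block), body)


def multipart_parts(content_type: str, body: bytes):
    """Yield (part_headers, part_body) for each part of a multipart/form-data body."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        return
    delimiter = b"--" + m.group(1).encode()
    for chunk in body.split(delimiter):
        chunk = chunk.strip(b"\r\n")
        if not chunk or chunk.startswith(b"--"):   # preamble or the closing "--"
            continue
        head, _, part_body = chunk.partition(b"\r\n\r\n")
        yield _parse_headers(head.decode("latin-1")), part_body


SCRIPT_EXTENSIONS = (".php", ".phtml", ".jsp", ".asp", ".aspx")
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<%@", b"<jsp:")   # server-side script tags


def inspect_http(req: HttpRequest) -> list:
    """Layer 7 checks a WAF or filtering proxy applies to traffic the port filter permits."""
    findings = []
    decoded_path = unquote(req.path)
    if "../" in decoded_path or "..\\" in decoded_path:     # exploit payload in the request line
        findings.append("path-traversal")
    ctype = req.headers.get("content-type", "")
    if req.method == "POST" and ctype.startswith("multipart/form-data"):
        for part_headers, part_body in multipart_parts(ctype, req.body):
            fname = re.search(r'filename="([^"]*)"', part_headers.get("content-disposition", ""))
            if fname and fname.group(1).lower().endswith(SCRIPT_EXTENSIONS):
                findings.append("script-extension")   # executable extension in an upload
            if part_headers.get("content-type", "").startswith("image/") and \
                    any(marker in part_body for marker in SCRIPT_MARKERS):
                findings.append("script-in-image")    # declared image, contains script
    return findings


def shannon_entropy(s: str) -> float:
    if not s:
        return 0.0
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))


def inspect_dns_query(qname: str, max_label=30, max_subdomain=60, max_entropy=3.8) -> dict:
    """Tunneling heuristic: long or high-entropy labels below the registered domain.
    Assumes the last two labels are the registered domain (no public-suffix list here)."""
    labels = qname.rstrip(".").split(".")
    subdomain = "".join(labels[:-2])
    reasons = []
    if max(len(label) for label in labels) > max_label:
        reasons.append("long-label")
    if len(subdomain) > max_subdomain:
        reasons.append("long-subdomain")
    if len(subdomain) >= 20 and shannon_entropy(subdomain) > max_entropy:
        reasons.append("high-entropy")
    return {"qname": qname, "flagged": bool(reasons), "reasons": reasons}


# Constructed sample traffic (placeholders, not real attack payloads).
SAMPLE_UPLOAD = (
    b"POST /upload HTTP/1.1\r\nHost: app.example\r\n"
    b"Content-Type: multipart/form-data; boundary=XYZ\r\n\r\n"
    b"--XYZ\r\n"
    b'Content-Disposition: form-data; name="avatar"; filename="avatar.php"\r\n'
    b"Content-Type: image/png\r\n\r\n"
    b"<?php /* constructed placeholder */ ?>\r\n"
    b"--XYZ--\r\n"
)
SAMPLE_TRAVERSAL = b"GET /files?name=..%2F..%2Fconfig HTTP/1.1\r\nHost: app.example\r\n\r\n"
SAMPLE_BENIGN_GET = b"GET /index.html HTTP/1.1\r\nHost: app.example\r\n\r\n"
SAMPLE_TUNNEL_QNAME = "nbswy3dpeb3w64tmmqqhi2djomqgs4zanfzsaylo.q1.tunnel.example."

if __name__ == "__main__":
    for port, raw in ((443, SAMPLE_UPLOAD), (443, SAMPLE_TRAVERSAL), (80, SAMPLE_BENIGN_GET)):
        req = parse_http_request(raw)
        print(f"port filter: {transport_layer_verdict(port)}  layer 7: {inspect_http(req)}")
    for qname in (SAMPLE_TUNNEL_QNAME, "www.example.com"):
        print(f"port filter: {transport_layer_verdict(53)}  layer 7: {inspect_dns_query(qname)}")
```

Running the script prints "allow" from the port filter for every sample, while the Layer 7 checks flag the script upload, the traversal request and the long DNS label and pass the benign request and query. Two practitioner caveats apply: the HTTPS case only works where the proxy or WAF terminates TLS, since an inspector that sees only ciphertext is no better than the port filter, and the DNS thresholds here will produce false positives on legitimate services that use long, random-looking hostnames (content delivery networks, some mail providers), so a deployed control needs an allow list and tuning against the environment's own baseline, which is what the checklist's test-in-non-production and periodic-review steps exist for.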

Evidence Requirements

Type      | Evidence Item                                                              | Collection Frequency
----------|----------------------------------------------------------------------------|---------------------
Technical | Configuration screenshots or exports showing protection controls enabled   | Captured quarterly
Document  | Procedure documentation for protection measures                            | Reviewed annually
Technical | Firewall rule set export and review documentation                          | Reviewed quarterly
Record    | Firewall change request and approval records                               | Per change
Document  | Governing policy document (current, approved, communicated)                | Reviewed annually