13.4 Perform Traffic Filtering Between Network Segments

Implementation Groups: IG2, IG3
Asset Type: Network
Security Function: Protect

Description

Perform traffic filtering between network segments, where appropriate.

Implementation Checklist

1. Assess current protection controls in place
2. Configure and deploy required security controls
3. Test control effectiveness in non-production environment
4. Deploy to production and verify functionality
5. Document configuration and operational procedures
6. Review and document current network architecture
7. Define segmentation zones and trust boundaries
8. Implement segmentation controls
9. Test that segmentation is effective

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Unrestricted Lateral Movement Between Network Segments

Confidentiality

An attacker who compromises a workstation in the general user segment can directly access database servers and critical infrastructure because no traffic filtering exists between network segments.

Malware Propagation Across Flat Network

Availability

A worm or ransomware variant rapidly spreads from an infected endpoint to servers across all segments because inter-segment traffic is not filtered or restricted.

Unauthorized Access to Sensitive Segments from Compromised IoT Device

Confidentiality

A compromised IoT device on the corporate network gains direct access to PCI or sensitive data segments because no inter-segment traffic filtering policies restrict communication paths.

Vulnerabilities (When Safeguard Absent)

Flat Network Architecture Without Segmentation Enforcement

Without traffic filtering between segments, all network zones can communicate freely, eliminating containment boundaries and allowing compromises to spread across the entire network.

No Access Control Between Trust Zones

Absence of inter-segment filtering means high-security zones like payment processing or database tiers are reachable from lower-trust zones such as guest Wi-Fi or general workstations.
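As an added example (not part of the CIS safeguard text), a small Python check for checklist step 9, "Test that segmentation is effective": it evaluates a constructed zone-to-zone filtering ruleset with first-match, default-deny semantics and reports every path from a low-trust zone (guest Wi-Fi, general workstations, IoT) into a high-trust zone (database, PCI), which are exactly the paths the threat scenarios above describe. The zone names, rule format, probe ports and sample rules are assumptions made for the illustration.

```python
"""Check an inter-segment firewall ruleset against declared trust boundaries.

Added example, not part of the CIS safeguard text. Zone names, the rule
format and the sample rules below are constructed for illustration.
"""
from dataclasses import dataclass

ANY = "*"

@dataclass(frozen=True)
class Rule:
    src: str      # source zone or "*"
    dst: str      # destination zone or "*"
    port: object  # TCP port number or "*"
    action: str   # "allow" or "deny"

def first_match(rules, src, dst, port, default="deny"):
    """First-match evaluation with an implicit default-deny at the end."""
    for r in rules:
        if r.src in (ANY, src) and r.dst in (ANY, dst) and r.port in (ANY, port):
            return r.action
    return default

# Constructed trust boundaries: lower-trust zones must never reach these zones.
HIGH_TRUST = {"database", "pci"}
LOW_TRUST = {"guest_wifi", "workstations", "iot"}

# Constructed sample ruleset; the broad IoT rule models the flat-network mistake.
RULES = [
    Rule("workstations", "app_tier", 443, "allow"),
    Rule("app_tier", "database", 5432, "allow"),
    Rule("iot", ANY, ANY, "allow"),  # any-to-any from IoT defeats segmentation
    Rule("guest_wifi", "internet", 443, "allow"),
]

PROBE_PORTS = (22, 443, 1433, 3306, 3389, 5432)

def find_violations(rules, low=LOW_TRUST, high=HIGH_TRUST, ports=PROBE_PORTS):
    """Return (src, dst, port) where a low-trust zone can reach a high-trust zone."""
    return sorted(
        (s, d, p)
        for s in low for d in high for p in ports
        if first_match(rules, s, d, p) == "allow"
    )

if __name__ == "__main__":
    for s, d, p in find_violations(RULES):
        print(f"VIOLATION: {s} -> {d}:{p} permitted")
```

With the over-broad IoT rule removed the check returns no violations; in practice the probe port list should mirror the services actually exposed in the high-trust zones, and the ruleset should be exported from the real filtering device rather than typed in.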

Evidence Requirements

Type: Technical
Evidence Item: Configuration screenshots or exports showing protection controls enabled
Collection Frequency: Captured quarterly

Type: Document
Evidence Item: Procedure documentation for protection measures
Collection Frequency: Reviewed annually

Type: Document
Evidence Item: Governing policy document (current, approved, communicated)
Collection Frequency: Reviewed annually