13.8 Deploy a Network Intrusion Prevention Solution
Implementation Group: IG3

Asset Type: Network
Security Function: Protect

Description

Deploy a network intrusion prevention solution, where appropriate. Example implementations include the use of a Network Intrusion Prevention System (NIPS) or equivalent CSP service.

Implementation Checklist

1. Assess current protection controls in place
2. Configure and deploy required security controls
3. Test control effectiveness in a non-production environment
4. Deploy to production and verify functionality
5. Document configuration and operational procedures

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Network-Level Exploit Delivery Targeting Vulnerable Services

Integrity

An attacker exploits a known vulnerability in an exposed network service by sending crafted packets that a firewall permits as legitimate traffic, succeeding because no network intrusion prevention system inspects payload content.

Automated Worm Propagation Across Network Boundaries

Availability

A network worm exploits a vulnerability in a common protocol and propagates across VLANs and subnets, as no inline network intrusion prevention system exists to detect and drop exploit traffic.

SQL Injection Attack Traversing Network to Database Tier

Confidentiality

An attacker sends SQL injection payloads through the network to a backend database server, and without an inline NIPS to inspect and block malicious query patterns, the attack succeeds.

Vulnerabilities (When Safeguard Absent)

No Inline Network Traffic Blocking for Exploit Payloads

Without a NIPS, known exploit signatures and malicious payloads traversing the network cannot be automatically dropped, allowing successful exploitation even when attack patterns are well-documented.

Network-Level Attacks Not Prevented in Real Time

Absence of network intrusion prevention means attacks are only detected after the fact rather than blocked inline, giving attackers time to complete exploitation before any response occurs.
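The contrast the scenarios and vulnerabilities above describe, as an added illustration that is not part of the CIS page or any vendor's product: a stateless firewall decides on addresses and ports only, so a request to a permitted port passes whatever its payload contains, while an inline NIPS applies the same policy and then inspects payload content against signatures before forwarding. The packets, allowed ports and signature patterns below are all constructed for the demo; a real NIPS uses protocol decoders and rule sets far larger than these three patterns, but the allow/drop contrast is the point.

```python
"""Header-only firewall vs. inline payload inspection (constructed example)."""
import re
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


# Constructed firewall policy: web ports and internal SMB are permitted.
# 445 is open between subnets on purpose, mirroring the worm scenario.
ALLOWED_PORTS = {80, 443, 445}


def firewall_decision(pkt: Packet) -> str:
    """Stateless rule: destination port only, payload is never examined."""
    return "allow" if pkt.dport in ALLOWED_PORTS else "drop"


# Constructed content signatures, in the spirit of Snort/Suricata content rules:
# (name, destination ports the rule applies to or None for any, byte pattern).
SIGNATURES = [
    ("sqli-tautology", {80, 443}, re.compile(rb"(?i)'\s*or\s+\d+\s*=\s*\d+")),
    ("sqli-comment-terminator", {80, 443}, re.compile(rb"'\s*--")),
    ("x86-nop-sled", None, re.compile(rb"\x90{16,}")),
]


def match_signatures(pkt: Packet) -> list:
    """Return the names of every signature whose port scope and pattern match."""
    hits = []
    for name, ports, pattern in SIGNATURES:
        if ports is not None and pkt.dport not in ports:
            continue
        if pattern.search(pkt.payload):
            hits.append(name)
    return hits


def ips_decision(pkt: Packet) -> tuple:
    """Inline NIPS: apply the firewall policy, then drop on the first signature hit."""
    if firewall_decision(pkt) == "drop":
        return ("drop", "policy")
    hits = match_signatures(pkt)
    if hits:
        return ("drop", hits[0])
    return ("allow", None)


# Constructed sample traffic: one benign request, one SQL injection attempt,
# one SMB packet carrying a NOP-sled-like run, and one policy-denied SSH attempt.
SAMPLE_PACKETS = {
    "legit_http": Packet("10.0.1.5", "10.0.2.10", 80,
                         b"GET /index.html HTTP/1.1\r\nHost: app\r\n\r\n"),
    "sqli_http": Packet("203.0.113.7", "10.0.2.10", 80,
                        b"POST /login HTTP/1.1\r\nHost: app\r\n\r\n"
                        b"user=admin' OR 1=1--&pw=x"),
    "smb_nop_sled": Packet("10.0.1.9", "10.0.3.4", 445,
                           b"\x00\x00\x00\x54\xffSMB" + b"\x90" * 32 + b"\xcc"),
    "ssh_blocked": Packet("203.0.113.7", "10.0.2.10", 22, b"SSH-2.0-OpenSSH"),
}


def compare(packets: dict) -> dict:
    """Map each sample name to (firewall_action, ips_action, ips_reason)."""
    return {name: (firewall_decision(p), *ips_decision(p)) for name, p in packets.items()}


if __name__ == "__main__":
    for name, (fw, ips, why) in compare(SAMPLE_PACKETS).items():
        print(f"{name:14} firewall={fw:5} nips={ips:5} reason={why}")
```

Running it shows the two packets the firewall allows but the NIPS drops (the SQL injection body on port 80 and the NOP-sled run on port 445); those are exactly the cases the "no inline blocking" vulnerability describes. Tuning is the operational cost: a signature written as loosely as the tautology pattern here will also drop legitimate requests that happen to contain that text, which is why the checklist's non-production test step comes before production deployment.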

Evidence Requirements

Type       | Evidence Item                                                            | Collection Frequency
-----------|--------------------------------------------------------------------------|---------------------
Technical  | Configuration screenshots or exports showing protection controls enabled | Captured quarterly
Document   | Procedure documentation for protection measures                          | Reviewed annually
Document   | Governing policy document (current, approved, communicated)              | Reviewed annually