Deploy Port-Level Access Control
Description
Deploy port-level access control. Port-level access control uses 802.1X or a similar network access control protocol (for example, certificate-based device authentication) and may incorporate user and/or device authentication.
Implementation Checklist
Tool Recommendations
- Zscaler (per-user subscription): Zero trust network access platform replacing VPNs with application-level microsegmentation and identity-based access
- Palo Alto Networks (appliance + subscription): Next-generation firewall platform with application-aware policies, threat prevention, URL filtering, and SD-WAN
- Cisco (per-endpoint subscription): Network access control platform providing device profiling, posture assessment, guest access, and BYOD policy enforcement
Threats & Vulnerabilities (CIS RAM)
Threat Scenarios
Rogue Device Connected to Network Switch Port
Confidentiality: An attacker or unauthorized visitor plugs a rogue device into an open Ethernet port in a conference room or office, gaining full network access because no 802.1X port-level authentication is enforced.
Unauthorized Wireless Access Point Bridging to Wired Network
Confidentiality: An employee connects an unauthorized wireless access point to a network port, creating an uncontrolled bridge to the corporate network because port-level access control does not validate connecting devices.
Network Pivot Through Uncontrolled Physical Port
Integrity: An attacker gains physical access to a building and connects a network implant device to an unprotected port, establishing a persistent backdoor for remote access because no port-level authentication exists.
Vulnerabilities (When Safeguard Absent)
No Physical Port Authentication
Without 802.1X or equivalent port-level access control, any device physically connected to a network port is granted access without identity verification, enabling unauthorized network connectivity.
Uncontrolled Network Edge Access Points
Open network ports in accessible locations like conference rooms, lobbies, and shared spaces allow any device to connect and communicate on the network without authentication or authorization.
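Added example (not part of this safeguard page): a small audit that reads a switch configuration export, of the kind collected as evidence for this safeguard, and lists access ports with no 802.1X enforcement configured. The sample config is constructed, and the command syntax is assumed to follow Cisco IOS conventions (`authentication port-control auto` / `dot1x port-control auto`); adapt the matching for other vendors.

```python
# Constructed sample running-config export (not from a real device).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description Conference room A
 switchport mode access
 switchport access vlan 20
!
interface GigabitEthernet1/0/2
 description Lobby kiosk
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet1/0/3
 description Printer (MAB fallback)
 switchport mode access
 authentication port-control auto
 mab
!
interface GigabitEthernet1/0/24
 description Uplink to core
 switchport mode trunk
!
"""

# IOS-style commands that put the port into 802.1X/NAC enforcement (assumed syntax).
ENFORCEMENT_PREFIXES = ("authentication port-control auto", "dot1x port-control auto")


def parse_interfaces(config: str) -> dict:
    """Return {interface name: [stripped config lines under that interface]}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or any top-level line ends the interface block
    return interfaces


def unprotected_access_ports(config: str) -> list:
    """Access ports lacking port-control enforcement; trunk/uplink ports are skipped."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" not in lines:
            continue
        if not any(l.startswith(ENFORCEMENT_PREFIXES) for l in lines):
            findings.append(name)
    return findings


if __name__ == "__main__":
    print(unprotected_access_ports(SAMPLE_CONFIG))  # ['GigabitEthernet1/0/1']
```

Ports that legitimately cannot authenticate (printers, phones) should still appear in enforcement via a fallback such as MAB rather than being left open, which is why the check only accepts the port-control commands, not the mere presence of `dot1x pae authenticator`.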
Evidence Requirements
| Type | Evidence Item | Collection Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Record | Access review/recertification records with sign-off | Quarterly |
| Technical | Access control configuration evidence (RBAC settings, group memberships) | Reviewed quarterly |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |