9.3
IG2 IG3

Maintain and Enforce Network-Based URL Filters

Asset Type: Network
Security Function: Protect

Description

Enforce and update network-based URL filters to prevent enterprise assets from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, and block lists, alone or in combination. Enforce filters for all enterprise assets, including assets that leave the corporate network; a perimeter appliance alone does not cover remote devices, so those typically need an endpoint agent or cloud-hosted proxy that applies the same policy.

Implementation Checklist

1. Assess current protection controls in place
2. Configure and deploy required security controls
3. Test control effectiveness in a non-production environment
4. Deploy to production and verify functionality
5. Document configuration and operational procedures

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Drive-By Download from Compromised Legitimate Websites

Impact: Integrity

Users visit legitimate but compromised websites that redirect to malicious URLs hosting exploit kits. Without network-based URL filtering that evaluates every hop of the redirect chain, these redirects succeed in delivering malware payloads.

Credential Harvesting via Category-Spoofed Phishing Sites

Impact: Confidentiality

Sophisticated phishing campaigns use newly created domains that mimic corporate login portals. Without URL reputation filtering (for example, blocking recently registered domains) and category-based blocking, these sites are reachable by all enterprise users.

Data Exfiltration via Uncategorized Cloud Storage URLs

Impact: Confidentiality

Attackers or malicious insiders upload sensitive data to personal cloud storage, file-sharing services, or paste sites. Without URL filtering by category, and without a default-deny rule for uncategorized destinations, these exfiltration channels remain open.

Vulnerabilities (When Safeguard Absent)

No Network-Based URL Filtering or Secure Web Gateway

The organization does not enforce URL filtering at the network level, allowing enterprise assets to connect to any website regardless of its reputation, category, or known threat status.

URL Filter Policies Not Updated with Current Threat Intelligence

URL filtering exists, but block lists and category databases are not regularly updated with current threat intelligence, so recently identified malicious URLs pass through the filter. Because attackers rotate domains within hours, feed freshness should itself be monitored and alerted on.
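The following Python module is an added illustration of the filtering policy this safeguard describes and of the three threat scenarios above; it is not code from CIS or from any commercial URL-filtering product. It combines a block list, a category database, and a reputation rule (blocking recently registered domains), applies a default-deny to uncategorized destinations, evaluates each hop of a redirect chain, and reports when the threat-intelligence feed is stale. All hostnames, categories, registration dates and the policy thresholds are constructed sample data for this example.

```python
"""Added example: a network-based URL filter decision engine.

All data below is constructed for illustration; hostnames are hypothetical.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Constructed block list of known-bad hosts (matches host and any subdomain).
BLOCKLIST = {"exploitkit.example", "evil-redirector.example"}

# Constructed category database: host -> category.
CATEGORIES = {
    "intranet.example": "business",
    "news.example": "news",
    "drive.personal-cloud.example": "personal-cloud-storage",
    "paste.example": "paste-sites",
}

# Categories the policy blocks: exfiltration channels and known threats.
BLOCKED_CATEGORIES = {"personal-cloud-storage", "paste-sites", "phishing", "malware"}

# Constructed reputation data: registration date per domain.
REGISTRATION_DATES = {
    "news.example": datetime(2010, 1, 1, tzinfo=timezone.utc),
    "intranet.example": datetime(2008, 3, 15, tzinfo=timezone.utc),
    "corp-login-secure.example": datetime(2024, 6, 1, tzinfo=timezone.utc),
}

NEW_DOMAIN_WINDOW = timedelta(days=30)  # assumed policy: younger domains are untrusted
MAX_FEED_AGE = timedelta(hours=24)      # assumed policy: older feeds are stale


def parent_domains(host):
    """Yield host and each parent domain: a.b.c -> a.b.c, b.c, c."""
    labels = host.lower().strip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def hostname(url):
    """Return the host part of url (user-info and port stripped), or None."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return parts.hostname


def lookup(table, host):
    """Most-specific entry for host or one of its parent domains."""
    for domain in parent_domains(host):
        if domain in table:
            return table[domain]
    return None


def feed_is_stale(now, feed_updated):
    """True when the block list / category feed is older than MAX_FEED_AGE."""
    return now - feed_updated > MAX_FEED_AGE


def decide(url, now, feed_updated):
    """Return (action, reason, feed_stale) for a single URL."""
    stale = feed_is_stale(now, feed_updated)
    host = hostname(url)
    if not host:
        return ("block", "unparseable-url", stale)
    # 1. Explicit block list (covers subdomains of listed hosts).
    if any(domain in BLOCKLIST for domain in parent_domains(host)):
        return ("block", "blocklist", stale)
    # 2. Reputation: recently registered domains (phishing look-alikes).
    registered = lookup(REGISTRATION_DATES, host)
    if registered is not None and now - registered < NEW_DOMAIN_WINDOW:
        return ("block", "newly-registered-domain", stale)
    # 3. Category policy, with default-deny for uncategorized destinations.
    category = lookup(CATEGORIES, host)
    if category in BLOCKED_CATEGORIES:
        return ("block", "category:" + category, stale)
    if category is None:
        return ("block", "uncategorized", stale)
    return ("allow", "category:" + category, stale)


def decide_chain(urls, now, feed_updated):
    """Evaluate every hop of a redirect chain; the first blocked hop wins.

    Returns (action, reason, feed_stale, url_that_decided).
    """
    verdict = ("block", "empty-chain", feed_is_stale(now, feed_updated))
    decided = None
    for url in urls:
        verdict = decide(url, now, feed_updated)
        decided = url
        if verdict[0] == "block":
            break
    return verdict + (decided,)
```

The order of checks matters: the block list runs first so a listed host is never rescued by a benign category, and the reputation rule runs before the category lookup so a freshly registered look-alike is blocked even if a vendor feed has already categorized it. The `hostname` helper uses `urllib.parse`, so a URL such as `https://news.example@cdn.exploitkit.example/` is judged on its real host, not on the user-info prefix.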

Evidence Requirements

Type      | Evidence Item                                                        | Collection Frequency
Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly
Document  | Procedure documentation for protection measures                      | Reviewed annually
Document  | Governing policy document (current, approved, communicated)          | Reviewed annually