AuditRubric
pr-ir-1 critical Protect / Technology Infrastructure Resilience

Networks and environments are protected from unauthorized logical access

Network segmentation and access controls are the barriers that prevent a compromised endpoint from becoming a full breach. When everything is on a flat network with implicit trust, an attacker who compromises one system can move laterally to any other. Defense in depth at the network layer means that containing an attacker requires compromising additional barriers, giving defenders time to detect and respond.

Estimated effort: 6h
Tags: network-security, firewall, segmentation, zero-trust, vpc

Implementation steps

  1. Segment your network by trust level and function

    Divide your network into security zones: corporate endpoint network, production environment, developer environments, guest/IoT network, and management network. Apply controls at zone boundaries: only permitted traffic flows should be able to cross. At minimum, production systems should not be reachable directly from the corporate endpoint network.

    Tools: aws-vpc, cloudflare-access, cisco, palo-alto

  2. Implement network access control with least-privilege rules

    Define firewall or security group rules on an allow-list basis: deny all, then explicitly permit only what is needed. Review firewall rules at least annually to remove stale entries. Use a zero-trust network access (ZTNA) tool for remote access rather than a traditional VPN that provides broad network access once connected.

    Tools: aws-security-groups, cloudflare-access, tailscale, zscaler, palo-alto-prisma

  3. Monitor for unauthorized network access attempts

    Enable logging on network boundaries and configure alerts for: connection attempts to management ports from unexpected sources, successful connections on unexpected ports, and traffic between segments that should not be communicating. These alerts are the early warning signals for lateral movement.

    Tools: aws-guardduty, datadog, splunk, palo-alto
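As an added illustration of step 3 (not part of the rubric itself), the following Python checks VPC Flow Log records against a zone model like the one in step 1 and raises the three alert types listed above. The zone CIDRs, the allowed zone pairs, the expected ports and the log lines are all constructed assumptions.

```python
import ipaddress

# Constructed zone model (assumed CIDRs, not from the rubric).
ZONES = {
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "production": ipaddress.ip_network("10.20.0.0/16"),
    "management": ipaddress.ip_network("10.99.0.0/24"),
}
# Inter-zone flows that are expected; any other accepted cross-zone flow is an alert.
ALLOWED_ZONE_PAIRS = {("management", "production"), ("management", "corporate")}
MANAGEMENT_PORTS = {22, 3389}
# Allow-list of ports that should accept connections in each destination zone.
EXPECTED_PORTS = {"production": {443}, "corporate": {443}, "management": {22}}

# Constructed VPC Flow Log v2 default-format records:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
SAMPLE_FLOWS = [
    "2 123456789012 eni-0a1b2c3d 10.99.0.5 10.20.1.10 51000 22 6 10 840 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.10.4.23 10.20.1.10 52000 22 6 3 180 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 10.10.4.23 10.20.1.10 52001 443 6 20 4000 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 198.51.100.7 10.20.1.10 40000 8080 6 5 600 1700000000 1700000060 ACCEPT OK",
]


def zone_of(ip: str) -> str:
    """Map an address to its zone name; anything outside the model is 'external'."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "external")


def analyze_flow(line: str) -> list[str]:
    """Return the alert reasons for one flow record (empty list if it is benign)."""
    f = line.split()
    if len(f) < 14 or f[0] != "2":
        return []  # header line or unsupported log version
    src, dst, dport, action = f[3], f[4], int(f[6]), f[12]
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    alerts = []
    # Management port reached from anywhere other than the management zone (even if rejected).
    if dport in MANAGEMENT_PORTS and src_zone != "management":
        alerts.append(f"mgmt port {dport} from {src_zone} {src}")
    # Accepted traffic between zones that should not be talking.
    if action == "ACCEPT" and src_zone != dst_zone and (src_zone, dst_zone) not in ALLOWED_ZONE_PAIRS:
        alerts.append(f"unexpected {src_zone}->{dst_zone} flow {src}->{dst}")
    # Successful connection on a port the destination zone is not expected to serve.
    if action == "ACCEPT" and dport not in MANAGEMENT_PORTS and dport not in EXPECTED_PORTS.get(dst_zone, set()):
        alerts.append(f"accepted unexpected port {dport} in {dst_zone}")
    return alerts


def audit_flows(lines: list[str]) -> list[tuple[int, list[str]]]:
    """Return (record index, alerts) for every record that triggered at least one alert."""
    return [(i, a) for i, line in enumerate(lines) if (a := analyze_flow(line))]
```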

Evidence required

Network architecture diagram

A current diagram showing network segments, trust zones, and the controls enforced at zone boundaries.

  • VPC architecture diagram showing security groups and subnets
  • Network diagram with firewall rules between segments annotated
  • Zero-trust access policy documentation showing network segmentation

Firewall or security group rule review

Evidence of a recent review of network access control rules to confirm they follow least-privilege principles.

  • Annual firewall rule review sign-off document
  • AWS Security Group or Azure NSG configuration showing deny-by-default
  • Network access control policy with rule review cadence defined
