CIS Control 13.4: Perform Traffic Filtering Between Network Segments
Network segmentation without traffic filtering is like building walls with open doors. CIS Control 13.4 requires organizations to actively filter traffic between network segments, preventing lateral movement and containing breach scope. This foundational control significantly reduces your attack surface and demonstrates mature network security to auditors.
What this means
Traffic filtering between network segments means implementing and enforcing rules that control what data and connections can move between different network zones. Rather than allowing all internal traffic to flow freely, you establish explicit allow/deny policies at segment boundaries—typically using firewalls, access control lists, or next-generation network security tools. This prevents compromised systems in one segment from automatically accessing sensitive resources in another.
How to comply
- 1.Identify and document your network segments (e.g., DMZ, internal servers, user workstations, IoT devices, payment processing)
- 2.Map traffic flows between segments and determine business-required connections
- 3.Establish explicit firewall rules that allow only identified necessary traffic between segments
- 4.Deny all other traffic by default ('deny-all' rule) with exceptions for documented business needs
- 5.Implement stateful inspection and advanced filtering capabilities (protocol analysis, application-level filtering)
- 6.Review and test firewall rules before deployment in production
- 7.Log and monitor traffic filtering events for anomalies and policy violations
- 8.Conduct quarterly reviews of traffic filtering policies to remove obsolete rules and tighten controls
Evidence auditors look for
- Firewall configuration documentation showing explicit allow rules between network segments
- Network diagram illustrating segment boundaries and traffic filtering points
- Firewall logs demonstrating blocked traffic attempts and policy enforcement
- Change management records for firewall rule additions and modifications
- Access control list (ACL) documentation for routers and switches
- Policy documentation defining authorized traffic between segments
- Penetration test or vulnerability assessment results confirming segmentation effectiveness
- Quarterly rule review records with dates and approvals
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automatically inventories your firewall rules and network segments, comparing them against CIS 13.4 requirements and flagging overly permissive policies—eliminating manual rule audits and reducing compliance assessment time from weeks to days.
See how GRCWatch handles this control automatically
Start free trial