Skip to content ↓ | Skip to navigation ↓

Today, I will be going over Control 12 from version 7 of the CIS top 20 Critical Security Controls – Boundary Defense. I will go through the 12 requirements and offer my thoughts on what I’ve found.

Key Takeaways from Control 12

  • Quick and powerful wins available. Use tools at your disposal to quickly address some of the network scanning and logging requirements. To go for more impact, implement boundary decryption raise your awareness and remote multi-factor authentication to reduce your attack surface.
  • Use premium feeds. There are recommendations for threat intelligence as well as IDS/IPS signature-based tools throughout control 12. A paid-for and/or curated feed is highly recommended. You will get what you pay for when it comes to using free versus premium feeds.

Requirement Listing from Control 12

1. Maintain an Inventory of Network Boundaries

Description: Maintain an up-to-date inventory of all of the organization’s network boundaries.

Notes: This should be a quick win with tools readily available in every organization. Using something like NMAP can not only identify your devices but also alert if something new pops up. Scan both from the internal and external sides to make sure an incorrect configuration didn’t poke a hole through your perimeter.

2. Scan for Unauthorized Connections across Trusted Network Boundaries

Description: Perform regular scans from outside each trusted network boundary to detect any unauthorized connections which are accessible across the boundary.

Notes: I have seen a new ESX server that re-used an IP address from a retired web server. Since the organization did not have great asset and configuration management in place, the ESX server was exposed directly to the internet. Only by following this recommendation would you be able to automatically detect this.

3. Deny Communications with Known Malicious IP Addresses

Description: Deny communications with known malicious or unused Internet IP addresses and limit access only to trusted and necessary IP address ranges at each of the organizations network boundaries.

Notes: Threat intelligence, especially IP addresses, can go stale very quickly. Make sure the lists are updated regularly to avoid blocking benign websites and allowing new malicious ones in.

4. Deny Communication over Unauthorized Ports

Description: Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only authorized protocols are allowed to cross the network boundary in or out of the network at each of the organization’s network boundaries.

Notes: The list for allowing in will always be more controlled than the list of ports allowed out. Leverage the SIEM in order to help detect anomalous traffic as well. An example would be a server communicating with a previously unknown public DNS server.

5. Configure Monitoring Systems to Record Network Packets

Description: Configure monitoring systems to record network packets passing through the boundary at each of the organization’s network boundaries.

Notes:  This is going to generate a tremendous amount of data and as such will cost a lot of money to fully implement. That being said, having this data when going back to review an incident will be invaluable. I would recommend making sure you start out by having this functionality ready to turn on in case you need it for analyzing a potential outbreak. Then move on to collecting on a full time basis.

6. Deploy Network-based IDS Sensors

Description: Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack mechanisms and de3tect compromise of these systems at each of the organization’s network boundaries.

Notes: I am a huge fan of network security monitoring tools. The amount of data that you can gather from a NSM is incredible. Using signature based detection is going to help identify some threats, but make sure the signatures are updating on a regular basis. Paying for a premium subscription is recommended so the signatures are available as soon as possible.

7. Deploy Network-Based Intrusion Prevention Systems

Description: Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each of the organization’s network boundaries.

Notes: The next step beyond an IDS is an IPS to proactively block the traffic. The IPS needs to be monitored and tuned so that false negatives do not interrupt business productivity.

8. Deploy NetFlow Collection on Networking Boundary Devices

Description: Enable the collection of NetFlow and logging data on all network boundary devices.

Notes: My thoughts are the same for this as they are for section 5. This will generate a ton of data which can be costly to store for long periods of time.

9. Deploy Application Layer Filtering Proxy Server

Description: Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections.

Notes: Beyond being able to see the packets is being able to understand what is happening in them. An application layer tool will be able to identify attacks against specific applications rather than trying to match what is happening at a protocol level. This is a higher level maturity when implementing network security, so this will come at a later time than implementing some of the other requirements in this control.

10. Decrypt Network Traffic at Proxy

Description: Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic.

Notes: Organizations that have implemented decryption technologies have uncovered massive data breaches in the process. Criminals are using encryption to their advantage, so make sure you also have the ability to see what they are up to.

11. Require All Remote Logins to Use Multi-factor Authentication

Description: Require all remote login access to the organization’s network to encrypt data in transit and use multi-factor authentication.

Notes: While section 10 will help uncover a potential breach, this section will prevent it from happening. High profile data breaches of the past could have been prevented if MFA had been enabled for remote logins. While this isn’t trivial to implement, it is one of the more valuable requirements in the whole set of controls.

12. Manage All Devices Remotely Logging into Internal Network

Description: Scan all enterprise devices remotely logging into the organization’s network prior to accessing the network to ensure that each of the organization’s security policies has been enforced in the same manner as local network devices.

Notes: Roaming devices can pick up all sorts of infections from the various networks they connect to (ex: hotels, airports, coffee shops). Make sure they have the proper antivirus installed and up to date with recent OS level patches can help reduce the risk of allowing infected devices through the perimeter.


See how simple and effective security controls can create a framework that helps you protect your organization and data from known cyber attack vectors by downloading this guide here.

Read more about the 20 Critical Security Controls here:

Control 20 – Penetration Tests and Red Team Exercises

Control 19 – Incident Response and Management

Control 18 – Application Software Security

Control 17 – Implement a Security Awareness and Training Program

Control 16 – Account Monitoring and Control

Control 15 – Wireless Access Control

Control 14 – Controlled Access Based on the Need to Know

Control 13 – Data Protection

Control 12 – Boundary Defense

Control 11 – Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches

Control 10 – Data Recovery Capabilities

Control 9 – Limitation and Control of Network Ports, Protocols, and Services

Control 8 – Malware Defenses

Control 7 – Email and Web Browser Protections

Control 6 – Maintenance, Monitoring, and Analysis of Audit Logs

Control 5 – Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers

You can also learn more about the CIS security controls here.

<!-- -->