Inter-zone communications logged
Demonstrate that all network devices enforcing zone boundaries are configured to log inter-zone traffic and that logs are captured, retained, and available for security analysis.
Description
What this control does
Inter-zone communications logging captures and records network traffic that crosses defined security boundaries or zones within a network architecture (e.g., DMZ to internal, trust to untrust, production to development). This control requires firewall, router, or next-generation firewall (NGFW) devices to generate logs for each session or flow that traverses zone boundaries, capturing metadata such as source/destination IP, port, protocol, timestamp, action taken, and user or application identity. Logging inter-zone traffic provides visibility into lateral movement, data exfiltration attempts, and policy violations that occur when attackers or insiders traverse network segmentation controls.
Control objective
What auditing this proves
Demonstrate that all network devices enforcing zone boundaries are configured to log inter-zone traffic and that logs are captured, retained, and available for security analysis.
Associated risks
Risks this control addresses
- Lateral movement by attackers between network zones goes undetected, allowing privilege escalation and access to sensitive systems without forensic evidence
- Data exfiltration from high-security zones to lower-trust zones or external networks occurs without audit trail or alerting
- Unauthorized access between development, staging, and production environments bypasses change control without detection
- Insider threats exploiting trust relationships between zones cannot be reconstructed during incident investigations due to missing logs
- Compliance violations and policy exceptions for inter-zone traffic remain unidentified during security reviews
- Compromised devices in one zone communicating with command-and-control infrastructure via other zones evade detection
- Forensic investigations following security incidents lack sufficient network context to determine attack paths and scope of compromise
Testing procedure
How an auditor verifies this control
- Obtain and review the current network segmentation diagram identifying all defined security zones and boundary enforcement points (firewalls, routers, NGFWs, cloud security groups).
- Select a representative sample of network devices that enforce zone boundaries, ensuring coverage across different device types, vendors, and criticality levels.
- Export and review logging configurations from each sampled device, verifying that inter-zone rule bases or policies have logging enabled for both allowed and denied traffic.
- Retrieve actual firewall or router logs from a 24-hour period and identify entries corresponding to inter-zone communications, confirming logs include source IP, destination IP, port, protocol, timestamp, action, and session metadata.
- Trace log forwarding paths from network devices to centralized log collection systems (SIEM, log aggregator, or syslog server) and verify successful receipt and parsing.
- Review log retention policies and storage configurations to confirm inter-zone logs are retained for the required duration per policy or regulatory requirements.
- Simulate or identify a recent legitimate inter-zone communication event and confirm corresponding log entries exist in the centralized logging system with complete metadata.
- Interview network and security operations teams to verify processes for monitoring, alerting, and investigating anomalous inter-zone traffic patterns using collected logs.
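The evidence checks in steps 3, 4 and 6 above can be scripted once the zone map and a log export are in hand. The following is an added example, not part of the original control text or any vendor's tooling: it reads constructed key=value firewall log lines (a generic format, not a specific vendor's), classifies each flow as intra-zone or inter-zone using a hypothetical zone-to-CIDR map, flags inter-zone entries that lack any of the required metadata fields, and lists rules in a constructed rule export that cross a zone boundary without logging enabled. The zone map, log format and rule export are all assumptions for illustration.

```python
"""Added example: audit constructed firewall logs and a constructed rule
export against the metadata and logging requirements of this control."""
import ipaddress
from dataclasses import dataclass, field

# Hypothetical zone map (assumption: in practice this comes from the
# network segmentation diagram reviewed in step 1)
ZONES = {
    "dmz": [ipaddress.ip_network("10.1.0.0/24")],
    "internal": [ipaddress.ip_network("10.2.0.0/16")],
    "prod": [ipaddress.ip_network("10.3.0.0/16")],
    "dev": [ipaddress.ip_network("10.4.0.0/16")],
}

# Metadata the testing procedure expects every inter-zone entry to carry
REQUIRED_FIELDS = ("ts", "src", "dst", "sport", "dport", "proto", "action")


def zone_of(ip: str) -> str:
    """Map an address to a zone name; anything outside the map is external."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "external"


def parse_line(line: str) -> dict:
    """Parse a space-separated key=value line (constructed generic format)."""
    parsed = {}
    for token in line.split():
        if "=" in token:
            key, _, value = token.partition("=")
            parsed[key] = value
    return parsed


@dataclass
class AuditResult:
    inter_zone: list = field(default_factory=list)  # (src_zone, dst_zone, action)
    incomplete: list = field(default_factory=list)  # (line, missing field names)
    intra_zone: int = 0


def audit_logs(lines) -> AuditResult:
    """Classify flows and record inter-zone entries with missing metadata."""
    result = AuditResult()
    for line in lines:
        ev = parse_line(line)
        missing = [f for f in REQUIRED_FIELDS if f not in ev]
        if "src" not in ev or "dst" not in ev:
            # Cannot even determine the zones involved; record and move on
            result.incomplete.append((line, missing))
            continue
        src_zone, dst_zone = zone_of(ev["src"]), zone_of(ev["dst"])
        if src_zone == dst_zone:
            result.intra_zone += 1
            continue
        if missing:
            result.incomplete.append((line, missing))
        result.inter_zone.append((src_zone, dst_zone, ev.get("action", "?")))
    return result


def rules_without_logging(rules) -> list:
    """Return ids of rules that cross a zone boundary but have logging off."""
    return [r["id"] for r in rules if r["from"] != r["to"] and not r["log"]]


# Constructed sample log lines; the last one lacks sport and action
SAMPLE_LOGS = [
    "ts=2024-05-01T10:00:01Z src=10.1.0.5 dst=10.2.7.9 sport=51000 dport=443 proto=tcp action=allow",
    "ts=2024-05-01T10:00:02Z src=10.4.1.3 dst=10.3.0.10 sport=40000 dport=22 proto=tcp action=deny",
    "ts=2024-05-01T10:00:03Z src=10.2.1.1 dst=10.2.1.2 sport=123 dport=123 proto=udp action=allow",
    "ts=2024-05-01T10:00:04Z src=10.3.0.10 dst=203.0.113.7 dport=443 proto=tcp",
]

# Constructed rule export: rule 20 crosses dev->prod without logging
SAMPLE_RULES = [
    {"id": 10, "from": "dmz", "to": "internal", "log": True},
    {"id": 20, "from": "dev", "to": "prod", "log": False},
    {"id": 30, "from": "internal", "to": "internal", "log": False},
]

if __name__ == "__main__":
    audit = audit_logs(SAMPLE_LOGS)
    print("inter-zone flows:", audit.inter_zone)
    print("entries missing metadata:", audit.incomplete)
    print("boundary rules without logging:", rules_without_logging(SAMPLE_RULES))
```

On the constructed input the script reports three inter-zone flows (one of them, prod to external, missing its source port and action field), one intra-zone flow, and rule 20 as a boundary rule with logging disabled. Against a real export the zone map and field names would be replaced with the device's own, and any entry reported as incomplete or any rule reported without logging is a finding for the auditor to follow up in step 7.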
Where this control is tested