Network access limited to need-to-know subnets
Demonstrate that network access controls restrict connectivity between subnets to only those pathways explicitly required by business or technical function, preventing unauthorized lateral movement.
Description
What this control does
This control enforces network segmentation so that systems and users can reach only the subnets required for their authorized functions, preventing lateral movement and limiting the blast radius of a compromised credential or host. Implementation typically combines VLAN segregation, firewall rulesets, access control lists (ACLs) on routers and Layer 3 switches, and software-defined network policies. The rulebase is default-deny: traffic is permitted only between specific source and destination subnets, on specific protocols and ports, based on role, function, or data classification. Applying least privilege at the network layer reduces the attack surface by denying unnecessary connectivity between workstations, servers, development environments, production zones, and administrative segments.
Control objective
What auditing this proves
Demonstrate that network access controls restrict connectivity between subnets to only those pathways explicitly required by business or technical function, preventing unauthorized lateral movement.
Associated risks
Risks this control addresses
- Compromised workstation or server allows attacker to pivot freely across flat network and access sensitive databases, file shares, or administrative systems
- Malware infection spreads rapidly across multiple subnets because routing between them is unrestricted or SMB/RDP is reachable from any segment
- Insider threat actor accesses payroll, HR, or financial systems from standard user network segments without technical enforcement
- External attacker who gains foothold in DMZ directly reaches internal corporate network or OT/ICS segments
- Development or test environments with weaker security posture serve as springboard into production subnets
- Unauthorized network scanning or reconnaissance activities go undetected due to lack of inter-subnet traffic monitoring
- Compliance violations occur when cardholder data, PHI, or other regulated data environments remain accessible from non-compliant network zones
Testing procedure
How an auditor verifies this control
- Obtain current network topology diagrams showing subnet boundaries, VLAN assignments, security zones, and trust boundaries
- Export firewall rulesets, router ACLs, and switch VLAN and ACL configurations governing inter-subnet traffic flows
- Identify a representative sample of subnets spanning user workstations, application servers, databases, management networks, and DMZ segments
- For each sampled subnet, trace permitted ingress and egress rules to identify which other subnets are reachable and the protocols/ports allowed
- Interview network administrators and system owners to document the business or technical justification for each permitted inter-subnet pathway
- Conduct network connectivity tests from sampled source hosts attempting to reach systems in subnets that should be blocked (e.g., workstation to database VLAN, guest WiFi to internal servers)
- Review change management records for network ACL and firewall rule modifications to verify approval and need-to-know justification documentation
- Examine SIEM or network flow logs to identify any unauthorized traffic patterns between subnets that should be segregated
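The rule-tracing, connectivity-test and flow-log steps above can be partly automated. The following is an added example written for this page, not the page's own tooling or any vendor's export format: it models a default-deny, first-match ruleset the way the description section lays it out, evaluates every zone pair against a probe list of commonly abused ports, compares the result with the documented list of approved pathways, and then checks constructed flow-log lines for accepted inter-zone traffic that has no approved pathway. The zone CIDRs, rules, approved pathways and log lines are all constructed for illustration; a real audit would load the exported ruleset and the change-management records in their place.

```python
"""Segmentation audit helper (added example; constructed data throughout)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    src: str            # source CIDR
    dst: str            # destination CIDR
    proto: str          # "tcp", "udp", "icmp" or "any"
    port: Optional[int] # destination port, None = any port
    action: str         # "permit" or "deny"

    def matches(self, src_ip: str, dst_ip: str, proto: str, port: Optional[int]) -> bool:
        if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto != "any" and self.proto != proto:
            return False
        return self.port is None or self.port == port


def evaluate(rules, src_ip, dst_ip, proto, port) -> str:
    """First-match evaluation with implicit deny, as most ACLs and firewalls behave."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, proto, port):
            return rule.action
    return "deny"


# Constructed security zones (hypothetical addressing).
ZONES = {
    "workstations": "10.10.0.0/24",
    "app": "10.20.0.0/24",
    "db": "10.30.0.0/24",
    "mgmt": "10.90.0.0/24",
}

# Constructed ruleset as exported from the firewall; rule 5 is a legacy entry
# with no documented justification, which the audit should surface.
RULES = [
    Rule("10.10.0.0/24", "10.20.0.0/24", "tcp", 443, "permit"),   # workstations -> app HTTPS
    Rule("10.20.0.0/24", "10.30.0.0/24", "tcp", 5432, "permit"),  # app -> db PostgreSQL
    Rule("10.90.0.0/24", "10.20.0.0/24", "tcp", 22, "permit"),    # mgmt -> app SSH
    Rule("10.90.0.0/24", "10.30.0.0/24", "tcp", 22, "permit"),    # mgmt -> db SSH
    Rule("10.10.0.0/24", "10.30.0.0/24", "tcp", 3389, "permit"),  # workstations -> db RDP (legacy)
    Rule("0.0.0.0/0", "0.0.0.0/0", "any", None, "deny"),          # explicit catch-all deny
]

# Pathways with documented business/technical justification (constructed).
# (src zone, dst zone, proto, dst port)
APPROVED = {
    ("workstations", "app", "tcp", 443),
    ("app", "db", "tcp", 5432),
    ("mgmt", "app", "tcp", 22),
    ("mgmt", "db", "tcp", 22),
    ("mgmt", "workstations", "tcp", 3389),  # approved but, in this ruleset, never implemented
}

# Ports an auditor would probe from each zone; chosen here as an assumption.
PROBES = [("tcp", 22), ("tcp", 443), ("tcp", 445), ("tcp", 3389), ("tcp", 5432), ("icmp", None)]


def first_host(cidr: str) -> str:
    return str(next(ipaddress.ip_network(cidr).hosts()))


def zone_of(ip: str, zones) -> str:
    addr = ipaddress.ip_address(ip)
    for name, cidr in zones.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return "unknown"


def audit_ruleset(rules, zones, approved, probes):
    """Return (permitted-but-unapproved pathways, approved-but-not-permitted pathways)."""
    unapproved, missing = [], []
    for s_name, s_cidr in zones.items():
        for d_name, d_cidr in zones.items():
            if s_name == d_name:
                continue
            for proto, port in probes:
                key = (s_name, d_name, proto, port)
                if evaluate(rules, first_host(s_cidr), first_host(d_cidr), proto, port) == "permit" \
                        and key not in approved:
                    unapproved.append(key)
    for key in approved:
        s_name, d_name, proto, port = key
        if evaluate(rules, first_host(zones[s_name]), first_host(zones[d_name]), proto, port) != "permit":
            missing.append(key)
    return sorted(unapproved, key=str), sorted(missing, key=str)


# Constructed flow-log lines in a hypothetical key=value format.
FLOW_LOG = """\
2024-03-01T10:02:11Z src=10.10.0.15 dst=10.20.0.8 proto=tcp dport=443 action=ACCEPT
2024-03-01T10:02:12Z src=10.10.0.15 dst=10.30.0.5 proto=tcp dport=3389 action=ACCEPT
2024-03-01T10:02:13Z src=10.10.0.15 dst=10.30.0.5 proto=tcp dport=445 action=DROP
2024-03-01T10:02:14Z src=10.90.0.2 dst=10.30.0.5 proto=tcp dport=22 action=ACCEPT
"""


def unapproved_flows(log_text, zones, approved):
    """Accepted inter-zone flows that do not correspond to an approved pathway."""
    findings = []
    for line in log_text.splitlines():
        timestamp, *kvs = line.split()
        fields = dict(kv.split("=", 1) for kv in kvs)
        if fields.get("action") != "ACCEPT":
            continue
        port = int(fields["dport"]) if "dport" in fields else None
        key = (zone_of(fields["src"], zones), zone_of(fields["dst"], zones), fields["proto"], port)
        if key[0] != key[1] and key not in approved:
            findings.append((timestamp, key))
    return findings


if __name__ == "__main__":
    bad, absent = audit_ruleset(RULES, ZONES, APPROVED, PROBES)
    print("permitted without justification:", bad)
    print("approved but not implemented:", absent)
    print("flows to investigate:", unapproved_flows(FLOW_LOG, ZONES, APPROVED))
```

Two design points matter for an audit. The checker reports in both directions: a permitted pathway with no justification is a segmentation finding, while an approved pathway the ruleset does not actually allow points at stale documentation or an undocumented workaround elsewhere. And the flow-log check deliberately ignores the firewall's own verdict on the packet and re-derives it from the approved list, so a rule that was added outside change management still shows up.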
Where this control is tested