INF-005 Secure Network Architecture and Defence
Description
Network architecture is documented, including trust zones, data flows, and perimeter boundaries. Defence-in-depth controls — including firewalls, intrusion detection or prevention systems, and egress filtering — are deployed at network boundaries. The architecture is reviewed at defined intervals.
Rationale
Documented architecture supports threat modelling and audit verification. Layered network defences reduce exposure to external and internal network-based attacks.
Framework Mappings (7)
| Control ID | Control | Coverage |
|---|---|---|
| I&S-03 | Network Security | full |
| I&S-08 | Network Architecture Documentation | full |
| I&S-09 | Network Defense | full |
| 8.20 | Networks security | full |
| 8.21 | Security of network services | full |
| SC-5 | Denial-of-service Protection | full |
| SC-7 | Boundary Protection | full |
Evidence (2)
Firewall, IDS/IPS, and egress filtering configuration deployed at network boundaries, evidencing defence-in-depth controls.
Example: AWS WAF rule group export, GCP Cloud Armor policy, or equivalent firewall and IDS/IPS configuration showing boundary control rules for production network perimeters
Test: Export boundary control configurations (WAF, firewall, IDS/IPS). Verify: (1) ingress traffic is restricted to defined permitted ports and sources; (2) egress filtering is configured to restrict outbound traffic to known destinations or service endpoints; (3) IDS or IPS rules are current and enabled; (4) rules are reviewed on the documented schedule.
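As an added illustration of verification points (1) and (2) above, not part of the control catalogue or any vendor's tooling, the following Python audits an exported boundary rule set against a permitted-ingress policy and a known-egress list. The rule shape, the sample rules and the policy values are constructed for the example; a real WAF, firewall or security-group export would first need to be mapped into this vendor-neutral form.

```python
"""Audit boundary rules for INF-005 points (1) ingress restriction and (2) egress filtering.

Added example, not the control catalogue's own tooling. The Rule shape below is a
constructed, vendor-neutral approximation of a security-group or firewall export.
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    direction: str   # "ingress" or "egress"
    protocol: str    # "tcp", "udp" or "any"
    from_port: int   # inclusive port range; 0-65535 means all ports
    to_port: int
    cidr: str        # remote source (ingress) or destination (egress)
    enabled: bool = True


# Constructed sample export for a production perimeter (not real infrastructure).
SAMPLE_RULES = [
    Rule("ingress", "tcp", 443, 443, "0.0.0.0/0"),       # public HTTPS, permitted
    Rule("ingress", "tcp", 22, 22, "0.0.0.0/0"),         # SSH from anywhere: finding
    Rule("ingress", "tcp", 22, 22, "10.10.0.0/16"),      # SSH from bastion range, permitted
    Rule("ingress", "any", 0, 65535, "203.0.113.0/24"),  # all ports from one /24: finding
    Rule("egress", "tcp", 443, 443, "198.51.100.10/32"), # known API endpoint, permitted
    Rule("egress", "any", 0, 65535, "0.0.0.0/0"),        # unrestricted egress: finding
]

# Constructed policy: (protocol, port) pairs that may be exposed and the sources allowed.
PERMITTED_INGRESS = {
    ("tcp", 443): ["0.0.0.0/0"],     # public service
    ("tcp", 22): ["10.10.0.0/16"],   # admin access only from the bastion range
}
# Constructed list of known egress destinations or service endpoints.
KNOWN_EGRESS = ["198.51.100.10/32", "10.0.0.0/8"]


def _within(cidr, allowed):
    """True if cidr is fully contained in at least one allowed prefix."""
    net = ip_network(cidr, strict=False)
    return any(net.subnet_of(ip_network(a, strict=False)) for a in allowed)


def _is_all_ports(rule):
    return rule.from_port == 0 and rule.to_port == 65535


def audit_ingress(rules):
    """Point (1): every enabled ingress rule must match a permitted (protocol, port)
    and its source must sit inside that entry's permitted source ranges."""
    findings = []
    for r in rules:
        if r.direction != "ingress" or not r.enabled:
            continue
        if r.protocol == "any" or _is_all_ports(r):
            findings.append(f"ingress {r.cidr}: all ports/protocols exposed")
            continue
        bad_ports = []
        for port in range(r.from_port, r.to_port + 1):
            allowed = PERMITTED_INGRESS.get((r.protocol, port))
            if allowed is None or not _within(r.cidr, allowed):
                bad_ports.append(port)
        if bad_ports:
            findings.append(
                f"ingress {r.cidr}: {r.protocol} ports {bad_ports[0]}-{bad_ports[-1]} "
                "not permitted for this source")
    return findings


def audit_egress(rules):
    """Point (2): every enabled egress rule must target a known destination."""
    findings = []
    for r in rules:
        if r.direction != "egress" or not r.enabled:
            continue
        if not _within(r.cidr, KNOWN_EGRESS):
            findings.append(f"egress {r.cidr}: destination not in known endpoint list")
    return findings


if __name__ == "__main__":
    for line in audit_ingress(SAMPLE_RULES) + audit_egress(SAMPLE_RULES):
        print("FINDING:", line)
```

Run against the constructed sample it reports three findings: world-reachable SSH, an any-protocol rule from a /24, and an unrestricted egress rule. Points (3) and (4) of the test (IDS/IPS rule currency and review cadence) are documentary checks and are not covered by this script.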
Network architecture document including trust zone definitions, data flow diagrams, and documented review schedule.
Example: Network Architecture Design or Security Architecture document with current data flow diagrams, showing perimeter boundaries, trust zones, and last review date
Test: Request the network architecture document and the last scheduled review record. Verify: (1) trust zones and data flows are documented; (2) the document reflects the current production architecture; (3) a review was completed within the defined interval (typically annually); (4) the document is approved by a named owner.
Questions (2)
Is your production network architecture documented, including trust zones, data flows, and perimeter boundaries, and are defence-in-depth controls deployed at network boundaries?
Documentation should include current data flow diagrams and a network diagram showing trust zones. Defence controls should include at minimum a firewall or WAF and egress filtering.
Which network defence controls are deployed at production network boundaries?
A WAF and egress filtering are baseline expectations for a SaaS provider. IDS/IPS and DDoS protection indicate a more mature defence-in-depth posture.