GRCWatch
Sign inStart free trial

CIS Control 13.4: Perform Traffic Filtering Between Network Segments

Network segmentation without traffic filtering is like building walls with open doors. CIS Control 13.4 requires organizations to actively filter traffic between network segments, preventing lateral movement and containing breach scope. This foundational control significantly reduces your attack surface and demonstrates mature network security to auditors.

What this means

Traffic filtering between network segments means implementing and enforcing rules that control what data and connections can move between different network zones. Rather than allowing all internal traffic to flow freely, you establish explicit allow/deny policies at segment boundaries—typically using firewalls, access control lists, or next-generation network security tools. This prevents compromised systems in one segment from automatically accessing sensitive resources in another.

How to comply

  1. 1.Identify and document your network segments (e.g., DMZ, internal servers, user workstations, IoT devices, payment processing)
  2. 2.Map traffic flows between segments and determine business-required connections
  3. 3.Establish explicit firewall rules that allow only identified necessary traffic between segments
  4. 4.Deny all other traffic by default ('deny-all' rule) with exceptions for documented business needs
  5. 5.Implement stateful inspection and advanced filtering capabilities (protocol analysis, application-level filtering)
  6. 6.Review and test firewall rules before deployment in production
  7. 7.Log and monitor traffic filtering events for anomalies and policy violations
  8. 8.Conduct quarterly reviews of traffic filtering policies to remove obsolete rules and tighten controls

Evidence auditors look for

  • Firewall configuration documentation showing explicit allow rules between network segments
  • Network diagram illustrating segment boundaries and traffic filtering points
  • Firewall logs demonstrating blocked traffic attempts and policy enforcement
  • Change management records for firewall rule additions and modifications
  • Access control list (ACL) documentation for routers and switches
  • Policy documentation defining authorized traffic between segments
  • Penetration test or vulnerability assessment results confirming segmentation effectiveness
  • Quarterly rule review records with dates and approvals

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automatically inventories your firewall rules and network segments, comparing them against CIS 13.4 requirements and flagging overly permissive policies—eliminating manual rule audits and reducing compliance assessment time from weeks to days.

See how GRCWatch handles this control automatically

Start free trial

Related controls

CIS 13.1 — Establish and Maintain a Secure Network ArchitectureCIS 13.2 — Establish and Maintain a Secure Network Architecture for Limiting Unauthorized Network AccessCIS 13.3 — Establish and Maintain Firewall RulesCIS 13.5 — Manage Access Control for Remote AssetsCIS 14.4 — Protect Information System Assets from Unauthorized Access