NET — Network Security
98 controls in the Network Security domain
NET-01 Network Security Controls (NSC)
NET-01.1 Zero Trust Architecture (ZTA)
NET-02 Layered Network Defenses
NET-02.1 Denial of Service (DoS) Protection
NET-02.2 Guest Networks
NET-02.3 Cross Domain Solution (CDS)
NET-03 Boundary Protection
NET-03.1 Limit Network Connections
NET-03.2 External Telecommunications Services
NET-03.3 Prevent Discovery of Internal Information
NET-03.4 Personal Data (PD)
NET-03.5 Prevent Unauthorized Exfiltration
NET-03.6 Dynamic Isolation & Segregation (Sandboxing)
NET-03.7 Isolation of System Components
NET-03.8 Separate Subnet for Connecting to Different Security Domains
NET-04 Data Flow Enforcement – Access Control Lists (ACLs)
NET-04.1 Deny Traffic by Default & Allow Traffic by Exception
NET-04.2 Object Security Attributes
NET-04.3 Content Check for Encrypted Data
NET-04.4 Embedded Data Types
NET-04.5 Metadata
NET-04.6 Human Reviews
NET-04.7 Policy Decision Point (PDP)
NET-04.8 Data Type Identifiers
NET-04.9 Decomposition Into Policy-Related Subcomponents
NET-04.10 Detection of Unsanctioned Information
NET-04.11 Approved Solutions
NET-04.12 Cross Domain Authentication
NET-04.13 Metadata Validation
NET-04.14 Application Proxy
NET-05 Interconnection Security Agreements (ISAs)
NET-05.1 External System Connections
NET-05.2 Internal System Connections
NET-06 Network Segmentation (macrosegmentation)
NET-06.1 Security Management Subnets
NET-06.2 Virtual Local Area Network (VLAN) Separation
NET-06.3 Sensitive / Regulated Data Enclave (Secure Zone)
NET-06.4 Segregation From Enterprise Services
NET-06.5 Direct Internet Access Restrictions
NET-06.6 Microsegmentation
NET-06.7 Software Defined Networking (SDN)
NET-07 Network Connection Termination
NET-08 Network Intrusion Detection / Prevention Systems (NIDS / NIPS)
NET-08.1 DMZ Networks
NET-08.2 Wireless Intrusion Detection / Prevention Systems (WIDS / WIPS)
NET-08.3 Host Containment
NET-08.4 Resource Containment
NET-09 Session Integrity
NET-09.1 Invalidate Session Identifiers at Logout
NET-09.2 Unique System-Generated Session Identifiers
NET-10 Domain Name Service (DNS) Resolution
NET-10.1 Architecture & Provisioning for Name / Address Resolution Service
NET-10.2 Secure Name / Address Resolution Service (Recursive or Caching Resolver)
NET-10.3 Sender Policy Framework (SPF)
NET-10.4 Domain Registrar Security
NET-11 Out-of-Band Channels
NET-12 Safeguarding Data Over Open Networks
NET-12.1 Wireless Link Protection
NET-12.2 End-User Messaging Technologies
NET-13 Electronic Messaging
NET-14 Remote Access
NET-14.1 Automated Monitoring & Control
NET-14.2 Protection of Confidentiality / Integrity Using Encryption
NET-14.3 Managed Access Control Points
NET-14.4 Remote Privileged Commands & Sensitive Data Access
NET-14.5 Work From Anywhere (WFA) - Telecommuting Security
NET-14.6 Third-Party Remote Access Governance
NET-14.7 Endpoint Security Validation
NET-14.8 Expeditious Disconnect / Disable Capability
NET-15 Wireless Networking
NET-15.1 Authentication & Encryption
NET-15.2 Disable Wireless Networking
NET-15.3 Restrict Configuration By Users
NET-15.4 Wireless Boundaries
NET-15.5 Rogue Wireless Detection
NET-16 Intranets
NET-17 Data Loss Prevention (DLP)
NET-18 DNS & Content Filtering
NET-18.1 Route Internal Traffic to Proxy Servers
NET-18.2 Visibility of Encrypted Communications
NET-18.3 Route Privileged Network Access
NET-18.4 Protocol Compliance Enforcement
NET-18.5 Domain Name Verification
NET-18.6 Internet Address Denylisting
NET-18.7 Bandwidth Control
NET-18.8 Authenticated Proxy
NET-18.9 Certificate Denylisting
NET-19 Content Disarm and Reconstruction (CDR)
NET-20 Email Content Protections
NET-20.1 Email Domain Reputation Protections
NET-20.2 Sender Denylisting
NET-20.3 Authenticated Received Chain (ARC)
NET-20.4 Domain-Based Message Authentication Reporting and Conformance (DMARC)
NET-20.5 User Digital Signatures for Outgoing Email
NET-20.6 Encryption for Outgoing Email
NET-20.7 Adaptive Email Protections
NET-20.8 Email Labeling
NET-20.9 User Threat Reporting