CIS Control 12: Network Infrastructure Management
Deep Dive: Best practices for managing network devices and architecture, from the CIS Critical Security Controls v8.
Network infrastructure is the primary conduit for all enterprise data. If physical or virtual network devices (routers, switches, firewalls, load balancers) are compromised, attackers can bypass perimeter defenses, intercept sensitive traffic, or disrupt operations. CIS Control 12: Network Infrastructure Management focuses on actively establishing, securing, and maintaining these foundational network components.
The Foundation of Network Security
Effective infrastructure management begins with visibility. Just as CIS Control 1: Inventory and Control of Enterprise Assets demands an accounting of all devices, Control 12 requires a detailed understanding of how those devices connect.
An up-to-date network architecture diagram—including specific security architecture diagrams—is a non-negotiable foundation. These diagrams must be reviewed and updated at least annually, or immediately following any significant enterprise changes. Beyond static diagrams, enterprises must continuously monitor infrastructure versions and configurations for vulnerabilities, applying the principles of CIS Control 7: Continuous Vulnerability Management specifically to network components.
Key Safeguards and Practices
1. Maintaining Up-to-Date Infrastructure (12.1)
Network devices must run the latest stable, supported release of their respective software. Organizations should review network software versions monthly (or more frequently) to ensure they are fully supported by the vendor for security patches and feature upgrades.
Handling Edge Cases (End-of-Life Components): When a network device reaches End-of-Life (EOL), it will no longer receive vendor support. Enterprises must either:
- Upgrade the EOL components before their out-of-support date.
- Apply strict mitigating controls to logically isolate the unsupported hardware if immediate replacement is impossible.
2. Secure Network Architecture (12.2 & 12.4)
A robust network architecture must address three core pillars:
- Segmentation: Separating user networks, guest networks, and critical data environments.
- Least Privilege: Ensuring traffic is restricted on a strict "default deny" basis.
- Availability: Ensuring redundancy and resilience to prevent outages.
3. Secure Administration and Tooling (12.3 & 12.8)
Network administration should never occur over clear-text protocols.
- Implement secure network protocols such as SSH and HTTPS for management interfaces, strictly disabling legacy protocols like Telnet and HTTP.
- Treat infrastructure configurations as code. Version-controlled infrastructure as code (IaC) ensures that changes are tracked, auditable, and easily reversible.
For highly mature organizations (Implementation Group 3), administrative work should be isolated. Administrators should use dedicated computing resources—either physically or logically separated from the enterprise’s primary network—that are explicitly denied internet access to prevent drive-by compromises.
4. Centralized Authentication, Authorization, and Auditing (AAA) (12.5, 12.6 & 12.7)
Network device access must be strictly controlled, aligning heavily with CIS Control 5: Account Management and CIS Control 6: Access Control Management.
- Centralize AAA: Do not rely on local accounts scattered across hundreds of switches or firewalls. Tie network access into centralized identity providers.
- Strong Authentication: Enforce Multi-Factor Authentication (MFA) for Privileged Access Management (PAM).
- Secure Communications: Utilize enterprise-grade network management and communication protocols (e.g., 802.1X, WPA2 Enterprise or greater).
- Remote Access: Require users on remote end-user devices to authenticate to enterprise-managed VPNs and authentication services prior to accessing internal enterprise resources.
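As an added example (not from the CIS document or this article), the following Python check applies the management-plane requirements of sections 3 and 4 to a device configuration the way an IaC pipeline would: it flags clear-text HTTP and Telnet management (12.3) and VTY lines that fall back to local accounts instead of centralized AAA (12.5). The configuration excerpt is constructed and its IOS-style command syntax is an assumption; adapt the patterns to your vendor's grammar.

```python
import re
from typing import List, Tuple

# Constructed IOS-style running-config excerpt (sample data, not from a real device;
# the command syntax is assumed and should be adapted to your vendor's grammar).
SAMPLE_CONFIG = """\
hostname core-sw-01
ip http server
no ip http secure-server
line vty 0 4
 transport input telnet ssh
 login local
line vty 5 15
 transport input ssh
 login authentication default
"""

def parse_blocks(config: str) -> List[Tuple[str, List[str]]]:
    """Group the config into (top-level command, indented sub-commands) pairs."""
    blocks: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks

def audit_management_plane(config: str) -> List[str]:
    """Flag clear-text management protocols (12.3) and local-only logins (12.5)."""
    findings: List[str] = []
    for head, children in parse_blocks(config):
        if head == "ip http server":
            findings.append("HTTP management enabled: use 'ip http secure-server' only")
        if head == "no ip http secure-server":
            findings.append("HTTPS management disabled")
        if head.startswith("line vty"):
            for child in children:
                # 'transport input all' also admits Telnet
                if child.startswith("transport input") and re.search(r"\b(telnet|all)\b", child):
                    findings.append(f"{head}: Telnet accepted ('{child}')")
            if "login local" in children and not any(c.startswith("login authentication") for c in children):
                findings.append(f"{head}: local accounts used instead of centralized AAA")
    return findings

if __name__ == "__main__":
    for finding in audit_management_plane(SAMPLE_CONFIG):
        print("FAIL:", finding)
```

Run it against exported configurations in the same job that validates any other IaC change, so a commit that re-enables Telnet or HTTP fails review before it reaches a device.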
5. Automated Rule Set Evaluation
Over time, firewall rules and router Access Control Lists (ACLs) become bloated, leading to conflicting rules or accidental exposures (e.g., a broad "allow" rule superseding a strict "deny" rule).
Organizations should deploy commercial network filtering evaluation tools. These tools automate the sanity-checking of network filters, searching for logic errors or shadowed rules that might allow unintended services through the perimeter. These tools should be executed every time significant changes are made to firewall rule sets, router ACLs, or other filtering technologies.
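The shadowed-rule logic those tools automate, as an added Python example (not from the article or any vendor product): a first-match evaluation over a constructed rule set that reports every rule an earlier rule fully covers, distinguishing the page's "broad allow above a strict deny" conflict from a merely redundant rule. Partial overlaps and IPv6 are out of scope for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class Rule:
    name: str
    action: str              # "allow" or "deny"
    proto: str               # "tcp", "udp" or "any"
    src: str                 # source CIDR
    dst: str                 # destination CIDR
    dport: Tuple[int, int]   # inclusive destination port range; (0, 65535) means any

def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet matched by `inner` would already match `outer`."""
    if outer.proto != "any" and outer.proto != inner.proto:
        return False
    if not ipaddress.ip_network(inner.src).subnet_of(ipaddress.ip_network(outer.src)):
        return False
    if not ipaddress.ip_network(inner.dst).subnet_of(ipaddress.ip_network(outer.dst)):
        return False
    return outer.dport[0] <= inner.dport[0] and inner.dport[1] <= outer.dport[1]

def find_shadowed(rules: List[Rule]) -> List[dict]:
    """First-match evaluation: report each rule fully covered by an earlier one;
    opposite action = conflict (the strict rule never fires), same action = redundant."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                findings.append({"rule": later.name, "shadowed_by": earlier.name,
                                 "severity": "conflict" if earlier.action != later.action else "redundant"})
                break
    return findings

# Constructed rule set (sample data, not from any real firewall). Rule 2 is the
# page's example: a broad "allow" placed above a strict "deny".
SAMPLE_RULES = [
    Rule("allow-any-to-servers", "allow", "tcp", "0.0.0.0/0", "10.10.0.0/16", (1, 65535)),
    Rule("deny-telnet-core", "deny", "tcp", "0.0.0.0/0", "10.10.5.20/32", (23, 23)),
    Rule("allow-dns-servers", "allow", "udp", "10.0.0.0/8", "10.10.5.0/24", (53, 53)),
    Rule("allow-ssh-servers", "allow", "tcp", "10.0.0.0/8", "10.10.0.0/16", (22, 22)),
    Rule("deny-all", "deny", "any", "0.0.0.0/0", "0.0.0.0/0", (0, 65535)),
]

if __name__ == "__main__":
    for f in find_shadowed(SAMPLE_RULES):
        print(f"{f['severity'].upper()}: {f['rule']} is shadowed by {f['shadowed_by']}")
```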
Integration with Logging and Monitoring
Complete infrastructure management requires comprehensive logging. Network devices generate critical telemetry regarding access attempts, configuration changes, and traffic flows. Ensure that all AAA events, management access logs, and firewall traffic logs are ingested into a centralized SIEM, acting as the foundation for CIS Control 8: Audit Log Management and CIS Control 13: Network Monitoring and Defense.