Network Trace
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

15) Does your organisation keep a list of approved network connections (such as site to site VPNs) between your corporate network and third parties?

August 30, 2022
Network and Cloud Security
Approved Network Connection List

Answer yes if your organisation keeps a list of approved network connections between its own network and any third party networks.

What is the control?

You may have connections from your internal network to third-parties for a number of reasons. For example, an outside company may be processing data for an internal process, or handling transactions for your e-commerce site’s back end.

It’s important that these connections are well documented as the information is needed to support a number of security processes (typically those focused on limiting access to only what is needed).

Why should I have it?

Without a detailed inventory of network connections, what traffic is expected over them, and what business purpose they serve, it would not be possible to apply a “deny all” policy on the network as the accepted exceptions wouldn’t be known.

Nor would it be possible to configure the network firewalls to allow only the needed ports, or your intrusion detection systems to be configured with the right rules to discern anomalous outside traffic from normal traffic.

Finally, if the functions requiring the outside connections are terminated (due to a change in service or a contract termination) there would be no way of associating what access and configuration should be allowed or disallowed as a result.

All of these things would lead to a lack of understanding of what network connections are active and justified, which each unaccounted connection adding potential security risks over time that could result in unauthorised traffic and a breach of your internal corporate network.

How to implement the control

You should maintain a register of all third-party connections that is fed by your change and/or procurement processes and referred to any time a service is provisioned, changed, or terminated. This register should then feed into your networking, firewall rule, security configuration update (for things such as IDS, EDR, SIEM, etc.), and other relevant processes.

There are numerous consultancies or individual consultants that will be able to assist in crafting the correct security architecture in a way that meets your business and technical requirements. Please message us if you would like a recommendation.

If you would like to contribute to this article or provide feedback, please email Contributors will be recognised on our contributors page.

Pattern Trapezoid Mesh

Defend against supply chain attacks with Defend-As-One.

No organisation is an island.