How to Meet Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 2-5-2

Practical guide for SMBs to implement Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 2-5-2

January 17, 2026

Requirement

Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 2-5-2 – The cybersecurity requirements for network security management must be implemented.

Understanding the Requirement

This control requires your organization to implement a collection of network security measures that together protect network infrastructure, services, and users. Following the Essential Cybersecurity Controls (ECC – 2 : 2024) framework, the expectation is practical network segmentation, perimeter and internal protections (firewalls, IDS/IPS), safe internet browsing, wireless security, DNS protection, and ongoing procedures to keep these protections effective and aligned with law and policy.

Technical Implementation

  • Segment networks and enforce separation: Create logical or physical network zones (e.g., production, development, office, guest) using VLANs, separate subnets, or physically distinct switches. Put sensitive assets (production controllers, payment systems) in isolated segments and restrict cross-zone traffic via firewall rules or router ACLs. Document and minimize allowed flows using a simple allowlist approach.
  • Deploy and configure perimeter and internal firewalls: Use a next-generation firewall (NGFW) or unified threat management (UTM) device at your edge and consider internal firewalls between zones. Implement least-privilege rules, block unknown inbound connections, enable application-aware filtering, and schedule regular rule reviews to remove stale or overly permissive entries.
  • Implement defense-in-depth: Layer protections — endpoint protection (EDR/antivirus), network IDS/IPS (e.g., Suricata or managed detection), secure web gateway or URL filtering, and centralized logging. Where possible combine complementary controls (email filtering, DNS filtering, endpoint hardening) so attackers must breach multiple controls to succeed.
  • Protect internet browsing and defend against APTs: Enforce web filtering or DNS-based filtering to block malicious and high-risk sites; deploy browser hardening (disable legacy plugins, enforce modern browsers), and ensure secure TLS/HTTPS inspection where necessary. Consider browser isolation or sandboxing for high-risk browsing and enable exploit mitigation and EDR to detect post-exploit activity.
  • Secure wireless and port/protocol management: Use WPA2-Enterprise or WPA3 with strong authentication for corporate Wi‑Fi and a separate guest SSID on an isolated VLAN. Disable unused physical ports and services, restrict management interfaces to dedicated management networks, and block unnecessary protocols at the firewall (e.g., SMB over internet-facing interfaces).
  • Detect intrusions and secure DNS: Deploy IDS/IPS sensors (open-source or managed) tuned to reduce false positives and integrate alerts into a logging/monitoring system. Harden DNS by preventing unauthorized zone transfers, using DNS filtering services or DNSSEC where supported, and clearly define trusted DNS resolvers. Maintain logs for forensic analysis and compliance.
  • Operations and continuous governance: Publish and maintain procedures that ensure continuous enforcement—patching network device firmware, regularly reviewing configurations, conducting quarterly segmentation and access reviews, and maintaining compliance with relevant laws. If internal expertise is limited, consider an MSSP for monitoring and rule tuning.

Example in a Small or Medium Business

A 60-person manufacturing SMB separates its networks into four VLANs: office, engineering/development, production control (PLCs), and guest Wi‑Fi. The company places an NGFW at the perimeter to control internet traffic and a second internal firewall to restrict traffic between the office and production VLANs so only specific maintenance hosts can reach PLCs. Web filtering and DNS-based blocking are applied at the edge to stop known malicious sites, and all endpoints run an EDR agent to detect post-exploitation activity. The wireless network uses WPA3 for employees and a captive-portal guest SSID tied to the guest VLAN; management of access points is restricted to a management subnet accessible only via VPN. The SMB deploys an open-source IDS on a SPAN port and routes alerts to a centralized log server monitored weekly; critical alerts trigger an on-call response from an external MSSP. Finally, the IT manager maintains a short procedures document that mandates monthly patching, quarterly firewall-rule reviews, and an annual tabletop exercise to validate isolation between development and production environments.
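The documented allowlist of flows and the quarterly firewall-rule review described above can be checked mechanically against a rule export. The following Python script is an added example, not part of the original guide; the subnets, the maintenance-host range, the PLC port (Modbus/TCP 502) and the rule export format are assumptions constructed for illustration.

```python
import ipaddress as ip

# Constructed addressing for the four VLANs in the SMB example (assumed values).
ZONES = {
    "office":      ip.ip_network("10.10.10.0/24"),
    "engineering": ip.ip_network("10.10.20.0/24"),
    "production":  ip.ip_network("10.10.30.0/24"),
    "guest":       ip.ip_network("10.10.40.0/24"),
}
# Documented allowlist (assumed): (source, destination, protocol, port).
ALLOWED_FLOWS = [
    # Only the maintenance hosts (a constructed /30 in office) may reach the PLCs.
    (ip.ip_network("10.10.10.8/30"), ZONES["production"], "tcp", 502),
]

def zone_of(net):
    """Name of the zone that fully contains net, or None if no single zone does."""
    return next((z for z, n in ZONES.items() if net.subnet_of(n)), None)

def audit(rules):
    """Return (rule_id, finding) for every permit rule that needs review."""
    findings = []
    for r in rules:
        if r["action"] != "allow":
            continue
        src, dst = ip.ip_network(r["src"]), ip.ip_network(r["dst"])
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if "any" in (r["proto"], r["port"]):
            findings.append((r["id"], "overly permissive: any protocol or port"))
        elif src_zone is None or dst_zone is None:
            findings.append((r["id"], "not confined to one documented zone"))
        elif src_zone != dst_zone and not any(
                src.subnet_of(a_src) and dst.subnet_of(a_dst)
                and (r["proto"], r["port"]) == (a_proto, a_port)
                for a_src, a_dst, a_proto, a_port in ALLOWED_FLOWS):
            findings.append((r["id"], f"undocumented flow: {src_zone} -> {dst_zone}"))
    return findings

# Constructed rule export, not taken from any real device.
SAMPLE_RULES = [
    {"id": 1, "src": "10.10.10.9/32", "dst": "10.10.30.15/32", "proto": "tcp", "port": 502, "action": "allow"},
    {"id": 2, "src": "10.10.10.0/24", "dst": "10.10.30.0/24", "proto": "tcp", "port": 502, "action": "allow"},
    {"id": 3, "src": "10.10.40.0/24", "dst": "10.10.10.0/24", "proto": "tcp", "port": 445, "action": "allow"},
    {"id": 4, "src": "10.10.20.5/32", "dst": "10.10.30.0/24", "proto": "any", "port": "any", "action": "allow"},
    {"id": 5, "src": "0.0.0.0/0", "dst": "10.10.30.0/24", "proto": "tcp", "port": 502, "action": "allow"},
]

if __name__ == "__main__":
    for rule_id, finding in audit(SAMPLE_RULES):
        print(f"rule {rule_id}: {finding}")
```

Rule 2 is flagged even though its port matches the allowlist, because it opens the PLC segment to the whole office VLAN rather than to the documented maintenance hosts.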

Summary

By combining clear network segmentation and hardened perimeter devices with layered detection and browsing protections, SMBs can meet the network security management requirements of the ECC control. Practical technical measures (firewalls, VLANs, IDS/IPS, DNS and web filtering, secure Wi‑Fi) backed by documented procedures for continuous operation, reviews, and lawful compliance create a resilient, maintainable posture that limits exposure and speeds response to incidents.

 
