A complete network security audit checklist for IT professionals, security auditors, and compliance teams. This checklist covers firewall configuration, network segmentation, access control, wireless security, VPN hardening, monitoring, and endpoint protection -- mapped to CIS Controls v8 where applicable.
Use this checklist for internal audits, client assessments, compliance preparation (CMMC, HIPAA, PCI DSS, SOC 2), or as a baseline for your organization's security program.
- How to Use This Checklist
- 1. Firewall and Perimeter Security
- 2. Network Segmentation
- 3. Access Control
- 4. Wireless Security
- 5. VPN and Remote Access
- 6. Monitoring and Logging
- 7. DNS Security
- 8. Email Security
- 9. Endpoint Protection
- 10. Patch Management
- 11. Physical Network Security
- 12. Incident Response Readiness
- Audit Summary Template
## How to Use This Checklist

- Assign an auditor to each section (or complete all sections yourself)
- Check each item -- mark as Compliant, Non-Compliant, N/A, or Partial
- Document evidence for each finding (screenshots, configs, policies)
- Prioritize remediations using the risk ratings provided (Critical, High, Medium, Low)
- Re-audit after remediation to verify fixes
- Schedule recurring audits -- quarterly for critical infrastructure, annually for the full checklist
Status Key:
- `[x]` = Compliant
- `[ ]` = Not checked / Non-compliant
- `[N/A]` = Not applicable
- `[P]` = Partial -- requires remediation
## 1. Firewall and Perimeter Security

CIS Control 4: Secure Configuration of Enterprise Assets and Software; CIS Control 13: Network Monitoring and Defense
- Default deny (implicit deny all) rule is in place on all firewalls
- Inbound rules allow only explicitly required traffic
- Outbound rules restrict unnecessary egress traffic
- No "any/any" rules exist in the rule base
- Rules are documented with business justification, owner, and expiration date
- Unused and expired rules have been removed (review within last 90 days)
- Rule ordering is optimized (most-hit rules first, deny rules appropriately placed)
- Firewall firmware is current and within vendor support lifecycle
- Intrusion Detection/Prevention System (IDS/IPS) is deployed at the perimeter
- IDS/IPS signatures are updated at least weekly
- DDoS mitigation is in place (hardware, cloud-based, or ISP-provided)
- All public-facing services are inventoried and authorized
- External vulnerability scan completed within the last 30 days
- No unnecessary ports are open on public IP addresses
- Administrative interfaces are not accessible from the internet
- GeoIP blocking is enabled for countries with no business need
- Firewall management interface uses HTTPS/SSH only (no HTTP/Telnet)
- Management access restricted to specific IP addresses/subnets
- Firewall admin accounts use MFA
- Firewall configuration is backed up automatically (at least weekly)
- Configuration changes go through a change management process
- Firewall logs are forwarded to a centralized SIEM/log management system
Risk Rating: CRITICAL -- Firewall misconfiguration (permissive rules, exposed management interfaces, stale exceptions) is a recurring root cause in breach investigations.
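The rule-base items above (default deny last, no any/any rules, owner and justification on every rule, expired and zero-hit rules removed, admin interfaces not reachable from the internet) are easiest to verify by running a script over a policy export rather than reading the GUI. The following is an added example, not code from the checklist's authors; the rule-base format, the hypothetical `hits_90d` counter and the management-service list are assumptions, and the rules themselves are constructed sample data:

```python
"""Audit a firewall rule-base export for the rule-base items above.

Constructed sample data, not a real vendor export: each rule is a dict with the
fields most firewalls expose in a CSV/JSON policy export (action, source,
destination, service, owner, justification, expiry, hit count).
"""
from datetime import date

ANY = "any"
# Services that are management interfaces when the destination is the firewall
# or an internal host; reaching them from "any" violates the admin-interface item.
MGMT_SERVICES = {"tcp/22", "tcp/23", "tcp/80", "tcp/443", "udp/161"}
PRIVATE_PREFIXES = ("10.", "192.168.", "172.16.")  # enough for the sample; use ipaddress in production

# Constructed rule base in top-to-bottom evaluation order (no explicit default deny at the end).
SAMPLE_RULES = [
    {"id": 1, "action": "allow", "src": ANY, "dst": "203.0.113.10", "svc": "tcp/443",
     "owner": "web-team", "justification": "public website", "expires": "2026-12-31", "hits_90d": 120000},
    {"id": 2, "action": "allow", "src": ANY, "dst": ANY, "svc": ANY,
     "owner": "", "justification": "", "expires": "", "hits_90d": 5},
    {"id": 3, "action": "allow", "src": "198.51.100.0/24", "dst": "10.0.0.5", "svc": "tcp/22",
     "owner": "netops", "justification": "vendor SSH", "expires": "2024-01-31", "hits_90d": 0},
    {"id": 4, "action": "allow", "src": ANY, "dst": "10.0.0.1", "svc": "tcp/443",
     "owner": "netops", "justification": "firewall GUI", "expires": "2027-01-01", "hits_90d": 40},
    {"id": 5, "action": "allow", "src": "10.0.0.0/8", "dst": "10.0.1.0/24", "svc": "tcp/3306",
     "owner": "dba", "justification": "app to DB", "expires": "2027-01-01", "hits_90d": 0},
]

def is_default_deny(rule):
    return rule["action"] == "deny" and rule["src"] == ANY and rule["dst"] == ANY and rule["svc"] == ANY

def audit_rules(rules, today, cleanup_days=90):
    """Return (rule_id, severity, finding) tuples; today is an ISO date string."""
    today = date.fromisoformat(today)
    findings = []
    # Checklist: an explicit any/any/any deny must be the last rule evaluated.
    if not rules or not is_default_deny(rules[-1]):
        findings.append((None, "CRITICAL", "no explicit any/any/any deny as the last rule"))
    for r in rules:
        if r["action"] != "allow":
            continue
        if r["src"] == ANY and r["dst"] == ANY and r["svc"] == ANY:
            findings.append((r["id"], "CRITICAL", "any/any/any allow rule"))
        elif r["src"] == ANY and r["svc"] in MGMT_SERVICES and r["dst"].startswith(PRIVATE_PREFIXES):
            findings.append((r["id"], "CRITICAL",
                             "management service %s on %s reachable from any source" % (r["svc"], r["dst"])))
        if not r["owner"] or not r["justification"]:
            findings.append((r["id"], "HIGH", "no owner or business justification recorded"))
        if not r["expires"]:
            findings.append((r["id"], "MEDIUM", "no expiration date"))
        elif date.fromisoformat(r["expires"]) < today:
            findings.append((r["id"], "HIGH", "expired on %s but still active" % r["expires"]))
        if r["hits_90d"] == 0:
            findings.append((r["id"], "MEDIUM", "zero hits in the last %d days; candidate for removal" % cleanup_days))
    return findings

def worst_severity(findings):
    """Highest severity present, for the section's risk column."""
    order = ["CRITICAL", "HIGH", "MEDIUM", "LOW"]
    return min((f[1] for f in findings), key=order.index, default="NONE")

if __name__ == "__main__":
    for rule_id, sev, text in audit_rules(SAMPLE_RULES, "2025-06-01"):
        print("%-8s rule %-4s %s" % (sev, rule_id if rule_id is not None else "-", text))
```

Export the live policy in the vendor's CSV/JSON form, map its columns onto the fields used here, and keep the report with the audit evidence; the zero-hit check only means something if the export includes counters that have been accumulating for the full 90-day review period.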
## 2. Network Segmentation

CIS Control 12: Network Infrastructure Management
- Production and development/test environments are on separate VLANs
- PCI cardholder data environment (CDE) is isolated in its own segment
- Guest network is completely isolated from internal resources
- IoT devices are on a dedicated, restricted VLAN
- Management/admin network (iLO, IPMI, switch management) is isolated
- VLAN hopping mitigations are in place (disable DTP, set native VLAN to unused)
- Server-to-server communication is restricted to required flows only
- Database servers do not accept connections from end-user workstations directly
- Lateral movement between segments requires authentication
- East-west traffic is monitored and logged
- Critical assets (domain controllers, backup servers) have additional access controls
- Current network diagram exists and was updated within the last 90 days
- All network segments are documented with purpose and access requirements
- IP address management (IPAM) records are accurate
- Inter-VLAN routing rules are documented and reviewed quarterly
Risk Rating: HIGH -- Flat networks allow attackers to move laterally with minimal effort.
## 3. Access Control

CIS Control 5: Account Management; CIS Control 6: Access Control Management
- 802.1X port-based authentication is enabled on all switch ports
- RADIUS/TACACS+ is used for centralized network device authentication
- Default credentials on all network devices have been changed
- Shared/generic accounts on network devices are eliminated
- Network device accounts use role-based access control (RBAC)
- Service accounts have minimum required privileges
- NAC solution is deployed to validate devices before granting access
- Unknown/unauthorized devices are quarantined or blocked
- Guest device onboarding process is defined and enforced
- Device health checks (patch level, AV status) are performed at connection
- MAC address filtering is used only as a supplementary control, never the sole control (a MAC address is trivially spoofed)
- Network admin access requires MFA
- Privileged sessions are logged and auditable
- Admin access is time-limited (just-in-time access where possible)
- Emergency access ("break glass") accounts exist with monitored usage
- Access reviews are conducted quarterly for all network device accounts
Risk Rating: CRITICAL -- Compromised network device credentials give attackers full infrastructure control.
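The VLAN hopping item in section 2 (disable DTP, move the trunk native VLAN off VLAN 1), the 802.1X item at the top of this section and the unused-port item in section 11 can all be checked from a switch's running configuration. The following is an added example written for this checklist, not code from its authors: it parses a constructed Cisco IOS-style configuration (the interface names and descriptions are made up) using only standard IOS commands (`switchport mode`, `switchport nonegotiate`, `switchport trunk native vlan`, `authentication port-control auto`, `dot1x pae authenticator`, `shutdown`); other vendors need their own keyword table.

```python
"""Audit an IOS-style switch configuration for DTP, native VLAN and 802.1X items.

SAMPLE_CONFIG is constructed for this example and is not from a real device.
"""

SAMPLE_CONFIG = """\
!
interface GigabitEthernet1/0/1
 description user port, 802.1X enabled
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet1/0/2
 description user port, no 802.1X
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet1/0/3
 description spare, left negotiating
 switchport mode dynamic desirable
!
interface GigabitEthernet1/0/4
 description spare, administratively down
 switchport mode access
 shutdown
!
interface GigabitEthernet1/0/23
 description uplink, hardened
 switchport mode trunk
 switchport trunk native vlan 999
 switchport nonegotiate
!
interface GigabitEthernet1/0/24
 description uplink, defaults
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
"""

def parse_interfaces(config):
    """Return {interface name: [indented config lines]} for every 'interface' block."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            blocks[current] = []
        elif line.startswith(" ") and current:
            blocks[current].append(line.strip())
        else:
            current = None          # '!' or a global command ends the block
    return blocks

def audit_switch(config):
    """Return sorted (interface, finding) tuples for the checklist items."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        cmds = set(lines)
        if "shutdown" in cmds:
            continue                # unused port is disabled: the section 11 item is met
        mode = next((l for l in lines if l.startswith("switchport mode ")), None)
        if mode is None or "dynamic" in mode:
            # DTP is active on dynamic ports and on ports with no explicit mode
            findings.append((name, "DTP active (%s); set 'switchport mode access' or 'trunk' plus 'switchport nonegotiate'"
                             % (mode or "no explicit mode, platform default is dynamic")))
        if mode == "switchport mode trunk":
            if "switchport nonegotiate" not in cmds:
                findings.append((name, "trunk still answers DTP; add 'switchport nonegotiate'"))
            native = next((l for l in lines if l.startswith("switchport trunk native vlan ")), None)
            if native is None or native.endswith(" 1"):
                findings.append((name, "native VLAN is 1; move it to an unused VLAN"))
        if mode == "switchport mode access":
            if "authentication port-control auto" not in cmds or "dot1x pae authenticator" not in cmds:
                findings.append((name, "access port without 802.1X authenticator"))
    return sorted(findings)

if __name__ == "__main__":
    for iface, text in audit_switch(SAMPLE_CONFIG):
        print("%-24s %s" % (iface, text))
```

Feed it the output of `show running-config` collected over the management network; ports that are up but carry none of the expected commands are the ones to walk physically, since they are usually the "temporary" patches that the unused-port item exists to catch.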
## 4. Wireless Security

CIS Control 12: Network Infrastructure Management
- WPA3-Enterprise (or WPA2-Enterprise minimum) is enforced on all corporate SSIDs
- Open networks and WEP are completely disabled
- Corporate SSID uses 802.1X with RADIUS authentication
- Guest wireless is on an isolated VLAN with bandwidth limits
- Hidden SSIDs may be used for management networks as defense in depth only, never as an access control (the SSID is recovered passively from client probe requests)
- Wireless access points run current firmware
- Rogue AP detection is enabled and monitored
- AP physical security prevents unauthorized reset or removal
- Wireless controller/management interface is not reachable from wireless clients
- Wireless network is included in regular vulnerability scans
- RF coverage is managed to minimize signal leakage outside facility
Risk Rating: HIGH -- Wireless networks expand the attack surface beyond physical boundaries.
## 5. VPN and Remote Access

CIS Control 12: Network Infrastructure Management; CIS Control 13: Network Monitoring and Defense
- VPN uses modern protocols (IKEv2/IPSec, WireGuard, or OpenVPN)
- Legacy protocols (PPTP, L2TP without IPSec) are disabled
- VPN requires MFA for all connections
- Split tunneling is disabled (or risk-assessed and documented if enabled)
- VPN concentrator firmware is current and patched
- VPN logs include source IP, user identity, connection time, and bytes transferred
- Idle VPN sessions time out after a defined period (e.g., 30 minutes)
- VPN uses strong cipher suites: AES-256 (GCM preferred) or ChaCha20-Poly1305 for encryption, SHA-256 or stronger for integrity/PRF, and DH group 14 (2048-bit MODP) or an elliptic-curve group for key exchange; DES/3DES, MD5, SHA-1 and DH groups 1, 2 and 5 are disabled
- RDP is not exposed directly to the internet (3389/TCP)
- Remote access goes through a jump server or bastion host
- Jump server access is logged, monitored, and requires MFA
- Session recording is enabled for privileged remote sessions
- NLA (Network Level Authentication) is required for all RDP connections
Risk Rating: CRITICAL -- Exposed RDP and weak VPN configurations are top ransomware entry vectors.
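The external-scan items in section 1 (every public-facing service inventoried and authorized, no unnecessary open ports, no admin interfaces on the internet) and the RDP item above are verified from the same artifact: an external port scan compared against the authorized service list. The following is an added example, not code from the checklist's authors. It parses Nmap's grepable output format (`-oG`); the scan text, the inventory and the administrative-port table are constructed for the example, and the port table is an assumption to adjust per environment.

```python
"""Compare an external Nmap scan against the authorized public-service inventory.

Parses Nmap's grepable output (-oG). The scan text and the inventory below are
constructed for this example, not results from a real scan.
"""

# Constructed inventory: public IP -> authorized open TCP ports
AUTHORIZED = {
    "203.0.113.10": {80, 443},
    "203.0.113.11": {443},
}
# Administrative services that should never be reachable from the internet (assumed list)
ADMIN_PORTS = {21: "ftp", 22: "ssh", 23: "telnet", 3389: "rdp", 5900: "vnc", 5985: "winrm", 5986: "winrm-https"}

SAMPLE_SCAN = """\
# Nmap 7.94 scan initiated Mon Jun  2 09:00:00 2025 as: nmap -sS -p- -oG external.gnmap 203.0.113.8/29
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (65532)
Host: 203.0.113.11 ()\tStatus: Up
Host: 203.0.113.11 ()\tPorts: 443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///, 445/filtered/tcp//microsoft-ds///\tIgnored State: closed (65532)
# Nmap done at Mon Jun  2 09:40:00 2025 -- 8 IP addresses (2 hosts up) scanned in 2400.12 seconds
"""

def parse_gnmap(text):
    """Yield (ip, port, proto, state, service) from each 'Ports:' line.

    In -oG output every entry is port/state/proto/owner/service/rpc/version/.
    """
    for line in text.splitlines():
        if not line.startswith("Host:") or "\tPorts:" not in line:
            continue
        ip = line.split()[1]
        ports_field = line.split("\tPorts:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            parts = entry.strip().split("/")
            if len(parts) >= 5 and parts[0].isdigit():
                yield ip, int(parts[0]), parts[2], parts[1], parts[4]

def audit_scan(text, authorized=AUTHORIZED, admin_ports=ADMIN_PORTS):
    """Return (ip, port, severity, finding) for open TCP ports that fail the inventory check."""
    findings = []
    for ip, port, proto, state, service in parse_gnmap(text):
        if state != "open" or proto != "tcp":
            continue                        # filtered/closed ports are not exposure
        allowed = port in authorized.get(ip, set())
        if port in admin_ports and not allowed:
            findings.append((ip, port, "CRITICAL",
                             "administrative service (%s) exposed to the internet" % admin_ports[port]))
        elif port in admin_ports:
            findings.append((ip, port, "MEDIUM",
                             "authorized administrative service (%s); confirm MFA and source allow-list" % admin_ports[port]))
        elif not allowed:
            findings.append((ip, port, "HIGH",
                             "open port not in the authorized service inventory (%s)" % (service or "unknown")))
    return findings

if __name__ == "__main__":
    for ip, port, sev, text in audit_scan(SAMPLE_SCAN):
        print("%-8s %s:%-5d %s" % (sev, ip, port, text))
```

Run the scan from outside the perimeter (a cloud host or a third-party scanner) so that it sees what an attacker sees; a scan from inside the firewall proves nothing about the inbound policy. Save the `.gnmap` file with the audit evidence for the 30-day external-scan item.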
## 6. Monitoring and Logging

CIS Control 8: Audit Log Management; CIS Control 13: Network Monitoring and Defense
- All network devices forward logs to a centralized SIEM or log management platform
- Firewall logs include both allowed and denied traffic
- VPN authentication logs are collected
- DNS query logs are collected
- DHCP lease logs are collected
- Switch port authentication events (802.1X) are logged
- Wireless AP logs (associations, disassociations, rogue detection) are collected
- Log timestamps are synchronized via NTP across all devices
- Logs are retained for at least 90 days online, 1 year in archive (or per regulatory requirement)
- Log storage is sized to avoid premature rotation
- Logs are tamper-protected (write-once storage, separate log server)
- Log integrity monitoring detects unauthorized modification
- Alerts are configured for: failed login attempts (threshold), firewall rule changes, new admin accounts, VPN anomalies
- Alert fatigue is managed -- alerts are tuned to reduce false positives
- After-hours alerts route to an on-call responder
- Network traffic baseline exists for anomaly detection
- NetFlow or sFlow data is collected for traffic analysis
Risk Rating: HIGH -- Without monitoring, breaches go undetected for months (IBM's Cost of a Data Breach Report 2023 put the mean time to identify a breach at 204 days).
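The alerting items above (failed-login thresholds, firewall rule changes, after-hours routing to on-call) are the part of this section that auditors most often find configured on paper but not actually firing. The following is an added example, not code from the checklist's authors: detection logic run over constructed syslog lines that imitate Cisco IOS login messages and the ASA "user executed command" message after a SIEM has normalized timestamps to ISO 8601. The threshold, window, sensitive-command list and business hours are assumptions.

```python
"""Detection logic for the alerting items above, run over constructed syslog lines.

The lines imitate Cisco IOS/ASA message formats forwarded through a SIEM with
ISO 8601 timestamps; they are constructed for this example, not real device logs.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_LOGS = [
    "2025-06-02T09:15:01Z fw01 %ASA-5-111008: User 'admin' executed the 'access-list outside_in extended permit tcp any host 10.0.0.5 eq 3389' command.",
    "2025-06-02T09:15:02Z fw01 %ASA-5-111008: User 'admin' executed the 'write memory' command.",
] + [
    "2025-06-02T22:03:%02dZ sw01 %%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed]" % sec
    for sec in (10, 14, 19, 25, 31)
] + [
    "2025-06-02T22:04:40Z sw01 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 198.51.100.7] [localport: 22]",
    "2025-06-02T23:00:00Z sw02 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: netops] [Source: 10.0.0.50] [localport: 22] [Reason: Login Authentication Failed]",
]

FAILED_RE = re.compile(r"LOGIN_FAILED: .*\[user: (\S+)\] \[Source: ([\d.]+)\]")
SUCCESS_RE = re.compile(r"LOGIN_SUCCESS: .*\[user: (\S+)\] \[Source: ([\d.]+)\]")
CMD_RE = re.compile(r"%ASA-5-111008: User '(\S+)' executed the '([^']*)' command")
# Commands that change the rule base, accounts or logging: alert on every one (assumed list)
SENSITIVE_CMDS = ("access-list", "username", "no logging", "aaa ", "enable password")

def parse_syslog(line):
    ts, host, msg = line.split(" ", 2)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, msg

def detect(lines, threshold=5, window=timedelta(minutes=5)):
    """Return (timestamp, severity, host, message) alerts in log order."""
    alerts = []
    failures = defaultdict(deque)          # (host, source IP) -> failure timestamps inside the window
    for line in lines:
        ts, host, msg = parse_syslog(line)
        m = CMD_RE.search(msg)
        if m:
            if m.group(2).startswith(SENSITIVE_CMDS):
                alerts.append((ts, "HIGH", host, "config change by %s: %s" % m.groups()))
            continue
        m = FAILED_RE.search(msg)
        if m:
            q = failures[(host, m.group(2))]
            q.append(ts)
            while ts - q[0] > window:      # drop failures that fell out of the sliding window
                q.popleft()
            if len(q) == threshold:        # fire once, at the moment the threshold is crossed
                alerts.append((ts, "MEDIUM", host,
                               "%d failed logins from %s within %s" % (threshold, m.group(2), window)))
            continue
        m = SUCCESS_RE.search(msg)
        if m and len(failures[(host, m.group(2))]) >= threshold:
            n = len(failures[(host, m.group(2))])
            alerts.append((ts, "CRITICAL", host,
                           "successful login from %s after %d failures; possible brute force" % (m.group(2), n)))
    return alerts

def route(alert, business_hours=(7, 19)):
    """Send after-hours alerts (UTC) to the on-call responder, the rest to the day queue."""
    return "queue" if business_hours[0] <= alert[0].hour < business_hours[1] else "on-call"

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert[0].isoformat(), alert[1], alert[2], alert[3], "->", route(alert))
```

The success-after-failures rule is the one worth tuning first: a threshold alert on its own is mostly noise from scanners, while a success from the same source immediately after the threshold is the signal that should page someone. Replay a captured day of real logs through the rules before trusting the tuned thresholds.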
## 7. DNS Security

- Internal DNS servers are separated from external (authoritative) DNS
- Corporate resolvers use DNS over TLS (DoT) or DNS over HTTPS (DoH) for their upstream queries, while client-side DoH to third-party resolvers is blocked so that queries still pass through the logged and filtered corporate resolvers
- DNSSEC is enabled for owned domains
- DNS sinkholing blocks known malicious domains
- DNS query logging is enabled and forwarded to SIEM
- Unauthorized DNS resolvers are blocked (only approved DNS servers allowed)
- DNS cache poisoning protections are in place (randomized source ports, DNSSEC validation)
Risk Rating: MEDIUM -- DNS is a common exfiltration and C2 channel.
## 8. Email Security

CIS Control 9: Email and Web Browser Protections
- SPF records are published with a `-all` (hard fail) qualifier; `~all` (soft fail) is acceptable only when DMARC enforces `p=quarantine` or `p=reject`
- DKIM signing is enabled for outbound email
- DMARC policy is set to `p=quarantine` or `p=reject` with `pct=100`, not `p=none`
- Email gateway scans attachments and URLs
- Macro-enabled Office documents are blocked or sandboxed
- External email is tagged with a visual warning banner
- Email authentication failures are logged and monitored
- Anti-phishing training is conducted at least quarterly
Risk Rating: CRITICAL -- Phishing remains the number one initial access vector.
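The SPF and DMARC items above are checked against the TXT records a domain actually publishes, not against what the email platform's console claims. The following is an added example, not code from the checklist's authors: it rates constructed records for fictional domains the way the checklist wording does (hard fail compliant, soft fail partial unless DMARC enforces, `p=none` non-compliant) and counts SPF lookup-cost mechanisms, since a record over the RFC 7208 limit of 10 evaluates to permerror and protects nothing. In a live audit the inputs come from `dig +short TXT example.com` and `dig +short TXT _dmarc.example.com`.

```python
"""Rate a domain's published SPF and DMARC records against the email-authentication items.

SAMPLE_RECORDS holds constructed records for fictional domains; in a live audit
fetch them with `dig +short TXT <domain>` and `dig +short TXT _dmarc.<domain>`.
"""

# Constructed: domain -> (SPF TXT record, DMARC TXT record or None if none is published)
SAMPLE_RECORDS = {
    "good.example":    ("v=spf1 ip4:203.0.113.0/24 include:_spf.mailvendor.example -all",
                        "v=DMARC1; p=reject; rua=mailto:dmarc@good.example"),
    "soft.example":    ("v=spf1 include:_spf.mailvendor.example ~all",
                        "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@soft.example"),
    "open.example":    ("v=spf1 include:_spf.mailvendor.example +all",
                        "v=DMARC1; p=none; rua=mailto:dmarc@open.example"),
    "missing.example": ("v=spf1 a mx -all", None),
}

def spf_lookup_count(record):
    """Count mechanisms that cost a DNS lookup (RFC 7208 caps the total at 10)."""
    n = 0
    for term in record.lower().split()[1:]:
        t = term.lstrip("+-~?")
        if t.startswith(("include:", "exists:", "redirect=")) or t.split(":")[0].split("/")[0] in ("a", "mx", "ptr"):
            n += 1
    return n

def rate_spf(record):
    """Return (status, note) for an SPF record per the checklist wording."""
    if not record or not record.lower().startswith("v=spf1"):
        return "NON-COMPLIANT", "no SPF record"
    if spf_lookup_count(record) > 10:
        return "NON-COMPLIANT", "more than 10 DNS lookups; receivers return permerror"
    last = record.lower().split()[-1]
    if last == "-all":
        return "COMPLIANT", "-all hard fail"
    if last == "~all":
        return "PARTIAL", "~all soft fail; receivers mark rather than reject"
    if last in ("+all", "all", "?all"):
        return "NON-COMPLIANT", "%s authorises any sender" % last
    return "NON-COMPLIANT", "no 'all' mechanism; unlisted senders evaluate neutral"

def parse_dmarc(record):
    """Split 'k=v; k=v' into a dict; values such as mailto: URIs keep their own '='."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def rate_dmarc(record):
    if not record or not record.upper().startswith("V=DMARC1"):
        return "NON-COMPLIANT", "no DMARC record"
    tags = parse_dmarc(record)
    p, pct = tags.get("p", "none").lower(), int(tags.get("pct", "100"))
    if p in ("quarantine", "reject") and pct == 100:
        return "COMPLIANT", "p=%s" % p
    if p in ("quarantine", "reject"):
        return "PARTIAL", "p=%s applied to only %d%% of failing mail" % (p, pct)
    return "NON-COMPLIANT", "p=none is monitor-only"

def rate_domain(spf, dmarc):
    """Combine the two ratings: soft-fail SPF is acceptable under DMARC enforcement."""
    s, d = rate_spf(spf), rate_dmarc(dmarc)
    if s[0] == "PARTIAL" and d[0] == "COMPLIANT":
        s = ("COMPLIANT", s[1] + " (covered by DMARC enforcement)")
    return {"spf": s, "dmarc": d}

if __name__ == "__main__":
    for domain, (spf, dmarc) in SAMPLE_RECORDS.items():
        r = rate_domain(spf, dmarc)
        print("%-16s SPF %-13s %s | DMARC %-13s %s" % (domain, r["spf"][0], r["spf"][1], r["dmarc"][0], r["dmarc"][1]))
```

Run it against every domain the organisation sends from, including marketing and transactional subdomains; a `pct` below 100 or a missing `rua` tag on an otherwise strict policy is the usual "partial" finding, because nobody is reading the aggregate reports that would reveal spoofing.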
## 9. Endpoint Protection

CIS Control 10: Malware Defenses
- EDR (Endpoint Detection and Response) is deployed on all endpoints
- Antivirus/anti-malware definitions update at least daily
- Host-based firewall is enabled on all workstations and servers
- USB device control restricts unauthorized removable media
- Application whitelisting is enforced on critical systems
- Endpoints are encrypted (BitLocker, FileVault, LUKS)
Risk Rating: HIGH -- Endpoints are the most common initial compromise point.
## 10. Patch Management

CIS Control 7: Continuous Vulnerability Management
- Critical OS patches are applied within 14 days of release
- Network device firmware is patched within 30 days for critical vulnerabilities
- Third-party application patches are included in the patch cycle
- Patch compliance is tracked and reported monthly
- Emergency patching process exists for zero-day vulnerabilities
- End-of-life systems are documented with risk acceptance or migration plan
Risk Rating: CRITICAL -- Unpatched systems are the easiest targets for attackers.
## 11. Physical Network Security

- Server room/data center requires badge access
- Network closets and wiring cabinets are locked
- Security cameras monitor critical infrastructure areas
- Unused network ports are disabled at the switch
- Visitor access to network areas requires escort
- Environmental controls (temperature, humidity, water detection) are monitored and alarmed
Risk Rating: MEDIUM -- Physical access bypasses most logical security controls.
## 12. Incident Response Readiness

- Network incident response procedures are documented
- Network team has practiced incident scenarios (tabletop exercises)
- Network isolation procedures can be executed within 15 minutes
- Out-of-band management access exists for emergency scenarios
- Forensic tools are available for packet capture and analysis
- Contact information for ISP abuse teams and law enforcement is on file
Risk Rating: HIGH -- Response time directly correlates with breach impact and cost.
## Audit Summary Template

Complete this after finishing the checklist:
| Section | Total Items | Compliant | Non-Compliant | Partial | N/A | Score |
|---|---|---|---|---|---|---|
| 1. Firewall/Perimeter | | | | | | % |
| 2. Segmentation | | | | | | % |
| 3. Access Control | | | | | | % |
| 4. Wireless | | | | | | % |
| 5. VPN/Remote Access | | | | | | % |
| 6. Monitoring/Logging | | | | | | % |
| 7. DNS Security | | | | | | % |
| 8. Email Security | | | | | | % |
| 9. Endpoint Protection | | | | | | % |
| 10. Patch Management | | | | | | % |
| 11. Physical Security | | | | | | % |
| 12. Incident Response | | | | | | % |
| TOTAL | | | | | | % |
Auditor: [Name]
Date: [Date]
Next Audit Due: [Date]
| Finding | Section | Risk | Remediation | Owner | Due Date | Status |
|---|---|---|---|---|---|---|
| [Finding] | [#] | Critical | [Action] | [Name] | [Date] | Open |
| [Finding] | [#] | High | [Action] | [Name] | [Date] | Open |
Need expert help securing your infrastructure? Petronella Technology Group provides:
- Managed IT Services - 24/7 monitoring and management
- Cybersecurity Assessments - Comprehensive security audits
- Network Security - Firewall, IDS/IPS, segmentation
- AI-Powered Security - Next-gen threat detection
Petronella Technology Group is a CMMC-RP certified cybersecurity firm in Raleigh, NC. Contact us or call (919) 348-4912.
Created and maintained by Petronella Technology Group - a cybersecurity and managed IT services firm based in Raleigh, NC. With 23+ years of experience and zero client breaches, we help businesses secure their infrastructure and achieve compliance.
- Website: petronellatech.com
- Phone: (919) 348-4912
- Free Assessment: Book a consultation
MIT License - See LICENSE for details.