5.4 Network Security


  • a. All remote access is delivered via a Console Remote Access Solution or Network Remote Access solution (i.e., overlay network tunnels) with a Multi-Factor Authentication (MFA) enforcement feature for each end user.

  • b. DTC considers authentication using a one-time code via email for users in an access-approved group, in combination with a separate user credential, sufficient to meet multi-factor authentication (MFA) requirements. Stricter MFA policies may be developed in collaboration with clients.

  • c. Boundary controls are implemented per Local Area Network (LAN). At minimum, the following are separated via VLANs:

    • Network devices

    • Infrastructure components (e.g., backup appliances, hypervisors, container runtime hosts, traditional servers)

    • Workstation environments

    Additional segmentation is available via custom client-developed policies.

  • d. All VLAN and LAN boundaries default to a “drop all” policy for LAN-to-LAN traffic. However, return traffic from established connections is allowed on all interfaces. LAN-to-Internet traffic is allowed unless explicitly filtered. LAN-to-LAN traffic has a default permit rule, though the “drop all” policy is specific to inter-LAN communications.


Technical Controls

| Control ID | Description | Tools/Methods |
|---|---|---|
| a | Deliver all remote access through overlay network tunnels or console-based remote access solutions, enforcing MFA per user. | Cloudflare ZTNA, ZeroTier, NinjaRMM Remote |
| b | MFA policy includes email OTP + credentials for access group members. Can be made stricter with client input. | Entra ID, Google Workspace, Cloudflare ZTNA OTP Email Code, ZeroTier Peer Authorization |
| c | Enforce VLAN separation between workstations, servers, and infrastructure by default. Expandable with client-coauthored policies. | Ubiquiti Managed Switches, Ubiquiti Firewalls, Ubiquiti Wireless Access Points, OPNSense Firewalls, PFSense Firewalls, Juniper All Products, Cisco Meraki Managed Switches, Cisco Meraki Wireless Access Points, Cisco Meraki Firewalls, SonicWall Firewalls, Palo Alto Firewalls |
| d | Default network rule sets enforce "drop all" for LAN-to-LAN; allow return traffic and LAN-to-Internet access. | Firewall Rules in firewall products supported by DTC inc., Cloudflare ZTNA, ZeroTier, ACL Rules in switch and wireless access point products supported by DTC inc. |