Ensuring Network Authentication via Gateways
IT devices must prove their identity to access networks through gateways.
Plain language
This control ensures that any IT devices trying to access your network through a gateway must first prove their identity. It’s crucial because if unauthorised devices can connect to your network without verification, they could steal data or cause harm.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for gateways
Section
Gateways
Official control statement
IT equipment authenticates to other networks accessed via gateways.
Why it matters
Unauthorised devices authenticating through gateways can bypass access controls, enabling data exfiltration, malware entry and service disruption.
Operational notes
Enforce mutual authentication for devices crossing gateways (e.g., 802.1X/certificates), and review gateway auth logs for failed or unknown devices.
Implementation tips
- The IT team should set up authentication gateways: Make sure that any device connecting to your network goes through a system that checks its identity. This might involve configuring routers or other network devices to require a login or device certificate before allowing access.
- Managers should conduct training sessions: Educate staff about the importance of network security and the role gateways play in protecting the organisation. Explain how devices are authenticated and why they should report any issues or anomalies to the IT team immediately.
- The system owner should regularly review access logs: Check the records of which devices have connected to the network through the gateways to identify any unauthorised access attempts. Set a schedule to review these logs weekly.
- Procurement should ensure devices are compatible with authentication standards: When acquiring new IT equipment, confirm that it supports the authentication protocols your gateways require. Work closely with the IT team to identify suitable specifications.
- The IT team should regularly update authentication software: Keep the authentication systems up-to-date to defend against the latest threats. This might involve applying software patches or upgrades as soon as they're available.
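An added example (not part of the ISM or of this page's source) of the log review described in the operational notes and implementation tips: it checks gateway authentication records against the authorised device inventory and flags unknown devices, identity/MAC mismatches and repeated failures. The log layout, device names, MAC addresses and the failure threshold of 3 are constructed assumptions.

```python
import csv
from collections import Counter
from io import StringIO

# Constructed inventory of authorised devices: certificate identity -> MAC.
AUTHORISED = {
    "laptop-0142.corp.example": "02:00:5e:10:00:01",
    "printer-03.corp.example": "02:00:5e:10:00:02",
}

# Constructed log lines; this column layout is an assumption for the example,
# not the export format of any particular gateway product.
SAMPLE_LOG = """\
timestamp,gateway,identity,mac,result
2024-05-06T08:01:12Z,gw-east,laptop-0142.corp.example,02:00:5e:10:00:01,accept
2024-05-06T08:03:40Z,gw-east,printer-03.corp.example,02:00:5e:10:00:02,reject
2024-05-06T08:03:55Z,gw-east,printer-03.corp.example,02:00:5e:10:00:02,reject
2024-05-06T08:04:10Z,gw-east,printer-03.corp.example,02:00:5e:10:00:02,reject
2024-05-06T09:15:02Z,gw-west,kiosk-77.corp.example,02:00:5e:10:00:63,accept
2024-05-06T09:20:31Z,gw-west,laptop-0142.corp.example,02:00:5E:10:00:AA,accept
2024-05-06T10:02:00Z,gw-west,unknown-host,02:00:5e:10:00:7f,reject
"""

def review(log_text, authorised=AUTHORISED, fail_threshold=3):
    """Return (timestamp, gateway, identity, finding) tuples for follow-up."""
    findings, failures = [], Counter()
    for row in csv.DictReader(StringIO(log_text)):
        ident, mac, result = row["identity"], row["mac"].lower(), row["result"]
        where = (row["timestamp"], row["gateway"], ident)
        expected_mac = authorised.get(ident)
        if expected_mac is None:
            # Not in the inventory: an accept means the gateway let it through.
            kind = "unknown-accepted" if result == "accept" else "unknown-rejected"
            findings.append(where + (kind,))
        elif expected_mac != mac:
            # Known identity presented from hardware the inventory does not list.
            findings.append(where + ("mac-mismatch",))
        if result == "reject":
            failures[ident] += 1
            if failures[ident] == fail_threshold:  # report once per identity
                findings.append(where + ("repeated-failures",))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(*finding)
```

An `unknown-accepted` finding is the one to chase first, since it means a device outside the inventory was granted access through the gateway.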
Audit / evidence tips
- Ask for the device authentication policy document: Request a copy of the procedures that outline how devices are authenticated when accessing the network via gateways
  Good: includes a dated policy with named responsible roles and review dates
- Ask to see the access logs for gateway connections: Request logs that document device connections through your gateways over the past month
  Good: shows detailed logs with timestamps and proper device identification
- Ask for recent training records: Request evidence of staff training sessions related to network security and device authentication
  Good: is a record of recent sessions including attendance and outlined agenda points
- Ask for a list of compatible devices: Request an inventory of devices currently authorised to access your network
  Good: is a complete, up-to-date list with compatibility confirmation
- Ask for system maintenance records: Request logs or documents detailing updates and patches to authentication systems
  Good: shows evidence of regular updates and resolutions to any identified issues
Cross-framework mappings
How ISM-0622 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (4) | | |
| Annex A 5.15 | ISM-0622 requires IT equipment to prove its identity to networks reached through gateways, which is a specific logical access control req... | |
| Annex A 8.3 | ISM-0622 requires IT equipment authentication to other networks accessed via gateways, ensuring only identified devices can traverse the ... | |
| Annex A 8.5 | ISM-0622 requires IT equipment to authenticate when accessing other networks via gateways, addressing authentication at network boundaries | |
| Annex A 8.20 | ISM-0622 requires IT equipment to authenticate to other networks that are accessed via gateways, focusing on device-to-network identity a... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.