ISM-0628: ASD Information Security Manual (ISM)

Implementing Secure Network Gateways

Set up gateways to securely connect networks from different security levels.

Plain language

This control is about setting up secure gateways when connecting different networks, especially if those networks have different levels of security. Imagine a school network and a public library network needing to talk to each other - if you don't have something to filter and protect the data that passes between them, sensitive information from the school might accidentally be exposed.

Framework: ASD Information Security Manual (ISM)
Control effect: Preventative
Classifications: NC, OS, P, S, TS
ISM last updated: Feb 2022
Control Stack last updated: 19 Mar 2026
E8 maturity levels: N/A

Official control statement

Gateways are implemented between networks belonging to different security domains.
ASD Information Security Manual (ISM), ISM-0628

Why it matters

Without gateways between security domains, traffic can bypass boundary controls, enabling unauthorised cross-domain access and sensitive data leakage.

Operational notes

Review inter-domain gateway rules (allowlists, routing, filtering/inspection) and validate that only approved cross-domain services can traverse the boundary; fix drift promptly.
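
One way to run the rule review described above, as an added example that is not part of the ISM or of this page: it compares an exported list of gateway permit rules with the approved cross-domain services and reports every rule that lets traffic cross a domain boundary without an approval. The domain names, address ranges, rule export format and function names are assumptions constructed for illustration.

```python
"""Added example: flag gateway permit rules that drift from approved cross-domain flows."""
import ipaddress

# Constructed sample data: security domains and their address ranges (assumed).
DOMAINS = {
    "OFFICIAL": ipaddress.ip_network("10.10.0.0/16"),
    "PROTECTED": ipaddress.ip_network("10.20.0.0/16"),
}
# Approved cross-domain services: (source domain, destination network, protocol, port).
APPROVED = [
    ("OFFICIAL", ipaddress.ip_network("10.20.5.10/32"), "tcp", 443),
]
# Constructed export of the gateway's permit rules: (id, source, destination, protocol, port).
RULES = [
    ("r1", "10.10.0.0/16", "10.20.5.10/32", "tcp", 443),  # matches the approval
    ("r2", "10.10.0.0/16", "10.20.0.0/16", "tcp", 443),   # destination widened: drift
    ("r3", "10.10.3.0/24", "10.20.5.10/32", "tcp", 22),   # service never approved
    ("r4", "0.0.0.0/0", "10.20.5.10/32", "tcp", 443),     # source wider than the domain
    ("r5", "10.10.1.0/24", "10.10.2.0/24", "tcp", 445),   # stays inside one domain
]

def domains_touched(net):
    """Names of the security domains whose address range overlaps net."""
    return {name for name, rng in DOMAINS.items() if net.overlaps(rng)}

def is_approved(src, dst, proto, port):
    """A rule is approved only if it fits entirely inside one approved flow."""
    for dom, a_dst, a_proto, a_port in APPROVED:
        if (src.subnet_of(DOMAINS[dom]) and dst.subnet_of(a_dst)
                and proto == a_proto and port == a_port):
            return True
    return False

def find_drift(rules):
    """Return ids of permit rules that allow unapproved cross-domain traffic."""
    drift = []
    for rid, src_s, dst_s, proto, port in rules:
        src, dst = ipaddress.ip_network(src_s), ipaddress.ip_network(dst_s)
        src_doms, dst_doms = domains_touched(src), domains_touched(dst)
        # Cross-domain: the rule can carry traffic between two different domains.
        crosses = any(s != d for s in src_doms for d in dst_doms)
        if crosses and not is_approved(src, dst, proto, port):
            drift.append(rid)
    return drift

if __name__ == "__main__":
    print(find_drift(RULES))
```

Rules whose addresses fall outside every listed domain are not evaluated, so the domain table has to cover all networks the gateway connects.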

Implementation tips

  • Network Administrators should install a gateway device that acts as a secure bridge between networks. To do this, they need to set up a device like a router or firewall to manage and monitor data traffic carefully, ensuring each network only accesses what it needs.
  • IT Security Teams should configure the gateway to enforce rules about what data can pass through it. This involves setting up filters on the gateway to block any unauthorised or suspicious traffic, keeping sensitive information safe.
  • System Owners should work with IT staff to understand the security requirements of each connected network. They should review what types of information are shared and the potential risks, ensuring the gateway settings reflect these needs.
  • Managers should ensure that there is a clear policy in place for managing these gateways. This includes regular checks and updates by the IT team to keep the gateways functioning properly and accommodating any changes in network security requirements.
  • Organisation Leaders should involve external security experts to periodically review gateway configurations. They can do this by hiring consultants or leveraging government resources like the Australian Cyber Security Centre (ACSC) for assessments to ensure best practices are being followed.

Audit / evidence tips

  • Ask: The gateway configuration documentation. Request detailed records showing how the gateways are set up between networks. Good: The document includes rule sets that allow necessary traffic only and block potentially harmful interactions.
  • Ask: Logs of data traffic through gateways. Request recent logs that detail data moving through the gateways. Good: Logs show controlled and filtered data flows with no unauthorised access attempts recorded.
  • Ask: Incident response records involving gateways. Request records that detail any security incidents involving gateways. Good: There's a clear record showing prompt responses to potential threats and subsequent policy adjustments.
  • Ask: Reviews or assessments of gateway configurations. Request reports from any internal or external reviews. Good: Reports suggest robust controls in place, with improvements made based on reviews.
  • Ask: Network maps including gateways. Request visual or documented maps showing networks connected by gateways. Look to see that all gateways are accounted for and labelled. Good: Maps clearly outline network layouts and the placements of each gateway.

Cross-framework mappings

How ISM-0628 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (2)

  • Annex A 8.20: ISM-0628 requires gateways between different security domains to enforce controlled and secure traffic flows across domain boundaries
  • Annex A 8.22: ISM-0628 requires gateways to be implemented between networks belonging to different security domains to control and mediate inter-domain...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.