Network & Perimeter Security — Canadian Baseline Control BC.9
What Network & Perimeter Security Means
Network and perimeter security refers to the controls and technologies used to protect an organization's computer network from unauthorized access, misuse, and attacks. Under the Canadian Centre for Cyber Security's Baseline Cyber Security Controls for Small and Medium Organizations (ITSM.10.089), control BC.9 addresses the need for organizations to establish and maintain defences at the boundaries of their networks and to monitor network traffic for signs of malicious activity.
Your network is the infrastructure that connects your computers, servers, printers, and other devices to each other and to the internet. Without proper controls, this infrastructure becomes a pathway for attackers to access business data, disrupt operations, or move laterally through your environment after an initial compromise.
This page provides educational information based on publicly available Canadian Centre for Cyber Security guidance. It is not professional cybersecurity advice. Organizations should consult qualified professionals for advice tailored to their specific circumstances.
What the Canadian Centre for Cyber Security Recommends
The CCCS Baseline Controls (ITSM.10.089) recommend that organizations implement network security measures to protect against unauthorized access and to detect and respond to network-based threats. The guidance covers both boundary protection and internal network controls.
Key recommendations from the CCCS include:
- Deploy and configure firewalls at the network perimeter to control inbound and outbound traffic. Firewalls should be configured to deny traffic by default and allow only traffic that is explicitly needed.
- Segment the network to separate different zones based on sensitivity and function, limiting the ability of an attacker to move laterally after compromising one system.
- Use encrypted connections such as VPNs for remote access to internal business systems, protecting data in transit between remote workers and the organization's network.
- Secure wireless networks using strong encryption (WPA3 or WPA2 at minimum) and unique, complex passwords. Separate guest Wi-Fi from the business network.
- Monitor network traffic for unusual activity that may indicate a compromise, such as unexpected data transfers, connections to known malicious addresses, or unusual patterns of access.
- Use DNS security to block connections to known malicious domains. The Canadian Internet Registration Authority (CIRA) operates the Canadian Shield DNS service, a free tool that provides DNS-level protection for Canadians.
Why This Matters for Canadian Businesses
Network-based attacks are a persistent threat to Canadian organizations of all sizes. Attackers routinely scan the internet for poorly configured firewalls, exposed services, and vulnerable network devices. Small and medium businesses are frequently targeted because they often have fewer dedicated resources to monitor and defend their networks.
The risks of inadequate network security include:
- Unauthorized access to internal systems, business data, and customer information by external attackers.
- Lateral movement — once an attacker gains access to one system, a flat (unsegmented) network allows them to reach other systems, databases, and file shares with minimal additional effort.
- Data exfiltration — without network monitoring, large volumes of data can be copied out of the organization without detection.
- Ransomware deployment — ransomware operators frequently move through a network to compromise as many systems as possible before deploying encryption, maximizing the impact and the ransom demand.
- Regulatory exposure — under PIPEDA and provincial privacy laws, organizations that fail to implement reasonable safeguards to protect personal information may face regulatory consequences in the event of a breach.
The CCCS National Cyber Threat Assessment notes that internet-connected infrastructure is routinely targeted by both cybercriminals and state-sponsored actors, making network defence a priority for all Canadian organizations.
How to Get Started
Implementing effective network security is achievable for SMBs with appropriate planning. The following steps provide a practical starting point.
1. Understand Your Network
Before you can secure your network, you need to understand it. Document your network topology, including:
- All devices connected to the network (computers, servers, printers, IoT devices)
- How your network connects to the internet
- Any remote access points or VPN connections
- Wireless access points and their configurations
- Cloud services that connect to your network
Our free cybersecurity assessment can help identify gaps across all 13 Baseline Controls, including network security.
2. Configure Your Firewall Properly
A firewall is the primary boundary defence for your network. Whether you use a hardware appliance or a software-based firewall, ensure it is configured according to these principles:
- Default deny — Block all traffic by default and create explicit rules to allow only necessary traffic.
- Limit inbound access — Only open ports that are required for legitimate business purposes.
- Filter outbound traffic — Restrict outbound connections to prevent compromised systems from communicating with attacker-controlled servers.
- Keep firmware updated — Firewalls themselves have vulnerabilities that are addressed through firmware updates. Apply these promptly.
- Review rules regularly — Firewall rules accumulate over time. Review and remove unnecessary rules at least annually.
- Change default credentials — Ensure the firewall's administrative password has been changed from the manufacturer's default, following secure configuration principles.
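The principles above (default deny, explicit allows, outbound filtering, periodic rule review) are easier to reason about with a concrete rule set in front of you. The following is an added example, not code from the page, the CCCS guidance, or any firewall vendor: a small Python model of how a default-deny policy is evaluated (top to bottom, first match wins, anything unmatched is denied), plus an audit helper of the kind you would run during the annual rule review. The network, host and resolver addresses are placeholders drawn from RFC 1918 and the RFC 5737 documentation ranges; the rule format is invented for the illustration and is not any product's syntax.

```python
"""Model of a default-deny firewall policy (constructed example, not any vendor's syntax).

Rules are evaluated top to bottom, first match wins, and anything that matches
no rule falls through to the implicit deny. Addresses below come from the RFC 5737
documentation ranges and RFC 1918 private space; they are placeholders, not real hosts.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    direction: str          # "in" = entering from the internet, "out" = leaving the LAN
    src: str                # CIDR or "any"
    dst: str                # CIDR or "any"
    proto: str              # "tcp", "udp" or "any"
    dport: Optional[int]    # destination port; None means any port
    action: str             # "allow" or "deny"
    comment: str = ""


def _addr_in(cidr: str, addr: str) -> bool:
    return cidr == "any" or ip_address(addr) in ip_network(cidr, strict=False)


def _matches(rule: Rule, direction: str, src: str, dst: str, proto: str, dport: int) -> bool:
    return (rule.direction == direction
            and _addr_in(rule.src, src)
            and _addr_in(rule.dst, dst)
            and rule.proto in ("any", proto)
            and rule.dport in (None, dport))


def evaluate(rules: List[Rule], direction: str, src: str, dst: str,
             proto: str, dport: int) -> Tuple[str, str]:
    """Return (action, reason) for one connection attempt; unmatched traffic is denied."""
    for rule in rules:
        if _matches(rule, direction, src, dst, proto, dport):
            return rule.action, rule.comment
    return "deny", "default policy"


def overly_broad_rules(rules: List[Rule]) -> List[Rule]:
    """Audit helper for the periodic rule review: allow rules that do not constrain the
    untrusted side of the connection (source for inbound, destination for outbound) and
    carry no port restriction. These are the 'temporary' convenience rules that quietly
    turn a default-deny policy into allow-all."""
    flagged = []
    for r in rules:
        if r.action != "allow" or r.dport is not None:
            continue
        if (r.direction == "in" and r.src == "any") or (r.direction == "out" and r.dst == "any"):
            flagged.append(r)
    return flagged


LAN = "192.168.10.0/24"          # placeholder internal network
WEB_SERVER = "192.168.10.20"     # placeholder internal host exposed on 443
RESOLVER = "203.0.113.53"        # placeholder address of the protective DNS resolver

# Constructed baseline: only the traffic the business needs; everything else hits the implicit deny.
BASELINE: List[Rule] = [
    Rule("in", "any", WEB_SERVER, "tcp", 443, "allow", "public web server"),
    Rule("out", LAN, RESOLVER, "udp", 53, "allow", "DNS only to the protective resolver"),
    Rule("out", LAN, "any", "tcp", 443, "allow", "HTTPS to the internet"),
]


def demo() -> dict:
    """Exercise the policy with a few representative connection attempts."""
    results = {
        "inbound_https_to_web": evaluate(BASELINE, "in", "198.51.100.77", WEB_SERVER, "tcp", 443)[0],
        "inbound_ssh_to_web": evaluate(BASELINE, "in", "198.51.100.77", WEB_SERVER, "tcp", 22)[0],
        "outbound_https": evaluate(BASELINE, "out", "192.168.10.33", "198.51.100.77", "tcp", 443)[0],
        # A compromised workstation talking on an unexpected port is stopped by outbound filtering.
        "outbound_odd_port": evaluate(BASELINE, "out", "192.168.10.33", "198.51.100.77", "tcp", 4444)[0],
        # DNS to anything but the designated resolver is denied, so the protective resolver cannot be bypassed.
        "outbound_dns_elsewhere": evaluate(BASELINE, "out", "192.168.10.33", "198.51.100.77", "udp", 53)[0],
    }
    # The classic mistake: a broad "temporary" exception appended for convenience.
    with_exception = BASELINE + [Rule("in", "any", "any", "any", None, "allow", "temporary vendor access")]
    results["inbound_ssh_after_exception"] = evaluate(with_exception, "in", "198.51.100.77", WEB_SERVER, "tcp", 22)[0]
    results["broad_rules_found"] = len(overly_broad_rules(with_exception))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The last two entries of `demo()` show why the annual review matters: one "temporary vendor access" rule with no source or port restriction silently re-opens the SSH port the baseline had denied, and the audit helper is what surfaces it.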
3. Segment Your Network
Network segmentation divides your network into separate zones, limiting the blast radius of a compromise. Even basic segmentation provides meaningful benefit:
- Separate guest Wi-Fi from the business network so that visitors and personal devices cannot access internal systems.
- Isolate sensitive systems such as servers containing financial data, customer information, or proprietary business data.
- Separate IoT devices (printers, security cameras, smart devices) from the main business network, as these devices often have limited security capabilities.
Many modern business-grade routers and firewalls support VLANs (Virtual Local Area Networks) that enable segmentation without requiring separate physical infrastructure.
4. Secure Remote Access
If employees access business systems remotely, secure those connections:
- Use a VPN for connections to internal network resources, ensuring data is encrypted in transit.
- Require multi-factor authentication for VPN and remote access connections, integrating with your authentication controls.
- Limit remote access to only the systems and data each employee needs, following the principle of least privilege.
- Monitor remote connections for unusual access patterns, such as connections from unexpected locations or at unusual times.
5. Secure Your Wireless Network
Wireless networks require specific security measures:
- Use WPA3 encryption if your equipment supports it, or WPA2 at minimum. Never use WEP or open (unencrypted) networks for business purposes.
- Use strong, unique passwords for wireless networks and change them periodically.
- Disable WPS (Wi-Fi Protected Setup), which has known vulnerabilities.
- Hide your business SSID if appropriate, though this provides only minimal additional security.
- Position access points to minimize signal coverage outside your premises where practical.
6. Implement DNS Security
DNS security provides a layer of protection by blocking connections to known malicious domains. The CIRA Canadian Shield is a free DNS security service operated by the Canadian Internet Registration Authority that blocks malware, phishing, and botnet domains at the DNS level. Configuring your network to use a protective DNS service is one of the simplest and most cost-effective network security improvements available.
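To make the "blocks known malicious domains at the DNS level" idea concrete, here is an added example of the policy step such a resolver applies before answering a query. It is an illustration written for this page, not CIRA's implementation or any part of the Canadian Shield service, and every domain in it is invented. The one detail worth seeing is that the match walks the name label by label, so every subdomain of a blocked zone is caught without a plain string-suffix test that would also block unrelated names.

```python
"""Label-aware blocklist check, the policy step a protective DNS resolver applies before
answering (constructed illustration; not CIRA's code, and every domain below is invented)."""
from typing import Iterable, Optional, Set

# Constructed blocklist. Real protective DNS services maintain theirs from threat intelligence feeds.
BLOCKED_ZONES: Set[str] = {"malware-drop.example", "phish-login.example"}


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so 'Evil.Example.' and 'evil.example' compare equal."""
    return name.strip().rstrip(".").lower()


def blocking_zone(qname: str, blocked: Iterable[str] = BLOCKED_ZONES) -> Optional[str]:
    """Return the blocked zone that covers qname, or None.

    The walk is label by label (cdn.malware-drop.example -> malware-drop.example -> example),
    so every subdomain of a blocked zone is caught. A plain str.endswith() test is deliberately
    not used: it would also block unrelated names such as notmalware-drop.example."""
    blocked_set = {normalize(z) for z in blocked}
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocked_set:
            return candidate
    return None


def apply_policy(qname: str, upstream_answer: str) -> dict:
    """Decide what the resolver hands back: the upstream answer, or a block response."""
    zone = blocking_zone(qname)
    if zone is not None:
        return {"qname": qname, "status": "blocked", "zone": zone, "answer": None}
    return {"qname": qname, "status": "resolved", "zone": None, "answer": upstream_answer}


if __name__ == "__main__":
    # Placeholder upstream answer from the RFC 5737 documentation range.
    for q in ["cdn.malware-drop.example.", "MALWARE-DROP.example", "notmalware-drop.example", "www.example"]:
        print(apply_policy(q, "203.0.113.10"))
```

A resolver that answers from a blocklist like this protects every device on the network that uses it, which is why pointing the whole network at a protective resolver (and, at the firewall, denying DNS to any other destination) is such a cheap improvement.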
7. Monitor Network Activity
Monitoring your network for unusual activity helps detect compromises early:
- Enable logging on your firewall and review logs regularly for blocked connection attempts and unusual patterns.
- Consider intrusion detection or intrusion prevention systems (IDS/IPS) if your budget and technical capability permit.
- Watch for signs of compromise such as unexpected outbound connections, large data transfers, or connections at unusual hours.
- Many business-grade firewalls and routers include basic monitoring and alerting capabilities that should be enabled and configured.
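"Review logs regularly" is more useful once you know what to look for. The following is an added example, not code from the page or from any firewall product: a short Python script that parses a handful of constructed firewall log lines (a generic key=value layout invented for the illustration, not a real vendor format) and applies four of the checks listed above: one external source probing many blocked ports, unusually large outbound transfers, connections at unusual hours, and outbound connections on ports the business does not use. Addresses are placeholders from RFC 1918 and the RFC 5737 documentation ranges, and the thresholds are starting points you would tune to your own traffic.

```python
"""Detection checks over constructed firewall log lines (added example, not vendor code)."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Constructed sample log in a generic key=value layout; not any vendor's real format.
SAMPLE_LOG = """\
2024-03-04T09:12:01 action=allow dir=out src=192.168.10.33 dst=203.0.113.53 proto=udp dport=53 bytes=180
2024-03-04T09:15:44 action=allow dir=out src=192.168.10.33 dst=198.51.100.20 proto=tcp dport=443 bytes=52000
2024-03-04T10:01:10 action=deny dir=in src=198.51.100.77 dst=192.168.10.20 proto=tcp dport=22 bytes=0
2024-03-04T10:01:11 action=deny dir=in src=198.51.100.77 dst=192.168.10.20 proto=tcp dport=3389 bytes=0
2024-03-04T10:01:12 action=deny dir=in src=198.51.100.77 dst=192.168.10.20 proto=tcp dport=445 bytes=0
2024-03-04T10:01:13 action=deny dir=in src=198.51.100.77 dst=192.168.10.20 proto=tcp dport=1433 bytes=0
2024-03-04T10:01:14 action=deny dir=in src=198.51.100.77 dst=192.168.10.20 proto=tcp dport=8080 bytes=0
2024-03-04T11:30:02 action=deny dir=in src=203.0.113.9 dst=192.168.10.20 proto=tcp dport=22 bytes=0
2024-03-05T02:47:09 action=allow dir=out src=192.168.10.41 dst=198.51.100.90 proto=tcp dport=443 bytes=3200000000
2024-03-05T02:48:30 action=allow dir=out src=192.168.10.41 dst=198.51.100.90 proto=tcp dport=4444 bytes=900
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.+)$")


def parse_line(line: str) -> Dict:
    """Turn one 'timestamp key=value ...' line into a typed event dict."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"unparseable log line: {line!r}")
    fields = dict(item.split("=", 1) for item in m.group("kv").split())
    return {
        "ts": datetime.fromisoformat(m.group("ts")),
        "action": fields["action"], "dir": fields["dir"],
        "src": fields["src"], "dst": fields["dst"], "proto": fields["proto"],
        "dport": int(fields["dport"]), "bytes": int(fields["bytes"]),
    }


def parse_log(text: str) -> List[Dict]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def probable_scanners(events: List[Dict], min_ports: int = 5) -> List[str]:
    """External sources whose blocked inbound attempts touched at least min_ports distinct ports."""
    ports_by_src = defaultdict(set)
    for e in events:
        if e["dir"] == "in" and e["action"] == "deny":
            ports_by_src[e["src"]].add(e["dport"])
    return sorted(src for src, ports in ports_by_src.items() if len(ports) >= min_ports)


def large_outbound_transfers(events: List[Dict], limit_bytes: int = 1_000_000_000) -> List[Dict]:
    """Allowed outbound connections that moved more than limit_bytes: a data-exfiltration signal."""
    return [e for e in events if e["dir"] == "out" and e["action"] == "allow" and e["bytes"] > limit_bytes]


def off_hours_connections(events: List[Dict], start_hour: int = 7, end_hour: int = 19) -> List[Dict]:
    """Connections outside the organisation's working window (here 07:00 to 19:00, a constructed choice)."""
    return [e for e in events if not (start_hour <= e["ts"].hour < end_hour)]


def unexpected_outbound(events: List[Dict], allowed_ports=(53, 443)) -> List[Dict]:
    """Allowed outbound connections on ports outside the business's expected set."""
    return [e for e in events if e["dir"] == "out" and e["action"] == "allow"
            and e["dport"] not in allowed_ports]


def analyze(text: str) -> Dict:
    """Run every check and return a compact findings summary."""
    events = parse_log(text)
    return {
        "probable_scanners": probable_scanners(events),
        "large_transfers": [(e["src"], e["dst"], e["bytes"]) for e in large_outbound_transfers(events)],
        "off_hours": len(off_hours_connections(events)),
        "unexpected_outbound_ports": sorted({e["dport"] for e in unexpected_outbound(events)}),
    }


if __name__ == "__main__":
    for finding, value in analyze(SAMPLE_LOG).items():
        print(f"{finding}: {value}")
```

On the constructed sample the script flags one external source that probed five blocked ports in a few seconds, a 3.2 GB outbound transfer from a workstation at 02:47, and a follow-up connection from the same workstation on port 4444; together those are exactly the "unexpected outbound connections, large data transfers, or connections at unusual hours" the list above describes. The same checks run unchanged over a real export once `parse_line` is adapted to your firewall's log format.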
Common Mistakes to Avoid
Network security implementations frequently suffer from common oversights that reduce their effectiveness.
Default Firewall Configurations
Many organizations deploy firewalls but leave them in their default configuration, which may be more permissive than appropriate. A firewall is only as effective as its rule set. Take the time to configure it according to your specific needs and the default-deny principle.
Flat Networks
A flat network where all devices share the same network segment means that a compromise of any single device can potentially reach every other device. Even basic segmentation, such as separating servers from workstations and guest access from business access, meaningfully reduces this risk.
Forgotten Network Devices
Routers, switches, access points, and firewalls are themselves computers that require updates, strong passwords, and secure configuration. Organizations frequently deploy these devices and then neglect to update their firmware or review their configurations. Include network devices in your secure configuration and patch management processes.
Overly Permissive Firewall Rules
Over time, firewall rules accumulate as temporary exceptions become permanent and broad rules are added for convenience. Regularly review your firewall rules and remove or tighten any that are no longer necessary. Each unnecessary open port or permissive rule increases your attack surface.
No Outbound Filtering
Many organizations focus only on blocking inbound threats while allowing all outbound traffic. This means a compromised internal system can freely communicate with attacker-controlled servers. Implementing outbound filtering helps detect and prevent data exfiltration and command-and-control communications.
Connecting Network Security to Other Controls
Network security works in concert with other Baseline Controls:
- Secure Configuration (BC.4) — Network devices must be securely configured with strong passwords, unnecessary services disabled, and firmware kept up to date.
- Cloud Services Security (BC.10) — As business services move to the cloud, network security must extend to cover connections between your network and cloud environments.
- Web Application Security (BC.11) — Network perimeter controls such as web application firewalls and DNS security help protect web-facing applications from attack.
For a complete view of how all 13 Baseline Controls work together, visit the controls overview page or take the free assessment to evaluate your organization's current posture.
Additional Resources
- CCCS Baseline Cyber Security Controls for Small and Medium Organizations (ITSM.10.089)
- CIRA Canadian Shield — Free DNS Security for Canadians
- Cybersecurity Canada Resources Page
- Free Cybersecurity Baseline Assessment
Disclaimer: The information provided on this website is for general educational and informational purposes only and does not constitute professional cybersecurity, legal, IT, compliance, or risk management advice. All content, including assessment results, scores, grades, and recommendations, is provided on a best-effort, "as is" basis without warranties of any kind. We expressly disclaim liability for any errors, omissions, or inaccuracies. Organizations should consult with qualified cybersecurity professionals and legal counsel to assess their specific situation. Use of this website or the assessment tool does not create a professional-client relationship. See our Terms of Use for full details.
Cybersecurity Canada is an independent resource and is not affiliated with, endorsed by, or connected to the Canadian Centre for Cyber Security, the Communications Security Establishment, or the Government of Canada.
How does your organization score on Network & Perimeter Security?
Take our free cybersecurity assessment to evaluate your organization across all 13 Baseline Controls. 50 questions, under 30 minutes, 100% confidential — your answers never leave your browser.