
Firewall Between Perimeters

Updated: 2026-02-25

Plain English Translation

To protect internal systems from external threats, organizations must deploy a perimeter firewall. This network firewall configuration acts as a gatekeeper, controlling the amount and types of traffic passing between untrusted external networks like the internet and trusted internal perimeters. Effective network segmentation ensures that even if one zone is compromised, attackers cannot easily move to other parts of the business.

Executive Takeaway

Deploying firewalls between network perimeters prevents unauthorized access and limits the blast radius of a potential cyberattack.

Impact: High
Complexity: Medium

Why This Matters

  • Reduces the risk of external threat actors breaching internal systems.
  • Enables network segmentation, limiting lateral movement during a security incident.

What “Good” Looks Like

  • Implementing a well-documented network firewall configuration that defaults to denying all inbound traffic, with rule review and change evidence tracked in tools like WatchDog Security's Compliance Center.
  • Maintaining a clear perimeter firewall boundary between public-facing services (DMZ) and internal company data.

The CyberSecure Canada firewall requirements mandate that organizations deploy a firewall between two distinct network perimeters. Under CSC 5.7.3.1, this firewall between perimeters must explicitly control the amount and types of traffic allowed to cross the boundary, acting as a primary defense against unauthorized access.

In this context, 'two perimeters' refers to the boundary between distinct network zones with different trust levels, such as the public internet and a private corporate network. Proper network segmentation uses a perimeter firewall to separate these perimeters, ensuring untrusted traffic cannot directly reach sensitive internal assets.

To control traffic between network perimeters effectively, organizations should adopt a defense-in-depth strategy using a Demilitarized Zone (DMZ). By placing public-facing servers in the DMZ and applying strict network firewall configuration rules, you ensure that external users can only reach the services they need without exposing the internal network.

A firewall between security zones should follow a 'default deny' principle, blocking all traffic unless explicitly authorized. DMZ firewall configuration best practices dictate allowing specific inbound web or email traffic to the DMZ, while severely restricting the DMZ's ability to initiate connections into the trusted internal network.

To provide evidence for firewall controls during audit, organizations should present a current network architecture diagram and an export of the active firewall ruleset. Auditors will check these documents to confirm that the perimeter firewall is actively blocking unauthorized traffic and separating perimeters. Tools like WatchDog Security's Compliance Center can help teams centralize these artifacts, record review dates, and maintain an audit-ready evidence trail.

Organizations should use a formal change management system where every new rule request is justified, reviewed, and approved before implementation. Keeping a log of these approvals provides clear evidence that firewall rules between zones are designed securely and that configuration control is maintained.

While the standard does not specify an exact timeframe, a best practice is to conduct a firewall rule review at least annually. Regular reviews ensure that obsolete or overly permissive rules are removed, keeping the network firewall configuration tight and secure.
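The following is an added example, not code from WatchDog Security or the CyberSecure Canada standard. It models the zone policy described above (default deny, explicit inbound web and mail to the DMZ, no DMZ-initiated connections into the trusted network) and includes a small review helper that flags overly permissive allow rules; the zone names, address ranges, and rules are constructed for illustration.

```python
# Added illustration of a zone-based, default-deny perimeter policy.
# Zone names, address ranges and rules below are constructed, not from any real deployment.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "any"

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: "int | str"   # TCP port number, or ANY for no port restriction
    action: str             # "allow" or "deny"
    comment: str = ""

# Constructed zone map: anything outside these ranges is treated as the untrusted internet.
ZONES = {
    "dmz": ip_network("192.0.2.0/24"),       # public-facing servers (TEST-NET-1 range)
    "internal": ip_network("10.10.0.0/16"),  # trusted corporate LAN
}

def zone_of(addr: str) -> str:
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"

# Explicit allow list; first match wins and anything unmatched falls to the default deny.
POLICY = [
    Rule("internet", "dmz", 443, "allow", "public HTTPS to the DMZ web tier"),
    Rule("internet", "dmz", 25, "allow", "inbound SMTP to the DMZ mail relay"),
    Rule("internal", "dmz", ANY, "allow", "internal users and admins reach DMZ services"),
    Rule("dmz", "internal", ANY, "deny", "DMZ must not initiate into the trusted zone"),
]

def evaluate(src: str, dst: str, port: int) -> str:
    """Return 'allow' or 'deny' for a flow; no matching rule means 'deny'."""
    s, d = zone_of(src), zone_of(dst)
    for r in POLICY:
        if r.src_zone in (s, ANY) and r.dst_zone in (d, ANY) and r.dst_port in (port, ANY):
            return r.action
    return "deny"

def overly_permissive(policy: "list[Rule]") -> "list[Rule]":
    """Review helper: allow rules from an untrusted source with no port restriction."""
    return [r for r in policy
            if r.action == "allow" and r.src_zone in ("internet", ANY) and r.dst_port == ANY]

if __name__ == "__main__":
    print(evaluate("203.0.113.5", "192.0.2.10", 443))  # internet -> DMZ web: allow
    print(evaluate("192.0.2.10", "10.10.5.5", 1433))   # DMZ -> internal DB: deny
```

Running the review helper against the policy after each change is a cheap way to catch the "any source, any port" exceptions that tend to accumulate between annual reviews.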

A perimeter firewall sits at the edge of the organization's network, filtering traffic between the internal network and the outside world. Internal segmentation firewalls, by contrast, are deployed inside the corporate network to separate distinct departments, guest networks, or sensitive databases, limiting lateral movement.

Alternatives to a dedicated firewall appliance can satisfy this control, provided they enforce strict access control and inspect traffic crossing the boundary. While traditional hardware firewalls are common, well-configured Access Control Lists (ACLs) on routing equipment or software-based microsegmentation can fulfill the requirement to control traffic between network perimeters.

Many organizations ask whether cloud security groups can replace a firewall for compliance. Yes: cloud-native security groups and virtual firewalls fulfill the same function as physical firewalls when they explicitly control traffic flows between virtual networks, subnets, and the internet.

Auditors typically want consistent evidence that firewall boundaries exist, rules are reviewed, and changes are approved. Tools like WatchDog Security's Compliance Center can map this control to required artifacts (e.g., firewall ruleset exports, review records, and network diagrams), track evidence collection, and highlight gaps when expected documentation or review cadence is missing.

Firewall controls often fail in practice due to stale rules, undocumented exceptions, and unclear ownership for remediation. Tools like WatchDog Security's Risk Register can link firewall findings to risks, assign owners and due dates, document accepted exceptions and treatment plans, and provide reporting that shows progress on rule cleanup and segmentation improvements.

CYBERSECURE-CANADA Section 5.7.3.1

"The organization shall have a firewall placed between two perimeters that controls the amount and kinds of traffic that may pass between the two."

Version  Date        Author                      Description
1.0.0    2026-02-25  WatchDog Security GRC Team  Initial publication