Back to Blog
Controls 6 min read

SOC 2 Network Security Controls: Firewalls and Segmentation

Implement network security controls for SOC 2. Covers firewall configuration, network segmentation, intrusion detection, and the evidence auditors expect.

Key Takeaways
  • Network security maps to CC6.6 (protection of data) and CC6.1 (access controls) in SOC 2.
  • Segment production, development, and corporate networks — never allow direct routing between them.
  • IDS/IPS tools (GuardDuty, Network Firewall) satisfy the intrusion detection component of CC7.2.
  • VPN or Zero Trust Network Access (ZTNA) is required for remote access to internal resources.
  • Firewall rule reviews should be conducted quarterly and documented as CC6.3 evidence.

In this guide

  1. Network Security in SOC 2
  2. Network Segmentation
  3. Firewall Configuration Best Practices
  4. Intrusion Detection and Prevention
  5. Remote Access: VPN and Zero Trust
  6. Network Security Evidence

Network Security in SOC 2

Network security controls prevent unauthorized network access to systems and data, detect network-based attacks, and limit lateral movement in the event of a breach. They map to CC6.1 (access controls), CC6.6 (information asset protection), and CC7.2 (anomaly detection).

For cloud-native SaaS companies, "network security" primarily means AWS VPC configuration (covered in the VPC Security article) plus corporate network controls for the office environment and remote access.

Network Segmentation

Network segmentation separates your network into zones with controlled traffic flows between them. For SOC 2, the key segments are: production (AWS production VPC), development (AWS dev/staging VPC), and corporate (office network and VPN). These should have no direct routing between them — all communication should be through authenticated, authorized channels.

Separate production and non-production AWS environments into different AWS accounts with no VPC peering between them. This prevents a compromised development environment from accessing production. Use AWS Organizations with separate OUs for production and non-production accounts, with SCPs that enforce the separation.

For the office corporate network: implement 802.1X authentication for wired connections, separate guest Wi-Fi from corporate Wi-Fi on a VLAN with internet-only access, and ensure production systems are not accessible from the corporate network without VPN/ZTNA.

Firewall Configuration Best Practices

For cloud environments, security groups and NACLs act as firewalls (see VPC Security article). For office environments, configure a physical or virtual firewall: deny all inbound from the internet by default, allow only specific outbound traffic needed for business operations (HTTPS, DNS, email), and log all traffic for review.

Conduct quarterly firewall rule reviews for CC6.3 access review compliance. Review every rule — verify it is still needed, still accurate, and doesn't have an overly broad source. Remove or tighten rules that fail review. Document the review results.

Use Infrastructure as Code for firewall rules to maintain version history and change review. Terraform or AWS CDK for security groups, and Palo Alto Panorama or equivalent for physical firewalls. Rule changes should go through the same change management process (CC8) as other infrastructure changes.

Intrusion Detection and Prevention

Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) monitor network traffic for attack patterns and can block malicious traffic. For AWS workloads: AWS Network Firewall with Suricata rules provides IPS capability. AWS GuardDuty analyzes VPC Flow Logs for network-level anomalies.

For office networks: cloud-delivered security platforms like Cisco Umbrella or Cloudflare Gateway provide DNS-based security and threat intelligence, blocking connections to known malicious domains from the corporate network. These are lightweight controls that add significant detection coverage.

Configure IDS/IPS alerting to route to your incident response process — detections should be actionable, not just logged. Document the detection rules in use and the response procedures for each major rule category.

Remote Access: VPN and Zero Trust

Remote employees and contractors need secure access to internal resources. For SOC 2, remote access must require authentication, use encryption, and be logged. Options: (1) VPN (OpenVPN, WireGuard, AWS Client VPN) — traditional approach, connects users to the corporate network with full network access. (2) Zero Trust Network Access (ZTNA) — modern approach, grants access to specific applications based on identity and device posture, without network-level access.

ZTNA tools (Cloudflare Access, Zscaler Private Access, Tailscale, Teleport) are preferred for SOC 2 because they enforce least-privilege application access (CC6.1), integrate with your IdP for MFA (CC6.2), and log all access sessions (CC7.2) without the risk of full network compromise from a single VPN credential leak.

Network Security Evidence

(1) Network architecture diagram showing production, development, and corporate network segmentation. (2) Firewall rule sets for key security groups and NACLs. (3) Quarterly firewall rule review records. (4) AWS Network Firewall policy configuration (if deployed). (5) GuardDuty and VPC Flow Logs configuration demonstrating network-level monitoring. (6) VPN or ZTNA access logs showing authenticated remote access. (7) Remote access policy document.

Frequently Asked Questions

Do we need a physical firewall in our office for SOC 2?
If your office network has access to systems containing customer data, yes. The firewall doesn't have to be physical hardware — a cloud-based next-generation firewall (Palo Alto Prisma, Cisco Meraki) or a properly configured router with firewall rules satisfies the requirement. The key is that inbound and outbound traffic is controlled and logged.
Is Zero Trust required for SOC 2, or is a traditional VPN sufficient?
Traditional VPN is sufficient for SOC 2 if properly configured with MFA, limited network access (split tunneling with restricted access), and access logging. ZTNA is not required but is the modern best practice. Many auditors are now recommending ZTNA as it inherently enforces least privilege better than a full-network VPN.
How do we segment development and production at the AWS level?
Use separate AWS accounts for production and non-production environments, managed under AWS Organizations. Do not create VPC peering or Transit Gateway connections between production and non-production accounts. Use SCPs to enforce guardrails on non-production accounts (e.g., prevent them from accessing production S3 buckets). This is the AWS Well-Architected Framework recommendation for security.
What network logs are required for SOC 2?
At minimum: VPC Flow Logs (network layer), CloudTrail (API call layer), WAF logs (application layer), and VPN/ZTNA access logs (remote access). For office networks: firewall traffic logs. These collectively provide the network activity audit trail required by CC7.2 and CC7.3.
How should we handle the network security controls in our system description?
Your SOC 2 system description should identify the principal service commitments (security, availability) and describe how network security controls support them. Describe your VPC architecture, security group approach, monitoring tools, and remote access solution at a level of detail that a sophisticated reader can understand the design without seeing the raw configuration.

Automate your compliance today

AuditPath runs 86+ automated checks across AWS, GitHub, Okta, and 14 more integrations. SOC 2 and DPDP Act. Free plan available.

Start for free

Related Articles

Controls

VPC Security Controls for SOC 2 Compliance

Controls

SOC 2 WAF Requirements: Web Application Firewall Setup

Controls

CC6: Logical and Physical Access Controls for SOC 2