Security

Any time your company needs/wants to review Security, we should be looking at all the options. Depending on the network architecture and employee needs, a cloud-based firewall can be a great option to centralize security and provide NGFW services.

Additionally, we can design a network in a hybrid solution where larger sites leverage on-premise security solutions, and remote locations can connect through to a cloud-based firewall for Internet egress. 

A zone-based firewall is a solution that relies on port type access and Access Control Lists. These are being replaced by next-generation firewalls. 

A next-generation firewall is a firewall that looks through to the application layer of the OSI-model with deep packet inspection.

It can typically include advanced features like URL/content filtering, anti-malware protection, and intrusion prevention. 

Depending on the company cloud posture and other applications in the environment, it is never a bad time to look at options to better secure your network.

You have multiple options, depending on your company needs — on-premise security or cloud-based security.

Additional security solutions are also available for endpoint and mobile device management, offering visibility and protection for the users and/or network.

Several components can make up a secure cloud environment, but you should start with a virtualized firewall in the cloud infrastructure. This can protect the infrastructure similar to how you would secure a physical location (locks, cameras, etc.).

Additionally, you need to look at how you connect to the cloud; secure connections (cloud connect, direct connect or express routes) can be added if you do not currently have them in place. 

When it comes to remote users, you should include identity access management (IAM) to ensure that the remote users connecting are whom they say they are, and you should also ensure that users only have access to files/folders that relate to their roles. 

Many people leverage VPN connections; however, it is best to use express routes or direct connects to maximize security.  

Intrusion Detection Service – This feature spots malicious files/attacks and will sound an alarm but will not stop the file. Think of this like a mall cop. 

Intrusion Prevention Service- This feature typically includes IDS, identifies threats and prevents them from passing into the network. The service relies on signatures to know if a file is a threat and does not tend to perform well with zero-day attacks. Think of this as a local police department.  

Two main options: active or passive DDoS Mitigation. The alternative is to not have a public IP address/web presence.

Active DDoS Mitigation—This is a service, typically paid monthly/under contract, that will automatically redirect traffic through a scrubbing location and only pass the ‘good’ traffic through to your site and dropping the ‘bad’ traffic.

Passive DDoS Mitigation—This service is activated after an attack begins and requires the customer to call in to activate. Once active, it too will redirect traffic to a scrubbing location.  

Yes, the answer is always yes. However, it is also important to note that a firewall is only one component of your overall security posture.