What should be considered in selecting the right firewalls? What are the best practices for firewalls?

Why is it Critical that your Organization have a Firewall?

A firewall is a network security device that continually monitors incoming and outgoing traffic and decides whether to allow or block specific traffic based on a defined set of security rules. It is the first line of perimeter defense for your organization’s computer network against a cyber-attack: it establishes a protective barrier between secured, controlled internal networks that can be trusted and untrusted outside networks such as the Internet. A firewall can be hardware, software, or a combination of both. A good firewall will provide a high level of protection and a wide range of options. Many routers and switches have basic security features, and while they may provide Internet access for your network, they most likely will not provide adequate protection against the sophisticated attacks and threats prevalent in today’s Internet-based computing world. Without a firewall in place, your organization’s network will be very susceptible to threats including security breaches and dangerous malware. Ultimately, these security threats could cost your organization time and money and potentially compromise the security of your internal/client data.

What Factors should your Organization take into Consideration when Selecting a Firewall?

Beyond the level of protection provided, the most important and often overlooked factor when selecting a firewall is sizing. Sizing should be based on the number of users on your network along with the number of remote users. By failing to take this into consideration, you could end up with an expensive piece of hardware that isn’t capable of providing the bandwidth and throughput needed by your end users. As a result, the efficiency and productivity of your end users is negatively impacted.

Often, the features an organization will need most will be bundled with less relevant functionality and offered at a higher price point. This pricing model leaves the buyer with the unappealing options of either buying something that may be out of budget or buying something that may not meet the government’s or non-profit’s needs. Fortunately, there are vendors that offer solutions with baseline functionality that can be customized with modules to meet your specific needs. Different devices have different prices – depending on the functionality they have and how much traffic they can handle. For a governmental or non-profit agency, the budget is often the most significant consideration. However, you should determine the most important features you will need based on your organization’s current and future requirements and resources.

Due to the complexity and range of choices, it is often best to engage an outside technology consultant to assist you in selecting the firewall best suited to the size and complexity of your network. You will also need to determine whether your organization has the in-house expertise to properly configure and manage it or whether it will require an external technology support provider. In order to get the most out of this investment, a properly trained and experienced security technician is critical to a successful deployment. The technician should also be engaged for ongoing support when updates are released and when issues inevitably arise.

What are the Basic Security Features of a Firewall?

  • Border Security – The first level of protection is considered border security. This minimum or baseline form of protection will be offered by all firewalls and will constantly monitor both inbound and outbound network traffic for threats.
  • DMZ – Does your organization operate a web server or email server on its premises? If so, you might want to dedicate a certain area of your network as a ‘demilitarized zone’ or DMZ. This type of networking configuration protects the servers in the DMZ and checks traffic to and from these servers along with isolating these servers from the rest of the local area network as much as possible.
  • VLANs – If your organization has a large or sprawling network, you should give strong consideration to implementing VLANs (Virtual Local Area Networks). VLANs allow you to group and segregate devices in the same subnet even if the devices aren’t connected on the same router or switch. This is primarily done to contain network data traffic for performance and security reasons.
  • ACL – Access Control Lists serve as a filtering mechanism to control and anticipate unwanted traffic by analyzing characteristics such as source, destination or port.
  • IDS – An IDS or Intrusion Detection System is a technology that detects potential malicious data traffic in and out of your network. This technology only detects the presence of this type of traffic, but it cannot stop it. For protection, see IPS below in the next section.
  • Logging and Alerts – Every type of firewall should have a feature where you can monitor the types of traffic the device is blocking and the kinds of traffic that are permitted through. Also, the notification methods will vary – some will send alerts via SMS while others will rely on email or network broadcast messages. All firewalls should have the capability to alert network administrators in the event of a security breach, attack, or inappropriate/unauthorized use of Internet resources.
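
The ACL, DMZ and logging features listed above can be seen working together in the following added example, which is not part of the original article: a first-match ACL with an implicit default deny, a DMZ isolated from the LAN, and a log line plus alert for each decision. The address plan, rule names and sample traffic are constructed assumptions, and the model is stateless (return traffic is not tracked).

```python
import ipaddress
from dataclasses import dataclass

# Constructed address plan and rule set (assumptions, not from the article).
LAN = ipaddress.ip_network("10.0.10.0/24")
DMZ = ipaddress.ip_network("10.0.20.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")
WEB = ipaddress.ip_network("10.0.20.10/32")   # web server placed in the DMZ

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: int = 0                   # 0 matches any destination port

    def matches(self, src: str, dst: str, dport: int) -> bool:
        return (ipaddress.ip_address(src) in self.src and ipaddress.ip_address(dst) in self.dst
                and self.dport in (0, dport))

# Order matters: the first matching rule decides the packet's fate.
ACL = [
    Rule("dmz-to-lan", "deny", DMZ, LAN),        # isolate DMZ servers from the LAN
    Rule("lan-out", "permit", LAN, ANY),         # staff may reach DMZ and Internet
    Rule("web-https", "permit", ANY, WEB, 443),  # only HTTPS reaches the web server
]

def evaluate(src: str, dst: str, dport: int) -> tuple:
    """Return (action, rule name); anything unmatched hits the default deny."""
    for rule in ACL:
        if rule.matches(src, dst, dport):
            return rule.action, rule.name
    return "deny", "default-deny"

def process(packets):
    """Log every decision; alert when a DMZ host tries to reach the LAN."""
    log, alerts = [], []
    for src, dst, dport in packets:
        action, rule = evaluate(src, dst, dport)
        log.append(f"{action.upper()} {src} -> {dst}:{dport} rule={rule}")
        if rule == "dmz-to-lan":
            alerts.append(f"ALERT: DMZ host {src} attempted LAN access to {dst}:{dport}")
    return log, alerts

# Constructed sample traffic (outside hosts use documentation address ranges).
SAMPLE = [
    ("203.0.113.5", "10.0.20.10", 443),   # visitor to the web server
    ("203.0.113.5", "10.0.20.10", 22),    # SSH from outside, no rule permits it
    ("10.0.20.10", "10.0.10.25", 445),    # DMZ server reaching for a LAN file share
    ("10.0.10.25", "198.51.100.7", 443),  # staff browsing
]

if __name__ == "__main__":
    print("\n".join(sum(process(SAMPLE), [])))
```

Moving the `dmz-to-lan` rule below a broader permit would silently disable the isolation, which is why rule order is reviewed along with the rules themselves.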

What are the Advanced Security Features of a Firewall?

For large governmental or non-profit agencies, there are more advanced security features that should be implemented:

  • VPN or a Virtual Private Network – A VPN encrypts data sent between two or more locations when that data is sent over the Internet or other public network. VPNs are typically used for staff members working remotely to gain secure access to files and programs on the office network. If your organization has multiple office locations, you can configure a firewall at each location to provide a ‘site to site’ VPN in order to encrypt communications between those locations. Oftentimes, a ‘site to site’ VPN is a more cost-effective option to connect physically separate sites instead of leasing private dedicated point to point connections.
  • IPS – An IPS or Intrusion Prevention System is a technology that relies on algorithmic analysis of the data coming in and out of the network to prevent security breaches. Data traffic detected by this technology will be dropped and will never reach the protected network.
  • Web/Content Filtering – Through web filtering, policies are established to enable specific websites, URLs, and web content to be accessible by the network’s users. Most firewalls include default web filtering policies that reflect industry best practices.
  • E-Mail Protection – Through this feature, the firewall enables the scanning of email attachments and the filtering out of spam emails.
  • Malware Protection – Data traffic is analyzed to detect the presence of malware prior to passing the data or web content through to the end user.
  • Endpoint Security – Through this type of security, end-user devices on your network such as mobile devices, laptops/desktops and servers are protected via a software package that is managed at the firewall level.
  • Application Filtering – This option provides the capability of defining which applications are allowed to traverse the firewall’s zones and which are not. This is mainly implemented for productivity reasons. For example, you may choose to block all forms of Instant Messaging to the outside world, or you may want to prevent BitTorrent applications from downloading content to your network.

In summary, selecting the right firewall is one of the most critical IT purchases your organization will make. You should carefully take into consideration your organization’s size, structure, security needs and staffing capacity in making this decision.

Firewalls used to be pretty simple devices. They would inspect rudimentary information about incoming network data – where it came from, where it’s going, what protocols it’s using, and so on. In the infancy of the web, that was more than enough. In those days, there wasn’t much differentiation in the firewall market – a firewall was a firewall was a firewall.

But as the internet has become more and more a part of our lives, the threat of cybercrime has grown to suit. Firewalls nowadays have to do a lot more to keep us safe. As firewalls have grown more complex, choosing the right one for your business’s needs has become a brain-fryingly tricky decision – especially if you’re not very techy.

But fear not! We’ve identified 8 simple questions that should help pair you with the perfect firewall for your needs.

8 Questions to Consider When Choosing Your Next Business Firewall

How Large is Your Team?

We’ll start you off with an easy one. Think – how many people use your network when it’s at its busiest? Your network size and load are a crucial deciding factor when choosing the right firewall solution.

Picking the wrong firewall for your size can be an expensive mistake. For example, a team of three working from a garage simply won’t need an enterprise-grade, rack-mountable firewall. Though it does allow for growth, they may never come close to needing the amount of bandwidth that device is designed for.

On the flipside, a large enterprise firm would risk slowing productivity to a crawl if they choose a firewall that’s designed for a small team. The sheer amount of traffic trying to squeeze through such a low-spec device would be like trying to suck rice pudding through a straw.

Also consider the internet speeds that you currently get from your ISP or leased line. What kind of bandwidth will your firewall need in order to uphold the same internet speeds your team are used to?

Where Are Your Team Based?

Taking stock of how distributed your team are is also an important consideration. For example, a company whose staff are all required at a single site between 9am and 5pm, Monday to Friday, with no possibility of remote working are naturally going to have very different firewall needs to a global team who work completely remotely.

When a team are all based at one location with no way of working outside of the office, they will likely be best served by a hardware firewall commensurate with their size, with any additional security packages to suit their needs.

However, a team who work partially remotely may be better served by a hardware firewall with remote access VPN functionality. This will allow those outside the network to securely dial in and access networked resources.

It also pays to remember that there are other cybersecurity implications when working remotely, so distributed companies should also look into multi-factor authentication tools and good cybersecurity training for their team.

What Is Your Level of In-House IT Expertise?

Do you have dedicated IT staff on your payroll? And do they have the space in their workload to acquaint themselves with a new firewall system? If the answer to either of these is “no”, then you’ll need to pair with a firewall supplier who is willing to be more hands-on, providing a “managed-for-you” service.

Thankfully, security automation is on the rise – and for good reason. A single cybersecurity incident can spread through a network in zero seconds flat – making it impossible for even the most highly caffeinated human technician to react in time. Automation tools like WatchGuard’s Automation Core can independently handle urgent or repetitive tasks, taking the strain away from those responsible for your IT security.

As an aside – we encourage you to regularly reassess your company’s entire relationship with IT. If you’re happy dealing with suppliers directly then that’s great, but as workloads expand it may be worth looking into some kind of service level agreement or managed IT services.

What Cybersecurity Products Do You Already Use?

Take a look at the online security tools already in your arsenal. Do their manufacturers have their own firewall solutions? Cybersecurity vendors usually provide a suite of different security tools, all designed to be seamlessly intercompatible with each other. Therefore, choosing a matching firewall can put you at an advantage.

For example, if you already use Sophos’s Intercept X antivirus software, you can be sure that it will dovetail nicely with their XG range of firewalls. If you’re already using WatchGuard’s WIPS or Guest Wi-Fi systems, a WatchGuard firewall will be the most compatible option.

Yet on the other hand, it’s important to not get too caught up in brand loyalty. We recommend you upgrade your firewall every 5 years – a business can change beyond all recognition in that time. You need to choose a firewall that is going to future-proof you through the next 5 years, so leaning towards “what’s worked up until now” may not be the best answer. Making the swap to a new cybersecurity brand may seem daunting, but the right reseller or supplier should take your concerns on board and put your mind at ease (we certainly will!).

What Functionality Do You Need from Your Firewall?

What exactly do you need your firewall to do, aside from “keep my network safe”? As mentioned above, there are numerous different extras that firewall manufacturers can offer nowadays aside from basic firewall protection.

Naturally, the firewall you choose needs to suit your company’s size and required bandwidth, but you need to make sure it inspects encrypted HTTPS traffic too. This is the kind of traffic that flows to and from websites with an SSL security certificate – a practice that most websites are now adopting. Because this traffic is encrypted, many (often cheaper) firewalls tend to pass it by, along with all of the nasties that may be hidden within; hence why we recommend you choose a firewall with HTTPS inspection as standard.

With that essential stipulation out of the way, we generally recommend any firewalls that also include some kind of gateway antivirus, deep packet inspection (DPI) functionality, sandboxing, and flood protection. If you have remote working policies, then remote access VPNs and multi-factor authentication are a must as well.

As prices continue to drop, there’s little reason to not invest in other security services too, like content filtering, intrusion prevention, data loss prevention, security automation, and more.

Do You Want to Own, Rent, or Lease-to-Own Your Firewall?

You don’t have to own your firewall in order to have one. Many businesses assume that you have to buy a firewall outright, but it’s not your only option.

Ownership may seem the most straightforward – you aren’t tied into any lengthy contracts and the hardware is yours to do with as you wish – but owning your firewall isn’t always the best choice. It’s a large capital outlay – and one that will happen every 5 years if you upgrade as frequently as we recommend. Plus, if you outgrow that firewall or it becomes obsolete, then you’re kind of stuck with it.

Renting can seem less desirable on the surface, but it does come with some quite significant benefits. Firstly, renting accommodates business growth. We will happily switch out a rented firewall for another model should your company grow or your needs change. Rental charges are simple, budget-able OpEx costs, not a pricey CapEx investment with diminishing value. Rental agreements can also protect you in case of breakdown or obsolescence.

How Will Each Supplier Support You?

Regardless of what kind of firewall you choose, choosing the right provider is just as important. Speak to each company you’re thinking about purchasing/renting from and “listen between the lines”; do they take an active role in answering your queries and making sure you’re making the right decisions for your business? Do you get the impression that they’re “just on the other end of the phone” if something were to go wrong? What levels of support do each supplier offer?

Any reputable firewall provider should care enough about your custom to listen to any concerns, talk you through your options, and be available in case things go wrong. You’ll be glad to hear that our team do all three – and more!

So speak to Just Firewalls today! Our friendly experts are on hand to provide jargon-free, down-to-earth advice about all of your online security needs. It’s our aim to pair the UK’s businesses with the best security solutions for their needs, and if something goes wrong – we’ll put it right. Our technicians are located throughout the UK and are available 24/7. Talk to us – call 0808 1644414 for an informal chat or drop us a line to request a call back.