By Jim Mundy, Director of Security Operations, Segra
Most business owners are aware of cybersecurity defenses such as firewalls, DDoS prevention, and endpoint protection, and assume some form of each is included in the security package sold to them by a carrier or managed IT service provider. However, with the growth of IoT, a more remote workforce, and increases in the sheer number and complexity of cyberattacks, next generation versions of each of these protections are now available to owners and IT leaders, and they have become table stakes security services for protecting a business.
Last year, 61% of small to medium-sized businesses admitted they experienced a cyberattack, according to Verizon's 2022 Data Breach Investigations Report. As we enter 2023, small and medium-sized businesses will need to make sure they (and their stakeholders, customers, etc.) are protected against traditional attacks such as DDoS and phishing, along with more current and sophisticated attacks such as ransomware.
General Firewall vs Next Generation Firewall
When people talk about cyber security in a business, they think about a firewall. The firewall used to be a simple box that did much of what a router did, plus some extra security features, but the industry has now moved to a more robust solution called the next generation firewall.
A next generation firewall adds functionality that runs in the device or in the firewall service itself, including web filtering, antivirus services, and intrusion prevention, all of which are cybersecurity capabilities that any business needs.
Web Filtering: This function gives business owners the ability to block websites, or allow them with some limitations. Categories can also be used to filter the types of content allowed. Web filtering used to be a separate box, but it now runs inside the next generation firewall.
Network Antivirus: Another function the next generation firewall can perform is antivirus protection. In most cases people are used to running software such as Norton or McAfee separately. These security applications live on the end user's device or on the network server. The problem is that these antivirus solutions only catch things after they have traversed the network and arrived at the device. An example would be a user opening a web page and clicking something that leads to a virus. Network antivirus monitors the traffic as it enters the firewall, detects the virus, and stops it there. This firewall-based network antivirus feature does not replace antivirus software running on devices; it complements it.
Intrusion Prevention: Here the firewall blocks traffic the same way it blocks a virus, but instead of a specific virus file targeting a machine, it goes after attacks aimed at a particular operating system or application that lives on the network. If a main file server in the office runs a version of a program known to have a vulnerability, this is where intrusion prevention is helpful. As traffic comes in, intrusion prevention looks for what appears to be an effort to exploit that vulnerability, detects it, and stops it.
When looking at web filtering, network antivirus, or intrusion prevention services, it's important to remember that these threats change constantly. Protection should not be purchased once, because a single installation of software does not provide a stream of constant updates. What does provide updates is a subscription to an evergreen, managed service such as hosted or cloud-based firewall capabilities delivered as a service.
Physical vs Hosted/Cloud Based Firewall Capabilities
A firewall is essentially available in two formats. One is a physical box placed at a location, typically sitting between the internet and the rest of the company's network. The hosted or cloud-based firewall sits in the cloud, and the business's internet connection is delivered through it.
A cloud firewall can be built with geodiversity, where multiple cloud-based firewall platforms operate and keep a secure connection to the internet even if one of the cloud platforms suffers a connectivity or device failure. If a company with many locations were headquartered in Charlotte and had a physical firewall at that data center, an issue with the fiber going into that data center would take down every connected office, because the internet lived at corporate headquarters. This level of diversity and availability is difficult to duplicate with a premise-based firewall solution.
Cloud-based firewall solutions are particularly beneficial for businesses and enterprises with multiple locations, as they eliminate the need for multiple boxes and receive constant updates while the firewall is hosted in the cloud. Cloud-based firewalls bring several benefits: no capital expenditure on buying a box, high availability, and geodiversity.
DDoS Protection vs Carrier-based DDoS Solutions
The next table stakes security issue is DDoS attacks, in which traffic from multiple locations around the internet converges on a central point with the goal of overwhelming the protection that sits there, such as the firewall at the end, or overwhelming a web or application server. DDoS attacks are usually intended either to take a company out of service or to make some type of political statement.
A firewall itself can block DDoS traffic, but if the firewall is busy throwing away the trash that comes in with an attack, it becomes overwhelmed and stops doing its primary function, which achieves the end goal of the DDoS attack.
The best way to combat a DDoS attack is to let a carrier deploy protection in its own network, preferably at the very edges of that network; this is known as a carrier-based DDoS solution. The value is that if multiple businesses are located in the same general market and one of them is attacked, the attack could impact everyone, not just the targeted business, because the overall network is overwhelmed. By pushing mitigation as far out as possible, to the edge, nobody sees the attack and it is stopped by the carrier.
DDoS protection should be considered regardless, but the more optimal way to deploy it is a carrier-based DDoS solution, which gains the benefit of pushing mitigation out to the edge.
A carrier deployed DDoS protection solution may also benefit from threat intelligence related to attacks around the country or the globe. This intelligence allows an attacker’s signature to be known even before the attack spreads to the carrier’s edge.
Endpoint Protection vs Holistic Endpoint Protection Solutions
The next thing considered table stakes is protection of the endpoints in a network, known as endpoint protection or EPP. When you go online to a secure website, such as an online banking login page, you most likely see the little lock on the left side of the address bar, which basically means the traffic is being encrypted.
Encryption is a good thing, but as more and more internet traffic becomes encrypted, the firewall itself can't see what's going on as traffic passes through, so threats can get through to the end user's computer. Something may look normal to the user but still contain a virus or malware.
And just as the firewall needs regular updates, it's critical that endpoint protection software is updated continuously as well. Buying EPP individually and putting it on individual computers is good, but it's not ideal. What you want is a holistic endpoint protection solution for the company. A holistic approach lets business owners apply company policies down to the computers, be alerted when someone's computer is faulty, or get an alert to quarantine a threat.
Zero Trust Access Policy
As attackers get more sophisticated and are able to hide in a network and impersonate legitimate users, it is table stakes to implement a zero trust solution. The solution is not a single device or application but the application of the zero trust principle to all users and all traffic. This principle states that no user or network connection should be allowed access to a network or application without first confirming who is connecting, what their role is, and whether that role has both a need and the authority to access the network or resource. Zero trust policy is implemented in firewalls, network devices, applications, and endpoint protection.
Overall, downtime due to data breaches or non-compliance can cripple a business, causing financial issues and impacting business operations. Relying on firewalls and antivirus software alone is no longer enough to protect an organization against threats; a holistic approach to cybersecurity is needed. The solutions mentioned above provide a well-rounded approach for small and medium-sized business owners to run a more effective and safer network by looking for threats at the endpoint, at the firewall, and out at the edge of the carrier's network.
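As an added illustration (not from the article, and not a Segra product), the following Python turns the three checks just described into a default-deny access decision: identity must be confirmed, the role must be known, and that role must have both a need for and authority over the requested resource. The users, roles, resources and policy tables are constructed for the example.

```python
# Added example, not the article's or any vendor's code: a default-deny
# zero trust decision built from the three checks the article names.
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed policy tables. "Need" and "authority" are kept separate on
# purpose: a role can legitimately need a resource yet lack authority for it.
ROLE_NEEDS = {            # resources each role's job actually uses
    "finance":  {"file-server"},
    "it-admin": {"file-server", "hr-database"},
    "hr":       {"hr-database"},
}
RESOURCE_AUTHORITY = {    # roles each resource owner has authorized
    "file-server":  {"finance", "it-admin"},
    "hr-database":  {"hr"},
}

@dataclass
class ConnectionRequest:
    user: str
    identity_verified: bool        # e.g. MFA succeeded; constructed flag
    role: Optional[str]            # None when the directory lookup failed
    resource: str

def decide(req: ConnectionRequest) -> Tuple[bool, str]:
    """Return (allowed, reason). Anything not explicitly allowed is denied."""
    if not req.identity_verified:                       # who is connecting?
        return False, "identity not confirmed"
    if req.role is None or req.role not in ROLE_NEEDS:  # what is their role?
        return False, "role unknown"
    if req.resource not in RESOURCE_AUTHORITY:          # unknown resource
        return False, "no policy for resource; default deny"
    if req.resource not in ROLE_NEEDS[req.role]:        # does the role need it?
        return False, f"role {req.role} has no need for {req.resource}"
    if req.role not in RESOURCE_AUTHORITY[req.resource]:  # is it authorized?
        return False, f"role {req.role} lacks authority for {req.resource}"
    return True, "identity, role, need and authority all confirmed"

if __name__ == "__main__":
    for r in (ConnectionRequest("alice", True, "finance", "file-server"),
              ConnectionRequest("dave", True, "it-admin", "hr-database"),
              ConnectionRequest("mallory", False, "hr", "hr-database")):
        print(r.user, r.resource, decide(r))
```

Because every path other than the final one returns a denial, a request that the policy tables do not explicitly cover (an unknown role or resource) is refused rather than waved through.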
About the Author
Jim Mundy is the Director, Security Operations at Segra. Jim leads the security operations center team of cyber security engineers and analysts who are responsible for the full lifecycle of Segra managed security, from policy review and implementation, through upgrades and changes, to repair support for Segra's customers. The SOC team at Segra also manages the daily care and sustainment of the firewall platforms and security applications used to deliver the managed security services. Jim and the team are actively involved in the development and rollout of new cyber security services and the continuous improvement of the products and processes within the area of customer managed security.
Prior to joining Segra, Jim worked as a Sales Engineer, Sales Engineering Manager and Product Manager for companies in the telecommunications and managed service provider space. Jim is a Certified Information Systems Security Professional (CISSP) and has recently held Cisco professional level network and voice certifications. Jim has also worked as an entrepreneur, starting PaxNet, an ISP in Greenville, South Carolina, which he later sold to NewSouth Communications. Jim began his telecommunications career in a family-owned cable television company and has more than 20 years of experience in the industry.
For more information about Segra, go to www.segra.com.