
Best practices for securing small businesses with next-gen firewalls


Brian Scheewe

Thursday, October 13, 2022


There are three pillars that support all cyber security efforts:

  1. Confidentiality
  2. Integrity
  3. Availability

Before covering the practical tips for securing your firewall, let's review the often under-appreciated pillar: availability.

Building a foundation with availability

The availability pillar holds that if data isn't accessible at the moment it is needed, the organization is not operating securely. Most small businesses assume their tolerance for downtime is higher than that of larger organizations, but as more SMB production workloads move to the cloud, a highly available network matters more than ever.

Take the time to educate the stakeholders in your organization about the true cost of downtime, and review with them the recovery times required after ISP and hardware failures. It helps to show them how most small businesses are actually configured: a single ISP, a single firewall, a single switch, and some servers. Single points of failure on all counts!

Downtime in a network full of single points of failure is bound to happen.

Every business has experienced an internet outage, and afterwards the demand for a backup internet connection is typically raised. As a result, the network progresses to a dual-ISP design.

Multiple ISPs provide more reliability, but it's not nearly enough.

As the business grows, the Ethernet port count increases and more switches are added for capacity. Too often, however, we find switches daisy-chained together without any consideration for reliability or throughput: every switch in the chain becomes a single point of failure for everything behind it. The best practice is to use a stacking technology or a virtual port-channel implementation. These features allow multiple switches to act as one logical unit, which permits redundant links without interfering with the loop prevention provided by spanning-tree protocol.

Things are starting to look pretty good, but it can still be improved upon.

When a link aggregation group (LAG) is spread across two physical switches that present themselves as one logical device, the result is an MC-LAG (multi-chassis link aggregation). An MC-LAG provides layer 2, active-active links with node-level redundancy: every member link carries traffic, and the loss of a single link or a single switch does not take down the bundle. It's fast, redundant, and reduces downtime in a major way. A big win!

As a tip, use the fastest uplinks possible between the firewall and switches. 10 and 25 Gbit ports (SFP+ and SFP28) are becoming common in SMB gear.

The final step in improving the network's availability is to build a high availability (HA) cluster out of the firewall itself. Each vendor has its own mechanism for clustering. There are several gateway redundancy protocols to choose from (VRRP, HSRP, GLBP), but these only provide a floating gateway address; none of them synchronize configuration and session state across the management and data planes the way a true HA clustering implementation does, so a failover with those protocols alone drops established sessions.

Check with your firewall vendor whether they support true clustering of their devices. Keep in mind that security licenses often need to be purchased for each unit, even though the pair acts as one!

A network with high availability is a happy network.

The topology has gone from two network devices to six, and all single points of failure in the network path have been eliminated. Now that the firewalls have their configs and sessions synced up, you're ready to provide the highest level of network availability to your organization! One caveat: the diagram only covers the data path. Two firewalls on the same power circuit, or two ISPs that share the same last-mile conduit into the building, are still a shared fault domain, so verify those as well.
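The four stages above (single everything, dual ISP, stacked/MC-LAG switches, HA firewall pair) are easy to sanity-check programmatically before you buy hardware: model the network as a graph and ask which single device or single link, if removed, cuts the path between the internet and the servers. The script below is an added example and is not code from the original article or from Level; the topologies, device names (`isp1`, `fw1`, `sw1`, ...) and the virtual `internet` and `servers` nodes are constructed for illustration, and the daisy-chained variant is included to show why that layout is worse than it looks.

```python
"""Single-point-of-failure check for a small-office network topology.

Added example, not from the original article. Device names, links and
the virtual 'internet' / 'servers' endpoints are constructed assumptions.
"""
from collections import deque


def build_adjacency(links):
    """Undirected adjacency sets from (a, b) link tuples."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def reachable(adj, src, dst, removed_nodes=frozenset(), removed_links=frozenset()):
    """Breadth-first search from src to dst that skips failed nodes and links.

    removed_links holds frozenset({a, b}) pairs so direction does not matter.
    """
    if src in removed_nodes or dst in removed_nodes:
        return False
    seen = {src}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return True
        for peer in adj.get(node, ()):
            if peer in seen or peer in removed_nodes:
                continue
            if frozenset((node, peer)) in removed_links:
                continue
            seen.add(peer)
            queue.append(peer)
    return False


def single_points_of_failure(links, src="internet", dst="servers"):
    """Devices whose loss alone cuts the path between src and dst (sorted)."""
    adj = build_adjacency(links)
    if not reachable(adj, src, dst):
        raise ValueError("src and dst are not connected even with every device up")
    return sorted(
        node for node in adj
        if node not in (src, dst)
        and not reachable(adj, src, dst, removed_nodes={node})
    )


def single_link_failures(links, src="internet", dst="servers"):
    """Cables / circuits whose loss alone cuts the path (sorted name pairs).

    A link touching the virtual 'internet' node stands for that ISP's circuit.
    """
    adj = build_adjacency(links)
    unique_links = {frozenset(link) for link in links}
    return sorted(
        tuple(sorted(link)) for link in unique_links
        if not reachable(adj, src, dst, removed_links={link})
    )


# Constructed topologies mirroring the stages in the article. A link is a
# physical cable or circuit; "sw1"-"sw2" in the stacked designs is the
# stack / MC-LAG peer link, and "servers" is dual-homed where two links exist.
TOPOLOGIES = {
    "single_everything": [
        ("internet", "isp1"), ("isp1", "fw1"), ("fw1", "sw1"), ("sw1", "servers"),
    ],
    "dual_isp": [
        ("internet", "isp1"), ("internet", "isp2"), ("isp1", "fw1"), ("isp2", "fw1"),
        ("fw1", "sw1"), ("sw1", "servers"),
    ],
    "dual_isp_daisy_chained": [
        ("internet", "isp1"), ("internet", "isp2"), ("isp1", "fw1"), ("isp2", "fw1"),
        ("fw1", "sw1"), ("sw1", "sw2"), ("sw2", "servers"),
    ],
    "dual_isp_mclag": [
        ("internet", "isp1"), ("internet", "isp2"), ("isp1", "fw1"), ("isp2", "fw1"),
        ("fw1", "sw1"), ("fw1", "sw2"), ("sw1", "sw2"),
        ("sw1", "servers"), ("sw2", "servers"),
    ],
    # Assumes each ISP handoff is cabled to both firewalls (e.g. via the
    # provider's own switch); with a single handoff per ISP the ISP edge
    # devices would reappear as link-level single points of failure.
    "ha_firewalls_mclag": [
        ("internet", "isp1"), ("internet", "isp2"),
        ("isp1", "fw1"), ("isp1", "fw2"), ("isp2", "fw1"), ("isp2", "fw2"),
        ("fw1", "sw1"), ("fw1", "sw2"), ("fw2", "sw1"), ("fw2", "sw2"), ("sw1", "sw2"),
        ("sw1", "servers"), ("sw2", "servers"),
    ],
}


if __name__ == "__main__":
    for name, links in TOPOLOGIES.items():
        print(f"{name}:")
        print("  device SPOFs:", single_points_of_failure(links) or "none")
        print("  link SPOFs:  ", single_link_failures(links) or "none")
```

Running it shows the progression the article describes: the baseline reports `fw1`, `isp1` and `sw1` as device SPOFs; adding a second ISP removes only `isp1`; daisy-chaining a second switch adds `sw2` to the list instead of removing anything; the MC-LAG design leaves just `fw1`; and the HA pair reports no single device or single link in the path. Extending the graph with power circuits or conduit paths as extra nodes is a straightforward way to check the shared fault domains mentioned above.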

Next up we’ll cover the pillars of confidentiality and integrity by leveraging the firewall to tighten up what traffic is allowed in and out of the network.

Level: Simplify IT Management

At Level, we understand the modern challenges faced by IT professionals. That's why we've crafted a robust, browser-based Remote Monitoring and Management (RMM) platform that's as flexible as it is secure. Whether your team operates on Windows, Mac, or Linux, Level equips you with the tools to manage, monitor, and control your company's devices seamlessly from anywhere.

Ready to revolutionize how your IT team works? Experience the power of managing a thousand devices as effortlessly as one. Start with Level today—sign up for a free trial or book a demo to see Level in action.