Next-Generation Firewalls (NGFWs)
Traditional stateful firewalls filter traffic based on the "state" of a connection: they track each connection by its addresses, ports and protocol, follow the TCP handshake, and pass only packets that belong to a legitimately established session. What they do not examine is the content of that session. With the predominance of cloud computing this has become a real limitation, because applications are delivered through a web browser and arrive as ordinary web traffic on ports 80 and 443, so a port-based rule cannot tell a line-of-business application from a game or a malware download. Next-Generation Firewalls (NGFWs) add inspection at the application layer. They look inside the traffic as it crosses the network and match it against intrusion-prevention and anti-malware signatures, much as a host anti-malware program examines files, which makes them far more effective at catching threats in this era of computing. One caveat applies: because most web traffic is now encrypted with TLS, this inspection works only if the firewall can decrypt the traffic (typically by acting as a TLS intercepting proxy with a certificate the clients trust); otherwise it can see little more than the server name in the TLS handshake. Another feature of most NGFWs is application awareness and control: the firewall identifies the application a session belongs to regardless of the port it uses, so a specific application can be allowed or blocked, such as a game on Facebook, while end users can still access Facebook itself. Content filtering can also be configured, which regulates access to categories of sites, such as adult or gaming sites. Cloud-delivered threat intelligence is another common feature. When a previously unknown (zero-day) threat, one for which no signature or patch yet exists, is detected at one customer, the resulting signature or indicator is pushed to every firewall in the vendor's community, often within minutes rather than on a scheduled update cycle.
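To make the difference concrete, the following added example (not code from the original text or from any firewall vendor) models a stateful layer-4 decision beside an application-aware layer-7 decision for two requests to the same server. The IP addresses, the requests and the tiny application-signature list are constructed for illustration; real NGFWs use large vendor-maintained signature databases. It also assumes the firewall sees the HTTP request in clear text, i.e. the traffic is plain HTTP or the firewall has already decrypted the TLS session.

```python
"""Stateful (layer-4) versus application-aware (layer-7) filtering.

Added example, not from the original text or any firewall product.
Addresses, requests and signatures are constructed for illustration.
Assumes the firewall sees the HTTP request in clear text (plain HTTP,
or TLS already decrypted by the firewall).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """The 5-tuple a stateful firewall tracks per connection."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


def l4_decision(flow: Flow, allowed_ports=frozenset({80, 443})) -> str:
    """Stateful firewall logic: only the 5-tuple is visible, so every
    connection to a web port looks the same."""
    return "allow" if flow.proto == "tcp" and flow.dst_port in allowed_ports else "deny"


def parse_http_request(raw: bytes):
    """Minimal HTTP/1.1 request parser returning (method, path, headers)."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return method.decode(), path.decode(), headers


# Constructed application signatures: (app name, host, path prefix).
# Order matters: more specific signatures must come before general ones.
APP_SIGNATURES = [
    ("facebook-games", "apps.facebook.com", "/"),
    ("facebook-games", "www.facebook.com", "/games/"),
    ("facebook", "www.facebook.com", "/"),
]

# Application control policy: let users reach Facebook, block its games,
# and treat anything unclassified as ordinary web traffic.
APP_POLICY = {"facebook": "allow", "facebook-games": "deny", "unknown-web": "allow"}


def identify_app(host: str, path: str) -> str:
    """Classify a request by host and path against the signature list."""
    for app, sig_host, prefix in APP_SIGNATURES:
        if host == sig_host and path.startswith(prefix):
            return app
    return "unknown-web"


def l7_decision(flow: Flow, payload: bytes) -> str:
    """NGFW logic: the L4 check still applies; then the application is
    identified from the request and the per-application policy decides."""
    if l4_decision(flow) == "deny":
        return "deny"
    _method, path, headers = parse_http_request(payload)
    return APP_POLICY[identify_app(headers.get("host", ""), path)]


# One client talking to one web server (RFC 5737 documentation address).
# At layer 4 these requests are indistinguishable: same host, same port 443.
FLOW = Flow("10.0.5.23", 51514, "198.51.100.10", 443)

REQ_FEED = b"GET /home.php HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n"
REQ_GAME = b"GET /games/play/12345 HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n"
REQ_APPS = b"POST /canvas/launch HTTP/1.1\r\nHost: apps.facebook.com\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    print("stateful firewall, any request on this flow:", l4_decision(FLOW))
    for name, req in (("news feed", REQ_FEED), ("game", REQ_GAME), ("apps canvas", REQ_APPS)):
        print(f"NGFW, {name}:", l7_decision(FLOW, req))
```

The stateful check returns "allow" for the flow no matter what is inside it; the NGFW path allows the news feed request and denies both game requests, because the decision is made on the identified application rather than on the port. Note that `l7_decision` still runs the layer-4 check first: application control complements stateful filtering, it does not replace it.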
Infrastructure Security
In addition to securing the perimeter between the company network and the internet, the company's internal network must be secured as well. One part of this is network access control: networking devices and protocols (802.1X is the usual mechanism) admit an end-user device only if it meets certain criteria, such as the user being authorized, the operating system being up to date, and antivirus software being installed and running. Devices should log events to a central collector, so the records survive if a device itself is compromised and are available for troubleshooting when the network has problems. For logs from different devices to be correlated, Network Time Protocol (NTP) must be configured on every device so that their clocks agree; a few minutes of skew is enough to place events from two devices in the wrong order and send an investigation down the wrong path.

The wireless network should use an encryption protocol with no known practical break: WPA2 with AES (CCMP) or WPA3, never WEP or WPA with TKIP, both of which are broken. For hardwired devices, port security on switches limits which and how many MAC addresses may appear on a port; since MAC addresses are easy to spoof this is a hygiene control, and 802.1X should be used where stronger assurance is needed. Virtual Private Networks (VPNs) encrypt traffic across the internet between company sites (site-to-site VPNs), or between remote employees and the company network (remote-access VPNs). Virtual Local Area Networks (VLANs) divide the company's internal network into separate segments, so a group of employees such as the executive department or the staff on the second story of a building has its own network. Traffic between VLANs must pass through a router or layer-3 switch, where access control lists and firewall policy can keep one department from reaching another department's resources; VLANs also help in organizing and troubleshooting the network, and different rules and policies can be applied to each one to regulate what its users can do. Other hardening measures include disabling discovery protocols such as CDP and LLDP on user-facing ports so that devices do not advertise their make, model and software version; enabling authentication and encryption on the infrastructure protocols that support it (routing protocols, NTP, SNMPv3, and so on); setting strong passwords on networking devices; and restricting how and from where the devices are administered, for example SSH from a dedicated management VLAN only, with Telnet and HTTP management disabled.
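The reason NTP is listed alongside logging is easiest to see on a timeline. The following added example (not from the original text) correlates constructed syslog-style records from a firewall whose clock is synchronized and a switch whose clock is not; the hostnames, the log lines and the switch's 4-minute clock error are all invented for illustration. Without a correction the firewall appears to have seen the new device's traffic before the device ever joined the network; with the measured offset applied the events fall into their true order.

```python
"""Why NTP matters for log correlation: records from an unsynchronized
device land in the wrong place on the timeline.

Added example, not from the original text. Hostnames, log lines and the
switch's 4-minute clock error are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime   # timestamp as written by the device's own clock
    host: str
    msg: str


def parse_line(line: str) -> Event:
    """Parse '<ISO-8601 stamp> <host> <message>' (constructed format)."""
    stamp, host, msg = line.split(" ", 2)
    return Event(datetime.fromisoformat(stamp), host, msg)


def measure_offset(device_clock: datetime, reference_clock: datetime) -> timedelta:
    """Correction to ADD to a device's stamps, from one sample of its clock
    read at the same instant as a trusted (NTP-synchronized) clock."""
    return reference_clock - device_clock


def timeline(lines, offsets=None):
    """Events in time order. offsets maps host -> correction to add to that
    host's stamps; with no offsets this is the raw view an analyst gets
    when the devices are not synchronized."""
    offsets = offsets or {}
    events = [parse_line(line) for line in lines]
    corrected = [Event(e.ts + offsets.get(e.host, timedelta(0)), e.host, e.msg)
                 for e in events]
    return sorted(corrected, key=lambda e: e.ts)


def host_order(lines, offsets=None):
    """Just the sequence of hosts, handy for checking the ordering."""
    return [e.host for e in timeline(lines, offsets)]


# Constructed records. fw01 is NTP-synchronized; sw01 is not and runs 4 minutes fast.
# True story: a device comes up on Gi1/0/7, then probes SSH and HTTPS through the firewall.
LOGS = [
    "2024-03-14T09:15:02 fw01 DENY tcp 10.0.5.23:44110 -> 203.0.113.7:22",
    "2024-03-14T09:15:04 fw01 ALLOW tcp 10.0.5.23:44112 -> 203.0.113.7:443",
    "2024-03-14T09:18:40 sw01 link-up Gi1/0/7",
    "2024-03-14T09:18:45 sw01 mac-learned 00:11:22:33:44:55 Gi1/0/7 vlan 20",
]

# Constructed clock sample: the collector read sw01's clock when its own
# trusted clock said 09:20:00 and sw01 answered 09:24:00 (so sw01 is 4 min fast).
SW01_OFFSET = measure_offset(datetime(2024, 3, 14, 9, 24, 0),
                             datetime(2024, 3, 14, 9, 20, 0))

if __name__ == "__main__":
    print("raw order:      ", host_order(LOGS))
    print("corrected order:", host_order(LOGS, {"sw01": SW01_OFFSET}))
    for e in timeline(LOGS, {"sw01": SW01_OFFSET}):
        print(e.ts.isoformat(), e.host, e.msg)
```

Measuring and applying an offset after the fact, as `measure_offset` does, is what an investigator is forced into when a device was never synchronized; it only works if the clock drift was stable and someone thought to sample it. Configuring NTP on every device, with authentication where the platform supports it, avoids the problem entirely.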
Physical Security
Most networking devices allow a password to be set to protect administrative access, but nearly all of them also provide a password-recovery or factory-reset procedure for anyone with physical access, typically by interrupting the boot process over a console cable or holding a reset button. Gaining administrative access to a networking device is a serious security breach, not only for the device that is compromised but for the entire network: an attacker who controls a switch or router can change VLAN assignments, mirror traffic, or alter routing. Therefore it is important that critical networking devices are physically secured so no one can tamper with them. Devices can be locked in a network closet or room with controlled access, or stored in a lockable cabinet designed for networking equipment; where the vendor supports it, the password-recovery feature can also be disabled so that physical access alone does not yield the configuration.