Best practices for securing small businesses with next-gen firewalls

There are three pillars that support all cyber security efforts:

1. Confidentiality
2. Integrity
3. Availability

Before covering the practical tips for securing your firewall, let’s review the oft under-appreciated pillar: availability.

Building a foundation with availability

The pillar of availability's principle suggests that when data isn’t accessible in the moment of need, that your organization is not operating securely. Most small businesses feel like their tolerance for downtime is higher than their larger siblings, but as more SMB production is pushed to the cloud, a highly available network is more important than ever before.

Take the time to educate the stakeholders in your organization about the true costs of downtime and review with them the recovery times required for ISP and hardware failures. Feel free to share with them how most small businesses are configured. A single ISP, a single firewall, a single switch, and some servers. Single points of failure on all counts!

All businesses have experienced an internet outage and typically afterwards, the demand for a backup internet connection is raised. As a result, the network progresses to this.

As the business grows, the ethernet port count increases and more switches are added to increase the capacity. Too often however, we find switches are daisy-chained together without consideration for increasing reliability and throughput. The best practice is to use a stacking technology or virtual port-channel implementation. These features allow multiple switches to act in a more unified manner; allowing redundant links, while not interfering with the loop prevention provided by spanning-tree protocol.

When a link aggregation (LAG) is created between multiple instances of devices, then we’ve created an MC-LAG, meaning multi-chassis link aggregation. An MC-LAG provides layer 2, active-active links with node-level redundancy! It’s fast, redundant, and reduces downtime in a major way. A big win!

As a tip, use the fastest uplinks possible between the firewall and switches. 10 and 25 Gbit ports (SFP+ and SFP28) are becoming common in SMB gear.

The final step in improving the network’s availability is to create a high availability (HA) cluster of the firewall itself. Each vendor has their own mechanism for handling this aggregation. There are a few gateway redundancy protocols to choose from (VRRP, HSRP, GLBP) however none of these combine the management and data planes like a true HA clustering implementation.

Check with your firewall vendor if they support true clustering of their devices. Keep in mind that often security licenses will need to be purchased for each unit even though they act as one!

The topology has gone from two network devices to six, and all single points of failure in the path have been eliminated. Now that the firewalls have their configs and sessions synced up, you’re ready to provide the highest level of network availability to your organization!

Next up we’ll cover the pillars of confidentiality and integrity by leveraging the firewall to tighten up what traffic is allowed in and out of the network.