Safeguards
Firewall
What is a firewall?
A firewall is a control point between your company network and the internet that permits or blocks every connection according to fixed rules. It decides which services can be reached from the internet and which connections are allowed to leave your network.
In a small business the firewall usually sits inside the internet provider's router or in a separate appliance in the server cabinet. Out of the box a simple rule applies: nothing comes in from outside, everything may go out from inside. The difficulty lies in the exceptions added over the years, so that the owner can reach the server from home, so that a service company can connect to a machine, or so that the CCTV can be viewed from a mobile phone.
Such exceptions are called port forwardings. A port forwarding is a door in the outer wall that anyone on the internet can see. Remote maintenance services, cameras and the web interfaces of network storage devices behind such a door are found continuously by automated scanners. If a weak password or outdated software waits behind it, the way in stands open. For remote access to the company network a VPN is the appropriate route, meaning an encrypted connection into the company network that opens the path only after a successful login with a second proof of identity alongside the password.
A firewall inspects connections. A phishing email carrying a forged invoice passes through it as ordinary mail, and an employee who types her password into a cloned login page is not stopped by it. The firewall forms the outer shell of the building. Inside that shell, endpoint protection, two-factor authentication, meaning confirmation with a second proof such as a code on a mobile phone, and the trained attention of your staff do the work.
The warning signs of a firewall that needs attention are easy to name. Nobody in the company can say which forwardings are active. The firmware, meaning the control software of the device, has not been updated for years. The firewall's administration interface can be reached from the internet. The login password dates back to the initial installation. The rule set still contains entries for servers that were decommissioned long ago.
The first sensible step is a printed list of every rule and forwarding, for which you seek a justification line by line. Any line without a justification is switched off and the effect observed. The IT-Check examines from outside which services of your connection are visible on the internet and reviews the rule set on site. Data collection is read-only and causes no interruption to day-to-day operations.
All terms in the knowledge base
Note: This entry reflects the state of knowledge to the best of our understanding and serves as general orientation. It is not legal advice. What counts is always the version currently in force at the responsible body, for example dsb.gv.at, nis.gv.at or enisa.europa.eu.
From the term to practice
Where does your business actually stand?
The IT Check reviews your IT across 8 audit areas with more than 100 individual checks and delivers documented findings with a prioritised action plan. From 1,299 € excl. VAT. The first call takes 20 minutes and carries no charge.