Silloway Networks

Understanding Firewalls for Small Office Use

9/11/2018

Original release date: September 10, 2018

When your computer is accessible through an internet connection or Wi-Fi network, it is susceptible to attack. However, you can restrict outside access to your computer—and the information on it—with a firewall.
What do firewalls do?
Firewalls provide protection against outside attackers by shielding your computer or network from malicious or unnecessary network traffic. Firewalls can also prevent malicious software from accessing a computer or network via the internet. Firewalls can be configured to block data from certain locations (i.e., computer network addresses), applications, or ports while allowing relevant and necessary data through. 

What type of firewall is best?
Categories of firewalls include hardware and software. While both have advantages and disadvantages, the decision to use a firewall is more important than deciding which type you use.
  • Hardware – Typically called network firewalls, these physical devices are positioned between your computer and the internet (or other network connection). Many vendors and some internet service providers (ISPs) offer integrated small office / home office routers that also include firewall features. Hardware-based firewalls are particularly useful for protecting multiple computers and controlling the network activity that attempts to pass through them. The advantage of hardware-based firewalls is that they provide an additional line of defense against attacks reaching desktop computing systems. The disadvantage is that they are separate devices that require trained professionals to support their configuration and maintenance.
  • Software – Most OSs include a built-in firewall feature that you should enable for added protection, even if you have an external firewall. Firewall software is also available separately from your local computer store, software vendor, or ISP. If you download firewall software from the internet, make sure it is from a reputable source (i.e., an established software vendor or service provider) and offered via a secure site. The advantage of software firewalls is their ability to control the specific network behavior of individual applications on a system. A significant disadvantage of a software firewall is that it is typically located on the same system that is being protected. Being located on the same system can hinder the firewall’s ability to detect and stop malicious activity. Another possible disadvantage of software firewalls is that—if you have a firewall for each computer on a network—you will need to update and manage each computer’s firewall individually.
How do you know what configuration settings to apply?
Most commercially available firewall products, both hardware and software based, come pre-configured and ready to use. Since each firewall is different, you will need to read and understand the documentation that comes with it to determine whether the default firewall settings are sufficient for your needs. This is particularly concerning because the “default” configuration is typically less restrictive, which could make your firewall more susceptible to compromise. Alerts about current malicious activity sometimes include information about restrictions you can implement through your firewall.
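To make the difference between a permissive default and a deliberately restrictive policy concrete, here is an added example (not part of the original tip) that models first-match firewall rule evaluation in Python; the office LAN range 192.168.10.0/24 and both rule sets are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str        # source IP address of an inbound connection attempt
    dst_port: int   # destination port on the protected host
    proto: str      # "tcp" or "udp"

@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    src: str = "0.0.0.0/0"          # source network in CIDR notation; default: anywhere
    proto: Optional[str] = None     # None matches any protocol
    dst_port: Optional[int] = None  # None matches any port

    def matches(self, pkt: Packet) -> bool:
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        return self.dst_port is None or self.dst_port == pkt.dst_port

def evaluate(rules: List[Rule], default: str, pkt: Packet) -> str:
    """First matching rule wins; when nothing matches, the default policy decides."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default

# Vendor-style "default" policy (constructed): one known-bad port is blocked and
# everything else, from any address, is implicitly allowed.
PERMISSIVE_RULES = [Rule("deny", proto="tcp", dst_port=23)]
PERMISSIVE_DEFAULT = "allow"

# Hardened small-office policy (constructed): only the office LAN (assumed to be
# 192.168.10.0/24) may reach file sharing and DNS; the default of deny exposes nothing else.
HARDENED_RULES = [
    Rule("allow", src="192.168.10.0/24", proto="tcp", dst_port=445),
    Rule("allow", src="192.168.10.0/24", proto="udp", dst_port=53),
]
HARDENED_DEFAULT = "deny"

def compare(pkt: Packet) -> Tuple[str, str]:
    """Return (verdict under the permissive policy, verdict under the hardened policy)."""
    return (evaluate(PERMISSIVE_RULES, PERMISSIVE_DEFAULT, pkt),
            evaluate(HARDENED_RULES, HARDENED_DEFAULT, pkt))

if __name__ == "__main__":
    for pkt in (Packet("203.0.113.7", 3389, "tcp"), Packet("192.168.10.25", 445, "tcp")):
        print(pkt, "->", compare(pkt))
```

The same internet-sourced RDP probe is accepted by the permissive policy and dropped by the hardened one, while LAN file-sharing traffic passes both.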
Though properly configured firewalls may effectively block some attacks, do not be lulled into a false sense of security. Firewalls do not guarantee that your computer will not be attacked. Firewalls primarily help protect against malicious traffic, not against malicious programs (i.e., malware), and may not protect you if you accidentally install or run malware on your computer. However, using a firewall in conjunction with other protective measures (e.g., anti-virus software and safe computing practices) will strengthen your resistance to attacks. 

Ask us about our Sophos XG Firewall


Securing Enterprise Wireless

9/4/2018

What is enterprise network security?
Enterprise network security is the protection of a network that connects systems, mainframes, and devices―like smartphones and tablets―within an enterprise. Companies, universities, governments, and other entities use enterprise networks to help connect their users to information and people. As networks grow in size and complexity, security concerns also increase.

What security threats do enterprise wireless networks face?
Unlike wired networks, which have robust security tools—such as firewalls, intrusion prevention systems, content filters, and antivirus and anti-malware detection programs—wireless networks (also called Wi-Fi) provide wireless access points that can be susceptible to infiltration. Because they may lack the same protections as wired networks, wireless networks and devices can fall victim to a variety of attacks designed to gain access to an enterprise network. An attacker could gain access to an organization’s network through a wireless access point to conduct malicious activities—including packet sniffing, creating rogue access points, password theft, and man-in-the-middle attacks. These attacks could hinder network connectivity, slow processes, or even crash the organization’s system. (See Securing Wireless Networks for more information on threats to wireless networks.)

How can you minimize the risks to enterprise Wi-Fi networks?
Network security protocols have advanced to offset the constant evolution of attacks. Wi-Fi Protected Access 2 (WPA2) incorporates Advanced Encryption Standard (AES) and is the standard employed today to secure wireless enterprises. In June 2018, the Wi-Fi Alliance began certifying devices that support Wi-Fi Protected Access 3 (WPA3), which replaces WPA2. Users should employ the new standards as WPA3 devices become available. IT security professionals and network administrators should also consider these additional best practices to help safeguard their enterprise Wi-Fi networks:
  • Deploy a wireless intrusion detection system (WIDS) and a wireless intrusion prevention system (WIPS) on every network.
  • Ensure existing equipment is free from known vulnerabilities by updating all software in accordance with developer service pack issuance.
  • Use existing equipment that can be securely configured.
  • Ensure all equipment meets Federal Information Processing Standards (FIPS) 140-2 compliance for encryption.
  • Ensure compliance with the most current National Institute of Standards and Technology (NIST) guidance. (See Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i.)
  • Establish multifactor authentication for access to your network. If this is not possible, consider other secure authentication means beyond a single shared password, such as Active Directory service authentication or an alternative method (e.g., tokens) to create multifactor authentication into your network.
  • Use Extensible Authentication Protocol-Transport Layer Security certificate-based methods (or better) to secure the entire authentication transaction and communication.
  • Use Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP), the AES-based encryption employed by Wi-Fi Protected Access 2 (WPA2) enterprise networks, sparingly. If possible, use more complex encryption technologies that conform to FIPS 140-2 as they are developed and approved.
  • Implement a guest Wi-Fi network that is separate from the main network. Employ routers with multiple Service Set Identifiers (SSIDs) or engage other wireless isolation features to ensure that organizational information is not accessible to guest network traffic.
What else can you do to secure your network?
Employing active WIDS/WIPS enables network administrators to create and enforce wireless security by monitoring, detecting, and mitigating potential risks. Both WIDS and WIPS will detect and automatically disconnect unauthorized devices. WIDS provides the ability to automatically monitor and detect the presence of any unauthorized, rogue access points, while WIPS deploys countermeasures to identified threats. Some common threats mitigated by WIPS are rogue access points, misconfigured access points, client misassociation, unauthorized association, man-in-the-middle attacks, ad-hoc networks, Media Access Control spoofing, honeypot/evil twin attacks, and denial-of-service attacks.
The following list includes best practices to secure WIDS/WIPS sensor networks. Administrators should tailor these practices based on local considerations and applicable compliance requirements. For more in-depth guidance, see A Guide to Securing Networks for Wi-Fi (IEEE 802.11 Family).
  • Use a rogue detection process capability. This capability should detect Wi-Fi access via a rogue client or WAP, regardless of the authentication or encryption techniques used by the offending device (e.g., network address translation, encrypted, soft WAPs).
  • Set the WIDS/WIPS sensors to
    • detect 802.11a/b/g/n/ac devices connected to the wired or wireless network and
    • detect and block multiple WAPs from a single sensor device over multiple wireless channels.
  • Enforce a “no Wi-Fi” policy per subnet and across multiple subnets.
  • Provide at least minimal secure communications between sensor and server, and identify a specific minimum allowable Kbps. The system shall provide automatic classification of clients and WAPs based upon enterprise policy and governance.
  • Provide automated (event-triggered) and scheduled reporting that is customizable.
  • Segment reporting and administration based on enterprise requirements.
  • Produce event logs and live packet captures over the air and display these directly on analyst workstations.
  • Import site drawings for site planning and location tracking requirements.
  • Manually create simple building layouts with auto-scale capability within the application.
  • Place sensors and WAPs electronically on building maps to maintain accurate records of sensor placement and future locations.
  • Have at least four different levels of permissions allowing WIPS administrators to delegate specific view and administrator privileges to other administrators.
  • Meet all applicable standards and, if Federal Government, comply with the Federal Acquisition Regulation.
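As an added example, not from the original guidance or any WIDS/WIPS product, the following Python classifies constructed sensor scan records against an assumed access point inventory and wired MAC table into the classes discussed above (authorized, misconfigured, evil twin, rogue on the LAN, neighbor), regardless of the encryption the offending radio uses. The simplifying assumption that a sanctioned AP's BSSID also appears on its wired port is marked in the code.

```python
import re
from typing import Dict, List

# Constructed inventory of sanctioned access points: BSSID -> (SSID, security mode).
AUTHORIZED = {
    "aa:bb:cc:00:00:01": ("CorpNet", "WPA2-EAP"),
    "aa:bb:cc:00:00:02": ("CorpNet", "WPA2-EAP"),
    "aa:bb:cc:00:00:03": ("Guest", "WPA2-PSK"),
}
# Constructed wired-side MAC table (as exported from the switch). Simplifying
# assumption: an AP's radio BSSID also shows up on its Ethernet port.
WIRED_MACS = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02",
              "aa:bb:cc:00:00:03", "de:ad:be:ef:00:10"}

# Constructed sensor scan records, one observed beacon per line.
SCAN = """\
bssid=aa:bb:cc:00:00:01 ssid=CorpNet chan=6 sec=WPA2-EAP
bssid=aa:bb:cc:00:00:03 ssid=Guest chan=11 sec=OPEN
bssid=12:34:56:78:9a:bc ssid=CorpNet chan=6 sec=OPEN
bssid=de:ad:be:ef:00:10 ssid=PrinterSetup chan=1 sec=WPA2-PSK
bssid=c0:ff:ee:00:00:99 ssid=CoffeeShop chan=1 sec=WPA2-PSK
"""

LINE_RE = re.compile(
    r"bssid=(?P<bssid>[0-9a-f:]{17}) ssid=(?P<ssid>\S*) chan=\d+ sec=(?P<sec>\S+)")

def classify(line: str) -> str:
    """Label one scan record; the encryption in use never exempts a radio from review."""
    m = LINE_RE.search(line)
    if not m:
        return "unparsed"
    bssid, ssid, sec = m["bssid"], m["ssid"], m["sec"]
    if bssid in AUTHORIZED:
        # Sanctioned radio: flag drift in SSID or security mode (e.g. it fell open).
        return "authorized" if AUTHORIZED[bssid] == (ssid, sec) else "misconfigured"
    if ssid in {s for s, _ in AUTHORIZED.values()}:
        return "evil-twin"       # our SSID, advertised by a radio we do not own
    if bssid in WIRED_MACS:
        return "rogue-on-lan"    # unknown radio bridged into the wired network
    return "neighbor"            # unknown SSID, not on our wire: informational only

def triage(scan: str = SCAN) -> Dict[str, List[str]]:
    """Group observed BSSIDs by verdict so the WIPS can act on the risky classes first."""
    report: Dict[str, List[str]] = {}
    for line in scan.splitlines():
        m = LINE_RE.search(line)
        report.setdefault(classify(line), []).append(m["bssid"] if m else line)
    return report

if __name__ == "__main__":
    for verdict, bssids in triage().items():
        print(f"{verdict:13s} {', '.join(bssids)}")
```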

    Author

    Silloway Support Team
