Half of what makes cybersecurity so frustrating is the fact that there is no one-size-fits-all solution to any problem. The other half is that people use words with different meanings all the time.
Network security is the worst - there are many ways to define what a network is, and there are many ways to protect it from outside access. If you are a network or security engineer, I hope the simplifications in the next paragraphs won’t put you off.
What is a network?
Simply put, a network is a group of devices that can share information with each other. The Internet is a network. Your home Wi-Fi is a network. Two computers joined by a cable can be a network.
Companies have devices and applications that run on physical appliances within their network. Smart bulbs, Wi-Fi routers, printers, servers, PCs and laptops all make up this network. Some parts of it may even be connected to the internet, making it part of the wider global network, while some parts may be isolated. Devices don’t even have to be in the same place to be part of the same network - as long as there is a communication channel between them, they can share information; think of a bank with multiple branches across the country, where every computer has access to the same data that is stored on a centralized server.
Generally speaking, the easiest way to secure a network from outside access is to pull out the cable connecting it to the outside world. However, that is not very practical - what if something in your network (such as your employees) needs access to the Internet? Or what if you want people to be able to work from home and still access company resources?
Introducing Firewalls
Firewalls are the first major line of defense in network security, and most people have at least heard the term before. Firewalls are specialized services that let you filter, block and allow incoming and outgoing traffic based on certain rules. Firewalls typically live at the boundaries (or edges) of network areas - which is why you might see people call them Edge Security devices. Firewalls are generally found in two variants: hardware firewalls, which are physical devices installed in your network (Google what the FortiGate 60F looks like); and software firewalls, which run on individual devices (such as laptops or Wi-Fi routers). Good hardware firewalls are usually expensive, and many companies out there rely (often unknowingly) on various types of software firewalls running on their appliances.
In theory, firewalls can be used to block all external connections to the internal network and only let traffic from known employee IP addresses through. However, this is not operationally efficient - employee IPs can change, and traffic arriving from those IPs is not guaranteed to be encrypted.
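To make the “known employee IPs” policy and its weakness concrete, here is a small rule evaluator written for this article (it is an added example, not Blackshell code and not the policy syntax of any real firewall). The rule and packet shapes, the TEST-NET sample addresses and the employee list are all constructed; the evaluation order (first match wins, final default deny for inbound traffic) is the behaviour most packet filters share.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Rule and packet shapes are constructed for this example; real firewalls
# (FortiGate, iptables/nftables) use their own policy syntax.
@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "deny"
    direction: str                    # "in" (from the Internet) or "out"
    source: ipaddress.IPv4Network     # source addresses the rule covers
    dst_port: Optional[int]           # None matches any destination port

@dataclass(frozen=True)
class Packet:
    direction: str
    src_ip: ipaddress.IPv4Address
    dst_port: int

def build_rules(employee_ips: List[str]) -> List[Rule]:
    """Edge policy from the article: only known employee IPs may come in
    (here to the HTTPS port), everything may go out, and anything else
    arriving from outside hits a final default-deny rule."""
    rules = [Rule("allow", "in", ipaddress.ip_network(f"{ip}/32"), 443)
             for ip in employee_ips]
    rules.append(Rule("allow", "out", ipaddress.ip_network("0.0.0.0/0"), None))
    rules.append(Rule("deny", "in", ipaddress.ip_network("0.0.0.0/0"), None))
    return rules

def evaluate(rules: List[Rule], packet: Packet) -> Tuple[str, Optional[Rule]]:
    """First matching rule wins, as in most packet filters; a packet that
    matches nothing is dropped (implicit default deny)."""
    for rule in rules:
        if (rule.direction == packet.direction
                and packet.src_ip in rule.source
                and (rule.dst_port is None or rule.dst_port == packet.dst_port)):
            return rule.action, rule
    return "deny", None

# Constructed sample: two employees on documentation (TEST-NET) addresses.
EMPLOYEE_IPS = ["203.0.113.10", "203.0.113.11"]
RULES = build_rules(EMPLOYEE_IPS)

def decide(direction: str, src_ip: str, dst_port: int) -> str:
    """Convenience wrapper: the verdict for one packet under the sample policy."""
    return evaluate(RULES, Packet(direction, ipaddress.ip_address(src_ip), dst_port))[0]

if __name__ == "__main__":
    samples = [
        ("in", "203.0.113.10", 443),   # known employee, HTTPS: allowed
        ("in", "203.0.113.10", 22),    # same employee, SSH: not in the policy, denied
        ("in", "203.0.113.77", 443),   # employee's ISP handed out a new address: denied
        ("in", "198.51.100.9", 443),   # unknown outside host: denied
        ("out", "10.0.0.20", 443),     # internal host browsing the web: allowed
    ]
    for direction, ip, port in samples:
        print(f"{direction:>3} {ip:>14}:{port:<4} -> {decide(direction, ip, port)}")
```

The third sample is the operational problem the paragraph describes: the moment an employee’s address changes, the allow rule no longer matches and the default deny locks them out, so someone has to edit the policy. Nothing in the rule says anything about encryption either; an allowed packet is allowed whether or not its payload is protected.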
VPNs to the rescue
Virtual Private Networks create a secure communication channel (a virtual, private, network) between your device and another device that is part of the same or different network. When people talk about VPNs outside of work, they typically refer to B2C digital privacy VPNs such as ExpressVPN, NordVPN or Proton. While the underlying technologies are almost the same, the way they work is very different:
- B2C VPNs are used to keep you anonymous; B2B VPNs don’t hide your identity from your employer, only from external parties
- B2C VPNs keep your traffic private; B2B VPNs often monitor and record your traffic, making it available to your employer
- both B2C and B2B VPNs provide data secrecy through advanced use of encryption
When using a VPN, your encrypted data is sent from your device to the VPN server. The VPN server decrypts the data, forwards it to the destination, encrypts the response and sends it back to you. In B2B scenarios, the destination is, usually, a resource within your company’s protected network. Sometimes, the network sits behind a firewall which blocks all requests except the ones coming from the VPN server. Other times, the server is inside the network - so connecting to the server essentially makes you part of the infrastructure.
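The round trip just described (client encrypts, VPN server decrypts and forwards with its own address, the edge only admits the VPN server, and the employer can log what went through) is modelled below. This is an added example for the article, not Stingray or any other product’s code: the addresses are TEST-NET placeholders, the shared key is hard-coded instead of coming from a handshake, and the HMAC-based cipher is a dependency-free stand-in for the authenticated encryption a real protocol negotiates.

```python
import hashlib
import hmac
import json
import os
from typing import Optional

# All addresses and the key are constructed for this example (TEST-NET ranges).
EMPLOYEE_IP = "203.0.113.10"    # the employee's home connection
VPN_SERVER_IP = "198.51.100.5"  # the company's VPN server
INTERNAL_HOST_IP = "10.0.0.20"  # a file server inside the protected network
TUNNEL_KEY = hashlib.sha256(b"constructed demo key, not a real secret").digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode gives a toy keystream. It stands in for the
    # AEAD a real protocol negotiates (e.g. ChaCha20-Poly1305 in WireGuard)
    # and is only here to keep the example dependency-free.
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with a fresh random nonce: nonce || ciphertext || tag."""
    nonce = os.urandom(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; reject anything modified."""
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("tunnel packet rejected: bad tag (tampered or wrong key)")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

class InternalHost:
    """Resource behind an edge firewall that only admits the VPN server's address."""
    def __init__(self, allowed_sources):
        self.allowed_sources = set(allowed_sources)

    def handle(self, src_ip: str, request: dict) -> Optional[dict]:
        if src_ip not in self.allowed_sources:
            return None                                   # dropped at the edge
        return {"status": 200, "body": f"{request['path']} for {request['user']}"}

class VpnServer:
    """Terminates the tunnel, records the request, forwards it with its own address."""
    def __init__(self, key: bytes, ip: str, host: InternalHost):
        self.key, self.ip, self.host = key, ip, host
        self.audit_log = []   # the B2B point: the employer can see and keep this

    def relay(self, client_ip: str, blob: bytes) -> bytes:
        request = json.loads(unseal(self.key, blob))      # decrypt at the server
        self.audit_log.append((client_ip, request["user"], request["path"]))
        reply = self.host.handle(self.ip, request)        # destination sees VPN_SERVER_IP
        return seal(self.key, json.dumps(reply).encode())  # encrypt the response

def via_vpn(server: VpnServer, request: dict) -> Optional[dict]:
    """Client side: encrypt, send through the tunnel, decrypt the reply."""
    blob = seal(TUNNEL_KEY, json.dumps(request).encode())
    return json.loads(unseal(TUNNEL_KEY, server.relay(EMPLOYEE_IP, blob)))

def run_demo() -> dict:
    host = InternalHost(allowed_sources=[VPN_SERVER_IP])
    server = VpnServer(TUNNEL_KEY, VPN_SERVER_IP, host)
    request = {"user": "alice", "path": "/payroll"}
    direct = host.handle(EMPLOYEE_IP, request)   # no tunnel: blocked by the edge rule
    tunneled = via_vpn(server, request)          # same request through the VPN
    return {"direct": direct, "tunneled": tunneled, "audit_log": list(server.audit_log)}

def tamper_is_detected() -> bool:
    """A single flipped ciphertext bit must make the receiver drop the packet."""
    blob = bytearray(seal(TUNNEL_KEY, b'{"user": "alice", "path": "/wiki"}'))
    blob[20] ^= 0x01                               # index 20 lies inside the ciphertext
    try:
        unseal(TUNNEL_KEY, bytes(blob))
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    result = run_demo()
    print("direct from home   :", result["direct"])
    print("through the tunnel :", result["tunneled"])
    print("what the employer logged:", result["audit_log"])
    print("tampering detected :", tamper_is_detected())
```

Two things are worth noticing in the output. The direct request returns nothing because the internal host’s edge rule only knows the VPN server’s address, so the employee’s changing home IP never has to appear in any firewall policy. And the server’s audit log is populated in plaintext: the tunnel protects the data on the way to the VPN server, not from the organisation running that server.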
Like firewalls, VPNs are usually shipped as hardware products (Layer 2 VPNs using IPSec - the FortiGate above also offers this) or software products (Layer 3 VPNs using OpenVPN or WireGuard, which are modern VPN protocols). Which one you choose depends on your requirements. Generally speaking, SMEs want to avoid the complex infrastructure and prohibitive pricing of hardware products, so managed software VPNs are the way to go. Stingray, the network security product we sell at Blackshell, does just that. Other good options include NordLayer, GoodAccess or Tailscale.
We will discuss different types of VPNs in a future article. Now, let’s move on to Zero Trust.
Don’t trust and verify
Zero Trust is not a product, but a set of principles applied across security. However, companies use it as a buzz word to advertise various types of products that follow those principles, and this is where the meaning of the term gets blurry.
The main idea behind Zero Trust is that any person, service, application or request should be distrusted by default, until they verify their identity. When discussing VPNs and firewalls, you might have noticed one of the underlying assumptions of traditional network security: once you are inside the network, you are trusted; a lot of effort is put into verifying your identity before granting you access, but that’s where the checks stop.
Zero Trust is like a high-security building where everyone needs to prove their identity and authorization at every door, even if they're already inside. Any request coming from inside or outside of the network must pass through an authentication mechanism. One practical example of this is the Zero Trust Gateway service that we offer as part of our network security solution at Blackshell. The gateway sits in front of all internal services and requires authentication (via username and password + MFA, access tokens or third-party SSO integrations) and, sometimes, device posture checking, which verifies that the device you are connecting from is configured in an appropriate manner (e.g. its antivirus software is on, full disk encryption is on). Once your user has been authenticated, a further authorization step checks whether that user may access the resource you are requesting. If the answer is yes, the gateway will redirect you to the resource.
Unlike a VPN, such Zero Trust gateways do not offer encryption themselves. However, when used over HTTPS, they are an efficient alternative for environments where real-time authorization and granular access mapping are desired.
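The decision the gateway makes on each request (authenticate, check device posture, authorize against the resource, then redirect) can be written out as a short policy function. The code below is an added illustration for this article, not the Blackshell gateway’s implementation: the session store, the access map, the posture fields and the timestamps are all constructed, and a real deployment would validate tokens against the identity provider instead of a dictionary.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Constructed session store: the gateway would normally validate tokens against
# the identity provider (password + MFA, access tokens or an SSO integration).
SESSIONS: Dict[str, dict] = {
    "tok-alice": {"user": "alice", "mfa": True,  "expires": 1_700_003_600},
    "tok-bob":   {"user": "bob",   "mfa": True,  "expires": 1_700_003_600},
    "tok-carol": {"user": "carol", "mfa": False, "expires": 1_700_003_600},  # no MFA
}

# Constructed authorization map: which resources each user may reach.
ACCESS_MAP: Dict[str, Set[str]] = {
    "alice": {"/wiki", "/payroll"},
    "bob":   {"/wiki"},
    "carol": {"/wiki"},
}

# Device posture the gateway insists on, mirroring the article's examples.
POSTURE_REQUIREMENTS = {"antivirus_on": True, "disk_encrypted": True}

NOW = 1_700_000_000   # constructed "current time" so the example is deterministic

@dataclass(frozen=True)
class Request:
    token: str
    resource: str
    device: dict          # posture report from the endpoint agent (constructed)
    source: str           # "internal" or "external"; deliberately not used below

def authenticate(token: str, now: int) -> Optional[str]:
    """Return the user behind a live, MFA-backed session, or None."""
    session = SESSIONS.get(token)
    if session is None or session["expires"] <= now or not session["mfa"]:
        return None
    return session["user"]

def posture_ok(device: dict) -> bool:
    """Every required posture field must be present and set as required."""
    return all(device.get(k) == v for k, v in POSTURE_REQUIREMENTS.items())

def authorize(user: str, resource: str) -> bool:
    return resource in ACCESS_MAP.get(user, set())

def gateway(req: Request, now: int = NOW) -> Tuple[str, str]:
    """Same checks for every request; req.source never shortcuts them,
    which is the difference from the 'inside the network equals trusted' model."""
    user = authenticate(req.token, now)
    if user is None:
        return "deny", "authentication failed (unknown, expired or MFA-less session)"
    if not posture_ok(req.device):
        return "deny", f"device posture check failed for {user}"
    if not authorize(user, req.resource):
        return "deny", f"{user} is not authorized for {req.resource}"
    return "allow", f"redirect {user} to {req.resource}"

GOOD_DEVICE = {"antivirus_on": True, "disk_encrypted": True}
BAD_DEVICE = {"antivirus_on": False, "disk_encrypted": True}

if __name__ == "__main__":
    cases = [
        Request("tok-alice", "/payroll", GOOD_DEVICE, "external"),  # allow
        Request("tok-bob",   "/payroll", GOOD_DEVICE, "internal"),  # deny: not authorized
        Request("tok-carol", "/wiki",    GOOD_DEVICE, "internal"),  # deny: no MFA
        Request("tok-alice", "/wiki",    BAD_DEVICE,  "external"),  # deny: posture
        Request("tok-mallory", "/wiki",  GOOD_DEVICE, "internal"),  # deny: unknown token
    ]
    for req in cases:
        print(req.token, req.resource, req.source, "->", gateway(req))
```

Note that the second case is an internal request with a valid session and a healthy device that is still refused: the authorization step is evaluated on every request, and being inside the network buys nothing on its own. Passing the time in as a parameter keeps the expiry check testable; in production it would simply be the clock.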
There are countless products out there that adhere to the Zero Trust philosophy, and many B2B VPNs are built on top of such architectures. Picking the right one will come down to budget and requirements.
So, which one do I need?
If you are a small to medium company, you probably need a software-based VPN that also provides the right security and monitoring add-ons (such as revoking user access, automatic certificate management, traffic logging etc.).
If you are a large company, you probably want a software- or hardware-based Firewall + VPN, along with the right Zero Trust agent for sensitive company services. This only makes sense once your infrastructure can support it, which is why I wouldn’t recommend it to a small customer (unless they’re extremely tech-savvy and already rely heavily on digital services and cloud-based tools).
If you just want to watch Netflix, any of the big B2C providers will do.