Firewalls, Wi-Fi, and Network Segmentation
Firewalls, Wi-Fi, and Network Segmentation

Photo by Jakub Zerdzicki on Pexels
Your network is the road system of your business. Every device, every user, every attacker travels on it. Network security is about controlling who gets on the road and where they can go.
Firewalls: Your First Line of Defense
A firewall is a device or software that controls traffic between your network and the internet. It examines every connection and decides whether to allow or block it based on rules. Every business needs a firewall — not just the one built into Windows, but a dedicated firewall at the network edge.
Types of Firewalls
- Hardware firewall (recommended) — A physical device between your network and the internet. Brands like Netgate (pfSense), Fortinet, and SonicWall provide business-grade protection. They can inspect traffic, block known threats, and log activity. Cost: $200-$2,000 depending on features.
- Software firewall — Built into the operating system (Windows Defender Firewall). Good for individual computers but does not protect the entire network.
- Cloud firewall — Hosted in the cloud, filters traffic before it reaches your network. Good for remote workers. Examples: Cloudflare, Zscaler.
Firewall Rules Every Small Business Should Have
- Block all inbound connections by default — Only allow what you specifically need
- Block RDP (Remote Desktop) from the internet — Port 3389 should never be exposed. Use VPN + RDP instead
- Enable intrusion detection/prevention (IDS/IPS) — Automatically blocks known attack patterns
- Enable DNS filtering — Blocks connections to known malicious websites at the DNS level
- Log all traffic — You need logs to investigate incidents. Logs should be retained for at least 90 days
Wi-Fi Security
Wi-Fi is the most common way attackers get into small business networks. An open or poorly secured Wi-Fi network is an open door.
Wi-Fi Security Checklist
- Change the default admin password — Every router comes with a default password like "admin" or "password". Change it immediately. Use a 20+ character password stored in a password manager
- Use WPA3 encryption — WPA3 is the current standard. If your devices do not support WPA3, use WPA2. Never use WEP (broken since 2004) or WPA (compromised)
- Disable WPS — Wi-Fi Protected Setup has a known vulnerability that allows brute-force attacks on the PIN. Disable it in your router settings
- Hide the SSID — Do not broadcast your network name. This does not make you invisible but removes you from casual scans
- Use a strong Wi-Fi password — 20+ characters. Not your business name, not your phone number, not "password123"
Network Segmentation
Network segmentation divides your network into separate zones. If one zone is compromised, the attacker cannot easily reach the others. Think of it as fire doors in a building — a fire in one room does not burn down the whole building.
Minimum Segmentation for Small Business
- Business network — Company computers, servers, printers. Where your real work happens
- Guest network — For visitors, personal devices, IoT devices. Isolated from your business network
- Management network — For router, firewall, switch administration. Only accessible by IT staff
Most business-grade routers support VLANs (Virtual LANs) to create these zones. If your router does not support VLANs, use a separate router for guest Wi-Fi.
Securing Remote Access
Remote access is how employees connect to the office from home or while traveling. It is also how attackers try to get in.
VPN (Virtual Private Network)
Creates an encrypted tunnel between the remote computer and your office network. The employee can access office resources as if they were physically there. Use a VPN for all remote access — never expose services directly to the internet.
Recommended VPN solutions:
- WireGuard / OpenVPN on pfSense — Free, open-source, runs on your existing firewall
- Tailscale — Free for up to 100 devices, zero-configuration mesh VPN, excellent for small teams
- Cloudflare Tunnel — Free, no open ports needed, good for exposing specific services securely
The RDP Warning
Remote Desktop Protocol (RDP) is a common way to access a remote computer. But RDP exposed directly to the internet (port 3389) is the number one way ransomware enters small business networks. Attackers scan the internet for open RDP ports and brute-force the password. If you use RDP:
- Never expose it directly to the internet
- Always put it behind a VPN
- Require MFA for RDP access
- Use strong passwords (20+ characters) for all RDP accounts
- Limit RDP to specific IP addresses if possible
DNS Filtering: The Underrated Defense
DNS filtering blocks access to malicious websites at the DNS level. When a computer tries to visit a known phishing or malware site, the DNS filter redirects it to a block page. This protects every device on your network without installing any software.
Free and low-cost DNS filtering services:
- Cloudflare Gateway (free tier) — Free DNS filtering for up to 50 users
- Quad9 — Free DNS service that blocks known malicious domains
- OpenDNS Home — Free for home/small office use
- DNSFilter / Control D — Low-cost business DNS filtering ($1-2/user/month)
Key Takeaways
- Every business needs a hardware firewall — not just the one built into Windows
- Never expose RDP to the internet — always use VPN + RDP
- Segment your network: business, guest, and management zones
- Wi-Fi must use WPA2 or WPA3 with a strong password and disabled WPS
- DNS filtering is free, takes 5 minutes to set up, and blocks most malicious websites
Firewalls, Wi-Fi, and Network Segmentation
Your network is the road system of your business. Every device, every user, every attacker travels on it. Network security is about controlling who gets on the road and where they can go.
Firewalls: Your First Line of Defense
A firewall is a device or software that controls traffic between your network and the internet. It examines every connection and decides whether to allow or block it based on rules. Every business needs a firewall — not just the one built into Windows, but a dedicated firewall at the network edge.
Types of Firewalls
- Hardware firewall (recommended) — A physical device between your network and the internet. Brands like Netgate (pfSense), Fortinet, and SonicWall provide business-grade protection. They can inspect traffic, block known threats, and log activity. Cost: $200-$2,000 depending on features.
- Software firewall — Built into the operating system (Windows Defender Firewall). Good for individual computers but does not protect the entire network.
- Cloud firewall — Hosted in the cloud, filters traffic before it reaches your network. Good for remote workers. Examples: Cloudflare, Zscaler.
Firewall Rules Every Small Business Should Have
- Block all inbound connections by default — Only allow what you specifically need
- Block RDP (Remote Desktop) from the internet — Port 3389 should never be exposed. Use VPN + RDP instead
- Enable intrusion detection/prevention (IDS/IPS) — Automatically blocks known attack patterns
- Enable DNS filtering — Blocks connections to known malicious websites at the DNS level
- Log all traffic — You need logs to investigate incidents. Logs should be retained for at least 90 days
Wi-Fi Security
Wi-Fi is the most common way attackers get into small business networks. An open or poorly secured Wi-Fi network is an open door.
Wi-Fi Security Checklist
- Change the default admin password — Every router comes with a default password like "admin" or "password". Change it immediately. Use a 20+ character password stored in a password manager
- Use WPA3 encryption — WPA3 is the current standard. If your devices do not support WPA3, use WPA2. Never use WEP (broken since 2004) or WPA (compromised)
- Disable WPS — Wi-Fi Protected Setup has a known vulnerability that allows brute-force attacks on the PIN. Disable it in your router settings
- Hide the SSID — Do not broadcast your network name. This does not make you invisible but removes you from casual scans
- Use a strong Wi-Fi password — 20+ characters. Not your business name, not your phone number, not "password123"
Network Segmentation
Network segmentation divides your network into separate zones. If one zone is compromised, the attacker cannot easily reach the others. Think of it as fire doors in a building — a fire in one room does not burn down the whole building.
Minimum Segmentation for Small Business
- Business network — Company computers, servers, printers. Where your real work happens
- Guest network — For visitors, personal devices, IoT devices. Isolated from your business network
- Management network — For router, firewall, switch administration. Only accessible by IT staff
Most business-grade routers support VLANs (Virtual LANs) to create these zones. If your router does not support VLANs, use a separate router for guest Wi-Fi.
Securing Remote Access
Remote access is how employees connect to the office from home or while traveling. It is also how attackers try to get in.
VPN (Virtual Private Network)
Creates an encrypted tunnel between the remote computer and your office network. The employee can access office resources as if they were physically there. Use a VPN for all remote access — never expose services directly to the internet.
Recommended VPN solutions:
- WireGuard / OpenVPN on pfSense — Free, open-source, runs on your existing firewall
- Tailscale — Free for up to 100 devices, zero-configuration mesh VPN, excellent for small teams
- Cloudflare Tunnel — Free, no open ports needed, good for exposing specific services securely
The RDP Warning
Remote Desktop Protocol (RDP) is a common way to access a remote computer. But RDP exposed directly to the internet (port 3389) is the number one way ransomware enters small business networks. Attackers scan the internet for open RDP ports and brute-force the password. If you use RDP:
- Never expose it directly to the internet
- Always put it behind a VPN
- Require MFA for RDP access
- Use strong passwords (20+ characters) for all RDP accounts
- Limit RDP to specific IP addresses if possible
DNS Filtering: The Underrated Defense
DNS filtering blocks access to malicious websites at the DNS level. When a computer tries to visit a known phishing or malware site, the DNS filter redirects it to a block page. This protects every device on your network without installing any software.
Free and low-cost DNS filtering services:
- Cloudflare Gateway (free tier) — Free DNS filtering for up to 50 users
- Quad9 — Free DNS service that blocks known malicious domains
- OpenDNS Home — Free for home/small office use
- DNSFilter / Control D — Low-cost business DNS filtering ($1-2/user/month)
Key Takeaways
- Every business needs a hardware firewall — not just the one built into Windows
- Never expose RDP to the internet — always use VPN + RDP
- Segment your network: business, guest, and management zones
- Wi-Fi must use WPA2 or WPA3 with a strong password and disabled WPS
- DNS filtering is free, takes 5 minutes to set up, and blocks most malicious websites
There are no comments for now.