Establish basic perimeter defences

Small and Medium Organizations: Establish basic perimeter defences

Cyber threat actors can exploit networks and devices that connect to the Internet. By using basic perimeter defences, your organization can create safer networks and keep sensitive information safe.

What are examples of basic perimeter defences?

Your organization should use a dedicated firewall. A firewall is a hardware (or software) network security system that monitors and controls the flow of network traffic via a set of security rules. Firewalls sit at the entrances to networks, defending against cyber threats.

Your organization should implement a Domain Name System (DNS) firewall. DNS is the Internet equivalent to a phone book; it translates domain names into Internet protocol (IP) addresses. DNS firewalls can prevent users and devices from connecting to known malicious Internet websites by taking advantage of threat intelligence made available by the cyber security community.

There are additional risks to consider if your organization allows employees to work from outside of the office (i.e. from home or on the road) and connect remotely into a network from the Internet. If allowing employees to work remotely, you should understand the benefits and risks associated with using a virtual private network (VPN) connection. If using a VPN, you should ensure that it uses encryption and two-factor authentication.

Your organization likely uses wireless networks (Wi-Fi) to leverage advantages such as mobility, simplicity, and lower costs. When using Wi-Fi, avoid connecting to public networks. We recommend that you use networks that are secure and provide strong user authentication (i.e. use WPA2 wireless security protocol). If your organization offers public Wi-Fi services for visitors and guests, never connect the public network to your internal network and resources (e.g. printers).

Be sure to segment point-of-sale terminals and financial systems, isolating them from the Internet and other areas of the corporate network via a firewall. Your organization should follow the Payment Card Industry Data Security Standard (PCI DSS), which is an information security standard meant to increase controls around credit cards data and reduce fraud.

Your organization should have security measures to protect its email services. We recommend that you implement Domain-based Message Authentication, Reporting and Conformance (DMARC). DMARC is an email authentication, policy, and reporting system that can detect and prevent the forging of a sender’s email address. DMARC also addresses spam and malicious emails.

Recommendations for your organization:

  • Install a dedicated firewall at the boundary between the corporate network and the Internet
  • Implement a DNS firewall for outbound DNS requests to the Internet
  • Use secure VPN connectivity with two-factor authentication for all remote access to the corporate network
  • Use secure Wi-Fi for internal networks
  • Avoid connecting publicly accessible Wi-Fi networks to your corporate network
  • Follow the PCI DSS for all point-of-sale terminals
  • Use a firewall to isolate point-of-sale terminals from the Internet and other areas of the corporate network
  • Implement DMARC for email services

For more information:

Date modified: