
Network Security Basics: Protecting Your Perimeter

Learn what firewalls actually do, when you need a VPN, and how network segmentation protects critical systems - explained in business terms.

Last updated: January 26, 2026

Pro-Owner perspective: This document frames your systems as a technical estate — an asset to be stewarded, documented, and bequeathed. Treat these steps as craftsmanship: protect the continuity, auditability, and transferability of your digital legacy.


The 60-second version

Network security is about controlling who can talk to what. Firewalls block unwanted traffic. VPNs encrypt connections over the internet. Network segmentation isolates critical systems. This article explains the minimum viable network security for small businesses without requiring a networking degree.

What this solves (in real business terms)

Scenario: An employee's laptop gets infected with malware at a coffee shop. They bring it back to the office, connect to the network, and now the malware can see your file system, accounting system, and every other computer on the network.

Without network security controls, one compromised device can reach everything. With proper controls, that laptop is isolated from sensitive systems.

Protection layers:

  1. Firewall: Blocks malicious traffic from the internet
  2. VPN: Encrypts remote access
  3. Segmentation: Separates guest/office/system networks
  4. Monitoring: Alerts on suspicious network activity

What it costs (honest ranges)

Basic protection (small office, 10-20 devices): $500-2K one-time + $100-300/year

  • Business firewall: $300-800
  • VPN included in most firewalls: $0
  • Network segmentation (VLANs): $200-1200 (managed switch)
  • Monitoring: $50-100/month (usually included in firewall)

Mid-range (50 devices, multiple locations): $3K-10K one-time + $500-1K/year

  • Enterprise firewall: $2K-5K
  • Managed switches: $1K-5K
  • VPN licenses: Usually included
  • Network monitoring service: $200-500/month

What can go wrong

1. Treating guest WiFi like office WiFi: "Everyone connects to the same network, it's easier..."

  • Result: A customer's infected laptop can see your accounting system.
  • Prevention: Separate guest network. Different SSID. Different VLAN. No access to internal resources.

2. Opening all ports "to make things work": "We couldn't figure out the right ports so we just allowed everything..."

  • Result: The firewall becomes decoration. Every service is exposed to the internet.
  • Prevention: Start with deny-all. Add rules one by one. Document each.

3. No VPN for remote access: "People just RDP directly to the office system from home..."

  • Result: Login credentials travel over the internet unencrypted and are easy to intercept.
  • Prevention: Mandatory VPN for all remote access. No exceptions.

Vendor questions (copy/paste)

  1. "Can this firewall segment guest, office, and system networks?"
  2. "What's included in the support contract? Can you help configure rules?"
  3. "How many concurrent VPN connections are included?"
  4. "Does this support intrusion detection/prevention (IDS/IPS)?"
  5. "What happens when the firewall needs a firmware update? How long is the downtime?"

Minimum viable implementation

Week 1: Segment networks

  • [ ] Create 3 networks:
    • Guest: Internet only, no internal access
    • Office: Internal resources, email, file system
    • Systems: Critical systems, restricted access
  • [ ] Configure firewall rules:
    • Guest → Internet only
    • Office → Systems (specific services only)
    • Systems → Internet (updates only)

Week 2: Configure firewall

  • [ ] Default policy: Deny all inbound from internet
  • [ ] Allow outbound for web browsing, email
  • [ ] Document all exceptions
  • [ ] Test from outside: Can you access internal services? (Should be no)
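The Week 1 and Week 2 checklist items (three zones, deny-all default, one documented rule per exception) and the "opening all ports" failure above both describe the same policy. The following is an added example, not code from the original article or from any firewall vendor: a small model of that policy that decides whether a flow is allowed and flags "allow all" rules between internal zones. The zone names, port numbers, rule reasons and sample flows are constructed assumptions; a real firewall expresses the same rules in its own configuration language.

```python
"""Added example (not from the original article): a model of the three-zone
firewall policy with a deny-all default. Zones, ports and reasons are assumed."""
from dataclasses import dataclass
from typing import List, Tuple

# Zones from the article (Guest, Office, Systems) plus the Internet itself.
# Every allow rule carries the documentation the article asks for; anything
# not matched by a rule is denied by the default policy.
@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    ports: frozenset  # frozenset() means "any port" on this zone pair
    reason: str


# Constructed rule set following the article's Week 1 rules.
RULES: List[Rule] = [
    Rule("Guest", "Internet", frozenset(), "Guest Wi-Fi gets internet only"),
    Rule("Office", "Internet", frozenset({80, 443, 587, 993}), "Web browsing and email"),
    Rule("Office", "Systems", frozenset({445, 3389}), "File shares and RDP to the accounting server"),
    Rule("Systems", "Internet", frozenset({80, 443}), "Updates only"),
]


def decide(src: str, dst: str, port: int, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Return ("allow", documented reason) or ("deny", "default policy ...")."""
    for r in rules:
        if r.src == src and r.dst == dst and (not r.ports or port in r.ports):
            return "allow", r.reason
    # Nothing matched: this is the deny-all default. Inbound from the Internet
    # to any zone is denied here because no rule lists Internet as a source.
    return "deny", "default policy: not explicitly allowed"


def find_allow_all(rules: List[Rule] = RULES) -> List[Rule]:
    """Flag the 'Allow All' warning sign: any-port rules into an internal zone."""
    return [r for r in rules if not r.ports and r.dst != "Internet"]


if __name__ == "__main__":
    # Constructed flows, including the coffee-shop laptop from the opening scenario.
    for flow in [("Guest", "Systems", 445), ("Office", "Systems", 445),
                 ("Internet", "Office", 3389), ("Systems", "Internet", 25)]:
        verdict, why = decide(*flow)
        print(f"{flow[0]:>8} -> {flow[1]:<8} port {flow[2]:<5} {verdict:<5} ({why})")
    print("allow-all rules into internal zones:", find_allow_all())
```

Running it shows the guest laptop denied from Systems, Office allowed to the file share, inbound RDP from the Internet denied by default, and a non-update port from Systems denied even though the zone pair has a rule. Keeping the reason field mandatory is what turns "document all exceptions" from a checklist item into something the rule set enforces on its own.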

Week 3: Set up VPN

  • [ ] Enable VPN on firewall
  • [ ] Create user accounts
  • [ ] Require strong passwords or certificate auth
  • [ ] Test connection from home/coffee shop
  • [ ] Verify: Office resources are reachable with the VPN on and unreachable with it off

Week 4: Enable monitoring

  • [ ] Configure logging (firewall blocks, VPN connections)
  • [ ] Set up alerts for:
    • Failed VPN login attempts (5+ in 10 minutes)
    • Traffic to known malicious IPs
    • Unusual outbound traffic volumes
  • [ ] Weekly: Review logs for anomalies
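The three Week 4 alerts, as an added example that is not part of the original article: the rules run over a handful of constructed log lines in an assumed key=value format (no real firewall writes exactly this). The "5+ failed VPN logins in 10 minutes" threshold is the article's; the blocklist (TEST-NET documentation addresses, not real indicators) and the outbound-volume threshold are constructed assumptions.

```python
"""Added example (not from the original article): Week 4 alert rules over
constructed VPN/firewall log lines. Log format, blocklist and the byte
threshold are assumptions; the 5-in-10-minutes rule comes from the article."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample log. Burst of VPN failures from one address, one stray
# failure elsewhere, then two allowed outbound connections to a listed address.
SAMPLE_LOG = """\
2026-01-26T08:00:01 vpn auth-fail user=alice src=203.0.113.7
2026-01-26T08:01:10 vpn auth-fail user=alice src=203.0.113.7
2026-01-26T08:02:30 vpn auth-fail user=alice src=203.0.113.7
2026-01-26T08:04:00 vpn auth-fail user=bob src=203.0.113.7
2026-01-26T08:05:45 vpn auth-fail user=carol src=203.0.113.7
2026-01-26T08:20:00 vpn auth-fail user=alice src=198.51.100.9
2026-01-26T08:30:00 vpn auth-ok user=alice src=198.51.100.9
2026-01-26T09:00:00 fw allow src=10.0.20.15 dst=192.0.2.44 dport=443 bytes=1200
2026-01-26T09:00:05 fw allow src=10.0.20.15 dst=192.0.2.44 dport=443 bytes=900
"""

KNOWN_BAD_IPS = {"192.0.2.44"}      # constructed blocklist, documentation range
OUTBOUND_BYTES_THRESHOLD = 2000     # assumed; derive from a real baseline in practice

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>vpn|fw) (?P<event>\S+) (?P<kv>.*)$")


def parse(line: str) -> Dict:
    """Parse one assumed-format line into a dict; return {} for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return {}
    rec = {"ts": datetime.fromisoformat(m["ts"]), "kind": m["kind"], "event": m["event"]}
    rec.update(kv.split("=", 1) for kv in m["kv"].split())
    return rec


def failed_vpn_logins(records: List[Dict], threshold: int = 5,
                      window: timedelta = timedelta(minutes=10)) -> List[tuple]:
    """Alert when one source IP has >= threshold auth failures inside a sliding window.
    Keyed by source IP, not username, so a spray across many users is still caught."""
    recent: Dict[str, deque] = defaultdict(deque)
    alerts = []
    for r in records:
        if r.get("kind") != "vpn" or r.get("event") != "auth-fail":
            continue
        q = recent[r["src"]]
        q.append(r["ts"])
        while q and r["ts"] - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((r["src"], r["ts"]))
            q.clear()                          # one alert per burst, not per extra failure
    return alerts


def traffic_to_known_bad(records: List[Dict], blocklist=KNOWN_BAD_IPS) -> List[tuple]:
    """Any allowed or blocked flow whose destination is on the blocklist."""
    return [(r["src"], r["dst"]) for r in records
            if r.get("kind") == "fw" and r.get("dst") in blocklist]


def unusual_outbound(records: List[Dict], threshold: int = OUTBOUND_BYTES_THRESHOLD) -> Dict[str, int]:
    """Sum outbound bytes per internal source and report those over the threshold."""
    totals: Dict[str, int] = defaultdict(int)
    for r in records:
        if r.get("kind") == "fw" and r.get("event") == "allow":
            totals[r["src"]] += int(r.get("bytes", 0))
    return {src: n for src, n in totals.items() if n > threshold}


def analyze(log_text: str = SAMPLE_LOG) -> Dict:
    """Run all three Week 4 rules over a log and return the findings."""
    records = [r for r in (parse(l) for l in log_text.splitlines()) if r]
    return {"failed_vpn": failed_vpn_logins(records),
            "known_bad": traffic_to_known_bad(records),
            "outbound": unusual_outbound(records)}


if __name__ == "__main__":
    for name, findings in analyze().items():
        print(f"{name}: {findings}")
```

The sliding window is what keeps the rule honest: five failures spread over a working day are noise, five inside ten minutes from one address are an alert. Clearing the window after an alert avoids paging once per additional failure during the same burst, which is the behaviour that makes people mute alerts altogether.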

When to hire help

DIY-friendly if:

  • Single office location
  • Under 20 devices
  • Standard internet connection (no multiple WANs)
  • Basic security needs

Get professional help if:

  • Multiple office locations
  • More than 50 devices
  • Complex applications (VoIP, video conferencing)
  • Compliance requirements (HIPAA, PCI-DSS)
  • Previous security incidents

Warning signs:

  • You don't know what's connected to your network
  • Guest network can access file system
  • No monitoring or logging enabled
  • Firewall rules say "Allow All" everywhere
  • Remote Desktop (RDP) exposed directly to internet


Need Help Implementing This?

If you'd like guidance tailored to your specific infrastructure, we offer focused consultations. No sales pressure, just practical next steps.
