Service · Network Security

Network — Zero Trust, not perimeter trust.

Zero Trust segmentation, firewall and WAF tuning, VPN-to-ZTNA migration, network detection and response. The perimeter walked out the door when remote work shipped.

Who this is for

Companies with on-premise infrastructure (offices, branches, warehouses, distribution centers) that need modern network security — next-gen firewall, segmentation, secure remote access, intrusion detection, network logging. Especially relevant after office consolidation or a multi-site expansion.

Network security program scope

Segmentation review

Current VLANs, subnets, security zones, and east-west traffic mapped. Recommendations against NIST SP 800-207 (Zero Trust Architecture) and CISA Zero Trust Maturity Model.

Firewall + WAF tuning

Fortinet, Palo Alto, Cisco, Cloudflare — depending on your estate. Rule-set rationalization, unused-rule cleanup, geo-blocking review, IDS/IPS signature tuning.

VPN → ZTNA migration

Cloudflare Zero Trust, Zscaler, Netskope, or equivalent. Identity + device posture replacing network-perimeter trust. Phased rollout with rollback path.

Network detection + response

Flow logs, DNS logs, and network telemetry shipped to your SIEM. Anomaly detection rules tuned for your environment. Threat intel feeds aligned to your industry.

Wi-Fi + IoT segmentation

Guest networks isolated from corporate. IoT devices (cameras, printers, HVAC, building management) on their own VLAN with explicit allow-list. Critical for healthcare and manufacturing.

DDoS posture

Cloudflare or AWS Shield review, regional failover plan, runbook for sustained attacks. Pre-incident relationships with provider SOCs.

What this engagement does not cover

Items below sit outside the scope of this service. Some are handled by separate EFROS engagements; others belong with your existing partners or in-house team.

  • Network hardware procurement (you own the equipment)
  • Internet circuit ordering (handled by your telco)
  • On-site cabling and electrical work (handled by your physical infrastructure vendor)
  • Wireless RF survey work (separate engagement when needed)

Security impact

Segmentation between corporate, OT, guest, and IoT removes the flat-network exposure that lets a single compromised endpoint reach the file share, the PoS terminals, and the camera network all at once. NGFW + IDS catch the lateral-movement attempts the endpoint EDR can't see.

Compliance & cyber-insurance relevance

Network segmentation is a core control in PCI-DSS v4.0.1 §1 + §11, HIPAA Security Rule §164.312(e)(1), and IEC 62443 (operational technology). Documented segmentation diagrams come out of the engagement as audit-ready evidence.

Standards and frameworks referenced
  • NIST SP 800-207 (Zero Trust Architecture)
  • CISA Zero Trust Maturity Model
  • CIS Controls v8.1 — Control 12
  • NIST SP 800-41 Rev. 1 (Firewalls)

Standard versions should be verified from the official source before contractual reliance.

Frequently asked

Questions before we start.

Do we really need ZTNA? Our VPN works.

Your VPN works for connectivity. It does not enforce device posture or per-application access. The day a compromised laptop connects, your VPN is the attacker's tunnel into the LAN. ZTNA replaces network-level trust with identity-and-device-level trust.

What about our legacy systems that need flat-network connectivity?

Air-gap, segment, or proxy them. Legacy ICS / OT systems get isolated VLANs with explicit gateway controls. Industrial-protocol awareness (Modbus, BACnet, etc.) is added to the SIEM.

Will tuning the firewall break anything?

Not if done carefully. Audit mode first — logging-only — for 14 days to catch legitimate traffic that current rules allow. Then enforce. Rollback documented for every change.
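The audit-then-enforce step above, as an added example that is not part of the EFROS page or any vendor tooling: rules flagged "unused" by the rationalization pass are retired only if they logged zero hits across a full 14-day logging-only window. The rule IDs, the log line format, and the window dates are constructed assumptions; real NGFW exports differ per vendor.

```python
"""Decide which candidate firewall rules are safe to retire after a logging-only audit."""
from collections import defaultdict
from datetime import date

AUDIT_DAYS = 14  # minimum logging-only window before any rule is removed

# Constructed sample: rule IDs the rule-set review proposed for removal.
CANDIDATE_RULES = {"R-101", "R-204", "R-377", "R-512"}

# Constructed sample hit log, one line per rule match:
# "<YYYY-MM-DD> <rule-id> <src> -> <dst>:<port>"  (format is an assumption)
SAMPLE_LOG = """\
2024-03-01 R-204 10.20.4.17 -> 10.10.0.5:445
2024-03-03 R-204 10.20.4.17 -> 10.10.0.5:445
2024-03-09 R-512 10.30.1.2 -> 172.16.8.9:502
2024-03-14 R-999 10.20.4.3 -> 10.10.0.8:443
"""


def parse_hits(log_text):
    """Return {rule_id: set(dates)} from the constructed log format."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue  # skip blank or malformed lines
        hits[parts[1]].add(date.fromisoformat(parts[0]))
    return hits


def audit_decision(candidates, hits, window_start, window_end, min_days=AUDIT_DAYS):
    """Split candidates into retire/keep.

    A rule with any in-window hit is kept (legitimate traffic depends on it).
    If the window is shorter than min_days, nothing is retired: the audit is
    not finished, so the only safe answer is 'keep everything'.
    """
    start, end = date.fromisoformat(window_start), date.fromisoformat(window_end)
    covered = (end - start).days + 1
    if covered < min_days:
        return {"retire": set(), "keep": set(candidates), "window_ok": False}
    keep = {r for r in candidates
            if any(start <= d <= end for d in hits.get(r, ()))}
    return {"retire": set(candidates) - keep, "keep": keep, "window_ok": True}


if __name__ == "__main__":
    result = audit_decision(CANDIDATE_RULES, parse_hits(SAMPLE_LOG),
                            "2024-03-01", "2024-03-14")
    print(result)  # R-204 and R-512 are kept; R-101 and R-377 may be retired
```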

Start with your domain.

Free passive external assessment. 60 seconds. No signup to start.