Skip to main content
Firewall Management

Managed firewall protection, managed for you.

Firewall rule reviews, access control, and 24/7 monitoring across your on-premises and cloud environments without managing it in-house.

24/7
Network monitoring
NGFW
Managed firewall tech
100%
Managed & maintained
What's included

A complete service, run by people.

Threat filtering

Firewall controls with deep packet inspection and current threat intelligence.

Access control

Granular control over network traffic with customizable security policies for every user and device.

Network segmentation

Network partitioning to contain threats and prevent lateral movement across your environment.

Cloud firewall coverage

Consistent policy across on-premises infrastructure and cloud environments.

Real-time monitoring

24/7 network visibility with instant threat detection and alerts before damage occurs.

Performance optimization

Traffic shaping and optimization so security never becomes a bottleneck.

Zero Trust

Moving from perimeter security to zero trust network access

The traditional perimeter security model assumed that everything inside your network was trustworthy and everything outside was not. Firewalls were deployed at the network edge to enforce this boundary: traffic originating inside the network flowed freely, while traffic from outside was inspected, filtered, or blocked. This model worked reasonably well when "inside the network" meant a building with a wired LAN and "outside" meant the public internet. It does not work for organizations where employees connect from home networks, coffee shops, and hotel Wi-Fi; where applications run in AWS and Microsoft Azure rather than on-premises servers; and where supply chain vendors require remote access to internal systems. For Canadian SMBs in 2024, the perimeter is everywhere and nowhere simultaneously.

Zero Trust Network Access (ZTNA) is an architecture principle, not a product. It asserts that no connection — regardless of source IP, network segment, or VPN status — should be granted implicit trust. Every access request must be authenticated, authorized, and continuously validated based on the identity of the user, the health state of the device, the sensitivity of the resource being accessed, and the risk context of the request. The practical expression of ZTNA for an SMB is a set of specific controls: multi-factor authentication on all remote access, device health checks before network admission, microsegmentation to limit lateral movement, and granular application-level access policies that replace "VPN in, access everything" architectures.

Managed firewall services fit into a zero trust strategy as the network enforcement layer — the component that implements and maintains the segmentation policies, ingress/egress rules, and VPN configurations that give the architecture its teeth. A zero trust strategy that lacks coherent network policy enforcement becomes a collection of identity controls with no network backstop: an attacker who compromises valid credentials can still move laterally across a flat network without encountering any additional access challenge. Managed firewall services ensure that network policy keeps pace with changes in the environment — new cloud workloads, new remote users, new IoT devices — rather than drifting toward permissiveness as IT changes accumulate without corresponding security updates.

For SMBs, the practical path to zero trust is incremental. No organization replaces its entire network architecture at once. The realistic starting point is: enforce MFA on all remote access (VPN and direct application access), implement network segmentation to isolate user workstations from servers and IoT from corporate systems, require device health attestation before granting VPN access, and establish logging sufficient to reconstruct any access event. These four changes, executed systematically by a managed firewall provider, represent the majority of the risk reduction available from a full zero trust implementation at a fraction of the cost of a ground-up architecture replacement.

Scope

What managed firewall covers — and what it doesn't

Managed firewall is a defined scope of service. Understanding what is and is not included prevents both over-reliance on firewall management as a complete security solution and confusion about incident ownership during a response. The scope below applies to Quantm's standard managed firewall engagement.

In scope
  • 24/7 monitoring of firewall logs, alert triage, and escalation of confirmed or suspected intrusion attempts, policy violations, and anomalous traffic patterns
  • Firewall rule base review and optimization on a defined cadence — identifying overly permissive rules, stale rules for decommissioned systems, and rules that conflict with current segmentation policy
  • VPN configuration management including client certificate rotation, split tunneling policy, and MFA enforcement on VPN authentication for supported platforms
  • Network segmentation design and policy implementation — creating and maintaining VLANs for user, server, IoT, guest, and backup segments with inter-segment access control policies
  • Firmware and software updates for managed firewall appliances, coordinated with change management windows to minimize disruption
  • Threat intelligence feed integration — applying vendor and third-party threat intelligence to block known-malicious IP ranges, command-and-control domains, and exploit kit delivery infrastructure
  • Configuration backup and documentation maintenance — ensuring that current firewall configuration is backed up off-device and that network topology documentation reflects current state
  • Monthly reporting on top traffic sources, blocked threat categories, policy change history, and any incidents requiring client notification
Out of scope
  • Endpoint detection and response (EDR) on workstations and servers — firewall management does not include agents deployed to endpoints, behavioral analysis of endpoint processes, or endpoint isolation actions
  • Email security filtering, anti-phishing, or DMARC/DKIM/SPF configuration — email traffic inspection at the content level is handled by dedicated email security platforms, not the network firewall
  • Cloud workload security within AWS, Azure, or GCP tenants — cloud security groups and network ACLs within cloud environments require cloud-specific posture management tooling, not on-premises firewall management
  • Application-layer web filtering or proxy services beyond what the managed firewall platform natively supports — dedicated web proxy and DNS security services are separate from firewall management scope
  • Physical network hardware procurement, installation, or cabling — managed firewall covers software configuration of existing or newly purchased hardware; physical deployment and rack-and-stack are separate professional services
  • Security awareness training, phishing simulation, or user behavior controls — network-layer controls cannot compensate for untrained users; these are distinct program components
Network Segmentation

Why network segmentation is the most effective ransomware control an SMB can deploy

Ransomware causes maximum damage through lateral movement: the attacker compromises one endpoint, then traverses the network to encrypt as many systems as possible before triggering the payload. On a flat network — where every device can communicate directly with every other device — this traversal is unconstrained. Segmentation introduces mandatory inspection points between network zones that an attacker must cross, and cannot cross silently. The following items explain what segmentation accomplishes and what segments every SMB should implement.

  • Stops lateral movement at zone boundaries — When workstations, servers, IoT devices, and backup systems are in separate network segments with inter-segment traffic controlled by firewall policy, a compromised workstation cannot directly reach a backup server, a domain controller, or an IoT device. The attacker must either exploit a permitted traffic flow (which leaves a log trail) or breach the firewall policy (which triggers an alert). This directly limits blast radius: even a fully compromised user workstation cannot encrypt your file servers if there is no permitted SMB path between the two segments.
  • User workstation segment — All employee workstations and laptops belong in a dedicated segment that has outbound internet access (with filtering), access to required business applications, and no direct access to server infrastructure except through specific, policy-controlled application ports. Workstation-to-workstation communication within the segment should be disabled — lateral movement between workstations is the primary propagation mechanism for most ransomware strains. Windows Firewall policies applied via Group Policy can enforce host-based isolation within the segment.
  • Server segment — Domain controllers, file servers, application servers, and databases belong in a separate segment with tight ingress controls. Only specific management workstations (IT admin systems) should have administrative access. Business applications should communicate with servers only on the specific ports required. No general workstation traffic should reach this segment directly. This is the segment whose compromise determines whether a ransomware incident is catastrophic (full data loss, domain compromise) or contained (endpoint re-image, no data loss).
  • IoT and OT segment — Network-connected printers, cameras, building access control systems, HVAC controllers, and any other device running non-updatable firmware belong in an isolated segment with no path to user or server segments. IoT devices are consistently the least-patched devices on any network and often run with default or trivially brute-forced credentials. An attacker who compromises an IP camera cannot pivot to your file servers if the camera is in an isolated VLAN with internet-only egress.
  • Guest and BYOD segment — Visitor Wi-Fi and personal devices must be isolated from all corporate infrastructure. This is the most commonly implemented segment because the business requirement is obvious, but it is frequently misconfigured: guest networks with access to corporate printers, or BYOD networks that can reach internal DNS. A properly isolated guest segment has internet-only access, no corporate DNS, and no routing to any internal subnet.
  • Backup segment with one-directional access — Backup infrastructure deserves its own segment with the strictest access controls on the network. Backup agents on servers and workstations should be able to push data to backup targets, but backup targets should have no initiated outbound connections to general network segments. Management access to backup systems should be restricted to a dedicated management VLAN accessible only from specific admin workstations, not from the general IT management network. This configuration ensures that a compromised domain admin account cannot reach backup infrastructure without crossing an additional access control boundary.
  • Measurable risk reduction — The Center for Internet Security (CIS) and NIST both rank network segmentation among the top controls for ransomware risk reduction. Insurers increasingly require documented segmentation as a condition of coverage and use its presence as a rating factor. The implementation cost for a typical SMB environment — VLAN configuration, firewall policy updates, and inter-VLAN routing rules — is days of managed firewall engineering time, not months of infrastructure project work. The risk reduction is immediate and measurable: any ransomware incident on a segmented network is, by definition, limited to the segment where the initial compromise occurred.
Outcomes

What changes after week one.

You'll feel the difference fast fewer alerts, faster response, and a clearer picture of where your real risk lives.

  • Stop lateral movement before attackers reach critical systems
  • Enforce consistent access policies across every segment of your network
  • Pass network security controls for PCI DSS, HIPAA, and ISO 27001
  • Replace ad hoc firewall tweaks with reviewed, managed rule sets
  • Get monthly reports showing blocked threats and policy changes
How it works

From kickoff to coverage in days.

Step 01
Assess

We audit your current firewall rules, gaps, and topology.

Step 02
Deploy

New policies and segmentation applied with zero downtime.

Step 03
Monitor

24/7 traffic monitoring with real-time alerting.

Step 04
Maintain

Ongoing rule reviews, threat intel updates, and quarterly audits.

FAQ

Common questions, answered.

The things buyers ask us most about scope, onboarding, and what you'll see in your monthly report.

Ask us anything

Lock down your network perimeter.

We'll audit your current firewall posture and show you the gaps in a free 30-minute session.