We have 8 users in an SMB setting. We do not have a dedicated IT person on staff, we manage everything ourselves. We haven't had any major security issues thus far.
After quick research, we settled on a FortiGate 40F firewall. Then we looked at the CVEs, and found this:
https://www.cvedetails.com/vulnerability-list/vendor_id-3080/Fortinet.html
Some of them are quite serious. I am not singling out Fortinet here; in fact, we found out that a lot of other vendors are in a similar situation.
We are now asking ourselves whether we will be in a worse situation from a security standpoint, because we will be installing a device, which, if compromised, may allow full access to our network. In other words, by installing a new critical piece of network security equipment, will we actually inadvertently increase our attack surface?
What are the best practices for SMB network hardening? I imagine every business needs different levels of security, but I feel like there should be documented or perhaps even standardized set of guidelines for different scenarios. There is ISO27001, but that does not come with specific recommendations.
Thanks!
Can you manage a hardware firewall yourselves?
If not, it is a bad idea.
Good luck.