Set up cornerstone content and get it ranking in 6 steps

On your site, you’ll probably have a few articles that are most dear to your heart. Articles you desperately want people to read. Articles you want people to find in Google. At Yoast, we call these articles your cornerstone articles. How does the Yoast SEO plugin help you set up a cornerstone content strategy? We’ll tell you all about that in this blog post. Plus, find out how our new SEO workout can make the whole process much easier!

What is a cornerstone content strategy?

Cornerstone content consists of those articles that you’re most proud of, that are most important to you. The posts that make people come back to your site or buy your stuff. The articles that reflect the mission of your company perfectly, and the ones you definitely want to rank highest. In general, cornerstone articles are lengthy, and they tend to be informative.

In a nutshell, a cornerstone content strategy means choosing your best content and channeling the most internal links towards it from other relevant pages on your site.

What does Yoast SEO do with cornerstone content?

There are three aspects to a successful cornerstone content approach:

  • Cornerstone content should be lengthy, well-written, and well-optimized.
  • Cornerstone articles should have a prominent place in your site’s structure.
  • You should keep your cornerstones fresh and up to date.

With the free version of Yoast SEO, you can make use of the cornerstone content toggle, the text link counter, and the cornerstone content analysis to optimize your content and count the number of incoming internal links.

Upgrade to Yoast SEO Premium and you’ll get all of the above, as well as access to our amazing internal linking suggestions tool, the stale cornerstone content filter and our brand-new Internal linking SEO workout!

Why do you need cornerstone content?

Without a doubt, the most common question we are asked is: “how do I make my site rank for keyword X?” What most people don’t realize is that they’re asking the wrong question. You see, sites don’t rank: individual pages rank. If you want to rank for a particular keyword, you’ll need to determine which specific page you want to rank for that keyword.

Adding a keyword to the title of every page is not helpful; you should use a focus keyphrase only once. What also won’t work is writing 200 articles around variations of a keyphrase without giving these a proper linking structure. You need one page that is the center of the content about that topic – a “hub” page if you will. That’s where cornerstone content comes in. But how do you make sure your cornerstone content articles start ranking in the search engines?

To rank with these articles, you need to make sure they’re the best articles you can write. You also need a kickass internal linking structure. Luckily, Yoast is there to help! In this post, we’ll explain just what cornerstone content is and how to rank with these articles. Are you struggling with implementing cornerstone content? Check out our Internal linking SEO workout: the cornerstone approach!

How to set up a cornerstone content strategy with Yoast SEO

Step 1: Choose which pages will be your cornerstones

Your cornerstone content pages will need to be 100% awesome in every way. You need to think about keyword research, headlines, first-class content and more. This article just covers what to do with those pages once they’re created, so if your pages aren’t ready, go and make some now! Not sure where to begin? Check out our detailed post on what type of articles should be your cornerstone content.

Which keywords to target with cornerstone articles?

Your cornerstone articles should be optimized for your most ‘head’ or most competitive keywords. Of course, you should still be realistic when determining these head keywords. But, your internal linking structure will help your cornerstone pages rank (more on that below), which is why these articles should aim to rank for your most competitive keywords.

Positioning that new cornerstone content on your site

Now let’s talk about where to place that content on your site. Important content deserves a place within your core site structure, not a news item or blog post drifting around somewhere. It should be easily found in a few clicks.

This also means you should not create other pages within your site that target the exact same keyword! And you really don’t have to, as there are many ways to use keyword variations for these other pages and use these in your site structure.

Step 2: Mark those pages as cornerstone content using the toggle button

Once you’ve put together a list of the pages that will be your cornerstone content, you need to go to each of those pages and make sure this button is toggled to ‘On’:

Alternatively, you can head straight over to our SEO workout: the cornerstone content approach and take a look at the overview in the first step. If there are any missing that you want to add, just look them up using the search box and click to add them to the list.

Our SEO analysis will help you optimize your blog post for the search engines. For cornerstone content, you have to go the extra mile, so indicating that an article is cornerstone content will make the SEO analysis and the readability analysis a bit more strict. For example, if a post is cornerstone content, we urge you to write at least 900 words, instead of the 300 words for a normal post.

Make sure you use your focus keyphrase enough, mention it in a few headings, and optimize your images. Readability is equally important, though. Our readability analysis helps you to, for instance, use enough headings and to write in short, easy-to-read sentences and paragraphs.


Step 3: Check that all your cornerstone content pages are marked

You’ll want to make sure all of your chosen pages are marked as cornerstone content at this point (otherwise you might need to double back later and redo some steps). It can help you to keep track if you make a note next to each page on your list once you’ve toggled the cornerstone content button to ‘On’.

If you’re a Yoast SEO Premium user you can access our new Internal linking SEO workout and quickly check which pages are marked as ‘cornerstone content’ in the overview provided:

Again, if anything is missing from this overview, you can easily add it using the search box below the list.

You have to link to your cornerstone articles to make them rank high in the search engines. By linking to your favorite articles the most often, you’ll tell Google that these are the ones that are most important. Think of it as a map: big cities have considerably more roads leading towards them than small towns. Those cities are your cornerstones. They should receive the most links. The small towns are your posts on more specific topics. If you build your site structure like this, you won’t be competing with your own content for a place in the search engines.

The text link counter allows you to see all the internal links you’ve put in a post and all internal links to a post from your other pages. This tool provides you with a clear overview of the distribution of your internal links. Make sure to check (and keep checking) if your cornerstone articles receive enough internal links!


If you’re using the Premium Internal linking SEO workout to set up your cornerstone content strategy, you can see all the incoming links of your posts and pages in one simple overview, instead. If any are lacking enough internal links, you can click to add them to the next step of the workout where you will add more.

When you’re adding links to your cornerstones, use the keyword you’re targeting as the anchor text for that link, if possible. But most importantly, link from within the content. Don’t just add some site-wide sidebar/footer links. The reason for this is simple: links from within content are way more valuable than links from sidebars.

In addition to that, you need to make sure that you’re linking to your cornerstones from pages that actually are about related topics. Contextual links are the ones that’ll help you rank. Adding hand-picked, relevant links that are useful for someone visiting your website is the best way of achieving this. Automation will not give you quality results. That means that building a decent linking strategy can be a lot of work, especially if your site is large.

If you use our Premium plugin, you can use our internal linking tool. This tool will make linking suggestions for other posts based on the words you’re using in your post. The posts you’ve marked as cornerstone content articles – as described previously – will always appear on top of our list of suggestions. That way, whenever you’re writing about a specific topic, you’ll find the right cornerstone article to link to.


Using our internal linking tool will remind you to link to your cornerstones whenever you’re writing a new post. As a result, your cornerstones will stay on top of your linking structure. And that’s what they need to get ranking!


Once again, the Internal linking SEO workout can make this step a whole lot easier. We’ve added a tool that shows you your cornerstone articles (with a link you can copy) as well as relevant pages from your site that you can visit to add that link right away!

This means you can manage the whole thing from one page — plus you can immediately see whether you’ve added enough links or not. If you still need more after you’ve added all the relevant suggested links, just refresh the SEO workout and you’ll get more suggestions to add!

Step 6: Monitor and maintain!

Don’t start neglecting your cornerstone content strategy once everything is set up — as you add more pages to your website, you’ll need to keep making sure your cornerstone content is getting enough links. You probably don’t need to check this weekly, but if you leave it for more than a year then your website could change a lot in that time. Keep on top of your links to keep your cornerstone content strategy healthy and effective.

Regularly updating your cornerstone content is important for your cornerstone strategy, too. After all, your cornerstones should be timeless, and therefore, always contain the latest insights. If you have Yoast SEO Premium installed, you’ll have an additional feature to help you keep your cornerstones up to date. The stale cornerstone content filter allows you to see at a glance which of your cornerstones need updating. It works in both your post overview, and your pages overview. Neat, right?

Of course, at Yoast, we practice what we preach, so you’ll find no stale content here 😉

Don’t forget to promote your cornerstone content

If well-written, your cornerstone content should be something to be proud of! Something that others willingly share and thereby also something that will attract links. Don’t be afraid to reach out to other people who have written about related topics: show them what you have created and that it might be worthwhile for their visitors to see. You might even want to offer to write a guest post for them on the topic, linking back to your article.

Cornerstone content strategy made simple with Yoast SEO

The cornerstone content approach is a powerful strategy that channels your internal links toward the content that matters. Your cornerstone articles deserve special attention. They need to be written carefully, to be the most complete and authoritative. They should also be easy to find on your site! Cornerstones need many contextual links pointing towards them to make Google see that they are the most important articles. That’ll make them rank in the search engines. That’ll get them the traffic they’re worthy of!

Our Yoast SEO plugin comes with an array of tools to help you set up and maintain your cornerstone content and your internal links. Upgrade to Yoast SEO Premium and the benefits get even better. Try our Internal linking SEO workout today and give your cornerstone content the treatment it deserves!




Source :
https://yoast.com/how-to-set-up-a-cornerstone-content-strategy-with-yoast-seo/

Turning a Fast Network into a Smart Network with Autopilot

At Fastly we often highlight our powerful POPs and modern architecture when asked how we’re different, and better than the competition. Today we’re excited to give you another peek under the hood at the kind of innovation we can achieve on a modern network that is fully software-defined.

This past February, Fastly delivered a new record of 81.9 Tbps of traffic during the Super Bowl, and absolutely no one had to do anything with egress policies to manage that traffic over the course of the event thanks to Autopilot. Autopilot is our new zero-touch egress traffic engineering automation system, and because it was running, no manual interventions were required even for this record-breaking day of service. This means that for the first time ever at Fastly we set a new traffic record for the Fastly network while reducing the number of people who were needed to manage it. (And we notably reduced that number all the way to zero.) It took a lot of people across different Fastly teams, working incredibly hard, to improve the self-managing capabilities of our network, and the result is a network with complete automation that can react quickly and more frequently to failures, congestion, and performance degradation with zero manual intervention. 

Autopilot brings many benefits to Fastly, but it is even better for our customers who can now be even more confident in our ability to manage events like network provider failures or DDoS attacks and unexpected traffic spikes — all while maintaining a seamless and unimpacted experience for their end users. Let’s look at how we got here, and just how well Autopilot works. (Oh, but if you’re not a customer yet, get in touch or get started with our free tier. This is the network you want to be on.)

Getting to this result required a lot of effort over several years. Exactly three years ago, we shared how we managed the traffic during the 2020 Super Bowl. At that time, an earlier generation of our traffic engineering automation would route traffic around common capacity bottlenecks while requiring operators to deal with only the most complex cases. That approach served us well for the traffic and network footprint we had three years ago, but it still limited our ability to scale our traffic and network footprint because, while we had reduced human involvement, people were still required to deal reactively with capacity. This translates to hiring and onboarding becoming a bottleneck of its own, as we would need to scale the number of network operators at least at the same rate as the expansion of our network. On top of that, while we can prepare and be effective during a planned event like a Super Bowl, human neurophysiology is not always at its peak performance when woken up in the middle of the night to deal with unexpected internet weather events.

Achieving complete automation with Autopilot and Precision Path

The only way forward was to remove humans from the picture entirely. This single improvement allows us to scale easily while also greatly improving our handling of capacity and performance issues. Manual interventions have a cost. They require a human to reason about the problem at hand and make a decision. This cannot be performed infinite times, so that requires us to preserve energy and only act when the problem is large enough to impact customer performance. It also means that when a human-driven action is taken, it normally moves a larger amount of traffic to avoid having to deal with the same issue again soon, and to minimize the amount of human interventions needed. 


With complete automation the cost of making an action is virtually 0, allowing very frequent micro-optimizations whenever small issues occur, or are about to occur. The additional precision and reactivity provided by full automation makes it possible to safely run links at higher utilization and rapidly move traffic around as necessary.


Figure: Egress interface traffic demand over capacity. Multiple interfaces had a demand that exceeded three times the physical capacity available during the Super Bowl, triggering automated traffic engineering overrides, which enabled continued efficient delivery without negative consequences to the network.

The graph above shows an example where Autopilot detected traffic demand exceeding physical link capacity. During the Super Bowl this demand exceeded 3 times the available capacity in some cases. Without Autopilot the peaks in traffic demand would have overwhelmed those links, requiring a lot of human intervention first to prevent failure and then to manage all of the downstream impacts of those interventions in order to get the network operating at top efficiency again. With Autopilot the network deflected traffic onto secondary paths automatically and we were able to deliver the excess demand without any performance degradation.

This post sheds light on the systems we built to scale handling large traffic events without any operator intervention.

Technical problem


Figure – Fastly POP is interconnected to the Internet via multiple peers and transit providers

The Fastly network of Points of Presence (POPs) is distributed across the world. Each POP is “multihomed”, i.e., it is interconnected to the Internet via a number of different networks, which are either peers or transit providers, for capacity and reliability purposes. With multiple routing options available, the challenge is how to select the best available path. We need to ensure that we pick the best performing route (in any given moment), and quickly move traffic away from paths experiencing failures or congestion.

Network providers use a protocol called Border Gateway Protocol (BGP) to exchange information about the reachability of Internet destinations. Fastly consumes BGP updates from its neighbors, and learns which neighbor can be used to deliver traffic to a given destination. However, BGP has several limitations. First, it is not capacity or performance aware: it can only be used to communicate whether an Internet destination can be reached or not, but not whether there is enough capacity to deliver the desired amount of traffic or what the throughput or latency would be for that delivery. Second, BGP is slow at reacting to remote failures: if a failure on a remote path occurs, it typically takes minutes for updates to be propagated, during which time blackholes and loops may occur.

Solving these problems without creating new ones is challenging, especially when operating at the scale of tens of Terabits per second (Tbps) of traffic. In fact, while it is desirable to rapidly route around failures, we need to be careful in those processes as well because rerouting large amounts of traffic erroneously can move traffic away from a well performing path onto a worse performing one and create congestion downstream as a result of our action, resulting in poor user experience. In other words, if decisions are not made carefully, some actions that are taken to reduce congestion will actually increase it instead – sometimes significantly.

Fastly’s solution to the problem is to use two different control systems that operate at different timescales to ensure we rapidly route around failures while keeping traffic on the best-performing paths.

The first system, which operates at a timescale of tens of milliseconds (to make a few round trips), monitors the performance of each TCP connection between Fastly and end users. If the connection fails to make forward progress for a few round trip times it reroutes that individual connection onto alternate paths until it resumes progress. This is the system underlying our Precision Path product for protecting connections between Fastly and end users, and it makes sure we rapidly react to network failures by surgically rerouting individual flows that are experiencing issues on these smaller timescales.

The second system, internally named Autopilot, operates over a longer timescale. Every minute it estimates the residual capacity of our links and the performance of network paths collected via network measurements. It uses that information to ensure traffic is allocated to links in order to optimize performance and prevent links from becoming congested. This system has a slower reaction time, but makes a more informed decision based on several minutes of high resolution network telemetry data. Autopilot ensures that large amounts of traffic can be moved confidently without downstream negative effects.

Working together, these two systems make it possible to rapidly reroute struggling flows onto working paths and to periodically adjust our overall routing configuration with enough data to make safe decisions. These systems operate 24/7 but had a particularly prominent role during the Super Bowl, where they rerouted 300 Gbps and 9 Tbps of traffic respectively, which would otherwise have been delivered over faulty, congested or underperforming paths.

This approach to egress traffic engineering using systems operating at different timescales to balance reactivity, accuracy, and safety of routing decisions is the first of its type in the industry to the best of our knowledge. In the remainder of this blog post, we are going to cover how both systems work but we’ll need to first make a small digression to explain how we route traffic out of our POPs, which is unusual and another approach where we’re also industry leaders.


Figure – Amount of traffic (absolute and percentage of total traffic) delivered by Precision Path and Autopilot respectively during the Super Bowl

Fastly network architecture


Figure – Fastly POP architecture

A typical Fastly POP comprises a layer of servers that are interconnected with all peers and transit providers via a tier of network switches. The typical approach to building an edge cloud POP consists of using network routers, which have a large enough memory to store the entire Internet routing table. In contrast, Fastly started designing a routing architecture that pushed all routes to end hosts in order to build a more cost-effective network, but we quickly realized and embraced the powerful capabilities that this architecture made possible. Endpoints that have visibility into the performance of flows now also have the means to influence their routing. This is one of the key reasons Fastly’s networking capabilities, programmability, flexibility, and ease of use continue to exceed the competition.

Here’s how our routing architecture works: Both switches and servers run routing daemons, which are instances of the BIRD Internet Routing Daemon with some proprietary patches applied to it. The daemons running on switches learn all routes advertised by our transits and peers. However, instead of injecting those routes into the routing table of the switches, they propagate them down to the servers, which then inject them into their own routing tables. To make it possible for servers to then route traffic to the desired transit or peer, we use the Multiprotocol Label Switching (MPLS) protocol. We populate each switch with an entry in its MPLS lookup table (Label Forwarding Information Base [LFIB]) for each egress port, and we tag all BGP route announcements propagated down to the servers with a community encoding the MPLS label that is used to route that traffic. The servers use this information to populate their routing table and use the appropriate label to route traffic out of the POP. We discuss this more at length in a scientific paper we published at USENIX NSDI ’21.

Quickly routing around failures with Precision Path

Our approach of pushing all routes to the servers, giving endpoints the ability to reroute based on transport and application-layer metrics, made it possible to build Precision Path. Precision Path works on a timeframe of tens of milliseconds to reroute individual flows in cases of path failures and severe congestion. It’s great at quickly routing away from failures happening right in the moment, but it is not able to proactively select the best path. Precision Path is good at steering away from trouble, but not at zooming out to get a better overall picture and select an optimized new route. The technology behind our Precision Path product is discussed in this blog post and, more extensively, in this peer-reviewed scientific paper, but here’s a brief explanation.


Figure – Precision path rerouting decision logic for connections being established (left) and connections already established (right).

This system is a Linux kernel patch that monitors the health status of individual TCP connections. When a connection fails to make forward progress for some round trip times (RTTs), indicating a potential path failure, it is rerouted onto a randomly chosen alternate path until it resumes forward progress. These per-flow rerouting decisions are made possible by our host-based routing architecture, in which servers select the routes of outgoing traffic by applying MPLS labels. End hosts can move traffic rapidly at per-flow granularity because they have both visibility into the progress of connections and the means to change network route selection. This system is remarkably effective at rapidly addressing short-lived failures and performance degradation that operators or any other telemetry-driven traffic engineering would be too slow to address. The downside is that it only reacts to severe performance degradation that is already visible in the data plane, and it moves traffic onto randomly selected alternate paths: these avoid the failing path, but they might not be the best available paths.

Making more informed long-term routing decisions with Autopilot

Autopilot complements Precision Path: it does not respond as quickly, but it makes more informed decisions based on knowledge of which paths are able to perform better or are currently less congested. Rather than just moving traffic away from a failed path (like Precision Path), it moves larger amounts of traffic toward better parts of the network. Autopilot has not been presented before today, and we are excited to detail it extensively in this post.

Autopilot is a controller that receives network telemetry signals from our network such as packet samples, link capacity, RTT, packet loss measurements, and availability of routes for each given destination. Every minute, the Autopilot controller collects network telemetry, uses it to project per-egress interface traffic demand without override paths, and makes decisions to reroute traffic onto alternate paths if one or more links are about to reach full capacity or if the currently used path for a given destination is underperforming its alternatives.


Figure – Autopilot architecture diagram

Autopilot’s architecture is comprised of three components (shown above):

  1. A route manager, which peers with each switch within a POP and receives all route updates the switch received from its neighbors over a BGP peering session. The route manager provides an API that allows consumers to know what routes are available for a given destination prefix. The route manager also offers the ability to inject route overrides via its API. This is executed by announcing a BGP route update to the switch with a higher local preference value than routes learned from other peers and transit providers. This new route announcement will win the BGP tie-breaking mechanism and be inserted into servers’ routing tables and used to route traffic.
  2. A telemetry collector, which receives sFlow packet samples from all the switches of a POP, allowing an estimation of the volume of traffic broken down by destination interface and destination prefix. It also receives, from servers, latency and packet loss measurements for all the traffic between Fastly POPs over all available providers.
  3. A controller, which consumes (every minute) the latest telemetry data (traffic volumes and performance) as well as all routes available for the prefixes currently served by the POP, and then computes whether to inject a BGP route override to steer traffic over alternate paths.

Making Precision Path and Autopilot work together

One challenge of having multiple control systems operating on the same inputs and outputs is having them work collaboratively to select the overall best options rather than compete with each other. Trying to select the best option from the limited vantage point of each separate optimization process could actually lead to additional disruption and do more harm than good. To the best of our knowledge, we are the first in the industry using this multi-timescale approach to traffic engineering.

The key challenge here is that once a flow is being rerouted by Precision Path, it no longer responds to BGP routing changes, including those triggered by Autopilot. As a result, Autopilot needs to account for the amount of traffic currently controlled by Precision Path in its decisions. We addressed this problem in two ways: first, by tuning Precision Path to minimize the amount of traffic it reroutes, and second, by making that traffic observable by Autopilot so that it can be factored into Autopilot decisions.

When we first deployed Precision Path, we fine-tuned its configuration to minimize false positives. False positives would result in traffic being rerouted away from an optimal path that is temporarily experiencing a small hiccup, and onto longer paths with worse performance, which could in turn lead to a worse degradation by impacting the performance of affected TCP connections. We reported extensively on our tuning experiments in this paper. However, this is not enough, because even if we make the right decision at the time of rerouting a connection, the originally preferred path may recover a few minutes after the reroute, and this is typically what happens when BGP eventually catches up with the failure and withdraws routes through the failed path. To make sure we reroute connections back onto the preferred path when recovered, Precision Path probes the original path every five minutes after the first reroute, and if the preferred path is functional, it moves the connection back onto it. This mechanism is particularly helpful for long-lived connections, such as video streaming, which would otherwise be stuck on a backup path for their entire lifetime. This also minimizes the amount of traffic that Autopilot cannot control, giving it more room to maneuver.
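The per-flow behaviour described for Precision Path (reroute a stalled connection to a random alternate, then probe the original path every five minutes and move back once it works) can be modelled in user space. This is an added example, not Fastly's kernel patch; the three-RTT stall threshold, the path names, the outage window and the `probe_preferred` callback are assumptions.

```python
"""User-space model of Precision Path's per-flow logic (added example)."""
import random
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

STALL_RTTS = 3               # assumption: the post only says "a few" round trips
PROBE_INTERVAL_MS = 300_000  # from the post: probe the original path every 5 min


@dataclass
class Flow:
    preferred: str            # path chosen by BGP best-path selection
    alternates: List[str]     # other egress paths for the same destination
    rtt_ms: int               # round trip time of this connection
    rng: random.Random = field(default_factory=random.Random)
    path: str = ""
    last_progress_ms: int = 0
    next_probe_ms: Optional[int] = None

    def __post_init__(self) -> None:
        self.path = self.preferred

    def on_progress(self, now_ms: int) -> None:
        """New data was acknowledged: the connection moved forward."""
        self.last_progress_ms = now_ms

    def on_timer(self, now_ms: int, probe_preferred: Callable[[], bool]) -> str:
        """Evaluate the flow at now_ms and return the action taken."""
        rerouted = self.path != self.preferred
        # A rerouted flow periodically tests its original path and returns to
        # it once it works, so it is not stuck on a backup path for life.
        if rerouted and self.next_probe_ms is not None and now_ms >= self.next_probe_ms:
            if probe_preferred():
                self.path, self.next_probe_ms = self.preferred, None
                self.last_progress_ms = now_ms
                return "restored"
            self.next_probe_ms = now_ms + PROBE_INTERVAL_MS
        # No forward progress for a few RTTs: treat as a potential path failure.
        if now_ms - self.last_progress_ms >= STALL_RTTS * self.rtt_ms:
            candidates = [p for p in self.alternates if p != self.path]
            if not candidates:
                return "stalled"
            self.path = self.rng.choice(candidates)  # random, not "best"
            if self.next_probe_ms is None:           # timer starts at first reroute
                self.next_probe_ms = now_ms + PROBE_INTERVAL_MS
            self.last_progress_ms = now_ms           # fresh stall window on new path
            return "rerouted"
        return "ok"


def simulate() -> List[Tuple[int, str, str]]:
    """Constructed scenario: the preferred path is down from 10 s to 200 s."""
    flow = Flow("peer-b", ["transit-a", "transit-c"], rtt_ms=50,
                rng=random.Random(7))

    def preferred_up(t_ms: int) -> bool:
        return not (10_000 <= t_ms < 200_000)

    events = []
    for t in range(0, 400_001, 50):  # one tick per RTT
        # The flow progresses whenever the path it is currently on works;
        # the alternates are assumed healthy throughout.
        if flow.path != flow.preferred or preferred_up(t):
            flow.on_progress(t)
        action = flow.on_timer(t, lambda: preferred_up(t))
        if action != "ok":
            events.append((t, action, flow.path))
    return events


if __name__ == "__main__":
    for event in simulate():
        print(event)
```

In this run the flow stays on the alternate path for almost two minutes after the preferred path has recovered, which is the window during which Autopilot cannot steer it.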

The problem of making the amount of traffic routed by Precision Path visible to Autopilot is trickier. As we discussed earlier in this post, Autopilot learns the volume of traffic sent over each interface from sFlow packet samples emitted by switches. These samples report, among other things, which interface each packet was sent over and which MPLS label it carried, but they do not report any information about how that MPLS label was applied. Our solution was to create a new set of alternate MPLS labels for our egress ports and allocate them for exclusive usage by Precision Path. This way, by looking up an MPLS label in our IP address management database, we can quickly find out if that packet was routed according to BGP path selection or according to Precision Path rerouting. We expose this information to the Autopilot controller, which treats Precision Path traffic as “uncontrollable”, i.e., traffic that will not move away from its current path even if the preferred route for its destination prefix is updated.
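One controller cycle as described above, modelled in Python as an added example that is not Fastly's code: classify sFlow-derived traffic by MPLS label, project per-interface demand without overrides, and plan higher-local-pref overrides for links about to fill. The label plan, capacities, prefixes, the 90% utilisation target, the local-pref value and the largest-prefix-first ordering are assumptions, and the example generalizes by trying each lower-ranked BGP path in turn until one has headroom.

```python
"""Toy model of one Autopilot controller cycle (added example)."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed label plan: every egress port has one label used by BGP-selected
# traffic and one alternate label reserved for Precision Path.
LABEL_DB = {
    1001: ("transit-a", "bgp"), 2001: ("transit-a", "precision_path"),
    1002: ("peer-b", "bgp"),    2002: ("peer-b", "precision_path"),
    1003: ("transit-c", "bgp"), 2003: ("transit-c", "precision_path"),
}
CAPACITY_GBPS = {"transit-a": 100.0, "peer-b": 100.0, "transit-c": 400.0}
# Egress options per prefix, best BGP path first (constructed).
ROUTES = {
    "198.51.100.0/24": ["peer-b", "transit-a", "transit-c"],
    "203.0.113.0/24": ["peer-b", "transit-c"],
    "192.0.2.0/24": ["transit-a", "peer-b", "transit-c"],
}
MAX_UTILISATION = 0.9       # assumed headroom target
OVERRIDE_LOCAL_PREF = 1000  # assumed; only has to beat the learned routes


@dataclass(frozen=True)
class Sample:
    prefix: str
    mpls_label: int
    gbps: float  # volume estimated from sFlow samples over the last minute


# Constructed telemetry for one cycle.
SAMPLES = [
    Sample("198.51.100.0/24", 1002, 60.0),
    Sample("203.0.113.0/24", 1002, 20.0),
    Sample("203.0.113.0/24", 1003, 5.0),   # still on an earlier override path
    Sample("192.0.2.0/24", 1001, 40.0),
    Sample("192.0.2.0/24", 2002, 25.0),    # flows Precision Path moved to peer-b
]


def project_demand(samples):
    """Split traffic into pinned (per interface) and movable (per interface, prefix)."""
    pinned = defaultdict(float)
    movable = defaultdict(float)
    for s in samples:
        iface, owner = LABEL_DB[s.mpls_label]
        if owner == "precision_path":
            # Uncontrollable: stays where it is whatever BGP says.
            pinned[iface] += s.gbps
        else:
            # Projected without overrides: charge it to the BGP best path,
            # not to the interface it happens to be on right now.
            movable[(ROUTES[s.prefix][0], s.prefix)] += s.gbps
    return pinned, movable


def plan_overrides(samples):
    """Return (overrides, projected load per interface after the overrides)."""
    pinned, movable = project_demand(samples)
    load = defaultdict(float, pinned)
    for (iface, _prefix), gbps in movable.items():
        load[iface] += gbps

    overrides = []
    for iface in sorted(CAPACITY_GBPS):
        limit = CAPACITY_GBPS[iface] * MAX_UTILISATION
        # Only BGP-routed prefixes can be steered; try the largest first.
        candidates = sorted(
            ((g, p) for (i, p), g in movable.items() if i == iface), reverse=True)
        for gbps, prefix in candidates:
            if load[iface] <= limit:
                break
            for alt in ROUTES[prefix][1:]:  # next-best paths in BGP order
                if load[alt] + gbps <= CAPACITY_GBPS[alt] * MAX_UTILISATION:
                    load[iface] -= gbps
                    load[alt] += gbps
                    # What the route manager would announce to the switch.
                    overrides.append({"prefix": prefix, "egress": alt,
                                      "local_pref": OVERRIDE_LOCAL_PREF})
                    break
    return overrides, dict(load)


if __name__ == "__main__":
    planned, projected = plan_overrides(SAMPLES)
    print(planned)
    print(projected)
```

With the constructed samples, peer-b is only over its target because of the 25 Gbps pinned there by Precision Path; the same telemetry without those flows produces no override.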

Making automation safe

Customers trust us with their business to occupy a position as a middleman between their services and their users, and we take that responsibility very seriously. While automating network operations allows for a more seamless experience for our customers, we also want to provide assurances of its reliability. We design all our automation with safety and operability at its core. Our systems fail gracefully when issues occur and are built so that network operators can always step in and override their behaviors using routing policy adjustments. The last aspect is particularly important because it allows operators to use tools and techniques learned in environments without automation and apply them here. Minimizing cognitive overhead by successfully automating more and more of the problem is particularly important to reduce the amount of time needed to solve problems when operating under duress. These are some of the approaches we used to make our automation safe and operable:

Standard operator tooling: both Precision Path and Autopilot can be controlled using standard network operator tools and techniques.

Precision Path can be disabled on individual routes by injecting a specific BGP community on an individual route announcement, which is a very common task that network engineers typically perform for a variety of reasons. Precision Path can also be disabled on an individual TCP session by setting a specific forwarding mark on the socket, which makes it possible to run active measurements without Precision Path kicking in and polluting results.

Autopilot route reselection is based on BGP best path selection, i.e., it will try to reroute traffic onto the second best path according to BGP best path selection. As a result, operators can influence which path Autopilot will fail over to by applying BGP policy changes such as altering MED or local pref values, and this is also a very common technique.

Finally, data about whether connections were routed on paths selected by Precision Path or Autopilot is collected by our network telemetry systems, which allows us to reconstruct what happens

Data quality auditing: We audit the quality of data fed into our automation and have configured our systems to avoid executing any change if input data is inconsistent. In the case of Autopilot, for example, we compare egress flow estimation collected via packet samples against an estimation collected via interface counters, and if they diverge beyond a given threshold it means at least one of the estimations must be wrong, and we do not apply any change. The graph below shows the difference between those two estimations during the Super Bowl on one North American POP.

Figure – Difference between link utilization estimates obtained via interface counters and packet samples. The +/- 5% thresholds represent the acceptable margins of error

What-if analysis and control groups: in addition to monitoring input data, we also audit the decisions made by our systems and step in to correct them if they misbehave. Precision Path uses treatment and control groups. We randomly select a small percentage of connections to be part of a control group for which Precision Path is disabled and then monitor their performance compared to the others, where Precision Path is enabled. If control connections perform better than treatment connections, our engineering team is alerted and steps in to investigate and remediate. Similarly, in Autopilot, before deploying a configuration change to our algorithm, we run it in “shadow” mode, where the new algorithm makes decisions but they are not applied to the network. The new algorithm will only be deployed if it performs at least as well as the one that is currently running.

Fail-static: when a failure occurs at any component of our systems, rather than failing close or open, they fail static, i.e., leave the network in the last known working configuration and alert our engineering team to investigate the problem.
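The label lookup, the data quality audit and the fail-static behaviour described above fit together as in the following sketch. It is an added example, not Fastly's code: the label numbers, interface names, sampling rate, prefixes and the `Controller` class are all hypothetical, and the sample data is constructed.

```python
from collections import defaultdict

# Constructed stand-in for the IP address management database: every egress
# interface has one label for BGP-selected traffic and one alternate label
# reserved for Precision Path. Label numbers and interface names are made up.
LABEL_TABLE = {
    100: ("et-1", "bgp"), 1100: ("et-1", "precision_path"),
    200: ("et-2", "bgp"), 1200: ("et-2", "precision_path"),
}
SAMPLING_RATE = 1000  # assumption: one packet in 1000 is sampled
MARGIN = 0.05         # the +/- 5% margin of error shown in the figure


def estimate_from_samples(samples, interval_s):
    """Turn (mpls_label, frame_bytes) samples into bits/s per interface,
    split into BGP-routed and Precision Path ("uncontrollable") traffic."""
    if interval_s <= 0:
        raise ValueError("interval must be positive")
    est = defaultdict(lambda: {"bgp": 0.0, "precision_path": 0.0})
    for label, frame_bytes in samples:
        if label not in LABEL_TABLE:
            raise ValueError(f"unknown MPLS label {label}")
        iface, source = LABEL_TABLE[label]
        est[iface][source] += frame_bytes * 8 * SAMPLING_RATE / interval_s
    return dict(est)


def divergent_interfaces(sample_est, counter_bps):
    """Return interfaces whose sample-based and counter-based estimates
    disagree by more than MARGIN, or for which one input is unusable."""
    bad = []
    for iface in sorted(set(sample_est) | set(counter_bps)):
        sampled = sum(sample_est.get(iface, {}).values())
        counted = counter_bps.get(iface)
        if counted is None or counted < 0:
            bad.append(iface)                 # no usable counter reading
        elif counted == 0:
            if sampled > 0:
                bad.append(iface)             # samples seen on an idle port
        elif abs(sampled - counted) / counted > MARGIN:
            bad.append(iface)
    return bad


class Controller:
    """Applies a proposed prefix-to-interface mapping only when the inputs
    agree; otherwise keeps the last known working one (fail-static)."""

    def __init__(self, config):
        self.config = dict(config)
        self.alerts = []

    def step(self, proposed, samples, counter_bps, interval_s=10):
        try:
            est = estimate_from_samples(samples, interval_s)
            bad = divergent_interfaces(est, counter_bps)
        except ValueError as exc:
            self.alerts.append(f"input error: {exc}")
            return self.config                # fail static
        if bad:
            self.alerts.append(f"estimates diverge on {', '.join(bad)}")
            return self.config                # fail static
        self.config = dict(proposed)
        return self.config


# Constructed inputs: ten seconds of samples and two sets of counter readings.
SAMPLES = [(100, 1500)] * 8 + [(1100, 1500)] * 2 + [(200, 1000)] * 4
GOOD_COUNTERS = {"et-1": 12_300_000, "et-2": 3_200_000}
BAD_COUNTERS = {"et-1": 12_300_000, "et-2": 4_000_000}
CURRENT = {"192.0.2.0/24": "et-1", "198.51.100.0/24": "et-1"}
PROPOSED = {"192.0.2.0/24": "et-1", "198.51.100.0/24": "et-2"}

if __name__ == "__main__":
    ctl = Controller(CURRENT)
    print(ctl.step(PROPOSED, SAMPLES, BAD_COUNTERS), ctl.alerts)
    print(ctl.step(PROPOSED, SAMPLES, GOOD_COUNTERS), ctl.alerts)
```

An unknown label is treated the same way as diverging estimates: the change is withheld and an alert is recorded.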

Conclusions

This blog post is a view into how Fastly automates egress traffic engineering to make sure our customers’ traffic reaches their end users reliably. We continue to innovate and push the boundaries of what is possible while maintaining a focus on performance that is unrivaled. If you are thinking that you want your traffic to be handled by people who are not only experts, but also care this much, now is a great time to get in touch. Or if you’re thinking you want to be a part of innovation like this, check out our open listings here: https://www.fastly.com/about/careers/current-openings.

Open Source Software

The automation built into our network was made possible by open source technology. Open source is a part of Fastly’s heritage — we’re built on it, contribute to it, and open source our own projects whenever we can. What’s more, we’ve committed $50 million in free services to Fast Forward, to give back to the projects that make the internet, and our products, work. To make our large network automation possible, we used: 

  • Kafka – distributed event streaming platform
  • pmacct – sFlow collector
  • goBGP – BGP routing daemon library, used to build the Autopilot route collector/injector
  • BIRD – BGP routing daemon running on our switches and servers.

We did our best to contribute back to the community by submitting to their maintainers improvements and bug fixes that we implemented as part of our work. We are sending our deepest gratitude to the people that created these projects. If you’re an open source maintainer or contributor and would like to explore joining Fast Forward, reach out here

Lorenzo Saino

Director of Engineering

Lorenzo Saino is a director of engineering at Fastly, where he leads the teams responsible for building the systems that control and optimize Fastly’s network infrastructure. During his tenure at Fastly, he built systems solving problems related to load balancing, distributed health checking, routing resilience, traffic engineering and network telemetry. Before joining Fastly he received a PhD from University College London. His thesis investigated design issues in networked caching systems.

Jeremiah Millay

Principal Network Engineer

Jeremiah Millay is a Principal Engineer on the Network Systems team at Fastly where he spends most of his time focused on network automation and writing software with the goal of improving network operations at Fastly. Prior to Fastly he spent a number of years as a Network Engineer for various regional internet service providers.

Paolo Alvarado

Senior Manager of Technical Operations

Paolo Alvarado is a Senior Manager of Technical Operations at Fastly. Paolo has over 10 years of experience working with content delivery networks in customer-facing and behind-the-scenes roles. Paolo joined Fastly to help build out the Fastly Tokyo office before moving into network operations. Currently, he manages a team of Network and System Operation engineers to meet the challenges of building and running a large scale network.

Hossein Lotfi

VP of Engineering leading Network Systems Organization

Hossein Lotfi is VP of Engineering leading Network Systems Organization at Fastly. Hossein has over 20 years of experience building networks and large-scale systems ranging from startups to hyper-scale cloud infrastructure. He has scaled multiple engineering organizations geared towards rapid, novel innovation development and innovations that are informed and inspired by deep involvement with the operational challenges of global scale systems. At Fastly, Hossein is responsible for building reliable, cost-effective, and low-latency systems to connect Fastly with end-users and customer infrastructures. The Network Systems Organization teams include Kernel, DataPath (XDP), L7 Load Balancing, TLS Termination, DDoS Defence, Network Architecture, Network Modeling and Provisioning Systems, Traffic Engineering, Network Telemetry, DNS, Hardware Engineering, Pre-Production Testing and Fastly’s Edge Delivery platform.

Source :
https://www.fastly.com/blog/turning-a-fast-network-into-a-smart-network-with-autopilot

Wordfence 7.10.0 Released!

Mark Maunder
June 21, 2023

Wordfence remains the number one security plugin of choice for website owners serious about protecting their investment and their customers. Our Threat Intelligence team and engineering team stay abreast of the newest threats and ensure that Wordfence is able to protect against them. But keeping a product like Wordfence ahead of the pack requires that we maintain and improve many other aspects of the product including performance, internationalization, the user interface, and that we continue to add improvements and bug fixes as they’re discovered.

Wordfence 7.10.0 has just been released and incorporates many of those ongoing improvements, like improving the ability to internationalize Wordfence messages that are customer facing, clarifying messages around plugins that have been removed from the repository, and even recognizing the Prespa Accord, which resolved a decades-long dispute over the name of the Republic of North Macedonia.

A huge thanks and congrats to the entire engineering team at Wordfence for this latest release, Wordfence 7.10.0. I think you’ll find many features you’ve been asking for, or looking forward to, are included in Wordfence 7.10.0. You can find the details of what is included in this release, below.

Wordfence 7.10.0 Changes

Several improvements were made for translations:

  • Improvement: Added translation support for strings from login security plugin
  • Improvement: Added translator notes regarding word order and hidden text
  • Improvement: Added translation support for additional strings
  • Change: Moved translation file from .po to .pot

These changes implement the translation of strings for the Login Security module which could not be translated previously, add more context for translators in several areas, and allow translation of the remaining text that was not translatable before. Some text in scan results or in error messages sent from the Wordfence servers may still appear in English, but all text that is visible by your site’s visitors and nearly all text for admins should be translatable. Please contact our support team if you have any issues translating additional strings.

Improvement: Updated scan result text to clarify meaning of plugins removed from wordpress.org

We clarified the text of scan results that show when a plugin was removed from wordpress.org, since people sometimes thought this meant that a plugin was removed from their sites.

Improvement: Prevented scans from failing if unreadable directories are encountered

On some hosts, the Wordfence scan could fail if it found a private directory inside the site’s public files, if reading the directory was blocked by a method other than file permissions. This issue no longer occurs.

Fix: Corrected IPv6 address expansion

Manually blocking IPv6 address ranges could previously cause a str_repeat() error on PHP 8 and above.

Fix: Ensured long request payloads for malicious requests are recorded in live traffic

Certain blocked hits for large requests would sometimes not appear in Live Traffic. These blocked hits should now appear.

Change: Moved detection for old TimThumb files to malware signature

Finding a vulnerability in TimThumb led to the creation of Wordfence. Detection for vulnerable TimThumb files had been built into the plugin since that time, and detection has now been moved to the same method used for detecting malware and other dangerous files. This change prevents a false positive result on sites where PHP’s “opcache” is stored inside the document root.

Fix: Prevented rare JSON encoding issues from breaking free license registration

We found a few cases in our logs where a site could not register for a free key due to an improperly encoded URL or other data, and added a method to handle such cases.

Additional minor changes:

  • Improvement: Added help link to IPv4 scan option
  • Improvement: Made “Increased Attack Rate” emails actionable
  • Improvement: Updated JavaScript libraries
  • Improvement: Updated GeoIP database
  • Fix: Prevented “commands out of sync” database error messages when the database connection has failed
  • Fix: Prevented PHP notice from being logged when request parameter is missing
  • Fix: Prevented deprecation warning in PHP 8.1
  • Change: Renamed “Macedonia” to “North Macedonia, Republic of”

The above list includes text changes, prevention of unnecessary log messages, and some updates to libraries and data used by Wordfence.

We hope you enjoy Wordfence 7.10.0 as much as we enjoyed creating it!

~The Wordfence Team

Source :
https://www.wordfence.com/blog/2023/06/wordfence-7-10-0-released-changes/

How to use CHATGPT to write a blog post: easy step-by-step guide

By Emily Brookes
Last updated: May 5, 2023

In this article, we’re going to show you how to use ChatGPT to write a blog post. If you’re new to using AI content generators, don’t worry. We will be walking you through the entire process step-by-step.

ChatGPT is a game-changer for marketers and bloggers, and for pretty much anyone who does anything online. It can even help you brainstorm. And although it might sound like AI will take everyone’s jobs, we should embrace AI technology and use it to create better content more quickly.

Before we jump into this topic, it’s worth noting here that it is highly likely that OpenAI will be adding a digital watermark to content generated by ChatGPT.

If you intend to publish this content online, you should either rewrite the output in your own words or use a more comprehensive AI writing tool like Jasper to write or rewrite the paragraphs for you, based on the outline and ideas generated by ChatGPT (and check out our thoughts on the future of white-collar work in the age of AI here)

HOW TO USE CHAT GPT TO WRITE A BLOG POST

Writing a blog post is somewhere ChatGPT can excel. But the thing is, it won’t simply produce the perfect blog post at the click of a button. ChatGPT needs detailed instructions to produce good content.

And of course, when it comes to creativity and original ideas, you will still need to add a human touch.

That being said, ChatGPT can be used for pretty much every part of the writing process when guided carefully by a human writer.

Often, blog articles are relatively short and focused pieces that center primarily around one topic. Because of this, Chat GPT will happily suffice for short blog posts on simple topics.

However, a higher standard can often be achieved by augmenting the process with Jasper’s AI writing capabilities.

Here’s how to use ChatGPT to write a blog post.

BRAINSTORM TOPICS AND TITLE IDEAS

Chat GPT has emerged as a useful brainstorming tool. It’s becoming increasingly popular with bloggers and copywriters to help them with writer’s block.

It offers a quick and convenient way of generating relevant topics and title suggestions. To get started, you must create a free account with OpenAI. There is a paid version available, too—ChatGPT Plus.

In this guide, we’re going to be using the free version, but you can use either.

Once you’re signed in, you can enter a prompt in the chat box at the bottom of the page. For example: “Generate 12 new topic ideas and titles for a dog training blog.”

If you’re happy with the generated text, you can move on to the next step. Alternatively, you can also ask ChatGPT to regenerate the response for more ideas.

USE CHATGPT TO HELP YOU WRITE A SOLID OUTLINE

Once you have established a topic, the next step is to use ChatGPT to write an outline for your blog post.

Doing this manually can be a time-consuming process. But the good news is, ChatGPT will make it a lot easier.

It will provide you with a detailed outline which you can then edit or add to yourself with your own ideas.

First, you will need to enter your command into ChatGPT.

Command example: Create a detailed outline for a blog post titled “Mastering Recall: Tips and Techniques for Training Your Dog to Come When Called”.

ChatGPT will then provide you with a detailed outline that you can tweak as needed.

Now that you’ve got an outline, you can either use ChatGPT, or another tool like Jasper to create content for each section of your blog post.

HOW TO USE CHATGPT TO HELP WRITE EACH SECTION OF YOUR BLOG POST

If you want to use ChatGPT to write a blog post, you’re going to need to break down what you want into different sections and categories. That way, you can ask ChatGPT to write each section for you as you go.

After that, you can piece them all together at the end to create a long-form blog post you can publish.

If you’re writing a shorter piece of content of up to 500 words, then technically, you could just ask it to write a whole blog post in one go.

However, in general, breaking this down into sections is the best way to go about this. This will ensure that the topic is covered thoroughly and in the appropriate order.

Doing this is also essential if you want to create long-form content.

ASK CHATGPT TO WRITE YOUR INTRODUCTION

A strong start to any blog post is a must. This is why you want to start by asking ChatGPT to write your introduction for you.

Ask ChatGPT to write an introduction to your blog post.

Example prompt:

Write an introduction for a blog post titled “Mastering Recall: Tips and Techniques for Training Your Dog to Come When Called”.

And here’s what ChatGPT generated based on that prompt:

As you can see, it has done a pretty good job in just a few seconds.

You can now tweak this introduction if required. This is a good time to add your own expertise and introduce yourself as an authority on the topic.

ENTER EACH SUBHEADING IN CHATGPT AS A QUESTION

The next step is to create content for each subheading detailed in your outline.

ChatGPT is designed to be an AI chatbot rather than exclusively an article writer. Because of this, it works well if you enter your prompts as questions.

If you make the headings within your article a question, then you can ask GPT to answer this question for you. Then you can use the answer it generates as a basis for each paragraph of your blog post.

So for the first subheading, “Explanation of the importance of recall training”, you would enter a prompt of “Explain the importance of recall training for dogs”.

ChatGPT will then respond to this prompt, providing another section of your blog post.

Note: If you intend to publish this content online, you should rewrite the output in your own words. You could also use a more comprehensive tool like Jasper to write or rewrite the paragraphs for you, based on the outline created by ChatGPT.

ASK CHATGPT TO WRITE A CONCLUSION PARAGRAPH

Ending any blog post on a high is a great idea. Once you are certain your blog post has thoroughly covered the topic at hand, it’s time to close things off.

Simply ask ChatGPT to create a conclusion based on the topic you’re already writing about. You can even go one step further and ask it to include things like a call to action or next steps.

You might want to change things a little to ensure your brand and/or name is mentioned. However, asking ChatGPT to write you a conclusion paragraph gives you a solid starting point.

When you start by asking ChatGPT to write you a conclusion, it will tell you that it needs to know the topic of the blog and the main points you have mentioned in the post, so it can conclude your blog post accurately.

REVIEW AND EDIT YOUR BLOG POST

Just because ChatGPT (or indeed any AI writing software) has created a post for you, that doesn’t mean you should use it as it is. It’s important to thoroughly review and edit the content. Make sure that it reads well and keeps in line with your existing brand voice. 

Most people won’t respond well to content they think has been auto-generated, so putting across your voice and ensuring that it sounds in line with the rest of your content is essential.

This is something that you should be double-checking in the review stage of your blog post.

FACT-CHECKING 

ChatGPT’s knowledge generally ends in the latter part of 2021. This means that some of the facts it gives may be outdated and, therefore, inaccurate.

Before you publish a post, while you’re reviewing it, you should make sure that any facts mentioned are accurate and edit them if they’re not.

It’s all well and good having a well-written article, but if the information within it is inaccurate, it could destroy any trust you have built with your readers or audience.

Instead, spend some time checking all of the facts for yourself. This way, you can be sure that the content you are putting out there is going to be well received by its intended audience.

CHECK FOR PLAGIARISM WITH GRAMMARLY

While your text should be unique when generated with ChatGPT, that’s not always true. It’s always a good idea to double-check it. Grammarly is a popular free tool for checking spelling and grammar in written content, and it has a built-in plagiarism checker.

It’s worth spending a couple of minutes copying and pasting your AI-generated content into Grammarly’s Plagiarism Checker just to give it the once over before it goes live.

IS CHATGPT GOOD FOR BLOGGING?

Overall, ChatGPT is a super useful tool for digital marketers and bloggers to have as part of their content creation toolkit.

You can use it for everything from blog writing to writing a meta description and even generating social media captions. It can also be used for keyword research and to help you generate new keyword ideas.

The main thing to bear in mind is that it’s likely that content generated with ChatGPT is watermarked or soon will be.

This means that Google and other search engines, along with AI content detection tools like Originality.ai, will usually be able to tell if your content is AI-generated.

However, that doesn’t mean you should dismiss ChatGPT altogether. But it does mean you need to be savvy and do what you can to get the most out of the tool.

Teaming up ChatGPT with other tools like Jasper can be a great way to get the most out of your content marketing efforts. This can also help you to get around the potential ‘Watermarking’ issues that you may come across in the future with Chat GPT.

ChatGPT isn’t really designed for long-form content writing, so you probably won’t use it to create entire blog posts in one go. However, there’s nothing to say that facility won’t come in the future. And there are already awesome courses like AI for blogging that are helping students profit from this new technology.

What it does is offer a quick and easy way to get blog post ideas, expand on ideas you already have, and even get an idea of what other people might be writing about within your niche.

You can then use the information you have gathered from ChatGPT in Jasper to create a unique, high-quality long-form blog post that you would be proud to publish on your platform.

Source :
https://www.nichepursuits.com/how-to-use-chatgpt-to-write-a-blog-post/

Credential-Stealing Server Side Request Forgery Patched in Getwid

Ram Gall
June 6, 2023

On April 6, 2023, the Wordfence Threat Intelligence team initiated the responsible disclosure process for two vulnerabilities in Getwid – Gutenberg Blocks, a plugin installed on over 50,000 WordPress sites. The plugin’s developers responded immediately, and we sent over the full disclosure the same day. A patched version of the plugin, 1.8.4, was released on April 13, 2023.

The most serious vulnerability had a high severity because it allows authenticated users to perform Server Side Request Forgery (SSRF), which can result in full access to the hosted instance on some cloud configurations. Additionally, it may allow further penetration into internal networks in some enterprise configurations. The other vulnerability is much lower in severity and allows authenticated users to clear and update the site’s template cache.

Wordfence Premium, Wordfence Care, and Wordfence Response customers received a firewall rule protecting against the Server Side Request Forgery (SSRF) on April 6, 2023. Wordfence Free users received the same protection on May 6, 2023.

Vulnerability Summary from Wordfence Intelligence

Description: Getwid – Gutenberg Blocks <= 1.8.3 – Authenticated (Subscriber+) Server Side Request Forgery
Affected Plugin: Getwid – Gutenberg Blocks
Plugin Slug: getwid
Affected Versions: <= 1.8.3
CVE ID: CVE-2023-1895
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Researcher/s: Ramuel Gall
Fully Patched Version: 1.8.4

The Getwid – Gutenberg Blocks plugin for WordPress is vulnerable to Server Side Request Forgery via the get_remote_content REST API endpoint in versions up to, and including, 1.8.3. This can allow authenticated attackers with subscriber-level permissions or above to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

Description: Getwid – Gutenberg Blocks <= 1.8.3 – Improper Authorization via get_remote_templates REST endpoint
Affected Plugin: Getwid – Gutenberg Blocks
Plugin Slug: getwid
Affected Versions: <= 1.8.3
CVE ID: CVE-2023-1910
CVSS Score: 4.3 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Researcher/s: Ramuel Gall
Fully Patched Version: 1.8.4

The Getwid – Gutenberg Blocks plugin for WordPress is vulnerable to unauthorized modification of data due to an insufficient capability check on the get_remote_templates function in versions up to, and including, 1.8.3. This makes it possible for authenticated attackers with subscriber-level permissions or above to flush the remote template cache. Cached template information can also be accessed via this endpoint but these are not considered sensitive as they are publicly accessible from the developer’s site.

Technical Analysis

Getwid – Gutenberg Blocks is a plugin offering a library of pre-generated blocks which it makes available to plugin users and retrieves remotely from the developer’s server. Unfortunately, this remote retrieval functionality, which utilized the REST API, only required an authenticated user in vulnerable versions, meaning that even subscriber-level users could make use of it.

While the REST routes for both vulnerabilities used a capability check in the permissions_check function, the capability checked was read, which all users, even subscribers, are assigned.

Pictured: The REST API Endpoints and the permissions_check function

On its own this was not a significant issue, but the get_remote_content function also failed to validate the URL passed in, meaning it could be used to retrieve information from any location via the server.

Pictured: The get_remote_content function

Only GET requests can be performed and the response data will only be rendered if it is JSON-formatted. However, sites hosted on Amazon AWS EC2 instances all have an endpoint which can be accessed internally and returns JSON-formatted credentials that can be used to access the instance.


Pictured: EC2 Credentials on a test box retrieved using this exploit.

Sites running on AWS EC2 instances using IMDS (Instance Metadata Service) version 1 are vulnerable to this attack, while IMDSv2 offers preventative measures that prevent successful exploitation.
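The destination check that get_remote_content lacked can be sketched as follows. This is an added example in Python showing the validation logic only, not Getwid's PHP code or its actual patch: the allowlisted host `templates.example.com`, the function names and the resolver tables are hypothetical, and the sample addresses are constructed.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical allowlist: the only host the template fetcher ever needs.
ALLOWED_HOSTS = {"templates.example.com"}


def system_resolver(host):
    """Resolve a host name with the system resolver (used outside tests)."""
    infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    return [info[4][0] for info in infos]


def constructed_resolver(table):
    """Offline resolver backed by a dict, for demonstration and tests."""
    return lambda host: table.get(host, [])


def is_public_address(text):
    """True only for globally routable addresses. Link-local (which includes
    the cloud metadata range), loopback and private ranges are rejected."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return False
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:          # unwrap ::ffff:a.b.c.d before checking
        ip = mapped
    return ip.is_global


def check_remote_url(url, resolver=system_resolver):
    """Return (allowed, reason) for a URL the server is asked to fetch."""
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError:
        return (False, "malformed URL")
    if parts.scheme != "https":
        return (False, "scheme must be https")
    if parts.username is not None or parts.password is not None:
        return (False, "credentials in URL are not allowed")
    if port not in (None, 443):
        return (False, "port must be 443")
    host = parts.hostname or ""
    if host not in ALLOWED_HOSTS:
        return (False, "host is not on the allowlist")
    addresses = resolver(host)
    # The name check alone is not enough: an allowlisted name must also
    # resolve only to public addresses before the request is sent.
    if not addresses or not all(is_public_address(a) for a in addresses):
        return (False, "host resolves to a non-public address")
    return (True, "ok")


# Constructed resolver tables: one normal, one where the allowlisted name
# points at an internal address.
PUBLIC_DNS = constructed_resolver({"templates.example.com": ["93.184.216.34"]})
INTERNAL_DNS = constructed_resolver({"templates.example.com": ["10.0.0.5"]})

if __name__ == "__main__":
    for url in ("https://templates.example.com/templates.json",
                "http://templates.example.com/templates.json",
                "https://169.254.169.254/"):
        print(url, check_remote_url(url, PUBLIC_DNS))
```

A check like this belongs next to a stricter capability than read on the route, since validating the URL does not fix the authorization gap.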

The second issue was significantly less severe and made use of the minimal capability check on the ‘get_remote_templates’ function. While this would likely have minimal impact on a site, it still compromises the site’s integrity to some extent.

Disclosure Timeline

April 6, 2023 – The Wordfence Threat Intelligence team releases a firewall rule to Wordfence Premium, Wordfence Care, and Wordfence Response users and begins the responsible disclosure process. We send over the full disclosure to the developers.
April 13, 2023 – The plugin developers release a patch in version 1.8.4 of Getwid.
May 6, 2023 – Wordfence Free users receive the firewall rule.

Conclusion

In this blog post, we detailed a Server Side Request Forgery (SSRF) vulnerability in Getwid version 1.8.3 and earlier. This vulnerability allows authenticated attackers with subscriber-level permissions or higher to send arbitrary GET requests from the website, which can be used to obtain critically sensitive information in some configurations. We also described a lower-severity vulnerability allowing subscribers to clear the local template cache.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting the SSRF vulnerability on April 6, 2023. Sites still using the free version of Wordfence received the same protection on May 6, 2023.

If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as the SSRF vulnerability poses a significant risk. If you or someone you know is hosted on AWS we also highly recommend migrating to IMDSv2 if you have not already, as it offers protection from not only this but the vast majority of SSRF vulnerabilities.

For security researchers looking to disclose vulnerabilities responsibly and obtain a CVE ID, you can submit your findings to Wordfence Intelligence and potentially earn a spot on our leaderboard.

Source :
https://www.wordfence.com/blog/2023/06/credential-stealing-server-side-request-forgery-patched-in-getwid/

Critical Security Update: Directorist WordPress Plugin Patches Two High-risk Vulnerabilities

Alex Thomas – June 7, 2023

Alongside our usual work to discover, report, and remediate vulnerabilities in the WordPress ecosystem, the WordPress Threat Intelligence team has been conducting a deep-dive into WordPress plugin code with the objective of finding methods to bypass authentication and gain elevated privileges in WordPress plugins so we can help developers patch these vulnerabilities before threat actors can exploit them.

One such plugin we examined recently is Directorist, a popular tool used by over 10,000 WordPress sites to manage directory listings and classified ads.

On April 3, 2023, our team uncovered two significant vulnerabilities – an Arbitrary User Password Reset to Privilege Escalation, and an Insecure Direct Object Reference leading to Arbitrary Post Deletion. Both vulnerabilities were found to affect Directorist versions 7.5.4 and earlier.

Wordfence Premium, Wordfence Care, and Wordfence Response customers received a firewall rule to protect against any exploits targeting these vulnerabilities on April 4, 2023. Sites still using the free version of Wordfence received the same protection on May 4, 2023.

Unfortunately, on June 1, 2023, the plugin was closed due to developer unresponsiveness, and it currently remains unavailable for download from the repository. This presents an issue as site owners are unable to request an update directly via their WordPress dashboard. Given this situation, we advise site owners to either temporarily uninstall the plugin, or manually download the patched version, 7.5.5, and upload it to their sites for optimal protection. For this reason, we have intentionally kept specific vulnerability details to a minimum in this post.

Vulnerability Summaries from Wordfence Intelligence

Authenticated (Subscriber+) Arbitrary User Password Reset to Privilege Escalation

Affected Software: Directorist – WordPress Business Directory Plugin with Classified Ads Listings
Affected Versions: <= 7.5.4
CVE ID: CVE-2023-1888
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Researcher: Alex Thomas
Fully Patched Version: 7.5.5

The Directorist plugin for WordPress is vulnerable to an arbitrary user password reset in versions up to, and including, 7.5.4. This is due to a lack of validation checks within login.php. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to reset the password of an arbitrary user and gain elevated (e.g., administrator) privileges.

Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Post Deletion in listing_task

Affected Software: Directorist – WordPress Business Directory Plugin with Classified Ads Listings
Affected Versions: <= 7.5.4
CVE ID: CVE-2023-1889
CVSS Score: 7.2 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Researcher: Alex Thomas
Fully Patched Version: 7.5.5

The Directorist plugin for WordPress is vulnerable to an Insecure Direct Object Reference in versions up to, and including, 7.5.4. This is due to improper validation and authorization checks within the listing_task function. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to delete arbitrary posts.

Technical Analysis

Password Reset Vulnerability

Directorist, created by wpWax, is designed to help businesses establish directory listings and classified ads on their WordPress sites. It includes a Login and Registration form that can be enabled using the [directorist_user_login] shortcode.


The Directorist Login and Registration form

This form features a “Recover Password” function, akin to the default WordPress “lost your password?” feature. In vulnerable versions, the underlying code lacks essential validation checks to ensure that the user attempting to reset a password is indeed the account owner. This could allow attackers with subscriber-level permissions or higher to reset the passwords of other users, including administrators, thereby gaining unauthorized elevated privileges and taking over the site.


Directorist “Recover Password” logic
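
The ownership check described above, sketched as an added example that is not Directorist's code or its 7.5.5 patch: a recovery flow in which the single-use key emailed by WordPress core is the only thing that selects which account gets a new password. The action names, nonce name, request field names, and the minimum-length policy are hypothetical; `retrieve_password()` with a login argument assumes WordPress 5.7 or later.

```php
<?php
/**
 * Added example: password recovery where the emailed reset key is the only
 * proof of account ownership. Every "example_" name is hypothetical.
 */

// Available to logged-out and logged-in visitors alike. Being logged in as
// some user must never widen what these handlers will do.
add_action( 'wp_ajax_nopriv_example_request_reset', 'example_request_reset' );
add_action( 'wp_ajax_example_request_reset', 'example_request_reset' );
add_action( 'wp_ajax_nopriv_example_complete_reset', 'example_complete_reset' );
add_action( 'wp_ajax_example_complete_reset', 'example_complete_reset' );

/** Step 1: the visitor asks for a reset link. */
function example_request_reset() {
	check_ajax_referer( 'example_reset', 'nonce' );

	$login = isset( $_POST['user_login'] )
		? sanitize_text_field( wp_unslash( $_POST['user_login'] ) )
		: '';

	if ( '' !== $login ) {
		// Core generates the key, stores only its hash, and mails the link to
		// the address already on file for that account (WordPress 5.7+).
		retrieve_password( $login );
	}

	// Same answer whether or not the account exists, so the form cannot be
	// used to enumerate users.
	wp_send_json_success(
		array( 'message' => 'If that account exists, a reset link has been sent.' )
	);
}

/** Step 2: the visitor returns with the emailed key and a new password. */
function example_complete_reset() {
	check_ajax_referer( 'example_reset', 'nonce' );

	$login    = isset( $_POST['user_login'] ) ? sanitize_text_field( wp_unslash( $_POST['user_login'] ) ) : '';
	$key      = isset( $_POST['key'] ) ? sanitize_text_field( wp_unslash( $_POST['key'] ) ) : '';
	$new_pass = isset( $_POST['new_password'] ) ? (string) wp_unslash( $_POST['new_password'] ) : '';

	// Returns a WP_User only when the key matches the hash stored for this
	// login and has not expired; otherwise a WP_Error.
	$user = check_password_reset_key( $key, $login );
	if ( is_wp_error( $user ) ) {
		// Failed attempts are worth alerting on: repeated misses against one
		// login suggest key guessing.
		error_log( sprintf( 'example_complete_reset: invalid key for login "%s"', $login ) );
		wp_send_json_error(
			array( 'message' => 'This reset link is invalid or has expired.' ),
			400
		);
	}

	// Example policy only; substitute the site's own password rules.
	if ( strlen( $new_pass ) < 12 ) {
		wp_send_json_error( array( 'message' => 'Password is too short.' ), 400 );
	}

	// The target account is the one the validated key belongs to. No user ID
	// or email address from the request is consulted at this point.
	reset_password( $user, $new_pass );

	wp_send_json_success( array( 'message' => 'Password updated.' ) );
}
```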

Arbitrary Post Deletion Vulnerability

In addition, we found an arbitrary post deletion vulnerability in the plugin. Directorist listings are essentially custom WordPress posts. In vulnerable versions, the code designed to manage listing deletions lacks the necessary authorization checks to confirm the user is permitted to delete the listing and does not verify that the post being deleted is a Directorist listing. Consequently, this could enable threat actors with subscriber-level and above permissions to delete any post on a WordPress instance, including posts by administrators.


Directorist directory listing deletion logic
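
The two checks named above (is the caller permitted to delete this object, and is the object a listing at all), shown as an added example that is not Directorist's code or its patch. The action name, nonce name, request field, and post type slug are hypothetical placeholders.

```php
<?php
/**
 * Added example: hardened AJAX handler for deleting a directory listing.
 * Every "example_" / "EXAMPLE_" name is hypothetical.
 */

// Hypothetical slug of the custom post type that stores listings.
const EXAMPLE_LISTING_POST_TYPE = 'example_listing';

// Logged-in users only: no wp_ajax_nopriv_ hook is registered.
add_action( 'wp_ajax_example_delete_listing', 'example_delete_listing' );

function example_delete_listing() {
	// 1. CSRF: reject requests without a nonce minted for this action.
	check_ajax_referer( 'example_delete_listing', 'nonce' );

	// 2. The ID is untrusted input. absint() maps anything non-numeric to 0.
	$post_id = isset( $_POST['listing_id'] )
		? absint( wp_unslash( $_POST['listing_id'] ) )
		: 0;
	$post    = $post_id ? get_post( $post_id ) : null;

	// 3. Object type: the handler may only ever touch listings. Without this
	//    check a valid ID for a page or blog post would be accepted too.
	if ( ! $post || EXAMPLE_LISTING_POST_TYPE !== $post->post_type ) {
		wp_send_json_error( array( 'message' => 'Listing not found.' ), 404 );
	}

	// 4. Object-level authorization: the caller must own this listing, or
	//    hold a role that WordPress allows to delete this specific post.
	//    The ownership test covers low-privilege authors whose role has no
	//    delete capability for the post type.
	$is_owner = (int) $post->post_author === get_current_user_id();
	if ( ! $is_owner && ! current_user_can( 'delete_post', $post->ID ) ) {
		// Denials are a detection signal: one account probing many IDs it
		// does not own is worth an alert.
		error_log(
			sprintf(
				'example_delete_listing denied: user=%d post=%d',
				get_current_user_id(),
				$post->ID
			)
		);
		// Same response as "not found" so the endpoint does not reveal which
		// IDs exist.
		wp_send_json_error( array( 'message' => 'Listing not found.' ), 404 );
	}

	// 5. Move to trash instead of deleting permanently, so a mistaken or
	//    abusive request can be undone.
	if ( ! wp_trash_post( $post->ID ) ) {
		wp_send_json_error( array( 'message' => 'Could not delete listing.' ), 500 );
	}

	wp_send_json_success( array( 'trashed' => $post->ID ) );
}
```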

Disclosure Timeline

April 3, 2023 – The Wordfence Threat Intelligence team discovers and documents two vulnerabilities in Directorist.
April 4, 2023 – The Wordfence Threat Intelligence team releases firewall rules to Wordfence Premium, Wordfence Care, and Wordfence Response users and begins the responsible disclosure process.
May 4, 2023 – Wordfence Free users receive the firewall rules.
June 1, 2023 – The plugin developers release a patch in version 7.5.5 of Directorist.

Conclusion

In this blog post, we reviewed two vulnerabilities in our ongoing vulnerability research focused on bypassing authentication and gaining elevated privileges – an Arbitrary User Password Reset to Privilege Escalation that allows threat actors to gain full control of a WordPress instance, and a less-severe Insecure Direct Object Reference to Arbitrary Post Deletion, both in Directorist versions 7.5.4 and prior.

The Wordfence Threat Intelligence team reported these vulnerabilities to the Directorist team on April 4, 2023, following responsible disclosure protocols. The Directorist team addressed these vulnerabilities and released the patch in Directorist version 7.5.5 on June 1, 2023.

We recommend that all users immediately update Directorist to the newest version available, which is 7.5.5 at the time of this writing, to secure their websites.

Wordfence Premium, Wordfence Care, and Wordfence Response customers received a firewall rule to protect against any exploits targeting these vulnerabilities on April 4, 2023. Sites still using the free version of Wordfence received the same protection on May 4, 2023.

If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as these vulnerabilities pose a significant risk.

For security researchers looking to disclose vulnerabilities responsibly and obtain a CVE ID, you can submit your findings to Wordfence Intelligence and potentially earn a spot on our leaderboard.

Source :
https://www.wordfence.com/blog/2023/06/critical-security-update-directorist-wordpress-plugin-patches-two-high-risk-vulnerabilities/

7 Best Firewall Software Solutions: 2023 Firewall Comparison

BY COLLINS AYUYA MAY 23, 2023

In the fast-paced realm of cyberspace where threats continue to multiply, firewall software represents a critical line of defense for businesses of all sizes.

Such programs function as digital gatekeepers, regulating the flow of inbound and outbound network traffic according to a set of rules defined by the user.

With the continued rise of data breaches, investing in the best firewall software isn’t a mere consideration; it’s a necessity.

That’s why we researched, analyzed, and selected the best firewall software solutions for 2023:

Best firewall software comparison

Before delving into each firewall software’s in-depth review, let’s take a quick overview of what each product offers via a comparison chart:

Comparison chart columns: Comprehensive security suite, Scalability, User-friendly interface, Robust features, Cloud-based management, Open-source, Starting price

Starting price by product:

  • Norton: $49.99 for 5 devices for the first year
  • FortiGate: $250/year for home office
  • GlassWire: Free, or $2.99/month/license
  • Cisco Secure Firewall Management Center: Contact Cisco
  • pfSense: Free
  • Sophos Firewall: Contact Sophos
  • ZoneAlarm: Free, or $22.95/year for 1 PC

Norton

Best for a comprehensive security suite

Norton is a household name in cybersecurity that has long delivered top-tier firewall software reflecting its wealth of experience in the sector.

The standout attribute of Norton is its comprehensive security suite, going beyond basic firewall protection to incorporate a smart firewall and intrusion prevention system (IPS), antivirus capabilities, identity theft protection, and even a VPN offering.

All that adds up to a holistic solution for businesses that want one-stop security software.

Pricing

Norton’s Smart Firewall is included in Norton 360, whose pricing plans at the time of writing are:

  • Deluxe: $49.99 for the first year for 5 PCs, Macs, tablets, or phones.
  • Select + LifeLock: $99.99 for the first year for 10 PCs, Macs, tablets, or phones.
  • Advantage + LifeLock: $191.88 for the first year for 10 PCs, Macs, tablets, or phones.
  • Ultimate Plus + LifeLock: $299.88 for the first year for unlimited PCs, Macs, tablets, or phones.

Features

  • Advanced smart firewall with customizable rules, allowing businesses to modify access based on their specific needs, thus providing a higher level of personalized security.
  • Integrated VPN for safe browsing ensures users can access the internet securely without worrying about potential threats or privacy breaches.
  • Identity theft protection is another vital feature, which helps safeguard sensitive personal and business data from potential hackers.
  • SafeCam feature prevents unauthorized access to your webcam, thwarting any potential spying or privacy intrusions.
  • Automatic updates ensure that your protection is always up-to-date, reinforcing defenses against new and evolving threats.

Pros

  • Norton offers a comprehensive security suite, providing a broad spectrum of protective measures beyond the typical firewall, creating a fortified line of defense against a myriad of cyber threats.
  • The interface is easy to navigate, making the process of setting up and managing the firewall less complex and more user-friendly, even for those with limited technical knowledge.
  • It provides 24/7 customer support, ensuring that you’ll have access to assistance whenever you need it, regardless of the hour or day.

Cons

  • While perfect for small to mid-sized businesses, Norton might not be as scalable for larger businesses with a vast network of devices, potentially limiting its effectiveness in such an environment.
  • Depending on your requirements, the subscription can become expensive with add-ons, which might be a drawback for businesses on a tight budget.

Fortinet

Best for scalability

Fortinet is a well-regarded player in the cybersecurity arena and its firewall software exemplifies its commitment to delivering high-quality solutions. FortiGate, Fortinet’s firewall offering, is recognized for its advanced firewall solutions that are scalable and robust.

Particularly useful for growing businesses, FortiGate brings forward top-notch features that can effortlessly adapt to the needs of expanding network infrastructures.

Pricing

Fortinet offers a variety of solutions priced broadly to accommodate all business sizes—from $250 for home office to $300,000 for large enterprises. Contact Fortinet for accurate pricing information.

Features

  • FortiGate offers an advanced firewall with extensive protection against incoming threats, thus maintaining the security of your network.
  • With scalability at its core, FortiGate can adapt and grow along with your business, addressing increasing security demands seamlessly.
  • Smooth integration with other Fortinet security solutions, enabling a comprehensive security ecosystem for your business.
  • FortiGate Cloud-Native Firewall offers high resiliency to ease security delivery across cloud networks and availability zones at scale.
  • Automatic updates keep the firewall current and equipped to deal with the latest threats, ensuring your network’s protection remains robust.

Pros

  • Fortinet’s robust firewall features deliver comprehensive security for your network, providing the necessary defenses to ward off potential threats.
  • With a strong focus on scalability, Fortinet is an ideal choice for rapidly growing businesses that need a security solution to match their expanding network.
  • The software’s high-performance nature means that it delivers robust security without hampering your network’s speed or efficiency.

Cons

  • Despite (or because of) offering a wealth of features, Fortinet’s interface may not be as user-friendly as some other options, potentially causing difficulties for those without substantial technical knowledge.
  • While Fortinet offers a range of pricing options, the cost can quickly escalate for larger networks or when additional features are included, which may not suit budget-conscious businesses.
  • Pricing information is not transparent and requires negotiation. Your mileage may vary.

GlassWire

Best for user-friendly interface

GlassWire is an elegant and visually appealing firewall software that provides comprehensive network monitoring capabilities.

It uniquely combines a network monitor and firewall, offering users a clear visual representation of their network activity. This functionality helps users to understand their online behavior and potential threats in a way that’s easy to interpret.

Pricing

GlassWire offers a tiered pricing model:

  • Free: provides limited features, perfect for individual users or small businesses.
  • Premium: Starts at $2.99 per month per license, paid annually. Premium plans suitable for businesses range from 10 to 200 licenses.

Features

  • Real-time and detailed visualization of your current and past network activity, offering an intuitive and easy-to-understand representation of what’s happening on your network.
  • Built-in firewall that allows users to easily monitor applications using the network and block any suspicious activity, providing a comprehensive network security solution.
  • A unique “Incognito” mode for users who do not want certain network activities to appear on the network graph, ensuring user privacy.
  • Firewall profiles to instantly switch between different environments, such as public and private networks.
  • The network time machine feature allows users to go back in time up to 30 days to see what their computer or server was doing in the past.

Pros

  • GlassWire offers a beautifully designed, user-friendly interface that presents complex network security information in a visually appealing and understandable way.
  • Its comprehensive network monitoring capability allows users to understand their online behavior, identify patterns and detect anomalies.
  • The software’s built-in firewall offers users the flexibility to control which applications can access the network, enhancing the overall security of their systems.

Cons

  • The software requires a moderate amount of system resources to run efficiently, which might be an issue for systems with limited resources.
  • Although GlassWire’s visualizations are beautiful and informative, some users may find them overwhelming and would prefer a more traditional interface.

Cisco Secure Firewall Management Center

Best for centralized management and control

The Cisco Secure Firewall Management Center provides a comprehensive solution for centralized control and management of security policies. It enhances the overall efficiency of network administration by offering a unified platform to manage multiple Cisco security appliances.

Businesses that use a variety of Cisco security tools will find this a valuable addition to streamline operations and enhance control.

Pricing

Cisco Secure Firewall Management Center’s pricing depends on the scale of operations and the specific needs of a business. For detailed and customized pricing information, you can directly contact Cisco or its partners.

Features

  • A unified management console that can control a wide range of Cisco security appliances, reducing the complexity associated with managing multiple devices.
  • Advanced threat detection and analysis capabilities, enabling administrators to swiftly identify and respond to security incidents.
  • Flexible deployment options, including on-premises, virtual and cloud-based solutions, catering to various operational needs and preferences.
  • Comprehensive policy management, allowing administrators to efficiently establish and enforce security policies across their Cisco security infrastructure.
  • Integration with other Cisco security tools, such as Cisco Threat Response, provides a cohesive and powerful security solution.

Pros

  • The ability to manage multiple Cisco security appliances from a single platform is a significant advantage, especially for larger enterprises managing complex security infrastructures.
  • Cisco Secure Firewall Management Center offers advanced threat detection and analysis capabilities, aiding in swift and efficient incident response.
  • Its flexible deployment options cater to diverse operational needs, providing convenience and ease of setup to businesses of all sizes.

Cons

  • Although powerful, the platform may require a steep learning curve, particularly for those who are new to Cisco’s ecosystem.
  • Some users have reported a desire for more customization options within the management interface to meet their specific operational needs.
  • Pricing information is not transparent and requires negotiation. Your mileage may vary.

pfSense

Best open source solution

pfSense is an open-source firewall software solution that is highly customizable, suitable for tech-savvy businesses that prefer having the flexibility to tailor their firewall to specific needs. It’s built on the FreeBSD operating system, offering a comprehensive range of features for network management and security.

Pricing

As an open-source platform, pfSense is free to download and use. However, Netgate, the company behind pfSense, offers paid support and services, including hardware solutions integrated with pfSense software.

Features

  • A wide array of networking functionalities, including firewall, VPN, and routing services, ensuring comprehensive network protection.
  • Being open-source, it offers extensive customization options, allowing businesses to tailor the software to their specific needs.
  • Supports a large selection of third-party packages for additional features, granting more flexibility in expanding its capabilities.
  • Detailed network monitoring and reporting tools, allowing for granular insight into network traffic and potential security threats.
  • It has a community-backed development model, ensuring continuous improvements and updates to its features.

Pros

  • pfSense’s open-source nature allows for extensive customization, giving businesses control over how they want to configure their firewall.
  • The software provides a comprehensive set of features, ensuring thorough network protection and management.
  • Its support for third-party packages allows for the addition of further functionalities, enhancing its overall capabilities.

Cons

  • The configuration of pfSense can be quite complex, particularly for users without a strong technical background, which could pose a challenge for some businesses.
  • The user interface, while functional, may not be as polished or intuitive as some commercial firewall solutions.
  • As with many open-source projects, while there’s a supportive community, professional customer service might not be as accessible as with commercial solutions.

Sophos Firewall

Best for cloud-based management

Sophos Firewall brings a fresh approach to the way you manage your firewall and how you can detect and respond to threats on your network.

Offering a user-friendly interface and robust features, this product provides businesses with an effective and efficient solution for their network security needs. It’s a versatile solution that not only offers traditional firewall capabilities but also integrates innovative technologies to ensure all-round security.

Pricing

Sophos does not publicize pricing information, because their solutions are provided by resellers and can vary depending on the business’s size, needs, and location. You can contact them directly for accurate pricing information.

Features

  • An all-in-one solution that integrates advanced threat protection, IPS, VPN, and web filtering in a single comprehensive platform, providing robust security for your network.
  • Deep learning technology and threat intelligence, both of which work in synergy to identify and respond to threats before they can cause damage, offering advanced protection against malware, exploits, and ransomware.
  • User-friendly interface that simplifies configuration and management tasks, making it easier for users to set up security policies and monitor network activities.
  • Synchronized Security technology that facilitates communication between your endpoint protection and your firewall, creating a coordinated defense against cyber threats.
  • The Sophos Firewall comes with an effective cloud management platform, allowing administrators to remotely manage the system, configure settings, and monitor network activity.

Pros

  • A user-friendly interface that simplifies the process of setting up and managing network security policies, making it suitable for businesses with limited technical expertise.
  • It integrates advanced protection capabilities, such as threat intelligence and deep learning technology, to provide robust defense against sophisticated cyber threats.
  • This firewall software’s unique Synchronized Security feature offers a coordinated and automated response against threats, enhancing the overall effectiveness of your network security.

Cons

  • Some users have reported that while the user interface is intuitive, it might take some time to navigate due to the depth of features available.
  • The initial setup and configuration might require technical expertise, although Sophos provides comprehensive resources and customer support to guide users.
  • Although Sophos’ site advertises “Simple Pricing,” their costs are not in fact transparent and will require negotiating a quote. Your mileage may vary.

ZoneAlarm

Best for personal use

ZoneAlarm is an excellent choice for personal use and small businesses due to its simplicity and effectiveness.

With a strong set of features and an intuitive interface, it provides robust protection without requiring extensive technical knowledge. Its reputation as a reliable firewall solution makes it an attractive choice for users seeking to safeguard their systems from various threats.

Pricing

ZoneAlarm offers both free and premium versions of their firewall software. The free version provides basic protection, while the Pro Firewall version, which comes at a yearly subscription fee starting from $22.95 for 1 PC, offers advanced features such as zero-day attack protection and full technical support.

Features

  • Robust two-way firewall protection, preventing unauthorized access to your network while also stopping malicious applications from sending out your data.
  • Advanced privacy protection feature that protects your personal information from phishing attacks.
  • Unique ID Lock feature that keeps your personal information safe.
  • ZoneAlarm boasts an Anti-Phishing Chrome Extension that detects and blocks phishing sites, protecting your information online.
  • The premium version offers advanced real-time antivirus protection, ensuring that your system is continuously protected from threats.

Pros

  • ZoneAlarm offers a straightforward interface and setup process, making it an ideal choice for users who lack advanced technical skills.
  • The software provides a comprehensive suite of features, including robust firewall protection, advanced privacy tools and real-time antivirus capabilities.
  • ZoneAlarm’s ID Lock feature is a standout, helping to ensure the security of personal data.

Cons

  • While ZoneAlarm offers robust features, its protection level may not be adequate for large enterprises or businesses with complex network architectures.
  • Some users have reported that the software can be resource-intensive, potentially slowing down system performance.

Key features of firewall software

When choosing the best firewall software for your business, there are key features you should consider. These range from the extent of the security suite to scalability and cloud-based management, all of which play a significant role in how effectively the software will serve your needs.

Comprehensive security suite

A comprehensive security suite is more than just a basic firewall. It includes additional layers of security like antivirus capabilities, identity theft protection, and a VPN.

The best firewall software solutions should deliver this kind of comprehensive coverage, protecting against a wide variety of threats and helping you maintain the security of your entire network. Norton, Cisco, and Sophos firewalls excel in this area.

Scalability

Scalability is particularly important for businesses that are growing or plan to grow. As the size of your network increases, your security needs will change and become more complex.

Firewall software like FortiGate and pfSense are designed with scalability in mind, allowing them to adapt to the increasing security demands of your expanding network.

User-friendly interface

A user-friendly interface is crucial, especially for those who may not have a lot of technical expertise. Firewall software should be easy to navigate and manage, making the process of setting up and adjusting the firewall less daunting.

Norton excels in this area, with an intuitive interface that is straightforward to use. GlassWire, while not as intuitive, also offers an attractive and convenient interface.

Robust features

Having robust features in firewall software is key to ensuring comprehensive protection. This includes an advanced firewall with extensive customizable rules, IPS, and threat detection capabilities.

The most robust firewall solutions include Norton, FortiGate, Cisco, and Sophos, as well as pfSense, although you’ll have to do some legwork to program the latter in particular.

Cloud-based management

Cloud-based management is a significant advantage in today’s digital landscape. It allows for the remote configuration and monitoring of your firewall, making it easier to manage and adjust as needed. This feature is particularly beneficial for businesses with remote workers or multiple locations.

Norton, FortiGate, Cisco, Sophos, and ZoneAlarm all provide this capability.

Advanced firewall protection

Advanced firewall protection includes capabilities like deep packet inspection, which examines data packets to detect malware that could otherwise bypass standard firewalls. This kind of advanced protection is vital to secure your network from sophisticated threats. Most of the firewalls in this list offer advanced, next-generation capabilities.

Integration

Integration capabilities are crucial as they allow your firewall software to work in harmony with other security solutions you might have in place. Cisco firewalls, as you might expect, integrate seamlessly with other Cisco solutions, but can falter when trying to integrate with third-party solutions. On the other hand, thanks to its open-source nature, pfSense can be configured to integrate very broadly.

By considering these features when choosing your firewall software, you can ensure that you select a solution that meets the specific needs of your business, provides comprehensive protection and offers room for growth and adaptation as your business evolves.

Benefits of working with firewall software

Employing robust firewall software within your network infrastructure brings along a myriad of benefits that contribute to the overall security and efficiency of your business operations, from enhanced network security and data protection to reduced downtime and regulatory compliance.

Enhanced network security

Perhaps the most fundamental advantage of using firewall software is the enhanced network security it provides. Firewall software acts as the first line of defense against potential threats, including hackers, viruses, and other cyberattacks.

By monitoring and controlling incoming and outgoing network traffic based on predetermined security rules, firewall software ensures that only safe connections are established, thus protecting your network.

Data protection

With the increasing incidence of data breaches and cyber theft, data protection is more crucial than ever. Firewall software plays a pivotal role in safeguarding sensitive data from being accessed or stolen by unauthorized users.

By blocking unauthorized access, it ensures the safety of important information and reduces the risk of data breaches.

Traffic management

Firewall software is not only about protection but also about managing and optimizing the network traffic. Features like bandwidth management can be leveraged to allocate network resources effectively and ensure the smooth functioning of your online operations.

Real-time security updates

With the constantly evolving threat landscape, maintaining up-to-date security measures is vital. Firewall software frequently receives real-time security updates, which help to protect your network against the latest threats. This ensures that your network remains secure against even the most recent forms of cyberattacks.

Reduced downtime

Downtime can be a significant issue for any business, leading to financial losses and damage to reputation. By proactively identifying and preventing potential threats, firewall software can significantly reduce the risk of system outages, leading to increased uptime and reliability.

Scalability

As your business grows, so does the complexity and the scope of your network. Scalable firewall software grows with your business, adjusting to the increased demands and providing consistent protection despite the expanding network size. This makes it a cost-effective solution that can support your business in the long term.

Regulatory compliance

Many industries have regulations in place requiring businesses to protect sensitive data. Firewall software helps meet these regulatory requirements by providing robust security measures that prevent data breaches and protect client and customer information.

Incorporating firewall software into your network infrastructure is a critical step towards securing your business in an increasingly digital world. The benefits it offers are invaluable, providing not just enhanced protection, but also efficiency and adaptability that can significantly contribute to your business’s success.

How to choose the best firewall software for your business

Choosing the best firewall software for your business involves a careful examination of your specific needs and security requirements. 

  • Size and security level: The size and nature of your business, the sensitivity of your data, and the extent of your network operations are crucial factors that determine what kind of firewall software will be the most beneficial.
  • Comprehensive features: Consider firewall solutions that offer a comprehensive suite of security features, such as VPN services, antivirus protection, and advanced threat detection capabilities.
  • Scalability: The scalability of a firewall software solution is important, particularly for growing businesses. Opt for software that can seamlessly adapt to the expanding needs of your network, providing reliable protection irrespective of your business size.
  • Interface: Unless you have a robust, well-trained IT department, the interface of your chosen software will need to be user-friendly and easily manageable, even for those with minimal technical expertise.
  • Cloud-based management: Features that allow for remote configuration and monitoring are highly beneficial in the current era of remote work. These features offer the flexibility of managing your network’s security from any location, improving overall efficiency.
  • Integration: Your chosen software should integrate smoothly with your existing security infrastructure to create a comprehensive, effective security system.
  • Support: Solid customer support from the vendor is also crucial to navigating any issues that may arise during setup or throughout the software’s lifespan.

Choosing firewall software is an investment in your business’s security, so take the time to evaluate each option thoroughly.

Frequently Asked Questions (FAQs)

Who should use firewall software?

Any individual, business, or organization that uses a network or the internet should consider using firewall software. Whether you’re a small business owner, a large corporation, or a home user, a firewall can provide essential protection against unauthorized access and various cyber threats.

Where are firewalls located on a network?

Firewalls are typically located at the edge of a network, serving as a barrier between a trusted internal network and an untrusted external network, such as the internet. They can also be positioned between different parts of an organization’s networks to control access.

Are there any downsides to using a firewall?

While firewalls are essential for network security, they can occasionally block legitimate traffic if the security settings are too restrictive. Additionally, managing and maintaining a firewall can require technical expertise. However, the benefits of using a firewall far outweigh these potential challenges.

How often should a firewall be updated?

Firewall software should be updated regularly to ensure it can protect against the latest threats. Many firewall providers release updates regularly, and many firewalls are set to update automatically. However, it’s a good idea to check for updates manually from time to time to ensure your firewall is up to date.

What is firewall software’s role in regulatory compliance?

For many businesses, especially those in regulated industries like healthcare or finance, firewall software plays a critical role in meeting compliance requirements. Regulations like the Health Insurance Portability and Accountability Act (HIPAA) or the General Data Protection Regulation (GDPR) require robust data protection measures, which include network security provided by a firewall.

Can firewall software protect against all cyber threats?

While firewall software provides a strong layer of protection, it’s not a panacea for all cyber threats. Some sophisticated threats, like targeted phishing attacks or insider threats, require additional security measures. It’s essential to have a comprehensive security strategy in place that includes firewall software, antivirus software, strong access controls, and user education about safe online practices.

Methodology

To deliver this list, we based our selection on an examination of firewall software features and overall reputation in addition to their ease of use, quality of customer support, and value for money.

This information is available in user reviews as well as official product pages and documentation. Nonetheless, we encourage you to conduct your own research and consider your unique requirements when choosing a firewall software solution.

Bottom line: Choosing the best firewall software for your business

The evolving threat landscape necessitates a robust and reliable firewall solution for both personal use and businesses of all sizes. Based on the products listed, it’s evident that several excellent options exist in the market, each with its own unique strengths and capabilities.

Choosing the best firewall software ultimately depends on your requirements, the nature of the network environment, and the budget at hand. It’s essential to consider each product’s features, pros, and cons, and align them with your individual or business needs.

The chosen solution should provide comprehensive protection, be user-friendly, and ideally offer scalability for future growth. Whether it’s for personal use or to protect a multilayered enterprise network, there’s a firewall solution out there that fits the bill.

Also see

Firewalls come in all shapes and sizes. Here’s a look at eight different types of firewalls.

We also did a review of the best firewalls for small and medium-sized businesses.

And once you’ve selected your firewall, make sure you define and implement a clear, strong firewall policy to back it up—as well as setting robust firewall rules to govern the software.

Source :
https://www.enterprisenetworkingplanet.com/guides/best-firewall-software/

7 Best Firewall Solutions for Enterprises in 2023

BY AMINU ABDULLAHI MAY 26, 2023

Enterprise firewall software is an essential component of network security infrastructure for organizations. These firewalls are designed to provide high availability and scalability to meet the needs of large and complex networks because they can handle high traffic volumes and accommodate the growth of network infrastructure.

By exploring the following top firewall solutions, enterprises can make an informed decision to fortify their network defenses and safeguard critical assets from ever-evolving cyber threats.

Best firewall solutions for enterprises: Comparison chart

| Product | Best for | DLP capability | URL filtering | Reporting | Integration with third-party solution | DNS filtering | Starting price |
|---|---|---|---|---|---|---|---|
| Palo Alto Networks | Overall | | | | | | Available on request |
| Check Point Quantum | Connected devices | | | | | | Available on request |
| Fortinet FortiGate | Flexibility and scalability | | | | | | Available on request |
| Juniper Networks | Logging and reporting capability | | | | | | Available on request |
| Cisco Secure Firewall | Centralized management | | | | | | Available on request |
| Zscaler | Businesses with cloud network infrastructure | | | | | | $72 per user per year |
| pfSense | Open source | | | | | | $0.01 per hour |

Palo Alto Networks

Best overall enterprise firewall

Palo Alto is a leading network security provider of advanced firewall solutions and a wide range of network security services.

The company offers firewall solutions for a range of enterprise use cases, including cloud next-generation firewalls, virtual machine series for public and private clouds, container series for Kubernetes and container engines like Docker, and its PA-series appliances designed for data centers, network edge, service providers, remote branches and retail locations, and harsh industrial sites.

These firewalls provide enhanced visibility, control, and threat prevention capabilities to protect networks from various cyber threats, including malware, viruses, intrusions, and advanced persistent threats (APTs).

Pricing

Palo Alto doesn’t advertise its product pricing on its website. Our research found that Palo Alto PA-series prices range from $2,900 to $200,000 (more or less). To get the actual rates for your enterprise, contact the company’s sales team for custom quotes.

Standout features

  • Advanced threat prevention.
  • Advanced URL filtering.
  • Domain name service (DNS) security.
  • Medical IoT security.
  • Enterprise data loss prevention (DLP).
  • Up to 245 million IPv4 or IPv6 sessions.

Pros

  • Provides visibility across IoT and other connected devices.
  • Provides visibility across physical, virtualized, containerized and cloud environments.
  • Offers a variety of products for different business sizes, from small businesses to large enterprises.
  • Easy-to-navigate dashboard and management console.

Cons

  • Complex initial setup.
  • Some users reported that the Palo Alto license is pricey.

Check Point Quantum

Best for connected devices

Check Point is an Israeli multinational company that develops and sells software and hardware products related to network, endpoint, cloud, and data security.

Check Point Quantum is designed to protect against advanced cyber threats, targeting Gen V cyber attacks. This solution encompasses various components to safeguard networks, cloud environments, data centers, IoT devices, and remote users.

Check Point’s SandBlast technology employs advanced threat intelligence, sandboxing, and real-time threat emulation to detect and prevent sophisticated attacks, including zero-day exploits, ransomware, and advanced persistent threats.

Pricing

Check Point does not publicly post pricing information on its website. Data from resellers shows that Check Point products can range from around $62 for a basic solution to over $50,000 for an enterprise-level solution. Contact the Check Point sales team for your actual quotes.

Standout features

  • URL filtering.
  • DLP.
  • Full active-active redundancy.
  • Zero-trust protection for IoT devices.
  • Check Point Quantum protects against Gen V attacks.
  • Advanced threat protection.

Pros

  • 24/7 customer service and support.
  • Easy to set up and use.
  • Management platform with automation features.
  • SandBlast protection for testing malware.

Cons

  • Users reported that the Check Point firewall is expensive.
  • Documentation can be improved.

Fortinet FortiGate

Best for flexibility and scalability

Fortinet offers various firewall products for different organization sizes, from home offices to large enterprises.

The FortiGate 7000 series (FG-7121F, FG-7081F, FG-7081F-2, FIM-7921F, FIM-7941F, and FPM-7620F) is an enterprise firewall product that provides high-performance network security. It is designed for organizations with high network traffic volumes and that have to manage large network infrastructures.

This firewall series is powered by a Security Processing Unit (SPU) of up to 520Gbps and also includes the latest NP7 (Network Processor 7) and CP9 (Content Processor 9).

Pricing

Fortinet’s FortiGate firewall tool pricing is available upon request. Pricing will depend on various factors, including the size of the network, the number of users, and the types of security features needed. Contact a Fortinet representative for pricing and product information.

Standout features

  • Protects IT, IIoT, and OT devices against vulnerability and device-based attack tactics.
  • FortiGate 7000F series provides NGFW, segmentation, secure SD-WAN, and mobile security for 4G, 5G, and IoT.
  • Offers various types of firewalls, including container firewalls, virtual firewalls and hardware firewall appliances.
  • Zero Touch Integration with Fortinet’s Security Fabric Single Pane of Glass Management.

Pros

  • Integrations with over 500 third-party services.
  • AI-powered capabilities.
  • Users reported that the tool is user-friendly.

Cons

  • Support can be improved.
  • Its reporting feature can be improved.

Juniper Networks

Best for logging and reporting capability

Juniper Networks’ firewall helps enterprises protect their network edge, data center, and cloud applications.

The company is also known for its Junos operating system (OS), a scalable network OS that powers Juniper Networks devices. Junos provides advanced routing, switching, and security capabilities and allows for seamless integration with third-party software and applications.

Juniper Networks vSRX virtual firewall provides enhanced security for Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform, IBM Cloud, and Oracle Cloud environments, while its cSRX Container Firewall offers advanced security services to secure applications running in containers and microservices. The company’s SRX firewalls series is designed for various organization sizes, from small to large enterprises.

Pricing

Juniper Networks pricing is available on request. However, the company offers different license methods, including Pay-As-You-Go (PAYG) and Bring-Your-Own-License (BYOL) options for public clouds. Contact the company’s sales team for custom quotes.

Standout features

  • Juniper Networks has various types of firewalls, including container firewalls, virtual firewalls and hardware firewall appliances.
  • Public cloud workload protection, including AWS, Microsoft Azure, and Google Cloud Platform.
  • Logging and reporting capability.
  • Supports VMware ESXi, NSX, and KVM (CentOS, Ubuntu).

Pros

  • Advanced threat prevention capability.
  • Deployable on premises and in cloud environments.

Cons

  • Support can be improved.
  • Users report that some Juniper Networks firewall products are expensive.

Cisco Secure Firewall

Best for centralized management

Cisco Secure Firewall combines firewall capabilities with advanced security features to protect networks from various threats, including unauthorized access, malware, and data breaches.

Cisco Secure Firewall integrates with Cisco Talos, a threat intelligence research team. This collaboration enables the firewall to receive real-time threat intelligence updates, enhancing its ability to identify and block emerging threats.

Cisco Secure Firewall can be centrally managed through Cisco Firepower Management Center (FMC). This management console provides a unified interface for configuration, monitoring, and reporting, simplifying the administration of multiple firewalls across the network.

Pricing

Contact Cisco’s sales team for custom quotes.

Standout features

  • IPS to protect against known threats.
  • Web filtering.
  • Network segmentation.
  • Centralized management.

Pros

  • Provides comprehensive visibility and control.
  • Efficient support team.
  • Highly scalable tool.

Cons

  • Support can be improved.
  • Complex initial setup.

Zscaler

Best for businesses with cloud network infrastructure

The Zscaler firewall provides cloud-based security for web and non-web traffic for all users and devices. Zscaler inspects all user traffic, including SSL encrypted traffic, with elastically scaling services to handle high volumes of long-lived connections.

One of the key advantages of Zscaler’s cloud-based approach is that it eliminates the need for on-premises hardware or software installations. Instead, organizations can leverage Zscaler’s infrastructure and services by redirecting their internet traffic to the Zscaler cloud. This makes scaling and managing security easier across distributed networks and remote users.

Pricing

Zscaler doesn’t advertise its rates on its website. However, data from resellers shows that its pricing starts from about $72 per user per year. For your actual rate, contact the Zscaler sales team for quotes.

Standout features

  • Centralized policy management.
  • Fully-integrated security services.
  • Real-time granular control, logging, and visibility.
  • User-aware and app-aware threat protection.
  • Adaptive IPS security and control.
  • File transfer protocol (FTP) control and network address translation (NAT) support.

Pros

  • Easy to use and manage.
  • AI-powered cyberthreat and data protection services.
  • Always-on cloud intrusion prevention system (IPS).
  • AI-powered phishing and C2 detection.

Cons

  • Complex initial setup.
  • Documentation can be improved.

pfSense

Best open-source firewall

pfSense is an open-source firewall and routing platform based on FreeBSD, an open-source Unix-like OS. It is designed to provide advanced networking and security features for small and large networks.

pfSense can be deployed as a physical appliance or as a virtual machine. pfSense offers many capabilities, including firewalling, VPN connectivity, traffic shaping, load balancing, DNS and DHCP services, and more.

Pricing

For pfSense cloud:

  • pfSense on AWS: Pricing starts from $0.01 per hour to $0.40 per hour.
  • pfSense on Azure: Pricing starts from $0.08 per hour to $0.24 per hour.

For pfSense software:

  • pfSense CE: Open source version available to download for free.
  • pfSense+ Home or Lab: Available at no cost for evaluation purposes only.
  • pfSense+ W/TAC LITE: Currently available at no charge, but the vendor may increase the rate to $129 per year in the future. 
  • pfSense+ W/TAC PRO: $399 per year.
  • pfSense+ W/TAC ENT: $799 per year.

pfSense offers three hardware appliances tailored to the needs of large enterprises.

  • Netgate 8200: Costs $1,395. It has 18.55 Gbps IPERF3 and 5.1 Gbps IMIX traffic speed.
  • Netgate 1537: Costs $2,199. It has 18.62 Gbps (10k ACLs) IPERF3 and 10.24 Gbps (10k ACLs) IMIX traffic speed.
  • Netgate 1541: Costs $2,899. It has 18.64 Gbps (10k ACLs) IPERF3 and 12.30 Gbps (10k ACLs) IMIX traffic speed.

Standout features

  • NAT mapping (inbound/outbound).
  • Captive portal guest network.
  • Stateful packet inspection (SPI).

Pros

  • Free open-source version.
  • Community support.
  • Anti-spoofing capability.

Cons

  • Steep learning curve for administrators with limited experience.
  • GUI is old-fashioned and could be simplified.

Key features of enterprise firewall software

There’s a wide variety of capabilities that enterprise firewall software can provide, but some of the key features to look for include packet filtering, stateful inspection, application awareness, logging and reporting capabilities, and integration with your existing security ecosystem.

Packet filtering

Firewall software examines incoming and outgoing network packets based on predefined rules and policies. It filters packets based on criteria such as source/destination IP addresses, ports, protocols, and packet attributes. This feature enables the firewall to block or allow network traffic based on the configured rules.

Stateful inspection

Enterprise firewalls employ stateful inspection to monitor network connections’ state and analyze traffic flow context. By maintaining information about the state of each connection, the firewall can make more informed decisions about which packets to allow or block.

Application awareness 

Modern firewall software often includes application awareness capabilities. It can identify specific applications or protocols within network traffic, allowing organizations to enforce granular policies based on the application or service used. This feature is handy for managing and securing web applications and controlling the use of specific services or applications.

Logging and reporting

Firewall software logs network events, including connection attempts, rule matches, and other security-related activities. Detailed logging enables organizations to analyze and investigate security incidents, track network usage, and ensure compliance with regulatory requirements. Reporting capabilities help generate comprehensive reports for auditing, security analysis, and compliance purposes.

Integration with the security ecosystem

Firewall software is typically part of a broader security ecosystem within an organization. Integration with other security tools and technologies, such as antivirus software, threat intelligence platforms, Security Information and Event Management (SIEM) systems, and network access control (NAC) solutions, allows for a more comprehensive and coordinated approach to network security.

Benefits of working with enterprise firewalls

Key advantages of enterprise firewall solutions include enhanced network security, threat mitigation, and access control, as well as traffic analytics data.

  • Network security: Firewalls act as a protective barrier against external threats such as unauthorized access attempts, malware, and other malicious activity. Enforcing access control policies and modifying network traffic helps prevent unauthorized access and protect critical data.
  • Threat mitigation: By combining intrusion prevention techniques, deep packet inspection, and threat intelligence, a firewall can detect and block suspicious traffic, reducing the risk that the network will be corrupted and damaged.
  • Access control: Firewall software allows administrators to restrict or allow access to network resources, applications, and services based on specific user roles, departments, or needs. This ensures that only authorized people or systems can access the network and its resources.
  • Traffic data and analytics: In addition to protecting your network, firewalls can also provide granular information about traffic and activity passing through your network, as well as its overall performance.

How do I choose the best enterprise firewall solution for my business?

When choosing the best enterprise firewall software for your business, consider the following factors.

  • Security: Assess your organization’s specific security needs and requirements.
  • Features: Evaluate the features and capabilities of firewall solutions, such as packet filtering, application awareness, intrusion prevention, VPN support, centralized management, and scalability. Consider the vendor’s reputation, expertise, and support services.
  • Compatibility: Ensure compatibility with your existing network infrastructure and other security tools.
  • Hands-on tests: Conduct a thorough evaluation of different firewall solutions through demos, trials, or proofs of concept to assess their performance, ease of use, and effectiveness in meeting your organization’s security goals.
  • Total cost of ownership (TCO): Consider the cost, licensing models, and ongoing support and maintenance requirements.

By considering these factors, you can make an informed decision and select the best enterprise firewall software that aligns with your business needs and provides robust network security.

Frequently Asked Questions (FAQ)

Is an enterprise firewall different from a normal firewall?

Although they share many characteristics, an enterprise firewall is not the same as a consumer-grade firewall. Enterprise firewalls are designed to meet large organizations’ security needs and network infrastructure challenges. They are robust, scalable, and can handle high network traffic volumes and sophisticated threats, compared to generic firewalls for home or small office environments.

What is the strongest type of firewall?

A firewall’s strength depends on various factors, and no universally dependable firewall exists. A firewall’s effectiveness depends on its features, configuration, and how well it fits into the organization’s security needs.

That said, next-generation firewalls (NGFWs) provide improved security capabilities and are often considered the ideal firewall solution in today’s enterprise. NGFWs combine traditional firewall features with additional functionality such as application awareness, intrusion prevention, deep packet inspection, and user-based policies. They provide advanced protection against modern threats with greater visibility and control over network traffic.

How do you set up an enterprise firewall?

Setting up an enterprise firewall involves several steps:

  1. Determine your network topology.
  2. Define security policies.
  3. Plan firewall placement.
  4. Configure firewall rules.
  5. Implement VPN and remote access.
  6. Test and monitor firewall performance.
  7. Perform regular updates and maintenance.

We recommend engaging network security experts or reviewing vendor documentation and support materials for specific guidance in installing and configuring your enterprise firewall.

Methodology

The firewall solutions mentioned in this guide were selected based on extensive research and industry analysis. Factors such as industry reputation, customer reviews, infrastructure, and customer support were considered.

We also assessed the features and capabilities of the firewall solutions, including packet filtering, application awareness, intrusion prevention, DLP, centralized management, scalability, and integration with other security tools.

Also see

If you’re not sure one of the firewalls included here is right for your business, we also determined the best firewalls for SMBs, as well as the best software-based firewalls.

And once your firewall is in place, don’t neglect its maintenance. Here are the best firewall audit tools to keep an eye on its performance.

Source :
https://www.enterprisenetworkingplanet.com/security/enterprise-firewalls/

8 Best Network Scanning Tools & Software for 2023

BY KIHARA KIMACHIA
MAY 30, 2023

Network scanning tools are a critical investment for businesses in this era of increasing cyber threats. These tools perform an active examination of networks to identify potential security risks and help IT administrators maintain the health and security of their networks.

As businesses become more digital and interconnected, the demand for such tools has significantly increased. To help businesses sort through the plethora of these solutions available on the market, we’ve narrowed down the list to eight top products and their ideal use cases.

Here are our picks for the top network scanning software:

Top network scanning tools and software comparison

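| Product | Vulnerability Scanning | Real-time Network Monitoring | Penetration Testing | Compliance Assurance | Integration with Other Tools | Ease of Use | Range of Vulnerabilities Detected | Scalability | Pricing (Starting) |
|---|---|---|---|---|---|---|---|---|---|
| Burp Suite | | | | | | Moderate | High | High | $1,999/yr |
| Detectify | | | | | | High | Moderate | High | $89/mo. |
| Intruder | | | | | | High | High | High | $160/mo. |
| ManageEngine OpManager | | | | | | Moderate | Moderate | High | $245 |
| Tenable Nessus | | | | | | High | High | High | $4,990/yr |
| Pentest Tools | | | | | | Moderate | High | Moderate | $72/mo. |
| Qualys VMDR | | | | | | Moderate | High | High | $6,368/yr |
| SolarWinds ipMonitor | | | | | | High | Moderate | High | $1,570/yr |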

Burp Suite

Best for comprehensive web vulnerability scanning

Burp Suite is a trusted tool among IT professionals for its robust web vulnerability scanning capabilities. It identifies security holes in web applications and is particularly well-suited for testing complex applications.

Pricing

The vendor has three enterprise pricing options as follows:

  • Pay as you scan: This tier starts at $1,999 per year plus $9 per hour scanned. It includes unlimited applications and users.
  • Classic: This tier is priced at $17,380 per year and includes 20 concurrent scans, unlimited applications and unlimited users.
  • Unlimited: This is the superior plan and is priced at $49,999 per year. It includes unlimited concurrent scans, applications, and users.

Features

  • Out-of-band Application Security Testing (OAST) added to dynamic scans for accurate identification of vulnerabilities.
  • Easy setup with point-and-click scanning or trigger via CI/CD.
  • Recurring scanning options for daily, weekly, or monthly scans.
  • Out-of-the-box configurations for fast crawl or critical vulnerability audits.
  • API security testing for increased coverage of microservices.
  • JavaScript scanning to uncover more attack surfaces in Single Page Applications (SPAs).
  • Scalable scanning with the ability to adjust the number of concurrent scans.
  • Custom configurations available, including crawl maximum link depth and reported vulnerabilities.
  • Burp Scanner, a trusted dynamic web vulnerability scanner used by over 16,000 organizations.
  • Integration with major CI/CD platforms such as Jenkins and TeamCity.
  • API-driven workflow for initiating scans and obtaining results via the REST API.
  • Integration with vulnerability management platforms for seamless scanning and security reporting.
  • Burp extensions allow customization of Burp Scanner to meet specific requirements.
  • Multiple deployment options including interactive installer and Kubernetes deployment.
  • Integration with bug tracking systems like Jira with auto ticket generation and severity triggers.
  • GraphQL API for initiating, scheduling, canceling, and updating scans.
  • Role-based access control for multi-user functionality and control.
  • Compatible configurations from Burp Suite Pro can be manually integrated into the Enterprise environment.
  • Reporting features include graphical dashboards, customizable HTML reports, scan history metrics, intuitive UI, rich email reporting, security posture graphing, aggregated issue reporting, and compliance reporting for PCI DSS and OWASP Top 10.

Pros

  • Extensive vulnerability detection.
  • Can handle complex web applications.
  • Integration with popular CI/CD tools.

Cons

  • Steep learning curve for beginners.
  • Relatively higher pricing.

Detectify

Best for ease of use and automation

Detectify is a fully automated External Attack Surface Management (EASM) solution powered by a world-leading ethical hacker community. It can help map out a company’s security landscape and find vulnerabilities that other scanners may miss.

Pricing

The vendor has several pricing options as follows:

  • The full EASM package comes with a 2-week free trial. Pricing is custom and based on the number of domains, sub-domains, and web applications of the attack surface.
  • For organizations with a small attack surface, the vendor offers two pricing tiers that also come with a free 2-week trial:
    • Surface Monitoring: Pricing starts from $289 per month (billed annually). This package includes up to 25 subdomains.
    • Application Scanning: Pricing starts from $89 per month per scan profile (billed annually).

Features

The features of the full EASM solution are:

  • Continuous 24/7 coverage for discovering and monitoring your modern tech stack.
  • Crawling and fuzzing engine that surpasses traditional DAST scanners.
  • Ability to monitor large enterprise products and protect sensitive organizational data.
  • Accurate results with 99.7% accuracy in vulnerability assessments through payload-based testing.
  • SSO, API access, automatic domain verification, custom modules, and attack surface custom policies.
  • Identify risks before they are exploited by enriching assets with critical information like open ports, DNS record types, and technologies.
  • Integrates with popular tools such as Slack, Jira, and Splunk, and comes with an API that allows users to export results in the manner that best suits their workflows.

Pros

  • Simple and clean interface, easy to use.
  • Continuous automatic updates and scans.
  • Customizable reports and notifications.

Cons

  • Limited manual testing capabilities.
  • May generate false positives.

Intruder

Best for cloud-based network security

Intruder is a powerful cloud-based network security tool that helps businesses prevent security breaches by automating routine security checks. Each threat found is classified according to severity, and a remediation plan is proposed.

Pricing

  • Pricing is based on the number of applications and infrastructure targets with three pricing tiers: Essential, Pro and Premium. The Pro plan comes with a 14-day free trial.
  • Example pricing for 1 application and 1 infrastructure target is as follows:
    • Essential: $160 per month, billed annually.
    • Pro: $227 per month, billed annually.
    • Premium: From $3,737 per year.

Features

  • Easy-to-use yet powerful online vulnerability tool.
  • Comprehensive risk monitoring across your stack, including publicly and privately accessible servers, cloud systems, websites, and endpoint devices.
  • Detection of vulnerabilities such as misconfigurations, missing patches, encryption weaknesses, and application bugs, including SQL injection, Cross-Site Scripting, and OWASP Top 10.
  • Ongoing attack surface monitoring with automatic scanning for new threats and alerts for changes in exposed ports and services.
  • Intelligent results that prioritize actionable findings based on context, allowing you to focus on critical issues like exposed databases.
  • Compliance and reporting with high-quality reports to facilitate customer security questionnaires and compliance audits such as SOC2, ISO27001, and Cyber Essentials.
  • Continuous penetration testing by security professionals to enhance coverage, reduce the time from vulnerability discovery to remediation, and benefit from vulnerability triage by certified penetration testers.
  • Seamless integration with your technical environment, with no lengthy installations or complex configurations required.

Pros

  • Cloud-based, eliminating the need for on-site servers.
  • Comprehensive vulnerability coverage.
  • Automated, regular security checks.

Cons

  • Dependency on automated scanning engines may result in occasional false positives or false negatives.

ManageEngine OpManager

Best for real-time network monitoring

ManageEngine OpManager is a comprehensive network monitoring application, capable of providing intricate insights into the functionality of various devices such as routers, switches, firewalls, load balancers, wireless LAN controllers, servers, virtual machines, printers, and storage systems. This software facilitates in-depth problem analysis to identify and address the core source of network-related issues.

Pricing

The vendor offers three editions with starting prices as follows:

  • Standard: $245 for up to 10 devices.
  • Professional: $345 for up to 10 devices.
  • Enterprise: $11,545 for up to 250 devices.

Features

  • Capable of monitoring networks using over 2,000 performance metrics, equipped with user-friendly dashboards, immediate alert systems, and intelligent reporting features.
  • Provides crucial router performance data including error and discard rates, voltage, temperature, and buffer statistics.
  • Enables port-specific traffic control and switch port mapping for device identification.
  • Continuous monitoring of WAN link performance, latency, and availability, leveraging Cisco IP SLA technology.
  • Active monitoring of VoIP call quality across WAN infrastructure, facilitating the troubleshooting of subpar VoIP performance.
  • Automatic generation of L1/L2 network mapping, aiding in the visualization and identification of network outages and performance issues.
  • Provides monitoring for both physical and virtual servers across various operating systems such as Windows, Linux, Solaris, Unix, and VMware.
  • Detailed, agentless monitoring of VMware-virtualized servers with over 70 VMware performance monitors.
  • Utilizes WMI credentials to monitor Microsoft Hyper-V hosts and guest performance with over 40 in-depth metrics.
  • Enables monitoring and management of Host, VMs, and Storage Repositories of Citrix Hypervisor, providing the necessary visibility into their performance.
  • Allows for monitoring and management of processes running on discovered devices through SNMP/WMI/CLI.
  • Uses protocols like SNMP, WMI, or CLI for monitoring system resources and gathering performance data.
  • Provides immediate notifications on network issues via email and SMS alerts.
  • Facilitates the orchestration and automation of initial network fault troubleshooting steps and maintenance tasks.
  • Provides a centralized platform for identifying network faults, allowing for visualization, analysis, and correlation of multiple monitor performances at any instant.
  • Enables network availability, usage trend, and performance analysis with over 100 ready-made and customizable reports.
  • Employs a rule-based approach for syslog monitoring to read incoming syslogs and assign alerts.
  • Includes a suite of OpManager’s network monitoring tools to assist in first and second-level troubleshooting tasks.

Pros

  • In-depth network monitoring.
  • Easy-to-understand performance dashboards.
  • Supports both physical and virtual servers.

Cons

  • May be complex for beginners.
  • Cost can quickly escalate based on number of devices.

Tenable Nessus

Best for vulnerability analysis

Tenable Nessus dashboard
Source: tenable.com

Tenable Nessus is a vulnerability assessment tool that enables organizations to actively detect and rectify vulnerabilities throughout their ever-evolving attack surface. It is formulated to evaluate contemporary attack surfaces, expanding beyond conventional IT assets to ensure the security of cloud infrastructure and provide insights into internet-connected attack surfaces.

Pricing

  • Nessus offers a free 7-day trial. Customers can scan up to 32 IPs per scanner during the trial period.
  • After the trial, the product is available at a starting fee of $4,990 per year for an unlimited number of IPs per scanner.
  • Nessus Enterprise pricing is dependent on business requirements.

Features

  • Evaluates contemporary attack surfaces, extends beyond conventional IT assets, and provides insights into internet-connected environments.
  • Built with an understanding of security practitioners’ work, aiming to make vulnerability assessment simple, intuitive, and efficient.
  • Provides a reporting feature that prioritizes the top ten significant issues.
  • Nessus is deployable on a range of platforms, including Raspberry Pi, emphasizing portability and adaptability.
  • Ensures precise and efficient vulnerability assessment.
  • Offers visibility into your internet-connected attack environments.
  • Ensures the security of cloud infrastructure before deployment.
  • Focuses on the most significant threats to enhance security efficiency.
  • Provides ready-to-use policies and templates to streamline vulnerability assessment.
  • Allows for customization of reports and troubleshooting procedures.
  • Provides real-time results for immediate response and rectification.
  • Designed for straightforward and user-friendly operation.
  • Provides an organized view of vulnerability assessment findings for easy interpretation and analysis.

Pros

  • Broad vulnerability coverage.
  • Easy integration with existing security systems.
  • User-friendly interface.

Cons

  • Relatively higher pricing.

Pentest Tools

Best for penetration testing

Pentest Tools dashboard
Source: pentest-tools.com

Pentest Tools is a suite of software designed to assist with penetration testing. Pentest Tools provides the necessary capabilities to effectively carry out penetration tests, offering insights into potential weak points that may be exploited by malicious actors.

Pricing

The vendor offers four pricing plans as follows:

  • Basic: $72 per month, billed annually, for up to 5 assets and up to 2 parallel scans.
  • Advanced: $162 per month, billed annually, for up to 50 assets and up to 5 parallel scans.
  • Teams: $336 per month, billed annually, for up to 500 assets and up to 10 parallel scans.
  • Enterprise: For more than 500 assets and more than 10 parallel scans, plan pricing varies.

Features

  • Initially built on OpenVAS, now includes proprietary technology to assess network perimeter and evaluate a company’s external security posture.
  • Uses proprietary modules, like Sniper: Auto Exploiter, for a comprehensive security scan.
  • Provides a simplified and intuitive interface for immediate scanning.
  • Conducts in-depth network vulnerability scans using over 57,000 OpenVAS plugins and custom modules for critical CVEs.
  • Includes a summarized report of vulnerabilities found, their risk rating, and CVSS score.
  • Each report offers recommendations for mitigating detected security flaws.
  • Prioritizes vulnerabilities based on risk rating to optimize manual work and time.
  • Generates customizable reports with ready-to-use or custom templates.
  • Provides a complete view of “low hanging fruit” vulnerabilities, enabling focus on more advanced tests.
  • Allows testing of internal networks through a ready-to-use VPN, eliminating the need for time-consuming scripts and configurations.
  • Identifies high-risk vulnerabilities such as Log4Shell, ProxyShell, ProxyLogon, and others.
  • Assists in running vulnerability assessments necessary to comply with various standards like PCI DSS, SOC II, HIPAA, GDPR, ISO, the NIS Directive, and others.
  • Facilitates thorough infrastructure tests, detecting vulnerabilities ranging from weak passwords to missing security patches and misconfigured web servers.
  • Third-party infrastructure audit that’s useful for IT services or IT security companies, providing reports for client assurance on implemented security measures.

Pros

  • Broad coverage of penetration testing scenarios.
  • Easy to use, with detailed reports.
  • Regular updates and enhancements.

Cons

  • Proprietary technology can limit interoperability with other tools or platforms.
  • New users may experience a steep learning curve.

Qualys VMDR

Best for cloud security compliance

Qualys VMDR dashboard
Source: qualys.com

Qualys VMDR is a top choice for businesses looking for cloud-based network security software. It provides automated cloud security and compliance solutions, allowing businesses to identify and fix vulnerabilities.

Pricing

  • Prospective customers can try out the tool for free for 30 days.
  • Pricing starts at $199 per asset with a minimum quantity of 32 (i.e., $6,368 total starting cost).
  • Flexible pricing for larger packages based on business needs.

Features

  • Qualys is a strong solution for businesses seeking cloud-based network security software, providing automated cloud security and compliance solutions.
  • Utilizes TruRisk™ to quantify risk across vulnerabilities, assets, and asset groups, enabling proactive mitigation and risk reduction tracking.
  • Automates operational tasks for vulnerability management and patching with Qualys Flow, saving valuable time.
  • Leverages insights from over 180,000 vulnerabilities and 25+ threat sources to provide preemptive alerts on potential attacks with the Qualys Threat DB.
  • Detects all IT, OT, and IoT assets for a comprehensive, categorized inventory with detailed information such as vendor lifecycle.
  • Automatically identifies vulnerabilities and critical misconfigurations per Center for Internet Security (CIS) benchmarks, by asset.
  • Integrates with ITSM tools like ServiceNow and Jira to automatically assign tickets and enable orchestration of remediation, reducing Mean Time To Resolution (MTTR).

Pros

  • Cloud-based, reducing on-premise hardware needs.
  • Comprehensive vulnerability and compliance coverage.
  • Powerful data analytics capabilities.

Cons

  • Can be complex for small businesses.
  • Pricing is high and can be prohibitive for smaller organizations.

SolarWinds ipMonitor

Best for large-scale enterprise networks

SolarWinds ipMonitor dashboard
Source: solarwinds.com

SolarWinds ipMonitor is an established network monitoring solution ideal for monitoring servers, VMware hosts, and applications on large-scale enterprise networks. It offers deep performance insights and customizable reports.

Pricing

SolarWinds ipMonitor has three pricing editions, each with a 14-day free trial: 

  • 500 monitors for $1,570
  • 1000 monitors for $2,620
  • 2500 monitors for $5,770

Features

  • The monitoring tool provides over a dozen notification types including alerts via email, text message, or directly to Windows Event Log files.
  • Facilitates the monitoring of common ports with key protocols.
  • Ensures IT environment functionality by continuously monitoring database availability.
  • Enhances end user network experience monitoring capabilities.
  • Offers monitoring of network equipment health in tandem with network infrastructure.
  • Confirms the ability of a web server to accept incoming sessions.
  • Provides critical insights into the overall IT environment.
  • Offers an affordable tool for network monitoring.
  • Utilizes VM ESXi host monitors to track the health and performance of your virtual environment.
  • Enables monitoring of Windows services and applications.

Pros

  • Extensive scalability for large networks.
  • Deep insights and comprehensive reporting.
  • Wide range of integrated applications.

Cons

  • Can be overly complex for smaller networks.
  • The pricing model may not suit smaller businesses.

Key features of network scanning tools and software

Vulnerability scanning is central to all network scanning tools, but other features, such as real-time monitoring, penetration testing, and integrability, should not be overlooked.

Vulnerability scanning

This is the most critical feature buyers typically look for in network scanning tools. Vulnerability scanning helps identify potential security threats and weak spots within the network. 

The tools do this by scanning the network’s devices, servers, and systems for known vulnerabilities such as outdated software, open ports, or incorrect configurations. 

This feature matters because it provides an overview of the network’s security posture, enabling users to take corrective measures promptly.

Real-time network monitoring

Real-time network monitoring allows for continuous observation of the network’s performance, detecting any issues or anomalies as they occur. 

This feature is vital because it can significantly reduce downtime and address performance issues before they impact business operations.

Penetration testing

Penetration testing (or pentesting) simulates cyberattacks on your network to test the effectiveness of your security measures and identify potential vulnerabilities that may not be detectable through standard vulnerability scanning. 

Penetration testing is essential for businesses as it offers a more proactive approach to cybersecurity than standard vulnerability scans.

Compliance assurance

Compliance assurance ensures that the organization’s network aligns with various regulatory standards, such as HIPAA for healthcare or PCI DSS for businesses that handle credit card information.

Compliance assurance is critical because non-compliance can result in hefty fines and damage to the company’s reputation.

Integration with other tools

Integration capabilities are an often overlooked but essential feature of network scanning tools. The ability to integrate with other IT management and security tools allows for a more streamlined and efficient workflow.

For example, integrating a network scanning tool with a ticketing system could automatically create a ticket when a vulnerability is detected.

This feature is vital as it enables businesses to enhance their overall IT infrastructure management and improve response times to potential threats.

How to choose the best network scanning software for your business

Selecting the best network scanning tool for your business involves several key considerations:

  1. Identify your needs: The first step is to understand what you need from a network scanning tool. Do you require real-time network monitoring, pentesting, compliance assurance, or more? The type of network you’re operating and the size of your business can heavily influence your needs.
  2. Consider the ease of use: The usability of the software is an important factor depending on the size and expertise of your IT team. If it’s too complex, it may be challenging for your team to use effectively. Look for software that has a user-friendly interface and offers good customer support.
  3. Examine the features: Look for software that offers the features that match your specific requirements. If you’re unsure what features you might need, consulting with an IT professional can be beneficial.
  4. Evaluate scalability: Your business is likely to grow, and so will your network. The network scanning tool you choose should be able to scale along with your business without losing efficiency.
  5. Check for regular support and updates: Good network scanning software should provide reliable support and regular updates to address emerging security threats. Check whether the software is frequently updated and if technical support is readily available.
  6. Review pricing: Lastly, consider the pricing and your budget. Keep in mind that while some software might be more expensive, it could offer more features or better support, leading to better value for your business in the long run.

Frequently Asked Questions (FAQs)

What are the benefits of network scanning tools?

Network scanning tools offer a multitude of benefits, including:

  • Security enhancement: Network scanning tools identify vulnerabilities and security risks within a network, allowing businesses to address these issues proactively and bolster their security posture.
  • Compliance assurance: Many of these tools help ensure that your network aligns with various regulatory and industry standards, reducing the risk of non-compliance penalties.
  • Real-time monitoring: By providing real-time network monitoring, these tools allow for immediate detection and mitigation of issues, thereby reducing network downtime and improving performance.
  • Resource optimization: Network scanning can identify underutilized resources, aiding in more efficient resource allocation and cost savings.
  • Improved network management: With a thorough understanding of the network infrastructure, administrators can make more informed decisions regarding network planning and expansion.

Who should use network scanning software?

Network scanning software is beneficial for a variety of roles and industries, including:

  • Network administrators: These professionals can use network scanning tools to monitor and manage the health of the network, consistently optimizing its performance.
  • IT security professionals: These tools are crucial for IT security staff in identifying potential vulnerabilities and mitigating security risks.
  • Managed Service Providers (MSPs): MSPs can utilize network scanning tools to manage and monitor their clients’ networks, ensuring they are secure and comply with relevant regulations.
  • Regulated industries: Businesses within industries that must adhere to strict data security standards, such as healthcare, finance, and e-commerce, can benefit significantly from these tools to ensure compliance and protect sensitive data.

What are the types of network scanning?

Network scanning can be categorized into several types based on their function:

  • Port scanning: This type identifies open ports and services available on a network host. It can help detect potential security vulnerabilities.
  • Vulnerability scanning: This process involves identifying known vulnerabilities in the network, such as outdated software or misconfigurations, that could be exploited.
  • Network mapping: This type of scanning identifies the various devices on a network, their interconnections, and topology.
  • Performance scanning: This form of scanning monitors network performance, identifying potential issues that could affect the speed or reliability of the network.
  • Compliance scanning: This type checks the network’s compliance with certain regulatory or industry standards, helping avoid potential legal issues.

Methodology

The selection, review, and ranking of the network scanning tools in this list was carried out through a comprehensive and structured methodology, which involved several key steps: namely, requirement identification, market research, feature evaluation, user reviews and feedback, ease of use, pricing, and scalability.

By combining these steps, we have aimed to provide a balanced and comprehensive overview of the top network scanning tools of 2023, thereby enabling potential buyers to make an informed decision that best suits their specific needs and circumstances.

Bottom line: Managing vulnerabilities with network scanning tools

Network scanning tools are essential for any organization striving to maintain a secure and efficient IT environment. From identifying vulnerabilities to ensuring compliance and enhancing overall network performance, these tools play a pivotal role in successful network management.

The eight tools discussed in this article offer a variety of features and capabilities, catering to different needs and business sizes. However, choosing the right tool should be guided by an organization’s unique requirements, budget, and the tool’s ability to scale alongside the growth of the business.

By doing so, businesses can foster a more secure, compliant, and reliable IT network, boosting operational efficiency and business resilience.


Source :
https://www.enterprisenetworkingplanet.com/security/network-scanning-tools/

WPDeveloper Addresses Privilege Escalation Vulnerability in ReviewX WordPress Plugin

István Márton, May 31, 2023

On May 20, 2023, our Wordfence Threat Intelligence team identified and began the responsible disclosure process for a Privilege Escalation vulnerability in WPDeveloper’s ReviewX plugin, which is actively installed on more than 10,000 WordPress websites. This vulnerability makes it possible for an authenticated attacker to grant themselves administrative privileges via a user meta update.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on May 22, 2023. Sites still using the free version of Wordfence will receive the same protection on June 21, 2023.

We contacted WPDeveloper on May 20, 2023, and received a response the next day. After providing full disclosure details, the developer released a patch on May 22, 2023. We would like to commend the WPDeveloper development team for their prompt response and timely patch, which was released in just one day.

We urge users to update their sites with the latest patched version of ReviewX, which is version 1.6.14 at the time of this writing, as soon as possible.

Vulnerability Summary from Wordfence Intelligence

Description: ReviewX <= 1.6.13 – Arbitrary Usermeta Update to Authenticated (Subscriber+) Privilege Escalation
Affected Plugin: ReviewX – Multi-criteria Rating & Reviews for WooCommerce
Plugin Slug: reviewx
Affected Versions: <= 1.6.13
CVE ID: CVE-2023-2833
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Lana Codes
Fully Patched Version: 1.6.14

The ReviewX plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.6.13 due to insufficient restriction on the ‘rx_set_screen_options’ function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to modify their user role via the ‘wp_screen_options[option]’ and ‘wp_screen_options[value]’ parameters during a screen option update.

Technical Analysis

ReviewX is a plugin that primarily enables customers to add ratings and reviews to WooCommerce stores, but it is also possible to use it with custom post types.

The reviews are listed on the WordPress admin page, which includes a screen option for how many reviews should be displayed per page for the admin user. Unfortunately, this feature was implemented insecurely, allowing all authenticated users to modify their capabilities, including granting themselves administrator capabilities.

Upon closer examination of the code, we see that the ‘rx_set_screen_options’ function, which updates a user’s per-page screen option, is hooked to the ‘admin_init’ action.

    add_filter( 'admin_init', 'rx_set_screen_options' );

This hook is triggered on every admin page without any post type or page restrictions. This means that the ‘rx_set_screen_options’ hooked function is invoked on all admin pages, allowing users who otherwise do not have access to the plugin to also access the function, as the function itself does not contain any restrictions.

This makes it possible for any authenticated user with an account, such as a subscriber, to invoke the ‘rx_set_screen_options’ function.

    function rx_set_screen_options() {
        if ( isset( $_POST['wp_screen_options'] ) && is_array( $_POST['wp_screen_options'] ) ) {
            check_admin_referer( 'screen-options-nonce', 'screenoptionnonce' );

            $user = wp_get_current_user();

            if ( ! $user ) {
                return;
            }

            $option = $_POST['wp_screen_options']['option'];
            $value  = $_POST['wp_screen_options']['value'];

            if ( sanitize_key( $option ) != $option ) {
                return;
            }

            update_user_meta( $user->ID, $option, $value );
        }
    }

The function includes a nonce check, but it uses a general nonce that is available on every admin page where there is a screen option.

The most significant problem and vulnerability is caused by the fact that there are no restrictions on the option, so the user’s metadata can be updated arbitrarily, and there is no sanitization on the option value, so any value can be set, including an array value, which is necessary for the capability meta option.

This made it possible for authenticated users, such as subscribers, to supply the ‘wp_capabilities’ array parameter with any desired capabilities, such as administrator, during a screen option update.

As with any Privilege Escalation vulnerability, this can be used for complete site compromise. Once an attacker has gained administrative user access to a WordPress site they can then manipulate anything on the targeted site as a normal administrator would. This includes the ability to upload plugin and theme files, which can be malicious zip files containing backdoors, and modifying posts and pages which can be leveraged to redirect site users to other malicious sites.
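One way the handler could restrict what it writes, shown as an added example: this is not ReviewX's code or the vendor's 1.6.14 patch. The option name `rx_reviews_per_page`, the `manage_options` capability requirement, and the 1 to 999 range are assumptions made for illustration.

```php
<?php
// Added example: a hardened form of the screen-option handler analysed above.
// Not the plugin's code or the vendor's patch. Runs inside WordPress.

// Hypothetical name for the plugin's "reviews per page" user meta key.
const RX_PER_PAGE_OPTION = 'rx_reviews_per_page';

function rx_set_screen_options_hardened() {
    if ( ! isset( $_POST['wp_screen_options'] ) || ! is_array( $_POST['wp_screen_options'] ) ) {
        return;
    }

    // Same nonce as before. It is issued on every admin screen that has
    // screen options, so it only guards against CSRF, not against low-privilege users.
    check_admin_referer( 'screen-options-nonce', 'screenoptionnonce' );

    // Authorization: only users allowed to see the review list may save its
    // screen option. 'manage_options' is an assumed capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }

    $posted = wp_unslash( $_POST['wp_screen_options'] );
    $option = isset( $posted['option'] ) ? $posted['option'] : '';
    $value  = isset( $posted['value'] ) ? $posted['value'] : '';

    // Allowlist the meta key. The request can no longer name an arbitrary
    // key such as the capabilities meta.
    if ( ! is_string( $option ) || RX_PER_PAGE_OPTION !== $option ) {
        return;
    }

    // The value must be a plain string of digits. Arrays, which the
    // capabilities meta requires, are rejected here.
    if ( ! is_string( $value ) || ! ctype_digit( $value ) ) {
        return;
    }

    $per_page = absint( $value );
    if ( $per_page < 1 || $per_page > 999 ) {
        return;
    }

    // The key is a constant and the value is a bounded integer.
    update_user_meta( get_current_user_id(), RX_PER_PAGE_OPTION, $per_page );
}
add_action( 'admin_init', 'rx_set_screen_options_hardened' );
```

WordPress core already persists per-page screen options for plugins that answer its `set_screen_option_{$option}` filter, which removes the need for a custom `admin_init` writer.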

Disclosure Timeline

May 20, 2023 – Discovery of the Privilege Escalation vulnerability in ReviewX.
May 20, 2023 – We initiate contact with the plugin vendor asking that they confirm the inbox for handling the discussion.
May 21, 2023 – The vendor confirms the inbox for handling the discussion.
May 21, 2023 – We send over the full disclosure details. The vendor acknowledges the report and begins working on a fix.
May 22, 2023 – Wordfence Premium, Care, and Response users receive a firewall rule to provide protection against any exploits that may target this vulnerability.
May 23, 2023 – A fully patched version of the plugin, 1.6.14, is released.
June 21, 2023 – Wordfence Free users receive the same protection.

Conclusion

In this blog post, we detailed a Privilege Escalation vulnerability within the ReviewX plugin affecting versions 1.6.13 and earlier. This vulnerability allows authenticated threat actors with subscriber-level permissions or higher to elevate their privileges to that of a site administrator which could ultimately lead to complete site compromise. The vulnerability has been fully addressed in version 1.6.14 of the plugin.

We encourage WordPress users to verify that their sites are updated to the latest patched version of ReviewX.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on May 22, 2023. Sites still using the free version of Wordfence will receive the same protection on June 21, 2023.

If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.

For security researchers looking to disclose vulnerabilities responsibly and obtain a CVE ID, you can submit your findings to Wordfence Intelligence and potentially earn a spot on our leaderboard.


Source :
https://www.wordfence.com/blog/2023/05/wpdeveloper-addresses-privilege-escalation-vulnerability-in-reviewx-wordpress-plugin/