Firewalls & Network Security Controls

eXpress badging® employs robust firewall protections for both on-premises and cloud environments.

🛡️  Our architecture ensures that all external connections are secured, inspected, and controlled using industry-standard tooling and configurations aligned with NIST CSF 2.0.

Overview of the firewall and network security controls:

  • 🔵 On-Prem SonicWall Firewall → perimeter defense, inbound/outbound filtering, logging.

  • 🟢 AWS Security Groups → instance-level stateful firewalls, explicitly scoped allow rules only.

  • 🟠 AWS Network Firewall → stateful packet inspection, advanced threat filtering.

  • 🔴 Fortra VM Vulnerability Testing → ongoing scans, remediation, quarterly reviews.


1. Internal and External Firewalls

  • On-Premises: We use a SonicWall firewall appliance to protect the internal network perimeter — inspecting inbound and outbound traffic to prevent unauthorized access and protect internal assets.

  • Cloud (AWS): In AWS, we enforce firewall controls through:

    • VPC Security Groups: Stateful virtual firewalls attached to each instance's network interface. They hold only allow rules, scoped by source/destination IP range, protocol, and port; any traffic not explicitly allowed is dropped.

    • Network Firewall (optional/managed): AWS-managed, stateful network firewall that applies rule groups at the VPC level for deeper packet inspection and threat filtering.


2. Is every external connection terminated at a firewall?

Yes. All external inbound and outbound traffic is processed through either:

  • The SonicWall firewall (on-prem), or

  • AWS Security Groups and/or Network Firewall rules (cloud), depending on configuration and deployment stage.


3. Are there unsafe ‘allow any’ rules?

No. We enforce strict rule restrictions:

  • SonicWall: Configured to allow only necessary services (e.g., specific ports and IP ranges), never "any-to-any."

  • AWS Security Groups: Only allow explicitly required ports and sources. We avoid 0.0.0.0/0 (and its IPv6 equivalent ::/0) and "all ports, all protocols" rules unless absolutely necessary (e.g., limited test environments).

  • Network Firewall: Enforces rule groups with specific port, protocol, and IP controls, avoiding wildcard rules.
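The security-group controls described in section 1 and the "no allow-any rules" statement above can be checked mechanically rather than by reading consoles. The following Python script is an added example, not eXpress badging's own tooling: it audits security-group records in the shape returned by boto3's ec2.describe_security_groups() and reports every rule that is open to 0.0.0.0/0 or ::/0, or that uses all ports/all protocols, with a separate view answering exactly the "any-to-any" question. The three security groups and the allow-list of publicly acceptable ingress ports (443 only) are constructed for the example.

```python
"""Audit AWS security-group rules for 'allow any' exposure.

Added example (not eXpress badging's own tooling): the input is a list of
dicts shaped like boto3's ec2.describe_security_groups()["SecurityGroups"].
SAMPLE_GROUPS below is constructed sample data; with real credentials you
would pass boto3.client("ec2").describe_security_groups()["SecurityGroups"].
"""
import ipaddress
from dataclasses import dataclass

# Ports a reviewer accepts as world-reachable on ingress (assumption for this
# example; a real policy defines its own list).
PUBLIC_INGRESS_ALLOWLIST = {443}


@dataclass(frozen=True)
class Finding:
    group_id: str
    direction: str      # "ingress" or "egress"
    severity: str       # "high" or "medium"
    allow_any: bool     # True only for any-port/any-protocol to/from a /0
    reason: str


def _is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0, ::/0 or any other prefix of length 0."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _port_label(perm: dict) -> str:
    """Human-readable port scope; IpProtocol '-1' means every protocol and port."""
    proto = perm["IpProtocol"]
    if proto == "-1":
        return "all ports/all protocols"
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None:                      # protocol without port numbers
        return f"{proto}/all"
    return f"{proto}/{lo}" if lo == hi else f"{proto}/{lo}-{hi}"


def _cidr_sources(perm: dict) -> list[str]:
    """IPv4 and IPv6 CIDRs on a rule (security-group references are not CIDRs and are skipped)."""
    return [r["CidrIp"] for r in perm.get("IpRanges", [])] + \
           [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]


def _single_allowlisted_port(perm: dict) -> bool:
    return (perm["IpProtocol"] == "tcp"
            and perm.get("FromPort") == perm.get("ToPort")
            and perm.get("FromPort") in PUBLIC_INGRESS_ALLOWLIST)


def audit_security_groups(groups: list[dict]) -> list[Finding]:
    """Flag rules that are world-open or that use all ports/all protocols."""
    findings: list[Finding] = []
    for sg in groups:
        for direction, key in (("ingress", "IpPermissions"),
                               ("egress", "IpPermissionsEgress")):
            for perm in sg.get(key, []):
                all_protocols = perm["IpProtocol"] == "-1"
                for cidr in _cidr_sources(perm):
                    world = _is_world_open(cidr)
                    if not world and not all_protocols:
                        continue        # scoped source and scoped ports: fine
                    if world and direction == "ingress" and _single_allowlisted_port(perm):
                        continue        # a public service on an approved port
                    if world:
                        severity = "high" if direction == "ingress" or all_protocols else "medium"
                    else:
                        severity = "medium"   # all protocols, but only from a scoped CIDR
                    prep = "from" if direction == "ingress" else "to"
                    findings.append(Finding(
                        sg["GroupId"], direction, severity,
                        allow_any=world and all_protocols,
                        reason=f"{_port_label(perm)} {prep} {cidr}"))
    return findings


def allow_any_rules(groups: list[dict]) -> list[Finding]:
    """The questionnaire answer: any-port/any-protocol rules to or from a /0."""
    return [f for f in audit_security_groups(groups) if f.allow_any]


# Constructed sample data in describe_security_groups() shape.
SAMPLE_GROUPS = [
    {   # web tier: 443 from anywhere is acceptable, 22 from anywhere is not
        "GroupId": "sg-0aaa0001", "GroupName": "web-tier",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        ],
        "IpPermissionsEgress": [
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [{"CidrIp": "10.20.0.0/16"}]},
        ],
    },
    {   # test box with the classic any-to-any rule in both directions
        "GroupId": "sg-0aaa0002", "GroupName": "test-anything",
        "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
        "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
    },
    {   # internal app: scoped source, but every port and protocol
        "GroupId": "sg-0aaa0003", "GroupName": "app-tier",
        "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.20.0.0/16"}]}],
        "IpPermissionsEgress": [],
    },
]

if __name__ == "__main__":
    for f in audit_security_groups(SAMPLE_GROUPS):
        print(f"[{f.severity:6}] {f.group_id} {f.direction:7} {f.reason}")
```

On the sample data the script reports four findings: SSH open to the world on the web tier, the any-to-any ingress and egress rules on the test box, and an all-protocols rule from an internal /16 on the app tier; only the two test-box rules count as true "allow any" rules. Note that the default egress rule AWS creates for a new security group is exactly the any-to-any egress shown on sg-0aaa0002, so it is worth running this against every VPC, not only the ones that were hand-built.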


4. Are Vulnerability Assessments or Penetration Tests performed?

Yes. Both our internal and external networks are regularly tested:

  • Periodic vulnerability scans are performed using Fortra VM against both the on-premises network (behind the SonicWall) and the AWS environments.

  • Results and remediation are documented per our Vulnerability Management & Remediation processes.


NIST CSF 2.0 Alignment

NIST Function   Firewall & Network Control Practices
Identify        Inventory of firewall rules, periodic reviews.
Protect         Firewalls enforce least-privilege access.
Detect          Logs and alerts from SonicWall and AWS firewall systems.
Respond         Rule adjustments and remediation based on test results.
Recover         Restore configurations from backups if compromised.
Govern          Management-approved firewall policy with review cadence.

Summary

  • Yes, we deploy firewalls on-prem (SonicWall) and in the cloud (AWS Security Groups / Network Firewall).

  • Yes, all external connections are terminated at these firewalls.

  • No, no "allow any" (any-to-any) rules exist in production environments; all firewall rules are scoped to the required ports, protocols, and sources.

  • Yes, internal/external networks undergo regular vulnerability scanning and penetration testing.


Related Documentation


Last Updated: (set date)