Network Security

Always-on network security with no gaps — because advisors won't turn on a VPN, so FCI does it for them.

Always-on VPN with cloud-based firewall, on-premise firewall management, IP-based access control, DNS filtering, and centralized network logging — applied consistently across every user, every device, every location. No voluntary compliance. No unprotected traffic. No missing logs.

Thousands+ endpoints on always-on VPN
Hundreds+ managed firewalls
0 frustrated users

The Problem

Most firms have no idea what their network actually looks like.

Before COVID, the security model was simple: everyone worked behind a corporate firewall. Traffic was routed through the network, logs were captured, and IT had visibility. That world no longer exists.

Now advisors work from home offices, shared office suites, coffee shops, and hotel Wi-Fi. Everything they access is cloud-based — email, file storage, CRM, custodial platforms. There is no compelling reason for users to connect to a VPN, and the result is predictable: 85% of users don't connect. Their traffic is unsecured, their DNS resolution is uncontrolled, and the regulatory-required network logs that examiners expect to see are simply not being captured.

Some firms believe a commercial VPN solves the problem. It does not. A commercial VPN encrypts the tunnel — and that is all it does. It provides no intrusion prevention, no DDoS protection, no content filtering, no corporate DNS control, and no regulatory-grade logging. It is a retail tool designed for consumer privacy, not financial services compliance.

Meanwhile, the on-premise firewalls that do exist are often neglected. Firmware goes unpatched. Configurations drift. Ports that were opened for a temporary need stay open permanently. And in some offices — particularly smaller branch offices and home offices — there is no business-grade firewall at all.

The VPN Adoption Problem

VPN technology exists at every firm. The problem is adoption. Users don't turn it on because there is no consequence for leaving it off and no benefit they can see. The result: a security control that exists on paper but protects almost no one in practice.

Commercial VPN Is Not Enough

Even when users do connect to a VPN, a commercial VPN only encrypts the tunnel. It provides no DDoS protection, no intrusion prevention, no content filtering, no corporate DNS control, and no centralized logging. Encryption alone is not compliance.

On-Premise Firewall Neglect

Firewalls require ongoing management: firmware updates, configuration hardening, rule audits, and log collection. Most firms treat them as appliances that were set up once and never touched again. A firewall with stale firmware and default rules is not protection — it is a false sense of security.

Open Ports & Remote Desktop

When firms needed remote access, the most common approach was opening RDP ports on the firewall. Open RDP ports are among the most exploited attack vectors in financial services. Every open port is a door — and bad actors scan for them continuously.

No Firewall at Home Offices

Most advisors working from home are behind consumer-grade routers with no intrusion prevention, no VPN gateway, no content filtering, and no logging. Without a cloud-based firewall, the firm's network perimeter stops at the office door — and most of the firm works outside of it.

Missing Network Logs

Regulators expect firms to demonstrate network visibility. If 85% of users are not on the VPN, then 85% of network activity is invisible. On-premise firewalls that are not centrally managed produce local logs that no one collects.

Can your firm prove — to a regulator, an insurer, or a home office — that every user's network traffic passes through a managed firewall, every on-premise firewall is hardened and monitored, and every connection is logged regardless of where your people work?

What FCI Delivers

Seven capabilities — applied to every user and every network, enforced without asking.

FCI does not offer a VPN and hope users turn it on. FCI does not install a firewall and walk away. FCI enforces network security automatically — every device, every user, every connection — through a combination of always-on VPN with cloud-based firewall for every user and managed on-premise firewalls for every office. No opt-in. No manual steps. No gaps.

01
Always-On VPN with Cloud-Based Firewall

When the computer turns on, the VPN is on — and every bit of traffic routes through a cloud-based firewall managed by FCI. This is not a commercial VPN that only encrypts the tunnel. The cloud-based firewall provides DDoS protection, intrusion prevention, content filtering, DNS control, and centralized logging — the full range of capabilities regulators require, delivered to every user regardless of location. Users cannot turn it off — or, where business requirements allow, they can temporarily disable it for 30 minutes before it re-engages automatically.

DDoS Protection, Intrusion Prevention, Content Filtering, DNS Control, Centralized Logging

02
IP-Based Access Control

Once every device has a consistent, known IP through the always-on VPN, FCI can lock down critical systems to those IPs only. Bad actors cannot even reach the login page — they are blocked at the network level before authentication. Even systems that don't support MFA can be secured by IP restriction. Users are compelled to stay on VPN because turning it off means losing access to the systems they need to work.

03
On-Premise Firewall Management

FCI manages business-grade firewalls across every office location — corporate headquarters, branch offices, and anywhere the firm maintains a physical network presence. Each firewall is assessed, hardened to FCI standards, and monitored continuously. Firmware is kept current. Configuration changes are logged. Rules are audited and tightened. Unnecessary open ports — including RDP — are closed. The on-premise firewall is not a set-and-forget appliance. It is a managed, auditable component of the firm's security posture.

Intrusion Prevention, Content Filtering, Traffic Monitoring, VPN Gateway, Firmware Management, Configuration Hardening, Log Collection

04
DNS Filtering & Control

FCI controls DNS resolution for every connected device — through the cloud-based firewall for remote users and through the on-premise firewall for office users. Malicious domains are blocked before they resolve. Web filtering policies are enforced. And every DNS query is logged — providing the kind of network activity evidence that regulators expect. With a commercial VPN, the firm has no idea what domains its users are resolving. With FCI, every query is captured and auditable.

05
Network Penetration Testing & Vulnerability Scanning

FCI performs both internal and external network penetration testing and vulnerability scanning. Penetration testing simulates real-world attacks to identify exploitable weaknesses — testing what happens when an attacker is already inside the network, not just the perimeter. Vulnerability scanning systematically identifies known weaknesses: missing patches, misconfigured services, outdated software, and open ports. NYDFS now explicitly requires annual penetration testing from both inside and outside the network boundary. SEC, FINRA, and NAIC expect it as part of demonstrating compliance.

06
Firewall & Network Inventory

FCI maintains a complete inventory of all network infrastructure — on-premise firewalls at every office, the cloud-based firewall infrastructure, and always-on VPN configuration for every device. Each component is tracked with its configuration, firmware version, hardening status, and log collection state. This is the network equivalent of the endpoint asset inventory: accurate, up-to-date, with full history. When a regulator asks what network infrastructure the firm operates and how it is maintained, the answer already exists.

07
Centralized Network Logging

All network activity — VPN connections, DNS queries, on-premise firewall events, cloud-based firewall events, intrusion prevention alerts, and access attempts — feeds into centralized logging. Logs are not stored on local devices where they can be lost, overwritten, or never collected. They are centralized, searchable, and available through the FCI Portal. This creates the continuous evidence that regulators, insurers, and home offices require.

Comparison

Why a commercial VPN is not network security.

Regulators do not ask whether traffic is encrypted. They ask whether the firm controls its DNS, monitors for intrusions, filters malicious content, logs network activity, and can prove all of it. A commercial VPN answers none of those questions.

Network Security — Capability Comparison Analysis

| Capability | Commercial VPN | On-Premise Firewall VPN | FCI Always-On VPN + Cloud Firewall |
| DDoS protection | No | Yes (office only) | Yes — every user, every location |
| Intrusion prevention | No | Yes (office only) | Yes — every user, every location |
| Content filtering | No | Yes (office only) | Yes — every user, every location |
| Corporate DNS control | No — VPN provider controls DNS | Yes (office only) | Yes — FCI controls, logs captured |
| Corporate managed | No | Partially | Fully managed by FCI |
| User must turn it on | Yes — and they won't | Yes — and they won't | No — it's always on |
| Covers remote users | Tunnel only — no firewall | No — only in-office users | Yes — cloud-based firewall for all |
| Network logging | Where? Unknown | Local — often uncollected | Centralized |
| Regulatory-grade evidence | No | Partial | Complete |

Zero Trust Network Principle

Network security in a Zero Trust model means enforcing secure, encrypted communication inside and outside corporate networks. Security policies are implemented at the network level — firewall hardening, secure remote communication via always-on VPN with cloud-based firewall, and continuous monitoring. The network cannot be trusted simply because it is internal. Every connection is verified.

How FCI Is Different

Four reasons the same network technology produces different results.

Every IT provider can install an on-premise firewall and set up a VPN. The difference between FCI and everyone else is not the technology — it is mastery, automation, consistency, and persistent proof applied to every connection, every firewall, every day, across every environment FCI manages.

A VPN that only encrypts the tunnel and a firewall that no one maintains are not network security. They are assumptions.

Expert Mastery

FCI has deployed and managed network infrastructure across hundreds of financial services environments. That exposure means FCI knows which firewall configurations create security gaps, which VPN settings cause user disruption, which open ports are being actively exploited, and how to deploy always-on VPN with cloud-based firewall seamlessly at scale — thousands of endpoints with zero frustrated users.

Automated Procedures

VPN enforcement is not a policy document that asks users to connect. It is an automated control that engages when the computer turns on and routes every connection through a cloud-based firewall. On-premise firewall hardening is continuous enforcement through templates that detect drift and correct it. No tickets. No reminders. No reliance on user behavior.

Consistent Controls

Every user, every device, every office, every network. FCI does not protect the corporate office with an on-premise firewall and leave remote workers with nothing but a commercial VPN tunnel. Every user gets cloud-based firewall protection. Every office gets managed on-premise firewall protection. No gaps.

Persistent Proof

FCI produces network evidence every day — VPN connection logs, cloud-based firewall logs, on-premise firewall events, DNS queries, intrusion prevention alerts, penetration test results, vulnerability scan reports. Point-in-time compliance is a byproduct of persistent enforcement.

"Before FCI, our advisors had a VPN available but 85% never connected. Our branch firewalls hadn't been updated in over a year. Remote users had no firewall protection at all. Now every device routes through a cloud-based firewall from the moment it powers on, every on-premise firewall is hardened and monitored, and we went from hoping for compliance to proving it."

Interconnection

Network security does not stand alone — it strengthens every other domain.

A secured network is not just about protecting traffic. It becomes an access enforcement layer, a logging foundation, and a control point that strengthens every other domain. Every domain protects every other domain — and network security is the layer that connects them all.

The Principle

No single domain failure defeats the system. A compromised user is stopped by the network. A compromised endpoint is contained by IP restrictions. A compromised cloud app is caught by centralized logging. Every layer reinforces every other layer.

Endpoint Security

A VPN-connected endpoint routes all traffic through the cloud-based firewall, feeding network logging with every connection. The endpoint's local firewall works alongside the cloud-based and on-premise firewalls to create defense in depth.

User Security

IP-based access control strengthens user authentication. Even if credentials are stolen, a bad actor connecting from an unknown IP cannot reach the login page. Network security makes user security harder to bypass.

Cloud App Security

Cloud applications can be restricted to connections from known, VPN-assigned IPs. An unmanaged device on an unknown network should not reach the firm's M365 environment — and with FCI's network controls, it can't.

Data Security

Network logging captures what data moves where. DNS filtering blocks exfiltration paths. The cloud-based firewall's content filtering prevents access to unauthorized sites. Network security is the transport layer that data security depends on.

Firm Security

Every network event feeds the FCI Portal — VPN connection logs, cloud-based firewall events, on-premise firewall events, DNS queries, intrusion prevention alerts, penetration test results, and vulnerability scan findings.

What You Can Prove

Evidence that builds itself — every day, not just on audit day.

Regulators, home offices, and cyber insurance carriers all ask the same question: can you prove your network is secured? FCI produces continuous evidence as a byproduct of how it operates. There is no scramble before an exam. The proof already exists.

VPN + Cloud Firewall Active

Proof that every device has always-on VPN active and every connection routes through a managed cloud-based firewall — not just an encrypted tunnel, but full firewall-grade protection.

On-Premise Firewall Compliance

Documentation that all on-premise firewalls are inventoried, hardened, patched, firmware current, and monitored — with configuration history and change logs.

Network Logging

Centralized logs of all network activity — VPN connections, cloud-based firewall events, on-premise firewall events, DNS queries, and intrusion prevention alerts.

IP Access Control

Evidence that critical systems are restricted to known IPs and that unauthorized access attempts are blocked at the network level.

Penetration Test Results

Annual internal and external penetration testing reports with findings, risk ratings, and remediation records. Aligned to NYDFS, SEC, FINRA, and NAIC expectations.

FCI Portal Visibility

The security officer can access all network evidence at any time — current state, historical state, and the ability to demonstrate compliance at any point in time.

FINRA SEC NYDFS NAIC State Regulators Cyber Insurance Home Office Compliance

Exactly which users are on VPN, that every connection routes through a managed firewall, which on-premise firewalls protect the network, when they were last tested, what vulnerabilities were found and remediated, and whether the firm's network controls are enforced today.

Ready to see what network security looks like when every user has a firewall — not just the ones in the office?

FCI works with broker-dealers and branch offices, insurance carriers and agencies, and RIAs. Start with a gap analysis — it is free, takes 30 minutes, and commits you to nothing.