Home / Solutions / Industrial Networking & Datacom / Enterprise Internet Edge Security
DOMAIN 02 · INDUSTRIAL NETWORKING

Enterprise Internet Edge Security Solution: Firewall, NAT, Intrusion Prevention and DDoS Mitigation at Your Gateway

Every open port is a doorway, and ransomware crews scan for them around the clock. This solution hardens the single point where your network meets the internet: firewall zoning, NAT and safe service publishing, intrusion prevention, first-line DDoS mitigation and internet-behavior audit — designed on open-brand security product categories, sized by users and real inspected throughput, with the limits stated out loud.

The Attack Surface You Already Have

Four risks that sit at the internet edge of almost every company we assess:

Ransomware is one click awayOne phishing attachment, one exposed remote-desktop port — then encryption of every share the infected PC can reach.
Flat trust insideOnce anything gets in, it can move sideways: from a reception PC to the file server to the backups, unchallenged.
No records when auditors askWho visited what, when, from which account? Regulators and insurers increasingly ask — and most networks have nothing to show.
Exposed public servicesYour website, mail and VPN endpoint face the whole internet. Floods and scans against them are constant background noise — until one lands.

Architecture: Zones, Not Hope

Everything the internet can reach lives in its own zone; everything internal is segmented; only declared flows cross the firewall:

TRUST · internal LAN staff PCs · Wi-Fi · phones file / ERP servers (internal only) core switch segmented VLANs — one infected PC cannot reach the backup server DMZ · published services web · mail · VPN endpoint reachable, but walled off from LAN FIREWALL HA pair at larger tiers · stateful zoning Trust/DMZ/Untrust · NAT & service publishing · IPS + antivirus at the gateway · URL filtering & app control · flood limiting (DDoS first line) · VPN termination for branches only declared flows ISP 1 ISP 2 (dual egress) UNTRUST · internet port scans · exploit attempts · floods — dropped at the edge volumetric DDoS beyond your pipe: carrier / scrubbing help — see limits LOG & REPORT PLATFORM who visited what, when — retained for audits

Architecture drawn by AtlasCommTech following carrier-grade network-security design practice. Diagram labels are kept in English for engineering clarity.

Why us: our founder spent 13 years inside the Huawei partner ecosystem delivering carrier networks, where the edge is attacked every single day. We design your edge with that assumption, not with optimism.

Equipment Options

The solution is sized to your requirements and budget first — the same architecture can be delivered on several vendors' product lines. We help you choose by supply availability in your destination country, budget and your team's operating habits.

Huawei — enterprise campus, WAN and security linesMature ecosystem with a global service network.
ZTE & Wantone — comparable datacom linesPrice-performance direction; supply runs smoother in some markets.
H3C — campus and data-center linesWidely deployed campus and data-center portfolio.
Atlas industrial switches — industrial-scenario access layerOur own industrial line — compatible with any brand's core layer.

What the Design Delivers

Six controls, one box family, one policy set — the whole edge becomes explainable in a single page of rules:

Stateful zoningTrust, DMZ and Untrust zones with default-deny between them — traffic crosses only where a written rule says it may.
NAT & safe publishingInternal addressing stays hidden; web, mail and VPN are published through the DMZ with only their required ports open.
Intrusion prevention & antivirusIPS signatures and gateway antivirus inspect what passes — exploit traffic and known-bad files are dropped before they reach a desktop.
Ransomware-aware segmentationKnown command-and-control destinations blocked outbound; internal zones cut so one infected PC cannot reach the backup server. Layered defense logic, applied at your scale.
DDoS first lineFlood limiting and connection controls absorb the everyday scans and small floods at the gateway; what needs carrier-level scrubbing is named honestly in the limits below.
Audit & internet-behavior logsURL categories and application control by policy; who-visited-what logs retained to your regulator's clock, ready when someone asks.

Three Sizes, One Design Logic

Firewalls are sized by what they inspect, not by what the datasheet celebrates — here is how the tiers differ:

Numbers we design around:
Size by inspected throughput — all features on, your real traffic mix — not the datasheet headline
Concurrent sessions: hundreds per user is normal once cloud apps are counted
Log retention: match your regulator — 90/180/365 days changes the storage design
Scale tierTypical siteWhat the design includes
~50 usersSmall office · single-site companyOne desktop-class firewall with IPS and URL filtering on, NAT and a small DMZ if you publish anything, logs to the built-in store — one box, correctly configured, beats five gadgets.
~200–500 usersOffice building · school · hospital · hotel group HQRack-class firewall — HA pair recommended — dual ISP egress, proper DMZ, segmented internal zones, dedicated log platform with retention to your regulator.
1000+ usersCampus · government branch · data-heavy enterpriseHA firewall pair sized on inspected throughput with headroom, dedicated log and report platform, per-department policy, and — where public services justify it — a dedicated anti-DDoS appliance in front.

Equipment Roles (Categories, Not Models)

The solution is built from these security product categories — the brand is chosen with you at design stage. Exact models depend on your bandwidth, enabled features and destination country — so we spec models after your requirements list, not before.

RoleWhat it does
Next-gen firewallsThe core of the design: zoning, NAT, IPS, antivirus, URL filtering, VPN termination — desktop class to HA rack pairs, chosen by inspected throughput.
Log & report platformCollects firewall and behavior logs, keeps them for your retention period, and turns them into the reports auditors actually accept.
Anti-DDoS appliances (when justified)Dedicated scrubbing in front of heavily published services — for most companies the firewall's flood controls plus carrier support is the right-sized answer, and we say so.
Core / DMZ switchesCarry the segmented zones and connect published servers — the physical layer that makes the zone drawing real.
Signature & category licencesIPS signatures, antivirus databases and URL categories are living, licensed services — we state plainly which functions need them and for how long.
Endpoint protection (your side)Not our box to sell here — but the gateway design assumes endpoints have their own protection and offline backups exist. We will not pretend the edge replaces them.

Send us your requirements list — user count, bandwidth, published services, retention rules — and the model list follows. That order keeps the design honest.

Design Notes & Honest Limits

Read this before you commit:
  • A firewall alone will not save you from a phishing email. The edge blocks what it can see; ransomware defense also needs endpoint protection, offline backups and trained people. We design the edge layer and name the other layers explicitly.
  • Inspected throughput is far below the headline number. With IPS, antivirus and HTTPS inspection on, real capacity can be several times lower than the datasheet's best case — we size on the inspected figure with headroom, and show you the math.
  • DDoS bigger than your internet pipe cannot be fixed at your gateway. Once the flood fills the line upstream, mitigation must happen at the carrier or a scrubbing service — we design the first line here and help you arrange the upstream part.
  • Licensing policy and product availability differ by brand and destination country — and for security functions the signature subscriptions matter as much as the box. We check and confirm both for your country at the design stage, before you commit.
  • Employee-monitoring rules differ by country. The audit functions here are standard practice in most markets, but what you may log and for how long is local law — we implement the technical side and flag where counsel should confirm.

FAQ

Will a firewall stop ransomware?
Alone, no — and anyone who says otherwise is selling. A well-configured edge blocks known bad destinations, exploit traffic and command-and-control callbacks, and segmentation stops one infected PC from reaching your backups. But ransomware defense is layered: gateway controls, endpoint hygiene, offline backups and trained staff. We design the gateway layer and tell you plainly where the other layers must come from.
How do I size a firewall correctly?
By inspected throughput with your features enabled — IPS, antivirus, HTTPS inspection — at your real traffic mix, not the headline number on the datasheet, which is measured with everything off. As a rule the throughput with full inspection can be several times lower than the headline. We size from your user count, bandwidth and enabled features, with headroom.
Can we see and control which websites employees visit?
Yes. URL category filtering and application control decide what is reachable during work hours, and audit logs record what was visited when. Rules differ by country on employee monitoring — we implement the technical side and flag where local law needs checking.
What is a DMZ and can I host my website safely?
A DMZ is a separate firewall zone for servers the internet must reach — web, mail, VPN. If a DMZ server is compromised, the attacker is still outside your internal zone. Publishing through the DMZ with NAT and strict rules is exactly how a company website should be hosted on-premises.
Do the protection features need ongoing subscriptions?
Yes — IPS signatures, antivirus databases and URL categories update continuously and are licensed services. This is normal across all firewall vendors. We state clearly at design stage which functions are licensed, for how long, and confirm each brand's licence policy for your destination country before you commit.

Send us your user count, bandwidth and what you publish to the internet

An engineer replies with a zone design, a policy outline and the equipment-category list. Send us your requirements list — the model list follows.

WhatsApp an engineer →

Related Solutions