The Network Edge: What NSA Guidance Gets Right (and Why It’s Still Hard to Implement)

If you found this blog post interesting you might also enjoy our regular series of webinars about practical ways to improve the security of people working outside the office.

Every now and then, cybersecurity advice from national agencies hits exactly the right note. The NSA, CISA, GCHQ and others have recently published guidance focused on mitigating the risks of edge devices, and for anyone working in IT or security, it reads like a checklist of issues they’ve been quietly struggling with for years.

The documents are relatively technical and designed for practitioners. But the core message is simple: if you don’t control the infrastructure someone is connecting from, you can’t assume it’s secure. That message aligns very closely with what we see at Loxada every day.

The edge that no one owns

The NSA defines network edge devices as those that sit between external and internal networks, such as routers, VPN concentrators and gateways. In enterprise environments, these devices are typically known and controlled.

But for a large and growing number of organisations, the edge doesn’t sit at a single firewall or data centre. It lives in homes, client offices, serviced workspaces, hotels, and anywhere else your team plugs in. These are networks you don’t own and equipment you didn’t deploy. And yet, sensitive data still flows through them.

This is where the risk begins. According to the guidance:

“Edge devices are frequently targeted by malicious actors as entry points into networks. If not properly secured and maintained, they pose significant risk.”

That’s not alarmist. It’s accurate.

So why is it still hard to fix?

The NSA and its partners recommend a range of mitigation strategies: use secure-by-design devices, ensure automatic updates, prevent lateral movement, maintain known-good configurations, and centrally manage everything.

The advice is solid. But here’s the problem: most of these strategies depend on controlling the environment.

If a staff member connects from a serviced office where someone else runs the IT, from their home router, or from a client’s Wi-Fi, you can’t harden that infrastructure. You can’t see what firmware version it’s running. You can’t confirm whether patches have been applied. You don’t know if a compromised smart device is on the same network.

Even if you pre-configure routers or issue guidance, there’s a limit to what you can enforce. You can’t ensure that firmware doesn’t contain known vulnerabilities (many still do). You can’t guarantee nothing gets reset. And you can’t stop lateral threats from local devices if you’re relying on the user’s environment.

The result is a gap between the ideal technical controls and the real-world scenarios security teams are being asked to secure.

What the NSA says to focus on

The joint guidance is full of sensible, high-level advice. If you strip away the acronyms and protocols, here are the fundamentals they recommend for reducing risk at the network edge:

  • Use secure-by-design devices wherever possible
  • Replace or lock down default credentials and admin access
  • Apply firmware and software updates promptly (ideally, automatically)
  • Ensure devices always boot from a known-good state
  • Monitor devices and configurations centrally
  • Prevent lateral movement by isolating connected endpoints

It’s an excellent list. But as the authors acknowledge, implementing these measures consistently across distributed users is extremely difficult without the right tools or infrastructure in place.
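As an added illustration (not code from the NSA guidance or from Loxada's product), the sketch below turns the checkable items in that list into a central audit over device check-in reports. The report field names, the minimum firmware version, the 24-hour check-in window and the sample fleet are all assumptions constructed for the example; "secure-by-design" is a procurement decision and cannot be read from a report, so it is not checked.

```python
import hashlib
from datetime import datetime, timedelta, timezone

# Assumed policy values and report fields (hypothetical, not from the guidance).
MIN_FIRMWARE = (2, 4, 1)
MAX_CHECKIN_AGE = timedelta(hours=24)

def config_digest(config_text):
    """Hash a config after normalising line endings and trailing whitespace."""
    lines = [ln.rstrip() for ln in config_text.strip().splitlines()]
    return hashlib.sha256("\n".join(lines).encode()).hexdigest()

def parse_version(text):
    # Compare numerically: as strings, "2.10.0" would sort below "2.4.1".
    return tuple(int(part) for part in text.split("."))

def audit_device(report, baseline_digest, now):
    """Return the failed controls for one report; missing fields fail closed."""
    findings = []
    if report.get("default_credentials", True):
        findings.append("default-credentials")
    if parse_version(report.get("firmware", "0")) < MIN_FIRMWARE:
        findings.append("firmware-outdated")
    if not report.get("auto_update", False):
        findings.append("auto-update-disabled")
    if config_digest(report.get("running_config", "")) != baseline_digest:
        findings.append("config-drift")  # not in the known-good state
    if report.get("last_checkin") is None or now - report["last_checkin"] > MAX_CHECKIN_AGE:
        findings.append("checkin-stale")  # device has dropped out of central monitoring
    if not report.get("client_isolation", False):
        findings.append("no-client-isolation")  # lateral movement possible
    return findings

# Constructed sample data for illustration only.
BASELINE = "admin-access lan-only\nclient-isolation on\ntunnel hq always\n"
NOW = datetime(2025, 3, 1, 12, 0, tzinfo=timezone.utc)
FLEET = {
    "site-a": {"default_credentials": False, "firmware": "2.4.3", "auto_update": True,
               "running_config": BASELINE.replace("\n", "\r\n"),
               "last_checkin": NOW - timedelta(hours=2), "client_isolation": True},
    "site-b": {"default_credentials": False, "firmware": "2.10.0", "auto_update": True,
               "running_config": BASELINE.replace("lan-only", "wan"),
               "last_checkin": NOW - timedelta(days=3), "client_isolation": True},
    "site-c": {"default_credentials": True, "firmware": "2.3.9", "auto_update": False,
               "running_config": BASELINE, "last_checkin": NOW - timedelta(minutes=5),
               "client_isolation": False},
}

def audit_fleet(fleet=FLEET, baseline=BASELINE, now=NOW):
    return {name: audit_device(rep, config_digest(baseline), now) for name, rep in fleet.items()}
```

Calling `audit_fleet()` returns a mapping from site name to failed controls. A check like this only works for devices that report in at all, which is the control gap the post describes for routers the organisation did not deploy.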

Bridging the gap

This is the space Loxada was built for. Our system gives organisations a way to apply the principles in the NSA guidance, even in locations they don’t manage.

We supply routers that run our own locked-down firmware, replacing the manufacturer’s software entirely. The devices automatically tunnel traffic back to your secure environment, isolate connected endpoints from other devices on the same network, and check in centrally for updates and configuration enforcement.

No assumptions. No reliance on the end user. No dependence on whatever router they happened to pick up five years ago.

Conclusion: Use the guidance (but make it practical)

The NSA guidance on securing the network edge is worth reading. It outlines clear, smart steps for reducing exposure. But it also reveals a broader truth: effective security is only possible when you can actually control the environment.

That’s the part many organisations still struggle with.

If you’re trying to protect sensitive data that flows through unknown or unmanaged networks, the problem isn’t your policy, it’s your reach.

Loxada helps you extend that reach.

Further reading:
NSA press release on mitigating edge device risks

Contact us to talk about securing your network edge in real-world conditions.
