Hardware Firewall

What's a decent firewall to protect your home network? I understand that my AC66U has one but was just curious what advantages a dedicated one has over Windows Firewall on each PC/Server and the one built into the router?

Cheers
 
If by "Firewall in your router" you mean NAT, then I guess. It certainly won't have any form of IDS/IPS. Of course whether you need it or not for home use is certainly up for debate.

I doubt that I'd have a hardware firewall if it weren't mainly being used for my studies (ASA5510).
 
I run a SonicWall TZ205 - but I got it silly cheap and I'm not sure what I'll do when the 3-year subscription is up. Works very well and has VPN built in etc.
 
For home networks, as long as you have a decent router, most firewalls built into that are pretty decent.

I am after a small firewall for a small business. Eventually they will be going down the route of VPN (RAS only) and guest wifi, but I am not sure whether to go for a wifi-based firewall or just get a standard wired firewall and a separate smart access point.

I was looking at SonicWall, as I used to be a partner with them in a previous company, but since they changed to Dell I'm not so sure.

Also been looking at picking up a cheap Cisco ASA 5505 for possibly £100 off the bay if I can find one with a working power supply.

Don't really want them having a Checkpoint, and I've not dealt with WatchGuard. Do you think a DrayTek router with built-in firewall would be OK for a small business? I need the option for guest wifi too.
 
I am after a small firewall for a small business.

...

Don't really want them having a Checkpoint, and I've not dealt with WatchGuard. Do you think a DrayTek router with built-in firewall would be OK for a small business? I need the option for guest wifi too.

Gone off DrayTek a bit recently, as I've just had two 3200s playing up at work due to poor-quality PSUs (swapped for new PSUs - good for a while and then the problems start again).

Ended up swapping out for a Cisco Small Business RV082 (still a small business router, but as a bonus it has a proper "kettle" power lead).

Ubiquiti EdgeRouters are supposed to be pretty good and I believe you can do VPN etc on them, although not for me personally as I'm not a fan of doing everything via CLI.

https://www.ubnt.com/products/#all/routing
http://lg.io/2015/01/11/the-ubiquit...cost-enterprisegrade-router-for-home-use.html
 
I may just go for an ASA 5505 if I can pick one up at a decent-ish price, and just get a separate smart access point for their wireless.
 
Juniper SRX would be my choice for small business still (unless your budget will run to Palo Alto). In any case though, my advice these days is to use the virtualised versions, at the low end performance is far superior to the low end hardware and price (even including hardware) is very competitive.
 
Juniper SRX would be my choice for small business still (unless your budget will run to Palo Alto). In any case though, my advice these days is to use the virtualised versions, at the low end performance is far superior to the low end hardware and price (even including hardware) is very competitive.


Given you can get an ASA 5505 for the price you would be paying for a small Juniper SRX, I think I may just go for the Cisco.

I don't really want to go down the realms of virtualising firewalls, as they don't use virtualisation in this small unit; they don't really have much running on servers apart from a file server and backups.
 
I'd rather just get a hardware firewall in place if I am honest, less to worry about. I am trying not to support too much for them, so adding a machine to sit it on rather than an appliance just adds to the equation.

Some of the ones coming up on the bay are licensed.
 
I was looking at pfSense last night, and wondering if it is really better than a stand-alone router at tasks like this. Routers have dedicated hardware optimised for these tasks whereas a PC does not, so does it really bring an advantage to use pfSense?
 
I was looking at pfSense last night, and wondering if it is really better than a stand-alone router at tasks like this. Routers have dedicated hardware optimised for these tasks whereas a PC does not, so does it really bring an advantage to use pfSense?

It's more the other way around. Having dedicated processing for routing etc on-board allows them to use silly small specs, for example a 500MHz CPU with 128MB RAM. That's great for a little low end gateway and DHCP server, but for anything 'proper'?...

Any self-built machine for pfSense or similar will have ample hardware grunt for even high end routing etc. You can build a quad, hex or more core system with 16GB, 32GB or upwards of RAM in a tiny mITX box with a laptop wireless card, quad port NIC and m.2 SSD pulling 10 watts under full load while routing gigabit+ on the WAN.

Good luck trying to run a UTM on a commercial plastic router box. :p With a small self built system you could run pfSense or Sophos UTM Home (both free) with built in routing, firewall, IPS, antivirus, antispam, squid proxy, filtering, endpoint protection, VPN server and client, mail server, domain directory, web services and God only knows what else. Much better! I'm just about to build a new one.
 
I was looking at pfSense last night, and wondering if it is really better than a stand-alone router at tasks like this. Routers have dedicated hardware optimised for these tasks whereas a PC does not, so does it really bring an advantage to use pfSense?

If you are looking for a one-box solution (modem, router, WiFi) the dedicated units are great. But I've used dedicated firewalls for years now and would never go back. I would miss the features too much. OPNsense is the best I've seen for a long time. Was using the Sophos UTM home edition before that but couldn't get it to install on my old PC.

Running OPNsense on my old PC has pretty fast throughput as well. Certainly fast enough for me.
 
I have a Core 2 Duo Acer L3600 (2.4GHz) with 3GB RAM, so was wondering if this would be suitable for such a task as firewall, packet inspection etc. It is a very small unit so easy to locate somewhere. (It is smaller than the Comcast-supplied router!)

And I just realized I am hijacking this thread...
 
Please be aware that the sort of throughputs you see now on FTTC/Cable connections are going to be limited if you use a relatively low end firewall that is a few generations old. An ASA 5505 is a comparatively ancient piece of kit, and you're stuck with the terrible ASDM or doing everything on the CLI.

If you're comfortable with ASAs then go for the Cisco by all means. If you're still weighing up options then I'll throw FortiGate into the mix.
 
I was referring to the type of licence it comes with. Some only come supporting a limited number of users.

They have around 8 users. Don't worry, I will do any checks first.



Please be aware that the sort of throughputs you see now on FTTC/Cable connections are going to be limited if you use a relatively low end firewall that is a few generations old. An ASA 5505 is a comparatively ancient piece of kit, and you're stuck with the terrible ASDM or doing everything on the CLI.

If you're comfortable with ASAs then go for the Cisco by all means. If you're still weighing up options then I'll throw FortiGate into the mix.


I can't remember the WAN throughput on these, but they are not likely to get more than 30Mb or need any more than that anyway.

They are currently on a BT wires-only circuit giving them about 15Mb. I am going to look at FTTC but I wouldn't think they would get much more.

It's not yet anyway, I have other tasks to sort for him first.
 
If by "Firewall in your router" you mean NAT, then I guess. It certainly won't have any form of IDS/IPS. Of course whether you need it or not for home use is certainly up for debate.

I'd be interested to know how many people are running IPS at home, what and why, as I have both a personal and professional interest in the subject!

To me, when someone says firewall I still think of an ACL-based system that controls access to resources based on rules, none of this extra and faffy network stuff ;)

Going through some stuff at work at the moment and we're interested in knowing what people mean/think from a feature point of view when you say 'firewall'. So far the main things over and above your standard rules are NATing, routing and VPN, but I'm interested to hear what anyone else thinks of when they hear/say firewall :)
 
When I think firewall now I think of something a bit more fancy than an ACL that filters based on IP addresses and ports. To me a firewall is something that can scan traffic allowed into the network rather than having to rely on whether traffic is allowed as a simple yes/no answer. Case in point - when the OpenSSL vulnerabilities were blowing up last year there were several UTM vendors that had signatures updated the same day to ensure that vulnerable devices were still protected as long as connections were made through the UTM (and obviously the security features were turned on).

However, that sort of processing is quite expensive in terms of CPU usage, so if you have a gigabit fibre connection at home then it's unrealistic to expect to be able to afford that sort of protection. Just keep an eye on your ACLs and keep your software up to date.

In terms of definitions, it's obviously getting blurred since routers have been simple firewalls for a very long time now, and some things called "routers" also contain switches and wireless APs.

The terminology I tend to use is:
  • Router - Job is to route packets (duh), runs a routing protocol, contains basic ACL functionality, performs NAT.
  • UTM (Firewall) - Primarily a security device. Won't handle edge routing protocols but may do internal ones. Also performs NAT. Operates at layer 7 to perform real-time analysis and scanning of packets. May also terminate VPN.

I have some UTM kit at home because it's either been included as part of a training course or it's being evaluated. I would never go and spend the sort of cash that these boxes cost for a home network.
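As an added illustration of the "ACL-based system" definition above, and of the guest wifi separation asked about earlier in the thread, here is a constructed pf ruleset of the kind pfSense/OPNsense generate under the hood; it is not from any post in the thread, and the interface names, subnets and the OpenVPN port are assumptions.

```pf
# Constructed example: pf rules of the kind pfSense/OPNsense generate.
# Interface names, subnets and the OpenVPN port below are assumptions.
ext_if   = "em0"   # WAN, addressed by the ISP
lan_if   = "em1"   # office LAN (file server, backups, staff PCs)
guest_if = "em2"   # port feeding the separate guest Wi-Fi access point
rfc1918  = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"
vpn_port = "1194"  # OpenVPN listener for the remote-access (RAS only) users

set skip on lo0

# Hide both internal networks behind the WAN address.
nat on $ext_if from { $lan_if:network, $guest_if:network } to any -> ($ext_if)

# Default deny with logging: the plain ACL behaviour the thread calls a "firewall".
block log all

# Drop packets arriving on an interface that does not match their source network.
antispoof quick for { $lan_if, $guest_if }

# WAN: only the VPN listener is reachable from the internet; everything else stays blocked.
pass in quick on $ext_if proto udp from any to ($ext_if) port $vpn_port keep state

# Guest Wi-Fi: DHCP and DNS from the firewall's own resolver, then internet only.
pass in quick on $guest_if proto udp from any port 68 to any port 67
pass in quick on $guest_if proto { tcp, udp } from $guest_if:network to ($guest_if) port 53 keep state
# No path from guests to the office LAN, the firewall's other addresses, or any private range.
block in log quick on $guest_if from any to $rfc1918
pass in quick on $guest_if from $guest_if:network to any keep state

# Office LAN: unrestricted outbound, and the only network allowed to manage the firewall.
pass in quick on $lan_if proto tcp from $lan_if:network to ($lan_if) port { 22, 443 } keep state
pass in quick on $lan_if from $lan_if:network to any keep state

# State entries created above let replies flow; new outbound traffic leaves via the WAN.
pass out quick on $ext_if keep state
```

Because every rule is tagged `quick`, the first match wins, so the guest block against private ranges must sit after the DHCP/DNS passes and before the general guest-to-internet pass, and `block log all` catches anything not explicitly listed.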
 