Battle pfsense vs Gryphon

Compare list
pfsense: https://www.pfsense.org/
Gryphon Router: https://gryphonconnect.com/
trujax

Level 1
Thread author
Verified
Sep 19, 2017
31
I currently have pfsense running, mostly trouble free, but occasionally some of the block lists in pfblockerng can get a little over-zealous, which raises some usability issues as there is no app to manage. Constantly needing to log into the web gui to make changes can be a little burdensome. Paid Snort and Clamav, with 3rd party signatures and google safe browsing, also active. I already own a Gryphon router, and have used it before, but ended up taking it out due to some conflicts with my old wifi mesh. Other than the conflict, I felt it provided good security, other than the web filtration, which always seemed a little lackluster to me. I assumed they used zvelo, but it would pass sites through I know zvelo would catch.

I am curious what the general consensus is between these two, in terms of which provides the best protection, particularly as it pertains to IOT, as I have many devices on my network.

blackice

Level 38
Verified
Top Poster
Well-known
Apr 1, 2019
2,730
I think Gryphon is more plug and play, but you already know pfsense. I vote for Gryphon for IoT, it uses machine learning to figure out what is normal behavior and blocks when it deviates. However I’ve never had it block anything, so it’s really a toss up for you. You definitely have more granular control over your network as it is. If you want fine tuned control use what you have, if you want set and forget then the Gryphon is great.
 

ForgottenSeer 58943

pfSense is mostly trash, especially since Chris left and went to Ubiquiti. They won't admit it, but it is mostly in maint. mode at this time. Snort is pretty good. Clam is mostly trash. Bro is OK on pfSense, Suricata ain't too bad. But honestly, pfSense has a lot of bugs, reliability issues, and well, some bugs that have been there for years that can cause you to have to rebuild the box if the IPtables won't populate. It drove me insane.

I know pfSense has a cult following and anyone that disparages it basically crucified Jesus. But truth is hard to deny.

As for Gryphon, while I agree that at times the web filtration appears anemic, I think they are more conservative with it than they should be at times. The adblocking is very very robust and effective.

Here's a trick to lock down IoT with Gryphon. Designate the IoT device as a computer, which YES, turns off the AI/ML for that device. But set the age limit to TODDLER, and enable all of the security features. What will happen is Gryphon will block ALL ingress/egress for that piece of IoT, and you will have to manually whitelist the top level domains of what you want the IoT to connect with. This works as a hard lockdown for all pieces of gear under Gryphon.

You can use Gryphon to find backdoors in Chinese IoT (and almost all have it). For example one of the top selling cameras on Amazon has 2 legitimate connections, and 1 connection to the Chinese Military. I was testing it in the home and used the above Gryphon lockdown method and found it in a few minutes.

pfSense is OK, but Gryphon is going to provide range, stability, speed, and if you know how to stroke it, unprecedented security and lockdown capabilities.
 

trujax
I am good with the “zero trust” model and locking down connections, but always felt like the lack of visibility in Gryphon made that challenging. Would all of the blocks show up in notifications?

Is there any UTM build you would go with over Gryphon?
 

trujax

> I think Gryphon is more plug and play, but you already know pfsense. I vote for Gryphon for IoT, it uses machine learning to figure out what is normal behavior and blocks when it deviates. However I’ve never had it block anything, so it’s really a toss up for you. You definitely have more granular control over your network as it is. If you want fine tuned control use what you have, if you want set and forget then the Gryphon is great.

This was partly my concern with Gryphon, and really any new, supposed AI IOT security. They are creating baselines of behavior and looking for anomalous connections/activity. The problem is that, like ForgottenSeer 58943 mentioned, if the behavior is hardcoded or already present, it becomes part of the baseline. If locking down the content filtering pushes all Block logs into the notification screen, that at least provides some vehicle to combat it.
 

ForgottenSeer 58943

> I am good with the “zero trust” model and locking down connections, but always felt like the lack of visibility in Gryphon made that challenging. Would all of the blocks show up in notifications?
>
> Is there any UTM build you would go with over Gryphon?

Set up Gryphon for zero trust. At that point you have to manually whitelist. Everything will be blacklisted. That's how I roll with it. For example my DVRs can only communicate specifically - program updates. Everything else is completely blocked.

As noted, the baseline becomes untrustworthy things with most systems that use AI/ML and that is what I want to avoid. For example D-Link cameras will always dial home to D-Link when they do not need to if you run a local camera server. But D-Link call backs will become part of the baseline for IoT security on an AI/ML router... Zero trust or default deny on Gryphon, IMO, is the best way to roll with it.

Aside from Gryphon I don't have too many recommendations, especially in the home market. The home stuff really all just sucks compared to Gryphon. You'd have to go to Fortinet, Sophos or Untangle for anything much better but now you are broaching SMB/SOHO territory.
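An added illustration of the baseline problem discussed above (my own sketch, not Gryphon's or pfSense's logic; the hostnames and log entries are constructed): a learned "normal behaviour" baseline silently absorbs a vendor callback that was present from day one, while a default-deny allowlist flags it no matter when it first appeared.

```python
"""Learned baseline vs. default-deny allowlist for one IoT camera's egress."""

# Constructed sample egress records: (day, destination host).
# The vendor callback is present from the very first day, exactly the case
# the thread describes (hardcoded phone-home traffic present before learning).
CAMERA_LOG = [
    (1, "nvr.lan"), (1, "time.nist.gov"), (1, "callback.vendor.example"),
    (2, "nvr.lan"), (2, "time.nist.gov"), (2, "callback.vendor.example"),
    (3, "nvr.lan"), (3, "callback.vendor.example"),
    (4, "nvr.lan"), (4, "time.nist.gov"), (4, "callback.vendor.example"),
    (5, "nvr.lan"), (5, "update.vendor.example"),  # first seen on day 5
    (5, "callback.vendor.example"),
]


def learn_baseline(log, learning_days):
    """Anomaly-style approach: every destination seen during the learning
    window becomes 'normal', whether or not it should be."""
    return {host for day, host in log if day <= learning_days}


def anomaly_alerts(log, learning_days):
    """Flag only destinations outside the learned baseline, after the window."""
    baseline = learn_baseline(log, learning_days)
    return sorted({host for day, host in log
                   if day > learning_days and host not in baseline})


def default_deny_alerts(log, allowlist):
    """Zero-trust approach: anything not explicitly allowed is flagged,
    regardless of when it was first observed."""
    return sorted({host for _, host in log if host not in allowlist})


def missed_by_baseline(log, learning_days, allowlist):
    """Destinations the allowlist catches but the learned baseline never will."""
    return sorted(set(default_deny_alerts(log, allowlist))
                  - set(anomaly_alerts(log, learning_days)))


if __name__ == "__main__":
    allowed = {"nvr.lan", "time.nist.gov"}   # what the camera actually needs
    print("anomaly detector flags:", anomaly_alerts(CAMERA_LOG, 3))
    print("default-deny flags:    ", default_deny_alerts(CAMERA_LOG, allowed))
    print("absorbed into baseline:", missed_by_baseline(CAMERA_LOG, 3, allowed))
```

The baseline learner only reports the day-5 update host; the callback that ran from day one is never flagged, which is exactly why the allowlist approach is the safer default for gear you do not trust.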
 

ForgottenSeer 58943

The good part is, there really isn't any way to hack a Gryphon. It quite easily detects MAC spoofing. It doesn't have any common exploitable ports/protocols open. (No UPNP, SSH, Telnet, none of it) No Web Gui for XSS exploits. No logging sent out to have logging intercepted and exploited. The update channel is encrypted and decentralized. The app itself is pinned to the Gryphon based on the PHYSICAL scan code on the gryphon which is stored locally, and then behind your account and account credentials. Everything flows through encrypted channels between the Server and App.

A lot of guys I know have worked hard. VERY hard. Over many weeks, and even months to break apart the Gryphon and compromise it and it hasn't happened. As such, I feel it is perhaps the most hardened router ever made for the home. Even Gryphon support has no way to examine your device. If you are having issues they cannot pin down, they have to send you a specific developer-unit to put on your network, and even then, you have to provide a way to give them remote access.

Gryphon is one of the few devices I can put on my home and not get hacked, compromised or knocked out.

trujax
Well, good in theory, bad in practice. Setting up zero trust with the Toddler setting definitely locks down everything. The problem is when things don't work properly, the logging capability is lacking, and you are unable to troubleshoot effectively. From having Untangle & pfsense in the network prior, the logging is night and day compared to Gryphon. But...I get it, different target markets.

I will keep Gryphon active for the time being and test it out some more.