Advice Request Smart Firewall for Protection of IoT Devices - Are you using any?

HarborFront

A Smart Firewall is a hardware device used for protecting your home IoT devices, e.g. smart TV, smart fridge, smart IP cameras, smart window/door sensors, smart door lock, smart door bell, smart smoke detector/alarm, smart watch, smart lights, connected hub etc. Of course you can have it protect your PC, laptop, tablet etc. as well.

If you have a high-end router that comes with IoT protection built-in then there's no need to have a Smart Firewall.

They can be found here

The 15 best firewall devices to protect your home network
5 Best Home Firewalls 2017 | iReviews

Missing from the lists is the Norton Core.

Generally,

1) they protect your IoT devices by connecting to their company's cloud with proprietary technology for threat analysis, using machine learning and behavioral analysis
2) they use a subscription-based service, especially after the free first year, for protection and monitoring services. RATtrap and CUJO are subscription-free
3) they are not meant to replace your existing router, but some (like Norton Core and F-Secure SENSE) promote themselves as such. The router features are mid-range and cannot compare to top-of-the-line competitor routers
4) their cloud AV/AM protection is questionable unless they belong to the top AV/AM companies like BitDefender, Norton etc.

The eBlocker Pro deserves a separate mention. It is a unique device (not a smart firewall) that provides secure privacy protection... something not found even in high-end routers with IoT protection.

Products - eBlocker.com

Are you using any of such Smart Firewall to protect your home IoT devices? Like to share your experience?
 

ForgottenSeer 58943

Are you using any of such Smart Firewall to protect your home IoT devices? Like to share your experience?

Smart Firewall is slightly a misnomer. These are basically home UTM appliances, which many feel (myself included) will become essential home devices very quickly here. Their importance is illustrated with recent events, especially Meltdown/Spectre, where some of them already provide IPS identification of attempts to exploit those vulnerabilities. Some modern UTMs also block bitcoin mining activity.

Nevertheless, yes I use them, actually in my case I use two of them. One primary, a secondary in transparent.


HarborFront

Smart Firewall is really a misnomer. These are basically home UTM appliances, which many feel (myself included) will become essential home devices very quickly here. Their importance is illustrated with recent events. Especially Meltdown/Spectre where some of them already provide IPS identification of attempts to exploit those vulnerabilities. Some modern UTM's also block bitcoin mining activity.

Nevertheless, yes I use them, actually in my case I use two of them. One primary, a secondary in transparent.


Does yours protect against privacy compromise like the eBlocker Pro?
 

HarborFront

I have Adguard, Eset, DNS watch and... for this purpose. I don't like the concept! They are also expensive.
Do those mentioned programs protect your privacy, like against the user profiling the eBlocker Pro offers protection from?

And those mentioned programs are installed on your PC only. They cannot offer protection for, say, your smart TV, smart fridge, smart IP cameras, smart window/door sensors, smart door lock, smart door bell etc.

You need something to protect your home-wide IoT devices and that would mean incorporating into your router or as a complement to your router
 

Sunshine-boy

You can buy the Asus RT-AC86U, which supports VPN in the router! I can't see anything special with eBlocker (ad blocker? Adguard. VPN? Some Asus routers support VPN. Malware & phishing? Eset!)
 

HarborFront

You can buy the Asus RT-AC86U, which supports VPN in the router! I can't see anything special with eBlocker (ad blocker? Adguard. VPN? Some Asus routers support VPN. Malware & phishing? Eset!)
eBlocker is a device which offers secure privacy as below

1) No software needed as it's a PnP device
2) No WiFi (not needed if connecting to existing router). Connects using LAN
3) Protects against ads/trackers/user profiling
4) Can customize to individual requirements per device and user
5) Anonymizes your online behavior using the TOR function
6) Stops dynamic pricing based on device fingerprints
7) Prevents credit scoring based on user profiles
8) Stops behavioral targeting based on user profiles
9) Protects your intimacy based on personal profiling
10) Parental controls
11) Protects inappropriate content. User can select predefined categories
12) User can self update filter lists and new features. This non-binding offer can be changed without notice at any time
13) Supports VPN
14) Browser protection - malware and phishing
15) Device cloaking - cloaks your device, you can choose to simulate a different device
 

ForgottenSeer 58943

Does yours protect against privacy compromise like the eBlocker Pro?

Some aspects, not all. For example, ads, tracking and telemetry are readily blocked. However there are no 'anonymizing' technologies in these types of UTM devices and there probably never will be, as their focus is deployment in corporate/enterprise environments and hardening networks from threats.

The problem with items like eBlocker is VPN speed. Tor is slow. VPNs are slow. I have a 500Mbps connection right now (used to be 1000Mbps); the fastest VPN I can find is PIA, which can get me close to 150Mbps sustained. I tested 14 VPNs and that was the fastest. Also the throughput of eBlocker can't be impressive due to the limited horsepower of the Pi. It might be good for slow connections or to take traveling. In fact, I have a few Pi3's laying around; I might build an eBlocker just to take to hotels and crap.

One of the ways I anonymize traffic coming from my IP is to use something I call PhormFK that I programmed. It runs on the server and sends 1.5 million searches and web clicks, and draws the sites from RSS feeds. So anyone sniffing my traffic would have to first filter through 1.5 million piles of trash mixed in with it. This program runs contained in a VM on a DMZ isolated at the physical port level from the other internal subnets. I call it 'chaffing' for privacy. It's a piece of some of the undisclosed technology I run here. :) One of the ways I test security products under isolated but high-risk conditions is to simulate a 'clicker' environment with these kinds of tools, but when we set the values really high they become tools for chaffing the internet activity.
 

HarborFront

Some aspects, not all. For example, ads, tracking and telemetry are readily blocked. However there are no 'anonymizing' technologies in these types of UTM devices and there probably never will be, as their focus is deployment in corporate/enterprise environments and hardening networks from threats.

The problem with items like eBlocker is VPN speed. Tor is slow. VPNs are slow. I have a 500Mbps connection right now (used to be 1000Mbps); the fastest VPN I can find is PIA, which can get me close to 150Mbps sustained. I tested 14 VPNs and that was the fastest. Also the throughput of eBlocker can't be impressive due to the limited horsepower of the Pi. It might be good for slow connections or to take traveling. In fact, I have a few Pi3's laying around; I might build an eBlocker just to take to hotels and crap.

One of the ways I anonymize traffic coming from my IP is to use something I call PhormFK that I programmed. It runs on the server and sends 1.5 million searches and web clicks, and draws the sites from RSS feeds. So anyone sniffing my traffic would have to first filter through 1.5 million piles of trash mixed in with it. This program runs contained in a VM on a DMZ isolated at the physical port level from the other internal subnets. I call it 'chaffing' for privacy. It's a piece of some of the undisclosed technology I run here. :) One of the ways I test security products under isolated but high-risk conditions is to simulate a 'clicker' environment with these kinds of tools, but when we set the values really high they become tools for chaffing the internet activity.
Those Smart Firewalls mentioned are for home use (not even at server level), so don't mix them up with corporate ones.
 

HarborFront

Just did short evaluations on some Smart Firewalls

1) BitDefender Box 2, Bullguard DOJO and Norton Core are only available in the US.

2) F-Secure SENSE wants you to use theirs as the main router. Also the case for Norton Core.

3) CUJO needs my Portal Router to be in Bridge Mode, and a second router as DHCP server is required. Max bandwidth is about 650Mbps, tested at smallnetbuilder.com

4) RATtrap max bandwidth is about 250Mbps. My fibre broadband speed is 1Gbps. Also, not working according to one YouTuber

5) From the 2nd link in the first post, eBlocker's max bandwidth is about 200Mbps. I'll be bottlenecked if I use this

I think I'm running out of choices

:(
 

DeepWeb

Recently updated my AT&T Gateway. The firewall it has is more than sufficient, oftentimes too good. It drops all packets that the host computer does not request in a legitimate exchange.

-Integrated firewall includes stateful packet inspection (Layer 4)
-local IP spoofing verification
-Supports stealth mode operation
-Unique signed security certificate manufactured into each gateway for TR-069 management authentication

The most important is probably the first one. As long as your devices are behind a good hardware firewall and they stay updated, there should be little risk. I would be more worried about social engineering.
 

HarborFront

I say you all forgot about ASUS and their AiProtection from Trend, free and no annual cost.
AiProtection – Commercial-Grade Security for Your Home Network

Nope I have not.

In fact I moved from using ASUS RT-AC5300 to the Portal Router

The reasons being Portal

1) has Dynamic Frequency Selection (DFS) for congestion-free surfing
2) has a much better privacy policy than Trend Micro. FYI, Trend Micro is collecting a lot of your personal info

Yes, although the Portal Router's spec is not as high-end as the ASUS RT-AC5300, the Portal Router is adequate to cover my whole house.

Unfortunately, the Portal Router does not come with AV/AM and privacy compromise protection for IoT devices so I'll need a Smart Firewall and eBlocker to do that. I have already mentioned in my starting post that if you do have a high-end router with IoT protection built-in then you don't need a Smart Firewall

Portal WiFi - Home
 

lunarlander

I was just looking at CSO's advice on protecting IoT devices. 8 tips to secure those IoT devices

It is a little old (Jun 2018). But here's what I gathered from the article.

It recommended putting the IoT device into a separate network. I do that. My Wi-Fi network is on a separate router. And that router links my Google Home and an obsolete smart phone, which runs the app for controlling the Google Home as well as Spotify.

The article also recommends using different passwords for each device. I use a separate Gmail account for the obsolete Android smart phone, and it is also the Gmail for running the Google Home. Got to limit the damage.

Turn off UPnP. Did that, turned off at router.

Use the latest firmware for the IoT device. Don't see any firmware update option for Google Home in the app. I theorize that the Google Home is just a microphone and speaker with TCP/IP and all the intelligence is at Google's servers.

Be wary of Cloud Services. Can't help with that one. Google Home and Spotify both need cloud servers.

Track and assess devices. I only have 1 Google Home. No smart lights, etc. However, this part of the defense is weak right now. I do have a router with SPI, and syslog is enabled. But I think if I put my spare pfSense to use, I can do better.

In essence, my Wi-Fi network is untrusted territory and low security. I can't even enable AP Isolation or else Spotify won't communicate with Google Home. Confidentiality is out the door because Google Home is Google and they want to know everything. Integrity is somewhat protected with a WPA2 key, but the Google Home app can be attacked and has been compromised before (of course I reset the smartphone, but that doesn't stop future attacks). I currently firewall the stupid app into oblivion until I need to configure the Home. Availability is also out, because spoofed DoS attacks can come in from the internet.

So I guess confidentiality is out. Integrity is somewhat OK. And availability is as good as it can get for a residential site.

Are there things I can do to improve? I feel like I need to protect the Google Home more. But then, I always feel that security always needs to be improved. Risk-based evaluation says I don't need to spend more than the cost of the Google Home and my Spotify yearly subscription.

Hey HarborFront, what high end routers are you thinking of?
 
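As an added example (not from the thread and not from any product mentioned in it), here is a small Python check that applies the "separate network", "turn off UPnP" and "track and assess devices" tips above to a router's firewall syslog: it inventories the devices seen on an isolated IoT segment and flags traffic that breaks the isolation, SSDP/UPnP discovery chatter, and inbound connections allowed from outside. The subnets and the log line format are constructed assumptions for the example, not pfSense's real filterlog format.

```python
"""Inventory and policy check for an isolated IoT Wi-Fi segment, driven by
router firewall syslog. The log format below is a constructed simplification."""
import ipaddress
from collections import defaultdict

IOT_NET = ipaddress.ip_network("192.168.50.0/24")   # assumed isolated IoT segment
LAN_NET = ipaddress.ip_network("192.168.1.0/24")    # assumed trusted LAN segment
SSDP_PORT = 1900  # UPnP discovery; seeing it means UPnP is not fully switched off

# Constructed sample lines: "<action> <proto> <src>:<sport> -> <dst>:<dport> mac=<src mac>"
SAMPLE_LOG = """\
pass udp 192.168.50.12:45000 -> 8.8.8.8:53 mac=aa:bb:cc:00:00:12
pass tcp 192.168.50.12:51000 -> 142.250.0.1:443 mac=aa:bb:cc:00:00:12
pass tcp 192.168.50.12:51001 -> 192.168.1.20:445 mac=aa:bb:cc:00:00:12
block tcp 203.0.113.9:40000 -> 192.168.50.12:8008 mac=00:00:00:00:00:00
pass tcp 198.51.100.7:40001 -> 192.168.50.12:8008 mac=00:00:00:00:00:00
pass udp 192.168.50.30:1900 -> 239.255.255.250:1900 mac=aa:bb:cc:00:00:30
"""

def parse_line(line):
    """Split one constructed log line into typed fields."""
    action, proto, src, _, dst, mac = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"action": action, "proto": proto,
            "src": ipaddress.ip_address(sip), "sport": int(sport),
            "dst": ipaddress.ip_address(dip), "dport": int(dport),
            "mac": mac.split("=", 1)[1]}

def assess(log_text):
    """Return (inventory, findings): devices seen on the IoT segment, keyed by
    MAC, and the policy violations worth a look."""
    inventory = defaultdict(set)   # mac -> {ip addresses it used}
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec["src"] in IOT_NET:
            inventory[rec["mac"]].add(str(rec["src"]))
            if rec["dst"] in LAN_NET and rec["action"] == "pass":   # isolation gap
                findings.append(f"{rec['src']} reached LAN host {rec['dst']}:{rec['dport']} (isolation gap)")
            if rec["dport"] == SSDP_PORT:                             # UPnP still chatting
                findings.append(f"{rec['src']} sent SSDP/UPnP discovery (UPnP not fully disabled)")
        elif rec["dst"] in IOT_NET and rec["action"] == "pass" and rec["src"] not in LAN_NET:
            findings.append(f"inbound {rec['src']} -> {rec['dst']}:{rec['dport']} allowed from outside")
    return {m: sorted(v) for m, v in inventory.items()}, findings

if __name__ == "__main__":
    inv, issues = assess(SAMPLE_LOG)
    print("devices on IoT segment:", inv)
    for issue in issues:
        print("!", issue)
```

Blocked inbound attempts are not reported, since that is the SPI firewall doing its job; only accepted traffic that contradicts the segment policy is flagged.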
