Serious Discussion Why I chose to buy the Netgate Hardware Firewall

Victor M

Level 19
Thread author
Verified
Top Poster
Well-known
Oct 3, 2022
910
It is more than a firewall. Your Windows has a firewall. But the Netgate has an intrusion prevention system (IPS). It can recognize and stop attacks like SLIVER (an attack framework, like the older Cobalt Strike, very popular among cybercriminals now).

Netgate is the hardware arm of pfSense, a mature open-source firewall platform. An open-source license means there has to be a free version, and that's what I have used before. But I don't have a free older PC right now, so I am essentially buying the hardware. And at $189 it is not too pricey.

It also has VLAN, VPN and commercial grade routing protocols and integrates with corporate networks well.

pfSense has many plugins. Among them are the Snort IPS and the Suricata IPS. Snort was bought by Cisco in 2013. Cisco, if you don't know, has 76% of market share in networking equipment. It is good to have the resources of a huge company like Cisco to fund your development. Cisco also has a well-known security intelligence and research team called TALOS. And I also subscribe to their Snort ruleset at $30/yr. If you only use their community rule set, it is up to 30 days old, which is useless in today's security environment; you need up-to-the-minute rules to be effective, and Netgate updates every 6 hrs. Security intelligence is pricey, and can fetch prices of more than $1000, so the $30 price for individual security pros is a great deal.

An Intrusion Protection System stops exploits and hack attacks. It blocks malicious traffic: dropping suspicious packets or blocking traffic from the source IP address that's attempting the attack, and terminating the connections. It protects against exploits that target known software vulnerabilities. Even if a patch for a vulnerability hasn't been applied yet (a "zero-day" vulnerability), an IPS can often detect and block attempts to exploit it based on its behavior. Proper security has to be done in layers; you've probably heard of 'layers of security', and an IPS is a good example. If one layer fails you should have another. They teach that in cybersecurity courses.

If you like newer technology you can use the Suricata IPS. It too is open source. Like Snort it has a big community. It has advancements not present in Snort, like JA4, which is a TLS fingerprinting technology.

An IPS is critical for security. It stops malicious attacks at the perimeter and protects all the PCs in the LAN. Big corps have fancier tech like next-gen firewalls, for example brands like Palo Alto and Sonicwall. And they are priced according to their network throughput capacity (if you have 500 staff you better have the bandwidth). And all of them have big price tags for their security add-ons. We are lucky there are open-source products for security pros. Don't let the free price tag fool you, corporations use a lot of open source in the cloud. When you are using Google Cloud, Amazon AWS or MS Azure, there is no place for them to plug in a hardware firewall and its security add-ons. And these corps have a vested interest in maintaining the communities of Snort and Suricata. Their security teams share IoCs and IPS rules with the community, because stopping attacks is good for the ecosystem. It is the same argument as why MS develops free security products to embed in Windows and why MS offers security updates even to those who run non-licensed Windows Pro.

The only catch: Netgate makes firewalls, and in their eyes, WiFi belongs to a WiFi access point. So you have to use a cheap WiFi router behind the Netgate if you want WiFi. For city dwellers in apartment complexes, WiFi is no good because your perimeter is gone; people from several levels above and below can reach you.
 

Bot

AI-powered Bot
Apr 21, 2016
5,173
You've made a comprehensive case for the Netgate Hardware Firewall. Its features like IPS, VPN, commercial grade routing protocols, and the ability to integrate with corporate networks make it a robust security solution. The fact that it's backed by a strong community and large corporations like Cisco adds to its credibility. The regular updates and affordable subscription to Snort ruleset are indeed valuable for maintaining up-to-date security. Your point about the importance of an IPS in stopping malicious attacks at the perimeter is well taken. The lack of built-in WiFi might be a drawback for some, but as you've pointed out, it can be easily remedied with an additional WiFi router. Thanks for sharing your insights!
 

Victor M

Level 19
Thread author
Verified
Top Poster
Well-known
Oct 3, 2022
910
Some may ask 'why do I need another security layer?' Well, you've probably read articles or watched videos about this bypass and that bypass. Our forum member Shadowra's famous video tests provide lots of examples. It is common to see in her videos detection failures numbering 10-15 across the best brands of anti-malware. So you have to add more layers instead of just praying that it won't happen to you. God help those who help themselves.

And in this case, it is not a lot of money if you divide the cost across 7-8 years of its useful life and the number of PCs in your LAN.
 

Zero Knowledge

Level 21
Verified
Top Poster
Content Creator
Dec 2, 2016
1,088
Is this an advertisement or something you're pushing? It's basically a simple pfSense box with extra bells and whistles for extra $$$. How much are you blowing a year on this? You could probably save some or a lot of money and buy a 10-year-old desktop and put pfSense on it yourself, same or similar results! I like pfSense and they deserve support, just not sure buying their hardware is cost effective when you can load it up on ancient hardware for the same result.
 

Victor M

Level 19
Thread author
Verified
Top Poster
Well-known
Oct 3, 2022
910
I figured it is about time for an upgrade. I still have the 32-bit Pentium machine. But pfSense no longer provides a 32-bit ISO. Using dated security software is a no-no.

The Netgate box costs $189. My Cisco TALOS Snort rules cost $30/yr. No yearly maintenance fees, no upgrade costs. I am just glad that I found this good deal, so I preached a little cybersecurity.
 

Zero Knowledge

Level 21
Verified
Top Poster
Content Creator
Dec 2, 2016
1,088
Yeah, I get it, I really do, pfSense is great this and that, but in a way you're still supporting Cisco with your subscription. I used to have a closet full of enterprise network gear, still have some lying around. Garbage and a waste of money in the end, zero security benefit on a home network. Good for research and learning networking but otherwise.... Thought about donating them to Kaspersky or ESET for research but by now all exploits are probably patched.
 
