Would a hardware based firewall be suitable for a home?

woodrowbone

Level 10
Verified
Dec 24, 2011
489
Do I need 2 network cards for home iso?

You need a dedicated PC with two NICs to install the OS (from the ISO), one NIC for WAN (Internet) and one for your LAN (your home network).
There is a completely free mode; you only install the apps you need/want.
But for $50 a year it is a no-brainer: you get HTTPS scanning, Bitdefender AV and Cyren (I think) web filter among other things; read more at their website.

Sophos is also great, but it is much harder to set up.

Untangle has another great feature in that you can set it up as a transparent bridge after your existing router, and it will scan all traffic passing through.
It also has some kind of IoT defence running; this will protect your Smart TV, fridge or whatever else you have connected in your home.

/W
 

Slyguy

Level 44
Jan 27, 2017
3,319
Absolutely a home needs a hardware firewall. I would make the claim a home needs a UTM/NGFW in these days of blended devices and blended threats!

Forget about the 60B, it's legacy and overall has very poor hardware. Also you won't be able to license it for UTM features but would still be able to use it as a NAT Firewall on your network. However once again, the 60B will run older, less secure firmware. In the case of Fortinet it is absolutely crucial to run the 5.2 series firmware at the minimum.

The lowest Fortinet I would purchase would be a 60C. I currently have a 200B in my home, which was around $5000.00 or so. You can pick them up on eBay for about $250 or so. The 200B is very very powerful and can run the latest 5.2X firmware. As a NAT firewall it's astoundingly powerful. You can also run it unlicensed but still utilize the IPS feature, which defaults to about 6000 signatures, which is actually pretty decent. The other benefit of running a Fortinet (licensed or otherwise): you can set up VPNs very easily for your devices. You can also set up VLANs and some very nice policies on it. Far far above what any consumer junk router can even approach. Note: I am a Fortinet NSE8 Engineer, and I work on Fortinet devices for a living as a Senior IT Security Engineer.

Going forward, most homes will almost essentially need a strong firewall and/or UTM/NGFW in the future! Norton Core Security, Bitdefender Box, CUJO, and about a dozen other products are here or coming out soon with UTM-like features for the home. ASUS already bundles Trend Micro (Gateway) with their routers.

Here's my rack at home with the 200B shown. I also run 6 VLANs and 3 223C FortiAPs. I run WIDS, rogue AP detection, IPS, etc.


So, recently I've wanted to get rid of all my software firewalls, including Windows Firewall and the Emsisoft firewall which has been implemented into Emsisoft Internet Security. The main reason for this is that even with customised filters, everything was being scanned and caused massive CPU usage. I have a gaming PC, and high CPU usage isn't optimal for everyday gamers. I am not looking for another software firewall but alternatively a hardware firewall. I was looking for something with a basic UI that isn't that expensive.

Some people may be thinking by now, this guy is crazy! Why would he need a firewall for home? Well, the number of times a partly non-intrusive firewall will save me is countless.

I was looking at the following

Cisco PIX 501 Firewall Bundle, PIX-501-BUN-K9-Newegg.com

New in Box Fortinet FortiWifi-60B VPN Firewall Security Appliance fwf-60b-Newegg.com

I am literally uneducated in terms of hardware firewalls and most networking related hardware apart from routers and such basic things.

Thank you for reading,

~ Bryan
 

Slyguy

Level 44
Jan 27, 2017
3,319
Untangle is great, the whole business package for only $50 a year if you are a home user.
If you do not want to buy any of the appliances you can install their free ISO on an older computer with two NICs and off you go, very simple.

/W

I would actually discourage Untangle. It has a hard-coded 10,000 session limitation and a maximum throughput of 425Mbps, if that matters. If that doesn't matter, note that in September 2016 Untangle was bought out by a US-intelligence-linked private equity firm. They've replaced some staff with well-known intelligence sources. If that doesn't bother you then you could consider it. But note that Untangle can be fairly buggy at times, and if you build a home box to run it you will run into throughput limitations far below the maximum of 425Mbps. But if you have a connection under 200Mbps it usually won't be a factor.

pfSense will come up soon, but Chris B. left pfSense so the future is uncertain. Also pfSense has quite a lot of unresolved bugs. pfSense also experiences a hard-cap throughput of around 450Mbps in my testing, and I was testing on a purpose-built pfSense hardware box that was around $450.00.

I'd be more inclined to think an unlicensed Fortinet running in NAT mode with Adguard DNS for Web Filtration/Malware/Porn blocking would be a better solution than both of the above. But that's my opinion.
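A concrete version of the "old PC with two NICs" setup from woodrowbone's post and of the "NAT firewall plus a filtering DNS resolver" setup Slyguy describes above, as an added example that is not from the thread and is not Untangle's, pfSense's or Fortinet's own code: a POSIX shell script that generates an nftables ruleset for a Linux box with one WAN NIC and one LAN NIC. It is stateful (only established/related traffic comes back in), drops everything initiated from the WAN side, masquerades the LAN, and forces every LAN client's plain port-53 DNS to the resolver you choose, so a device that hard-codes its own resolver still goes through your filtering DNS. The interface names eth0/eth1, the LAN subnet 192.168.1.0/24 and the resolver address 192.0.2.53 are placeholders, not values from the thread; substitute your NICs and the filtering resolver's published address.

```shell
#!/bin/sh
# Added example (not from the thread): nftables ruleset generator for a
# two-NIC home firewall. Interface names, LAN subnet and resolver address
# are assumptions passed in as arguments.

# Print a complete nftables ruleset for:
#   $1 = WAN NIC, $2 = LAN NIC, $3 = LAN subnet (CIDR), $4 = DNS resolver IP
# Output is meant to be saved as /etc/nftables.conf or piped to `nft -f -`.
gen_home_fw_ruleset() {
    wan="$1"; lan="$2"; lan_net="$3"; dns="$4"
    cat <<EOF
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # the box itself only answers the LAN side: SSH, DNS, DHCP
        iifname "$lan" tcp dport 22 accept
        iifname "$lan" udp dport { 53, 67 } accept
        # ping from LAN only; anything arriving on WAN falls to the drop policy
        iifname "$lan" icmp type echo-request accept
        iifname "$lan" icmpv6 type { echo-request, nd-neighbor-solicit, nd-router-solicit } accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # LAN may initiate to WAN; nothing initiates from WAN into the LAN
        iifname "$lan" oifname "$wan" accept
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        # force DNS: every LAN query to port 53, whatever its destination,
        # is rewritten to the chosen (filtering) resolver
        iifname "$lan" ip saddr $lan_net udp dport 53 dnat to $dns
        iifname "$lan" ip saddr $lan_net tcp dport 53 dnat to $dns
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "$wan" ip saddr $lan_net masquerade
    }
}
EOF
}

# Dry-run check of a ruleset read from stdin. Uses `nft -c` when it is
# installed and we are root; otherwise a rough sanity check that both
# filter chains declare a default-drop policy.
check_home_fw_ruleset() {
    if command -v nft >/dev/null 2>&1 && [ "$(id -u)" = 0 ]; then
        nft -c -f -
    else
        [ "$(grep -c 'policy drop' )" -eq 2 ]
    fi
}

# Enable routing between the two NICs and load the ruleset (run as root).
load_home_fw_ruleset() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    gen_home_fw_ruleset "$@" | nft -f -
}
```

Usage: `gen_home_fw_ruleset eth0 eth1 192.168.1.0/24 192.0.2.53 | check_home_fw_ruleset` to validate, then `load_home_fw_ruleset eth0 eth1 192.168.1.0/24 192.0.2.53` as root (and save the output to /etc/nftables.conf so it survives a reboot). The forward chain's drop policy is what makes this a firewall rather than plain NAT: an inbound connection from the WAN never reaches a LAN device unless you add an explicit rule. The DNS redirect only catches plain port-53 traffic; a device using DNS over HTTPS bypasses it, which is the same limitation a DNS-based web filter has behind any appliance.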
 

woodrowbone

Level 10
Verified
Dec 24, 2011
489
Fantastic advice Slyguy. Come back and share some more of your knowledge :)

+1

Slyguy, you did not by any chance go by another handle in the Untangle forums before, starting with a M?

And if I would reach 425 Mbit in an internet connection I would be giggling all day long. :D
Regarding the US intelligence, I would prefer this any day compared to Russian, Chinese and Turkish made software/hardware (AdGuard).

No offence to anyone; that is only my point of view in regard to former experiences.

/W
 

Slyguy

Level 44
Jan 27, 2017
3,319
Fantastic advice Slyguy. Come back and share some more of your knowledge :)

NP, I will hang around.

As for country of origin/jurisdiction, it's really a pick your poison thing and probably wise to base decisions on the privacy policies and operations of individual corporations. As you can see I use Fortinet which is based in the USA. However I am privy to many things at Fortinet including the fact they are now doing yearly code-audits because of the FGTAbc11*xy+Qqz27 fiasco. Also, the only way to backdoor a Fortinet currently is to use the maintainer trick and that requires L1 (physical) access to the device but can be disabled via CLI. Also I am currently unaware of any intelligence officials working directly AT Fortinet.

In all fairness Untangle is still open source and can be audited by anyone. Where my concern comes in is with the telemetry Untangle 'could' gather. I assume Untangle is pretty safe to run if you turn off the backup app (perform manual backups instead), disable the cloud features and remote support facilities in it. However the hard-coded session limitation and 425Mbps throughput throttle wouldn't be viable for me. For others I assume this wouldn't be a big problem. It just depends if you are comfortable with actual intelligence-linked people that now work at Untangle.

There is a reason I use Emsisoft Anti-Malware: it's because they don't harvest much (if any?) telemetry from their product, have strong privacy policies and staff dispersed through varied jurisdictions. Not to go off topic any more, but yes, I think it is crucial to have a good hardware firewall (NAT, SPI at least), and if possible a UTM, and even better VLANs and a strong policy-based device!

Just my opinion of course.