Home hardware firewall recommendation

Status
Not open for further replies.

someperson472034

Honorable
Aug 5, 2013
15
0
10,510
Hello dear community,

I am looking for a home hardware firewall, no routers.
Here are some opt-outs and requirements:

1. It must be closed source
2. It should not support SNMP
3. The firewall should not support UPnP (if your recommendation does support it, I should have the possibility to turn it on and off and change its security permissions, like opening ports)
4. The price must not exceed 150 €.

I am hoping for useful answers and would be very thankful.
 
You are not going to find this. Closed source means it MUST be a commercial box you buy. It is almost a REQUIRED feature by most businesses that the firewall DOES support SNMP. It would be highly unlikely a company wanting to sell its device to the largest number of customers would cut its potential market by not offering a feature that most customers will insist on.

Cisco, Juniper and many others offer firewalls in your price range. Most smaller consumers buy SonicWall because it generally offers the most value for the dollar when you do not need some of the enterprise-level features in the other brands.

If you are afraid of SNMP and do not understand how you secure SNMP you are in big trouble. A firewall is just a tool. It is the person doing the configuration that is key to getting a good working policy. Even the best firewalls allow you to configure them in an insecure way... most will not even warn you that you did something stupid.
 

someperson472034

Honorable
Aug 5, 2013
15
0
10,510
Thanks for the answer.
I am aware of the fact that misconfiguration is a high security risk; I just wanted to know
if there is a commercial hardware firewall without SNMP.

How exactly would one secure SNMP?
One way would be to shut it off.
But what if the option does not exist in the web GUI?

Do you have any other recommendations?
 

Shadowjk

Honorable
Aug 2, 2013
26
0
10,560
What is it with SNMP that is putting you off? By default it won't be active anyway at least in all cisco devices it is.

If you wish you can look for a firewall that supports SNMPv3 which includes IPSec and will require authentication before any device information is sent.

Josh :)
 

someperson472034

Honorable
Aug 5, 2013
15
0
10,510
I don't like remote management and all this device information related functions.
Especially if there is no authentication required except in SNMPv3.
It's a functionality I don't need at all.
 
SNMP is not management; it is used for monitoring. The key exposure is that you can sometimes collect information about traffic flowing through the device. There are almost no devices that let you change the operational status of the device via SNMP. Because SNMP before v3 was known to be spoofable, few if any vendors even put in abilities to change things via SNMP. Maybe that is changing, but the security on SNMP is now as good as SSH or HTTPS.

Your best bet is to configure SNMPv3; that way you know it is on and secure. Since you can limit it by certificates/user IDs and even IP address, you can restrict it quite a bit.

On top of all this since the device is a firewall you can always put in rules that limit snmp traffic. Normally you would only allow SNMP to come from your internal network anyway.
 

someperson472034

Honorable
Aug 5, 2013
15
0
10,510
To be honest, I really don't know how to decide which one I should buy.
There are probably 20 or more manufacturers, and browsing every single website
to find out which firewall would be suitable is frustrating.
Can anyone help me with this?

Also, what exactly is a VPN firewall?
Does it mean that VPN is activated by default or must be somehow enabled?
Or to be more clear, what is the difference between a VPN firewall and a normal hardware firewall?
 
Depends on what you are going to do with the firewall. Almost all can run VPN, but VPN is also very resource intensive, so if you are going to run a lot of connections at high rates of speed you need a larger device. This is why firewall vendors many times quote number of tunnels and throughput rates of encrypted traffic.

Simple filtering of traffic even a cheap router can do. Pretty easy to build rules that restrict by IP blocks or ports. What a true firewall has is the ability to analyze multiple packets or even multiple sessions and make determinations based on that. One example, although there are many, would be a firewall that can allow VoIP calls to run through it. Since the ports that are used are dynamically negotiated between the end devices, it must understand these messages and intercept them and see what ports are going to be needed.

Another feature that causes some of the commercial firewalls to cost a lot is redundancy. It allows firewalls to be grouped together to protect against various kinds of hardware failures. Problem is if you are only going to buy a single firewall you still pay for this feature because you "might" use it in the future...at least the vendors try to justify their pricing on that.

Most people who frequent this forum tend to use things like sonicwall. These are true firewalls but are cheaper since they really do not scale to the enterprise level devices.
 

someperson472034

Honorable
Aug 5, 2013
15
0
10,510
Thanks to bill001g for the answer!
Because open source solutions like IPCop and the likes can be exploited by anyone, while closed-source can be exploited by fewer.
Is this correct?

But I never really heard anything bad about open source hardware firewalls.
People seem to be satisfied with it.
 

dbhosttexas

Honorable
Jan 15, 2013
437
0
10,810
I am soooo glad I didn't have any liquids in my mouth when I read your reply!

Closed source products are MUCH slower to respond to security threats. To give you an example, take a look at how many active virii there are out there for Windows versus Linux. Yes there is malware out there for Open Source software, but active projects get patched very quickly, whereas closed source implementations not so much... Take a look at the freight train sized security holes in Cisco / Linksys EA series routers versus DD-WRT or Tomato based routers... Open Source wins hands down... (I got rid of my Linksys EA2700 because of it...)

I am not saying Open Source is a fix all for every problem, but it does offer solutions, sometimes better, stronger solutions than closed source software.

I would go into detail on the who and why of open source, but if I get too deep, I violate Non Disclosure Agreements. Needless to say, certain HUGE security sensitive enterprises rely on Open Source day in and day out.

All I am really saying is keep an open mind, and judge a product on its specific merits.
 

someperson472034

Honorable
Aug 5, 2013
15
0
10,510
I said that because I once read that it would take much more skill to find exploits in a locked-up,
closed-source hardware firewall than in open-source code free for everyone to read and modify.

By the way, I support open source projects and appreciate them very much.
Much more than closed source projects.
But in this case I am just unsure, because of my little experience.
 

dbhosttexas

Honorable
Jan 15, 2013
437
0
10,810
No big deal. Not sure where you read that, but consider this...

When the NSA decided to build their Role Based Authentication Control (RBAC), they first attempted to build it on their own custom written operating system, and abandoned that attempt to focus on enhancing security of the Open Source GNU / Linux operating system / environment (SELinux). A good number of open source firewall implementations are based on SELinux and IPTables.

Just keep an eye out for specific ones you would be interested in and make sure they meet your needs.

Since you based your budget limit in Euros, I am pretty sure you aren't in the U.S. so I can't help you with specific hardware. Sorry, just not familiar with what is available on your side of the pond as it were...

Are you looking for a dedicated firewall only appliance, or are you looking for a router / firewall type device?
Very few home / small business networks utilize a dedicated firewall appliance. Typically you would use a broadband router, with, or without WiFi.

Almost everything available with TCP/IP is going to have some sort of support for SNMP. The vulnerability there is data disclosure, and first things first, you can typically disable SNMP, or at the very least, change the community string to something strong, like a strong password. Disabled is honestly best, but with SNMP enabled and a strong community string set, you have it available for monitoring the statistics about your various network hosts using a variety of SNMP tools.
UPnP is another story altogether. While it is generally a BAD thing when exposed to the Internet, if your router / firewall does allow for presenting UPnP only to your LAN, and not forwarding it through your WAN port, there really is not that big of an issue with it unless you have a malicious hacker within your LAN.

Honestly, your best bet IMHO would be a DD-WRT capable router with DD-WRT installed. You can lock it up good and tight, and there is a huge security conscious community building and supporting this thing.

Give it an honest look, and check out the various config options from the DD-WRT demo interface. It is worth a good long look. Especially if you look up the security holes in Linksys, D-Link, etc... closed source routers and firewalls... I think within your budget range, that might be what it boils down to. At the moment, your budget of 150 euro, which at current exchange rates is a little under $113.00 USD, means you won't be buying anything top of the line. Again, that leaves you looking at a mid range DD-WRT router being your best / most secure option...
 

someperson472034

Honorable
Aug 5, 2013
15
0
10,510
By dedicated firewall you mean a standalone firewall, right?
Yes, I am looking for this and definitely not a router or router/firewall combination.
Thanks for explaining the possible SNMP and UPnP security risks!

What firewalls do you use, if I might ask?
I would also be interested in what hardware firewalls bill001g and Shadowjk or anyone on this forum uses.
Explaining why you decided for that specific firewall would be great.
 
At work we of course use Juniper and Cisco. At home I use nothing. I am not worried my machines might attack someone, so I do not care to restrict what my stuff does. I do not port forward anything, so anyone on the outside cannot get past my router purely because of NAT being stupid. NAT by itself does most of what a firewall does. Now I do use a commercial Cisco router as my router, but that is mostly because I use them all day every day and feel more comfortable with them. I could, if I chose, use many of the firewall features in the router, and I do use the SSL VPN server feature sometimes, but most of the time it is running pretty simplistically.

The key reason NAT protects you is that if a packet comes in from the outside destined for a port, it must look this port up in its table and find a corresponding IP and port for a machine on the inside. Since it also takes into account the IP of the machine the packet is coming from, it will never find an entry. This is equivalent to going to all the trouble to set up a firewall rule that says only traffic that was initiated from the inside network is allowed to return.
 

someperson472034

Honorable
Aug 5, 2013
15
0
10,510
I have spent some hours looking for commercial firewalls and found a few.
Now please help with this last decision:

Should I go the closed source or the open source way?
Explain why I should choose one of those solutions.

I am still interested in what hardware firewalls everyone on here uses.
Explanations why you decided for that firewall are welcome.
 

choucove

Distinguished
May 13, 2011
756
0
19,360
The first firewalls that I had ever worked with were Cisco ASA5505 units. I had a terrible time with them. Incredibly difficult and confusing to get set up for something as simple as NAT port forwarding. Never could get a site-to-site VPN established even with the two firewalls plugged directly together. Now granted, I've had a little more training and experience now with networking concepts since then, but literally those beasts were great quality firewalls, but nightmares for me to configure.

So I tried out SonicWall. These firewalls are cheaper, so they are a lot more affordable for my customers, and they are a night and day difference in configuration honestly. Much easier to implement things like port forwarding, access rules, and VPN configuration. You can still configure the interfaces to set up the SonicWall in a "transparent" mode so it doesn't actually have to do any of the routing if you don't want it to.
 

someperson472034

Honorable
Aug 5, 2013
15
0
10,510
I researched a bit more and roughly compared the update frequency of commercial and free products.

Open source:

Alpine Linux updated on 2013-08-07
Devil Linux last updated on 2013-12-31
Endian Firewall Community last updated on 2012-01-30 (outdated somehow)
IPCop was last updated almost a year ago on 2012-10-28
IPFire last updated on 2013-08-06
m0n0wall also seems outdated: 2012-11-12
OpenWrt last updated on 2013-04-30
pfSense last updated on 2013-04-15
shorewall latest release: 2013-07-24
SmoothWall Express latest stable release on 2007-08-21, almost 6 years ago
SmoothWall Express 3.1 RC released on 2013-07-23
Turtle Firewall last updated on 2011-05-20 (also outdated)
zeroshell 2.0 RC3 updated on 2013-08-07

Commercial:

2 Cisco ASA products had their latest firmware update in April and May 2013
2 Level One products of the FBR series were updated in February and August 2011
2 Level One products of the WBR series were last updated in May and June 2012
2 Juniper MAG products were updated in July 2013
1 TP-LINK product of the TL-R series was updated in January 2013
1 TP-LINK product of the TL-ER series was updated in June 2013
1 ZyXEL ZyWALL product was updated in July 2013
3 ZyXEL USG products were updated in January and April 2013
2 ZyXEL ZyWALL USG products were updated in January 2013

So if I were to go the open source way, which one of the following firewall distributions should I choose in terms of security?

Alpine Linux, Devil Linux, Endian Firewall Community, IPCop, IPFire, m0n0wall, OpenWrt, pfSense, shorewall, SmoothWall Express, Turtle Firewall, zeroshell

Because I am worried about outdated open source firewalls,
especially when I saw an exploit report on the IPCop SourceForge webpage which hasn't been patched for 3 months.
I don't know if that message is a fake one or not, but the ticket says open.
 

dbhosttexas

Honorable
Jan 15, 2013
437
0
10,810
I admit it, I am too lazy to look. Do any of those products come in within the OP's budget limit?

The biggest limiting factor here is budget. I can recommend plenty of great HW stand alone firewalls if you had a couple of grand laying around not doing anything... But for 150 Eur I highly doubt it...

Within the budget range, I would think maybe one of the Zywall products, which begs the question, why not use a DD-WRT or OpenWRT router instead?
 

someperson472034

Honorable
Aug 5, 2013
15
0
10,510
Those products came up as a result of the firmware update comparison and have nothing to do with the budget.
I looked for a commercial firewall and in the end only came up with 12 products in my price range and with almost matching criteria from the companies Cisco, D-LINK, Level One, Netgear and TP-LINK.
Using OpenWrt would be great, if there weren't so many other open source distributions.
I just can't decide.
 
The key problem is you have not really defined what your primary use of a firewall is. If you do not know, then you likely do not need one.

Just a couple of examples. Some firewalls are primarily used to service VPNs of various kinds. Some firewalls are used as intrusion detection devices and are dependent on good signature subscriptions. Some firewalls are used as access control devices where you need dynamic insertion of rules based on user credentials. Some companies use them to prevent users from accessing certain content (i.e. porn), and again these types of firewalls are dependent on loading lists on a regular basis. So your selection of firewall mostly depends on what you intend to do with it.

If your goal is to prevent someone from attacking your home machines from the internet you likely do not need a firewall. The router running just NAT does 99% of that already. Simple firewall rules in the router can even protect you if you are doing port forwarding.
 

someperson472034

Honorable
Aug 5, 2013
15
0
10,510
It should be a dedicated hardware firewall and it doesn't need to have antivirus signatures, VPN services, content control and that kind of thing.
Just a pure firewall to protect the local network.
 
You likely do not need a firewall then. Like I said, NAT alone does most of that function since traffic is only allowed to return from a destination that was first contacted from your inside network.

This is the KEY rule you would turn on in a firewall where you did not have NAT...ie traffic must be initiated from the inside.

The vast majority of consumer routers, in addition to the NAT, can do simple port and IP address filters. Once you eliminate the need to detect signatures and other advanced features like that, all a firewall is is a bunch of simple access lists. More than likely you can pick up any router that says it has firewall features and it will meet your needs. Every commercial Cisco router... even 10-year-old ones can do simple stuff like this.

Still, the problem is you have to be able to clearly define what you are trying to do. For example you would say machine xxx can only go to tomshardware forums from 8am to 9pm on weekdays. If you cannot define what you want to do at that level then you don't need a firewall.
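The "bunch of simple access lists" idea from the last two replies, including the earlier point that SNMP should only be allowed from the internal network, as a first-match rule evaluator in Python. This is an added illustration for the thread, not any vendor's ACL syntax or code: rules match on source/destination network, protocol, destination port and an optional weekday time window, the first matching rule decides, and an unmatched packet is denied. The forum address, the firewall's LAN address and the packet samples are constructed placeholders.

```python
"""First-match access-list evaluator (added illustration, not vendor code)."""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional

WEEKDAYS = frozenset(range(0, 5))  # Monday=0 .. Friday=4 in datetime.weekday()


@dataclass(frozen=True)
class Rule:
    action: str                              # "permit" or "deny"
    src: str = "0.0.0.0/0"                   # source network (CIDR)
    dst: str = "0.0.0.0/0"                   # destination network (CIDR)
    proto: Optional[str] = None              # None matches any protocol
    dst_port: Optional[int] = None           # None matches any port
    start: Optional[time] = None             # time window: start inclusive, end exclusive
    end: Optional[time] = None               # (give both or neither)
    days: Optional[FrozenSet[int]] = None    # weekday numbers the rule applies to

    def matches(self, src: str, dst: str, proto: str, dst_port: int, when: datetime) -> bool:
        if ip_address(src) not in ip_network(self.src):
            return False
        if ip_address(dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != proto:
            return False
        if self.dst_port is not None and self.dst_port != dst_port:
            return False
        if self.start is not None and not (self.start <= when.time() < self.end):
            return False
        if self.days is not None and when.weekday() not in self.days:
            return False
        return True


def evaluate(rules: List[Rule], src: str, dst: str, proto: str, dst_port: int, when: datetime) -> str:
    """Return the action of the first matching rule; unmatched traffic is denied."""
    for rule in rules:
        if rule.matches(src, dst, proto, dst_port, when):
            return rule.action
    return "deny"  # implicit deny at the end of the list


FIREWALL_LAN_IP = "192.168.1.1"   # constructed: the firewall's inside address
FORUM_IP = "203.0.113.10"         # constructed stand-in for the forum's address

# Constructed sample policy for a home LAN of 192.168.1.0/24.
ACL = [
    # SNMP (UDP/161) to the firewall only from the LAN; every other SNMP request is dropped
    Rule("permit", src="192.168.1.0/24", dst=FIREWALL_LAN_IP, proto="udp", dst_port=161),
    Rule("deny", proto="udp", dst_port=161),
    # "machine xxx" may reach the forum 8am-9pm on weekdays, and nothing else
    Rule("permit", src="192.168.1.50", dst=FORUM_IP, proto="tcp", dst_port=443,
         start=time(8, 0), end=time(21, 0), days=WEEKDAYS),
    Rule("deny", src="192.168.1.50"),
    # everyone else on the LAN may go out; outside-initiated traffic falls to the implicit deny
    Rule("permit", src="192.168.1.0/24"),
]


if __name__ == "__main__":
    tuesday_morning = datetime(2013, 8, 6, 10, 0)   # constructed timestamp
    print(evaluate(ACL, "192.168.1.50", FORUM_IP, "tcp", 443, tuesday_morning))
    print(evaluate(ACL, "198.51.100.7", FIREWALL_LAN_IP, "udp", 161, tuesday_morning))
```

Order matters: the SNMP permit for the LAN sits above the blanket SNMP deny, and the single-host deny for `192.168.1.50` sits above the general LAN permit, which is what makes "can only go to the forum" hold.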
 