HW Firewall for home

bekax5 (Limp Gawd)
Joined Jun 4, 2012, Messages 132
Hello my dear friends.

I have a few questions regarding this topic.

In the first step I have a home connection like this:
Internet - Modem (Bridge mode) - Router - Switch
All the devices are connected to the switch

I would like to understand: a HW firewall should be placed in between the router and the switch, right? Is there any configuration in which it could be placed between the Modem and Router?

I have been checking the most known devices (PIX, ASA, Sonicwall), but are there any of those devices that can fully work without any subscription?
If not, what would be the most similar to a TZ210, or actually <$150, that I could buy? (eBay is accepted)
 
The router is a hardware firewall (most likely). It might not have a wide array of features, but which features are you interested in compared to what a simple wireless/wired router would provide?

Ideally, if your current router is a wireless router, you would put the hardware firewall between the modem and the wireless router, and make the wireless router into a wireless switch (basically shut off the "routing" part of it, plugging one of the 4 ports on the back of most residential routers into the purchased appliance).
 
I am most interested in IDS/IPS.
Also the VPN option is interesting.
And it should have SNMP.

I have PRTG at the moment running with a sniffer on the internet connection.
I have set up some basic sniffs on the SSH port and on some others, and I would like at least to be able to block some ranges, or mostly traffic coming from China.

But mostly this would be to learn some basics about "firewalling"

Edit: It has a firewall, but I would like something a bit more "powerful"
 
I would like to understand: a HW firewall should be placed in between the router and the switch, right? Is there any configuration in which it could be placed between the Modem and Router?

So there is no "correct" positioning of a firewall. Different positioning allows for different functionality. Take IDS/IPS for instance: let's assume you have an ASA firewall that does IDS/IPS also. If you put the firewall behind the router (which in almost all cases will have SOME form of ACL/basic firewall) you're going to be inspecting a lot less traffic, as the router will filter a lot of packets. However, you've placed the router in front of the firewall and it's now the first device hit by incoming packets and is probably doing a lot more processing than it would if the firewall was in front. Your IDS/IPS-inspected traffic is probably going to be a lot more useful to you unless you actually want to know EVERYTHING coming at you, including the basic stuff your router isn't passing.

Routers also have more connectivity options in the enterprise (beyond just Ethernet) that a typical hardware firewall probably won't have (Serial, ATM, T1, DSL). So in those cases it's probably not possible to put a firewall in front. It also comes down to how much power your devices have. An IDS/IPS can significantly bottleneck a fat pipe, so you might not want it to inspect EVERYTHING.

The thing about subscription-less IDS/IPS is that a LOT of attack prevention/detection methods are signature-based, and new attacks require new signatures. Now if you're just looking for basic protection, some heuristic functionality, and learning, then a Cisco ASA 5510 with an IPS module would probably do you just fine. If you're a Google Expert you can find some IPS signatures/updates software on the internet just like you can find IOS images. wink wink

I don't personally have any experience with anything outside of Cisco ASAs when it comes to IDS/IPS so I cannot offer any input on other vendors. But be prepared for a lot of studying...it's not easy.
 
That explained some things =)
Thanks a lot!

I was thinking about Sonicwall TZ210 that looked to have better and faster features (with gui for novices like me) for the same price range as the Cisco ASA.
Does it also need a special part to be able to do IDS/IPS?
Do you think it is also online "updateable" to allow these features? :D
 
Depends on the hardware but that TZ210 doesn't appear to have hardware upgrades, it looks like it's all software and the license section has an IPS license so I imagine it's a subscription update service. No idea if you can "find" updates.

You can of course look through this:
http://208.17.117.208/downloads/SonicOS_Enhanced_5.6_Administrators_Guide.pdf

In the TZ210 user guide it says to look there for more information on advanced IPS administration. Again, never used SonicWalls for IPS.

About the GUI: Cisco ASAs, especially for IPS administration, use the Cisco ASDM and it's a full featured GUI application that can do nearly everything the command line can do. The ASDM is pretty much the only way to administer the IPS functions effectively.
 
I'm a huge fan of the lower end Fortinet models. I use a 60C at home and it works perfectly. Rock solid. Yes - you'll pay about 600 dollars, but it's the best router you could ever have.
 
I just looked through that pdf I sent you and it's nonsense. I doubt you're going to be able to learn anything from it if that's what you really want an IPS device for. The advanced guide doesn't suggest that you can configure it in any way, seems all auto-magic. Probably a fine device, especially for home but if you really want to learn IPS stuff, no.
 
but tomato/ddwrt/openwrt won't do packet inspection or intrusion prevention/detection
These would be some features that I would like to see on the firewall

They are based on netfilter/iptables, which I think support all that.
 
Sonicwalls have an add-on package called Comprehensive Gateway Security Suite (CGSS) which includes Gateway AV, IPS, content filtering, anti-spyware, application control and technical support. There is an annual renewal fee of around $200 depending on the model. Be sure the unit you are interested in supports your bandwidth speed if your connection is faster than 20Mbps.
 
It's not a really strong connection, so it would be just to make a few plays :)

Outside I have a 24/1 Mbit connection.
Inside it's everything Gigabit with 9k Jumbo.

Anyway, which companies work without subscription? I mean, that I can have the full features without having a fee?
 
For a home setup or a small business office there is no point in having to split up functionality between various equipment.

That is if you currently have:

Internet - Modem (Bridge mode) - Router - Switch

and want to put a firewall in there, I would recommend you do:

Internet - Modem (Bridge mode) - Firewall - Switch

In larger environments you often want to have a "separation of duties", mainly because there might be different departments doing networking vs. firewalling. But also since you might have several firewalls (for different purposes) which need to connect to a single point, since you only have one or two uplinks.

Having it separated will also make it possible to do basic filtering in the router before the packets hit the firewall. For example, filter out RFC1918, perform BCP38 filtering, basic anti-spoofing and such (recommended to keep it at the L3 level; if you start to filter at L4 (which you of course could do in the router) the firewall won't detect portscans and such).
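The router-in-front / firewall-behind split described in this post (and in the earlier IDS/IPS placement reply) can be seen in a small simulation. The following is an added example written for this thread, not code from any of the posters or from any of the products mentioned: a router-style pre-filter that only looks at layer 3 (RFC1918/bogon sources, ingress anti-spoofing, BCP38 on egress), followed by a firewall-side port-scan heuristic that only works because the router left ports alone. The site prefix 203.0.113.0/24, the sample packets, the blocked-port set and the scan threshold of 5 are all constructed assumptions.

```python
"""Added example: L3-only router pre-filter in front of a firewall heuristic.
All addresses and packets below are constructed; OUR_PREFIX is an RFC 5737
documentation range standing in for the site's real public prefix."""
import ipaddress
from collections import Counter, defaultdict

# Source prefixes that should never arrive on the WAN side (RFC1918, loopback,
# link-local, "this" network). Partial list, enough for the example.
BOGON_SOURCES = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
)]

# Assumed public prefix of this site (placeholder documentation range).
OUR_PREFIX = ipaddress.ip_network("203.0.113.0/24")


def l3_prefilter(pkt):
    """Router-side decision using only layer 3: direction and addresses.
    Ports are deliberately ignored so the firewall behind it still sees scans."""
    src = ipaddress.ip_address(pkt["src"])
    if pkt["dir"] == "in":
        if any(src in net for net in BOGON_SOURCES):
            return "drop:rfc1918-or-bogon-src"
        if src in OUR_PREFIX:
            return "drop:spoofed-own-prefix"   # ingress anti-spoofing
    else:
        if src not in OUR_PREFIX:
            return "drop:bcp38-egress"         # BCP38: only source our own prefix
    return "pass"


def l4_prefilter_too_early(pkt, blocked_ports=frozenset({23, 3389})):
    """What the post warns against: port-based (L4) blocking in the router.
    The blocked port set is an assumption for the demonstration."""
    decision = l3_prefilter(pkt)
    if decision == "pass" and pkt["dir"] == "in" and pkt.get("dport") in blocked_ports:
        return "drop:port-block"
    return decision


def portscan_suspects(packets, threshold=5):
    """Firewall-side heuristic: inbound sources touching >= threshold distinct TCP ports."""
    ports_by_src = defaultdict(set)
    for p in packets:
        if p["dir"] == "in" and p.get("proto") == "tcp":
            ports_by_src[p["src"]].add(p["dport"])
    return sorted(src for src, ports in ports_by_src.items() if len(ports) >= threshold)


def tcp_in(src, dport):
    """Helper to build a constructed inbound TCP packet record."""
    return {"dir": "in", "src": src, "dst": "203.0.113.10", "proto": "tcp", "dport": dport}


# Constructed sample traffic, not captured data.
SAMPLE_PACKETS = [
    {"dir": "in",  "src": "10.1.2.3",     "dst": "203.0.113.10", "proto": "tcp", "dport": 22},
    {"dir": "in",  "src": "203.0.113.9",  "dst": "203.0.113.10", "proto": "tcp", "dport": 22},
    {"dir": "out", "src": "192.168.1.50", "dst": "198.51.100.1", "proto": "udp", "dport": 53},
    {"dir": "out", "src": "203.0.113.5",  "dst": "198.51.100.1", "proto": "udp", "dport": 53},
    *[tcp_in("198.51.100.7", port) for port in (22, 23, 80, 443, 3389, 8080)],
    tcp_in("198.51.100.8", 22),
    tcp_in("198.51.100.8", 22),
]


def run_chain(router_rule, packets=SAMPLE_PACKETS):
    """Apply the router rule, then run the firewall heuristic on what got through.
    Returns (drop reasons with counts, list of port-scan suspects)."""
    decisions = [(p, router_rule(p)) for p in packets]
    drops = Counter(d for _, d in decisions if d != "pass")
    passed = [p for p, d in decisions if d == "pass"]
    return dict(drops), portscan_suspects(passed)


if __name__ == "__main__":
    print("L3-only router:", run_chain(l3_prefilter))
    print("L4 in router:  ", run_chain(l4_prefilter_too_early))
```

With the L3-only router the three junk packets are dropped and the firewall still sees all six ports probed by 198.51.100.7, so it flags that source; with port blocking moved into the router, two of the probes never reach the firewall and the same source falls under the threshold and goes unnoticed, which is exactly the "the firewall won't detect portscans" caveat from the post.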
 
I'm a huge fan of the lower end Fortinet models. I use a 60C at home and it works perfectly. Rock solid. Yes - you'll pay about 600 dollars, but it's the best router you could ever have.

Big fan of Fortinet stuff too!

There's actually a seller on Fleabay right now that's blowing out 60C's for $150. Check HERE

Unfortunately, for any of the scanning functionality, you'll need a subscription.
 
I'm a huge fan of the lower end Fortinet models. I use a 60C at home and it works perfectly. Rock solid. Yes - you'll pay about 600 dollars, but it's the best router you could ever have.

You could spend half that and run pfSense on an Intel Atom build. I've been running pfSense on a Supermicro 1U server for years now with no issues. Cost me less than $200 total.
 
I have been reading about this, and it seems that pfSense runs on that Firebox firewall hardware.

I might get one of these in the cheap and then stuff it with pfsense.
Some model which runs ok with pfsense.
 