All-in-one devices are attractive from a cost and simplicity perspective, especially when Internet Service Providers (ISPs) include them for free. An acceptable level of risk might be achieved if they are used solely for Internet access from computers with software firewalls and other appropriate endpoint protection, similar to using a hotel hotspot. In practice, small office and home office firewalls are required to do much more, including protect computers, printers, network attached storage, and an increasing number of IoT devices.
Hardware commonly provided by ISPs includes basic firewall functionality, but these devices are chosen primarily for their ability to connect household computers and mobile devices at minimal cost to the ISP. To reduce support costs, ISP customer service representatives (including those located in global outsourcing locations) are able to remotely access the devices, view, and modify their configuration. For this reason alone, ISP-managed modems and routers belong outside the logical security perimeter.
In most cases, the best approach is to turn off all wireless features, place ISP-provided DSL and cable modems in passthrough mode, and then configure a user-owned router or firewall to use the appropriate protocol (usually DHCP or PPPoE) to connect to the Internet.
Consumer-oriented devices from big box stores should, in theory, allow the owner to take full control of the device. Unfortunately, while some exceptions may exist, these devices generally have a poor reputation for security and include features such as Universal Plug and Play (UPnP) that allow applications to modify the security policy. Products intended for residential use often include other constraints, including the number of simultaneous endpoints they support.
Businesses looking for a high level of security should consider unified threat management (UTM) and next-gen firewalls (NGFW) from vendors such as CheckPoint, Cisco, Fortinet, Palo Alto Networks, and Sophos. These products offer advanced features such as Layer 7 traffic inspection, intrusion prevention, and anti-malware. This functionality requires considerably more compute resources than traditional routers and firewalls, as well as frequent signature updates, and can reduce throughput. This is reflected in price; entry level appliances cost in the $600 to $1000 range with annual maintenance of $100 to $300.
Between seriously lacking consumer-grade and high-end commercial products lie three noteworthy solutions. The UniFi Security Gateway (USG) from Ubiquiti Networks retails for $150. The appliance is easy to configure using free management software. It can function on its own as a basic, reliable stateful firewall. However, it really shines when combined with a switch and one or more wireless access point from Ubiquiti. The same management software is used to configure and monitor all the devices, making VLANs and multiple SSIDs as easy as it gets. This is ideal for separating business and family networks in a home environment, or providing guest access at the office.
At around $140, the Ubiquiti Edgerouter Lite offers substantially more configuration options via its web-based interface, and advanced customization through the command line. This three-port gigabit router includes full stateful packet inspection capability. While the average home user could follow instructions and use web-based wizards to configure the router for DHCP or PPPoE Internet connectivity, using the device as an OpenVPN server requires substantially more expertise. This product has gained a lot of popularity in IT circles, but those who do not require the advanced configuration options are better served by the USG.
Finally, the free open source darling of firewalls is pfSense. Based on FreeBSD, pfSense can be purchased pre-installed on an appliance, or installed on commonly available PC hardware. Mini-PCs with a quad-core Intel Celeron J1900 processor, four Intel gigabit ethernet ports, 8 GB of RAM, and a small SSD are available for about $300 and make excellent pfSense-based firewalls. Basic firewall configuration is relatively straight-forward, and with the help of additional software modules pfSense makes an excellent OpenVPN server. Fueled by the popularity of this open source software, an extensive user community makes it easy to find help.
Perhaps in the future, ISPs will take security more seriously and big box stores will offer better security products. But until that happens, businesses and security conscious consumers need to look elsewhere for a first-rate firewall.
Have a security question you’d like answered in a future column? Please send me an email.
SAMSUNG GALAXY S8 PLUS
The Samsung Galaxy S8 Plus is a beautifully crafted smartphone with nearly no bezel, curvaceous in design and reflects a…
How to: Connect to Exchange Online Using Multi-Factor Authentication
Using PowerShell to manage your Microsoft cloud services like Exchange Online and using multi-factor authentication (MFA) separately is awesome. Using…