Home firewall recommendations

Hello all

I am thinking ahead, upgrading my home system with the future in mind. Very small network, only for home use; but with network-attached storage of my photos and music, maybe some VPN use in the future, VOIP, and a cable modem, which means I am open to attack.

I'm currently running an SMC Barricade (SMC2804WBR) consumer wifi router which of course has some built-in security features. I suspect this gives me a decent level of protection today and I am not feeling paranoid.

However, I am thinking of getting something more sophisticated - say $500 - to give me a better level of protection in the future. It would not need to have the wifi element - I could add that separately. In my mind I distinguish between the wifi security aspect (which is not what this post is about) and the network security aspect (which is why I want a firewall).

I have seen people in this group praising Watchguard and Juniper Netscreen products: for my kind of money I would be looking at a Netscreen 5GT or a Watchguard Firebox Edge or Soho.

My questions are: would that level of product really give me a worthwhile protection over and above what I have today? And would anybody recommend any other products in particular?

Thanks for your suggestions - if you think this would be a waste of money, that would also be good advice!

Reply to
Kato

What kinds of threats do you want to be able to protect against?

Do you need the device to watch HTTP and FTP and detect viruses on the fly? Same for HTTPS? Same for POP, IMAP, SMTP?

Is this for a "block all unauthorized from outside, but assume everything from inside is authorized" situation, or do you assume that you need to protect against viruses trying to go outward, or do you assume that you will want to block outgoing programs that take evasive action to negate firewalls (e.g., Skype, several IM programs)?

You mentioned kids deeper in the thread: do you need differential outgoing access (you can go somewhere they can't)? Do you need web site censorship^B^B^B^B^B^B^B^B^B^Bfiltering? Traffic shaping? Time-based access controls?

At some point might you get multiple external IPs? Will you be running any servers? Do you need multiple physical interfaces (for DMZ)?

802.1Q VLAN support? Any need to firewall internal devices from each other? If so, what internal data rate must be supported (since external ISP rates are generally much, much lower)?

You mentioned VPN -- any -incoming- VPN traffic? Which particular VPN technologies? e.g., will you need to be able to form GRE tunnels? Will you need to be able to do "Layer 2 Transparent VPN" so that you can get IPX, Appletalk or other non-IP across the VPN? Will you need NETBIOS broadcasts to traverse the VPN, or will you be Ok with WINS and/or LDAP? Will you need WebVPN support?

Will you be needing PPPoE? Multiple PPPoE accounts?

If you need to be able to define port forwarding (static port address translation) then what parameters do you need to be able to select upon?

You will certainly want Stateful Packet Inspection, with integrated NAT (network address translation) adjustments to protocols: which protocols will you need inspected?

Reply to
Walter Roberson
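The distinction Walter draws between "block all unauthorized from outside", outbound control, static port forwarding and stateful packet inspection, modelled as a toy policy engine. This is an added example, not code from the thread or from any of the products named in it; the addresses, ports and the NAS host are constructed, and NAT address rewriting is elided so that state is keyed on the LAN host directly.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    iface: str          # "lan" (leaving the home network) or "wan" (arriving from the ISP)
    syn: bool = False   # True on the first packet of a new TCP connection


class HomeFirewall:
    """Default-deny from the WAN, stateful acceptance of return traffic,
    static port forwards, and an outbound (egress) block list."""

    def __init__(self, forwards: dict, egress_block: set):
        # Connection table: (lan_host, lan_port, remote_host, remote_port)
        self.state = set()
        # Static port forwards: {wan_port: (lan_host, lan_port)}
        self.forwards = forwards
        # Destination ports that LAN hosts may not reach (outbound policy)
        self.egress_block = egress_block

    def handle(self, p: Packet) -> str:
        if p.iface == "lan":
            # Outbound: apply egress policy, then remember the flow so that
            # the reply can come back without opening the port permanently.
            if p.dport in self.egress_block:
                return "DROP egress-policy"
            self.state.add((p.src, p.sport, p.dst, p.dport))
            return "ACCEPT outbound"
        # Inbound from the WAN: only replies to flows we started...
        if (p.dst, p.dport, p.src, p.sport) in self.state:
            return "ACCEPT established"
        # ...or new connections to an explicitly forwarded service (e.g. the NAS).
        if p.dport in self.forwards and p.syn:
            host, port = self.forwards[p.dport]
            return f"DNAT {host}:{port}"
        # Everything else that the outside world sends unsolicited is dropped.
        return "DROP unsolicited"


def demo() -> list:
    """Constructed traffic: a PC browsing, its reply, a scan, a NAS connection, SMTP egress."""
    fw = HomeFirewall(forwards={443: ("192.168.1.10", 443)}, egress_block={25})
    flows = [
        Packet("192.168.1.20", 50000, "203.0.113.5", 80, "lan", syn=True),
        Packet("203.0.113.5", 80, "192.168.1.20", 50000, "wan"),
        Packet("198.51.100.7", 4444, "192.168.1.20", 50000, "wan", syn=True),
        Packet("198.51.100.7", 4444, "192.168.1.1", 443, "wan", syn=True),
        Packet("192.168.1.20", 50001, "203.0.113.9", 25, "lan", syn=True),
    ]
    return [fw.handle(p) for p in flows]
```

Without the connection table, the second packet could only be admitted by opening every high port inbound, which is exactly the hole stateful inspection closes.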

Try contacting your ISP and see what (if any) traffic they may already be filtering. Ask their advice about what works best with their system; normally ISPs have recommended hardware and configurations for that hardware that complement their services. A hardware solution will normally be both cheaper and easier for you to maintain; as well, hardware solutions are normally more secure than running cut-down operating systems with complicated text files managing access (unless you're using Checkpoint Firewall, but that's out of reach for home users).

Wayne McGlinn Brisbane, Oz

Reply to
Wayne

I own a Watchguard Wireless Firebox Edge and love it. It has good wireless security and it is very easy to configure. You can control outbound ports. I use wired and my son uses the wireless for his laptop. It has an optional network that you can put the wireless network on, and it has no access to the wired LAN, and you can control who accesses the wireless network by MAC address, which is extra security.

Reply to
Gary

You may want to take a look at the Cisco 870 series of routers. The world of Cisco isn't for everyone, but these routers are very flexible with lots of features.

Reply to
gray.wizard

Wow, that's a lot of things to think about. But despite a lot of questions, there are only a small number of security products in my budget, or indeed the choice of sticking with what I have now, which does indeed have SPI and NAT.

I think I need to compare the different firewalls, most of which are designed for soho or teleworker use, using some of the parameters you have set out. Thanks for your input on this.

Reply to
Kato

"Try contacting your ISP and see what (if any) traffic they may already be "

Thanks, Wayne. I didn't know that ISPs did that. Maybe it lowers the threat somewhat. But honestly the people who man the phones at my ISP are so dumb (French cable company) that, if I ask about filters, they will think I mean cigarettes.

Checkpoint do make a small firewall called Safe@Office - maybe I'll check that out.

My point on all this has been to try to look ahead at possible threat levels that may exist in a few years and to equip myself appropriately now. Maybe I am being paranoid after all.

Reply to
Kato

There's currently a promotion on the 5 user wireless box - $100 mail in rebate. It makes the price as low as ~$200 for a Check Point firewall with top wireless security for less than half of what you planned to spend. :)


Reply to
TechGrrl

TechGrrl wrote

"There's currently a promotion on the 5 user wireless box - $100 mail in "

Mmmm... looks pretty interesting. Thanks for finding that. I'll have to see if I can get the same deal in France.

Reply to
Kato
