Home firewall recommendations

Hello all

I am thinking ahead, upgrading my home system with the future in mind. Very small network, only for home use; but with network-attached storage of my photos and music, maybe some VPN use in the future, VOIP, and a cable modem that means open to attack.

I'm currently running an SMC Barricade (SMC2804WBR) consumer wifi router which of course has some built-in security features. I suspect this gives me a decent level of protection today and I am not feeling paranoid.

However, I am thinking of getting something more sophisticated - say $500 - to give me a better level of protection in the future. It would not need to have the wifi element - I could add that separately. In my mind I distinguish between the wifi security aspect (which is not what this post is about) and the network security aspect (which is why I want a firewall).

I have seen people in this group praising Watchguard and Juniper Netscreen products: for my kind of money I would be looking at a Netscreen 5GT or a Watchguard Firebox Edge or Soho.

My questions are: would that level of product really give me a worthwhile protection over and above what I have today? And would anybody recommend any other products in particular?

Thanks for your suggestions - if you think this would be a waste of money, that would also be good advice!

Reply to
Loading thread data ...

What kinds of threats do you want to be able to protect against?

Do you need the device to watch HTTP and FTP and detect viruses on the fly? Same for HTTPS? Same for POP, IMAP, SMTP?

Is this for a "block all unauthorized from outside, but assume everything from inside is authorized" situation, or do you assume that you need to protect against viruses trying to go outward, or do you assume that you will want to block outgoing programs that take evasive action to negate firewalls (e.g., Skype, several IM programs).

You mentioned kids deeper in the thread: do you need differential outgoing access (you can go somewhere they can't)? Do you need web site censorship^B^B^B^B^B^B^B^B^B^Bfiltering ? Traffic shaping? Time-based access controls?

At some point might you get multiple external IPs? Will you be running any servers? Do you need multiple physical interfaces (for DMZ)?

802.1Q VLAN support? Any need to firewall internal devices from each other? If so, what internal data rate must be supported (since external ISP rates are generally much much lower).

You mentioned VPN -- any -incoming- VPN traffic? Which particular VPN technologies? e.g., will you need to be able to form GRE tunnels? Will you need to be able to do "Layer 2 Transparent VPN" so that you can get IPX, Appletalk or other non-IP across the VPN? Will you need NETBIOS broadcasts to traverse the VPN, or will you be Ok with WINS and/or LDAP? Will you need WebVPN support?

Will you be needing PPPoE? Multiple PPPoE accounts?

If you need to be able to define port forwarding (static port address translation) then what parameters do you need to be able to select upon?

You will certainly want Stateful Packet Inspection, with integrated NAT (network address translation) adjustments to protocols: which protocols will you need inspected?

Reply to
Walter Roberson

Try contacting your ISP and see what (if any) traffic they may already be filtering. Ask their advice about what works best with their system, normally ISP's have recommended hardware and configurations for that hardware that complement their services. A hardware solution will normally be both cheaper and easier for you to maintain, as well, hardware solutions are normally more secure than running cut down operating systems with complicated text files managing access (unless you're using Checkpoint Firewall, but that's out of reach for home users)

Wayne McGlinn Brisbane, Oz

Reply to

I own a Watchguard Wireless Firebox Edge and love it. It has good wireless security and it is very easy to configure. You can control outbound ports. I use wired and my son uses the wireless for his laptop. It has an option network that you can put the wireless network on and it has no access to the wired LAN and you can control who access the wireless network by MAC address which is extra security.

Reply to

You may want to take a look at the Cisco 870 series of routers. The world of Cisco isn't for everyone, but these routers are very flexible with lots of features.

Reply to

Wow, that's a lot of things to think about. But despite a lot of questions, there are only a small number of security products in my budget, or indeed the choice of sticking with what I have now, which does indeed have SPI and NAT.

I think I need to compare the different firewalls, most of which are designed for soho or teleworker use, using some of the parameters you have set out. Thanks for your input on this.

Reply to

"Try contacting your ISP and see what (if any) traffic they may already be "

Thanks, Wayne. I didn't know that ISPs did that. Maybe it lowers the threat somewhat. But honestly the people who man the phones at my ISP are so dumb (French cable company) that, if I ask about filters, they will think I mean cigarettes.

Checkpoint do make a small firewall called Safe@Office - maybe I'll check that out.

My point on all this has been to try to look ahead at possible threat levels that may exist in a few years and to equip myself appropriately now. Maybe I am being paranoid after all.

Reply to

There's currently a promotion on the 5 user wireless box - $100 mail in rebate. It makes the price as low as ~$200 for a Check Point firewall with top wireless security for less than half of what you planned to spend. :)

formatting link

Reply to

TechGrrl wrote

"There's currently a promotion on the 5 user wireless box - $100 mail in "

Mmmm... looks pretty interesting. Thanks for finding that. I'll have to see if I can get the same deal in France.

Reply to

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.