Home Firewall Use for Average People

naclh2onaz Member Posts: 69 ■■□□□□□□□□
Many IoT devices are vulnerable to exploitation and use in botnets. I just saw an article that said there are 185,000+ vulnerable web cams that can be used in botnets. I've thought about home SOHO firewall use before and think this may be the solution to IoT devices being exploited, e.g. a Juniper SRX100 or other SOHO firewall.
What about home security companies starting managed firewall services? You could purchase this as an addition to home security.
Or ISPs could offer this. Although, it would take a lot of manpower to configure these devices. I just wonder why home firewall use has not gone mainstream. People have to realize someday that their devices may be vulnerable and could be used against them or without their knowledge.
Thoughts?
2017 Goals:
CISSP [X]
2018 Goals:
CRISC [ ]

Comments

  • iBrokeIT GICSP, GCIP, GXPN, GPEN, GWAPT, GCFE, GCIA, GCIH, GSEC, CySA+, Sec+, eJPT Member Posts: 1,308 ■■■■■■■■■□
    I don't know about you, but I know VERY few people that aren't in IT that know what a firewall does and why it is important. Most people barely know how to log into their home router, if that.

    They are more interested in just checking the UPnP box so that their IoT device works without understanding the security implications of doing so. Just look at how many users are still struggling with the ransomware thing, which is more of a direct impact to them, and you wonder how home router/IoT isn't solved yet?
    2019: GPEN | GCFE | GXPN | GICSP | CySA+ 
    2020: GCIP | GCIA | eCPPT | eWPT | eCTHP

    WGU BS IT-NA | SANS Grad Cert: PT&EH | SANS Grad Cert: ICS Security
  • jamesleecoleman Member Posts: 1,899 ■■■■■□□□□□
    I've been looking at PF Sense or Untangle as a firewall. I'll use the appliance that they sell because setting up a box won't work due to electricity and the other half nagging at me about it. I don't trust home routers for security that I'm comfortable with.
    Booya!!
    WIP : | CISSP [2018] | CISA [2018] | CAPM [2018] | eCPPT [2018] | CRISC [2019] | TORFL (TRKI) B1 | Learning: | Russian | Farsi |
    *****You can fail a test a bunch of times but what matters is that if you fail to give up or not*****
  • GSXR750K2 Member Posts: 325 ■■■■□□□□□□
    Years back when I was heavy into learning Cisco stuff, I used an ASA 5520 at home. It was for educational purposes and not out of fear or concern, but I admit I went to bed feeling like I had the most protected network on the block.

    As for the reasons it hasn't gone mainstream? Lack of promotion and education maybe. Many people think their out-of-date antivirus software is all they need to protect them at home from anything. Like iBroke said, home routers are pretty hands-off for the vast majority of people as they just want stuff to work. A surefire way to ensure that home security appliances never take off is to put them in the hands of average Joes and tell them they need to configure them to work properly.
  • naclh2onaz Member Posts: 69 ■■□□□□□□□□
    Looks like someone at Norton had the same idea:
    Norton's new home router that acts as a firewall, IDS, IPS
    https://us.norton.com/core
    2017 Goals:
    CISSP [X]
    2018 Goals:
    CRISC [ ]
  • jamesleecoleman Member Posts: 1,899 ■■■■■□□□□□
    It looks like a failed remake of the "sphere". But I think the features are cool :)
    Booya!!
    WIP : | CISSP [2018] | CISA [2018] | CAPM [2018] | eCPPT [2018] | CRISC [2019] | TORFL (TRKI) B1 | Learning: | Russian | Farsi |
    *****You can fail a test a bunch of times but what matters is that if you fail to give up or not*****
  • MacGuffin Member Posts: 241 ■■■□□□□□□□
    It seems to me that just the common NAT used on a typical router should stop most every attack into a home network. I think that a hardware firewall beyond that would be redundant. I don't trust software firewalls on general principle. The firewall built into Windows (desktop or server) is a software solution to a software problem and generally on the same computer; it's broken from the start. Perhaps a Windows firewall protecting an IoT device isn't too broken on principle, but I'm not sure it's better than nothing.

    Seems to me the problem is that a router would have a flaw that some piles of excrement exploit to get to IoT devices in the home. It doesn't help that some of the IoT devices are broken too with their own security flaws which can be exploited if someone gets past the router.

    I think what we need is an organization that gives some sort of verification on the security of devices. Think of something like Underwriters Laboratories or Consumer Reports that focuses on the network security of devices. Even then people have to see value in this for it to be effective. People (including myself) will often just look for the cheapest thing that does what they want and stop there. They'll need enough forethought and knowledge to think of the security implications of a device and what to look for in how to avoid it.

    The real problem though is that people don't think much of network security; it's just not much of an issue yet. Not many people think of operational security either, which is becoming a problem. For some reason I was just thinking of a case of a guy that posted on Craigslist, or something like it, that he had some stuff on his driveway that was free for the taking while he was at work. Now a lot of people leave home for hours every day to go to work, leaving their home unguarded, but there is usually enough ambiguity on if someone would be home or not to deter thieves. But he posted his address and when he'd be able to come home on the internet to people with the idea in their head of free stuff. He gets home and finds his driveway clear... as well as anything of value in his house that wasn't nailed down, and even a few things that were. Someone decided to break into his house and the crowd just followed in. Perhaps that's another diversion from the original point, but it does show that people still have a lot to learn on security before they think of firewalls for their home networks.

    If the NAT at the router doesn't let people in then it usually stops there. Another common attack vector I've seen is a badly coded IoT device that "phones home" to the manufacturer, for some reason or another, and people exploit this to get access. A firewall may not fix this, at least not without disabling features on the device. It would be easier to just fix the broken IoT device than try to make a firewall that could fix the problem.

    I do believe that people need to think of securing their home networks, and a firewall may be part of how that's done. What has to happen is people seeing value in it. Not just value in that it would be nice to have, but enough value in that it's worth spending sufficient money and time on fixing.

    The people that would sell these things have to convince people that their IoT devices are somehow broken enough to need a firewall, and these are likely going to be the people that made those broken IoT devices. That's going to be a tough sale.
    MacGuffin - A plot device, an item or person that exists only to produce conflict among the characters within the story.
  • Fadakartel Member Posts: 144
    naclh2onaz wrote: »
    Many IoT devices are vulnerable to exploitation and use in botnets. I just saw an article that said there are 185,000+ vulnerable web cams that can be used in botnets. I've thought about home SOHO firewall use before and think this may be the solution to IoT devices being exploited, e.g. a Juniper SRX100 or other SOHO firewall.
    What about home security companies starting managed firewall services? You could purchase this as an addition to home security.
    Or ISPs could offer this. Although, it would take a lot of manpower to configure these devices. I just wonder why home firewall use has not gone mainstream. People have to realize someday that their devices may be vulnerable and could be used against them or without their knowledge.
    Thoughts?


    It is not your ISP's problem to secure your home network; ISPs just move bits, not secure them.
  • TechGromit GSEC, GCIH, GREM, Ontario, NY Member Posts: 2,028 ■■■■■■■■□□
    I actually think it's a good idea, but it has to be cost effective and will require more of your time to keep it effective. Ebay has quite a few second hand firewalls at reasonable prices, but without a software license agreement, they are pretty useless. The most cost effective and versatile solution would be to set up a Linux server based firewall. After all, a firewall is nothing more than a device that has an input and output and blocks or allows traffic based on a rule set. A Linux server with two network cards meets those requirements. The most important thing about a firewall is it has to be monitored, to be truly effective. If you're not going to log in at least once a week (daily for a business) and look at the logs and adjust the ruleset as needed, they have limited effectiveness. I wouldn't say they are completely useless, but without monitoring, once an attacker gets in, he has rendered your firewall defense useless.

    As for the average person, they continually fail to use complex passwords; do you really think an out-of-the-box firewall solution, with no monitoring, is going to be of any use? Once attackers figure out how to bypass the "default" firewall configurations on one firewall brand/model, they have effectively rendered everyone else who owns one useless as well.
    Still searching for the corner in a round room.
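    As an added illustration of the model TechGromit describes (a two-NIC Linux box that allows or drops traffic by a first-match rule set, and the weekly log review that keeps it useful), here is a small Python simulation. It is example code written for this thread, not code from any poster or from a firewall product. The interface names, addresses and traffic are constructed; the dropped-packet log lines mimic the key=value layout the Linux kernel's LOG target writes to syslog, so the same parser would work on real `dmesg`/syslog output.

```python
"""Toy two-interface firewall: first-match rules, default deny, and log review."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

WAN, LAN = "eth0", "eth1"  # constructed names for the two network cards


@dataclass(frozen=True)
class Packet:
    in_if: str
    src: str
    dst: str
    proto: str
    dport: int
    established: bool = False  # reply to a connection the LAN side opened


@dataclass(frozen=True)
class Rule:
    action: str                      # "accept" or "drop"
    in_if: Optional[str] = None      # None means "match any"
    proto: Optional[str] = None
    dport: Optional[int] = None
    established: Optional[bool] = None

    def matches(self, p: Packet) -> bool:
        # Every non-None field must equal the packet's field (like a netfilter match)
        return all(v is None or getattr(p, k) == v
                   for k, v in vars(self).items() if k != "action")


# Rules are evaluated top to bottom; the first match wins, as in an iptables chain.
# Nothing from the WAN side is accepted unless it answers a LAN-initiated connection.
RULESET = [
    Rule("accept", in_if=WAN, established=True),  # stateful: replies to our own traffic
    Rule("accept", in_if=LAN),                    # inside hosts may reach the internet
    Rule("drop"),                                 # catch-all: unsolicited WAN traffic
]


def evaluate(p: Packet, rules=RULESET) -> str:
    for r in rules:
        if r.matches(p):
            return r.action
    return "drop"  # policy when no rule matched at all


def log_line(p: Packet, prefix: str = "FW-DROP: ") -> str:
    # Subset of the fields the kernel LOG target emits for a dropped packet
    return f"{prefix}IN={p.in_if} OUT= SRC={p.src} DST={p.dst} PROTO={p.proto} DPT={p.dport}"


def run_firewall(packets):
    """Return (verdict per packet, log lines for every drop)."""
    verdicts, drops = [], []
    for p in packets:
        v = evaluate(p)
        verdicts.append(v)
        if v == "drop":
            drops.append(log_line(p))
    return verdicts, drops


LOG_RE = re.compile(r"SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dport>\d+)")


def summarize(lines, threshold: int = 3):
    """The 'look at the logs' step: count drops per (source, proto, port) and
    return only the repeat offenders, which is what you review before touching rules."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            counts[(m["src"], m["proto"], int(m["dport"]))] += 1
    return {k: n for k, n in counts.items() if n >= threshold}


# Constructed sample traffic: four telnet probes from one host, one SSH probe,
# one legitimate reply, and two outbound connections from inside.
SAMPLE_TRAFFIC = [
    *[Packet(WAN, "198.51.100.7", "192.0.2.10", "TCP", 23) for _ in range(4)],
    Packet(WAN, "198.51.100.8", "192.0.2.10", "TCP", 22),
    Packet(WAN, "203.0.113.5", "192.0.2.10", "TCP", 51000, established=True),
    Packet(LAN, "192.168.1.20", "203.0.113.5", "TCP", 443),
    Packet(LAN, "192.168.1.30", "203.0.113.9", "TCP", 8080),
]

if __name__ == "__main__":
    verdicts, drops = run_firewall(SAMPLE_TRAFFIC)
    print(verdicts)
    for src, proto, port in summarize(drops):
        print(f"repeat offender: {src} -> {proto}/{port}")
```

    The point the simulation makes is that the drop rule does its job without any attention, but only the summary step tells you that one address is hammering telnet, which is the kind of finding that leads to adjusting rules or checking whether a device inside is exposing that port.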
  • diffie Member Posts: 13 ■□□□□□□□□□
    Large scale consumer adoption is going to have to involve the ISPs or it's never going to happen. In the US, average people are using the equipment provided by their ISP, given that, what security features are built into the equipment they offer and which features are enabled by default?

    My view is, there has to be some critical event that can be tied back to the lack of consumers having a firewall, for anything to change. IoT devices becoming bots isn't a significant enough event, since the average consumer is likely unaware it's happening.
  • MacGuffin Member Posts: 241 ■■■□□□□□□□
    TechGromit wrote: »
    Once attackers figure out how to bypass the "default" firewall configurations on one firewall brand/model, they have effectively rendered everyone else who owns one useless as well.

    Seems to me that default passwords aren't the problem they used to be. I see routers now with default passwords that are randomly produced and unique to the device. They must be burned to a ROM at manufacture as it seems they survive a hard reset.

    This doesn't mean that they are free from being attacked; there are other flaws that open some of these up for getting bypassed. It does mean though that the manufacturers are at least starting to take security seriously.
    MacGuffin - A plot device, an item or person that exists only to produce conflict among the characters within the story.
  • MacGuffin Member Posts: 241 ■■■□□□□□□□
    diffie wrote: »
    Large scale consumer adoption is going to have to involve the ISPs or it's never going to happen.

    I'll disagree for two reasons. First, it seems that you assume ISPs don't take customer security seriously. The ISPs buy the same hardware from the same places that the consumers do. Now that the network equipment makers are taking security a bit more seriously, the people that install the hardware are forced to do so as well. They'd have to do more work now to make it insecure than to keep it secure. As in the past the installers might not bother with setting a password that is unique; now that the passwords are unique from the start, the installer would have to go through the motions of setting an insecure password. I did a quick look at a handful of local ISPs and they all have on their website offers for free or discounted computer security software. It might be a software firewall, anti-malware scanner, or whatever. They make a few bucks on this just like the big box stores do on selling product protection plans.

    Second, even if the ISPs do nothing, there are enough people out there trying to make a buck selling computer security that this is gaining some traction. I mentioned that devices are more secure by default and that big box stores are upselling security software. Even though the major network device makers are doing much better in securing devices, there are still a lot of people out there selling insecure crap. The ISPs cannot really fix this. They can help by informing customers of the need to secure their devices. There's a potential for money making here, but security is not a product, it is a process. Security is hard and training some minimum wage "geek squad" or "nerd herd" to do this is not trivial.

    Getting the ISPs involved would certainly help but I don't see it as required. First they have to care, and I'm not sure if they can be made to care. They can care about customer security to the point of selling them a firewall, I guess, but that's a product and not a process. The internet citizen is going to have to take this on to the point of learning the process themselves or to the point of paying someone to do it for them. This can come from a number of places, and it doesn't have to include the ISPs to be successful.
    MacGuffin - A plot device, an item or person that exists only to produce conflict among the characters within the story.