NGFW -- is it strictly for enterprise networks only??

shochan Member Posts: 1,004
edited December 2019 in Networking
Do you have/use a Next Gen Firewall at home, or only at work?

I was curious which brand you prefer over the others. I was thinking about getting one for the house with wireless included. I am thinking the most affordable ones would be the Fortinet & Sonicwalls (according to the first link below). I know the majority of these are really for enterprises only, but would you reconsider, with all of the hacks happening more often, and want to protect your own home network with an NGFW?

I found a few lists online, but wanted to get TE folks' opinions/caveats/perspectives on the different products mentioned below. Of course all of these articles are possibly biased opinions, as some of these companies are paying the journalists to fluff up their products more. The majority of these list the same brands in their reviews, but there are a few that are not mentioned or I haven't heard of either.

Comments/Opinions welcomed!

Cheers & Hi5!

CompTIA A+, Network+, i-Net+, MCP 70-210, CNA v5, Server+, Security+, Cloud+, CySA+, ISC² CC, ISC² SSCP


  • LonerVamp Member Posts: 518
    This is a tough question, even without researching anything. Me personally, I take plenty of lifestyle precautions with my home systems, and as such, I honestly don't think I'd benefit all that much from running an NGFW (I hate this marketing term) at my home.

    The capabilities are always cool and fun to play with, however, for experience's sake. I'm just not sure it's worth the money outlay for something like that.

    For home attacks, there are two major things a home firewall is going to do.
    1. It will block inbound attacks straight from the Internet. For most home users, unless your router is hanging its admin functions on the outside interface or little Jimmy is self-hosting some poorly built web sites, this isn't much of a concern, and even the most basic of firewalls will keep things out.

    2. Exfiltration awareness and blocking/inspection. I suppose if you need or want this, feel free. The effectiveness of this, in my mind, is the same as when it's dropped into an enterprise: the time spent in tuning and attending to the inputs/outputs given. Keeping in mind that if you have kids or others in your home, you may be watching some of their browsing habits for better or worse...

    Personally, I prefer for home users to push security and protections into the endpoints. If you're catching and stopping something outbound on the firewall, something's already going wrong.

    That's just my initial morning 2 cents pre-coffee. :)

    Security Engineer/Analyst/Geek, Red & Blue Teams
    OSCP, GCFA, GWAPT, CISSP, OSWP, AWS SA-A, AWS Security, Sec+, Linux+, CCNA Cyber Ops, CCSK
    2021 goals: maybe AWAE or SLAE, bunch o' courses and red team labs?
  • SteveLavoie Member Posts: 1,133
    My company is a Sonicwall partner, so my opinion is biased. I have a Sonicwall at home with all services because I can get them really cheap. It is way overkill for home use. I like it because I don't have to learn something else to do my traffic analysis and content filtering.
  • yoba222 Member Posts: 1,237
    edited December 2019
    I wouldn't use one. Unless maybe I were running a public-facing web server, and then only if that web server wasn't segregated from the rest of my home network. FWIW, the NGFWs themselves are a liability unless they're correctly hardened.

    They're also a burden. They need to be tuned and monitored on a regular basis and tend to be only vaguely user-friendly. All you really get different from a regular firewall is a subscription to signatures of more sophisticated port probes and application-level fuzz attempts, and then some geoip lists; 99% of that doesn't even apply to the home environment. And open source stuff does that too as it is.

    From what I've seen, more than a few enterprise environments are happy to drop $50k of their budget on a shiny new firewall, but aren't willing to put in the hundreds of man-hours it will need to actually monitor and tune the device over the next several years.
    A+, Network+, CCNA, LFCS,
    Security+, eJPT, CySA+, PenTest+,
    Cisco CyberOps, GCIH, VHL,
    In progress: OSCP
  • bigdogz Member Posts: 881
    edited December 2019
    I have multiple NGFWs because I support them as part of my job. I use Cisco, Juniper, Checkpoint, Fortinet, Palo Alto, Ubiquiti, and others.

    Because I deal with them, I have configs that I slap in to harden them, and I also make sure that my 'lifestyle precautions' are set. ;)

    I have them on a separate VLAN (sandboxed) because of patch management, job scope, and certification.
    I am very familiar with all of them and I switch them out for testing and benchmarking.

    Bleeding edge of technology has its own price. I like to use the N-1 method. Like many others here, I also believe in defense in depth, and maybe I am just as paranoid as others here. I have another network configured for guests and configure it to my liking. I apply MFA so the tokens for guests are used for one session, and it makes them mad.

  • thomas_ Member Posts: 1,012
    I am thinking about getting a small office/home office version of one. The small office ones seem to run between $100 and $700 for the device depending on the manufacturer, with an additional $100 to $500 annual licensing for the more expensive manufacturers.

    However, I’m starting to get analysis paralysis after doing some preliminary research.  I’m not sure if I feel like shelling out the money for the well-known vendor for annual licensing.  I do think it would be interesting to see what type of traffic it might block.  I guess if I didn’t mind using whatever base license came with the device I could try a more advanced license out for a year.

    I think the thing that scares me the most is drive-by downloads. I can be minding my own business surfing reputable websites and have an exploit kit installed just because an advertisement was shown on the page, even if I didn't click on it. I'm not sure how well-protected endpoint security will keep me since exploit kits are continuously developed.

    At the same time I was thinking of setting up a Pi-hole with an upstream DNS provider like OpenDNS, Cloudflare, etc. and building on that later on as I felt like it. Pi-hole would reduce the threat of drive-by downloads by blocking ads, and the upstream DNS provider would reduce the threat of unintentionally navigating to a malicious domain.
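The Pi-hole-plus-upstream-resolver setup thomas_ describes works as a DNS sinkhole: names on a blocklist get a dead-end answer, everything else is forwarded. The following is an added example written for this thread, not Pi-hole's own code or any poster's configuration; the blocklist, the query names and the `fake_upstream` stand-in are all constructed, the matching of parent domains (so an entry for `ads.example` also catches `cdn.ads.example`) is this example's choice rather than a claim about Pi-hole's default behaviour, and nothing here touches the network.

```python
"""Pi-hole-style DNS sinkhole filter (constructed example, not Pi-hole's source).

Reads a hosts-format blocklist ("0.0.0.0 <domain>"), decides per query name
whether to sinkhole it, and otherwise defers to an upstream resolver callable.
"""
from dataclasses import dataclass
from typing import Callable

# Constructed sample blocklist in the hosts-file format that ad/malware
# feeds commonly use; comments and blank lines are tolerated.
SAMPLE_BLOCKLIST = """
# constructed sample list, not a real feed
0.0.0.0 ads.example
0.0.0.0 tracker.example.net
127.0.0.1 malware-drop.example.org   # hypothetical malicious domain
"""

SINKHOLE_IP = "0.0.0.0"   # answer handed back for blocked names


def normalize(name: str) -> str:
    """Lower-case and drop the trailing dot so 'Ads.Example.' matches 'ads.example'."""
    return name.strip().rstrip(".").lower()


def parse_blocklist(text: str) -> set[str]:
    """Return the set of normalized domains listed in a hosts-format blocklist."""
    domains: set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                          # malformed line (address only), skip it
        for name in parts[1:]:                # a hosts line may carry several names
            domains.add(normalize(name))
    return domains


def is_blocked(qname: str, blocklist: set[str]) -> bool:
    """True if the name or any parent domain is on the list.

    Walking the labels means 'cdn.ads.example' is caught by the entry
    'ads.example'; this parent matching is a design choice of the example.
    """
    labels = normalize(qname).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


@dataclass
class Answer:
    qname: str
    address: str
    source: str          # "sinkhole" or "upstream"


def resolve(qname: str, blocklist: set[str], upstream: Callable[[str], str]) -> Answer:
    """Sinkhole blocked names; otherwise ask the upstream resolver."""
    name = normalize(qname)
    if is_blocked(name, blocklist):
        return Answer(name, SINKHOLE_IP, "sinkhole")
    return Answer(name, upstream(name), "upstream")


def fake_upstream(qname: str) -> str:
    """Stand-in for OpenDNS/Cloudflare/etc.; returns a constructed address."""
    return "203.0.113.10"   # TEST-NET-3 documentation address, not a real host


if __name__ == "__main__":
    bl = parse_blocklist(SAMPLE_BLOCKLIST)
    for q in ["www.example.com", "cdn.ads.example",
              "Tracker.Example.NET.", "malware-drop.example.org"]:
        a = resolve(q, bl, fake_upstream)
        print(f"{q:28} -> {a.address:15} ({a.source})")
```

Running it prints one line per query showing which names were sinkholed and which went upstream. The two things the code separates, list parsing and query matching, are exactly where such a setup needs attention in practice: a feed with a malformed line should not poison the whole list, and normalization has to be consistent on both sides or a differently cased or trailing-dot query slips past the block.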