NGFW -- is it strictly for enterprise networks only??

shochan, Senior Member, Posts: 892
edited December 2019 in Networking
Do you have/use a Next Gen Firewall at home, or only at work?

I was curious which brand you prefer over the others. I was thinking about getting one for the house with wireless included. I am thinking the most affordable ones would be the Fortinet & Sonicwalls (according to the first link below). I know the majority of these are really for enterprises only, but would you reconsider with all of the hacks happening more often and you would want to protect your own home network with NGFW?

I found a few lists online, but wanted to get TE folks' opinions/caveats/perspectives of the different products mentioned below. Of course all of these articles are possibly biased opinions, as some of these companies are paying the journalist to fluff up their products more. The majority of these list the same brands in their reviews, but there are a few that are not mentioned or I haven't heard of either.

Comments/Opinions welcomed!

https://www.esecurityplanet.com/products/top-ngfw-vendors.html

https://www.infradata.com/news-blog/top-5-next-generation-ngfw-firewall-vendors-2019/

https://www.eweek.com/security/top-next-gen-firewall-vendors

https://www.networkworld.com/article/3313344/the-best-enterprise-level-firewalls-rating-10-top-products.html


Cheers & Hi5!







"It's not good when it's done, it's done when it's good" ~ Danny Carey

Comments

  • LonerVamp, OSCP, GCFA, GWAPT, CISSP, OSWP, CCNA Cyber Ops, Sec+, Linux+, AWS CCP, CCSK, Member, Posts: 435
    This is a tough question, even without researching anything. Me personally, I take plenty of lifestyle precautions with my home systems, and as such, I honestly don't think I'd benefit all that much from running a NGFW (I hate this marketing term) at my home.

    The capabilities are always cool and fun to play with, however, for experience's sake. I'm just not sure it's worth the money outlay for something like that.

    For home attacks, there are two major things a home firewall is going to do.
    1. It will block inbound attacks straight from the Internet. For most home users, unless your router is hanging its admin functions on the outside interface or little Jimmy is self-hosting some poorly built web sites, this isn't much of a concern, and even the most basic of firewalls will keep things out.

    2. Exfiltration awareness and blocking/inspection. I suppose if you need or want this, feel free. The effectiveness of this, in my mind, is the same as when it's dropped into an enterprise: the time spent in tuning and attending to the inputs/outputs given. Keeping in mind that if you have kids or others in your home, you may be watching some of their browsing habits for better or worse...

    Personally, I prefer for home users to push security and protections into the endpoints. If you're catching and stopping something outbound on the firewall, something's already going wrong.

    That's just my initial morning 2 cents pre-coffee. :)

    Security Engineer/Analyst/Geek, Red & Blue Teams
    OSCP, GCFA, GWAPT, CISSP, OSWP, CCNA Cyber Ops, Sec+, Linux+, AWS SA-A, CCSK
    2020 goals: AWS Security Specialty, AWAE or SLAE, CISSP-ISSAP?
  • SteveLavoie, Member, Posts: 697
    My company is a Sonicwall partner, so my opinion is biased. I have a Sonicwall at home with all services because I can get them really cheap. It is way overkill for home use. I like it because I don't have to learn something else to do my traffic analysis and content filtering.
  • yoba222, Member, Posts: 1,078
    edited December 2019
    I wouldn't use one. Unless maybe I were running a public-facing web server, and then only if that web server wasn't segregated from the rest of my home network. FWIW, the NGFWs themselves are a liability unless they're correctly hardened.

    They're also a burden. They need to be tuned and monitored on a regular basis and tend to be only vaguely user-friendly. All you really get different from a regular firewall is a subscription to signatures of more sophisticated port probes and application level fuzz attempts, and then some geoip lists. 99% of that doesn't even apply to the home environment. And open source stuff does that too as it is.

    From what I've seen, more than a few enterprise environments are happy to drop $50k of their budget on a shiny new firewall, but aren't willing to put in the hundreds of man-hours it will need to actually monitor and tune the device over the next several years.
    2017: GCIH | LFCS
    2018: CySA+ | PenTest+ |CCNA CyberOps
    2019: VHL 20 boxes
    2020: OSCP eCPPT OSCP eCPPT (a bit undecided)
  • bigdogz, Member, Posts: 798
    edited December 2019
    I have multiple NGFWs because I support them as part of my job. I use Cisco, Juniper, Checkpoint, Fortinet, Palo Alto, Ubiquiti, and others.

    Because I deal with them, I have configs that I slap in harden and I also make sure that my 'lifestyle precautions' are set. ;)

    I have them on a separate VLAN (sandboxed) because of patch management, job scope, and certification.
    I am very familiar with all of them and I switch them out for testing and benchmarking.

    Bleeding edge of technology has its own price. I like to use the N-1 method. Like many others here, I also believe in defense in depth, and maybe I am just as paranoid as others here. I have another network configured for guests and configure it to my liking. I apply MFA so the tokens for guests are used for one session and it makes them mad.


