Thoughts on home firewall/security device...

GoodBishop Member Posts: 359
So I'm looking to beef up my home network a bit - do you folks have any recommendations on solid multifunction devices that can do firewall/VPN/IDS/IPS/AV for a home network?

I'm not looking to spend a lot of cash, and I'm more inclined to get a device that I can set up once and never bother with again.

I currently have Comcast (boo) and a Linksys WRT610N set up on my home network. Looking through my old devices that are collecting dust, I have a US Robotics Secure Storage Router Pro VPN/Firewall/NAS Model USR8200 (hey, I forgot I had that - last firmware update was 2006), as well as a Linksys 4 Port Gigabit Security Router with VPN Model RVS4000 (also ancient). Heh, man, I remember when I had all those devices in one network, all groovin... until I got married and had to cut down on the device count. And laptops too. :)

Ideally in a perfect world I would have: Internet from Comcast > Firewall (multifunction security device) > Router > Wireless (guest)/Wireless (home)/Wireless (lab). Guest, Home, and Lab wireless networks would not be able to get to each other, and I would be able to do any particular routing and VLAN segregation that I would need to.

I also want to be able to connect to my home network securely through something like OpenVPN. Also, I need to figure out a way to use something like dynamic DNS to make sure that I can access my network even though the IP changes...

Thoughts?

Comments

  • paul78 Member Posts: 3,016
    I'm looking to do something similar. I'm planning to use pfsense on some custom devices that I have lying around. In the past, I did use OpenVPN to access my home network - I highly recommend it - and I plan to set it up again. I'm toying with the idea of getting business class internet services at home so I don't have to deal with DynDNS or similar services.

    As for IDS - I haven't decided yet so I'm looking forward to seeing what others suggest.
  • coffeeluvr Member Posts: 734
    @GoodBishop...what about DD-WRT on your Linksys WRT610N?....Snort for IDS.. Both DD-WRT and Snort are open source.
    "Something feels funny, I must be thinking too hard. - Pooh"
  • paul78 Member Posts: 3,016
    I use dd-wrt on my routers but I didn't think it did more than basic stateful inspection and firewall. Does it have proxy functionality? I didn't see that on the web site.

    One of the reasons why I like pfsense is that it can be updated with a Squid proxy and does include Snort.
  • GarudaMin Member Posts: 204
    How about the Fortinet Desktop Series? FortiGate/FortiWiFi-20C or -40C ($200-$400). It's a UTM solution, so it does all you are looking for and more.
  • wes allen Member Posts: 540
    Maybe one of the smaller, branch office SRX or ASA? If you want a "project" you could do it with a Linux machine and iptables, Snort, Squid, Bro, etc.
  • nerdinhiding Member Posts: 61
    Sophos UTM 9 is a great solution; as long as you have fewer than 50 IP devices, the home license is free. Runs great on old PCs, just slap an extra NIC in it, or Newegg has a great Intel Atom 1U server on special for $349.00 with dual NICs.
  • aaron0011 Member Posts: 330
    ASA 5505 10 user bundle. Can be had easily for $200.
  • izatt82 Member Posts: 18
    Untangle on x86 hardware?

    And/or Security Onion?

    not sure how much you are wanting to do.
  • kriscamaro68 Member Posts: 1,186
    I would say either untangle or pfsense.
  • GoodBishop Member Posts: 359
    I'm not really looking for a project per se... more like an all-in-one device. Looking up, the FortiWiFi devices seem close to what I'm looking for. I like how they support multiple SSIDs, so I could have my Home wireless, my Guest wireless, and my Other wireless (pentesting wireless).

    DD-WRT is very cool - didn't know they had that out there. And open source you say? Very interesting! I will definitely have to take a look at that one.

    Cisco ASA5505 is also a nice device, though no wireless.

    Looking at this stuff... SonicWall devices, Cisco devices... man, they're all subscription-based. Any of these devices not subscription-based? I'd rather pay one chunk of money upfront rather than small chunks later on.

    I think what I would like to also do is have separate VLANs, so I can have my pentesting traffic on a different VLAN than my normal stuff.
  • MentholMoose Member Posts: 1,525
    DD-WRT is very nice and newer versions support OpenVPN. pfSense, SmoothWall, Untangle, and similar products are also great, but running an old PC 24/7 will use a lot of electricity. A low-power Intel Atom CPU/mobo, or AMD equivalent, plus RAM can be had for under $100 and may outperform an old PC anyway.

    If you want to try a PC-based setup for learning purposes, use a regular Linux or BSD distribution and do everything yourself via CLI. It is actually relatively easy to get started. Most services (e.g. DNS, DHCP) include functional default configurations so getting them running often only requires installing (e.g. yum install blah) and starting it (service blah start), and a basic NAT firewall configuration in Linux is only 3 or 4 iptables commands. I like to use Fedora for this but any general-purpose Linux distribution can be used.
    MentholMoose
    MCSA 2003, LFCS, LFCE (expired), VCP6-DCV
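    MentholMoose's point that a basic NAT firewall on Linux is only a handful of iptables commands, and the original post's goal of a guest network that cannot reach the home network, fit in one small script. The following is an added example and is not code from anyone in this thread: a POSIX shell generator for a three-interface (WAN / home LAN / guest) iptables rule set. The interface names eth0, eth1 and eth2 and the 192.168.x.0/24 ranges are assumptions to be edited for real hardware. The script prints the rules by default so they can be reviewed, and only applies them (as root) when run with --apply; a small check function confirms that nothing forwards guest traffic into the LAN.

```shell
#!/bin/sh
# Added example (not from this thread): three-interface NAT firewall generator.
# Interface names and address ranges below are assumptions; adjust to taste.
WAN=${WAN:-eth0}                         # assumed upstream (ISP) interface
LAN=${LAN:-eth1}                         # assumed trusted home network
GUEST=${GUEST:-eth2}                     # assumed guest wireless network
LAN_NET=${LAN_NET:-192.168.10.0/24}      # constructed sample addressing
GUEST_NET=${GUEST_NET:-192.168.20.0/24}  # constructed sample addressing

# Emit the commands one per line instead of executing them, so the rule set
# can be read (or diffed) before anything touches the kernel.
gen_rules() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $LAN -s $LAN_NET -j ACCEPT
iptables -A INPUT -i $GUEST -s $GUEST_NET -p udp --dport 67 -j ACCEPT
iptables -A INPUT -i $GUEST -s $GUEST_NET -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
iptables -A FORWARD -i $GUEST -o $WAN -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
EOF
}
# Note: FORWARD defaults to DROP, so guest<->LAN is blocked without an explicit
# rule; the guest interface only gets DHCP and DNS from the box itself.

# Returns 0 when no rule forwards GUEST -> LAN, 1 if one slipped in.
check_guest_isolated() {
  if gen_rules | grep -q -- "-i $GUEST -o $LAN"; then
    return 1
  fi
  return 0
}

# Number of rules appended to the FORWARD chain (policy line not counted).
count_forward_rules() {
  gen_rules | grep -c -- '-A FORWARD'
}

# Apply the reviewed rules; requires root.
apply_rules() {
  gen_rules | sh
}

if [ "${1:-}" = "--apply" ]; then
  apply_rules
else
  gen_rules
fi
```

    Run it with no arguments to print the rules, pipe the output to a file to keep alongside the box, and run `sh firewall.sh --apply` as root once you are happy with it. Because the generator is a plain function, the same script can be extended with a fourth interface (the lab network from the original post) by adding one INPUT and one FORWARD line and re-running the isolation check.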
  • Whiteout Member Posts: 248
    +1 for DD-WRT. I use it and it works great for all my needs. For robust little firmware upgrade.
    Never stop learning.
  • datgirl Member Posts: 62
    As others have stated, I would be inclined to go with pfSense, OpenBSD, Untangle, Snort, or Microsoft's Forefront Threat Management Gateway (Forefront TMG).
  • HectorP Member Posts: 41
    I've used Untangle since about 2007 and I have to say it's good stuff. I had an old HP PC laying around, threw in a second NIC card and loaded Untangle. Pretty easy to set up and configure.
  • vanquish23 Member Posts: 224
    Snort for IPS/IDS on a VM. ASA 5505 for Access Control and VPN. The IDS module will cost more than the ASA itself and requires a license.
    He who SYNs is of the devil, for the devil has SYN'ed and ACK'ed from the beginning. For this purpose, that the ACK might destroy the works of the devil.
  • crrussell3 Member Posts: 561
    I will put another vote in for Untangle. Been using it for five years I imagine. Pretty much set it and forget it. I use the free version. Only issues I have had are the following:

    1. Failed automatic update. This was only a result of the hdd failing. Trashed the whole install and I didn't have a new enough backup so started from scratch. Very fast to setup though.

    2. Issues with AV scanning and Netflix apps (Xbox, Blu-ray, etc). This didn't affect streaming Netflix from a PC. Just added the device MAC to a bypass rack policy so it wouldn't be scanned anymore.

    My Untangle runs on an old HP 2000 P4 with a 40 GB IDE HDD and is set up with three NICs:

    1. WAN
    2. Private LAN - This includes my private wlan also.
    3. Guest WAN - This NIC is attached to an old Linksys that friends/family can use to access wifi at my house. The only thing it can do is go straight out the WAN NIC; it doesn't have any access to the private LAN.

    I have looked into setting up pfSense but haven't taken the time, as it's a little more *nix than I have experience with.
    MCTS: Windows Vista, Configuration
    MCTS: Windows WS08 Active Directory, Configuration
  • paul78 Member Posts: 3,016
    @GoodBishop - I'm curious what you ended up using. I decided to use m0n0wall instead since it was a bit lighter. I was re-using some custom 1U devices which only have 128MB RAM and a 32MB disk.
  • antielvis Member Posts: 285
    You could look at used Cisco equipment. Cisco equipment tends to stay relevant for long periods of time, unlike other computer hardware. The older models had a GUI to configure but the more recent ones don't seem to. I have an 860 at home and the Java-based GUI doesn't work on it.
  • GoodBishop Member Posts: 359
    I'm not fully decided yet, but it looks like this will be what I would use: Phoenix Uno pfSense Appliance | Hacom , along with this for deployment - http://www.hacom.net/sites/default/files/doc/Hacom%20pfSense%20Deployment%20Guide.pdf

    I like pfSense. It's good stuff.

    I also think this is sexy - Amazon.com: ASUS ASUS RT-AC66U Dual-Band Wireless-AC1750 Gigabit Router: Computers & Accessories and Buy Linksys EA6500 Wireless Router | Free Shipping , but I need to do more research on it.
  • Patel128 Member Posts: 339
    I will put in another vote for pfSense. I have been using pfSense for a few years now, and it has been great.
    Studying For:
    B.S. in Computer Science at University of Memphis
    Network+
    Currently Reading:
    CompTIA Network+ Study Guide - Lammle