Thoughts on home firewall/security device...

GoodBishop

So I'm looking to beef up my home network a bit - do you folks have any recommendations on solid multifunction devices that can do firewall/VPN/IDS/IPS/AV for a home network?

I'm not looking to spend a lot of cash, and I'm more inclined to get a device that I can set up once and never bother with again.

I currently have Comcast (boo) and a Linksys WRT610N set up on my home network. Looking through my old devices that are collecting dust, I have a US Robotics Secure Storage Router Pro VPN/Firewall/NAS Model USR8200 (hey, I forgot I had that - last firmware update was 2006), as well as a Linksys 4 Port Gigabit Security Router with VPN Model RVS4000 (also ancient). Heh, man, I remember when I had all those devices in one network, all groovin... until I got married and had to cut down on the device count. And laptops too.

Ideally in a perfect world I would have: Internet from Comcast > Firewall (multifunction security device) > Router > Wireless (guest)/Wireless (home)/Wireless (lab). Guest, Home, and Lab wireless networks would not be able to get to each other, and I would be able to do any particular routing and VLAN segregation that I would need to.

I also want to be able to connect to my home network securely through something like OpenVPN. Also, I need to figure out a way to use something like dynamic DNS to make sure that I can access my network even though the IP changes...

Thoughts?

paul78

I'm looking to do something similar. I'm planning to use pfsense on some custom devices that I have lying around. In the past, I did use OpenVPN to access my home network - I highly recommend it - and I plan to set it up again. I'm toying with the idea of getting business class internet services at home so I don't have to deal with DynDNS or similar services.

As for IDS - I haven't decided yet so I'm looking forward to seeing what others suggest.

coffeeluvr

@GoodBishop...what about DD-WRT on your Linksys WRT610N?....Snort for IDS.. Both DD-WRT and Snort are open source.

paul78

I use dd-wrt on my routers but I didn't think it did more than basic stateful inspection and firewall. Does it have proxy functionality? I didn't see that on the web site.

One of the reasons why I like pfsense is that it can be updated with a Squid proxy and does include Snort.

GarudaMin

How about Fortinet Desktop Series? Fortigate/FortiWiFi-20C or-40C ($200-$400). It's UTM solution so it does all you are looking for and more.

wes allen

Maybe one of the smaller, branch office SRX or ASA? If you want a "project" you could do it with a linux machine and iptable, snort, squid, bro, etc.

Asif Dasl

I think you would be looking for something like Untangle. I don't know much about it, but I'm going to play around with a trial and see what it's like to use. I'm in the market for a better firewall solution too.

nerdinhiding

Sophos UTM 9 is a great solution as long as you have less than 50 IP devices the home license is free... Runs great on old PCs, just slap an extra nic in it or New Egg has a great Intel Atom 1U server on special for $349.00 with dual nics.

aaron0011

ASA 5505 10 user bundle. Can be had easily for $200.

izatt82

untangled on x86 hardware?

and or security onion?

not sure how much you are wanting to do.

kriscamaro68

I would say either untangle or pfsense.

GoodBishop

I'm not really looking for a project per-se... more like a all-in-one device. Looking up, the FortiWiFi devices seem close to what I'm looking for. I like how they support multiple SSIDs, so I could have my Home wireless, my Guest wireless, and my Other wireless (pentesting wireless).

DD-WRT is very cool - didn't know they had that out there. And open source you say? Very interesting! I will definitely have to take a look at that one.

Cisco ASA5505 is also a nice device, though no wireless.

Looking at this stuff... SonicWall devices, Cisco devices... man, they're all subscription-based. Any of these devices not subscription-based? I'd rather pay one chunk of money upfront rather than small chunks later on.

I think what I would like to also do is have separate VLANS, so I can have my pentesting traffic on a different VLAN than my normal stuff.

Asif Dasl

For the wireless, all you would need is a wireless access point with Multi-SSID to different home, guest & pentesting VLANs. Then at least the wireless would be upgradeable instead of replacing the entire device. Just a thought.

MentholMoose

DD-WRT is very nice and newer versions support OpenVPN. pfSense, SmoothWall, Untangle, and similar products are also great, but running an old PC 24/7 will use a lot of electricity. A low-power Intel Atom CPU/mobo, or AMD equivalent, plus RAM can be had for under $100 and may outperform an old PC anyway.

If you want to try a PC-based setup for learning purposes, use a regular Linux or BSD distribution and do everything yourself via CLI. It is actually relatively easy to get started. Most services (e.g. DNS, DHCP) include functional default configurations so getting them running often only requires installing (e.g. yum install blah) and starting it (service blah start), and a basic NAT firewall configuration in Linux is only 3 or 4 iptables commands. I like to use Fedora for this but any general-purpose Linux distribution can be used.

Whiteout

+1 for DD-WRT. I use it and it works great for all my needs. For robust little firmware upgrade.

datgirl

As others as have stated I would be inclined to go with pfSense, OpenBSD, Untangle, Snort, or Microsoft's Microsoft Forefront Threat Management Gateway (Forefront TMG).

coty24

+1 for security onion https://www.youtube.com/watch?v=6aodYTLC1L4

HectorP

I’ve used Untangle since about 2007 and I have to say it’s good stuff. I had an old HP PC laying around, threw a second nic card and loaded Untangle. Pretty easy to set up and configure.

vanquish23

Snort for IPS/IDS on a VM. ASA 5505 for Access Control and VPN. The IDS module will cost more than the ASA itself and requires a license.

crrussell3

I will put another vote in for Untangle. Been using it for five years I imagine. Pretty much set it and forget it. I use the free version. Only issues I have had are the following:

1. Failed automatic update. This was only a result of the hdd failing. Trashed the whole install and I didn't have a new enough backup so started from scratch. Very fast to setup though.

2. Issues with AV scanning and Netflix apps (xbox, bluray, etc). This didn't affect streaming netflix from pc. Just added the device mac to a bypass rack policy on so it wouldn't be scanned anymore.

My untangle runs on an old HP 2000 P4 with a 40gig ide hhd and is setup with three nics:

1. WAN
2. Private LAN - This includes my private wlan also.
3. Guest WAN - This nic is attached to an old Linksys that friends/family can use to access wifi at my house. The only thing it can do is go straight out the WAN nic, doesn't have any access to PLAN.

I have looked into setting up pfsense but haven't taken the time as its a little more *nix than I have experience with.

paul78

@GoodBishop - I'm curious what you ended up using. I decided to use m0n0wall instead since it was a bit lighter. I was re-using some custom 1U devices which only have 128Mb RAM and a 32MB disk.

antielvis

You could look at used CISCO equipment. CISCO equipment tends to stay relevant for long periods of time unlike other computer hardware. The older models had a GUI to configure but the more recent ones don't seem to. I have an 860 at home and the java based GUI doesn't work on it.

GoodBishop

I'm not fully decided yet, but it looks like this will be what I would use: Phoenix Uno pfSense Appliance | Hacom , along with this for deployment - http://www.hacom.net/sites/default/files/doc/Hacom%20pfSense%20Deployment%20Guide.pdf

I like pfsense. It's good stuff.

I also think this is sexy - Amazon.com: ASUS ASUS RT-AC66U Dual-Band Wireless-AC1750 Gigabit Router: Computers & Accessories and Buy Linksys EA6500 Wireless Router | Free Shipping , but I need to do more research on it.

Patel128

I will put in another vote for pfSense. I have been using pfSense for a few years now, and it has been great.