computerilliterate Posted March 16, 2016
I'm having trouble shopping for a secure firewall/router. I understand the need for speed and the question of how far the thing can reach. But that's all the reviews talk about. What about the most important thing: firewall quality? I have yet to read a review that discusses the quality of the firewall in a home firewall/router. In fact, the word firewall rarely even appears in reviews. Can anyone help me with a link or explanation for this? Are all home firewalls the exact same circuitry and rule set? Any thoughts?
Solid-State Posted March 16, 2016
I'm having trouble shopping for a secure firewall/router. I understand the need for speed and the question of how far the thing can reach. But that's all the reviews talk about. What about the most important thing: firewall quality? I have yet to read a review that discusses the quality of the firewall in a home firewall/router. In fact, the word firewall rarely even appears in reviews. Can anyone help me with a link or explanation for this? Are all home firewalls the exact same circuitry and rule set? Any thoughts?
https://www.pfsense.org/products/
Paul R Posted March 16, 2016
Depending upon just how fast and just how secure you want to be, there are plenty of really good devices out there. For simplicity combined with good security and excellent performance, I usually recommend the Apple Airport Extreme BaseStation. Easy to set up, well supported, and for the most part, "just works." Stepping up from there, you get into the low-end Cisco line, like this one: Cisco RV130W Wireless-N Multifunction VPN Router - Cisco
A little more difficult to set up, but provides excellent security, and good wireless performance. You can step up from there as far as your wallet will stretch, but I suspect the Airport Extreme might be the ideal model for you. Give a few more details about what you are concerned with, and we can go a bit deeper. Yours, -Paul
Anyone who considers protocol unimportant has never dealt with a cat. - Robert A. Heinlein
Iain Posted March 16, 2016
I'm having trouble shopping for a secure firewall/router. I understand the need for speed and the question of how far the thing can reach. But that's all the reviews talk about. What about the most important thing: firewall quality? I have yet to read a review that discusses the quality of the firewall in a home firewall/router. In fact, the word firewall rarely even appears in reviews. Can anyone help me with a link or explanation for this? Are all home firewalls the exact same circuitry and rule set? Any thoughts?
Routers and Switches for Small Business - Main Page - Cisco Systems
Home - SmallNetBuilder
A few key words, among others, to look for in product descriptions are firewall and security. Don't forget that you get what you pay for here.
http://www.soundonsound.com/
Jud Posted March 16, 2016
Like many things in tech, it is the low-tech stuff that's key. Network address translation, a very simple thing that pretty much every router has, should work simply and well to protect your home network **if you are very good about setting a good password** for your router. A good password mainly means a long one. (To understand why, Google "rainbow tables.") Beyond that, you don't want to give bad stuff permission to come in (be careful what you click). Then, if you want to be more sophisticated, you can look into something like pfSense. Also have a look at OpenDNS, which is a nice DNS service.
One never knows, do one? - Fats Waller
The fairest thing we can experience is the mysterious. It is the fundamental emotion which stands at the cradle of true art and true science. - Einstein
Computer, Audirvana -> optical Ethernet to Fitlet3 -> Fibbr Alpha Optical USB -> iFi NEO iDSD DAC -> Apollon Audio 1ET400A Mini (Purifi based) -> Vandersteen 3A Signature.
orgel Posted March 16, 2016
Depending upon just how fast and just how secure you want to be, there are plenty of really good devices out there. For simplicity combined with good security and excellent performance, I usually recommend the Apple Airport Extreme BaseStation. Easy to set up, well supported, and for the most part, "just works."
Speaking as a network ignoramus, I support this recommendation. I have a couple of Airport Extremes (an older one at home, a newer one at work), and I've never had any trouble configuring them, nor have I had any problems after configuration. Wireless performance on the newer one (802.11ac) is spectacular. --David
Listening Room: Mac mini (Roon Core) > iMac (HQP) > exaSound PlayPoint (as NAA) > exaSound e32 > W4S STP-SE > Benchmark AHB2 > Wilson Sophia Series 2 (Details)
Office: Mac Pro > AudioQuest DragonFly Red > JBL LSR305
Mobile: iPhone 6S > AudioQuest DragonFly Black > JH Audio JH5
computerilliterate (Author) Posted March 16, 2016
Depending upon just how fast and just how secure you want to be, there are plenty of really good devices out there. For simplicity combined with good security and excellent performance, I usually recommend the Apple Airport Extreme BaseStation. Easy to set up, well supported, and for the most part, "just works." Stepping up from there, you get into the low-end Cisco line, like this one: Cisco RV130W Wireless-N Multifunction VPN Router - Cisco A little more difficult to set up, but provides excellent security, and good wireless performance. You can step up from there as far as your wallet will stretch, but I suspect the Airport Extreme might be the ideal model for you. Give a few more details about what you are concerned with, and we can go a bit deeper. Yours, -Paul
What I'm concerned about is security from the unknown. I know I have to look out for sources of malware, but we're all bound to hit something by accident. But, based on reviews I've read, the firewall provides no security improvement if one moves from a $20.00 TP-Link N300 TL-WR841N up to a $300.00 Asus RT-AC88U. You get more whip-zammy speed and the reach will let you watch video from the next county, but nothing is said about whether one will block a malware attack any better than the next. Now, you look at malware prevention stuff like Bitdefender or whatever, and everybody performs tests right and left, throwing a stack of malware files at them. But this is never done with the firewall in a router. That's where I am puzzled.
Jud Posted March 16, 2016
Now, you look at malware prevention stuff like Bitdefender or whatever, and everybody performs tests right and left, throwing a stack of malware files at them. But this is never done with the firewall in a router. That's where I am puzzled.
Because what routers and firewalls deal with is mostly where bad things come from (e.g., whitelists and blacklists) and possibly some fairly general content monitoring ("This is executable code, do you want to let it in?"). Antivirus and malware prevention software deals in a very sophisticated and constantly changing way with content ("please download today's updated virus definition file"). I suppose they could be combined in a single user interface, but I'm not familiar with anyone who's done that.
computerilliterate (Author) Posted March 16, 2016
Because what routers and firewalls deal with is mostly where bad things come from (e.g., whitelists and blacklists) and possibly some fairly general content monitoring ("This is executable code, do you want to let it in?"). Antivirus and malware prevention software deals in a very sophisticated and constantly changing way with content ("please download today's updated virus definition file"). I suppose they could be combined in a single user interface, but I'm not familiar with anyone who's done that.
I'm a little (very) confused by your reply. It sounds like you're trying to prove my point. True, firewalls deal with where bad things come from, so we should be buying based on how well the firewall deals with bad things. But, from what I can tell, every firewall has the same "instructions" as to what should be accepted or blocked and the same ability to carry out those instructions. If that is so, if I buy a 20 buck unit, I am just as "safe" as the guy who spends $300. Then it all falls on one's choice of anti-malware and one's ability to play it safe. Am I right or am I missing something? Of course, the units they call "enterprise firewalls" have a bunch of gizmos that let you make exceptions based on your need. But, from what I'm reading, they don't have a super duper powerful capability. They're just made with more flexibility. So, I'm back to the question of "is one firewall any better than the next?"
JohnSwenson Posted March 16, 2016
As Jud mentioned, a network firewall looks at where something is coming from and what protocol it is using. There are two common philosophies in use in network firewalls:
1) let everything through by default, block specific things known to be bad
2) block everything by default, let through specific things you want
The second is much more secure, but it takes effort to figure out what you want to let through. One approach with this is to let through a few things you know you want and then start using it. When something gets blocked, decide whether you really want it. For example, if you never play any games over the internet you can block the game protocols; you can never get hacked through a game. But if you do play games you need to open up the game protocols. Because of the difficulty of implementing strategy #2, almost all home routers use #1. Most give you some way to block specific locations/protocols, but very few people ever do that. I personally use pfSense on a small dedicated industrial computer as my router, so I get to set it up exactly the way I want, but I'm a network nerd and like to deal with that sort of stuff. John S.
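The two philosophies John describes, run over a handful of constructed packets, as an added example written for this thread (it is illustrative Python, not pfSense code and not anything posted by the participants). The addresses are RFC 5737 documentation ranges and both rule sets are assumptions chosen to make the difference visible: a permissive filter that lets everything through except a short blacklist, and a strict one that drops everything except a few outbound services the household needs. Both remember the flows they allowed out so that the replies get back in, which is the same bookkeeping a home router's NAT/connection table does.

```python
"""Toy stateful packet filter contrasting default-allow with default-deny.

Added example for illustration only: not pfSense code and not from the thread.
All addresses, rules and packets below are constructed (RFC 5737 test ranges).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" = arriving from the internet, "out" = leaving the LAN
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "block"
    direction: Optional[str] = None   # None matches either direction
    proto: Optional[str] = None
    dport: Optional[int] = None
    src_nets: tuple = ()              # source prefixes to match; empty = any source

    def matches(self, pkt: Packet) -> bool:
        if self.direction is not None and pkt.direction != self.direction:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.src_nets and not any(
            ip_address(pkt.src) in ip_network(net) for net in self.src_nets
        ):
            return False
        return True


class Firewall:
    """First matching rule wins; an unmatched packet gets the default action.

    Outbound flows that were allowed are remembered so that the replies coming
    back in are admitted regardless of the inbound rules (stateful filtering,
    the same job a home router's NAT table does).
    """

    def __init__(self, default: str, rules: list):
        self.default = default
        self.rules = rules
        self.flows = set()  # (lan_host, remote_host, proto, remote_port)

    def verdict(self, pkt: Packet) -> str:
        if pkt.direction == "in" and (pkt.dst, pkt.src, pkt.proto, pkt.sport) in self.flows:
            return "allow"  # reply to a connection the LAN opened
        action = next((r.action for r in self.rules if r.matches(pkt)), self.default)
        if action == "allow" and pkt.direction == "out":
            self.flows.add((pkt.src, pkt.dst, pkt.proto, pkt.dport))
        return action


def build_permissive() -> Firewall:
    """Philosophy 1: let everything through, block the few things known to be bad."""
    return Firewall("allow", [
        Rule("block", direction="in", proto="tcp", dport=445),        # SMB from the internet
        Rule("block", direction="in", src_nets=("203.0.113.0/24",)),  # a blacklisted range
    ])


def build_strict() -> Firewall:
    """Philosophy 2: block everything, allow only what the household actually uses."""
    return Firewall("block", [
        Rule("allow", direction="out", proto="udp", dport=53),   # DNS
        Rule("allow", direction="out", proto="tcp", dport=80),   # web
        Rule("allow", direction="out", proto="tcp", dport=443),  # web over TLS
    ])


# Constructed traffic: a LAN host, a web server, a port scanner, a host in the blacklisted range.
LAN, WEB, SCANNER, LISTED = "192.168.1.10", "198.51.100.5", "198.51.100.77", "203.0.113.9"
SCENARIO = [
    ("browser opens an https site", Packet("out", "tcp", LAN, 51000, WEB, 443)),
    ("web server replies", Packet("in", "tcp", WEB, 443, LAN, 51000)),
    ("stranger probes ssh on the LAN host", Packet("in", "tcp", SCANNER, 40000, LAN, 22)),
    ("stranger probes file sharing", Packet("in", "tcp", SCANNER, 40001, LAN, 445)),
    ("blacklisted range probes the web port", Packet("in", "tcp", LISTED, 40002, LAN, 80)),
    ("infected LAN host calls home on an odd port", Packet("out", "tcp", LAN, 51001, SCANNER, 6667)),
]


def run_scenario(fw: Firewall) -> dict:
    """Feed the scenario through a fresh firewall in order; returns name -> verdict."""
    return {name: fw.verdict(pkt) for name, pkt in SCENARIO}


if __name__ == "__main__":
    permissive, strict = run_scenario(build_permissive()), run_scenario(build_strict())
    for name in permissive:
        print(f"{name:45s} permissive={permissive[name]:5s} strict={strict[name]}")
```

Run it and the strict policy is the only one that stops both the unsolicited ssh probe and the infected host calling home; the permissive policy's blacklist only catches the one range somebody thought to list, and everything else sails through by default. That trade-off is the effort John mentions: the strict list has to be revisited every time a new game or service legitimately needs a hole. A "block this country" feature on a business router is the same mechanism as the src_nets rule here, just fed a very long prefix list.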
computerilliterate (Author) Posted March 16, 2016
As Jud mentioned, a network firewall looks at where something is coming from and what protocol it is using. There are two common philosophies in use in network firewalls:
1) let everything through by default, block specific things known to be bad
2) block everything by default, let through specific things you want
The second is much more secure, but it takes effort to figure out what you want to let through. One approach with this is to let through a few things you know you want and then start using it. When something gets blocked, decide whether you really want it. For example, if you never play any games over the internet you can block the game protocols; you can never get hacked through a game. But if you do play games you need to open up the game protocols. Because of the difficulty of implementing strategy #2, almost all home routers use #1. Most give you some way to block specific locations/protocols, but very few people ever do that. I personally use pfSense on a small dedicated industrial computer as my router, so I get to set it up exactly the way I want, but I'm a network nerd and like to deal with that sort of stuff. John S.
Thanks, John, for the further education. Now, when I'm shopping and comparing "Asus" vs "Linksys" vs "TP-Link" vs "whatever", how do I know if one is using strategy 1 or 2? How do I know if one did a pretty shabby job at implementing their choice of strategy? That's where I (and possibly all of us) am flying blind. Again, you can read paragraph after paragraph about how fast and far-reaching the thing is, but you can't find one sentence about how secure the thing is. What to do?
JohnSwenson Posted March 16, 2016
Thanks, John, for the further education. Now, when I'm shopping and comparing "Asus" vs "Linksys" vs "TP-Link" vs "whatever", how do I know if one is using strategy 1 or 2? How do I know if one did a pretty shabby job at implementing their choice of strategy? That's where I (and possibly all of us) am flying blind. Again, you can read paragraph after paragraph about how fast and far-reaching the thing is, but you can't find one sentence about how secure the thing is. What to do?
You can assume that anything marketed for "home use" or "small office use" is going to use #1, and will be essentially the same as far as the firewall itself is concerned. The big difference is going to be the GUI for modifying the rules if you want to do so. Some are easy to use, but not very flexible; some are flexible but horrible to use; and once in a great while you can find one that is both flexible and easy to use. But this is only necessary if you are going to dive in and modify things for your own needs. If you are not going to be modifying things then pretty much any of the "home" routers are going to be essentially the same from a firewall perspective, i.e. pretty much wide open so the people in the house can do whatever they want on the internet without worrying about whether the firewall is going to block them. There are a few things that every firewall blocks by default, that nobody has a legitimate need for using, but that is pretty much standard. John S.
JohnSwenson Posted March 16, 2016
One more important aspect to this is the reliability of the code. Some routers need to be rebooted every month and others can go for years on end. Many routers will start getting slower and slower as the time from the last reboot increases. For me this is a very important aspect of a router. Unfortunately there is no way to know from looking at marketing material which is good and which is bad. The best place to find out about this is either the Amazon reviews or internet networking forums. If there are significant issues with a router they will be reported somewhere on the net. Price has little bearing on this; some inexpensive routers are rock solid, but most of the really reliable ones tend to be on the more expensive side. John S.
computerilliterate (Author) Posted March 16, 2016
You can assume that anything marketed for "home use" or "small office use" is going to use #1, and will be essentially the same as far as the firewall itself is concerned. The big difference is going to be the GUI for modifying the rules if you want to do so. Some are easy to use, but not very flexible; some are flexible but horrible to use; and once in a great while you can find one that is both flexible and easy to use. But this is only necessary if you are going to dive in and modify things for your own needs. If you are not going to be modifying things then pretty much any of the "home" routers are going to be essentially the same from a firewall perspective, i.e. pretty much wide open so the people in the house can do whatever they want on the internet without worrying about whether the firewall is going to block them. There are a few things that every firewall blocks by default, that nobody has a legitimate need for using, but that is pretty much standard. John S.
Thanks again John S. Though that is, of course, not good news. No wonder there is such a problem with malware. We are all sitting ducks. Oh well, you just saved me a couple hundred dollars. I guess I'll just spend 20 bucks and focus on other forms of protection.
Allan F Posted March 16, 2016
You may want to read this for more info about router firewalls: How do Firewalls Work?
"Relax, it's only hi-fi. There's never been a hi-fi emergency." - Roy Hall
"Not everything that can be counted counts, and not everything that counts can be counted." - William Bruce Cameron
Jud Posted March 17, 2016
Thanks again John S. Though that is, of course, not good news. No wonder there is such a problem with malware. We are all sitting ducks. Oh well, you just saved me a couple hundred dollars. I guess I'll just spend 20 bucks and focus on other forms of protection.
No, we're not sitting ducks. Get a router to do *its* job (fast, reliable, the usual/typical firewall capability), and use malware/anti-virus protection to do *its* job. Bitdefender, which you mentioned, is a good choice.
plissken Posted March 17, 2016
You need to layer your protection. Firewalls minimize ingress from the outside world to services that your computer runs, and also inspect traffic for common attack vectors: IP spoofing, malformed packets/payloads, etc. I like Zyxel for an affordable and still very much business-class solution.
Next is anti-virus.
Next is managed DNS (OpenDNS).
Next is using a managed email service.
Next is using your computer with a standard user account, not an administrator account.
Next is having a backup plan in place.
A firewall will not protect you from doing something unfortunate, though.
Allan F Posted March 17, 2016
No, we're not sitting ducks. Get a router to do *its* job (fast, reliable, the usual/typical firewall capability), and use malware/anti-virus protection to do *its* job. Bitdefender, which you mentioned, is a good choice.
Not to mention a good free software firewall as well, e.g. Privatefirewall: https://www.privacyware.com/personal_firewall.html
Jud Posted March 17, 2016
You need to layer your protection. Firewalls minimize ingress from the outside world to services that your computer runs, and also inspect traffic for common attack vectors: IP spoofing, malformed packets/payloads, etc. I like Zyxel for an affordable and still very much business-class solution.
Next is anti-virus.
Next is managed DNS (OpenDNS).
Next is using a managed email service.
I like Fastmail.
Iain Posted March 17, 2016
What I'm concerned about is security from the unknown. I know I have to look out for sources of malware, but we're all bound to hit something by accident. But, based on reviews I've read, the firewall provides no security improvement if one moves from a $20.00 TP-Link N300 TL-WR841N up to a $300.00 Asus RT-AC88U. You get more whip-zammy speed and the reach will let you watch video from the next county, but nothing is said about whether one will block a malware attack any better than the next. Now, you look at malware prevention stuff like Bitdefender or whatever, and everybody performs tests right and left, throwing a stack of malware files at them. But this is never done with the firewall in a router. That's where I am puzzled.
Because what routers and firewalls deal with is mostly where bad things come from (e.g., whitelists and blacklists) and possibly some fairly general content monitoring ("This is executable code, do you want to let it in?"). Antivirus and malware prevention software deals in a very sophisticated and constantly changing way with content ("please download today's updated virus definition file"). I suppose they could be combined in a single user interface, but I'm not familiar with anyone who's done that.
Actually the future is here, albeit in the top-end routers for now:
Virus Protection, Zone Alarm, for Consumer and Home | Check Point Software
Security Appliances and Services | ZyXEL
Jud Posted March 17, 2016
Actually the future is here, albeit in the top-end routers for now:
Virus Protection, Zone Alarm, for Consumer and Home | Check Point Software
Security Appliances and Services | ZyXEL
The first link, if I understand correctly, appears to be for a combination *software* firewall and AV, which have existed for a very long time. I happen to dislike software firewalls as a matter of personal preference, as at least at the consumer level I've never yet run into one that didn't start off too intrusive and wind up too permissive, because the algorithms weren't good enough to distinguish truly harmful content from ordinary at a very specific level in the way that good AV software does. I don't know enough about the ZyXEL enterprise-level stuff to comment, though my assumption would be that the price range isn't what our OP is looking for.
Jud Posted March 17, 2016
Oh, one other comment to the OP: Google the programs and services that launch on startup to see whether there's anything running on your machine that sends bad stuff to other computers and/or invites bad stuff to yours. You may also find programs that aren't harmful but aren't necessary and load your machine down.
plissken Posted March 17, 2016
I don't know enough about the ZyXEL enterprise-level stuff to comment, though my assumption would be that the price range isn't what our OP is looking for.
I've seen current Zyxels with wireless included for $40 after rebate (this happens occasionally). A really awesome feature in Windows 8/10 Ultimate or Enterprise is AppLocker. You can create a whitelist of programs that are allowed to run (by .exe, and even, for an .exe, a particular release version). That way, if you errantly click on a link that delivers an .exe to your machine, it won't run. Also, null-proxying your web browsers and using a proxy whitelist of sites you want to go to.
plissken Posted March 17, 2016
Security Appliances and Services | ZyXEL
The ability with some of their products to geo-ban IP address resolution is awesome. See a bunch of new activity from Chinese addresses? Just drop the geo-ban hammer and all of a sudden traffic to Chinese subnets is cut off.
Jud Posted March 17, 2016
I've seen current Zyxels with wireless included for $40 after rebate (this happens occasionally).
The enterprise-level stuff in Iain's link?
A really awesome feature in Windows 8/10 Ultimate or Enterprise is AppLocker. You can create a whitelist of programs that are allowed to run (by .exe, and even, for an .exe, a particular release version). That way, if you errantly click on a link that delivers an .exe to your machine, it won't run.
Yeah, or you can run Linux or FreeBSD and get a system set up from the start not to give admin privileges to most executable code without your permission.
Also, null-proxying your web browsers and using a proxy whitelist of sites you want to go to.
OpenDNS can be used for whitelists, blacklists, or a combination. I personally am too lazy to set this up.