Since I started in IT consulting years ago, I’ve always had an interest in network security. It’s amazing how radically the nature of threats has changed in the last 15 years: from simple viruses, to malware, to phishing, to ransomware, and now mass device compromises that build botnets for coordinated Denial of Service and other highly scaled attacks. Every new threat has been met with new defensive measures, especially for corporations. We take security seriously at Don’t Panic Labs, and for businesses in general there is no shortage of solutions, because the threats and the cost of a breach are so high.
But what does this mean for us at home? After all, many of us are bringing work home and also becoming increasingly reliant on smart devices. And our homes are becoming more attractive targets for hackers too. While we might not have large troves of customer information, the amount of bandwidth available to us is rapidly increasing, and that is a very valuable resource to an attacker. Remember October 2016, when a botnet built from compromised home cameras, DVRs and routers knocked a major DNS provider offline and disrupted large parts of the internet for a day?
We could simply rely on the modem/router devices provided by our ISP. Unfortunately, this is a non-starter for me for two reasons: 1) The attack surface is large. It is the same device, configured the same way, for a large number of users, which makes it a much more valuable target. 2) I’m not comfortable with any external administrative control of the device, whether it’s available to me or to others. Beyond wanting things locked down to local access for tighter security, it’s also really disconcerting to call your ISP for support and have them start rattling off information about every device connected to your home network. Although most of us have nothing to hide, that moment felt like a random stranger snooping around my house without my permission.
I started to re-think things a few months ago when it was found that my trusty Netgear R7000 was vulnerable to a really bad exploit. I was lucky that I had the expertise to flash an open-source firmware onto the router that plugged the hole faster than Netgear could patch it. But I quickly realized my router was now completely dependent on one person to package and test that firmware for my model. Although I like the firmware a lot, this isn’t an ideal situation. This started my quest to find a better way of securing my home network.
I started looking at other brands of routers, but I quickly realized that Netgear was not alone. It seems that consumer routers are built for performance and features first, with security an afterthought. As I looked at other vendors, Linksys had recently had quite a few vulnerabilities exposed, D-Link had “catastrophic vulnerabilities,” and ASUS had recently settled an FTC action over lax security and privacy handling in its home routers.
I started to realize that this wasn’t going to be an easy or straightforward solution. I continued to research and started collecting a list of requirements. In broad strokes, two things were important: 1) a strong defensive firewall at the perimeter, and 2) some level of traffic inspection to make sure all my devices are behaving. Here’s where the more detailed list currently stands:
- Device provides wireless and firewall functionality
- Device designed with security in mind
- Regularly patched operating system and software
- Operating system and software supported by an organization, not a single volunteer
- Support for high-speed broadband (100M/100M, i.e. symmetric 100 Mbps fiber)
- Runs on hardware that can stay up on a UPS for an extended period of time
- IDS/IPS availability
As I continued the search, I started to find interesting new solutions, only none of them quite met my requirements. I was most intrigued by a new breed of home routers focused on security (Norton Core, BitDefender Box, F-Secure Sense, and CUJO). Unfortunately, none of them meet my needs. Norton’s Core is still struggling to support lag-free online gaming, is lacking basic router features such as assigning IP addresses, and can only achieve a maximum of 75M throughput. BitDefender Box has even slower performance (however, a Box 2 has been announced). Reviews of F-Secure Sense are a bit sparse right now, so I’m not confident it’s better than Norton’s Core. And finally, I learned that although CUJO can support my full 100M, it only monitors network traffic and doesn’t actually firewall the network.
The closest consumer router I’ve found so far is made by Synology. It was clearly built with security in mind (they publish the results of a third-party security audit for every major OS version) and it looks very solid. Unfortunately, the performance tops out at about 75M again. I’m also slightly hesitant to bet on a company with such a short track record of making routers, as so many companies enter and exit this competitive field. Had the device had a bit more power, I likely would have made the purchase.
I was also impressed by the eero mesh network (it’s advertised as being built for security), but unfortunately it has no true IDS/IPS capability (only DNS-based blocking of risky traffic). DNS-based blocking is actually a really handy technique that everyone should consider. If you point your devices at a filtering resolver such as the free OpenDNS service instead of your ISP’s DNS servers, domains known to host malware or phishing simply won’t resolve: a cheap and effective upgrade. The caveat is that it only protects devices that actually use the resolver you configured. Anything with a hard-coded DNS server goes straight around it unless the firewall forces all outbound DNS through the router.
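To make the technique concrete, here is an added example (written for this post; it is not code from eero, OpenDNS or pfSense) of what a filtering resolver does with a hosts-format blocklist, followed by the check that goes with the caveat above: scanning firewall log lines for LAN hosts that send DNS anywhere other than the router. The blocklist, the router address 192.168.1.1, the log line format and every address in the log are constructed for the example.

```python
"""How DNS-based blocking works, and how to spot devices that sidestep it.

Added example for this post; not code from eero, OpenDNS or pfSense.
The blocklist, the router address and the firewall log lines below are
constructed for illustration.
"""
from __future__ import annotations

import re
from typing import Callable

# Constructed hosts-format blocklist, the format most blocklist feeds use:
# "<sinkhole address> <domain>", with '#' comments and blank lines.
BLOCKLIST_TEXT = """
# known-bad domains (constructed for the example)
0.0.0.0   malware.example
0.0.0.0   phish-login.example
127.0.0.1 tracker.example   # trailing comment
"""

SINKHOLE_IP = "0.0.0.0"        # what a blocked name resolves to
ROUTER_IP = "192.168.1.1"      # assumed: the only resolver LAN clients should use


def parse_blocklist(text: str) -> set[str]:
    """Return the blocked domains from a hosts-format list, lower-cased."""
    blocked: set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) >= 2:
            blocked.add(fields[1].lower().rstrip("."))
    return blocked


def is_blocked(name: str, blocked: set[str]) -> bool:
    """True if the name or any of its parent domains is on the list.

    cdn.malware.example is blocked when malware.example is listed; the bare
    TLD is never consulted, so 'example' alone never matches.
    """
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i:]) in blocked:
            return True
    return False


def resolve(name: str, blocked: set[str], upstream: Callable[[str], str]) -> str:
    """Filtering resolver: sinkhole listed names, forward everything else."""
    if is_blocked(name, blocked):
        return SINKHOLE_IP
    return upstream(name)


# Constructed firewall log lines in a simple "<src> -> <dst>:<port>/<proto>" shape.
# 192.168.1.21 has a hard-coded public resolver and never asks the router.
FIREWALL_LOG = """\
192.168.1.20 -> 192.168.1.1:53/udp
192.168.1.21 -> 8.8.8.8:53/udp
192.168.1.22 -> 192.168.1.1:53/udp
192.168.1.21 -> 1.1.1.1:853/tcp
192.168.1.23 -> 203.0.113.10:443/tcp
"""
LOG_LINE = re.compile(r"(\S+) -> (\S+):(\d+)/(udp|tcp)")
DNS_PORTS = {"53", "853"}       # plain DNS and DNS-over-TLS


def dns_bypassers(log: str, router_ip: str = ROUTER_IP) -> dict[str, set[str]]:
    """Map each LAN host that sent DNS anywhere but the router to the
    resolvers it used. Those hosts get nothing from the filtering resolver
    until the firewall redirects or blocks their port 53/853 traffic."""
    offenders: dict[str, set[str]] = {}
    for match in LOG_LINE.finditer(log):
        src, dst, port, _proto = match.groups()
        if port in DNS_PORTS and dst != router_ip:
            offenders.setdefault(src, set()).add(dst)
    return offenders


if __name__ == "__main__":
    blocked = parse_blocklist(BLOCKLIST_TEXT)
    fake_upstream = lambda _name: "203.0.113.5"   # stands in for the real lookup
    for query in ("cdn.malware.example", "good.example"):
        print(f"{query} -> {resolve(query, blocked, fake_upstream)}")
    print("bypassing the router:", dns_bypassers(FIREWALL_LOG))
```

Two design points worth noting: the parent-domain walk in `is_blocked` is what keeps `cdn.malware.example` from slipping past a list that only names `malware.example`, and the port-based bypass check is only as good as the ports it watches. DNS over HTTPS on port 443 looks like any other web traffic, so forcing plain DNS through the router closes the common case but not every case.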
At this point I realized that I might be asking too much of one device. Perhaps I should split the functions: one device serving as the firewall, and another providing wireless coverage. This would let me confidently use just about any high-performing wireless device on the market. The question then becomes: who makes a solid firewall fulfilling the above requirements at a price point a consumer can afford?
Some semi-affordable entry-level devices I found were from WatchGuard and Fortinet. Firewall-only options were fairly affordable (Firebox T10, ~$300 for 3 years) and could deliver the performance I wanted. Unfortunately, once I wanted to add IDS/IPS and still support 100M, the costs trended toward $1,000. I really like the idea of true enterprise-grade security at home, but I hate to give up 30% of my bandwidth (dropping down to about 70M) just to make the device affordable.
So what about open source options? The best of breed seems to be pfSense, an open-source firewall built on FreeBSD, with IDS/IPS provided by Snort. This could be the best option for me right now. I could buy a pre-configured device from a company called Netgate that would give me the performance I need for about $550 (or cheaper on eBay). That is still more than I’d like to pay, and it requires more admin time than I’d like, but it’s worth considering given there are no annual fees. I just finished installing pfSense on an old server and so far it’s working well. The downside is that it took me about 5 hours and some fairly advanced networking knowledge to get everything going and configured.
In short, I’m disappointed with how tough this search has been. I thought that with a little research a clear winner would emerge, but it appears I’m in a bit of a unique situation, given that we’re fortunate to have fiber and I’d like a more proactive firewall. I plan to wait another month or two to see how the pfSense firewall performs and how devices like Norton’s Core and BitDefender’s Box 2 evolve.
Are there any solutions that you would recommend I consider?