We all know that the internet is a dangerous place and you can't be too careful out there. As someone who has worked in the IT and Cyber Security fields, I am a strong believer in layered defense (sometimes called defense in depth). Today, I wanted to talk a little about firewalls. There are essentially two main types; software based and hardware based. Software firewalls are the ones most home users are familiar with. If you use a modern version of MacOS or Windows, it comes with a built-in software firewall. What I want to talk about today is hardware firewalls for the average home user.
A hardware firewall can be thought of as your first line of defense against attacks. Depending on the capabilities of the firewall, it can not only deny unauthorized traffic into your network, but it can also block traffic based on application, or based on suspicious activities using Intrusion Detection System software. It also serves as your gateway to the internet and can be used to do web and content filtering using web proxy services (if configured).
There are several kinds of firewall operating systems out there. Most of these are specialized versions of Linux that are designed to be used specifically as a firewall. These are operating systems that get installed onto a computer, not software applications that get installed within an operating system (like a McAfee firewall). Basically, you need to have an extra computer lying around that you can install this firewall OS on, but the good news is that it does not have to be beefy. An older computer with a dual-core processor, 20 GB of storage, at least 2 NICs, and 2 GB of memory will work in most cases, but I'd recommend at least 4 GB if you want to utilize the full capabilities that the firewall has to offer. The minimum requirements will vary from distro to distro, so make sure to do your homework.
I've tried several hardware firewall platforms over the years from Untangle to Endian, to Smoothwall, to IPFire. This is just my personal opinion, but to me, all of them fell short in some regard except for IPfire. Untangle's UI was a mess and their business model focuses on selling you "plugins" to enable features that are free in most other firewalls. I could see how it might be useful for a mid size business, but not for the average home user. Endian worked ok, but the interface was a bit of a mess. Smoothwall (free version) worked fine and had a nicer interface, but what I hated was that all of the special features that you'd want to use were not included inside the distro and were instead available as free "add-ons" that you had to manually move onto the system and install via the command line. Even more frustrating was that each time you upgraded the version of Smoothwall, it broke most of those add-ons, forcing you to reinstall them all. Plus, many of them had incorrect code in them, which required digging through the Smoothwall forums to find the problem inside the code and learn how to change it. Then, came IPfire.
I was very impressed with IPfire from the first time I tested it out. The user interface was great and what I liked most was that it came with all the features built-in that I had to install separately into Smoothwall via command line. It was nearly perfect out-of-the-box. Just how much do I like it? Well, I've been running it as my hardware firewall for about 5 years now. It has been rock solid and I don't really have any complaints. My one gripe is with the web proxy function because it can sometimes block valid websites and whitelisting the site doesn't seem to have any effect. Aside from that, it works great. The web content filter is great for blocking porn, gambling, social media, dating, and other such sites (there are many more categories to choose from) if you have such a need to block them. You can also have the firewall scan files that are downloaded from http sites (can't scan https since that is encrypted) to check for malicious content before they even reach your computer. I also use the IDS functionality to detect suspicious network behavior and I use the Guardian utility to block traffic based on what is captured by the IDS.
There are many more capabilities that IPfire has to offer. Some might appeal to you while others may not.
Some of you might be saying, "Why would I need a hardware firewall? I already have a wireless router that acts as a firewall." That's partially true. Most home routers do SOME firewall tasks, but mostly by implementing Stateful Packet Inspection. Think of this as basic firewall protection. It's ok, but definitely not the best. If you could see the firewall logs on your home router (if it even offers this capability) and then compare it to the firewall logs offered by a firewall such as IPFire, you'll be blown away at all the attacks it is blocking that you never even knew were happening. Did you know someone was running port scans against your external IP? Did you know someone was trying to run attacks on ports they found open and/or running fingerprinting attempts? If you just have a wireless router, odds are that the answer is no.
Hopefully I've captured your interest by now. Maybe you're wondering how difficult it is to set this up. It's really not that difficult. Remember, you do need an extra computer to install the firewall OS on though since it is a hardware firewall. The most basic (and common) setup is known as a Red-Green configuration. This is the setup that I use as well. In this context, Red means untrusted and Green means trusted. That means the Red NIC would be connected to the Internet (cable or DSL modem) and the Green NIC would be connected to your internal LAN, usually via a switch or one of your wireless router's ports.
In case you are scratching your head trying to figure out how all your equipment would be connected to make this work, I will try to explain based on my setup. If you have a wireless router that is currently doing your DHCP, firewall, and NAT services, you will need to disable all that so that your wireless router is now acting as just a simple wireless access point. Disconnect the WAN port from your cable or DSL modem. Then, connect your cable/DSL modem to the RED NIC on the firewall. Connect the Green NIC to your internal switch and then connect one of the LAN ports of your wireless router to one of the ports on the switch. If you don't have a switch, you will have to connect one of your wireless router's LAN ports to the Green NIC and then connect your other ethernet devices to the remaining ports on your wireless router. Once your firewall is installed and configured, it will then handle your DHCP, NAT, and firewall functions for all of your network, so you just need the wireless router to let your wireless devices onto the network.
The installation of IPfire itself is text based. It helps if you know which NIC is which based on the chipsets they use. If worse comes to worse, it may just take some trial and error based on their mac addresses. Once you know which NIC is which based on the mac addresses, write that information down in case you ever have to rebuild. The installation is pretty straightforward and the IPFire wiki has some good install instructions. Once installed, you will administer the firewall via a web-based GUI just like most home routers. You can experiment by enabling services and see how you like them.
Having a hardware firewall is great, but remember, security is about layered defense. Make sure you have a software firewall running too, even if it's a basic one. Most cyber attackers will go after softer targets rather than spend hours, days, or weeks trying to get into someone's hardened home computer. Don't be a soft target.
I like untangle. I paid 50$ for a full license per year. So I do not pay extra for add-ons.