High end home firewall/proxy

Posted on Mon Jan 16, 2012 9:15 pm

So I'm looking for suggestions for a good home network firewall/router/proxy device. What I really need/want is good filtering rules so that I can filter IP/port combinations, port ranges, devices, protocols, pretty much as much filtering control as I can get, as well as the standard NAT and inbound port forwarding options. A reasonable amount of URL filtering would be good as well. Caching is not a requirement. The proxy must allow for filtering as well.

I have a 13 year old daughter who absolutely loves her Google Voice account, which her dad made the mistake of getting her. :oops: There was actually good intent behind it as I will not get her a mobile phone right now as she has no need, but the ability to text family and friends is useful and she has an Android tablet. Not really worried about her going places on the web that she shouldn't, she just can't seem to stop texting and chatting when she is supposed to be doing other stuff, like homework.

So, the ability to block Google Voice and Google Talk traffic without blocking gmail or google search is a good example. I need to be able to block both the web interface and app traffic for both. These are the current examples, but I'm sure I can come up with others.

So, suggestions for a device? I'm willing to pay a fairly significant amount for a good device, especially if it supports a good DHCP server and VPN as well. I know I can do it with a Linux box, but honestly I spend enough time doing that kind of stuff for my day job. I'm happy to pay the money to save my time, assuming the appliance I buy has a reasonable interface and features.

Thanks for the suggestions.

--SS

PS: 19" rack mount form factor is a good bonus.
SecretSquirrel

Re: High end home firewall/proxy

Posted on Mon Jan 16, 2012 10:22 pm

Should note that wireless is not a concern. While a nice addition, since I could drop the separate wireless AP, I'm not going to pay additional for it.

Right now the leader is the ZyXEL ZyWALL USG 50 with the runner up being the Netgear ProSecure UTM10. The base ZyWALL is cheaper and looks like it may do my IM apps and such. Yearly subscriptions for AV, IDP, and content filtering are also reasonable ($75-80 each). Probably only use AV and IDP, if that.

Thanks for the suggestions and keep them coming.

--SS
SecretSquirrel

Re: High end home firewall/proxy

Posted on Mon Jan 16, 2012 10:54 pm

A cheap PC with two NICs that runs m0n0wall or pfSense?

Or maybe a non-tech solution like moving her computer out into the living room where you can watch her.
bthylafh

Re: High end home firewall/proxy

Posted on Mon Jan 16, 2012 11:24 pm

bthylafh wrote:
A cheap PC with two NICs that runs m0n0wall or pfSense?

Or maybe a non-tech solution like moving her computer out into the living room where you can watch her.

Not helpful. :roll:

While limiting physical access might help, it certainly isn't a complete solution, beyond the limitations and requirement it would place on me. As for the Linux box, I already addressed that.

--SS
SecretSquirrel

Re: High end home firewall/proxy

Posted on Tue Jan 17, 2012 2:04 am

I know you said you would rather just have a pre-built appliance, but an Untangle box is quite painless to set up. Just get it up and running, turn on the modules on the web interface, and block the ports you want. I don't know what kind of connection you have at your home, but Untangle likes CPU power. You may even be able to get by with an Atom, which is recommended often for home users on the Untangle forums. Just get at least a dual-core model; D510/D525/D2500/D2700. Plus give it 2GB of RAM and a dual-port PCI Intel NIC and you are set.
P4Power

Re: High end home firewall/proxy

Posted on Tue Jan 17, 2012 3:57 am

Zywalls are OK, I've got 3-4 of them installed and they mostly work without issue. I've never used the particular one you're looking at though.

If you're looking to avoid taking your day job home by buying off the shelf kit then I wish you good luck :wink:
cheesyking

Re: High end home firewall/proxy

Posted on Tue Jan 17, 2012 7:27 am

cheesyking wrote:
Zywalls are OK, I've got 3-4 of them installed and they mostly work without issue. I've never used the particular one you're looking at though.

If you're looking to avoid taking your day job home by buying off the shelf kit then I wish you good luck :wink:

Not so much avoid taking my day job home, but control the parts of it I take home. I have enough equipment I can't avoid it, but I try and go for fire and forget solutions as much as possible and I don't really feel like spending a week putting a new system together. Plus, for everyone talking about putting a cheap system in with a couple of NICs, be aware that the base USG-50 is $235. I'm going to be pretty hard pressed to put together a system that will do the job well in a 1U rack mount case for $235.

--SS
SecretSquirrel

Re: High end home firewall/proxy

Posted on Tue Jan 17, 2012 9:36 am

My first response was going to be a Linux/BSD based firewall until you said you didn't want that. Maybe take a look at some of the 3rd party firmware options if the manufacturer ones don't have enough control?
notfred

Re: High end home firewall/proxy

Posted on Tue Jan 17, 2012 10:21 am

I have never used them, but I have a friend that swears by Fortinet.
cubical10

Re: High end home firewall/proxy

Posted on Tue Jan 17, 2012 10:55 am

We have a Netgear UTM in place at work for a small office. Honestly it gets the job done, but the GUI/Management is terrible.
Chaseme

Re: High end home firewall/proxy

Posted on Tue Jan 17, 2012 12:37 pm

It all depends on the know-how. The better firewalls are much better, but are also harder to learn to use properly. A few friends of mine work with professional stuff and still use miniITX boards with premade firewall OSS deployments at home. Once set up, which is basically an image burned to flash, they are just as GUI and CLI as any other decent firewall.

Fortinet have good stuff. Personally I use Juniper SSG-series (SSG-5) based on ScreenOS. The Cisco comparative of that is an ASA5505. Those three would be my main choices for anything remotely called high-end, and that is home user high end, or decent for a SOHO solution.
Aphasia

Re: High end home firewall/proxy

Posted on Tue Jan 17, 2012 1:39 pm

The Fortinet gear looks nice, but boy they make it hard to get useful information. Definitely focused at the business user. They want full contact info to give you any real info.

The Juniper SSG gear is in the range of what I'm after and looks reasonably comparable to the ZyWall and NetGear.

Thanks for the note on the NetGear GUI.

Right now, it looks like I will be picking up a Zywall USG 50 on the way home. Beyond being 1/2-2/3 the price of the others, the local Frys has them in stock and one of the guys here at work has one. No complaints from him either, other than his was $500 when he bought it.

Oh, and to those commenting on the custom Linux/BSD solutions, I wholeheartedly agree that you can put together a much much better solution going that route that will do exactly what you want, efficiently and effectively. I'm trading money for time here as I have other hobbies to spend my time on. While it is the fun, geeky thing to do, if I can spend less money and time and get what I need, off the shelf, I'm headed that route. Whatever I do, I will report back my experience though.

--SS
SecretSquirrel

Re: High end home firewall/proxy

Posted on Fri Jan 27, 2012 11:28 pm

So I thought I'd report back after a while regarding the Zywall. All-in-all, not a bad system, especially for the money. Very configurable. The web interface is a bit sluggish at times, but not horrible to use. And if the web interface annoys you, there is command line for everything, including some stuff you can't do from the web interface. Very modular system and pretty flexible. So far I have only come across one "well that is stupid" item.

When you set up content filtering, you create a profile, which defines what kind of content to filter, and then you set a policy which selects to which systems the profile is applied. My thinking? Great, I set up a profile for social networking, another for audio/video streaming, another for instant messaging sites, and so on. Then I can set up policies for each one applying them to the range of IPs I want to have filtered and enable/disable as needed. Turns out that when a URL is checked against the policies, the system goes to the first policy match and applies the profile associated. If the URL doesn't fall foul of that profile, it is allowed past, even if it would be blocked by another active profile. This means that a source IP address can only match one policy. Not a huge deal, but it prevents you from doing something like setting up general filtering for something, say adult content, and then setting up scheduled filtering on something else, like email or YouTube.

Now for the down side.... I'm not a whole lot closer to solving my problem than I was before. The reason? Damn SSL. All the content and URL filtering is rendered useless since most things use SSL connections these days. Block mail.google.com? Not a problem, load up https://mail.google.com. Block https traffic altogether and you might as well shut down anything you have to log in to. The Android Google Voice client? It uses an SSL connection for all non-voice traffic so you can't even really block it. The security side of me says this is good. The network admin side of me is mightily annoyed.

So, as far as the parental blocking goes, I'm back to "you screw up with one thing and all access on all your devices goes away". I am going to keep the Zywall though. I have been meaning to replace my old Netgear for a long time and having network level virus scanning will certainly be nice.

I did take a bit of time to pull down and play with Untangle. I set up a test install in a VM and I must say, I was very impressed. Very easy to use and very nice interface. The content filter does slightly better at handling custom URLs than the Zywall does. However, it still suffers from the same SSL issues as the Zywall. Its content filter will block SSL connections, but only by IP address, not by URL, and you have to pay for the commercial content filter package for that. This brings me to the other point about Untangle. If you exceed the capabilities of the free (lite) setup and need to go with the commercial package, you pay dearly. Content filtering, which would be ~$90 a year for the Zywall is ~$270 a year for Untangle. While you get a little more in functionality, I don't think it is that much more.

The commercial Smoothwall appliances do SSL connection filtering, but I can't find a published price for them or for the per computer licenses needed, which likely means that it falls into the "if you have to ask" category.

Just my thoughts and comments.
--SS
SecretSquirrel
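The first-match policy behaviour described in the post above, modelled as an added Python example (constructed profiles, policy names and address ranges; this is not ZyXEL's code). first_match_verdict reproduces the ZyWALL semantics the poster ran into, all_match_verdict shows the evaluation he expected, and merged_policy is the workaround under first-match semantics: one policy per source range whose profile is the union of the separate profiles.

```python
import ipaddress
from dataclasses import dataclass

# Constructed category profiles (hostname sets); a real appliance uses vendor lists.
PROFILES = {
    "social": {"facebook.com", "twitter.com"},
    "im": {"talk.google.com", "voice.google.com"},
    "streaming": {"youtube.com"},
}

@dataclass
class Policy:
    name: str
    source: ipaddress.IPv4Network   # which client addresses the policy applies to
    profile: str                    # key into PROFILES
    enabled: bool = True

def matching_policies(policies, src_ip):
    ip = ipaddress.ip_address(src_ip)
    return [p for p in policies if p.enabled and ip in p.source]

def first_match_verdict(policies, src_ip, host):
    """ZyWALL-style: only the first policy whose source range matches is consulted,
    so a host blocked by a later policy for the same range slips through."""
    hits = matching_policies(policies, src_ip)
    if hits and host in PROFILES[hits[0].profile]:
        return "block:" + hits[0].name
    return "allow"

def all_match_verdict(policies, src_ip, host):
    """What the poster expected: every matching policy's profile is checked."""
    for p in matching_policies(policies, src_ip):
        if host in PROFILES[p.profile]:
            return "block:" + p.name
    return "allow"

def merged_policy(policies, name):
    """Workaround under first-match semantics: a single policy for the range whose
    profile is the union of all enabled profiles (assumes all share one range)."""
    PROFILES[name] = set().union(*(PROFILES[p.profile] for p in policies if p.enabled))
    return Policy(name, policies[0].source, name)

KIDS = ipaddress.ip_network("192.168.1.0/28")   # constructed: the filtered devices
POLICIES = [
    Policy("kids-social", KIDS, "social"),
    Policy("kids-im", KIDS, "im"),
    Policy("kids-streaming", KIDS, "streaming"),
]
```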

Re: High end home firewall/proxy

Posted on Sun Jan 29, 2012 11:34 am

Just thought I'd throw in the idea of using ClearOS. If you have a spare tower laying around, just put in a secondary Ethernet card. 2 Ethernet ports, one connected to the outside world, and the other heading towards your home network. ClearOS used to be ClarkConnect. It's a Linux distro, specialised in being a firewall, gateway, web server, etc etc.... It has a web interface for configuring it once you have it installed.
moresmarterthanspock

Re: High end home firewall/proxy

Posted on Sun Jan 29, 2012 12:31 pm

I would second Fortinet, though I have only used it so far for businesses.
Coldfirex