Writings on NGFW/UTM Firewalls for Home users: Sophos XG

Curious about better protection and wanting to learn about NGFW/UTM firewalls, I started playing with some of them. I have used pfSense and OPNsense (second best to me) and ended up with the free Sophos XG Home Edition firewall, because it is a fully featured, modern next-generation firewall for home users.

With Sophos XG Home Edition you get:

  • Basic & extensive firewall functionality
  • Support for TLS 1.3, IPv4 & IPv6
  • Antivirus, malware scanning & zero-day protection
  • Intrusion prevention
  • Sophos X-Ops real-time threat protection
  • Web & application filtering
  • Continuous pattern updates (antivirus signatures, country-to-IP mappings)
  • Regular updates
  • Third-party threat feeds
  • Online support community
  • Remote management with Sophos Central (no VPN needed)
  • Remote access through VPN, site-to-site VPN
  • Extensive reporting and logging
  • Web and mail server protection
  • Traffic shaping
  • ZTNA for remote access
  • Wi-Fi hotspot management if you use Sophos Wi-Fi hotspots

The Sophos firewall is easy to install, but it requires registration to receive a free license. All you need is some basic hardware: the free Home Edition uses at most 6 GB of memory and 4 CPU cores (anything above that is not used by the free license), which is more than enough for a home situation. I installed the firewall software on a powerful HP Z230 SFF workstation with an HP NC365T 4-port network card in it, drawing approximately 30 watts.

In our situation a Netgear RBR-743 mesh network sits behind the firewall in AP mode. Throughput is even better in this configuration, because the Netgear network is now only needed for transport; its routing and firewall services are no longer used.

From our security setup, with application control blocking traffic classified as high-risk/insecure, we saw some devices initially making VPN sessions classified as insecure that can bypass firewalls; the ones that are secure are enabled, but one strange session was a Chinese phone (Realme GT-2) making VPN tunnels to China. In this setup DoH (DNS over HTTPS) is blocked because it can be insecure, so we had to disable that block in order to use NextDNS as our DNS provider. Other things to be seen are traffic that does not comply with protocol rules and is therefore denied.
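The three kinds of events described above (application-control blocks of tunnelling apps, blocked DoH, and "invalid traffic" drops for packets that violate protocol rules) are easy to pull out of the firewall's syslog feed and count per source host, so a device like the phone tunnelling to China stands out immediately. The script below is an added example for this post; it is not code from the post or from Sophos. The sample log lines are constructed, and the field and value names it relies on (log_subtype="Denied" and "Invalid Traffic", app_category, application="DNS over HTTPS", dst_country) are assumptions modelled on Sophos' key=value syslog format, so check them against your own log viewer before trusting the counts.

```python
"""Summarise the events a home admin wants to see from a Sophos-style syslog
feed: application-control blocks of VPN/proxy tunnels, blocked DNS-over-HTTPS,
and "invalid traffic" drops (packets violating protocol/state rules).

Added example for this blog post; not code from the post or from Sophos.
The sample lines are constructed, and the field/value names
(log_subtype="Denied"/"Invalid Traffic", app_category, application="DNS over HTTPS")
are assumptions modelled on Sophos' key=value syslog format.
"""
import re
from collections import defaultdict

# Matches key=value and key="quoted value" pairs; quoted values may contain spaces.
_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# App-control categories that can tunnel past web/app filtering (assumed names).
TUNNEL_CATEGORIES = {"Proxy and Tunnel", "VPN"}

# Constructed sample log (not real firewall output). The third line is an
# allowed VPN, which the classifier must ignore; the last is an invalid-traffic drop.
SAMPLE_LOG = """\
device="SFW" date=2024-03-02 time=21:14:07 log_type="Firewall" log_subtype="Denied" fw_rule_id=12 src_ip=192.168.10.57 dst_ip=203.0.113.9 dst_country="CHN" application="Shadowsocks" app_category="Proxy and Tunnel" app_risk=5
device="SFW" date=2024-03-02 time=21:14:09 log_type="Firewall" log_subtype="Denied" fw_rule_id=12 src_ip=192.168.10.57 dst_ip=203.0.113.9 dst_country="CHN" application="Shadowsocks" app_category="Proxy and Tunnel" app_risk=5
device="SFW" date=2024-03-02 time=21:15:30 log_type="Firewall" log_subtype="Allowed" fw_rule_id=3 src_ip=192.168.10.20 dst_ip=198.51.100.4 dst_country="NLD" application="WireGuard" app_category="VPN" app_risk=2
device="SFW" date=2024-03-02 time=21:16:02 log_type="Firewall" log_subtype="Denied" fw_rule_id=12 src_ip=192.168.10.33 dst_ip=198.51.100.77 dst_country="USA" application="DNS over HTTPS" app_category="Proxy and Tunnel" app_risk=4
device="SFW" date=2024-03-02 time=21:17:45 log_type="Firewall" log_subtype="Invalid Traffic" fw_rule_id=0 src_ip=192.0.2.200 dst_ip=192.168.10.1 dst_country="RUS" application="" app_category="" app_risk=0
"""


def parse_line(line):
    """Return the key/value fields of one log line as a dict (quotes stripped)."""
    fields = {}
    for m in _KV.finditer(line):
        quoted = m.group(3)
        fields[m.group(1)] = quoted if quoted is not None else m.group(2)
    return fields


def classify(fields):
    """Return the event kind for one parsed line, or None if it is not of interest."""
    subtype = fields.get("log_subtype")
    if subtype == "Invalid Traffic":
        return "invalid_traffic"
    if subtype != "Denied":
        return None                     # allowed traffic is not interesting here
    if fields.get("application") == "DNS over HTTPS":
        return "doh_blocked"            # checked first: DoH also sits in a tunnel category
    if fields.get("app_category") in TUNNEL_CATEGORIES:
        return "tunnel_blocked"
    return None


def summarise(log_text):
    """Aggregate events per source host so a repeat offender stands out."""
    tunnels = defaultdict(lambda: defaultdict(int))   # src_ip -> (app, country) -> count
    doh = defaultdict(int)                            # src_ip -> count
    invalid = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        kind = classify(f)
        if kind == "tunnel_blocked":
            tunnels[f["src_ip"]][(f["application"], f["dst_country"])] += 1
        elif kind == "doh_blocked":
            doh[f["src_ip"]] += 1
        elif kind == "invalid_traffic":
            invalid += 1
    return {
        "tunnel_blocked": {ip: dict(apps) for ip, apps in tunnels.items()},
        "doh_blocked": dict(doh),
        "invalid_traffic": invalid,
    }


if __name__ == "__main__":
    report = summarise(SAMPLE_LOG)
    for ip, apps in report["tunnel_blocked"].items():
        for (app, country), n in apps.items():
            print(f"{ip}: {n}x blocked {app} tunnel to {country}")
    for ip, n in report["doh_blocked"].items():
        print(f"{ip}: {n}x DoH blocked")
    print(f"invalid-traffic drops: {report['invalid_traffic']}")
```

Point the script at a syslog file exported from the firewall (or a syslog collector the firewall forwards to) instead of SAMPLE_LOG. Grouping by source IP and destination country is what makes the odd device visible: a phone that repeatedly opens a proxy tunnel to one country shows up as a single line with a high count, while the one-off invalid-traffic drops from the internet side are just noise to keep an eye on.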

Until today, updating was never a problem. If mail is configured you will receive a notice, and logging on to the web interface also shows new versions that can be installed with a few acknowledging clicks. The previous version is kept on the device, so in case of any problem rolling back is easy. A link to the release notes is presented in the web interface.

[Screenshot: the Sophos XG web interface]

Fortinet Fortigate Hardware Appliance

The other firewall I am using at home to play with and learn FortiOS is the FortiGate 90D. It is a fast and very usable firewall with a different web interface. The problem with older FortiGates is that you need an expensive yearly license for the NGFW (UTM) capabilities, firmware updates are hard to get without a Fortinet support contract, and on this model only TLS 1.2 inspection is supported, as on most older models.

An advantage of this FortiGate is the in-house built ASICs Fortinet uses. In our home situation 20 percent of the traffic is handled by this dedicated processor, which keeps the load on the CPU low and traffic handling fast.
Another advantage is the built-in DNS server: it forwards to the externally configured DNS servers but keeps records cached longer, so on average 80% fewer external queries are needed, which can speed up sites that need 30 to 50 different external sources to load.
Side note: keep in mind that in general these firewalls are intended for company use and lack things like UPnP, so for gaming you need to manually enable port forwarding, which is more secure anyway. Home devices like the Nest thermostat or the Bluesound Node work without any problems.
