Domestic hardware firewall

zom

Could you please advice hi-speed (360mb) hardware firewall for someone who wants to set up his own web server at home. Or at least router with decent firewall if you think this will be enough? Mostly for web activity, no email or spam filtering needed, VPN would be nice, but not necessary.

Almost forgot - price is main factor. Is it general rule for hardware firewalls (Zyxel, Cisco, FortiGate) to have licences for its features (renewal)?

zom

zom wrote: »

Could you please advice hi-speed (360mb) hardware firewall for someone who wants to set up his own web server at home. Or at least router with decent firewall if you think this will be enough? Mostly for web activity, no email or spam filtering needed, VPN would be nice, but not necessary.

Almost forgot - price is main factor. Is it general rule for hardware firewalls (Zyxel, Cisco, FortiGate) to have licences for its features (renewal)?

Personally a locked down Unix distro with iptables would do me, if you later wanted further functionality you can add as you go... For instance if you wanted a VPN solution then add OpenVPN. There are some specific distros designed for this (ipfire and pfsense) but personally i've never used them.

The professional solutions (FortiGate, CP, etc) are generally expensive and require yearly licenses, off the top of my head I can't think of a commercial FireWall that doesn't require this but my experience has been with enterprise level solutions, I've never looked into entry level stuff before. Having a quick google it looks like Cisco and Zyxel have some sub €200 solutions which might suit you but I've no personal experience with them.

Firewall is just one piece of the puzzle, make sure that person patches and keeps the server in a DMZ away from any other networked devices.

zom

Deleted User wrote: »

Personally a locked down Unix distro with iptables would do me, if you later wanted further functionality you can add as you go... For instance if you wanted a VPN solution then add OpenVPN. There are some specific distros designed for this (ipfire and pfsense) but personally i've never used them.

The professional solutions (FortiGate, CP, etc) are generally expensive and require yearly licenses, off the top of my head I can't think of a commercial FireWall that doesn't require this but my experience has been with enterprise level solutions, I've never looked into entry level stuff before. Having a quick google it looks like Cisco and Zyxel have some sub €200 solutions which might suit you but I've no personal experience with them.

Firewall is just one piece of the puzzle, make sure that person patches and keeps the server in a DMZ away from any other networked devices.

There will be no other networked devices, just server. Kind of mini hosting training, but doesn't want to end up with bunch of expolites spreading internet with spam from that machine.

I was considering separate PC with software firewall on it - how fast hardware I need to filter 360MB traffic? It may be not that competitive price-wise, I would aim in some small factor PC if any.

zom

zom wrote: »

I was considering separate PC with software firewall on it - how fast hardware I need to filter 360MB traffic? It may be not that competitive price-wise, I would aim in some small factor PC if any.

https://www.pfsense.org/hardware/#requirements

"101-500 Mbps No less than a modern Intel or AMD CPU clocked at 2.0 GHz. Server class hardware with PCI-e network adapters, or newer desktop hardware with PCI-e network adapters."

Some further reading....

http://arstechnica.com/gadgets/2016/01/numbers-dont-lie-its-time-to-build-your-own-router/

BoB_BoT

Sophos have a free version of their UTM firewall for home use. Might be worth looking at - https://www.sophos.com/en-us/products/free-tools/sophos-utm-home-edition.aspx

Also, if you're using a spare PC to run this, make sure you have gigabit NIC's.

syklops

zom wrote: »

There will be no other networked devices, just server. Kind of mini hosting training, but doesn't want to end up with bunch of expolites spreading internet with spam from that machine.

I was considering separate PC with software firewall on it - how fast hardware I need to filter 360MB traffic? It may be not that competitive price-wise, I would aim in some small factor PC if any.

Im confused. If you are only going to have a web server on it, what will the firewall be blocking access to?

Does it even need to be hosted on the internet?

ishotjr2

If its only a webserver then you need more a Web Application Firewall. That is tuned to find SQL injection/XSS...... etc... Developing signatures to discover attacks in stuff like Angular/Jquery/PHP etc..... will be a paid for service.

The idea that iptables will protect you and that is what every firewall vendor uses is not true. You will at least need a Suricata/Snort on top, you need to know what you are doing here, which comes down to how much time you have to invest. (You can get the emerging threat signatures for free).

If this is not a public facing website then just use a VPN. Or even use SSH as a SOCKS proxy there is even some firefox addons that make that easy. If this is a public facing website and you are not willing to buy a Web Application Firewall or pay for the signatures you should be confident that value of the information stored is proportional to the investment in security.