[SOLVED] Age old question - do I need a separate hardware firewall for my home office?


whynotme

Aug 20, 2019
I work from home and have about 30 devices connected to my wifi network, both primary and guest. Using a Linksys mesh system with primary router and 2 satellites. What is your opinion on the age-old question - would I benefit from having a separate hardware firewall like a Firewalla or Fortinet device? I use Norton 360 on all machines and phones and have Windows Defender turned on as well on PCs. I'm debating getting a firewall, mostly because I love technology and it's not like it would hurt to have the extra protection?
What do you say?
 
Protection from what.

Your router, just because it uses NAT and is stupid, blocks any ability for someone on the internet to attack your internal machines. Pretty much the router does not know which of your internal machines to send unknown traffic to, so it tosses it away.

Protecting from someone attacking you from INSIDE your network is massively complex. LAN is designed to promote fast and easy communication between machines. You would have to somehow force all traffic between machines to pass through the firewall. It is technically possible using the concept of private VLANs, but not something that is supported on consumer grade equipment. Even a lot of commercial equipment does not have this feature.

Pretty much if you have an untrusted person already inside your building they could in theory just cable around your firewall.

You can I guess set the firewall on the end machine to be "public" network, but that will make it impossible to use many of the file and printer sharing functions in Windows.
 
I guess protection from the ever-increasingly complex cyberattacks powered by AI. I know the likelihood of me being a target is slim to none. Sounding like I don't need an extra piece of hardware sitting in my office for very little advantage over what I currently have. Thanks for your thoughts.
 
Again nothing can get in via a direct attack because of NAT.

Almost all current attacks are indirect, mostly against the person sitting behind the computer. Not much a firewall or any kind of software can do to protect someone who was tricked into running something.

The encryption of data both protects the user's data and prevents things like firewalls from seeing data that is attempting to deceive the user.
 
Understood. You've saved me $500 from buying a firewall.
 
You can technically get a firewall capable of inspecting certain encrypted traffic (anything using SSL/TLS and going over the right ports). A $500 model would probably not do it well enough, and if you did find one that could then you'd have to pay the subscription fee to keep using it (and usually to get firmware updates). And depending on your Internet service and how fast your Wi-Fi devices are, pay even more to get one that could do it without reducing throughput of those connections. A tabletop device that can do 2.5Gbps pure throughput may be reduced to 300Mbps doing inspection and still cost over $1000 with just one year of the feature subscription; a rackmount unit capable of 6Gbps might still not manage 1Gbps with inspection and cost $4000. And you'd need to install the SSL certificate from the firewall on all the devices to allow it to act as "man in the middle" in order to be able to do the inspection without triggering warnings in the browsers/apps.

The main purpose of these firewalls and the additional features over a basic router is not keeping outsiders from getting in. It's keeping YOUR devices from doing bad things, or accessing bad servers, through intrusion prevention, data loss prevention, malware scanning both in and out for web and email traffic, website filtering, geo-location, etc. Some of those are considered "basic" features that you can always have enabled while others are part of subscription packages for "full security". Now that nearly every website uses HTTPS and browsers are often set to block unencrypted sites by default (or at least warn the user), many of the features are much less useful without the higher level services and using deep packet inspection, and if they're using any other kind of encryption than TLS for the data then there's no way your firewall can detect or scan the content, even if you knew which ports to monitor. The vendors know that if you're concerned about that sort of thing you're probably running a big network and are going to be willing to drop a wad of cash every year to get whatever protection you can.

If you were running any kind of servers inside your network, so that you were using port forwarding or even routing a public subnet, then the firewall's features would also be able to protect from some inbound attacks on those ports while still passing legitimate inbound connections. Most of them also provide a VPN server and their proprietary client, or an open server with which you can use any client, so that you don't have to run that on a system behind your router and provide an attack surface.
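The two mechanisms the replies lean on, a NAT router discarding inbound traffic it has no mapping for, and a port forward deliberately re-opening one inbound path to a server, as a toy connection-tracking model. This is an added example, not code from the thread or from any router vendor; the class, method names and the 192.168/198.51.100/203.0.113 addresses are all constructed for illustration.

```python
# Added example (not from the thread): a minimal model of a NAT router's
# connection table, showing why unsolicited inbound packets have nowhere to go
# and how an explicit port-forward rule changes that for one service.
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# (internal_ip, internal_port, remote_ip, remote_port) for one outbound flow
Flow = Tuple[str, int, str, int]


@dataclass
class NatRouter:
    public_ip: str
    next_port: int = 40000                      # next public port to hand out
    table: Dict[int, Flow] = field(default_factory=dict)   # public_port -> flow
    forwards: Dict[int, Tuple[str, int]] = field(default_factory=dict)
    dropped: int = 0                            # packets discarded for lack of a mapping

    def outbound(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> int:
        """A LAN host starts a connection: record the mapping, return the public port."""
        for pub_port, flow in self.table.items():
            if flow == (src_ip, src_port, dst_ip, dst_port):
                return pub_port                 # already tracked, reuse the mapping
        pub_port = self.next_port
        self.next_port += 1
        self.table[pub_port] = (src_ip, src_port, dst_ip, dst_port)
        return pub_port

    def inbound(self, src_ip: str, src_port: int, dst_port: int) -> Optional[Tuple[str, int]]:
        """A packet arrives from the internet. Return (ip, port) of the LAN target,
        or None when the router has no idea who it is for and throws it away."""
        flow = self.table.get(dst_port)
        if flow is not None and flow[2] == src_ip and flow[3] == src_port:
            return flow[0], flow[1]             # reply to a connection a LAN host opened
        if dst_port in self.forwards:
            return self.forwards[dst_port]      # service the owner chose to expose
        self.dropped += 1                       # no mapping, no forward: discarded
        return None


if __name__ == "__main__":
    r = NatRouter("203.0.113.5")
    pub = r.outbound("192.168.1.10", 51000, "198.51.100.20", 443)
    print("reply delivered to", r.inbound("198.51.100.20", 443, pub))
    print("unsolicited packet to port 22 ->", r.inbound("198.51.100.99", 5555, 22))
    r.forwards[22] = ("192.168.1.50", 22)       # owner adds a port forward for a server
    print("after port forward ->", r.inbound("198.51.100.99", 5555, 22))
```

The port-forwarded host is the one case where inbound packets from arbitrary sources reach a LAN machine, which is exactly where the reply above says a firewall's inbound protections start to matter.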
 
I appreciate the advice. I've decided a firewall is not necessary for my purposes of keeping unwanted actors out. Sounds like my router and Norton combo does what I want.
 