[SOLVED] Firewalls & Edge Routers

appletatoes

Sep 3, 2017
Hello,

I'm trying to understand the differences between the two and if an Edge Router can be used as a Firewall, or should that be a separate hardware device and/or computer? I would like to incorporate a Firewall for some of my clients and was going to look at just buying a simple Firewall device to place between their network and the Internet. I was only able to find a "Ubiquiti Networks EdgeRouter Lite 3-Port Router" on Amazon that seemed to have Firewall properties built into it. I know I could download pfSense and use that on a computer with Ethernet ports?

Are there hardware devices specifically just for Firewall purposes, or are these devices now called Edge Routers? Please help me understand, and if there are Firewall devices, could you please list some fairly affordable ones that would be great for, say, a small business.

Thank you,
Appletatoes
 
'Edge Routers' are typically the whole device that routes traffic between two different networks (typically your ISP's WAN and your internal network). Edge routers have 'firewall' functions built in. One of the most basic being SPI.
'Firewall' is a more general term that is many times used interchangeably with 'edge router' or just 'router' devices. There's no hard and fast rule with the nomenclature. Manufacturers can (and do) make up names for devices that some think fit with the device capabilities while others just say, "You gotta be kidding!"

Some devices will have better features or protect you from specific threats that others don't. You will need to pick the best device for your specific needs.

What do you currently have between your client's network and the internet? Is it just the ISP provided modem/router?
 
All home or SMB routers have some firewall capabilities. The most basic of the firewall capabilities is NAT. If you need more logging or more features, then a separate firewall device is needed.
 
Maybe better: what exact threat do you think you need a device to protect against? Don't just buy something because you heard the term and think that means you need one. You actually must configure firewalls for them to be most effective, and to do this you have to know what you intend to accomplish.

If you do not know what you need, the protection provided by NAT in even the cheapest router is likely good enough, since it prevents any access to your internal machines from the internet.
 
Right now it is just a modem and a separate router with WiFi built into the router. I could configure Firewall settings from the router itself, but thought it might be worthwhile if I placed a separate device between the modem and router to specifically handle traffic that is desired inside the network and traffic that is not desired, such as unwanted communication with specific websites and ports, and also to only allow traffic to communicate with specific MAC addresses, which I believe is configured more from the router.

What are your thoughts?

Thank you
 
I'd like to offer the ability to completely lock down a network while being able to offer a fairly simple but secure network setup. I intend on letting the business owners make the final decision, but I want them to have the options to be picky if they want to. So: preventing unwanted traffic, blocking websites, blocking certain ports, whitelisting and blacklisting websites, and also whitelisting and/or blacklisting MAC addresses within the network.
 
MAC address locking is pretty worthless. On Ethernet and some WiFi it is as trivial as typing in whatever you want in the NIC settings. You need something very advanced, like a Microsoft domain server, that forces a login and then can track the MAC/IP address. There are other ways to do it, but no simple firewall is going to do this.

Blocking websites is almost impossible even with the most advanced firewalls. The problem is everything is encrypted, so you can't actually look at traffic. To some extent you can spy on DNS calls, but Microsoft is going to make encrypted DNS standard very soon; it is already in some of the Win10 test builds. That leaves IP address blocking. Problem is everyone is using hosted services like Google, Microsoft, Akamai etc. You now have multiple web sites sharing the same IP address, and even if you found an IP it means little because they change for load balance reasons or to increase performance.

On top of all this, even the 10-year-old kid knows all he does is load a VPN to bypass anything you try to do.

What an actual firewall is generally used for is when you have a server that is providing a service to the internet and want to protect it. Since you must allow some access for it to work but want to limit certain attacks, for example leaving half-open sessions.

In most cases security is not the firewall, it is the person and their knowledge to configure them.
 
Thank you for the extensive reply. Would you mind explaining to me a simple setup that would be very locked down for a small business; say 4 workstations, 1 server and some wireless devices? If you could list the devices you would use to configure the network and maybe what key settings you would set on those devices, please.

Thank you
 
Your main problem is: if you cannot trust the users then it is hard; if you can trust the users then it is easy.

With trusted users all you need is the simple NAT in any router. This protects them from outside attack. For the end clients, generally the default Microsoft firewall and virus protection are fine. You generally do not worry about whether one user is going to attack another user inside the office.

Server is too generic a term to make a recommendation. A simple file share is far different than, say, some application with a large database running on it. You want to use settings on the server so that it only allows access to the users you want. Hard to say, since what you are doing on a "server" depends on the application.
The goal is to use the firewall on the server to limit access as much as you can and still have the device function. This is not so much that you worry about an intentional attack but more that someone hooks up a personal device with malware on it. There is no real protection from stupid people. Most companies try to have a rule that disallows personal devices, or they put in a guest network that only allows internet access.
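As an added illustration (not from this thread and not Ubiquiti's own documentation) of the NAT plus SPI protection described in the edge-router post above and the internet-only guest network mentioned here, the following is an EdgeOS configuration of the kind the EdgeRouter Lite named in the question accepts. It assumes eth0 is the WAN port, eth1 the office LAN on 192.168.1.0/24 and eth2 the guest network on 192.168.2.0/24; those port roles and subnets are assumptions, not something the thread states.

```text
# Added example: EdgeOS "set" commands, typed in configure mode on the router.
# Assumed port roles: eth0 = WAN, eth1 = office LAN (192.168.1.0/24), eth2 = guest (192.168.2.0/24).

# NAT: office and guest hosts share the router's public address, so nothing
# outside can address an internal machine directly (the basic protection above).
set service nat rule 5010 description 'Masquerade office and guest to WAN'
set service nat rule 5010 outbound-interface eth0
set service nat rule 5010 type masquerade

# SPI on the WAN side: default drop; only replies to connections started
# from inside are let through, and packets in an invalid state are dropped.
set firewall name WAN_IN default-action drop
set firewall name WAN_IN description 'WAN to internal'
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 description 'Allow established/related'
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_IN rule 10 state related enable
set firewall name WAN_IN rule 20 action drop
set firewall name WAN_IN rule 20 description 'Drop invalid state'
set firewall name WAN_IN rule 20 state invalid enable

# Same policy for traffic aimed at the router itself (its web UI, SSH, DNS).
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL description 'WAN to router'
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable

# Guest network: internet only. Anything headed for the office LAN is dropped
# before routing; everything else (the internet) is allowed.
set firewall name GUEST_IN default-action accept
set firewall name GUEST_IN description 'Guest to anywhere except office LAN'
set firewall name GUEST_IN rule 10 action drop
set firewall name GUEST_IN rule 10 description 'No guest access to office LAN'
set firewall name GUEST_IN rule 10 destination address 192.168.1.0/24

# Attach each rule set to the interface and direction it protects.
set interfaces ethernet eth0 firewall in name WAN_IN
set interfaces ethernet eth0 firewall local name WAN_LOCAL
set interfaces ethernet eth2 firewall in name GUEST_IN

commit
save
```

After `commit`, `show firewall statistics` on the router shows per-rule packet counters, which is the quickest way to confirm the guest drop rule and the WAN default drop are actually matching traffic.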
 
Solution
@bill001g's posts are spot on.
If you don't mind spending the $$$, there are some firewalls, edge routers, security appliances (whatever you want to call them) that offer some more advanced protections.
Meraki security appliances with the advanced security license offer advanced malware protection, an intrusion prevention system, and layer 7 geolocation blocking (so you could block all of Russia, China, North Korea, etc.). Cisco ASAs have the optional FirePOWER license that includes intrusion prevention and advanced malware protection. They offer some extra protections but do get expensive, and most are subscription-based.
 
You should not need any form of IPS or IDS. They are used to protect servers that you expose to the internet, like some web service. Most companies now use hosting services that include some of these functions.

In your case the devices you have are end client stations. You are not providing some data to internet users.

IPS and IDS can do almost nothing to protect end clients, because the data is encrypted and they can't see the traffic.