Router/Gateway with Greater Security than traditional consumer equipment

silekonn

Aug 2, 2013
I currently utilize an off-the-shelf Netgear router. I am hoping to move to something with better security. I set up an Ubiquiti Unified Security Gateway (USG) and was told its advantage is in part IDS/IPS (among other features).

Some research shows options are numbered: Sophos, Sonicwall, Untangle, pfSense, Fortinet and Watchguard, among the up-and-coming consumer offerings Norton Core, Cujo (terrible reviews), BitDefender Box, etcetera. My budget is up to $1,000 or slightly north and, if necessary, $2-300 for a yearly subscription.

I am not a network administrator. I do have technology expertise. I set up the USG in a few minutes and the device only cost $110. It leads me to believe consumer equipment should and can be bested, and without paying for something astronomical (e.g. an $1x00 yearly Meraki subscription, before the price of the hardware). Can anyone recommend a step up?

Thanks in advance.
 
What do you actually plan to have running behind the router? If you do not have a server that you are providing some function to the internet, you do not actually need any fancy IDS etc. Any server is best placed in a hosting center where you get some of the IDS/IPS as part of the host service.

By default, with no port forwarding or DMZ options set, nothing can send traffic to any internal machine. This is purely because the NAT is stupid and when it does not know which machine to send traffic to it will drop it. So this is the same as a rule in a firewall that says block all traffic initiated from the internet, but even your lowest-end consumer router gives you that feature with the NAT.

Now if you are concerned about restricting your internal machines, then you have a much different problem.

In any case, if you don't want to spend much money, just buy a dual-NIC PC and load pfsense on it.
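The point Bill makes above (a NAT box with no port forwards drops anything it has no state for, and a port forward is exactly what opens an internal host) is easy to see in a toy model. The following is an added example and not code from the thread, from pfSense or from any router vendor; the `Packet` and `NatGateway` names, the address values (RFC 5737 documentation ranges) and the scenario in `demo()` are all constructed for illustration.

```python
# Added example (not from the thread): a toy model of the stateful NAT behaviour
# described above. Outbound flows create state; inbound packets that match that
# state (or an explicit port forward) are translated, everything else is dropped.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatGateway:
    """Minimal connection-tracking NAT (hypothetical class, for illustration)."""

    def __init__(self, wan_ip, forwards=None):
        self.wan_ip = wan_ip
        # Explicit port forwards: (proto, wan_port) -> (lan_ip, lan_port)
        self.forwards = dict(forwards or {})
        # Translation table keyed by what a reply looks like when it arrives on WAN:
        # (proto, wan_port, remote_ip, remote_port) -> (lan_ip, lan_port)
        self.state = {}
        self._next_port = 40000

    def outbound(self, pkt):
        """LAN -> WAN: allocate a public port, remember the flow, rewrite the source."""
        wan_port = self._next_port
        self._next_port += 1
        self.state[(pkt.proto, wan_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.wan_ip, src_port=wan_port)

    def inbound(self, pkt):
        """WAN -> LAN: returns ("reply" | "forward" | "drop", translated packet or None)."""
        key = (pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self.state:
            lan_ip, lan_port = self.state[key]
            return "reply", replace(pkt, dst_ip=lan_ip, dst_port=lan_port)
        fwd = self.forwards.get((pkt.proto, pkt.dst_port))
        if fwd is not None:
            lan_ip, lan_port = fwd
            return "forward", replace(pkt, dst_ip=lan_ip, dst_port=lan_port)
        # No state and no forward: the NAT has no idea which LAN host should get
        # this packet, so it drops it. That is the implicit "block all inbound".
        return "drop", None


def demo():
    """Constructed scenario; returns the decision for each inbound packet."""
    gw = NatGateway("198.51.100.7")  # constructed WAN address (RFC 5737 TEST-NET-2)
    # A LAN host opens a connection to a web server on the internet.
    out = gw.outbound(Packet("tcp", "192.168.1.20", 51000, "203.0.113.80", 443))
    # The server's reply matches the tracked flow and is delivered to the LAN host.
    reply = gw.inbound(Packet("tcp", "203.0.113.80", 443, gw.wan_ip, out.src_port))
    # An unsolicited inbound packet to port 22 matches nothing and is dropped.
    scan = gw.inbound(Packet("tcp", "203.0.113.9", 40001, gw.wan_ip, 22))
    # Adding a port forward is exactly what exposes an internal host.
    gw2 = NatGateway("198.51.100.7", {("tcp", 22): ("192.168.1.10", 22)})
    forwarded = gw2.inbound(Packet("tcp", "203.0.113.9", 40001, gw2.wan_ip, 22))
    return {"reply": reply, "scan": scan, "forwarded": forwarded}


if __name__ == "__main__":
    for name, (action, pkt) in demo().items():
        print(f"{name:10s} -> {action} {pkt}")
```

The model deliberately ignores timeouts, UDP, ICMP and hairpinning; the one thing it shows is that the "protection" of a plain NAT is the absence of a mapping, and every forward or DMZ entry you add is a mapping.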
 
pfsense can run very well on low-end x86 PCs. Running IDS and other services will use a lot of CPU.
You can go with a low-spec Atom or similar. There are a ton of options on Amazon.

I personally really like running it inside KVM on Proxmox. You can also run other virtual servers on the same box: NAS, Plex, etc.
I run ipfire on the edge with QoS and Squid/clamav and then pfsense for snort, vlan/trunking.
Unifi switch, the Unifi 8-60W is great, and Unifi APs. vlan/trunking is also easy on these.
I'd recommend Xeon, 8G ECC RAM, ZFS mirror w/ SSD cache if you want a box for KVM. $700 for the box, switch is 110, APs 80-100 ea, all the software is free.
 

silekonn

Aug 2, 2013
It took me a while to return. To begin, what should have been clarified was I am seeking a minimal-maintenance system. I would like something my family can use without having to ask for exclusions and reconfiguration. If it works out I will recommend a similar setup for other family members. Is pfSense the solution?
 
Again, what is your goal? What are you trying to prevent?

From what you have said so far, you need nothing to protect your internal machine from attack if you have no port forwarding or DMZ settings. The NAT by itself prevents any attack from the internet from reaching your internal machines.

If you want to prevent your internal machine from doing something on the internet, that is a quite involved configuration.
 

Any rule-based firewall will be better than your consumer NAT box, and most will let you bring it home, plug it in, change a password and fire it up, and it will work with its default settings; but if you want to configure further features, like Bill asks what you want to do with it, then additional, non-trivial configuration is required.

Security is a package thing and should be multi-layer, no one expensive box can take care of it all for you.
 

jfreggie2

Sep 16, 2013
I agree with most of the comments in here. My favorite thing about something a bit more upscale from your typical NAT gateway would be the ability to geo-block. You would be amazed at the amount of traffic that tries to talk to/from China or Russia. pfSense would be a good option if you've got an old computer laying around; you can also get some prebuilt ones from them. They're pretty easy to set up and have a ton of help online.
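Geo-blocking as jfreggie2 describes it comes down to one mechanism: the firewall maps the WAN-side address of each packet to a country via a prefix list and applies a block rule per country. The following is an added example and not code from the thread or from pfSense; the `COUNTRY_PREFIXES` table, the pseudo country codes `XA`/`XB`, the log line format and the addresses (RFC 5737 and RFC 3849 documentation ranges) are all constructed for illustration, not a real geolocation feed.

```python
# Added example (not from the thread): geo-blocking reduced to its mechanism,
# matching each WAN source address against per-country prefix lists. Prefixes
# and log lines are constructed; a real deployment loads a maintained feed.
import ipaddress
import re

# Constructed country -> prefix lists (documentation ranges, pseudo country codes).
COUNTRY_PREFIXES = {
    "XA": ["203.0.113.0/24", "2001:db8:a::/48"],
    "XB": ["198.51.100.0/25"],
}
BLOCKED_COUNTRIES = {"XA", "XB"}

# Constructed firewall-style log lines: "<time> <iface> <proto> <src>:<port> -> <dst>:<port>"
LOG_LINES = """
2013-09-16T10:00:01 wan tcp 203.0.113.7:51234 -> 192.0.2.10:22
2013-09-16T10:00:02 wan tcp 198.51.100.200:4433 -> 192.0.2.10:443
2013-09-16T10:00:03 wan udp 198.51.100.40:5060 -> 192.0.2.10:5060
2013-09-16T10:00:04 wan tcp [2001:db8:a::1]:2222 -> [2001:db8:f::10]:22
""".strip().splitlines()

# IPv6 literals are bracketed in the constructed format; the brackets are optional here.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<iface>\S+)\s+(?P<proto>\S+)\s+"
    r"\[?(?P<src>[0-9a-fA-F.:]+?)\]?:(?P<sport>\d+)\s+->\s+"
    r"\[?(?P<dst>[0-9a-fA-F.:]+?)\]?:(?P<dport>\d+)$"
)


def compile_prefixes(table):
    """Flatten the table into (country, network) pairs, longest prefix first."""
    nets = [(cc, ipaddress.ip_network(p)) for cc, prefixes in table.items() for p in prefixes]
    return sorted(nets, key=lambda cn: cn[1].prefixlen, reverse=True)


def country_of(ip, nets):
    """Return the country code of the first (longest) matching prefix, or None."""
    addr = ipaddress.ip_address(ip)
    for cc, net in nets:
        if addr.version == net.version and addr in net:
            return cc
    return None


def decide(line, nets, blocked=BLOCKED_COUNTRIES):
    """Return (src_ip, country_or_None, "block" | "pass") for one log line."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    src = m.group("src")
    cc = country_of(src, nets)
    return src, cc, "block" if cc in blocked else "pass"


def filter_log(lines=LOG_LINES, table=COUNTRY_PREFIXES):
    """Apply the geo-block decision to every line; unknown addresses pass."""
    nets = compile_prefixes(table)
    return [decide(line, nets) for line in lines]


if __name__ == "__main__":
    for src, cc, action in filter_log():
        print(f"{action:5s} {src:20s} country={cc}")
```

Two properties worth noticing: an address that falls in no prefix passes (geo-blocking is a deny list, not an allow list), and the match is by longest prefix, so a more specific range assigned to one country wins over a broader one. The quality of the result is entirely the quality of the prefix feed.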
 

silekonn

Aug 2, 2013
The understanding was in large part geo-block. I asked this question in another forum and they are gearing toward Sophos or pfSense. A fair discussion about the difficulty in setting it up and smoothing out the kinks. I can spend time with it for a while (in weeks) to understand and reconfigure. Any opinions contrary to one of the two? Thank you for everything.
 
Not familiar with Sophos, but I use pfsense. The good thing about PF is it's been around for a while, so large community support, although that doesn't mean folks will respond to totally green questions, and you can audition it for as long as you want as the software is totally free; use practically ANY old standard PC with 2 (Intel preferred) NICs and it should install no problem. Once you want to stay with it, the parent company Netgate will sell you a pre-loaded box if you so choose, rather than using your own hardware.