Like many internet users, I was content to protect my home network behind whatever passed for a firewall on my router, plus the software firewalls and antivirus solutions on my individual devices. I've used an encrypted password manager for years. I'm good at not visiting sketchy sites or clicking on suspicious links, and I thought I was doing a fairly good job at being safe online. But I've been exploring hardware firewalls lately, and they've shown me that my previous efforts weren't enough.
The firewall solutions I was using before only protected two points on my network, where data enters and leaves my home, and the barrier between my computer and the rest of the network. Those are still part of a good security setup, but they did nothing to stop any threats navigating inside the network. They were also the old style of firewall with rules only, and didn't offer any of the advanced security features of a modern hardware firewall. Now I've got one running on my network with all traffic passing through it, and not only is my network more secure, it's performing better as I've managed to block a ton of unnecessary traffic.
5 reasons you need a hardware firewall
Secure your entire network with a single network appliance.
5 Better control over network traffic
I can ensure my network traffic is mine, trusted, and going to the right places
The base function of a hardware firewall is to block unauthorized traffic on your network. It does this with a set of pre-defined rules that you adjust over time to match your specific networking needs. But it can also monitor your network traffic, build up a picture of the usual usage, and alert you if anything out of the ordinary starts happening, giving you a potentially early warning of threats.
A Next-Generation Firewall adds deep packet inspection to that list, checking more than just the headers on data packets to weed out potentially malicious ones. It can also do many other things, including:
- Apply GeoIP restrictions to block threats before they can try to connect
- Limit exposure of risky protocols
- Ensure specific programs can only communicate with the devices they need
- Run IPS/IDS software to identify and monitor threats
By adding more monitoring of network traffic and combining it with lists of known threats generated by the cybersecurity community, a hardware firewall can block most threats without human intervention. And by knowing which users should be on your network and their usual active hours, any traffic that falls outside those bounds can be looked at more closely to see if it's a threat.
4 Reduced threat risks
Having a network built on Zero Trust means I can sleep soundly
Between my hardware firewall and my wireless access points (APs), my network runs on a Zero Trust architecture, with every device that's connected to the network only given enough access to network resources to do what it needs to for functionality. This not only limits the amount of unnecessary network traffic, but if any device does get hacked, it can only access a few other things at most, and a limited list of IPs, protocols, and so on.
It also means that I get a notification when any device tries to connect to the network that hasn't before, so I can approve or deny the connection. Most of the time, this is one of the household smartphones reconnecting when the MAC address is rotated for privacy, but this lets me know that it'll work if something unknown tries to connect.
3 Segregating my IoT devices
Not limiting my smart home was really, really dumb
I used to have all of my smart home devices on the same SSID and LAN as the devices holding my personal data, but no longer. Granted, I didn't need a hardware firewall to accomplish this, as I could have used VLANs on a managed switch or even used the guest network on my old Wi-Fi router, but then I wouldn't have the rest of the functionality I now have access to. Smart home devices are often lacking in security or don't receive regular firmware updates to fix bugs, but by keeping them all on one VLAN that's away from everything else, and monitored by the firewall, the risk of any device getting hacked and infecting the rest of my networked devices is minimal.
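The rule-based filtering, the per-device approval step, and the IoT segregation described in the sections above can be modelled in a few dozen lines. The following Python is an added example, not code from this article or from any firewall product; the VLAN address ranges, MAC addresses, rule names and sample flows are all constructed for illustration. Rules are evaluated first-match-wins with an implicit default deny, the IoT VLAN can only reach DNS/NTP on the firewall and HTTPS on the internet, and a source MAC that is not in the known-device list is held for approval before the policy is even consulted.

```python
"""Toy model of a default-deny, VLAN-aware firewall policy with device approval.

Constructed example: VLAN ranges, MAC addresses and rule names are assumptions
for illustration and are not taken from any particular firewall.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional

TRUSTED = ip_network("10.0.10.0/24")       # laptops, NAS (assumed VLAN 10)
IOT = ip_network("10.0.20.0/24")           # TV, bulbs, plugs (assumed VLAN 20)
FIREWALL_IOT_GW = ip_network("10.0.20.1/32")  # firewall's address on the IoT VLAN
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Flow:
    src_mac: str
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                         # "allow" or "deny"
    src: object                         # ip_network
    dst: object                         # ip_network
    proto: Optional[str] = None         # None matches any protocol
    dports: FrozenSet[int] = frozenset()  # empty set matches any port

    def matches(self, f: Flow) -> bool:
        return (ip_address(f.src) in self.src
                and ip_address(f.dst) in self.dst
                and (self.proto is None or self.proto == f.proto)
                and (not self.dports or f.dport in self.dports))


# First match wins; anything unmatched falls through to the implicit deny.
RULES = [
    Rule("iot-dns-ntp-to-firewall", "allow", IOT, FIREWALL_IOT_GW, "udp", frozenset({53, 123})),
    Rule("iot-no-lateral-to-trusted", "deny", IOT, TRUSTED),
    Rule("iot-no-lateral-to-iot", "deny", IOT, IOT),
    Rule("iot-https-out", "allow", IOT, ANY, "tcp", frozenset({443})),
    Rule("trusted-manage-iot", "allow", TRUSTED, IOT),
    Rule("trusted-out", "allow", TRUSTED, ANY),
]

# Devices that have already been approved on the network (constructed).
KNOWN_DEVICES = {
    "aa:bb:cc:00:00:01": "living-room-tv",
    "aa:bb:cc:00:00:02": "laptop",
}


def evaluate(flow: Flow, rules=RULES):
    """Return (action, rule name) for the first matching rule, else default deny."""
    for r in rules:
        if r.matches(flow):
            return r.action, r.name
    return "deny", "default-deny"


def classify(flow: Flow, known=KNOWN_DEVICES):
    """Unknown MAC addresses are held for approval before the policy is consulted."""
    if flow.src_mac.lower() not in known:
        return "hold", "unknown-device-needs-approval"
    return evaluate(flow)


# Constructed sample flows; 203.0.113.10 is a documentation (TEST-NET-3) address.
SAMPLE_FLOWS = [
    Flow("aa:bb:cc:00:00:01", "10.0.20.50", "10.0.20.1", "udp", 53),        # TV DNS lookup
    Flow("aa:bb:cc:00:00:01", "10.0.20.50", "10.0.10.20", "tcp", 445),      # TV -> NAS (SMB)
    Flow("aa:bb:cc:00:00:01", "10.0.20.50", "203.0.113.10", "tcp", 443),    # TV -> internet
    Flow("aa:bb:cc:00:00:02", "10.0.10.20", "10.0.20.50", "tcp", 8080),     # laptop -> TV
    Flow("aa:bb:cc:00:00:01", "10.0.20.50", "203.0.113.10", "udp", 1900),   # TV SSDP outbound
    Flow("de:ad:be:ef:00:99", "10.0.20.77", "10.0.20.1", "udp", 53),        # never-seen MAC
]


def audit(flows=SAMPLE_FLOWS):
    """One (src, dst, proto, dport, action, reason) tuple per sample flow."""
    return [(f.src, f.dst, f.proto, f.dport) + classify(f) for f in flows]


if __name__ == "__main__":
    for row in audit():
        print(row)
```

Running it shows the TV's DNS lookup and HTTPS traffic allowed, its attempt to reach the NAS over SMB denied by the lateral-movement rule, its SSDP chatter to the internet dropped by the default deny, and the never-seen MAC held rather than evaluated. The deny rules sit before the broad `iot-https-out` rule on purpose: ordering is what makes a first-match policy safe.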
2 Layered security is the way
No single network security solution can do it all
No security method is going to be 100% effective all the time, whether it's antivirus, software or hardware firewalls, MAC address filtering, or other methods of access control. That's why we have car alarms and engine immobilizers to stack up with locked doors and wheel locks. No single device will guard your stuff every time, but stacking security in layers makes it very difficult or time-consuming for attackers to succeed.
Even inside my firewall, I have multiple layers of security, with rules-based packet inspection and default deny/allow rules backed up by deep packet inspection. The threat engine gets updates from the cybersecurity community when new threats are discovered, and it's smart enough to recognize patterns of possible malicious behavior even if it doesn't recognize the signature of the program making those network requests. Plus, it has a paired intrusion prevention system (IPS) and intrusion detection system (IDS) to flag issues and investigate, and it can quarantine downloaded files if it notices something amiss.
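The two detection layers mentioned above, signature matching against a threat list and pattern recognition that works without a signature, can be shown side by side on a small connection log. This Python is an added example, not the article's code or any IDS product's code; the log format, addresses and the threat-feed contents are all constructed. The first layer is an exact match against a feed, the second flags one source touching many distinct ports on one host inside a short window, which is the shape a port probe leaves in the logs regardless of which tool produced it.

```python
"""Two detection layers over a constructed connection log.

Layer 1: signature match against a tiny stand-in for a community threat feed.
Layer 2: behavioural rule needing no signature, flags one source hitting many
         distinct ports on one destination within a short window.
All addresses, timestamps and feed entries are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Stand-in for a threat feed (constructed; 192.0.2.0/24 is a documentation range).
THREAT_FEED_IPS = {"192.0.2.66"}

# Constructed connection log, one line per new connection:
# "<iso-timestamp> <src> -> <dst>:<dport> <proto>"
SAMPLE_LOG = """\
2024-05-01T02:13:07 10.0.20.50 -> 10.0.10.20:22 tcp
2024-05-01T02:13:08 10.0.20.50 -> 10.0.10.20:23 tcp
2024-05-01T02:13:08 10.0.20.50 -> 10.0.10.20:80 tcp
2024-05-01T02:13:09 10.0.20.50 -> 10.0.10.20:443 tcp
2024-05-01T02:13:09 10.0.20.50 -> 10.0.10.20:445 tcp
2024-05-01T02:13:10 10.0.20.50 -> 10.0.10.20:3389 tcp
2024-05-01T09:00:00 10.0.10.20 -> 10.0.20.1:53 udp
2024-05-01T09:00:01 10.0.10.20 -> 192.0.2.66:443 tcp
2024-05-01T09:05:00 10.0.10.30 -> 10.0.10.20:445 tcp
"""


def parse_line(line: str) -> dict:
    ts, src, _arrow, dst_port, proto = line.split()
    dst, dport = dst_port.rsplit(":", 1)
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "dport": int(dport), "proto": proto}


def parse_log(text: str) -> list:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def signature_hits(events, feed=THREAT_FEED_IPS):
    """Layer 1: any connection to or from an address on the feed."""
    return [e for e in events if e["dst"] in feed or e["src"] in feed]


def port_probe_hits(events, min_ports=5, window=timedelta(seconds=30)):
    """Layer 2: per (src, dst) pair, count distinct ports inside a sliding window."""
    by_pair = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_pair[(e["src"], e["dst"])].append(e)
    alerts = []
    for (src, dst), evs in by_pair.items():
        for i, first in enumerate(evs):
            ports = {x["dport"] for x in evs[i:] if x["ts"] - first["ts"] <= window}
            if len(ports) >= min_ports:
                alerts.append({"src": src, "dst": dst, "ports": sorted(ports),
                               "start": first["ts"]})
                break  # one alert per pair is enough for the operator
    return alerts


def run(text: str = SAMPLE_LOG) -> dict:
    events = parse_log(text)
    return {"signature": signature_hits(events),
            "behaviour": port_probe_hits(events)}


if __name__ == "__main__":
    result = run()
    for hit in result["signature"]:
        print("FEED MATCH", hit["src"], "->", hit["dst"])
    for alert in result["behaviour"]:
        print("PORT PROBE", alert["src"], "->", alert["dst"], alert["ports"])
```

On the sample log the feed layer catches the single connection to the listed address, while the behavioural layer catches the IoT-VLAN host walking six ports on the NAS in three seconds at 2 a.m., something no signature would have named. The thresholds (`min_ports`, `window`) are the knobs you tune against your own baseline to keep false positives down.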
1 Improved privacy
I can block ads and trackers from the source before they get onto my network
Most hardware firewalls run either Linux or FreeBSD, which means they're really little operating systems that are able to add modules written for them, or to host containerized services to add more functionality. That means you can add things like Pi-hole to blackhole any ad server requests, keeping them off your network and making DNS lookups faster.
But it's not just advertising that can be blocked. Smart devices, particularly TVs, are notorious for sending connection requests far more often than needed. These requests fill up your network's capacity and slow things down for everyone else, and it's not always easy to figure out which devices are the culprits. With a whole-house hardware firewall, I can see which devices are sending more requests than needed and block them from traversing the network.
To make this easier to do, I've inventoried every device on my network at the MAC address level and named them all properly in my firewall's management pages. That way, I don't have to waste time hunting for which device matches a MAC or IP address, and troubleshooting can start straight away to find misbehaving apps, devices, or other annoyances.
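The three pieces described in this section, sinkholing ad and tracker domains, spotting the devices that make far more requests than they need to, and naming devices by MAC so you don't have to hunt for them, come together naturally over a DNS query log. The Python below is an added example, not the article's code and not Pi-hole's; the inventory, the block list and the query log are all constructed. Block-list matching is by domain suffix, so one entry for `ads.example` covers every host under it.

```python
"""Turn a raw DNS query log into something a person can act on.

Maps MAC addresses to inventory names, matches queried names against a block
list by suffix (how a sinkholing resolver blocks a whole ad domain at once),
and ranks devices by query volume to surface the chatty ones.
The inventory, block list and log below are constructed for illustration.
"""
from collections import Counter

# Assumed MAC -> friendly-name inventory (constructed).
INVENTORY = {
    "aa:bb:cc:00:00:01": "living-room-tv",
    "aa:bb:cc:00:00:02": "laptop",
    "aa:bb:cc:00:00:03": "thermostat",
}

# Constructed block list; ".example" is a reserved TLD, so nothing here is real.
BLOCKLIST = {"ads.example", "telemetry.example"}

# Constructed query log: "<mac> <queried-name>" per line.
SAMPLE_QUERIES = """\
aa:bb:cc:00:00:01 metrics.tv-vendor.example
aa:bb:cc:00:00:01 banner.ads.example
aa:bb:cc:00:00:01 metrics.tv-vendor.example
aa:bb:cc:00:00:01 cdn.ads.example
aa:bb:cc:00:00:01 metrics.tv-vendor.example
aa:bb:cc:00:00:02 github.com
aa:bb:cc:00:00:03 api.thermostat.example
aa:bb:cc:00:00:01 ping.telemetry.example
aa:bb:cc:00:00:02 pypi.org
"""


def is_blocked(name: str, blocklist=BLOCKLIST) -> bool:
    """Suffix match: 'cdn.ads.example' is blocked by the entry 'ads.example'."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def device_name(mac: str, inventory=INVENTORY) -> str:
    """Friendly name from the inventory; unknown MACs are labelled so they stand out."""
    return inventory.get(mac.lower(), f"UNKNOWN({mac})")


def summarise(text: str = SAMPLE_QUERIES) -> dict:
    total = Counter()       # queries per device
    blocked = Counter()     # sinkholed queries per device
    by_domain = Counter()   # (device, name) pairs, to find the noisiest query
    for line in text.splitlines():
        if not line.strip():
            continue
        mac, name = line.split()
        dev = device_name(mac)
        total[dev] += 1
        by_domain[(dev, name.lower())] += 1
        if is_blocked(name):
            blocked[dev] += 1
    return {
        "total": dict(total),
        "blocked": dict(blocked),
        "top_talker": total.most_common(1)[0],
        "noisiest_query": by_domain.most_common(1)[0],
    }


if __name__ == "__main__":
    s = summarise()
    print("queries per device:", s["total"])
    print("sinkholed per device:", s["blocked"])
    print("top talker:", s["top_talker"])
    print("noisiest query:", s["noisiest_query"])
```

On the sample log the TV is both the top talker and the only device hitting block-listed domains, and the single noisiest query is its repeated lookup of a vendor metrics host that is not on the block list at all. That last line is the useful one: it tells you exactly which name to consider adding to the list, by device name rather than by a bare MAC.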
I don't know why it took me so long to switch, but I'm glad I did
I've always known about hardware firewalls, but I used to think they were only for enterprise environments, where thousands of users and devices are managed daily. Except my understanding was outdated, and I hadn't considered how many devices I have on my home network, or how many apps and services are constantly sending traffic to each other and outside my network. Now I know what's happening on my network, have visibility into any potential threats, and can see if anyone is probing my network to find security holes like open ports. The end result is a multi-layered approach to network security that I didn't have before, and every device on my network benefits.
