As I've built upon my existing home lab with new tools and security features, one of the most enjoyable aspects I've come across has been the networking side of things. Deploying OPNsense and having it communicate with my ISP to obtain an IP address over PPPoE felt like magic, and since then, I've spent hours looking into security solutions and improvements I can deploy. I ventured down the rabbit hole of Intrusion Detection and Prevention (IDS and IPS), and came across tools like CrowdSec, Suricata, and Zenarmor. Of all the software I've used in this realm, Zenarmor turned out to be my favorite.
In my case, I had initially deployed Suricata and CrowdSec, though I discovered that Suricata simply does not work with a PPPoE connection. This left me in a bit of a rough spot when it came to IPS, though I researched some more and found Zenarmor as a tool that was often touted as a Suricata alternative and worked with PPPoE. For the uninitiated, Zenarmor is a powerful plugin that turns my OPNsense deployment into a next-generation firewall (NGFW). It has advanced security features that can be applied on a per-device basis, detailed reporting and logs, and the ability to block new and emerging threats so that your devices can't communicate with them.
Taking things a step further, in an enterprise environment, Zenarmor also supports TLS inspection, which decrypts traffic, inspects it, then re-encrypts it and sends it on its way. You need some fairly beefy hardware to support it, and it's also not recommended in most contexts, as it's essentially a man-in-the-middle attack that you control, with the firewall becoming a single point of failure for every encrypted connection. There are situations where a company may wish to deploy it, but by and large, most enthusiasts won't ever need or want to use this feature.
I recently received a trial of the highest tier of Zenarmor that includes the TLS inspection feature. Having used Zenarmor for quite a while now, I don't see any reason to stop using it.
About this article: I received a free trial of the SSE Zenarmor tier for testing. The company did not have any input into the contents of this article.
Zenarmor is a Swiss Army Knife of tools
You get a lot of control, especially on higher tier subscriptions
While tools like Suricata are free to use on any network (and the pro version is free as well with telemetry enabled), there are two downsides. The first is that Suricata won't work on a PPPoE connection, and the second is that the UI is rather rudimentary. It gets the job done, but any advanced data filtering would need to be done by you from the log file. In contrast, Zenarmor works on any interface and generates reports and filters for you in the UI. All data can be exported to an external Elastic database too (which I do), and you can access your firewall logs from either OPNsense or Zenarmor's website.
From Zenarmor's UI, you can look at blocked sites, initiate a WHOIS query on any domain in your reports, and choose to block or allow sites based on categories by default. When analyzing your data, you can filter by category, which means you can do things like only show entries that relate to social media or video streaming. The advanced security options, like "Recent Malware/Phishing/Virus Outbreaks" and "Botnet Command & Control", do exactly as they sound, and will apply to all traffic that flows outbound from your network. That means even compromised IoT devices can, in theory, be at least somewhat protected from communicating back home.
You can also block individual subcategories. You could block social media as a whole, or you could just block Facebook. You can enforce safe search network-wide, and with the highest tier you can block specific URLs outright. Finally, you can build a whitelist and a blacklist of URLs for things that are mistakenly flagged, and you can opt to send your justification to Zenarmor for their own records if you wish. It's a powerful tool that makes it very easy to control your network's firewall, with a great UI on top of it.
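To make the interplay between category blocks, per-app blocks and the whitelist concrete, here is a small policy evaluator. This is an added illustration and not Zenarmor's code; the precedence order (whitelist, then blacklist, then app, then category, then allow by default), the record layout, and the sample hosts are all assumptions chosen for the example. The point it demonstrates is that a whitelist entry has to be checked before any category verdict, otherwise a mistakenly flagged internal host stays blocked no matter how you configure the categories.

```python
"""Added example (not Zenarmor's code): a toy policy evaluator combining
allow/block lists, app-level (subcategory) blocks and category blocks.
Precedence order and record schema are assumptions for illustration only."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    allow_hosts: frozenset       # explicit whitelist, wins over everything else
    block_hosts: frozenset       # explicit blacklist
    block_apps: frozenset        # e.g. {"facebook"} without blocking all social media
    block_categories: frozenset  # e.g. {"botnet-c2", "social-media"}


def _matches(host, names):
    """Parent-domain match: an entry for example.com also covers www.example.com."""
    return any(host == n or host.endswith("." + n) for n in names)


def decide(policy, host, category, app=None):
    """Return (verdict, reason) for one connection.

    Assumed precedence: allowlist > blocklist > app block > category block > default allow.
    """
    host = host.lower().rstrip(".")
    if _matches(host, policy.allow_hosts):
        return "allow", "allowlist"
    if _matches(host, policy.block_hosts):
        return "block", "blocklist"
    if app and app.lower() in policy.block_apps:
        return "block", f"app:{app.lower()}"
    if category.lower() in policy.block_categories:
        return "block", f"category:{category.lower()}"
    return "allow", "default"


# Constructed sample connection records (hypothetical schema, not Zenarmor's log format).
SAMPLE_RECORDS = [
    {"host": "www.facebook.com", "category": "social-media", "app": "facebook"},
    {"host": "mastodon.example", "category": "social-media", "app": "mastodon"},
    {"host": "c2.malicious.example", "category": "botnet-c2", "app": None},
    {"host": "www.google.com", "category": "search", "app": "google"},
    # A mis-categorised internal host: the whitelist must override the category verdict.
    {"host": "tools.internal.example", "category": "botnet-c2", "app": None},
]

# A home-style policy: block only Facebook (not all social media) and known C2 categories.
HOME_POLICY = Policy(
    allow_hosts=frozenset({"internal.example"}),
    block_hosts=frozenset(),
    block_apps=frozenset({"facebook"}),
    block_categories=frozenset({"botnet-c2"}),
)


def evaluate(records, policy):
    """Apply the policy to every record; returns (host, verdict, reason) tuples."""
    return [(r["host"], *decide(policy, r["host"], r["category"], r["app"])) for r in records]


if __name__ == "__main__":
    for host, verdict, reason in evaluate(SAMPLE_RECORDS, HOME_POLICY):
        print(f"{verdict:5} {host:28} ({reason})")
```

Run as a script it prints one verdict per record; the Mastodon host stays allowed even though Facebook is blocked, and the whitelisted internal host is allowed despite its bogus category.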
The free version limits some of this, preventing you from accessing the more advanced security options like recent malware outbreaks, but what you get out of the box is more than good enough for a free user. The paid "Home" tier at $10 per month will give you access to it, and for some people, it's worth it. Other noteworthy features from paid tiers that you don't get in the free tier include cloud-scheduled reports, custom landing pages for blocked sites, time-based filtering, different filtering policies per interface, and RESTful API access from the business tier.
Zenarmor makes protecting your network easy
But it's not the only option, either
The beauty of Zenarmor is how simple it makes protecting your network. Everything is handled for you, and you don't need to dive into any additional settings if you don't want to. To be quite honest, the free tier is more than enough for most people who have a low threat profile. However, if you want just a little more, the Home tier at $10 a month might be worth it. From my research into the company, I was impressed that it seemed to genuinely care about balancing the needs of non-commercial, home users without themselves being abused by commercial users trying to get by on a cheaper tier.
Some people swear against Zenarmor, while others swear by it. I feel that there's a more nuanced position to take, in that not everyone needs it, but for those who want it, it does a great job. I like it, but that doesn't mean you have to. There's a free two-week trial that you can test out, and you can then try to get by on the free tier to see if it adds anything more to your setup. I use it concurrently with CrowdSec, and while I saw some users state that they had CPU-usage concerns running the two in tandem on a gigabit network, there have been no issues with my Pentium Gold 8505. I've assigned 16GB of RAM to my OPNsense VM out of an abundance of caution (and an excess of resources), but I was running this same setup on 8GB of RAM previously, too.
If you're looking for an NGFW platform to improve your network, I recommend giving Zenarmor a try. It's been one of the many tools that made deploying OPNsense in the first place worth it, and I can't imagine not using it in the future either, even if it's still on the free tier.
