It’s true that traditional network firewalls no longer provide the absolute protection and peace of mind to network administrators that they once did. Many successful attacks today, such as phishing for user credentials or exploiting software vulnerabilities in web applications, are not blocked by simple filtering firewalls that inspect Transmission Control Protocol and User Datagram Protocol traffic against a white list of allowed protocols, sources, and destinations. Next-generation firewalls and unified threat management devices continue to pack new features and capabilities into the device that sits on the front line of your company’s protection from the internet, such as inspecting all email attachments and downloaded files that cross the firewall. These latest firewalls can be expensive and require recurring subscription fees to keep their threat intelligence feeds up to date. Fortunately, with options such as OPNsense, pfSense, and Sophos XG Firewall Home Edition, you can protect smaller networks or even home networks by using commercial firewall features at a fraction of the cost.
Historically, firewalls from front-runner companies such as Cisco and Check Point behaved like high-performance network routers that provided stateful firewall inspection through mostly static rules. These devices were reliable, provided high throughput, and supported complex router configurations. Networks could be isolated through virtual local area networks, and features such as port forwarding, network address translation, and virtual private networks (VPNs) enabled companies to securely access sensitive resources from the internet. Their high cost, however, made them impractical for smaller networks such as small office/home office (SOHO) or even small- to medium-sized businesses (SMBs). SOHO and SMB IT admins were often limited to the skimpy protections that their internet service provider (ISP) broadband modem/router offered.
In the early 2000s, a few lower-cost options such as m0n0wall and pfSense began to provide commercial firewall features under an open-source license. These firewalls ran on hardened FreeBSD (an open-source UNIX-like operating system), on top of which additional modules could be installed. Administration of these firewalls was through a web front end. Over time, several of these projects have forked as developer groups pushed to take the product in their own preferred direction. For example, pfSense forked from m0n0wall, and OPNsense forked from pfSense. In addition, some security companies have released limited-license products for specific use cases. The Sophos XG Firewall Home Edition is one example of this: a commercial-grade firewall available for free for home users.
Low-cost firewalls such as OPNsense, pfSense, and Sophos XG Firewall Home Edition support a wide range of security features and offer much more than the simple router software that your ISP provides. Most of these products can be deployed in a variety of ways, such as from a USB drive, as a virtual appliance, or on a traditional computer. Alternatively, you can run these products on purchased dedicated hardware (often the size of a paperback book) that includes multiple network ports and is both physically smaller and more power-efficient than a full-size computer.
OPNsense, pfSense, and Sophos XG Firewall Home Edition provide sophisticated features and advanced protection beyond simple network filtering. For example, with Sophos XG, you can monitor and manage web surfing, configure rules by user, and check downloads and email attachments for viruses. Its monitoring and reporting are robust: For example, you can enumerate current activity to spot-check the devices on your network and see where and with whom they’re communicating. Other commercial features available in the Sophos XG home license include the ability to create custom intrusion-prevention system signatures, alerting on or blocking of unwanted web content (e.g., adult content or online chat sites), and advanced threat protection that analyzes HTTP and Domain Name System traffic to alert on (and optionally drop) suspicious behavior. Its firewall rules block traffic based on protocol, source, and destination, and you can also configure additional layer 7 (application-layer) protections to try to block exploits of web application code vulnerabilities.

OPNsense and pfSense offer robust features of their own, and they include or integrate well with other popular open-source security packages. For example, OpenVPN and tinc allow secure, remote connections to devices on your network; Squid HTTP proxy and SquidGuard proxy provide filtering to help you better manage web content. All these firewalls provide advanced routing and load balancing as well.
These lower-cost firewall options often require a bit more homework to successfully configure and deploy, but many helpful and informative guides are available on the internet in addition to the product documentation that developers offer. Many of these projects remain strong and their features are actively developed, making them good alternatives when cost is a primary driver or when the built-in filtering on your ISP cable modem at home isn’t quite enough for your security needs.
Jeff Fellinge has over 25 years’ experience in a variety of disciplines ranging from Mechanical Engineering to Information Security. Jeff led information security programs for a large cloud provider to reduce risk and improve security control effectiveness at some of the world’s largest datacenters. He enjoys researching and evaluating technologies that improve business and infrastructure security and also owns and operates a small metal fabrication workshop.