Bitdefender Box?


vnangia

Senior Member
This came across the feed reader a short time ago - a "home"-focused firewall as far as I can make it out, but they do make the claim that they can handle up to 100Mbit IMIX. I've yet to see any technical details though - anyone with any experience?

http://www.bitdefender.com/box/ for a link.
 
If you could just download/buy the OS and install it onto your own hardware you could get much higher throughput. Many internet connections are now faster than 100Mb/s. From what I've seen a network AV is a very good idea because many people I've seen always end up with some sort of malware/spyware/adware/unwanted software, but there is a lack of choice. It would be great if the antivirus developers could also make standardised software modules for routers to implement if they wish, or to allow users to download and implement.

It's too easy for the non-technical to end up installing an unwanted piece of software or adware that just uses up your PC and network resources.
 
While I have no experience with this particular BitDefender box....I do have a lot of experience with antivirus gateway scanners (UTM firewalls)...and IMO they help out a lot.

Not meant to replace the antivirus on your computers, it is meant to "complement" your existing antivirus. It is best to have a different brand antivirus on your computers. This way effectively everything gets scanned by 2x different AV engines...less chance of something slipping through.

And BitDefender is one of the 3 top AV products.
 

I've been reading some reviews that have popped up since I spotted this a week ago and the overall picture is a bit grim. Not particularly easy to manage or use. I've now spent almost a year looking into UTMs and haven't yet received a single specific recommendation - only generalities like "I have the Sonicwalls and love it" and so on. So for now we're running three VLANs and hoping there's enough security provided there through isolation. We are fortunate in that we have no Windows machines though and have actively removed Flash and Java. That reduces the threat envelope considerably.
 
Have you tried any? If you have some older x86 computer hardware hanging around, have you given Untangle or Simplewall a test drive?

Over the years I've played with the vast majority of *nix firewall distros, as well as many SMB grade off the shelf UTMs...Sonicwall, Fortinet, Watchguard, Juniper, a few others I'm sure that I can't remember.
 
I tried Untangle but apparently have too many devices for the free version, haven't heard of Simplewall. Yes, I'm familiar with almost all of these brands. The issue is that I have no idea which to buy based on my setup. Given how expensive they are (particularly the annual licensing cost), I don't want to significantly overprovision, but I've been repeatedly told the numbers advertised aren't realistic. Hence my dilemma - I have a 75/75 symmetric line and I'd like to be able to do up to 100/100. Officially, I can go with the lowest-end Sonicwalls - even the TZ205 since I wanted failover WAN support; in practice, people have steered me towards the TZ500. That's a hell of a lot of money for someone at home on a tight budget.
 
I haven't commented in a while for various reasons, but I feel your pain. I traveled the same road a while back and found a few things out.

These devices are not ready for home use and may never be. By 'home use' I mean set and forget. The problems are false positives, the need to monitor and adjust, trying to figure out why common web sites no longer load (just today Google Search was false positived out for me for who knows why by snort - I just deleted all blocked ip addresses - they auto un-block after a set time anyway - and was up and running). Suricata is said to also have occasional issues but I haven't played with it yet. Snort is owned by Cisco.

There is almost a religious factor in who favors which software firewall. I built a router and loaded pfSense on it. Snort and pfBlockerNG provide additional protection. OpenVPN works great, btw. Most simple install ever. Pretty much all software routers use either Snort or Suricata for IDS/IPS, so anyone who says XYZ is a terrible risk to use is full of it.

It's generally believed that if you have no open ports, you don't need anything not standard with a home router. NAT and SPI do all you need. Open ports need protection and then it gets personal.

The home router is now based on an Intel J1900 fanless motherboard and an M350 case. It rarely uses over a few percent of processor and 1GB of RAM unless I'm doing a pfSense upgrade.

My Netgear R6300V2 (former AC1450) is now a wireless access point only, using stock firmware. I wired my first floor with cat6 and the equipment is now in the basement. All phone and cable wall ports on the first floor were converted with keystone based connections. I used existing holes to run cable and YouTube provided all the instruction I needed to make patch cables and do punch down. Wireless is now a convenience instead of an elaborate system.
 
Also, continuing with my previous answer, putting an anti virus on the router is helpful, but not a cure-all. Anything in HTTPS is encrypted and won't be visible to the router anti-virus. It's basically a man-in-the-middle at this point. Anti-virus products that scan flows only, such as Clam, aren't as 'bad' as the reviews state. I'm not using it at this time and haven't tried it yet, but reviews that compare it to products that scan hard drives are comparing apples and oranges. It is said to read data as it flows by, figuring out if it's safe or not. It's not designed to find root kits.

I've played around with pfBlockerNG and an ad blocker list I found. It seems to help some, but local ad blockers work best. I haven't tried a Squid oriented ad blocker yet. Android can load AdBlocker, but you need to find it outside Google Play and bypass some security settings to install it. It makes a big difference on my tablet.

If you build a router, you don't need a best of breed motherboard. You just need a good one with at least dual Intel ports. Fanless is more costly but requires less power. Most advice seems to favor Intel NICs, as other ports have reliability problems at high speed. My J1900 has a PassMark of about 1800 and it hardly budges off 3%. I have low usage. The temperature is consistently at 26.8C, according to pfSense. An active family with multiple downloads at all times on many devices at 100Mbps should probably have no issues. Don't let FUD make you spend a fortune unless your network is of commercial quality.

RE cat5e vs cat6: I don't know if running cable is of interest to you, but there is a current thread about running home cable: I would go with cat6. It costs only a little more and someone would be future proofing themselves with it. A few years ago Wireless-G was common and Wireless-N was hoo-doo. Then came AC and I'm only now starting to use it with attached devices. Cat5e is 1GB max. Cat6 is 10GB max. Running cable stinks in some parts of your house, especially if you need to be near insulation. I only plan to do it once, unless I choose to add another run. I also used existing holes for most openings, replacing media ports with keystone technology. Way easier. I kept it neat looking by making my own patch cables of the correct length. Ends are terminated with keystone punchdowns instead of a patch panel. It was easier to keep neat with my small network. Velcro tape is handy. On top of that, I figure I increased the value of my home about $1000 for a net investment of about $200, including tools and a switch (router not included). Everything is on a wall shelf in my basement next to where utilities come into the house. No snakepits - very tidy.

Anyway, these are all the answers I was originally looking for regarding building a home router. I hope they are helpful.
 
Thanks for your detailed replies. The home networking side is set for now; it's just the gateway I want to lock down. As far as needs go, there's only a handful of open ports - mainly for VPN and Plex access - but the basic things I'm looking for is gateway AV and IDS/IDP. VPN and everything else can be handled by the existing infrastructure. I need failover/failback because somewhere between the headend and the office, our provider loses power regularly enough that it annoys me.

We're an all Mac household except for a single Windows VM and a single Ubuntu Server VM running under ESXi. At most, I may add a RasPi running Asterisk down the line (no pun intended). We run ublock here on the browsers and they work reasonably well; of course, Flash, Java and Silverlight are blocked from installation through a blacklist. The iOS devices are jailbroken and run Thireus' UHB; Android devices are rooted and using Adaway from F-Droid. We have endpoint AV on all the machines, except the Ubuntu Server VM, but that's really not doing anything so ... not worried. I've segmented the LAN into three bits - "inside only", "outside only" and "all access"; by default, devices get outside only access, which also has client isolation.

As to build vs. buy: I've previously tried using Snort, but the issue is that no matter what preconfigured lists you get for Snort, even months into the installation, you're still trying to dismiss alerts. That's basically where I gave up - the wife basically got annoyed she couldn't access her sites. Snort desperately needs a learning mode to establish a baseline. I'm aware of the relatively modest hardware needs of a DIY router, but unless the scene has changed significantly in the past few years (the last time I ran my own was in 2008/2009), I honestly can't get over my memories of how bad it all was. Hence why I'm leaning towards buy.
 
Everything has improved since 2008/2009 but I understand your reluctance to jump in again. Everything I described I would not have even considered back then. Tech was too 'primitive'.

Snort is annoying, but the alternative is Suricata. It's open source and said to be competent, but also said to have its own 'learning curve' with respect to false positives. Someday I'll load it up to find out what the stories really mean. Snort has improved, as compared to descriptions of older versions. It has 3 modes: alert only, a medium mode, and a detailed mode (not their terminology). You can suppress offending rules or remove them from the database (true believers say removing rules is best, as opposed to using a suppression list ... To me it's a difference without a distinction since turned off works the same as removed. Gone is gone.) With pfSense you can also put IPs you never want to accidentally block on a 'passlist' (a named list called an 'alias' in pfSense) and leave the rules alone. I have about 25 IP addresses on a passlist and maybe 15 suppressed rules. I, personally, try the passlist first unless the rule is really annoying.

My home made router uses almost no power and is fanless, meaning absolutely silent like just about every other router made. It uses almost no cpu. I'm thinking of later putting pfSense in a virtual machine and putting something else in another virtual machine to take up the unused capacity. A local community college is teaching a course in VMware and Hyper-V next Spring. I know a bit of Hyper-V but VMware owns the market. I may use my home router as a project. Unfortunately, I have no idea what to do with the other 75%+ of the pc capacity. I already have a dedicated NAS and the box is located in the basement. (The router is over-provisioned - 8GB RAM, 120 GB SSD, M350 case, Supermicro J1900 processor fanless motherboard - about $400 to build - one with lesser capabilities would have cost only a little less to build.)

AV at the outer ring requires a different thought process than on the local machine. As I mentioned, anything encrypted via HTTPS can't be read. You might be able to read the unencrypted parts. If you can read it, so can a man-in-the-middle. You're reading a flow, not a hard drive. You need a fast processor and a lot of RAM since it has to read files at a time, not bits at a time.

I'm still experimenting, and will consider myself as experimenting for a while. To me, you have to think in layers for a network defense at the router level. No one product can do it all and if someone thinks about using a PC level approach on a router, it's apples and oranges in detection needs. I'm trying pfBlockerNG for IP blocking, Snort for blocking the known bad ways to break in, and will play with Clam-AV later.
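The suppress-list-versus-passlist distinction in the post above, as an added example that is not from the thread, from pfSense or from Snort: a small triage pass that reads Snort "fast" alert lines and models the two layers the way the pfSense Snort package applies them (a suppressed SID never alerts at all; an address on the passlist still alerts but is never blocked; anything else that fires gets its non-passlisted address blocked). The alert lines, the SIDs in the local 1000000+ range and the addresses are all constructed for illustration.

```python
"""Added example (not the thread's or pfSense's code): triage Snort fast.log
alerts against a suppress list of SIDs and a passlist of IPs/CIDRs, and report
what would still end up as a block. All sample data below is constructed."""
import ipaddress
import re

# Constructed sample alerts in Snort fast-alert format; SIDs 1000001..1000003
# are placeholder local-rule numbers, not real rules.
SAMPLE_ALERTS = """\
01/05-10:12:01.123456  [**] [1:1000001:1] LOCAL web client download [**] [Classification: Misc activity] [Priority: 3] {TCP} 203.0.113.10:443 -> 192.168.1.20:50123
01/05-10:12:05.654321  [**] [1:1000002:2] LOCAL suspicious dns query [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.1.20:5353 -> 198.51.100.7:53
01/05-10:13:40.000001  [**] [1:1000003:1] LOCAL scan attempt [**] [Priority: 1] {TCP} 192.0.2.99:4444 -> 192.168.1.1:22
"""

# gid:sid:rev, message, protocol and the src -> dst endpoints of one alert line.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_alert(line):
    """Return a dict for one fast.log line, or None if it does not parse."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    alert = m.groupdict()
    alert["sid"] = int(alert["sid"])
    return alert


def build_passlist(entries):
    """Passlist entries may be single IPs or CIDR blocks (like a pfSense alias)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def passlisted(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def triage(lines, passlist, suppressed_sids):
    """Classify alerts: 'suppressed' (rule never alerts), 'alert_only' (every
    endpoint is passlisted, so it is visible but never blocked), and 'blocked'
    (offending non-passlisted address -> SID that triggered the block)."""
    nets = build_passlist(passlist)
    result = {"suppressed": [], "alert_only": [], "blocked": {}}
    for line in lines.splitlines():
        alert = parse_alert(line)
        if alert is None:
            continue  # skip unparseable lines, e.g. a truncated log tail
        if alert["sid"] in suppressed_sids:
            result["suppressed"].append(alert["sid"])
            continue
        offenders = [ip for ip in (alert["src"], alert["dst"])
                     if not passlisted(ip, nets)]
        if not offenders:
            result["alert_only"].append(alert["sid"])
        for ip in offenders:
            result["blocked"][ip] = alert["sid"]
    return result


if __name__ == "__main__":
    # LAN subnet plus one remote site added after a false positive (constructed).
    verdict = triage(SAMPLE_ALERTS, ["192.168.1.0/24", "203.0.113.10"], {1000002})
    for category, items in verdict.items():
        print(f"{category}: {items}")
```

Putting the LAN subnet on the passlist is what keeps a noisy rule from ever blocking your own hosts; the remote site on the passlist is the "try the passlist first" case from the post, where the rule stays live and still shows in the alert log.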
 
Finally, to answer your original question ... I just looked it up on Amazon. The answered questions state a different approach yet. Bitdefender coordinates the Box with all attached client devices which also have Bitdefender software. Apparently, when you install the Box you also install software on all network devices, replacing all antivirus along the way. It works as a unit. Nice idea, if it works without the need to fiddle around with false positives. A little costly but potentially more convenient.
 
Snort is annoying, but the alternative is Suricata.
Suricata is different; not necessarily better.

I promise you, you don't need to sell me on the hardware. I have literally more chips and motherboards than I can count, from ULV Pentium 2s and Transmetas to Haswell Es and unlocked Broadwells and a lot in between. I'm quite familiar with the compute power of x86 chips; it's the ARM and occasional MIPS chips that pop up in COTS hardware I still don't have a handle on, and hence it makes it very difficult to understand how much power I need to spend. If I do go down the DIY route, it'll be because I have a good handle on the software. As to virtualization, I deliberately know nothing about Hyper-V and the Microsoft products, but if you want any help with ESXi, let me know - that is something I'm quite comfortable using.
 
There is no limit on number of devices protected by the "Lite" (free) version of Untangle. You just don't get the premium apps...that is the only difference.

A 100/100 connection is no problem with today's hardware, for a UTM.
 
For the "free" UTM products...true. however, for some pay for products....some can scan httpS sessions. Untangle has a pay for module called the httpS inspector. Of course it requires its own SSL cert to be installed, for trusted interception.

Agree, the freebie versions mostly use just Clam...which is really quite useless with most of todays web based malware...really only decent for an SMTP scanner (mail scanner). But the pay for version typically use great AVs such as BitDefender, or Kaspersky. And most of the better UTM has several other anti-malware modules that add to web protection.
 
I'm curious. How do the professional level products deal with false positives at the router level?

Months ago when I first took an interest in this type of product, I assumed it was load and go since so many with experience with them just blew off the details. I assumed the only issues were subscription costs and getting to the bottom of the vagueness of how much processor was required for adequate performance. Since then, my experience and experimentation has taught me a lot, as described in the comments above and in a security related article on my website.

To me, antivirus is only a small part of the picture and, even on well protected PCs, is only a dice throw with respect to zero day issues.

You still need IP blocking - inbound and/or outbound, or do professional level products have some automatic capabilities where you set and forget and it always works?

You still need IP attack protection that snort and suricata deal with, or do professional level products just enable you to set and forget and it always works?

Then there's those pesky false positives that shut down access to common web sites at the router level, causing family members to gripe about why the internet is broken. I assume that is also a set and forget issue with professional level products?
 
These UTM products have pretty much made it "set and forget". They all do some form of attack blocker/deep SPI, etc etc.

Reading firewall logs is a full time job...and then some.....nobody wants to take the time for that. Really only enterprise companies with a large full time IT staff have the resources for someone (or a team) to stay plugged into a firewall full time.

For SMB (small to medium business networks..which is what I do)..and especially residential...certainly "zero maintenance firewalls" is what's necessary. A lot of them integrate services such as SNORT...and lots more.

As for false positives...it's simply blocked, prohibited. On the rare occasion it's a false positive and it's causing an issue, you just whitelist the site/source.

IMO antivirus is a big part of the equation...but it should be complemented with other security measures.
Instead of your ISP's DNS servers, set up safe DNS services, such as OpenDNS or Norton safe DNS services. (There are a few others.)
Keep your web players up to date...Java, PDF reader, Flash, etc. Those are mostly what's exploited by today's web based malware threats.
Use a different brand AV on your computers.....than what's on your UTM. This way you get overlapping protection...what one misses, the other might get.
Use an ad-blocker..either in your browser, or on the UTM itself...since those ads are widely exploited to spread malware.
 
This didn't jibe with my memory, so I checked again, and sure enough, it's now free for the basic service and there's a premium pay service. I tried it and was pleasantly pleased by it. A dual-core Atom seems like it's sufficient to push the traffic needs I have.

Unfortunately, between dual-stacking and the sheer number of devices (IP cameras which don't need internet connections still count once, for example), it looks like I would have to pay for the 51-150 tier, which means for even a single application like WAN failover, I'd be out over $300 a year. If I went for the whole package, it would be $2700 (!!!!!!!!!) a year. This is insane. It's five times what it costs to get the full suite on the Sonicwall NSA220 and that is at least supported by a megacorp which isn't in danger of folding, which I can't be sure of with Untangle.
 
The "Lite" version of Untangle always was free! I've been a reseller for about 10 years, since version 5.

But like you noticed...UTM appliances tend to be expensive for a residential user. They're geared towards businesses.

There's a lot more to the "count" for network size...it's not a hard shutoff to worry about or those IP cameras...setting it up properly you wouldn't count them.

Re: VS Sonicwall...well....quite a difference between the two. Supported by a "mega corp"...but how regularly do you have to deal with (aka suffer through) their support?
AND...don't go thinking support is included forever...it's an add-on...and wait til you pass the first year of costs...and you see the renewals. Now..compare that with Untangle.

...I've sold/installed/supported my share of Sonicwalls for around 15 years.
 
Last week, I had my first tech support experience in 12 years, so yeah, I can relate. My suspicion though is that I'll still probably hit the internet for advice first and then go elsewhere.

So let me ask you, as someone who has much experience with firewalls, three questions. One, who would you recommend for home use? Two, who has the most truthful figures on IMIX? Three, do you have specific models you'd recommend to someone just getting started in UTM for home use, who doesn't have corporate levels of cash available, and who needs roughly 100/100 IMIX?
 
I think Trend Micro in the Asus router would work better. It uses a DPI engine and also has malicious website blocking. I'm not sure about Bitdefender Box. I don't think it is as good as the one in the Asus router, as Bitdefender Box does not perform deep packet inspection (DPI), per https://www.security.nl/posting/409886/Anti-virusbedrijf+onthult+router+die+netwerkverkeer+scant (you can use Google Translate), while the Asus router does, but I'm not sure whether the Asus router performs this (https://www.asus.com/support/faq/1012070/) DPI engine on the router, uses an online database, or does it some other way. There is a function on Bitdefender Box that allows your phone to be protected even when you are not on the local network. Nonetheless, you can do that with an Asus router as well, but you need to set up OpenVPN on your phone to connect to the Asus router's OpenVPN server, which makes it perform the same way as Bitdefender Box does. In addition, you can set up OpenVPN on your laptop and other devices. All of the Asus router's functions I mentioned above are free when you have their products (Asus AC56U, AC68U, AC88U). If it works the same way as Bitdefender Box and you don't need to pay yearly for it, I think Asus Trend Micro is a better choice. Trend Micro and Bitdefender perform at pretty much the same protection performance based on AV-Test results. https://www.av-test.org/en/award/2014/ DPI is like what you prefer: IDS/IPS
 