Deep Packet Inspection router/firewall needed at home? Pros and cons

Jonnie Cache

Occasional Visitor
I’m setting up a new home network and I’m struggling with the router selection. I’m looking at the Ubiquiti Edge series, which seems to perform very well. But it doesn’t seem to offer any of the more advanced security features to protect against malware/viruses, for example. I'm examining the options for deep packet inspection, streaming malware scanning, and intrusion detection.

The problem is that such routers/firewalls that are affordable seem to be a big bottleneck in terms of throughput.

I will be getting Gigabit Internet on Monday and I don’t want to have the router slow things down. But looking at firewalls with SPI that have enough PPS cost >$1000-1500. That’s more than I want to spend. I’m not afraid to spend for performance and security, but I would rather not spend that kind of coin if I can help it.

Questions: How important is a true firewall for a home? Is NAT enough or do I need SPI? Is there an appliance out there that will perform well enough for Gigabit speeds and provide good security for <$1000?

I’m okay spending money for an ongoing subscription. Although I would like to try to avoid it for many reasons, I’m not above building my own box. I would rather buy something off the shelf so that it just works, has a warranty, support, etc.

Any help is appreciated!
 
There is the Ubiquiti EdgeRouter X SFP with lots of options, and it can have 24 V passive PoE on the ports.
Then you have the TP-Link Deco M5 AC1300; it has built-in antivirus, so you have protection on all your connected things.
Take a look at the Ubiquiti routers.
 
It will be difficult to fill a gigabit pipe unless you have a lot of users streaming 4k video uncompressed.

Do you run a server that you allow access to across the Internet ?

Do you have users that click on click bait, click on all email links, run torrents, and generally visit sites that are likely to be malicious?

A box will need a lot of horsepower to do deep packet inspection of https connections that are so prevalent these days, so the cheapest route is likely a self build with a subscription third party software service. Or perhaps subscription to a "cloud" version. Both are subject to the throughput of the internet. You will want a CPU that supports hardware encryption/decryption that is used with https.
 
Is NAT enough or do I need SPI?
Even the most basic home router does SPI; it's part of the NAT process (connection tracking). Without it, services like FTP wouldn't work. Of course there are more sophisticated devices that have more thorough security features, but these are typically only used in a commercial environment (because of the expense).
 
Ubiquiti can be used for malware protection but not at your speeds. Use pfSense instead.
A Core 2 Quad running pfSense can be used for gigabit-speed WAN and various protections. Of course, the better the hardware you throw at it, the faster it'd be. I'd put the minimum hardware as a Core 2 Quad or AMD Phenom II (with 800 series chipset and core unlock). Combined with a decent amount of DDR3 RAM, you can use various protective features at gigabit speeds. So don't go with other hardware, go with pfSense. Pick a platform and a second-hand quad-port Intel server NIC and you'd have yourself a speedy and inexpensive platform.

Even the AMD FX series can be a bargain, as well as used older i-series based Intel Xeons.
 
Even the most basic home router does SPI; it's part of the NAT process (connection tracking). Without it, services like FTP wouldn't work. Of course there are more sophisticated devices that have more thorough security features, but these are typically only used in a commercial environment (because of the expense).

Okay. I must misunderstand what constitutes SPI. Perhaps it is more accurate to indicate that I'm concerned about malware/virus filtering at the gateway. Perhaps deep packet inspection, streaming malware scanning, and intrusion detection would be more appropriate.
 
If you want to do virus scanning, web filtering and such at the gateway, it will take a lot of horsepower for a gigabit connection. I don't know of any off-the-shelf consumer routers that can do it at that speed. There are commercial appliances that can do it that fast, but they get real expensive. The only lower-cost alternative I know of is to purchase equipment yourself and load firewall software onto it. That way you can get the power you need for a gigabit connection. As far as intrusion detection, you don't really need it unless you are exposing ports to the Internet. This is because NAT will drop all unsolicited traffic coming into your network.
 
Thank you everyone for your advice. I have looked around a lot and it looks like I either need to build a pfSense system or I need to just stick with a router. I'll probably buy a router first and then experiment with pfSense to see how it goes.
 
Before investing a lot of time and money in Pfsense, buy a manual on Pfsense and read up on it then decide if you want to invest the effort in getting it functioning with all the advanced features it can offer. Pfsense is fairly simple to get going in a basic router mode with the default firewall but beyond that plan on spending a lot of time and effort. Pfsense was designed as a professional grade OS so you only get the maximum capabilities if you put the effort in to master all its complexities.
 
Great idea. Thanks! I have seen some "how-tos" about it and it seems pretty straightforward for a basic setup. I get that it could get complicated quickly, though!
 
Also be aware that many of the how-to videos deal with earlier versions of pfSense. As pfSense has progressed, certain features don't work or are not implemented in the same way in new versions. This makes it confusing when you are relying on how-to videos. The same applies to manuals.
 
Yeah... I've kinda gathered that. :) I think it will be enough for me to get the gist and then decide if that's what I want to try out. If I do go for it, it looks like I need to sign up for a Gold Membership to keep up on the current version of the manual? $99 per year isn't so bad, I guess.
 
Keep in mind true AV scanning at the network layer (which is what a router is doing) will have limited success/benefit these days since a large majority of Internet traffic is now encrypted. Will help some? I'm sure it will, but AV scanning in general should not be your only selling point.

If you are really concerned about security, focus on limiting outbound FW access in general, consider using OpenDNS or something similar to filter out some bad domains, and keep your clients patched and updated as much as possible.

My environment is a pfSense FW that has an AV scanning proxy. My file server and other specialized function boxes have very limited outbound Internet. The majority of my devices are forced through the proxy server for filtering and logging. I use OpenDNS to provide a basic high level filtering option.
 
+1 for pfsense, or better yet opnsense
There is a dev who is very fast to reply on the opnsense forums over there.

I’ve been looking at pfSense vs. OPNsense. Difficult to discern which one I should try. I don’t really have the time to dedicate to examining both. Why do you suggest OPN over pf?
 
I am running pfSense mostly because I have been using it for many years now and haven't had a need to change. I came from the m0n0wall days until that project was retired.

There are many who don't like/agree with the direction pfSense is being taken since it is being somewhat commercialized these days. That is where in theory OPNsense comes in. The code bases are related but they are somewhat starting to take their own path. If you are starting new and building your own, I would probably start with OPNsense.

I have not really dug into all of the differences in detail between them. I know at a basic level, they both can do the same tasks.


Sent from my iPhone using Tapatalk
 
Thanks for the info! I’ll be giving OPNsense a try, then! It does look like it has a much nicer interface.
 
For what you're describing you want, you need enterprise-level equipment. And those are quite expensive if you buy them brand new. However, secondhand equipment is usually in great shape and works perfectly, as it was simply upgraded vs removed from service for a problem. These devices can be a bargain for the level of threat protection you're looking for. I'd look into FortiGate products as well as WatchGuard.

Another great resource to find enterprise equipment discounted is the CDW Outlet. We purchased our gigabit-capable WatchGuard M200 for a fraction of the price. There's a T30 for under $200 now that can exceed 100Mbps: https://www.cdw.com/shop/products/WATCHGUARD-FIREBOX-T30-W-1YR-SUP-BS/4678536.aspx?pfm=srh#PO

But even at outlet prices, you're still going to be paying north of $500 for gigabit speeds, although it looks like there are a few units made by both FortiGate and WatchGuard that can do gigabit for under $1000.
 