Community Forum

Gigabit Internet and Internet Security (Firewall/UTM/IDS/IPS)

Frequent Visitor

Gigabit Internet and Internet Security (Firewall/UTM/IDS/IPS)

Full disclosure: I work in the wired and wireless networking industry, mostly focused on technical proof of concept demos of enterprise wired, wireless, and network access security (802.1x, RADIUS, NAC, etc.).


I am seeing an industry problem with home internet. I am looking for any advice and hoping that this thread will be beneficial to other power users out there.


Situation: Home internet is now as fast (or faster) as business internet. I upgraded to gigabit because I needed faster upload speeds for uploading files for work. I really hate that I had to go to gigabit to get something over 10Mbps upload speed.


Problem: There does not appear to be any "home" network security appliances (e.g. NextGen Firewall, aka NGFW, Unified Threat Management, aka UTM, Intrusion Detection System, aka IDS, or Intrusion Protection System, aka IPS) that can handle the speed of home internet.


The only devices that I can find that can support gigabit speeds for UTM/IDS/IPS cost thousands of dollars because they are designed for businesses with hundreds of users connected. I recently downloaded an app called Little Snitch, which does a great job of telling me where all my traffic is going. Let me tell you, it was no fun to see cookie readers connecting into Chrome from China, when I didn't have any websites open!


Am I just being overly paranoid? What are others out there doing? I have way too many IoT devices on my network to rely on software installed on my computers. I currently have about 64 devices on my network (wired and wireless). Over 50% of those are IoT devices (Alexa, security cameras, thermostats, TVs, AppleTVs, and other home automation devices).

Expert

Re: Gigabit Internet and Internet Security (Firewall/UTM/IDS/IPS)

I went back to my Apple Airport Extreme 6th Gen, because for some reason this router doesn't seem to be as vulnerable to the more recent series of exploits (especially the DNS rebinding and spoofing ones). I don't have any issues getting gigabit speeds on my Ethernet either.


At some point I might segment my LAN by putting the IoT devices into their own subnet (thereby keeping my more sensitive devices out of reach of my more vulnerable IoT ones) but right now I don't see the need to.


I am not a Comcast Employee.
I am a Customer Expert volunteering my time to help other customers here in the Forums.
We ask that you post publicly so people with similar questions may benefit from the conversation.
Was your question answered? Mark the post as Best Answer!
Frequent Visitor

Re: Gigabit Internet and Internet Security (Firewall/UTM/IDS/IPS)

I want the flexibility to block connections by country. Unfortunately, home routers don’t seem to be able to handle that. Some UTM/IDS/IPS would be nice too. There are a couple home security routers that can do this, but they max out at 300Mbps.
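As an added example (not from any poster in this thread), here is the pf ruleset equivalent of the two controls discussed so far: the IoT subnet segmentation suggested in the previous reply and the block-by-country wish in this post, written in the FreeBSD pf syntax that pfSense generates from its GUI. Interface names, the two subnets and the country-list file path are assumed placeholders.

```pf
# Assumed placeholders: em0 = WAN, em1 = trusted LAN, em2 = IoT VLAN;
# addressing and the country-list path are constructed for this example.
wan = "em0"
lan = "em1"
iot = "em2"
lan_net = "192.168.10.0/24"
iot_net = "192.168.20.0/24"

# One CIDR per line, refreshed from a geo-IP feed of your choosing
# (placeholder path). 'persist' keeps the table even when the file is empty.
table <blocked_countries> persist file "/usr/local/etc/blocked_countries.txt"
# Private/reserved ranges that should never arrive from the Internet
table <bogons> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, \
                       127.0.0.0/8, 169.254.0.0/16 }

set skip on lo0
scrub in all

# Outbound NAT for both internal networks (FreeBSD pf: nat before filter rules)
nat on $wan from { $lan_net, $iot_net } to any -> ($wan)

# Default deny; the logged drops are what you review later
block log all

# Country blocking. Inbound is matched on WAN; outbound is matched on the
# internal interfaces, because a state created there would otherwise let the
# packet leave WAN without the rules being consulted again.
block in quick on $wan from { <bogons>, <blocked_countries> }
block in quick on { $lan, $iot } to <blocked_countries>

# Trusted LAN: unrestricted outbound, and allowed to reach IoT devices;
# reply traffic comes back through the state this rule creates.
pass in  on $lan from $lan_net to any
pass out on $wan from $lan_net to any

# IoT VLAN: DHCP and DNS from the firewall, Internet access, nothing else on
# the firewall itself, and no connections initiated towards the trusted LAN.
pass in  quick on $iot proto udp from any port 68 to any port 67
pass in  quick on $iot proto { tcp, udp } from $iot_net to ($iot) port 53
block in quick on $iot from $iot_net to { $lan_net, ($iot) }
pass in  on $iot from $iot_net to any
pass out on $wan from $iot_net to any
```

Syntax-check with `pfctl -nf <file>` before loading; the country list is a plain text file of CIDRs, and keeping it in a table rather than inline rules means it can be refreshed with `pfctl -t blocked_countries -T replace -f <file>` without reloading the ruleset.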
Expert

Re: Gigabit Internet and Internet Security (Firewall/UTM/IDS/IPS)

What about customized firmware like DD-WRT or Tomato? I know those boost the capabilities of some consumer grade routers, but I'm not an expert so I can't say for sure.


Frequent Visitor

Re: Gigabit Internet and Internet Security (Firewall/UTM/IDS/IPS)

Not a bad idea, if they can handle the speed. Right now I’m running pfSense as a VM. But a couple issues that I ran into:

1. pfSense cannot handle gig when doing IDS, even with more resources than required. In fact it can barely provide 700Mbps with IDS turned off.
2. It is not easy to manage.
3. After a power outage, if the modem comes up before PF, which it will for sure since it is a VM, then the modem needs a full reboot (off for 2 minutes).

I would think some company would have something not so hacked together that could provide true internet security for home broadband. Something that is simple to manage, so you don’t have to understand firewall rules and ACLs, in order to be protected.
Frequent Visitor

Re: Gigabit Internet and Internet Security (Firewall/UTM/IDS/IPS)

Unfortunately, neither Tomato, DD-WRT, nor OpenWRT actually performs UTM/IDS/IPS duties.


<rant>It really grinds my gears that our consumer industry and ISPs have completely confused the public into thinking that router=wifi. Doing searches for Firewall Throughput for home results in wifi throughput tests.</rant>

Expert

Re: Gigabit Internet and Internet Security (Firewall/UTM/IDS/IPS)

That's too bad, I thought maybe one of them would have that option.


Then again, most people can't tell the difference between modem, router, and gateway either.


Frequent Visitor

Re: Gigabit Internet and Internet Security (Firewall/UTM/IDS/IPS)

I think I am just going to have to deal with pfSense. I'm going to put it on an older Intel NUC that I have. I found some USB Ethernet adapters (USB 3.0 gigabit) that reviewers say work with PF and FreeBSD. Grabbed 2 and will LACP them to my switch, using the internal ethernet on the NUC for the connection to the modem. Hopefully that will solve the boot up issues. Management and filtering will still be a pain though.

New Poster

Re: Gigabit Internet and Internet Security (Firewall/UTM/IDS/IPS)

To be fair to pfSense, if you're not getting the throughput you'd like for a given config (lots of firewall rules, IDS/IPS like Suricata or Snort, proxies, etc.) you're likely not running on sufficient hardware. Running on an old NUC, especially using USB NICs, will certainly not be enough to achieve gigabit throughput. Idk what your budget is, but Supermicro makes boards that are suitable, or just buy a device directly from Netgate.