
https://www.youtube.com/watch?v=v1WJDq4sHvI

 

So basically WTF is this thing?

Is it some sort of DNS that doesn't list malicious websites?

Some sort of firewall?

A proxy with filtering, that you route all your traffic through?

Network sniffer?

 

What would be so hard about making this as PC software? It's just a server that connects via WiFi, right?

 

Surely if it's that great, there would be some equivalent in the enterprise market.

If I wanted those features for a business, what would I buy?

Can I do similar with open-source software?

I have a 12C 2.4 GHz home server that can run Linux VMs, so I'm not lacking for hardware.

I have heard of pfSense, but don't want to use it as I can't have regular downtime on the network (Windows Update).

Any other software you would recommend to beef up my network security? Preferably stuff that won't take the network down when it reboots.

https://linustechtips.com/topic/1265210-bitdefenderbox-is-it-stupid/

It's not stupid, but it's not for every situation. I have one at my house and one at my grandmother's house.

It is a home router with integrated wireless (802.11ac Wave 2). The main feature it lacks compared to other home routers is that it only has a single LAN port.

You can set it up as the only device besides your modem (that's how I have it at my grandmother's house). Or you can disable the internal wireless and connect other stuff to the LAN port (that's how I have it at my house).

 

Traffic going through the device is inspected in multiple ways - it does malicious site DNS filtering, IP address reputation checks, and basic IPS focused on security for IoT devices. The subscription for the Box ($99/year after the first year) includes an "unlimited" (single family) license for the full BitDefender software on computers and mobile devices, and any alerts from those devices show up in the same dashboard as alerts from the Box itself.

 

Some of the alerts I have received from the Box (not from the software installed on computers/devices) have included ads that tried to install malware, attempts to access websites that are known to be infected, and a device on the LAN that appeared to be infected and trying to attack the rest of the network (it was). You can also get a notification whenever a new device is connected.

 

The equivalent in the enterprise market is products from Untangle, or WatchGuard, or Sophos, or Fortinet - they are called Next-Gen Firewalls (NGFW) and/or Unified Threat Management (UTM). They also cost many times more.

 

You can do similar using Snort or Suricata on pfSense or OPNsense, combined with pfBlocker or Pi-hole for DNS filtering. You will have to trust the freely available lists, which often don't get updates as quickly and may have more false positives which you will have to manage yourself.

 

If you don't want to actually run your network through the server due to it needing to reboot, then you can run Snort or Suricata in IDS mode, meaning you give it a copy of all your traffic and it just detects events without blocking them. This requires you to have a managed switch on which you can enable port mirroring from your router's LAN port to a port connected to the server/VM. You also can't use the built-in wireless in your router if you want that traffic to be inspected.

Looking to buy GTX690, other multi-GPU cards, or single-slot graphics cards: 
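The IDS-mode setup described in the answer above writes its detections to Suricata's EVE JSON log (`eve.json`). As an added example that is not part of the original posts, this Python sketch triages such a log for LAN hosts that raise alerts against several other LAN hosts, the infected-device case the answer mentions. The LAN range, threshold, function name and sample events are constructed assumptions.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed sample in Suricata EVE JSON format (one event per line); not real traffic.
# The last line is deliberately cut off, as happens while Suricata is still writing.
SAMPLE_EVE = """\
{"timestamp":"2020-11-05T10:00:01+0000","event_type":"alert","src_ip":"192.168.1.50","dest_ip":"192.168.1.10","alert":{"signature":"EXAMPLE telnet login attempt","severity":1}}
{"timestamp":"2020-11-05T10:00:02+0000","event_type":"alert","src_ip":"192.168.1.50","dest_ip":"192.168.1.20","alert":{"signature":"EXAMPLE telnet login attempt","severity":1}}
{"timestamp":"2020-11-05T10:00:03+0000","event_type":"alert","src_ip":"192.168.1.50","dest_ip":"192.168.1.10","alert":{"signature":"EXAMPLE telnet login attempt","severity":1}}
{"timestamp":"2020-11-05T10:00:04+0000","event_type":"alert","src_ip":"203.0.113.7","dest_ip":"192.168.1.10","alert":{"signature":"EXAMPLE inbound scan","severity":2}}
{"timestamp":"2020-11-05T10:00:05+0000","event_type":"dns","src_ip":"192.168.1.30","dest_ip":"192.168.1.1"}
{"timestamp":"2020-11-05T10:00:06+0000","event_type":"alert","src_ip":"192.168.1.30","dest_ip":"198.51.100.9","alert":{"signature":"EXAMPLE known-bad site","severity":2}}
{"timestamp":"2020-11-05T10:00:07+0000","event_type":"alert","src_ip":"192.168.1.40","dest_ip":"192.168.1.10","alert":{"signature":"EXAMPLE policy event","severity":3}}
{"timestamp":"2020-11-05T10:00:08+0000","event_type":"al
"""

def lan_to_lan_alerts(eve_text, lan_cidr="192.168.1.0/24", min_targets=2):
    """Map each LAN source IP to the LAN hosts it raised alerts against.

    Only sources that hit at least `min_targets` distinct LAN hosts are
    returned, which separates lateral spread from a one-off alert.
    """
    lan = ipaddress.ip_network(lan_cidr)
    targets = defaultdict(set)
    for line in eve_text.splitlines():
        try:
            event = json.loads(line)
            if event.get("event_type") != "alert":
                continue  # skip dns, flow, stats and other record types
            src = ipaddress.ip_address(event["src_ip"])
            dst = ipaddress.ip_address(event["dest_ip"])
        except (json.JSONDecodeError, KeyError, ValueError, AttributeError):
            continue  # truncated, malformed or incomplete record
        if src in lan and dst in lan and src != dst:
            targets[str(src)].add(str(dst))
    return {
        src: sorted(dsts, key=ipaddress.ip_address)
        for src, dsts in targets.items()
        if len(dsts) >= min_targets
    }

if __name__ == "__main__":
    for src, dsts in lan_to_lan_alerts(SAMPLE_EVE).items():
        print(f"{src} raised alerts against {len(dsts)} LAN hosts: {', '.join(dsts)}")
```

Because the sensor sees mirrored traffic only, anything that never crosses the mirrored port (for example clients on the router's own wireless) will not appear in this log.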

 
