
Security Appliances For Home Networks?

TheSaint

Was browsing the web and saw this: 

 

https://www.mgtci.com/content/products/sentinel/index.html#

 

There's a short video on an unboxing of an early sample unit.

 

While we're all familiar with anti-virus software for our PCs, are there any home/power-user oriented hardware security devices that you would recommend? It has always seemed to me that antivirus/antimalware is always defensive and reactive security instead of proactive. Granted, I'm not an I.T. expert when it comes to security, but my intuition would suggest that perhaps a hardware-based solution on the very edge of your network where the outside world comes in would help mitigate some of those security threats.

 

Are there any good security products for the home/power-user environment you can recommend? 

 

Some options I'm considering:

 

  • pfSense 
  • VyOS (command line only, not easy for newbs)
  • MGT Sentinel (from the video/link above, not available for retail sales just yet)
  • Buying an enterprise-grade appliance (Watchguard Firebox, Sonic Wall, etc.)

What solutions are you using in your home for security appliances? Some used enterprise grade gear? Some open source solution? I'm not aware of too many other homeowner style devices like the MGT Sentinel that are out there, specifically targeted towards the home market and ease-of-use. What are your thoughts for adding an additional layer of security for someone who isn't a network admin by trade, but would like to find out what additional steps can be taken to harden things up?


I highly recommend looking into Pi-Hole.

It's a network-wide, DNS-based adblocker (whitelist LTT of course). That alone can stop so much crap from getting on the network, and it's stupidly easy to set up. All you need is a Raspberry Pi (even the RPi 0 works).

 

How do Reavers clean their spears?

|Specs in profile|

The Wheel of Time turns, and Ages come and pass, leaving memories that become legend. Legend fades to myth, and even myth is long forgotten when the Age that gave it birth comes again.


10 minutes ago, TheSaint said:
  • pfSense 
  • VyOS (command line only, not easy for newbs)
  • MGT Sentinel (from the video/link above, not available for retail sales just yet)
  • Buying an enterprise-grade appliance (Watchguard Firebox, Sonic Wall, etc.)

I went with a FortiGate 60D but for most people I'd recommend Sophos XG Home Edition which is free, very good.

 

https://www.sophos.com/en-us/products/free-tools/sophos-xg-firewall-home-edition.aspx


10 minutes ago, Tsuki said:

I highly recommend looking into Pi-Hole.

It's a network-wide, DNS-based adblocker (whitelist LTT of course). That alone can stop so much crap from getting on the network, and it's stupidly easy to set up. All you need is a Raspberry Pi (even the RPi 0 works).

 

@Tsuki Thanks for the pointer. Just looked over their website. Very interesting. Don't have a Pi device to install it on at the moment, but now seems like as good a time as any to buy one. I saw in the short YouTube video that they suggest you change your router's DNS to Pi-hole's info. I'm currently using OpenDNS by Cisco, which does a good job of blocking a lot of crap I want to be filtered on my network, plus you can white/black list sites on your own. Do you know if it is possible to use your Pi-hole with OpenDNS or any other 3rd-party DNS servers?

 

4 minutes ago, leadeater said:

I went with a FortiGate 60D but for most people I'd recommend Sophos XG Home Edition which is free, very good.

 

https://www.sophos.com/en-us/products/free-tools/sophos-xg-firewall-home-edition.aspx


@leadeater Thanks, I'll check both out. Why did you go with the 60D over Sophos? 

 

There has to be some hardware vendor out there who makes pre-built low-power computers that are designed with making your own firewall appliances in mind, especially with something like pfsense, vyos, sophos, etc. Do you know of any vendors you'd recommend? 


Just now, TheSaint said:

Thanks for the pointer. Just looked over their website. Very interesting. Don't have a Pi device to install it on at the moment, but now seems like as good a time as any to buy one. I saw in the short YouTube video that they suggest you change your router's DNS to Pi-hole's info. I'm currently using OpenDNS by Cisco, which does a good job of blocking a lot of crap I want to be filtered on my network, plus you can white/black list sites on your own. Do you know if it is possible to use your Pi-hole with OpenDNS or any other 3rd-party DNS servers?

When you set up Pi-hole for the first time, you give it a DNS, for which you can use OpenDNS, or Google's, or any that you want. Then you set the Raspberry Pi's static IP as your router's DNS.

It also lets you import lists of domains to block, like the ever popular EasyList or anything else.


@Tsuki

 

Thanks, this sounds like an excellent low-cost solution that might be combined with something else. To date, I've been using Ad Block Plus in my desktop browser, but I'd imagine this would be even more secure, plus Ad Blockers don't always work well on mobile devices, so seeing this would block it prior to even hitting the client machine, that's even better. What's your experience with it so far? Pretty much set it and forget it, or have you found any shortcomings? 


The issue with a lot of these devices is that the security problems that a home user encounters are often different than a business user.

Your average business that worries about this will have something like a Fortigate on the edge doing AV and IPS stuff inline. They will also have the workstations locked down so that anything that gets through will have a limited damage scope. Coupled with backups and they are pretty well covered.

A home user will likely be running with full admin rights, no backups and will be downloading lots of attack vectors that a UTM device cannot scan (think torrents).

Having said that, I was running a Fortigate at home just because. I don't know if it ever stopped anything.

Best thing I can suggest: offline (or online) backups that are not accessible from your machine, and don't be an idiot™.


Just now, TheSaint said:

@Tsuki

 

Thanks, this sounds like an excellent low-cost solution that might be combined with something else. To date, I've been using Ad Block Plus in my desktop browser, but I'd imagine this would be even more secure, plus Ad Blockers don't always work well on mobile devices, so seeing this would block it prior to even hitting the client machine, that's even better. What's your experience with it so far? Pretty much set it and forget it, or have you found any shortcomings? 

The thing about browser-based ad-blockers is, the ads still come through to your computer, you just don't see them.

Pi-Hole prevents them from hitting your network entirely. The benefit to this is that it will reduce bandwidth and can increase the speed that pages load. And because it's being set at the DNS level, it not only affects your computer, but every other computer and mobile phone on the network.

It's not without its quirks though:

- Where an ad would normally be, you get a 'could not connect' screen instead, as opposed to browser-based ones, where it shows nothing.

- It does not block YouTube ads very well. It can get some, but not all, unless you manually blacklist every single DNS they come from, of which there are thousands.

- Google ads were the biggest issue for my roommates and my wife. When you search for a product on Google, occasionally the first couple of links are ads (they even say "ad" next to them). You won't be able to click on these anymore since it will get blocked.

- The only other thing I ever have issues with is it occasionally blocking a legit website. It doesn't happen very often though, and it's easy to fix. You check the log to see which domain was blocked, then check to see which list it's on, then go edit that list to remove it. Problem solved.

As an example of the scale you can manage, I'm currently blocking 132,741 domains. I have 28,544 queries in the last 24 hours, and blocked 1,783 of them. And not one has been an issue. The only major issue I had was when I pulled the wrong list and ended up blocking 1.3 million domains and nothing worked lol. Deleted the culprit list, problem solved.

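The troubleshooting loop described in the post above (find the blocked domain in the log, find which list it is on, then allow it), as an added example that is not part of any post in this thread and is not Pi-hole's own code. The list names, domains, query log and the exact-match rule are constructed assumptions for illustration.

```python
# Added illustration with constructed data; not Pi-hole's code or its list format spec.
ADLISTS = {  # hypothetical list names, placeholder domains
    "hosts-style-list": (
        "# constructed sample\n"
        "0.0.0.0 ads.example.net\n"
        "0.0.0.0 tracker.example.org  # inline comment\n"
        "127.0.0.1 localhost\n"
    ),
    "domain-only-list": "ads.example.net\ncdn.shop.example.com\n",
}
WHITELIST = {"cdn.shop.example.com"}  # the "legit website" fix: allow it explicitly
QUERY_LOG = ["ads.example.net", "CDN.shop.example.com.", "forum.example.com",
             "tracker.example.org", "ads.example.net"]  # constructed client queries

def parse_list(text):
    """Domains from a hosts-format ("<ip> <domain>") or one-domain-per-line list."""
    domains = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].lower().split()  # drop comments, normalise case
        if not fields:
            continue
        domain = fields[1 if len(fields) > 1 else 0].rstrip(".")
        if domain != "localhost":  # hosts files carry loopback entries; never block them
            domains.add(domain)
    return domains

def build_index(adlists):
    """Map each listed domain to the names of every list that contains it."""
    index = {}
    for name, text in adlists.items():
        for domain in parse_list(text):
            index.setdefault(domain, []).append(name)
    return index

def decide(qname, index, whitelist):
    """Exact-match decision (assumption of this sketch): (action, lists naming the domain)."""
    name = qname.lower().rstrip(".")
    lists = sorted(index.get(name, []))
    blocked = bool(lists) and name not in whitelist  # whitelist overrides any list hit
    return ("block" if blocked else "forward"), lists

def review(log, index, whitelist):
    """For each blocked name in a query log: hit count and the lists responsible."""
    report = {}
    for qname in log:
        action, lists = decide(qname, index, whitelist)
        if action == "block":
            key = qname.lower().rstrip(".")
            report.setdefault(key, {"hits": 0, "lists": lists})["hits"] += 1
    return report

if __name__ == "__main__":
    for domain, info in review(QUERY_LOG, build_index(ADLISTS), WHITELIST).items():
        print(domain, info)
```

A domain that appears on a list but is whitelisted comes back as `forward` with the list names still attached, which shows which list would block it again if the whitelist entry were removed.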

2 minutes ago, NZLaurence said:

The issue with a lot of these devices is that the security problems that a home user encounters are often different than a business user.

Your average business that worries about this will have something like a Fortigate on the edge doing AV and IPS stuff inline. They will also have the workstations locked down so that anything that gets through will have a limited damage scope. Coupled with backups and they are pretty well covered.

A home user will likely be running with full admin rights, no backups and will be downloading lots of attack vectors that a UTM device cannot scan (think torrents).

Having said that, I was running a Fortigate at home just because. I don't know if it ever stopped anything.

Best thing I can suggest: offline (or online) backups that are not accessible from your machine, and don't be an idiot™.

@NZLaurence 

 

Thanks for the input. I'm admittedly ignorant about the various home options out there. Obviously, ease of use is great, but if there's an old enterprise piece of gear that has lots of features that can be repurposed for a home, that's fine too. I guess my concern with a commercial product is lack of updates for any new attack definitions, short of buying a recurring updates license, if it is even available. 

 

One of the things that have always bothered me is how anti-virus is supposed to stop your computer from getting attacked. When the malware is already on your machine, isn't that too late? Also, what about all the smart home IoT devices? They don't run anti-virus, so it seems that some type of edge hardware solution is the only way to have a fighting chance.

 

Regarding backups, I do nightly backups to an internal SSD connected inside of my desktop. Once weekly I do an additional external USB drive backup and then keep that drive offline until the next time a backup is needed. Additionally, I'm building a FreeNAS server where I will keep even more backups once complete. I also have my most mission critical personal information in a secured, locked up facility off-site in a fire-proof room. 

 

Any other best practices? I'm all ears. :)


4 minutes ago, Tsuki said:

The thing about browser-based ad-blockers is, the ads still come through to your computer, you just don't see them.

Pi-Hole prevents them from hitting your network entirely. The benefit to this is that it will reduce bandwidth and can increase the speed that pages load. And because it's being set at the DNS level, it not only affects your computer, but every other computer and mobile phone on the network.

It's not without its quirks though:

- Where an ad would normally be, you get a 'could not connect' screen instead, as opposed to browser-based ones, where it shows nothing.

- It does not block YouTube ads very well. It can get some, but not all, unless you manually blacklist every single DNS they come from, of which there are thousands.

- Google ads were the biggest issue for my roommates and my wife. When you search for a product on Google, occasionally the first couple of links are ads (they even say "ad" next to them). You won't be able to click on these anymore since it will get blocked.

- The only other thing I ever have issues with is it occasionally blocking a legit website. It doesn't happen very often though, and it's easy to fix. You check the log to see which domain was blocked, then check to see which list it's on, then go edit that list to remove it. Problem solved.

As an example of the scale you can manage, I'm currently blocking 132,741 domains. I have 28,544 queries in the last 24 hours, and blocked 1,783 of them. And not one has been an issue. The only major issue I had was when I pulled the wrong list and ended up blocking 1.3 million domains and nothing worked lol. Deleted the culprit list, problem solved.

@Tsuki

 

Excellent write-up, thank you. When you step off your home wifi network, how do you cope with ads when you're out and about, using either public wifi or mobile data on your phone? Any particular solutions for overcoming that hurdle? 


31 minutes ago, TheSaint said:

Thanks, I'll check both out. Why did you go with the 60D over Sophos? 

Fortinet/FortiGate is what we were installing for clients and was the trending thing, my home network is my lab for experimentation/learning. 60D was the smallest model that supported all features, lower models didn't.

 

There is no need for something like that at home unless you have a reason like mine.


7 minutes ago, TheSaint said:

@Tsuki

 

Excellent write-up, thank you. When you step off your home wifi network, how do you cope with ads when you're out and about, using either public wifi or mobile data on your phone? Any particular solutions for overcoming that hurdle? 

I refuse to connect to public wifi, and when I'm using mobile data, I just kinda live with it. Although I don't typically do heavy browsing outside of Reddit, so it doesn't bother me too much.

However, what you can do is set Pi-hole to have a public-facing DNS, that way you can set it on your laptop or something, so even when you aren't on your home network, you can still use your Pi-hole. There are some security concerns with this, and I know there are ways to combat them, however I don't have a laptop so it isn't something that I've looked into.

EDIT: Just looked into it a little bit, even the developers suggest you don't set up an open resolver, and suggest using a VPN into your home network instead.

Their guide on the topic: https://github.com/pi-hole/pi-hole/wiki/Pi-hole---OpenVPN-server


In the overall realm of network security appliances, especially geared towards home use, there is also the Bitdefender Box and Norton Core.

Looking to buy GTX690, other multi-GPU cards, or single-slot graphics cards: 

 
