Network Protection ... What types are you using?


#1

Just curious as to who uses what.

  • Hardware only?
  • Software only?
  • Both Hardware and Software?

Currently I’ve only been using a Software Firewall.

Rob


#2

We use hardware.


#3

I’ve been considering a Zyxel Next Generation VPN Firewall with 1 WAN, 1 SFP, 4 LAN/DMZ Gigabit Ports … but I’d rather be closer to the $100 range.

MWS doesn’t seem too thrilled with my current choices concerning Network Security, so I’m going to add another layer.


#4

I am very happy with SonicWall router/firewall (and their security subscription service and VPN).


#5

You could host your app on their AWS cloud computing :slight_smile: then if they have an issue refer them to Jeff Bezos?


#6

A lot of developers should be looking at upgrades this year with all the new rules.

I run a hardware firewall, a Cisco ASA. Software firewalls on Windows, iptables on Unix, although the Mac runs free at the moment. Strict network segmentation by VLAN; Wi-Fi guest access and IoT devices are kept separate, internet access blocked unless via a standalone network proxy.

Just finished over the last year moving all stored data to the AWS cloud for the extra encryption, granular user controls, and the AWS waf. Any new software is fully AWS hosted, the older stuff is slowly getting rewritten and ported up. As buildcom alluded to, the new data protection rules seem to be extremely AWS oriented.

Cisco has a new lightweight line out (Meraki) that is much easier to configure, but they are still in the $500 range for the hardware and a 5 year subscription. SonicWall is also highly rated, but can be complicated to setup and will be in the same price range.


#7
  • Both software and hardware firewalls (the hardware firewall being a normal router)
  • VPN (PIA) although I typically don’t use it for Amazon unless I am away from home
  • a browser addon that forces https:
  • WiFi router set to not be publicly discoverable
  • PIA (android and Windows) when using any public WiFI, not just for access to Amazon.

A new hack is developing where hackers take control of phone SIM cards. It’s called SIM Swapping. This makes Amazon’s OTC verification by text insecure (but better than nothing). There are alternatives. See several security articles about SIM Swapping on krebsonsecurity (.) com


#8

Good Google-able article:
Why Phone Numbers Stink as Identity Proof krebsonsecurity


#9

My problem is that I don’t fully understand why I need a hardware firewall. Umpteen years on the internet with the protections I do use and no issues . . . it’s not clear to me why I would put myself through the cost/hassle of setting this up. (I know . . . this paves the way for my next post, entitled “My Entire Network Was Compromised by Hackers”).

Yeah the cheapest one appears to be $595 for only 250 Mbps throughput, way slower than the gigabit router it would be connected to. To match the speeds I’d be looking at . . . $5-10K? Not sure I actually need gigabit throughput, of course, but I hate the idea of adding a device to solve a problem I’m not sure I have that would slow my WAN connection way down.

bunga bunga!


#10

If you have a router you already have a hardware firewall. Just turn it on if it isn’t already on.


#11

I cannot go into great detail for obvious reasons.

One is a hardware solution with deep packet inspection.

Our entire internal networking is layered.

  1. The most critical systems, those that could actually shut down the facility or leak extremely valuable data, are air gapped from the internet.

  2. Activity that is moderately sensitive but is forced onto cloud-based applications is run on a physically isolated network.

  3. Our email comes in via a different internet provider to eliminate any possibility of a gateway breach contaminating our moderately sensitive network. We use cheap laptops for email only, so whatever does come in is not getting much.

Absolutely NOTHING is safe when connected to the internet, all internet connections must be assumed hostile.


#12

Yeah, I took a look and it’s on, apparently operating in Reject of all inbound communications save for those overridden by port forwarding.

bunga bunga!


#13

I spotted this one on amazon

It has GigE connections, which is probably what the router claims are bounded by. The 250 Mbps throughput is actually quite a bit (ouch) for a business, consumer HD video streams are only about 5 Mbps. Individual users are bounded by internet and target latency more than local bandwidth, under normal circumstances it takes quite a few simultaneous users (I would think 20 or so) to make much of a dent in 250 Mbps of real traffic.

Most routers are not stateful firewalls, they usually just have NAT features on the outbound and some wifi security. Almost completely marketing, google up NAT security.


#14

Correct, the majority are easily breached, especially those used by a cable TV internet provider. They open up a port; that is like leaving a $100 bill on the sidewalk in the eyes of a nefarious actor on the internet. Anyone can break in with that open port.

Look on bing for open port tool sites to scan the gateway, many will get a very rude awakening.
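The "open port tool" check from the post above, as an added example written for this page rather than anything posted in the thread: a plain TCP connect probe, which is all those web scanners do, with the three verdicts a practitioner needs to tell apart. "open" means something answered (a listener or a port forward), "closed" means the target actively refused (RST or ICMP unreachable, which is what a REJECT policy like the one reported in #12 produces), and "filtered" means no answer at all (a DROP policy, or the SYN never arrived). The demo target is a constructed throwaway listener on loopback standing in for a port-forwarded service; to do what #14 suggests you would point `scan()` at your gateway's public address from a host outside your network.

```python
import socket
import threading
from typing import Dict, Iterable, List, Tuple


def probe_port(host: str, port: int, timeout: float = 1.0) -> str:
    """TCP connect probe: 'open' (SYN answered), 'closed' (actively refused),
    or 'filtered' (no answer within the timeout)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except socket.timeout:
            return "filtered"
        except ConnectionRefusedError:
            return "closed"             # RST or ICMP unreachable: a REJECT policy looks like this
        except OSError:
            return "filtered"           # unreachable network etc.: treat as no answer


def scan(host: str, ports: Iterable[int], timeout: float = 1.0) -> Dict[int, str]:
    return {p: probe_port(host, p, timeout) for p in ports}


def exposed(results: Dict[int, str]) -> List[int]:
    """Only the open ports matter to an attacker; closed and filtered both mean 'no way in'."""
    return sorted(p for p, verdict in results.items() if verdict == "open")


def start_demo_listener() -> Tuple[socket.socket, int]:
    """Constructed stand-in for a port-forwarded service: a throwaway listener on loopback.
    Returns the listening socket (close it when done) and the port it got."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:
                return                  # listener was closed

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def unbound_port() -> int:
    """Pick a loopback port with nothing listening, to show the 'closed' verdict."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    srv, open_port = start_demo_listener()
    results = scan("127.0.0.1", [open_port, unbound_port()])
    for port, verdict in results.items():
        print(f"{port:5d} {verdict}")
    print("exposed:", exposed(results))
    srv.close()
```

Run from outside your own network (a phone on mobile data, or a VPS) against the public address, not from inside, since a probe from the LAN never crosses the gateway's inbound policy. A gateway with the inbound rules #12 describes should return "closed" or "filtered" for everything except the ports you deliberately forwarded.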


#15

Stay clear of any device that is cloud managed, you might as well not have it at all. Find one that is local access via ethernet cable.


#16

You have very strong opinions. I’m afraid I don’t consider most of them very reasonable.


#17

I strongly disagree. NAT does provide a level of “stateful inspection”. Not as comprehensive as expensive corporate firewalls, but pretty darned good. It prevents unsolicited data from entering the LAN from attacks employing port scans or other port-based attacks. As you said, you can also set up outgoing restrictions to keep your computer from becoming a spambot, but that is hardly the only thing NAT firewalls do.


#18

It’s not opinion, that is fact.

For users just using social media site and streaming video it really does not matter if they even have a firewall.

My comments are for professionals that have to manage their high value information.


#19

It’s FiOS, so theoretically I am 1 Gbps all the way to Verizon, anyway. After that it’s internet slowness and target latency as you suggest.

I think I’ll just leave well enough alone.

bunga bunga!


#20

This is easily researched, and easily disproven. Search for NAT security, or NAT myth.
Some of the conclusions seem a little hyperbolic, but the points are there. Stateful firewalls do much more, and continue to protect after the connection is made, which is why they need to be rated for throughput. I am only arguing with you because I believe you are not opinion driven, and will change your mind if I can show you enough proof.

I’m not saying NAT routers are insufficient, this depends on what you have going on inside the network, number of users, etc. I am saying that real firewalls are really better.
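The NAT-versus-stateful-firewall argument that runs through #13, #17 and #20, together with the segmented set-up described in #6 (guest and IoT VLANs kept apart, internet only through a standalone proxy), as an added Python simulation. This is example code written for this page, not anything posted in the thread. The addresses (RFC 5737 test ranges for the internet side), the three-VLAN plan, the proxy host and port, and the port forward are all constructed assumptions. It models both devices on the same packets: a plain NAT router admits any inbound packet that matches an existing translation or a port forward and applies no policy between hosts, while the stateful firewall adds a default-deny zone policy and checks TCP state on every packet, so an inbound SYN riding an existing mapping is dropped and a RST tears the connection down.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

# Constructed addressing: RFC 5737 ranges play the internet side; the VLAN plan
# mirrors the thread's LAN / guest Wi-Fi / IoT split.
PUBLIC_IP = "198.51.100.5"
ZONES = {"lan": ip_network("192.168.1.0/24"),
         "guest": ip_network("192.168.2.0/24"),
         "iot": ip_network("192.168.3.0/24")}
PROXY = ("192.168.1.10", 3128)      # assumed address/port of the standalone egress proxy

# src, sport, dst, dport and a single simplified TCP flag: SYN, ACK, FIN or RST
Packet = namedtuple("Packet", "src sport dst dport flags", defaults=("ACK",))
Flow = Tuple[str, int, str, int]    # (inside host, inside port, outside host, outside port)

def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), "wan")

class NatRouter:
    """A plain consumer router: source NAT plus static port forwards, no policy at all."""

    def __init__(self, forwards: Optional[Dict[int, Tuple[str, int]]] = None):
        self.forwards = forwards or {}          # public port -> (inside host, inside port)
        self.nat: Dict[int, Flow] = {}          # public port -> translated flow
        self.next_port = 40000

    def public_port(self, flow: Flow) -> Optional[int]:
        return next((pp for pp, f in self.nat.items() if f == flow), None)

    def handle(self, p: Packet) -> str:
        if zone_of(p.src) == "wan":
            return self.inbound(p)
        if zone_of(p.dst) != "wan":
            return "forward"                    # one flat LAN behind the router: anything goes
        flow = (p.src, p.sport, p.dst, p.dport)
        if self.public_port(flow) is None:      # first outbound packet creates the mapping
            self.nat[self.next_port] = flow
            self.next_port += 1
        return "forward"

    def inbound(self, p: Packet) -> str:
        if p.dport in self.forwards:
            return "forward"                    # a forwarded port is open to the whole internet
        flow = self.nat.get(p.dport)
        if flow and (flow[2], flow[3]) == (p.src, p.sport):
            return "forward"                    # translation exists; TCP flags are never looked at
        return "drop"                           # unsolicited: nothing to translate it to

# Allow-list, default deny: (source zone or host, destination zone, destination port or any).
# Guest and IoT never reach LAN hosts; only the proxy reaches the internet.
POLICY = [(PROXY[0], "wan", None),
          ("lan", "lan", PROXY[1]),
          ("iot", "lan", PROXY[1]),
          ("lan", "iot", None)]

def permitted(p: Packet, policy=POLICY) -> bool:
    return any(src in (p.src, zone_of(p.src)) and dz == zone_of(p.dst) and dport in (None, p.dport)
               for src, dz, dport in policy)

class StatefulFirewall(NatRouter):
    """Same NAT, plus zone policy and connection tracking applied to every packet."""

    def handle(self, p: Packet) -> str:
        if zone_of(p.src) == "wan":
            return self.inbound(p)
        if not permitted(p):
            return "drop"
        if zone_of(p.dst) != "wan":
            return "forward"
        flow = (p.src, p.sport, p.dst, p.dport)
        pp = self.public_port(flow)
        if pp is None:
            if p.flags != "SYN":
                return "drop"                   # mid-stream packet with no tracked connection
            self.nat[self.next_port] = flow
            self.next_port += 1
        elif p.flags in ("FIN", "RST"):
            self.nat.pop(pp)                    # simplified teardown (real conntrack has TIME_WAIT)
        return "forward"

    def inbound(self, p: Packet) -> str:
        if p.dport in self.forwards:
            return "forward"                    # still exposed: a port forward is a policy decision
        flow = self.nat.get(p.dport)
        if not flow or (flow[2], flow[3]) != (p.src, p.sport) or p.flags == "SYN":
            return "drop"                       # unknown tuple, or a new SYN riding an existing mapping
        if p.flags in ("FIN", "RST"):
            self.nat.pop(p.dport)               # after teardown, later packets match nothing
        return "forward"

if __name__ == "__main__":
    fw, laptop, web = StatefulFirewall(), "192.168.1.50", "203.0.113.7"
    print("laptop direct to internet:", fw.handle(Packet(laptop, 50000, web, 443, "SYN")))
    print("laptop via proxy:         ", fw.handle(Packet(laptop, 50001, *PROXY, "SYN")))
```

The two places the models diverge are the ones the thread argues about. Both drop an unsolicited packet to a port with no translation, which is the protection #17 credits NAT with; only the firewall drops a guest-to-LAN connection, a LAN host going to the internet without the proxy, or a fresh SYN arriving on a port whose mapping belongs to another connection, and only the firewall forgets a connection after a RST, which is what #20 means by protecting after the connection is made. The port forward at 8080 is exposed on both: no amount of policy fixes a hole you opened on purpose.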