Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Generic User Avatar

Hardware firewall necessary?


  • Please log in to reply
13 replies to this topic

#1 tfb22

tfb22

  •  Avatar image
  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:01:09 AM

Posted 01 July 2022 - 11:31 AM

I just had my small business Interent service upgraded to fiber - much faster than previous service. Our current firewall/switch is a Fast Ethernet Netgear FVS-318, which is now a real speed bottleneck for our 500Mbs service.

 

Our new modem is an Arris NVG448B, and it's user interface has firewall settings, so obviously there is some kind of firewall function in this modem itself.

 

We run NOD32 on all of our workstations, and use our wired network for everything except the occasional laptop or iPad logging in via WiFi.

 

I'm looking around at upgrades for our old Firewall/switch, and I'm wondering if a separate hardware firewall is really overkill for my needs now. Would it make sense to just get a Gigabit unmanaged switch to handle multiple ports? Or do I need something like a Firewalla Purple or Gold?

 

The wired network has 3 workstations, a printer, and a NAS at this point.

 

TIA for your suggestions!



BC AdBot (Login to Remove)

 


#2 EndangeredPootisBird

EndangeredPootisBird

  •  Avatar image
  • Members
  • 238 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:09 AM

Posted 01 July 2022 - 12:02 PM

Its more important that you use strong credentials for your RDP and VPN software so that they arent easily bruteforced, and keep all devices and applications up to date.


Edited by EndangeredPootisBird, 01 July 2022 - 12:03 PM.


#3 tfb22

tfb22
  • Topic Starter

  •  Avatar image
  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:01:09 AM

Posted 01 July 2022 - 12:17 PM

Thanks for your note. No remote desktop usage, and for now anyhow, no VPN. This is a one-person business (me!) and over the many years I have run it, I've never had any connectivity or security problems. All devices and software is relentlessly updated out of long-standing habit. 

 

The old FVS firewall/switch seemed like the path of least resistance to securing what I had at the time.

 

My studio is in a 100+ -year-old converted factory building. When they rebuilt the nearby municipal artery last year, all the utility companies were sort of compelled to up their games - thus the fairly painless and unexpectedly rapid arrival of FIOS.



#4 EndangeredPootisBird

EndangeredPootisBird

  •  Avatar image
  • Members
  • 238 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:09 AM

Posted 01 July 2022 - 12:28 PM

Then I see little reason to invest more resources into anything else.

 

You can follow this guide to get hardened protection against sophisticated threats, its for the business version, luckily all ESET versions, home and for business, use the same user interface for the settings.

 

https://support.eset.com/en/kb6119-configure-hips-rules-for-eset-business-products-to-protect-against-ransomware


Edited by EndangeredPootisBird, 01 July 2022 - 12:28 PM.


#5 Shplad

Shplad

  •  Avatar image
  • Members
  • 6,473 posts
  • ONLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:12:09 AM

Posted 12 August 2022 - 04:50 PM

If this is your business, can you afford to lose some or all of it?

Can you afford to pay ransomware, if you get hit?

 

Many people seem to believe that the only reason to buy a hardware

firewall is for speed-when you have quite a lot of network traffic

and/or many devices on the network. That is not the only reason.

 

Layering and thoroughness also matter.

 

One of the the first principles of security is to layer things.

Right now, you have mostly two layers: Your Windows firewall

and the Netgear router. The FVS-318 has pretty basic firewalling functionality:

 

From the manual:

 

https://www.downloads.netgear.com/files/FVS318v3_RM_11Jan2012.pdf
 

 

Unlike simple Internet sharing NAT firewalls, the FVS318v3 is a true firewall, using stateful
packet inspection to defend against hacker attacks. Its firewall features include:
DoS protection.
Automatically detects and thwarts DoS attacks such as Ping of Death, SYN Flood, LAND
Attack, and IP Spoofing.
Blocks unwanted traffic from the Internet to your LAN.
Blocks access from your LAN to Internet locations or services that you specify as off-limits.
Logs security incidents.
The FVS318v3 logs security events such as blocked incoming traffic, port scans, attacks, and
administrator logins. You can configure the firewall to email the log to you at specified
intervals. You can also configure the firewall to send immediate alert messages to your e-mail
address or email pager whenever a significant event occurs.
With its content filtering feature, the FVS318v3 prevents objectionable content from reaching
your PCs. The firewall allows you to control access to Internet content by screening for
keywords within Web addresses. You can configure the firewall to log and report attempts to
access objectionable Internet sites

 

 

Stateful packet inspection is good, and it's important. That means it

examines each packet individually for potentially malicious content.

 

However, the v. 5 of this manual (not v.1) is dated 2012. How many firmware

updates have you received for it since then? Based on that manual version,

I'm guessing this box became unsupported years ago. I'm I'm wrong,

please let me know. Unsupported means isn't providing updates for critical

vulnerabilities/hacking methods.

 

Generally, only more expensive gear gets updates for many years. Is this one

still getting regular updates?

 

Speaking of which, do you make backups of your existing configuratiin for it?

That generally only takes a few seconds, and can save a world of pain after an attack,

breach or questionable event. If not, I urge you to start doing so. The files are tiny,

so need for much storage space.

 

Also, do you check the logs once in a while? Maybe you don't know how to

interpret them, but it is a good idea to learn a few basics so you can at

least make some educated guesses as to how safe you are.

 

I'll add one more thing: A newer device, depending on price, may also be able

to scan for malware and viruses, though that costs more (usually as a

subscription). But it's another layer of protection. When possible, you want to

have multiple layers of protection to rely on. It could be compromised.

 

True hardware firewalls also usually do much more sophisticated packet

inspection than software firewalls do. So, in short, there are a few advantages

to an up-to-date hardware firewall.

 

BTW, depending on how technical you want to get, a third option is to use

something like PFSense, which is available as a free download. It's very

powerful, and is used in many business environments. It runs on a lot of

typical Intel/AMD hardware as it's based on FreeBSD (similar to Linux)

under the hood.

 

That may be a level of complexity you don't want, but I just though I'd give

you the option.

 

See bottom third of this page for free version:

https://www.pfsense.org/products/#requirements


Edited by Shplad, 12 August 2022 - 05:05 PM.

- Use this to collect and post information about your PC hardware, software and configuration (Whether or not you have crashing).

 

Blue Screen of Death (BSOD) Posting Instructions - Windows 10, 8.1, 8, 7 & Vista

https://www.bleepingcomputer.com/forums/t/576314/blue-screen-of-death-bsod-posting-instructions-windows-10-81-8-7-vista/

 

 


#6 tfb22

tfb22
  • Topic Starter

  •  Avatar image
  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:01:09 AM

Posted 15 August 2022 - 04:17 PM

Thanks for your thoughtful reply. I guess the level of complexity has a consideration here, as well. 

 

Now that we're on the FIOS connection, we have a hardware firewall provided in the router itself, but there doesn't seem to be much data out there on exactly what this might mean. It's your garden-variety router, provided by the FIOS provider, an Arris NVG68MQ. The spec sheet I have seen lists under Security, "Stateful packet inspection firewall, Virtual DMZ/IP pass-through, Denial of service (DoS) protection, VPN pass-through (PPTP, L2TP, IPSec)"

 

We've also got the software firewall provided by NOD32.

 

After 2 years, the FIOS company probably will try to charge rent for this thing, at which time we will replace it with something better. Discussions with the Firewalla folks have proven to be fruitful in that respect.

 

Everything here is backed up to our secure NAS as well, and to a portable HD connected to the NAS, and physically removed every night when we shut down.



#7 Shplad

Shplad

  •  Avatar image
  • Members
  • 6,473 posts
  • ONLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:12:09 AM

Posted 15 August 2022 - 06:06 PM

Yes, all those features are standard on most average modern routers.

 

How is your NAS "Secure"?


- Use this to collect and post information about your PC hardware, software and configuration (Whether or not you have crashing).

 

Blue Screen of Death (BSOD) Posting Instructions - Windows 10, 8.1, 8, 7 & Vista

https://www.bleepingcomputer.com/forums/t/576314/blue-screen-of-death-bsod-posting-instructions-windows-10-81-8-7-vista/

 

 


#8 tfb22

tfb22
  • Topic Starter

  •  Avatar image
  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:01:09 AM

Posted 17 August 2022 - 04:01 PM

Synology firewall. Set to only allow access to NAS from our workstations.



#9 Shplad

Shplad

  •  Avatar image
  • Members
  • 6,473 posts
  • ONLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:12:09 AM

Posted 17 August 2022 - 04:04 PM

Okay. I'm not sure I'd consider that a full layer of protection, but in either case,

I assume you're well aware of this:

 

https://www.synology.com/en-us/company/news/article/2019JulyRansomware

 

TAIPEI, Taiwan—July 23, 2019—Synology® recently found that several users were under a ransomware attack, where admins' credentials were stolen by brute-force login attacks, and their data was encrypted as a result. We investigated and found that the causes of these attacks were due to dictionary attacks instead of specific system vulnerabilities.

 

 

And from what I remember, "several users" was more like several thousand users.


- Use this to collect and post information about your PC hardware, software and configuration (Whether or not you have crashing).

 

Blue Screen of Death (BSOD) Posting Instructions - Windows 10, 8.1, 8, 7 & Vista

https://www.bleepingcomputer.com/forums/t/576314/blue-screen-of-death-bsod-posting-instructions-windows-10-81-8-7-vista/

 

 


#10 tfb22

tfb22
  • Topic Starter

  •  Avatar image
  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:01:09 AM

Posted 17 August 2022 - 04:38 PM

I did see that. I think it mentioned that most of this consisted of  brute force attacks using a dictionary. Our logins are random combinations of letters,numbers and symbols, and the block setting is set to 4 tries. Good enough for us, I think. 



#11 Shplad

Shplad

  •  Avatar image
  • Members
  • 6,473 posts
  • ONLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:12:09 AM

Posted 17 August 2022 - 04:55 PM

Yes, exactly. If a serious person/group is really intent on getting in,

they'll find a way. The best we can do is create plenty of significant

barriers.


- Use this to collect and post information about your PC hardware, software and configuration (Whether or not you have crashing).

 

Blue Screen of Death (BSOD) Posting Instructions - Windows 10, 8.1, 8, 7 & Vista

https://www.bleepingcomputer.com/forums/t/576314/blue-screen-of-death-bsod-posting-instructions-windows-10-81-8-7-vista/

 

 


#12 tfb22

tfb22
  • Topic Starter

  •  Avatar image
  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:01:09 AM

Posted 18 August 2022 - 10:45 AM

I agree completely. 



#13 Shplad

Shplad

  •  Avatar image
  • Members
  • 6,473 posts
  • ONLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:12:09 AM

Posted 18 August 2022 - 12:41 PM

Okay, then I guess that's all you need?


- Use this to collect and post information about your PC hardware, software and configuration (Whether or not you have crashing).

 

Blue Screen of Death (BSOD) Posting Instructions - Windows 10, 8.1, 8, 7 & Vista

https://www.bleepingcomputer.com/forums/t/576314/blue-screen-of-death-bsod-posting-instructions-windows-10-81-8-7-vista/

 

 


#14 tfb22

tfb22
  • Topic Starter

  •  Avatar image
  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:01:09 AM

Posted 18 August 2022 - 05:00 PM

I think so; thank you for your assistance!






1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users