7 things to look for in a hardware firewall

The threat environment for cybersecurity has changed drastically over time, and home broadband use has skyrocketed. When remote jobs and hybrid working arrangements are added, the security features in many consumer routers might not be enough. A hardware firewall appliance adds another layer of security to your home network, while giving you advanced features to manage network traffic and connect to corporate networks.

Whether you want to keep your family safer online or work as if you’re physically in the office, a good hardware firewall adds stronger security measures while offering some level of preventive threat analysis, so threats can be caught before they become an issue. Some employers might even require one to be installed so you can take advantage of WFH arrangements, but how do you know what you need in terms of features? Whatever hardware firewall you go for, there are some basic features that you should aim for, as well as some more advanced nice-to-haves that make your home network that much safer.

7

Throughput and ports

You want high throughput numbers, especially once you turn on filtering and inspection

Before looking deeper into the functionality of a hardware firewall, you want to know two things. The first is how many ports it has and the speed of those ports, because that determines both current and future setup needs. As hardware firewalls, when used in home networks, are usually set up as edge devices, they go between the internet and your internal hardware. That means you might only need two ports, but it’s important to match the speed of these to your existing hardware so they can all sync up together. They could also be used for internal segmentation, but that’s less likely at home. It’s still important to match port speeds with existing hardware, but you might want more ports so that future expansion can be planned.

You’ll also want to check the throughput of the firewall, which is the volume of traffic that can pass through at any one time. Most firewalls will support 1Gbps+ throughput, so it’s not as important to check, but if you’re buying ex-enterprise or other used hardware, check the specs, because on older devices throughput can drop drastically once you turn on filtering, intrusion prevention, and other security features.

6

Basic functionality

Stateful inspection, packet filtering, and access control lists

Hardware firewalls have some features that are generally thought of as table stakes, like access control lists to allow or deny web traffic based on predetermined rules. This list of rules filters traffic before it hits the network, making it easier for the other security features to do their jobs while hopefully stopping unauthorized traffic. For example, you can set them up to only let video call data go to certain devices on your network, so other attempts will bounce off the firewall.

While they’re also part of the software firewall in your operating system, having them on a dedicated network appliance means the rules get applied to all traffic, not just that aimed at your computer. They’re best when used in conjunction with a stateful firewall that can monitor every packet in a session and detect and reject any unauthorized traffic.
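The interaction between an access control list and stateful inspection can be sketched in a few lines. This is an added example, not code from the original article or from any firewall product; the LAN range, the addresses, and the single video-call rule (UDP port 3478 to one laptop) are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str  # "tcp" or "udp"

LAN = ip_network("192.168.1.0/24")  # assumed home LAN range

# Constructed inbound ACL: (protocol, destination host, destination port).
# Video-call media on UDP 3478 may reach one laptop only.
INBOUND_ACL = {("udp", "192.168.1.20", 3478)}

class StatefulFirewall:
    """Toy edge firewall: tracks sessions opened from inside, then applies
    the ACL. A real appliance also tracks TCP state and expires sessions."""

    def __init__(self):
        self.sessions = set()  # flows initiated from the LAN

    def filter(self, p: Packet) -> str:
        if ip_address(p.src) in LAN:
            # Outbound: remember the flow so the reply can come back in.
            self.sessions.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return "allow: outbound, session tracked"
        # Inbound: is this the mirror image of a flow we opened?
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.sessions:
            return "allow: reply to tracked session"
        # Unsolicited inbound: only the ACL can let it through.
        if (p.proto, p.dst, p.dport) in INBOUND_ACL:
            return "allow: matches inbound ACL"
        return "deny: no session, no ACL match"
```

An inbound packet that mirrors a tracked outbound flow is accepted without any explicit rule, while the same packet aimed at a different local port or device is dropped.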

5

Virtual Private Networks (VPNs)

Keep your data private and access your home network from outside

Whether you need to access your home network from outside, or use a computer to connect to a corporate computing environment at your workplace, having VPN support on your hardware firewall is important. It’s not just that it will encrypt your data going both ways, but it also acts as another layer of access control, ensuring that devices that aren’t supposed to be on your network aren’t able to connect. It’s also important to have multi-factor authentication for any VPN connections, as it’s the best way to ensure that only authorized users can connect through your firewall.

4

Advanced security features

Application control, deep packet inspection, and other nice-to-haves

Hardware firewalls can also have multiple advanced security features that might slow down throughput on your network but make it much safer. This could include deep packet inspection to inspect the contents of data packets as they go through the firewall, with a much wider range of metadata inspected than a simple stateful firewall. Even malicious encrypted data can still be guarded against, as the metadata and routing information can’t be encrypted. This works in both directions, so it’s a good way to guard against data exfiltration and malware or other issues spreading around your internal network.

Some hardware firewalls have threat intelligence, which gets real-time updates for malware and other threats found in the wild, so they can better protect against emerging threats without waiting for larger updates. Or you can set up access lists based on the applications that are supposed to be allowed through the firewall, so that even if malware makes it through, it can’t dial back home unless it infects one of those programs.

3

Quality-of-Service

Make sure your security features don’t grind the network to a halt

While all the active monitoring and inspecting of packets is good for security, it slows down the throughput of the network as a result. Having Quality-of-Service rules running on the network appliance is an important way to ensure that every computing device that needs bandwidth gets its fair share while the security tools get enough to do their job as well. Security features that slow your users down too far will push them to find other means of internet access, which limits your overall security.

2

Intrusion Prevention Systems (IPS)

And an intrusion detection system as well

Firewalls are very rule-based and can only be as good as the network admin who sets them up. However, better hardware firewalls nowadays can also run other systems, like intrusion prevention or detection systems. These all work in synergy to keep the network free from issues or shut down issues as they arise.

  • Intrusion Prevention System: Actively blocks threats on the network
  • Intrusion Detection System: Monitors and alerts for potential security issues and breaches without affecting data flow

When all three systems are running, they make up a comprehensive security framework to keep your network secure. The triple layer of the firewall, IDS and IPS, first reduces the amount of traffic going onto the network, then filters it for potential threats and blocks any actual threats. Next-generation hardware firewalls do all three, making them a single point of security enforcement.

1

Advanced malware detection

Sandbox threats before they spread

One important feature of the best firewalls is sandboxing. While antivirus and malware prevention tools have plenty of knowledge about existing threats that cybersecurity researchers have studied, not every threat has been seen in the wild. When a hardware firewall with sandboxing functionality sees an unknown file, instead of routing it to the computer that requested it, it’ll put it into a sandbox environment to study for a short while.

It’ll also run the file’s hash value through a cloud-based database of known files, which can significantly speed up the process of deciding whether to allow the download of that file. If it’s not found in the database, that file will stay to be studied a little longer, and it is added to the database once the system or a system admin decides whether it’s safe. This protects against zero-day attacks, and also makes every firewall that uses these cloud-based databases a little bit safer as a result.
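The hash lookup and sandbox fallback described above can be walked through in code. This is an added example, not code from the original article or any vendor; the in-memory dictionary stands in for the cloud database, `sandbox_analyse` is a hypothetical placeholder for real behavioural analysis, and all file contents are constructed.

```python
import hashlib

# Constructed stand-in for the cloud database: SHA-256 digest -> verdict.
KNOWN_FILES = {
    hashlib.sha256(b"constructed known-good installer").hexdigest(): "clean",
    hashlib.sha256(b"constructed known-bad dropper").hexdigest(): "malicious",
}

def sandbox_analyse(content: bytes) -> str:
    """Hypothetical sandbox step. A real sandbox runs the file in isolation
    and watches its behaviour; here a marker string stands in for that."""
    return "malicious" if b"BAD-BEHAVIOUR" in content else "clean"

def gate_download(content: bytes, db: dict) -> tuple:
    """Return (action, source): what the firewall does with the file and
    whether the verdict came from the database or from the sandbox."""
    digest = hashlib.sha256(content).hexdigest()
    verdict = db.get(digest)
    source = "database"
    if verdict is None:
        # Unknown file: hold it back and study it before delivery.
        verdict = sandbox_analyse(content)
        # Record the result so the next lookup, here or on another
        # firewall sharing the database, is answered immediately.
        db[digest] = verdict
        source = "sandbox"
    action = "deliver" if verdict == "clean" else "block"
    return action, source
```

The second time the same unknown file is requested, the verdict comes straight from the database, which is the speed-up the shared lookup provides.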

Hardware firewalls are more complex to tackle the ever-changing face of threat intelligence

Using a hardware firewall on your network increases security while teaching you advanced networking techniques. While you could make your own firewall out of an old PC, hardware firewalls come preconfigured with handy packages, have all the ports you need already, and are backed by some level of technical support for a period after purchase. It might be that last point that makes buying a dedicated hardware firewall more attractive to many network admins, and it should be the same for home network hobbyists.

source: https://www.xda-developers.com/functions-hardware-firewall-needs/
