Any suggestions for a firewall?

Hi,

I am looking to install a decent firewall/web filter at home.
The built-in firewall on the Virgin Media Super Hub and my Belkin router does not seem to be configurable enough for my liking.

One of the reasons I require this is to filter/monitor web traffic as my son is now at high school, so homework research is fine but I don't want any unwanted results showing in Google nor any dodgy popups! Plus I would like to restrict the amount of time he's on social network sites to a reasonable amount!

My plan is to put the firewall between the cable modem and my router running something like Sophos UTM Home using a pc or getting a purpose made firewall device.

If I was to go for the pc option I would require a low spec but virtually silent pc (it'd be on 24/7), could anyone recommend one?
Or could anyone recommend a standalone box?

Cheers
Paul
 
Hi Neil,

You may be right there. I do need it to be positioned to monitor all incoming traffic though and on constantly.

For monitoring only I could just stick a simple hub between modem and router then connect a laptop/PC to the hub running Wireshark, but that would not give me any control to block anything.

I do also have a decent managed switch on the network that can be configured using VLANs and port (physical) mirroring, so I may be able to connect the modem to that directly and monitor via port mirroring, but again no control.

Paul.
 
Too many PCs/laptops/phones/PS3s (you get the picture :)) in the house for that, it would be a right pain. Far easier to filter/block at the point of entry to the network. The Sophos is configurable by user/IP/MAC so seems good.
 
How much do you want to spend and how quiet do you want it to be? Also, how technically competent are you?

I have a completely silent i5-3470s based system that I use as a firewall (amongst other things) here. I have also built a silent firewall based on an Atom processor, but it might not be powerful enough if you are sat on one of the high bandwidth Virgin connections. Proxy/content filtering can be quite a CPU intensive task....
 
To spend - as little as possible but up to a couple of hundred I guess.
How quiet - not silent but close to it, no massive fans, but the spec would not need to be that high as long as Linux drivers are available!
My connection is only 10-20Mb so not superfast yet!

Technically competent - HP accredited on desktop/laptop, ProLiant and network essentials, working towards Cisco CCNA. Work on Sun, DEC, IBM and StorageWorks kit too as well as other bits and pieces. (sounds like a CV that lot :D)

I'm quite happy to build from scratch but would prefer a ready built/bare bones system for ease.
 
At that price, I'd be looking at a mini-ITX with Atom (which can be passive) or something like the AMD Fusion processors. Most of the firewall systems come on some form of *nix. I run pfSense here which uses DansGuardian and SquidGuard as HTTP filters. Other firewalls do similar things.

I have mine set up bridging between my network switch and modem, so it acts as the main system gateway and firewall. Although I don't run any HTTP content filtering, I do run a proper SPI firewall and use Snort for intrusion prevention. That can keep the CPU of even the i5 quite high if I have lots of filters and I'm downloading at 60Mbps...

The alternative is something like the Zyxel Zywalls (http://www.zyxel.com/uk/en/products_services/zywall_usg_200_100_50_20w_20.shtml?t=p). I was offered one of these by my ISP, but decided building my own was far more interesting ;)
 
Have a look at the bottom-end SonicWall; you pay an annual subscription, but it will do what you want and will be the simplest and most flexible.
 
At that price, I'd be looking at a mini-ITX with Atom (which can be passive) or something like the AMD Fusion processors. Most of the firewall systems come on some form of *nix. I run pfSense here which uses DansGuardian and SquidGuard as HTTP filters. Other firewalls do similar things.

I have mine set up bridging between my network switch and modem, so it acts as the main system gateway and firewall. Although I don't run any HTTP content filtering, I do run a proper SPI firewall and use Snort for intrusion prevention. That can keep the CPU of even the i5 quite high if I have lots of filters and I'm downloading at 60Mbps...

The alternative is something like the Zyxel Zywalls (http://www.zyxel.com/uk/en/products_services/zywall_usg_200_100_50_20w_20.shtml?t=p). I was offered one of these by my ISP, but decided building my own was far more interesting ;)

Thanks for the pointer, the mini-ITX looks interesting and could suit my needs. The Zyxel kit looks to require an additional yearly licence for web filtering so would prove quite expensive compared to the mini-ITX.

Have a look at the bottom-end SonicWall; you pay an annual subscription, but it will do what you want and will be the simplest and most flexible.

Thanks, but too expensive with the subscription for what I want to do.
 
I would also like to point out education is better than prevention.


What devices does he have access to? It wouldn't be hard to access a neighbour's wifi to download what he doesn't want you to know about, or tether to his phone. This will get around your firewall.

Then he could use offsite proxies, use a VPN to access a proxy or more.

The SonicWall and anything else with a subscription will block offsite proxies and keep up to date with the latest threats. £300 for the device and £80 a year for the subscription.

None of these will stop him from piggybacking off someone else's network though.
 
Hi Dale,

You are right, education is far better.

He has access to his own laptop (provided by the school so well locked down), his phone, PS3 and a home laptop.

We do supervise him, he's only 12, but I have already seen an inappropriate image when searching Google while researching for his Art homework. Now I know Google SafeSearch can block some, but some things get through.
It's not just the web filtering I want, it's also the ability to see what has been accessed.

The Linux firewall distributions seem to fit the bill without going to the length of a small business solution.

There are no open wireless points in our area so we're ok there at the moment, not to say none will become available but I'll monitor that.

Paul.
 
Hi, I am also looking at a new firewall with UTM.

The options I have looked at are Cisco, FortiGate, Juniper and Palo Alto. I am still researching but those names may be of some use.

I have also recently bought a Synology NAS which has an inbuilt firewall. I haven't used this yet but if you are looking at a storage option as well I would consider one of these.
 
Paul, the wireless doesn't need to be open, it is quite easy to hack wireless networks.
 
Paul_Westhead said:
Hi, I am also looking at a new firewall with UTM.

The options I have looked at are Cisco, FortiGate, Juniper and Palo Alto. I am still researching but those names may be of some use.

I have also recently bought a Synology NAS which has an inbuilt firewall. I haven't used this yet but if you are looking at a storage option as well I would consider one of these.

Is this for home or business? Keep an eye on throughput as they start low; we paid about £1400 for one with 80Mbps throughput.
 
This is what I ended up with: http://www.intel.co.uk/content/www/...ktop-motherboards/desktop-board-dn2800mt.html together with 2G memory, a 30G m-SATA disk and a second Intel NIC in the PCI-e slot. Totally passive and works fine (as long as you are OK with a lowish powered CPU) :)

Thanks Andy, that one looks ok. I have been looking at the Jetway JNC9KDL-2700-LF Dual Core 2.13GHz Cedar Trail Intel Atom D2700, which has an Intel chipset and dual LAN built in.

Hi, I am also looking at a new firewall with UTM.

The options I have looked at are Cisco, FortiGate, Juniper and Palo Alto. I am still researching but those names may be of some use.

I have also recently bought a Synology NAS which has an inbuilt firewall. I haven't used this yet but if you are looking at a storage option as well I would consider one of these.

Hi Paul,
I already have storage sorted with a Unap unit. The Cisco kit ain't cheap!

Paul, the wireless doesn't need to be open, it is quite easy to hack wireless networks.

Hi Dale,
I'm aware of that ;) but my 12yr old son isn't yet. The ones I find locally I make the neighbours aware of (y)

Just to clear anything up, it's not a case of me wanting to prevent my son seeing stuff online it's more protecting him while he is online. He's a well behaved lad, plus he knows what I do for a living and knows he won't get away with anything :D
Limiting access time to Facebook etc is also a requirement......

Cheers
Paul.
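The visibility the OP asks for in this post (see what has been accessed, cap time on Facebook and the like) can be pulled from the access log that the Squid-based filters mentioned earlier in the thread write. An added example, not code from the thread or from any product named in it: it parses constructed Squid native-format log lines, sessionises social-network requests per client per day, and flags a daily budget overrun plus any URLs the filter denied; the domain list, the 5-minute idle gap and the budget are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Squid "native" access.log format, one request per line, space-separated:
#   timestamp.ms elapsed_ms client action/status bytes method url ident hierarchy/peer type
SQUID_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>\w+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)\s*$"
)
SOCIAL_DOMAINS = ("facebook.com", "twitter.com", "instagram.com")   # assumed list
IDLE_GAP = 300   # assumption: no request for 5 minutes = the visit to that site ended

def host_of(url):
    """Host part of 'http://host/path' or of a CONNECT target 'host:443'."""
    no_scheme = re.sub(r"^[A-Za-z][A-Za-z0-9+.-]*://", "", url)
    return no_scheme.split("/", 1)[0].rsplit(":", 1)[0].lower()

def is_social(host):
    return any(host == d or host.endswith("." + d) for d in SOCIAL_DOMAINS)

def parse_line(line):
    """Return a dict of fields for a well-formed line, else None."""
    m = SQUID_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    rec["host"] = host_of(rec["url"])
    rec["day"] = datetime.fromtimestamp(rec["ts"], tz=timezone.utc).date().isoformat()
    return rec

def summarize(lines, budget_seconds=3600):
    """Per (client, day): seconds spent on social sites, whether the daily
    budget was exceeded, and the URLs the filter denied (TCP_DENIED)."""
    social_hits = defaultdict(list)   # (client, day) -> timestamps of social requests
    denied = defaultdict(list)        # (client, day) -> denied URLs
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                  # malformed or truncated line: skip, do not crash
        key = (rec["client"], rec["day"])
        if rec["action"] == "TCP_DENIED":
            denied[key].append(rec["url"])
        elif is_social(rec["host"]):
            social_hits[key].append(rec["ts"])
    report = {}
    for key in set(social_hits) | set(denied):
        stamps = sorted(social_hits[key])
        # Time on site = sum of gaps between consecutive requests; a gap longer
        # than IDLE_GAP is a separate visit, not continuous use, so it is ignored.
        seconds = sum(b - a for a, b in zip(stamps, stamps[1:]) if b - a <= IDLE_GAP)
        report[key] = {"social_seconds": int(seconds),
                       "over_budget": seconds > budget_seconds,
                       "denied": denied[key]}
    return report

# Constructed sample log (not real traffic): one client, one day, 2015-01-23 UTC.
SAMPLE_LOG = """\
1422000000.000  120 192.168.1.20 TCP_MISS/200 5120 GET http://www.facebook.com/ - HIER_DIRECT/31.13.64.1 text/html
1422000100.000   80 192.168.1.20 TCP_MISS/200 2048 GET http://www.facebook.com/feed - HIER_DIRECT/31.13.64.1 text/html
1422000200.000   60 192.168.1.20 TCP_TUNNEL/200 9000 CONNECT www.facebook.com:443 - HIER_DIRECT/31.13.64.1 -
1422001000.000   90 192.168.1.20 TCP_MISS/200 3000 GET http://m.facebook.com/ - HIER_DIRECT/31.13.64.1 text/html
1422001050.000   40 192.168.1.20 TCP_MISS/200 1000 GET http://www.facebook.com/ - HIER_DIRECT/31.13.64.1 text/html
1422001100.000   30 192.168.1.20 TCP_MISS/200 7000 GET http://en.wikipedia.org/wiki/Art - HIER_DIRECT/91.198.174.192 text/html
1422001200.000    1 192.168.1.20 TCP_DENIED/403 300 GET http://blocked.example/ - HIER_NONE/- text/html
"""
```

Running `summarize(SAMPLE_LOG.splitlines(), budget_seconds=200)` reports 250 social seconds for the client on 2015-01-23 (the 800-second gap is not counted), marks it over budget, and lists the one denied URL.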
 
He sounds like a bright kid - anyone like him will regard "forbidden fruit" as more exciting, and he'll find a way to get at it - we had medical books (how sad was that?) - the underwear section of "pay weekly catalogues", and shared and well-thumbed copies of "Health and Efficiency" - I'm firmly in the "education" rather than censorship camp - if he thinks you're restricting him he'll find a way round it......:D
 
Dale is right really, imposing too much restriction could just send him around his mates etc.

It's not the case of imposing too much restriction, more protection.
We're happy for him to use Facebook etc (his account is friends only etc) to a reasonable level as long as his homework is done and he is active, he's in Scouts and a karate cadet black belt so no couch potato :)

As I mentioned in an earlier post, I have already seen an image a 12yr old should not be seeing while researching his art homework. A completely innocent search threw up an image of a naked bloke in an African tribal mask!
 
I agree with the others with regards to education versus blocking.

That said, there is a place for filtering, and this is the first time I've heard of the Sophos UTM product and I was very curious. One of the glaring omissions of parental controls on the PC is that they won't cover tablets and smartphones.

With regards to hardware, I'd totally recommend the HP MicroServer. You can pick them up for around £200ish with the £100 cashback offer which HP have run since the dawn of time. I have one and whacked 8GB RAM in along with some bigger disks. It draws around 40W according to my power meter, which is fine for me. The only downside is it won't go to sleep, but you can program the PC to hibernate and wake automatically. So I used to have it come on at 7am, run a backup to my Time Capsule and then hibernate at midnight.

I don't have a managed switch at home so I cannot create multiple VLANs. So just for education and interest I set up a VM with 2 NICs on my home server using Hyper-V and installed the Sophos UTM Home software. The first NIC I assigned an IP in my current subnet. The second NIC I assigned a /30 IP and then changed my router IP to the new subnet using the remaining /30 IP.

Seems to be working quite well. I'll give it a test drive over the next week or so.

Thanks a lot for pointing this software out to me. Even if I do not end up using it myself full time, it's always useful to know this sort of stuff.
 
PaulF said:
As I mentioned in an earlier post, I have already seen an image a 12yr old should not be seeing while researching his art homework. A completely innocent search threw up an image of a naked bloke in an African tribal mask!

I think you should have a go at indignant porn to realise how easy it is. Flickr, Google, various sites; search for beavers on Google and see what comes up. You will not believe what you can find for free on the Internet in terms of quality, quantity or downright shocking/perverse nature (anything anyone imagines exists).

Does in-private browsing turn off SafeSearch? Does using a different browser?

Educate him in digital images and webcams. That is far more dangerous than watching porn. The number of kids bullied due to showing themselves on a webcam, then screenshotted and emailed around the school.

Educate him on cyber bullying (school should also do this)

He will be able to outsmart you quickly and you need to accept this, you will not find a trace but he will be doing it.
 
I think you should have a go at indignant porn to realise how easy it is. Flickr, Google, various sites; search for beavers on Google and see what comes up. You will not believe what you can find for free on the Internet in terms of quality, quantity or downright shocking/perverse nature (anything anyone imagines exists).

Does in-private browsing turn off SafeSearch? Does using a different browser?

Educate him in digital images and webcams. That is far more dangerous than watching porn. The number of kids bullied due to showing themselves on a webcam, then screenshotted and emailed around the school.

Educate him on cyber bullying (school should also do this)

He will be able to outsmart you quickly and you need to accept this, you will not find a trace but he will be doing it.

Hi Dale,

Sorry for the delay in replying, we've been away for the night.

You seem to be misunderstanding a few things.
I am well aware of what is available to view/download on the internet and also how easy it is to find, even if not looking for it - that's kind of the point of wanting the more configurable firewall/web filter, i.e. to protect my 12 year old son from coming across the unsuitable.

Turning off Google SafeSearch or using private browsing would make stuff available in Google search and remove history/temp files on exit if he was looking for it, but that's not really the issue I'm looking at here; but having a web filter at the point of entry to our network kind of takes care of that too, doesn't it.

The Sophos OS has the ability to filter out by category, Criminal Activities for instance. If you have not looked into it you really should.

As I have already stated, education is far better than prevention and all that is in order here.
 
With regards to hardware, I'd totally recommend the HP MicroServer.

I don't have a managed switch at home so I cannot create multiple VLANs. So just for education and interest I set up a VM with 2 NICs on my home server using Hyper-V and installed the Sophos UTM Home software. The first NIC I assigned an IP in my current subnet. The second NIC I assigned a /30 IP and then changed my router IP to the new subnet using the remaining /30 IP.

Seems to be working quite well. I'll give it a test drive over the next week or so.

Thanks a lot for pointing this software out to me. Even if I do not end up using it myself full time, it's always useful to know this sort of stuff.

Hi,

The MicroServer, although a decent bit of kit, would be too noisy and overkill for what I need.
You're welcome regarding the software; have a search on DistroWatch for other options.
 
But offsite proxies and VPNs would bypass any security you have. You would see him access site A; he would be using site A to access any site he wants without your knowledge.

This is where subscriptions come in as there will be an updated list of these sites and block them.
 
Sorry Dale, you seem to be having trouble understanding or deliberately not reading properly, not sure which and don't care that much.

Either way, as previously stated, the objective here is to protect not restrict......with the exception of how much time per day/week on facebook etc
So, once again, I am not looking for a solution to catch my son out or prevent him searching for unsuitable stuff at this point as that is not what he is doing. I don't know what experience you have with children but whatever that may be please do not presume to project that experience on everyone else as the only one possible.

I don't think he'll be able to 'outsmart' me any time soon, take a look at one of the early posts in this thread, I'm quite IT savvy!
If the need or suspicion arises that he is trying to do things that he shouldn't then I'll deal with that at the time but for the moment we educate him well in cyber safety (for a child of his age) and supervise him, as all parents should - by that I mean when he is on the internet he is in the same room as one of us.

As for proxies and VPNs, take a look at the Sophos software, it kind of has that covered too (y)
 
PaulF said:
Sorry Dale, you seem to be having trouble understanding or deliberately not reading properly, not sure which and don't care that much.

I am reading your posts clearly. You want to monitor his internet usage, restrict times social media sites can be accessed.

They are easy to work around.

You either spend the money and do it right, do a half thought out plan which will be simple to get round and have unrestricted, unmonitored Internet access, or do nothing.

A 14 year old kid up the road got suspended from school for accessing porn through an offsite proxy. What was impressive about this is he was in a school which has one of the most locked down Internet connections in the UK. Trust me, I know, as I work with various education authorities and know about the restrictions.

He may not outsmart you, but someone he knows will be able to and then what you are going to spend time putting in place will be useless.

That is the point I am trying to make: you either do it properly or don't do it, anything in between won't do a lot.

This will be my last comment
 
Dale_d3100 said:
I am reading your posts clearly. You want to monitor his internet usage, restrict times social media sites can be accessed.

They are easy to work around.

You either spend the money and do it right, do a half thought out plan which will be simple to get round and have unrestricted, unmonitored Internet access, or do nothing.

A 14 year old kid up the road got suspended from school for accessing porn through an offsite proxy. What was impressive about this is he was in a school which has one of the most locked down Internet connections in the UK. Trust me, I know, as I work with various education authorities and know about the restrictions.

He may not outsmart you, but someone he knows will be able to and then what you are going to spend time putting in place will be useless.

That is the point I am trying to make: you either do it properly or don't do it, anything in between won't do a lot.

This will be my last comment

This is disappointing, the person responsible for the security for this school should have been put in a room with this child, the child commended for being able to bypass the security and learn from how he got out.

Lessons learnt are far more effective than penalising these people. I have worked in multiple schools, financial, retail and public sector IT departments and the amount of bad practice I have seen in my career scares me half to death.

Education is the best method of prevention in more areas than just security, however nothing can be said for the human nature of doing something more enjoyable than work. I would agree that if a job is worth doing, it's worth doing properly. However you have to also consider cost and suitability of the solution and any potential expansion required in the future and cost of potential upgrades in the future.

I produce and implement network and security designs for projects covering varying budgets, requirements and clients, and know only too well it's not an easy thing to do, but you can't account for all possible outcomes. You need to protect where possible and accept that if people want to get to something they will.
 
Paul_Westhead said:
This is disappointing, the person responsible for the security for this school should have been put in a room with this child, the child commended for being able to bypass the security and learn from how he got out.

I'm afraid this is like nailing jelly to a wall, and no amount of security (barring turning off the Internet) is going to stop the determined and cunning.

Any good school tech' will be doing exactly as you say and feed off the information students like this will readily offer up as an alternative to showing mum or dad exactly what they have been looking at!

As a side note, I think the OP's strategy of balancing education, with monitoring and filtering seems sensible.
 
Use OpenDNS to lock down outbound traffic to what you want; then your router's firewall can be set to block ALL incoming with no issues at all.
 
I'm afraid this is like nailing jelly to a wall, and no amount of security (barring turning off the Internet) is going to stop the determined and cunning.

Any good school tech' will be doing exactly as you say and feed off the information students like this will readily offer up as an alternative to showing mum or dad exactly what they have been looking at!

As a side note, I think the OP's strategy of balancing education, with monitoring and filtering seems sensible.
.

There are ways to stop anyone; we use WatchGuard firewalls, you're not getting past that security.
 
WatchGuard tends to be a firewall, which the OP doesn't really want; it's designed to protect you from external issues, not really relevant thinking about it. OpenDNS is great for outbound control.
 
Studi0488 said:
WatchGuard tends to be a firewall, which the OP doesn't really want; it's designed to protect you from external issues, not really relevant thinking about it. OpenDNS is great for outbound control.

Yup I know we have one which is why I was interested :) so how do you cope with something like a proxy site? Within the dns? We have a separate web filter appliance which the watchguard will only process port 80/443 traffic from.
 
Studi0488 said:
.

There are ways to stop anyone; we use WatchGuard firewalls, you're not getting past that security.

Have you ever worked on school ICT systems?

WatchGuard
Websense
SurfControl
Squid
<<enter your own web filter here>>

However effective, no web filtration system is foolproof. I've been privileged to have worked on some of the biggest education ICT projects, affecting some 100,000+ users, and have also worked with countless individual schools. Unlike in a commercial environment, where you have on the whole a largely compliant user base, your security can get stretched to lengths you can only imagine when you have 1500 keen hackers on the *inside* of your LAN!

This is not an exact science and in a school environment, lockdown too much, you compromise teachers ability to teach and students ability to learn, lock down too little and you let nasties through. There is a fine balance and if you put in a near 100% locked down system, you will be at least as unpopular as if you have weak security.
 
I currently have the 220 sitting on my desk waiting to be set up. Will be done mid-Feb when we get back from BETT and sort ourselves out.


Is there anything you want to know? I've had a play with their online demos and watched videos etc.
 
Aren't social network users supposed to be over 13 and have ticked a box saying they are?
 
I currently have the 220 sitting on my desk waiting to be set up. Will be done mid-Feb when we get back from BETT and sort ourselves out.


Is there anything you want to know? I've had a play with their online demos and watched videos etc.

Ah right, I was going to ask how it was working out for you. How many users do you have/are you going to have on the 220?

Aren't social network users supposed to be over 13 and have ticked a box saying they are?

yup.
 
Not a huge amount of users (10), we went for the 220 due to the throughput we need (dual fibre lines).
 