Firewalls

There are a lot of inner workings of a firewall and setting one up takes time to do properly. You'll also need to tailor it to suit your needs. If you were to just copy and paste what someone else already uses for their network, you'd likely run into issues with stuff not working as it should for your use case. I'll break some of the different aspects down, but to do a full write up on firewalls would be way more content than I could reasonably fit here, so I'll keep it as simple and relevant as possible.

As far as firewalls go, there are multiple types, and a person can use one or several, depending on what they are looking to do. There are hardware and software firewalls, next-gen firewalls, stateful and stateless firewalls, and so on. Some are simple to use and free; others are complicated and expensive.

What I suggest an average home user do is use something straightforward, like Portmaster or a firewall built into a security suite. As you build on your security knowledge, you can move up to something more advanced like OPNsense, which has a lot of the firewall features found in an enterprise solution.

Now, let's start talking about the important stuff that you should be paying attention to with firewalls. Again, this isn't an all-inclusive list, though it will get you way farther ahead than many. Here's what I think you should know as a base level about firewalls: intrusion prevention (IPS & IDS), geo-blocking and IP blocking, deep packet inspection (DPI), logging, and common ports.

First, I'll cover IPS and IDS. This is something you typically see on high end hardware, like an enterprise grade router, or with something more advanced such as pfSense with an IPS provider like Snort. Your typical off the shelf router isn't going to have this. If you don't have this feature, you don't need to run out and buy a router that does, though you could certainly do so if you've got some money burning a hole in your pocket.

IPS and IDS are built to detect any malicious behavior or anything odd going on in your network. This could be in the form of using a signature from a threat intelligence provider with info about a known threat. It could also be something odd, but not necessarily malicious, going on in your network. If you're getting a signature based alert, that's cause for alarm and deserves a close look at what's going on. If you get an alert for odd behavior, that will take more time and effort to figure out if it's something that needs to be addressed. If you decide to run these systems, it's important to get more information from your specific IPS provider on how to handle these issues.

As for whether you should use IPS or IDS, in a home use case I think IPS is the better option. IDS only logs detections and won't do anything about them. That would be fine for an enterprise or government environment where there are IT teams working 24/7 and monitoring what's going on, but it's not good for home use. You would have to be neurotic about checking IDS to try to catch something happening.

IPS will actively block anything that it sees as a threat. In a home environment, I've never had this cause an issue, and I've been doing it for years. Still, it's something to consider, as a false positive could block a legitimate connection. If this happens, there's usually a way to allow it. The other issue is that it can slow down the connection, but this isn't common as long as the hardware running the IPS is good.

Now, I'm going to cover geo-blocking and IP blocking. These are also not features you'll find on a typical home router, but you can get them on something like pfSense. You can also do this at the software level, depending on the firewall being used. This might take some tweaking to work well for your use case. If you apply IP blocks carte blanche without considering your daily usage, you can run into a lot of issues, like apps and websites not working.

Geo-blocking, in the context of a home user, means blocking countries you don't want to have a connection to. For example, a U.S. user probably wouldn't need or even want to allow connections with North Korean IP addresses. There are more use cases for geo-blocking in an enterprise environment, but they don't apply to home users. Whatever you decide to block is up to you.

IP blocking is a similar premise, in that you block what you don't want connections with, but the lists are more focused. The IPs that end up on them are usually there for being associated with malware, botnets, DDoS attacks, etc. You can find IP blocklists on places like GitHub. For routers with this feature built in, the lists may be pulled from threat intelligence partners that the router manufacturer works with.
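One way to avoid the "apps and websites stop working" problem is to preview a blocklist against the destinations you actually use before loading it into the firewall. This is an added example, not code from any blocklist project or firewall; the CIDR entries and the usage addresses are constructed from documentation ranges.

```python
import ipaddress

# Constructed sample blocklist, in the one-CIDR-per-line style many
# GitHub-hosted lists use (documentation ranges, not real threat data).
BLOCKLIST = [
    "198.51.100.0/24",
    "203.0.113.0/25",
    "203.0.113.0/26",   # redundant with the /25 above; collapsed below
    "192.0.2.77/32",
    "# comment line",   # malformed entries are skipped, not fatal
]

# Constructed sample of destinations seen during a week of normal home use.
DAILY_USAGE = [
    "203.0.113.10",     # inside the /25, would be blocked
    "203.0.113.200",    # outside the /25, still allowed
    "192.0.2.77",       # exact /32 match, would be blocked
    "192.0.2.78",
]

def compile_blocklist(entries):
    """Parse CIDR strings into networks, merging overlapping ranges."""
    v4, v6 = [], []
    for entry in entries:
        try:
            net = ipaddress.ip_network(entry.strip(), strict=False)
        except ValueError:
            continue  # skip comments and malformed lines
        (v4 if net.version == 4 else v6).append(net)
    # collapse_addresses only accepts one address family at a time
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))

def is_blocked(ip, nets):
    """True if the address falls inside any compiled blocklist network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets if net.version == addr.version)

def preview_impact(blocklist_entries, usage_ips):
    """Return the daily-usage destinations this blocklist would cut off."""
    nets = compile_blocklist(blocklist_entries)
    return sorted(ip for ip in usage_ips if is_blocked(ip, nets))

if __name__ == "__main__":
    print("Would be blocked:", preview_impact(BLOCKLIST, DAILY_USAGE))
```

Anything the preview reports is either a destination you need an allow rule for or a reason to pick a different list.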

Next, we'll discuss deep packet inspection (DPI). This is not something every home user should run even if they have an option to do so, which I'll cover soon. DPI is useful in the sense that it can scan traffic for things like network intrusions, malware, and spam. This is something that's useful for an enterprise environment, but not as much for a home user.

In order for this to work, it has to look at everything going in and out of the network. If you're concerned about privacy and security, this might not be the best option for you if you can't fully trust your hardware. This can become complicated, because some DPI systems can scan HTTPS traffic and some can't; it depends on the hardware you're using. Inspecting HTTPS means the DPI essentially performs a man-in-the-middle (MITM) on your own traffic, so an issue with the certificate it uses can open you up to real MITM attacks.

The other issue with DPI is that it needs good hardware to work well. If you're using IPS, DPI, geo-blocking, and so on, you'll need to make sure your hardware can handle the workload, or you'll notice your internet speeds start to drop.

The next thing you'll want to spend some time learning about is logging. The logs you get will vary depending on the router you use, but there should be some similar crossover between the different brands. You don't need to be neurotic about checking logs. Once a week would work fine, or even once a day if you have a threat model that would call for it.

There's going to be some important stuff to pay attention to when you're reading a log. This info should be about the same across every firewall provider as well.

First, take a look at what is being allowed and blocked. This can be in the form of IP addresses, domain names, and applications. Analyze where traffic is going to and where it's coming from. Take a look at the ports being used; usually these will be 443 or 80 (more on those later). There should also be a connection protocol, usually TCP or UDP. Timestamps are also important.

The other important thing to look for is a pattern. If you keep seeing unusual traffic from a single IP, that could be someone trying to break into your network or a piece of malware could be phoning home. If you keep getting a bunch of odd traffic coming in during your sleeping hours, that could be an indication that someone infected a device on your network and is waiting until you're away to do whatever it is they're doing.

There's going to be a lot of info on a network log, so if you haven't used one before, it'll take some time to get used to understanding what it is that you're looking at. Try not to freak out if you see a bunch of stuff going on, because it's normal to have a lot of incoming and outgoing connections. You will want to make sure you're paying attention to anything that gets blocked. That could be a sign that something is wrong and needs further action.
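The two patterns described above, one outside host repeatedly hitting your blocked ports and outbound connections during sleeping hours, are easy to pull out of a log once you can parse it. This is an added example, not code from any router or firewall vendor; the log lines and their field layout are constructed to resemble a generic pass/block firewall log.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample log (not from a real device). Assumed layout:
# timestamp action direction interface proto src:port -> dst:port
SAMPLE_LOG = """\
2024-05-03T09:12:01 pass out wan tcp 192.168.1.20:50112 -> 93.184.216.34:443
2024-05-03T09:12:05 pass out wan udp 192.168.1.20:41000 -> 192.168.1.1:53
2024-05-03T02:14:07 block in wan tcp 198.51.100.23:51234 -> 192.168.1.10:3389
2024-05-03T02:14:09 block in wan tcp 198.51.100.23:51240 -> 192.168.1.10:22
2024-05-03T02:14:12 block in wan tcp 198.51.100.23:51251 -> 192.168.1.10:445
2024-05-03T03:30:00 pass out wan tcp 192.168.1.33:60210 -> 203.0.113.9:443
2024-05-03T14:02:44 block in wan udp 192.0.2.5:40000 -> 192.168.1.10:1900
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>pass|block) (?P<dir>in|out) (?P<iface>\S+) "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_log(text):
    """Turn raw lines into event dicts, skipping lines in an unexpected format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events

def repeated_blocked_sources(events, threshold=3):
    """Outside hosts blocked at least `threshold` times: one IP probing several ports."""
    hits = Counter(e["src"] for e in events if e["action"] == "block" and e["dir"] == "in")
    return {ip: n for ip, n in hits.items() if n >= threshold}

def off_hours_outbound(events, quiet_start=1, quiet_end=6):
    """Outbound connections that started while the household should be asleep."""
    return [e for e in events
            if e["dir"] == "out" and quiet_start <= e["ts"].hour < quiet_end]

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("Repeat blocked sources:", repeated_blocked_sources(evs))
    for e in off_hours_outbound(evs):
        print("Off-hours outbound:", e["ts"], e["src"], "->", e["dst"], e["dport"])
```

In the sample, one source is blocked three times against 3389, 22 and 445 within seconds, and one internal device opens a connection at 03:30; both are exactly the kind of entry worth a second look.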

The last thing I'll cover is ports. I'll give you the numbers of some specific ports that are important to know, so you have an idea of what you're seeing in logs and what each does, and so you don't block something important. To give you a quick analogy of why these matter, think of it this way: internet traffic is cars going down a street (the IP address), and a house is the place a car needs to get to (the port).

There are a ton of ports that are used, but only a handful that you really need to know about to help secure your network. Here's the breakdown of what they are and what they are used for:

22: Secure Shell (SSH) - This is used to establish a secure remote connection between computers. Usually this is used in a business environment and not seen on a typical home network. Unless you have a use for this, you should keep SSH disabled, as it increases the attack surface to have it open.

53: Domain Name System (DNS) - As the name implies, this port is used for DNS traffic, resolving domain names to IP addresses. Check out the DNS page to learn more if you haven't already.

80: HTTP - This is plain text web communication. It is not encrypted, and you should assume anything going over HTTP can be or already has been compromised. Do not do anything sensitive over an HTTP connection. Don't block this on your firewall, as a lot of legitimate traffic uses port 80.

443: HTTPS - This is encrypted web communication. This is the standard across most of the web now and all sensitive traffic needs to be using this. In regards to DPI, you likely won't be able to inspect this traffic unless you have the hardware capable of doing it.

3389: Windows Remote Desktop - This should be closed unless you need to remote into your PC. This increases your attack surface otherwise.

25, 26, 110, 143, 465, 587, 993, and 995: Email - I lumped all these together as these are all used for email clients. If you block these, your email clients aren't going to work properly.

UPnP - I mentioned this in the router section but wanted to mention it again here since we're talking about ports. If you have no need for this, it should be disabled. This is a big security risk to use.