Firewall / Anti-virus
    Well, we've been using Avast for quite a long time, but I think the time for change has come. Avast is aware of the fact that they broke their software some weeks ago, but haven't been responsive to their community... no update, no warm fuzzies, nothing. So, many folks with the paid Avast are screwed when trying to run programs with web access...

    So, my question: what is the consensus regarding the most practical and effective firewall and anti-virus that doesn't make remote access a chore?
    HomeSeer Version: HS4 Pro Edition 4.2.19.0 (Windows - Running as a Service)
    Home Assistant 2024.3
    Operating System: Microsoft Windows 11 Pro - Desktop
    Z-Wave Devices via two Z-Net G3s
    Zigbee Devices via RaspBee on RPi 3b+
    WiFi Devices via Internal Router.

    Enabled Plug-Ins
    AK GoogleCalendar 4.0.4.16,AK HomeAssistant 4.0.1.23,AK SmartDevice 4.0.5.1,AK Weather 4.0.5.181,AmbientWeather 3.0.1.9,Big6 3.44.0.0,BLBackup 2.0.64.0,BLGData 3.0.55.0,BLLock 3.0.39.0,BLUPS 2.0.26.0,Device History 4.5.1.1,EasyTrigger 3.0.0.76,Harmony Hub 4.0.14.0,HSBuddy 4.51.303.0,JowiHue 4.1.4.0,LG ThinQ 4.0.26.0,ONVIF Events 1.0.0.5,SDJ-Health 3.1.1.9,TPLinkSmartHome4 2022.12.30.0,UltraCID3 3.0.6681.34300,Z-Wave 4.1.3.0

    #2

    In my opinion, firewall management is better done on your network equipment than from software on your personal computer.
    I run Webroot SpySweeper antivirus on all my Windows clients. To be honest, I don't run a 3rd-party software firewall aside from Windows' built-in one, as they are not so friendly to configure, and if you run a good firewall/router appliance you can protect your network from a single management interface rather than from each client's firewall individually.

    As far as home network security is concerned, I don't see much I really like in the home/SOHO router/firewall market. The next generation of enterprise network infrastructure will be better suited to tie network and software services together, and the home market is barely keeping up with current tech. There are a bunch of really good small-business (check out Ubiquiti, Untangle, Fortinet) and GNU solutions (DD-WRT, Tomato, pfSense) I have seen that could be leveraged to really help keep home networks more secure. Don't get me wrong, though: there is a good amount of tinkering required to get them fully up. With the state of Internet security in the home being what it is today,
    1. Many IoT devices, it seems, are built simply to be hacked.
    2. Home-network-connected equipment has been one of the major contributors to the last few major DDoS attacks.
    3. Home network routers/firewalls are so simple to bypass for the devices people put in their networks.
    Enhancing network security in the home is necessary for every household. That said, I work in the IT field, so I see and read about it daily.

    I would look into a good network router/firewall that has some type of DPI (deep packet inspection - lets you see what web applications are being used) and support for IDS (intrusion detection system - lets you manage what type of traffic is allowed). Then, if you can block traffic by world region, I would expect that you will have limited a large swath of the risk to your network.

    Here I further limit my network attack surface by only allowing web/SSL access to the Internet on the systems I need it on. This includes my desktop, laptop, HTPCs, smart phones, and tablets. On my infrastructure equipment (firewall, switches, servers, wireless access points, wireless controllers, network storage, etc.) I either don't allow Internet access or only allow specific sources/destinations and ports for things like updates and licensing. House guests are pushed to a separate network that cannot access my internal network (except my printer on port 9100). I already have the configuration in place to further segregate network-attached cameras on my network: a local-only VLAN that does not have Internet access and is only allowed to communicate with my network video recorder.

    I would round off minimizing your attack surface by subscribing to a good patch management service for all of your services and applications; ManageEngine Desktop Central, Ninite and Comodo are good free-for-home-use services. It is important to note that patch management is more than just operating system updates: you have to cover the software you have installed as well.

    Aside from that, I would look into a web content filter and a spam filter service you can tie into your personal email, to protect from compromised sites and inbound phishing and malware.

    Last edited by Kerat; April 21, 2017, 03:29 PM.



      #3
      Much to ponder and improve upon

      Devoir



        #4
        To add to what Kerat listed, I have been using Sophos UTM 9, which they make available free for home use and which will do much of what was listed. It also includes antivirus software for up to 10 computers, and that antivirus software can be installed on Server 2008/2012 as well, without having to buy an expensive package meant for servers.

        I had also looked at using pfSense, which is very good, but used Sophos because of the antivirus software. I did not go as far as a separate VLAN for my networked cameras, but I put them in a group in Sophos and made a Deny All firewall rule for that group to keep them off the Internet.



          #5
          I concur with what Kerat mentions above.

          Over the years I have added many devices to the home network here and shifted the work of protecting these devices to the pfSense firewall.

          Using an Intel-based CPU with GBs of RAM for a firewall (a regular PC) allows for multiple means of protecting everything coming into the home network. It has only Gb NICs on it today. The current Motorola SB series modem that I have connected also has a Gb interface on it.

          While you can do a lot today with your typical SOHO router, it isn't enough with a single-threaded CPU and little RAM. I can, though, do a lot today with a simple and tiny microrouter with an OpenWRT base on it.

          Your typical SOHO router really doesn't have the horsepower required to do this these days. I am playing here with an embedded TOR router and pushing it to the brink with its use (typically sized single-threaded CPU and less than 1 Gb of RAM).

          One simple and often passed-up mechanism is moving the use of DNS from the clients to the firewall, such that each client on the network can only get its DNS from the firewall.

          pfSense's only job here is to protect the home network.

          The home network here is now close to 100 devices. While I mention that I am going mostly towards Linux, there is a base of Wintel products on the network. Today's Windows 10 product is gravitating towards an always-on, connected-to-the-Internet terminal rather than a home-based, not-connected-to-the-Internet product (very tablet-like). For a bit with Windows 8 there was no on and off switch.

          IE: I am testing and using some 20-plus HomeSeer touch clients here running on embedded Wintel. They are simple, have no direct use of or connectivity to the Internet and run no AV today (IE: pfSense runs ClamAV today). They are single-purpose devices.

          IE: my very old Leviton OmniPro OmniTouch 5.7s are connected to the main panel serially and utilize a simple embedded GUI (with no Internet connectivity). The newer (but old) OmniTouch 5.7e PoE-connected devices only talk to the panel via embedded (and old) Windows CE.

          Over the years I have cooked up some Android tablets and never could get rid of the basic Internet pieces which are required for them to function. Same today with embedded Windows 8 and new Windows 10, or any cellular mobile OS these days.

          I tinker with multiple Internet automation hubs here. I see right away how easily they connect to the Internet with little or no configuration on the user's part. That said, they also inventory/audit whatever network they are on automatically. On the other side, envision a GUI looking at multiple Internet-connected hubs, focusing on one hub and looking at all of the devices that hub sees on the home network. IE: my son can manage his company's network today via a cloud-connected tablet or his cellular phone (> 100 desktop clients).

          You too can today install simple software on an RPi to do the same thing, such that you can manage your network virtually in the cloud.

          What I am writing about is that we are way past the old days of one PC on the home network connecting to the Internet.

          What you do not see today is the multiple channels of transport communications: what your new PC / tablet / firmware device / cellular phone / Internet automation hub says to the Internet today, on purpose.

          What you do not see provides a warm and fuzzy; always has.
          Last edited by Pete; April 22, 2017, 08:51 AM.
          - Pete

          Auto mator
          Homeseer 3 Pro - 3.0.0.548 (Linux) - Ubuntu 18.04/W7e 64 bit Intel Haswell CPU 16Gb
          Homeseer Zee2 (Lite) - 3.0.0.548 (Linux) - Ubuntu 18.04/W7e - CherryTrail x5-Z8350 BeeLink 4Gb BT3 Pro
          HS4 Lite - Ubuntu 22.04 / Lenovo Tiny M900 / 32Gb Ram

          HS4 Pro - V4.1.18.1 - Ubuntu 22.04 / Lenova Tiny M900 / 32Gb Ram
          HSTouch on Intel tabletop tablets (Jogglers) - Asus AIO - Windows 11

          X10, UPB, Zigbee, ZWave and Wifi MQTT automation-Tasmota-Espurna. OmniPro 2, Russound zoned audio, Alexa, Cheaper RFID, W800 and Home Assistant
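The segmentation rules that run through this thread (Kerat's guest network with only the printer on 9100, cameras confined to the NVR, infrastructure limited to update destinations in #2; the Deny All camera group in #4; firewall-only DNS in #5) can be checked as a first-match policy before anyone commits them to a real firewall. The block below is an added example written for this page; it is not pfSense or Sophos configuration and not any poster's code. Every network, host address and the vendor update range are assumed values picked for illustration, and the sample flows are constructed, not captured traffic.

```python
"""First-match model of the home-network segmentation described in the thread.

Added example, not pfSense/Sophos config and not any poster's code. All
addresses below are ASSUMED values for illustration. Rules are evaluated
top-down and the first match wins, so ordering is part of the policy.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

ANY = ip_network("0.0.0.0/0")
LAN = ip_network("192.168.10.0/24")        # assumed: trusted clients
GUEST = ip_network("192.168.20.0/24")      # assumed: house-guest network
CAMERAS = ip_network("192.168.30.0/24")    # assumed: camera VLAN
INFRA = ip_network("192.168.40.0/24")      # assumed: switches, APs, NAS
FIREWALL = ip_address("192.168.10.1")      # assumed: also the only DNS resolver
PRINTER = ip_address("192.168.10.50")      # assumed
NVR = ip_address("192.168.10.60")          # assumed
UPDATES = ip_network("203.0.113.0/24")     # assumed vendor update/licensing range
RFC1918 = (ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16"))


def host(ip: IPv4Address) -> IPv4Network:
    """Single-host network so a host can stand wherever a network is expected."""
    return ip_network(f"{ip}/32")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any port
    note: str = ""

    def matches(self, f: Flow) -> bool:
        return (ip_address(f.src) in self.src
                and ip_address(f.dst) in self.dst
                and self.proto in (None, f.proto)
                and self.dport in (None, f.dport))


POLICY = [
    # Pete (#5): every client resolves DNS through the firewall only.
    Rule("allow", ANY, host(FIREWALL), "udp", 53, "DNS via firewall"),
    Rule("allow", ANY, host(FIREWALL), "tcp", 53, "DNS via firewall"),
    Rule("deny", ANY, ANY, "udp", 53, "no direct DNS"),
    Rule("deny", ANY, ANY, "tcp", 53, "no direct DNS"),
    # Kerat (#2): guests reach the printer on 9100, nothing else internal.
    Rule("allow", GUEST, host(PRINTER), "tcp", 9100, "guest printing"),
    *[Rule("deny", GUEST, n, note="guest isolated from internal nets") for n in RFC1918],
    Rule("allow", GUEST, ANY, note="guest Internet"),
    # Kerat (#2) / #4: cameras talk to the NVR only, never the Internet.
    Rule("allow", CAMERAS, host(NVR), note="camera to NVR"),
    Rule("deny", CAMERAS, ANY, note="cameras local only"),
    # Kerat (#2): infrastructure reaches only update/licensing destinations.
    Rule("allow", INFRA, UPDATES, "tcp", 443, "updates and licensing"),
    Rule("deny", INFRA, ANY, note="infra otherwise offline"),
    # Kerat (#2): trusted clients get web/SSL out; everything else is dropped.
    Rule("allow", LAN, ANY, "tcp", 80, "web"),
    Rule("allow", LAN, ANY, "tcp", 443, "ssl"),
    Rule("deny", ANY, ANY, note="default deny"),
]


def decide(flow: Flow, policy=POLICY) -> tuple:
    """Return (action, note) of the first rule that matches the flow."""
    for rule in policy:
        if rule.matches(flow):
            return rule.action, rule.note
    return "deny", "implicit deny"


# Constructed sample flows, one per rule we care about (not captured traffic).
SAMPLE_FLOWS = [
    Flow("192.168.20.7", "192.168.10.50", "tcp", 9100),   # guest prints
    Flow("192.168.20.7", "192.168.10.70", "tcp", 22),     # guest probes a LAN host
    Flow("192.168.20.7", "8.8.8.8", "udp", 53),           # guest sidesteps firewall DNS
    Flow("192.168.20.7", "192.168.10.1", "udp", 53),      # guest uses firewall DNS
    Flow("192.168.30.5", "192.168.10.60", "tcp", 554),    # camera streams to NVR
    Flow("192.168.30.5", "198.51.100.9", "tcp", 443),     # camera phones home
    Flow("192.168.40.2", "203.0.113.10", "tcp", 443),     # switch fetches an update
    Flow("192.168.40.2", "198.51.100.9", "tcp", 443),     # switch to arbitrary site
    Flow("192.168.10.20", "198.51.100.9", "tcp", 443),    # desktop browses
    Flow("192.168.10.20", "198.51.100.9", "tcp", 22),     # desktop SSH out
]


def audit(flows=SAMPLE_FLOWS, policy=POLICY) -> dict:
    """Map each flow to its decision, for reviewing a policy before deploying it."""
    return {f: decide(f, policy) for f in flows}


if __name__ == "__main__":
    for f, (action, note) in audit().items():
        print(f"{action:5} {f.src:>14} -> {f.dst:>14} {f.proto}/{f.dport:<5} ({note})")
```

Order matters in this model exactly as it does on pfSense or Sophos UTM, which also take the first matching rule: move the "guest Internet" allow above the RFC1918 denies and guests can reach every internal host, and drop the two "no direct DNS" denies and a device with a hard-coded resolver silently bypasses the firewall's DNS. Note that this only models traffic that crosses the firewall; hosts on the same subnet talk to each other without the router seeing it, which is why the cameras and guests sit on their own networks in the first place.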
