PART 2: Control
After gaining visibility to your devices, the next important step is to control the access of your devices not only just to the internet, but also to each other. Firewalla provides many ways to block/allow and regulate traffic on your network.
By regulating and controlling network traffic, you are reducing the attack surface or risk exposure of your network. When the network is properly segmented, it can also reduce the cost in case of a breach.
- Block Unwanted Access with blocking rules
- Allow trusted networks with "allow" rules
- Block unwanted and unused ports
- Enable family mode for kids
- Isolate traffic with network segmentation
- Manage devices with groups
- Control traffic with routes
- Smart Queue to regulate traffic
- Privacy Control
- A quick example with visibility + control
1. Block Unwanted Access with Block Rules
Default Stateful Firewalls
If you are running your unit in router mode, Firewalla will by default insert a "stateful" firewall to block all ingress (from outside of your network to inside) traffic. Please do not delete or pause this rule.
Domain/IP/IP-Range Block Via the Rules Button
You can block targets by using the "Rules" button. You can find out more about blocking capabilities here.
- IP Address (and optional ports)
- IP Address range (and optional ports)
- Domain name (and optional ports)
- Remote port (applies to any IP or Domain)
- Local Network (Gold and Purple running in Router mode only)
- Internet (all internet sites)
- Target Lists
Block Via Alarms
Blocks can also be created from the alarm interface. For example, if you receive an alarm that one of your devices is accessing a malicious site, you can block the entire domain or IP from the alarm screen.
Block Via Network Flows
While you are looking at the device's network flows, you can tap on the flow entries to get into the detail screen, and in the details screen, you can block flows. (Please note that not all flows can be blocked and your device may still maintain its functionality.)
Activity Category Block
For smart devices that function closer to a general-purpose computer, you should implement similar controls to your computers or smartphones. For example, if your kids are using the smart TV, you can use category blocking to make sure they don't access sites they're not supposed to.
Region Block / Geo-IP Filtering
Firewalla allows you to create blocking rules to block connections from a geographic location. This feature is useful if you want to prevent your network from talking to IP addresses in specific countries. It can be an effective way to stop hackers from attacking your IoT devices. Learn more about Geo-IP filtering. Geo filtering is only available on the Firewalla Blue Plus and above.
You can also use it in the opposite fashion. If you create one rule that blocks traffic to the Internet and a second rule that allows traffic to a specific region, you limit the device's Internet access to that region. This is effectively an allow list (whitelist).
TLD Blocks (Top Level Domain)
In addition to blocking full domains like firewalla.com and *.firewalla.com, Firewalla also supports blocking top-level domains, such as *.country, *.stream, *.download, ...
2. Only Allow Trusted Access with "Allow" Rules
For devices that are very purpose-specific and only need access to specific services, you can configure rules so that only trusted connections get through. For example, for a Nest Thermostat or Ring device, you can block all Internet access and then allow only the IP addresses and ports that the vendor's service requires. Learn more about allow/whitelist rules.
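The allow-list pattern from the region example above and from this section, as an added Python model (not Firewalla's code): it assumes that a matching allow rule takes precedence over block rules, that "Internet" means any destination outside the local subnets, and it uses a constructed Geo-IP table with documentation addresses.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample data: local subnets and a tiny Geo-IP table standing in
# for Firewalla's real database (documentation-range addresses only).
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")]
GEOIP = {"203.0.113.0/24": "US", "198.51.100.0/24": "DE", "192.0.2.0/24": "CN"}

def is_internet(ip: str) -> bool:
    """Anything outside the local networks counts as 'Internet'."""
    return not any(ipaddress.ip_address(ip) in n for n in LOCAL_NETS)

def country_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    return next((cc for net, cc in GEOIP.items() if addr in ipaddress.ip_network(net)), "??")

@dataclass
class Rule:
    action: str                 # "block" or "allow"
    target: str                 # "internet", "region", "ip", "ip_range" or "port"
    value: str = ""             # region code, IP, CIDR or remote port number
    port: Optional[int] = None  # optional port qualifier on ip / ip_range targets

    def matches(self, dst_ip: str, dst_port: int) -> bool:
        if self.port is not None and self.port != dst_port:
            return False
        if self.target == "internet":
            return is_internet(dst_ip)
        if self.target == "region":
            return is_internet(dst_ip) and country_of(dst_ip) == self.value
        if self.target == "ip":
            return dst_ip == self.value
        if self.target == "ip_range":
            return ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.value)
        if self.target == "port":
            return dst_port == int(self.value)
        return False

def decide(rules: List[Rule], dst_ip: str, dst_port: int) -> str:
    """Assumed precedence: any matching allow rule wins over block rules;
    a flow that matches no rule at all is let through."""
    hits = [r for r in rules if r.matches(dst_ip, dst_port)]
    if any(r.action == "allow" for r in hits):
        return "allow"
    return "block" if hits else "allow"

# Purpose-specific device: block the Internet, then allow only the vendor endpoint.
THERMOSTAT = [Rule("block", "internet"), Rule("allow", "ip", "203.0.113.10", port=443)]
# Region allow list: block the Internet, then allow a single region.
US_ONLY = [Rule("block", "internet"), Rule("allow", "region", "US")]
```

Local traffic such as DNS to the Firewalla box itself (192.168.1.1:53) matches neither rule set and still passes, which is why the vendor endpoint is the only Internet destination the thermostat can reach.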
3. Block Unrecognized/Unused Open Ports
In part 1, we talked about open ports and how they can be a security risk. Make sure that you check the open ports on your network (Home -> Open Ports). If you don't recognize a port, or if a port was opened intentionally but should no longer be open, block it.
4. Enable Family Mode
Family Mode contains services that automatically filter out content inappropriate for families (porn and violent material). It includes Family Protect, which blocks access to websites that serve such content; Safe Search, which filters offensive content out of search results; and Social Hour. If you have kids at home, enable Family Mode on all computers and smart devices (like Apple TV) that your kids might have access to.
5. Isolate Traffic with Network Segmentation (Gold and Purple only)
Firewalla Gold and Purple are a combination of a router and a firewall. Both support network segmentation through VLANs and Gold supports up to 3 port-based LANs as well. You can use network segmentation to create multiple local networks in your home, and dedicate one for IoT devices. This way you can isolate IoT device traffic from the rest of the network, to reduce the risk exposure in case IoT devices get compromised.
Here is an example where you can:
- Create a VLAN to segment your IoT devices
- Create a rule on the VLAN to block all outgoing traffic to other parts of your network
Network segmentation is very powerful. While it is not possible to separate traffic between devices on the same network segment, both VLAN and port-based networks allow you to secure and separate devices that are less critical and possibly less rigorously tested.
See Building Network Segments for a detailed article on this.
6. Manage Devices with Device Group
A Device Group is a software-based segmentation. It is available on all products, including Firewalla Blue Plus and Red. You can use a Device Group to manage devices that share the same rules and policies. This greatly simplifies the daily management of devices and policies.
Here is an example where you can:
- Create a device group for streaming devices
- Add all your smart TVs, speakers or set-top boxes to the group
- Manage the group with consistent rules and policies across the whole network.
7. Control with "Routes"
If you have multiple traffic terminations, such as:
- VPN Client (or many VPN clients)
- Secondary WAN
- Site to Site VPN
you can use smart routing policies to send any IoT device's network traffic to any of the destinations above.
8. Rate limit device traffic using Smart Queues
If you worry about your IoT devices consuming too much bandwidth, you can easily apply policies to limit the bandwidth used either per device or per destination.
9. Data Privacy Protection
9.1. Avoid Being Tracked with Ad Block
Ad Block is Firewalla's built-in ad-blocker. It does more than just block ads as an annoying type of content: it protects your privacy by preventing ads from tracking your online behavior. This is especially useful for smart devices that have general access to the Internet but do not give users any privacy settings or controls. Ad Block now also has Default and Strict modes; Strict blocks ads more aggressively. Turn on Ad Block on All Devices so your whole network is ad-free. Find out more about Ad Block.
9.2. Tunnel IoT Traffic over VPN with VPN Client
Firewalla has a built-in VPN client that makes it easy and free to tunnel all your home network traffic, including IoT traffic, through a VPN.
Site to Site VPN:
If you have multiple homes, you can use Site to site VPN to connect the networks together over encrypted links. You can securely access shared devices such as file servers, printers, video cameras bi-directionally between the sites.
3rd Party VPN:
If you are using a third-party VPN server to shield your data from ISP or government, you can enable the Firewalla VPN Client and connect to the VPN Server. This will allow all your IoT devices to easily utilize the same VPN service.
9.3. Access IoT Devices Remotely with VPN Server
Firewalla has a built-in VPN Server as well. When you are traveling or using public Wi-Fi, you can connect back to the VPN Server at home and securely access your home devices, such as security cameras, home automation controllers, etc.
This method is far more secure than using simple port forwarding on your router. The extra encryption both hides your traffic and provides authentication at the network layer at the same time.
9.4. Protect Data Privacy with DNS over HTTPS
DNS over HTTPS (DoH) sends DNS requests encrypted over HTTPS, as opposed to traditional DNS, which sends the request in plain text. It prevents third parties from spying on which websites/domains/services your devices are accessing. By turning on DoH in Firewalla, all devices in your network are protected, especially IoT devices that otherwise have no way to configure such a service.
Firewalla supports several of the biggest DoH providers out of the box, and you can configure any DoH provider you like with custom settings. You can put all requests through a single provider or select several to randomize which provider is used for an extra level of protection.
10. Visibility + Control
Here is an example of how to bring together network visibility and control to manage a popular app TikTok.