Many of us are working from home (WFH) now, and home network security is more important than ever. There are longstanding best practices for remote access, such as the telework security guidelines published by NIST, but how do those principles work in practice? Firewalla can help you secure your home network by:
- Protecting your home network from your employer's security checks, which might feel intrusive in your home.
- Protecting your employer's network from threats that might unknowingly be on your home network.
- Protecting kids from mature or age-inappropriate content.
The idea is to create as much separation as possible between your work devices, your personal devices, and everything else on the network (such as IoT devices) while they all share the same internet connection.
We can only briefly touch on each of these areas in a short article. Please send us feedback if you want more detailed articles about these or other topics.
The features we'll cover in this article are:
- Network Segmentation
- Smart Queue
- Virtual Private Network (VPN)
- Policy-Based Routing
- Target Lists
- Access Controls
- Multiple WANs
1. Network Segmentation
Firewalla Gold has up to three ports that you can use for LAN (Local Area Network) connections. These are often bridged to create one simple network, for example:
- Port 1: a laptop
- Port 2: an AP for IoT devices
- Port 3: a switch with Ethernet to a couple of kids' computers
- Port 4: WAN (Internet)
This is how simple home networks are often designed: one flat network where every device can see every other device.
Firewalla Gold supports several powerful network segmentation scenarios, giving you much greater flexibility and security.
For example, we can make each of the three Firewalla LAN ports a separate network: one for work, one for IoT devices like smart assistants, and one for personal devices like kids' iPads or laptops. You can then limit communication between these networks to one direction only (e.g., devices on network A may open connections to network B, but B cannot initiate connections to A) or block access between networks completely (e.g., a third network C cannot see A or B at all).
What does this get you? Let's say you have a smart assistant or smart smoke alarms. The app that controls these devices might need to talk to them, but they do not need to see all your network traffic. This is an excellent opportunity to secure them on a separate network where your app can talk to them, but they can't listen in on the rest of your network.
You can define how much access to allow between networks and between each network and the Internet. Port-based networks are powerful, easy to understand, and easy to set up, even for those who are relatively new to networking, so they tend to be a great way to begin building a more secure network.
Another option on Firewalla Gold and Purple is VLANs (Virtual Local Area Networks). These are more complex to set up but popular with network pros. So what is the difference between a port-based LAN like the above and a VLAN? A VLAN lets you create functionally separate networks over a shared physical connection such as an Ethernet cable or a Wi-Fi AP.
Imagine your Firewalla is in an office and you run one Ethernet cable to a bedroom. In that room, you have a smart assistant to play music and get the weather, a kids' computer, and a game console. You might want to put these devices on different networks, but you don't want to run multiple Ethernet cables. A VLAN lets them share the physical cable while keeping them on separate networks, virtually. Combined with managed switches or VLAN-aware APs, VLANs also let you create more than three networks, since you are no longer limited to one network per physical port.
For example, you can make VLANs for:
- Trusted computers and laptops
- IoT devices
- A Voice over IP (VoIP) telephone
- Security cameras
- A separate guest Wi-Fi network
Each connection to Firewalla can carry traffic for any or all VLANs at the same time, and devices on one VLAN cannot see the others unless you allow it. One caveat: this holds only if the switch or AP port a device plugs into is assigned to that device's VLAN alone; a port left as a trunk that carries every VLAN would let a device tag its own traffic into any of them. To learn more about VLANs, see this article.
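To make the direction semantics concrete, here is an added example (not Firewalla's own code or rule engine) that models three segments as a stateful packet filter: work may initiate connections to IoT, IoT may not initiate connections to work, and the kids' segment is isolated, while every segment may reach the Internet. The subnets, segment names and sample packets are constructed for the example; the same policy applies whether the segments are separate ports or VLANs.

```python
"""Stateful inter-segment policy: "one direction only" restricts who may *initiate*."""
import ipaddress
from dataclasses import dataclass

# Constructed example: one subnet per segment (LAN port or VLAN); not Firewalla's defaults.
SEGMENTS = {
    "work": ipaddress.ip_network("192.168.10.0/24"),
    "iot": ipaddress.ip_network("192.168.20.0/24"),
    "kids": ipaddress.ip_network("192.168.30.0/24"),
}

# Pairs (src, dst) whose devices may *open* connections across segments.
ALLOWED_INITIATION = {
    ("work", "iot"),   # A -> B: the app on a work device may talk to the smart assistant
    # ("iot", "work") is deliberately absent: B cannot initiate toward A
    # "kids" appears in no pair: C cannot see A or B, and they cannot see C
}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


def segment_of(ip):
    """Name of the segment an address belongs to, or 'internet' for anything else."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "internet"


class StatefulFilter:
    def __init__(self):
        # 5-tuples of connections that an allowed initiator has opened
        self.conntrack = set()

    @staticmethod
    def _key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reply_key(p):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def decide(self, p):
        src_seg, dst_seg = segment_of(p.src), segment_of(p.dst)
        if src_seg == dst_seg:
            return "allow"                      # same network; not the firewall's concern here
        if self._key(p) in self.conntrack or self._reply_key(p) in self.conntrack:
            return "allow"                      # established connection, or its reply
        if dst_seg == "internet":
            self.conntrack.add(self._key(p))    # every segment may reach the Internet
            return "allow"
        if src_seg == "internet":
            return "drop"                       # unsolicited inbound from the Internet
        if (src_seg, dst_seg) in ALLOWED_INITIATION:
            self.conntrack.add(self._key(p))
            return "allow"
        return "drop"


def run(packets):
    """Decide a packet sequence in order, so replies are judged after their initiations."""
    f = StatefulFilter()
    return [f.decide(p) for p in packets]


# Constructed sample traffic (documentation address ranges for the Internet side).
SAMPLE = [
    Packet("192.168.10.5", 51000, "192.168.20.7", 8443),   # work -> IoT: allowed initiation
    Packet("192.168.20.7", 8443, "192.168.10.5", 51000),   # its reply: allowed (established)
    Packet("192.168.20.7", 40000, "192.168.10.5", 445),    # IoT -> work SMB: wrong direction
    Packet("192.168.30.9", 40001, "192.168.20.7", 8443),   # kids -> IoT: isolated segment
    Packet("192.168.30.9", 40002, "198.51.100.10", 443),   # kids -> Internet: allowed
    Packet("198.51.100.10", 443, "192.168.30.9", 40002),   # reply from the Internet: allowed
    Packet("203.0.113.1", 12345, "192.168.10.5", 22),      # unsolicited inbound SSH: dropped
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, run(SAMPLE)):
        print(f"{verdict:5}  {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
```

The point to take away is the second and third packets: the reply from the smart assistant is allowed only because the work device opened that connection first, whereas the same device trying to open a connection toward the work network on its own is dropped.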
2. Smart Queue
Nothing is worse than buffering or other technical issues during a video conference. It can ruin a presentation or waste time when people have to ask each other to repeat what they just said. We have all been there.
Firewalla's Smart Queue feature can help manage the chaos. Smart Queue lets you give an app (e.g., MS Teams, Zoom, or Google Meet) high priority while giving video games or streaming sites low priority. You can set these Smart Queue rules to activate on a schedule (e.g., during work or school hours), have different rules for when you want to enjoy video games or streaming, and limit each rule to particular devices or network segments. All of this lets you tell Firewalla how to allocate the bandwidth you have based on what matters most, and when. Learn more about Smart Queue.
3. Virtual Private Network (VPN)
A VPN is essential for securing remote access to business assets. Many small businesses don't have a VPN in place because of the setup and maintenance complexity. Firewalla's VPN client and VPN server offer a straightforward yet complete VPN solution that suits small businesses and people working from home.
For example, suppose your company has no VPN server but hosts confidential data on its local business network. Reaching that data from home without a VPN means the traffic travels over the Internet without the protection of an encrypted tunnel, putting business assets at risk. You can deploy a VPN by installing one Firewalla box on the business network as the VPN server and another on the employee's home network as a VPN client. Any Firewalla box can act as either a VPN server or a client.
Firewalla supports other VPN configurations, including Site-to-Site (Bidirectional) (e.g., between two branch offices). Learn more about how VPN can help you work from home.
4. Policy-Based Routing
A VPN between home and work is excellent for securing work connections. But people multitask (maybe you need to book a medical appointment online between work meetings), and the whole family shouldn't have access to your office network. Policy-Based Routing (PBR) lets you route traffic to a specific domain, list of domains, or set of IPs through the network interface of your choice. Because routes can be device-specific, you can limit access to your VPN connections and work assets to just the devices that should have it, while everything else goes out the normal Internet connection.
5. Target Lists
Target lists let you group IP addresses or domains into a named list that can then be blocked, allowed, prioritized, or routed. For example, suppose you have several rules limiting access to certain domains for a few Nest Protect smoke alarms. You could substantially reduce the number of rules by putting those domains in one target list and writing a single rule against it. You can also share target lists with people who have similar devices, and reuse a list across Rules, Routes, and Smart Queues.
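Here is an added example (not Firewalla's own code) of how a policy-based routing table and reusable target lists fit together: a route matches a target list only for a device group, and the same target list also feeds an allow-only rule for the smoke alarms, which is the "many rules become one" point above. The list names, device MAC addresses, domains, interface names (vpn_work, wan0) and addresses are all constructed for the illustration.

```python
"""Policy-based routing and allow rules driven by shared target lists."""
import ipaddress

# Constructed target lists: each entry is a domain (matches the domain and its subdomains) or a CIDR.
TARGET_LISTS = {
    "work-assets": ["intranet.example.com", "10.50.0.0/16"],
    "smoke-alarm-cloud": ["alarm-vendor.example", "203.0.113.0/24"],  # hypothetical vendor endpoints
}

# Device groups keyed by MAC address (constructed).
DEVICE_GROUPS = {
    "work-devices": {"aa:bb:cc:00:00:01"},                      # the work laptop
    "smoke-alarms": {"aa:bb:cc:00:00:10", "aa:bb:cc:00:00:11"},  # two smoke alarms
}

# Routes, first match wins. 'devices': None would mean any device.
ROUTES = [
    {"devices": "work-devices", "targets": "work-assets", "via": "vpn_work"},
    {"devices": "smoke-alarms", "targets": "smoke-alarm-cloud", "via": "wan0"},
]
DEFAULT_VIA = "wan0"

# Allow-only rules: devices in the group may talk only to the named list (one rule, not one per domain).
ALLOW_ONLY = {"smoke-alarms": "smoke-alarm-cloud"}


def _parse_entry(entry):
    """Classify a list entry as a network (CIDR or single IP) or a domain."""
    try:
        return ("net", ipaddress.ip_network(entry, strict=False))
    except ValueError:
        return ("domain", entry.lower().rstrip("."))


def entry_matches(entry, dst_domain=None, dst_ip=None):
    kind, value = _parse_entry(entry)
    if kind == "net":
        return dst_ip is not None and ipaddress.ip_address(dst_ip) in value
    if dst_domain is None:
        return False
    d = dst_domain.lower().rstrip(".")
    # exact or subdomain match only: 'evil-intranet.example.com' must not match 'intranet.example.com'
    return d == value or d.endswith("." + value)


def target_list_matches(list_name, dst_domain=None, dst_ip=None):
    return any(entry_matches(e, dst_domain, dst_ip) for e in TARGET_LISTS[list_name])


def select_interface(device_mac, dst_domain=None, dst_ip=None):
    """Interface a device's traffic to a destination leaves on (PBR), falling back to the default WAN."""
    for route in ROUTES:
        group = route["devices"]
        if group is not None and device_mac not in DEVICE_GROUPS[group]:
            continue
        if target_list_matches(route["targets"], dst_domain, dst_ip):
            return route["via"]
    return DEFAULT_VIA


def is_allowed(device_mac, dst_domain=None, dst_ip=None):
    """Allow-only rules: restricted devices may reach only their target list; everyone else is unrestricted."""
    for group, list_name in ALLOW_ONLY.items():
        if device_mac in DEVICE_GROUPS[group]:
            return target_list_matches(list_name, dst_domain, dst_ip)
    return True


if __name__ == "__main__":
    print(select_interface("aa:bb:cc:00:00:01", dst_domain="git.intranet.example.com"))  # vpn_work
    print(select_interface("aa:bb:cc:00:00:02", dst_domain="intranet.example.com"))      # wan0
    print(is_allowed("aa:bb:cc:00:00:10", dst_domain="intranet.example.com"))           # False
```

Two details matter in practice: only the devices in the work group are ever steered into the VPN, so a kid's tablet asking for the same intranet name simply goes out the normal WAN, and domain entries match subdomains but not look-alike names, which is why the suffix check requires the dot.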
6. Access Controls
Use Family Protect and Activity Controls to keep kids' devices such as phones, tablets, or Chromebooks away from apps and sites they shouldn't be accessing.
7. Multiple WANs
Firewalla's Multi-WAN feature lets you connect two separate ISP (Internet Service Provider) connections to your network at the same time, so that your Internet access survives maintenance or an outage at one ISP. You can set this up in one of two ways:
- Load balancing divides your traffic between the two ISPs. Unlike PBR, which routes by destination, load balancing sends a chosen percentage of all traffic over one provider and the rest over the other, spreading the bandwidth load across both connections. If either connection goes down, Firewalla automatically shifts all traffic to the working one.
- Failover routes all traffic to a selected ISP unless Firewalla detects that the connection is not working correctly, in which case it shifts all Internet traffic to the backup ISP. Failover is preferable if, for example, your backup is an LTE modem with a limited data plan and you only want to use it when your primary connection is down, so you don't max out the plan.
Either configuration keeps your video conference or game going with minimal disruption when one connection fails. Note that traffic shifted to the other ISP leaves from a different public IP address, so sessions that were open on the failed link (including VPN tunnels) may need to reconnect; new connections are unaffected. When the problem is fixed, Firewalla restores traffic to the default configuration like nothing ever happened.
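As an added example (not Firewalla's implementation), the following models the two modes: load balancing pins each flow to one ISP by hashing its 5-tuple against the configured percentages, so a session does not jump between public IP addresses mid-stream, and failover keeps everything on the primary until a health probe marks it down. The ISP names, weights, probe threshold and sample flows are constructed, and whether Firewalla balances per flow in exactly this way is an assumption of the example.

```python
"""Multi-WAN selection: per-flow weighted balancing with automatic failover."""
import hashlib
from collections import Counter

# Constructed two-ISP setup; 'weight' is the load-balancing percentage.
WANS = {
    "wan0": {"weight": 70, "up": True},   # cable ISP, 70% of flows
    "wan1": {"weight": 30, "up": True},   # LTE modem, 30% of flows
}


def flow_bucket(flow, total):
    """Deterministic hash of a flow 5-tuple into [0, total): the same flow always lands in the same bucket."""
    digest = hashlib.sha256("|".join(map(str, flow)).encode()).digest()
    return int.from_bytes(digest[:8], "big") % total


def pick_wan(flow, wans, mode="balance", primary="wan0"):
    """Return the WAN name a flow should leave on, or None if every WAN is down."""
    healthy = [name for name, w in wans.items() if w["up"]]
    if not healthy:
        return None
    if mode == "failover":
        return primary if wans[primary]["up"] else healthy[0]
    # balance: hash over the *configured* weights, so when one link fails the flows on the
    # surviving link keep their assignment and only the flows on the failed link move.
    total = sum(w["weight"] for w in wans.values())
    bucket = flow_bucket(flow, total)
    acc, chosen = 0, None
    for name, w in wans.items():
        acc += w["weight"]
        if bucket < acc:
            chosen = name
            break
    return chosen if wans[chosen]["up"] else healthy[0]


def update_health(wan, probe_ok, fail_threshold=3):
    """Mark a WAN down after fail_threshold consecutive failed probes; one good probe brings it back."""
    wan["fails"] = 0 if probe_ok else wan.get("fails", 0) + 1
    wan["up"] = wan["fails"] < fail_threshold
    return wan["up"]


def with_wan_down(wans, name):
    """Copy of the WAN table with one link marked down (for what-if checks)."""
    copy = {n: dict(w) for n, w in wans.items()}
    copy[name]["up"] = False
    return copy


def distribution(flows, wans, **kwargs):
    """How many flows land on each WAN under a given table and mode."""
    return Counter(pick_wan(f, wans, **kwargs) for f in flows)


# Constructed sample flows: 1000 TCP connections from a handful of LAN hosts to one web server.
SAMPLE_FLOWS = [
    ("tcp", f"192.168.10.{5 + i % 20}", 40000 + i, "198.51.100.10", 443) for i in range(1000)
]

if __name__ == "__main__":
    print("both up:   ", distribution(SAMPLE_FLOWS, WANS))
    print("wan1 down: ", distribution(SAMPLE_FLOWS, with_wan_down(WANS, "wan1")))
    print("failover:  ", distribution(SAMPLE_FLOWS, WANS, mode="failover"))
```

Hashing against the configured weights rather than the currently healthy ones is deliberate: when the LTE link drops, flows already on the cable link stay exactly where they were, and when it comes back, the flows that were temporarily moved return to their original assignment, so a failure disrupts only the sessions that were actually using the failed link.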