This is an older article about Firewalla's visibility features. For the latest information about what Firewalla can show you about your network, please read our article focused on Visibility.
Your network is growing, both in the number of devices and the complexity of connecting them. The first step to securing these devices is to understand and get insight into what "they" are doing.
Firewalla can closely observe all the traffic entering your network (or "ingress"), exiting your network (or "egress") as well as the traffic between your network segments. This article highlights specific areas of insight that Firewalla provides to you and explains how to leverage this data to strengthen your network security and performance.
With the Firewalla Deep Insight, you will know in detail:
- Which devices are connecting to your network
- What exactly they are transferring to and how much data they are sending out.
Here is how the app can help you to gain "deep insight" into your home network.
Firewalla keeps track of the devices on your network and how they are organized.
You can see device lists filtered by Network, Group, ungrouped devices, or scroll through your entire device list and you can use a handy search feature to locate devices by name, IP or MAC address.
Firewalla will also notify you of any new devices that appear and you can optionally automatically limit the access you give new devices as much or as little as you like. For example, if a neighbor jumps on your Wi-Fi without permission, you can block all internet access if you choose.
While it isn't possible for a router to look at the content of secured data connections between a device on your network and some outside resources (a webpage, image, or some content a mobile app needs), Firewalla can determine quite a lot about network traffic including:
- Where data goes (e.g. country, domain)
- How much data is going
- What kind of traffic it is
- Whether it is egress or ingress
- Whether it was allowed or blocked
- Why it was allowed or blocked
All of this is available by device, device Group, and network segment giving a very clear and specific picture of what's going on at all times.
1. Network Flows
Network Flows are a history of all inbound and outbound network traffic on your network. The crossed-out items in All Flows show what has been blocked. There is a separate, filtered view showing only the blocked flows, which has more detail (see Blocked Flows below for more detail.)
This data helps you answer critical questions such as:
- What servers are your devices connecting to?
- Where are these servers located?
- Do these servers have a shady reputation?
- Is there data collection that I'd like to block (e.g. logging and data mining)?
- Is there Ingress port scanning happening?
- What Ingress attacks are coming my way?
In addition, the web interface shows traffic by region utilizing the additional real-estate of a web app:
The Web interface also lets you do some filtering for more complex analysis. In this example, "blocked" flows from "Russia".
2. Blocked Flows
Blocked flows can provide tremendously helpful information and insights. They can tell you if Ad Block is working as expected. They can help you fine-tune Rules that you set up previously or create new rules to allow or block access to meet your needs.
By tapping on the right column (where the pink highlight is in the images below), you can cycle through the following data:
- Block Counts: How many times was a particular domain or IP blocked.
- Inbound vs Outbound: Was this connection going from your network out (egress) when blocked, or from outside your network in (ingress)?
- Block Reason: Why did Firewalla block the connection?
- Port: What port number was being accessed? Sometimes this is very helpful. For example, port 123 is usually NTP (Network Time Protocol), so if you see a block on that, it might mean a device can't synchronize its clock and you might want to make sure that is not blocked.
You can also click on any of the block entries and learn more about the location of the server that was the origin or destination of the traffic, which WAN connection used, the ports used, and find out why it was blocked.
You can also dig in even further to learn about a particular IP address or domain.
This gives you a better understanding of the relative risk of connections with that server. Keep in mind that sometimes perfectly innocent companies share web hosting or cloud services with less reputable companies so take this information as guidance, not gospel.
3. Data Consumption
Firewalla shows total upload and download data consumption for 30 days, 24 hours, and 60 minutes. This allows you to observe the most active days of the month, hours in a day, or minutes in an hour. This may help find an unusual activity or help you decide if you have network bottlenecks, etc.
If you have a data cap on your Internet connection, Firewalla can monitor how much data you have consumed and how many days are left in your billing cycle. You can also set alarms to notify you when you get close to reaching your data cap so you don't face penalties from your ISP.
You can use the Apps view to see approximately how much time a Network, Group, or Device is spending by app/domain; use Upload and Download to see top data usage.
The web interface has a very nice display of top devices and destinations for upload and download.
4. Live Throughput
As the name implies, Live Throughput measures upload and download activity in real-time. If your App is connected to Firewalla's local network, you can see both to see how your bandwidth is being taxed at the global level.
Note: If you are using iOS, make sure your Firewalla app has the access to local networks. (In Settings, go to Privacy > Local Network and grand Firewalla App the access. )
If you have a Multi-WAN configuration, each WAN connection will be broken out separately so you can see how traffic is divided between your connections.
Aggregated Live throughput is also available by Network and for individual devices, as well.
Firewalla can alert you about potentially risky activity on your network. Alerts include things such as:
- Porn activity
- Gaming activity
- Security activity
- WAN connection issues so you don't have to guess if you have a Wi-Fi issue or your ISP is down.
- VPN connections and connectivity losses
- Devices going on/offline
- Network Events, ISP downtime, and its connectivity test results.
- Large Bandwidth usage
- New devices
- Open Ports
These alarms are configurable so if something is going off too often you can silence alarms.
The web interface lets you filter alarm searches. In this example, security activity for a heartbeat attack.
Trust but Verify
When you bring a new device into your home it can be difficult to know if it is trustworthy. Nice packaging does not guarantee trustworthiness. Many of us love the convenience of cameras, home assistants, and other IoT devices because they can make our lives a lot easier. These devices have unparalleled access to our personal data, so it is important to use them safely. Without being a programmer and having access to the code in every app we use, we can only use observation to determine how cautious to be about an app or IoT device. We can think of devices in the following categories:
Devices are more likely to be "Nice" or trustworthy if they send data to secure servers like Amazon's AWS because they have strong data security features. Often IoT devices require very little internet access. They may only talk to just one or two domains when operating as designed. One strategy let them run for a while and use Firewalla to observe what their normal behaviors are; then secure the devices by creating rules that only allow access to those servers so that if they are ever compromised by malware or ransomware, they can't send data where it shouldn't be going.
Many devices that we find irresistible lack the architecture and quality control to ensure secure data handling. Often they are built by the cheapest contractor available and security is not a priority. This can simply mean the design is unintentionally flawed leaving the device open to being compromised by someone else. In other cases, devices may be harvesting your data without disclosing that. Either way, caution is the best policy.
Separating these devices from the rest of your network mitigates your risk.
How do I know?
Instead of thinking about these devices in a binary way ("yes, I will use them because I know they are absolutely safe" or "no, I can't be positive they are absolutely safe so I will not use them," Firewalla allows you to keep tabs on them and limit their access so that the risk profile is small.
Firewalla can help you understand what is normal access that you intended (e.g. maybe you open a port to access a camera when you are away from home) from unexpected activity that may mean a device on your network is up to no good.