Firewalla: on Recent FCC Regulatory Developments

Hi everyone,

Over the past few days, many of you have reached out asking how the FCC's March 23rd update regarding foreign-manufactured consumer-grade routers might affect us. We want to be completely transparent with our community about where we stand and where we are going.

First, we actually think it is fantastic that the FCC is shining a spotlight on the importance of network cybersecurity! We have existed since 2016 specifically to protect networks.

We may be a small fish in the massive networking industry, but our agility is our superpower. Our CEO and co-founders are still in the trenches every day—designing, coding, inventing new features like the DAP, and answering your questions on Reddit, with the single most important goal: to secure the world.

Firewalla’s software is open source (https://github.com/firewalla) and is being contributed to, tested, inspected, and watched by many around the world. Our platform is also open; you can always see what’s going on inside.

While Firewalla devices route traffic in "router mode" (Firewalla can also run in bridge mode without any routing functions), we don't consider ourselves a "consumer-grade router." We build comprehensive, kick-ass security devices. These integrate advanced firewalls, IDS, IPS, Radius, complex VPN, DNS, and Zero Trust Architecture. They are specifically tailored for prosumers, small businesses, professional installers, and commercial networks. Our focus has always been, and always will be, defending your networks against cyber attacks.

Firewalla has a reasonable basis to argue that it falls outside NIST IR 8425A’s consumer-grade router category; That framework applies to routers whose primary use case is residential and for which the manufacturer cannot assume the user has cybersecurity expertise or the ability to take significant action to secure the product. By contrast, Firewalla’s ordinary secure operation depends on exactly that kind of informed administrator participation. Users are expected to interpret security events, make mitigation judgments, design and maintain segmentation and policy controls, and perform non-trivial network-administration actions as part of routine deployment and security management; accordingly, Firewalla is more properly classified as an actively managed network security appliance rather than a passive consumer-grade router.

We are incredibly grateful to serve such a wonderful, engaged customer base all over the world. Thank you for continuing to trust us with your network security.

Cheers,

Firewalla Team

Reference

https://nvlpubs.nist.gov/nistpubs/ir/2024/NIST.IR.8425A.pdf

Appendix C. Consumer-Grade Router Acquisition Scenarios Discussion

Routers are network devices that forward data packets, most commonly Internet Protocol (IP) packets, between networked systems. Their physical interfaces may be a combination of wired (e.g., Ethernet) and wireless (e.g., Wi-Fi, long term evolution (LTE), 5G). Consumer-grade identifies those routers that may appear in an individual’s residence such that their primary use case is residential rather than enterprise, industrial, etc. However, some small businesses may choose to use consumer-grade equipment given the limited performance needs of those businesses. The presumption for consumer equipment or small businesses that use consumergrade equipment is that the manufacturer cannot assume the user has cybersecurity expertise or the ability to take significant action to secure the product.