You’ve got things on your home network that perform many actions, such as opening the garage door, showing you who’s ringing your doorbell, and turning the lights on and off. Most of these smart home devices aren’t properly secured—their makers focus on function, not security. Why not add hardware to your network that ensures network security? The tiny Firewalla gives you total insight into what’s on your network, along with a raft of related features, including insight into what computers and mobile devices are doing, simple parental control, and even your own VPN server.
Unlike such competitors as Norton Core and F-Secure Sense, Firewalla doesn’t attempt to replace your router. It simply sits on the network, monitoring and managing traffic and devices and applying some simple rules to network traffic. In testing, the central monitoring and control features proved very effective, but some other operations ranged from complex to extremely complex.
Dimensions and Specifications
Firewalla is, to put it simply, crazy small, at 1.2 by 1.8 by 1.8 inches (HWD). For a little perspective, I calculated the volume of Firewalla and of several other network security devices. If Firewalla were liquid and Norton Core were hollow, you could pour 30 Firewallas into a Norton Core! With a hypothetical hollow Bitdefender Box or F-Secure Sense, you could fit almost 40 Firewallas. Like I said: It’s small. That’s not surprising, though, given that the prototype started life running on a Raspberry Pi.
Given the clearly minimalist design approach, having a USB port seems odd. Firewalla’s CEO explained that it’s for future expansion. “The box is fully hackable,” he said. “Many of our customers are pretty crazy about this.” He mentioned experimenters adding a USB Wi-Fi adapter, a programmable USB light, and mounting USB memory to create a Samba share drive. Sorry, my expertise doesn’t extend to explaining that last one.
The red Firewalla, reviewed here, is meant for consumers. It works with internet speeds below 100Mbps and fewer than 50 devices. Firewalla blue, which is just shipping to its crowdfunding backers, handles higher speeds and more connections.
You pay $109 for the diminutive Firewalla, sold through Amazon. Yes, Prime users can get it with one-day shipping. That’s quite a bit less than most similar products cost. Bitdefender Box, Norton Core, and F-Secure Sense all list for about $200, though you’ll often find them discounted.
That’s not the only difference in pricing, though. Your Firewalla purchase is a one-time affair. You bought it; it’s yours. The other three competitors I mentioned all come with security software, and keeping that protection active requires a subscription after the first year.
That’s not to say that Firewalla will replace your existing security suite. The company strongly recommends using it in conjunction with security software, and my hands-on testing agrees. But it does mean you’re free to choose the suite or antivirus that suits you best, rather than being locked into the one that matches your hardware.
Getting Started With Firewalla
In the box, you’ll find the tiny Firewalla box along with a power adapter, an Ethernet cable, and a micro USB cable. There’s no manual or startup guide, just a tiny instruction card with a URL pointing to installation instructions. Following the simple instructions, I downloaded the Firewalla app onto the iPad I use for testing and registered my email. I should point out that, as with other network security boxes, you must control Firewalla through an iOS or Android phone or tablet; PCs and Macs need not apply.
For the next step, I hooked up the box to power and connected it to the network with the Ethernet cable, just as I’d do with any other device. I didn’t have to connect it “upstream” from the router or make any other network changes. There was no interruption in my network connectivity.
After a few minutes it finished its initial boot sequence. A New Firewalla notification and icon appeared in the app. Per the instructions, I paired it with the app by scanning a QR code on the bottom of the box; clever! At that point it offered to learn the network, with an option for manual setup. Not having any idea what manual setup entails, I let it do its own exploration. In just a few minutes, it was ready to get to work.
Devices and Notifications
At the outset, I got a flood of notifications, as Firewalla detected everything connected to the network for the first time. Each new notification comes with the device’s name and manufacturer, if supplied, as well as the IP and MAC addresses. If you see something that clearly doesn’t belong, you can block its access with a single tap. And if you hear a scream of lost-connection anguish from elsewhere in your household, because you blocked the wrong thing, you can restore access just as easily.
Getting notifications that new devices have joined is just the start. By default, Firewalla alerts you when anything it’s monitoring starts using gaming, video, or porn sites, or encounters a dangerous website. It also alerts on what it calls “abnormal uploads,” and when someone connects to the VPN server (more about VPN below). You can fine-tune this system for each category, telling Firewalla to give you a pop-up notification, an in-app alarm, both (the default), or neither. And if you see that your kid is playing games instead of doing research for a term paper, you can tap the notification to cut off gaming on that device for an hour, or until you turn it back on.
Some hardware reports a name or manufacturer name that makes it easy for you to recognize it. Other devices may show up as something unintelligible like a string of hex digits, or a bare-bones IP address. With a little sleuthing, you may be able to match the reported IP address or MAC address to a specific piece of hardware. If so, it’s easy to rename the device so it’s easy to find in Firewalla’s list.
Details and Actions
Software-based network scanners like Bitdefender Home Scanner and Avira Home Guard also let you give friendly names to hardware based on the reported IP address or MAC address. But Firewalla offers vastly more information about the activity of each, data that can aid in correctly matching an entry with its physical device.
Here’s an example. On my own network, one device came up with a name that I didn’t recognize at all. Tapping for details, I got a graph of its recent activity. More usefully, tapping the Network Flows link let me see just where it connected. Given that all the named URLs in the list were subdomains of ring.com, I deduced that this entry represented my Ring Video Doorbell Pro.
Firewalla lists four sets of stats for each device. The history list, the one I used to identify the doorbell, lists all connections. Separate lists report uploads and downloads, along with a size for each. And the Apps tab lists apps that made a network connection.
Additionally, each device includes blocking icons for internet, games, social media, and video. One tap of the icon blocks the specified category for an hour. A second tap blocks access until you lift the block.
Tapping Status, a little further down the page, lets you see whether the device is online, when it was last active, and when Firewalla first detected it. You can also configure Firewalla to notify you when it comes back online, or when it goes offline. The former can be handy to let you know when family members have returned to the fold. The latter can provide a warning if your NAS or something equally important goes down.
Network and device monitoring is the main function of Firewalla, but it has other tricks, too. In addition to monitoring, six other abilities show up as icons on the app’s main window. You can access a full list of features, including those six, by tapping More.
Four of these abilities are enabled by default, with the most significant being Cyber Attack Protection. This notifies you if Firewalla detects evidence of an attack on your network. By default, it actively blocks known dangerous sites. Don’t turn this one off.
The Open Ports scan looks for ports on your network that are accessible from the internet. It strongly warns about available Universal Plug and Play (UPnP) connections, which can open your system to attack. Firewalla also probes the network from the outside, which can take a little while. On my network it found ports 111 and 443 (HTTPS) visible. I happen to know that that makes sense for my configuration, but I’m not sure what the average user would do with that information.
Another not-for-the-masses feature is Firewalla’s Dynamic DNS (DDNS) capability. Briefly, this lets you host web server apps on your network without worrying about the possibility that your ISP might assign you a different internet-facing IP address. Don’t understand? Don’t worry! As the app says, “If you do not have such a need, please ignore.”
The Social Hour feature is an interesting one. With one tap, it disables social networks on all devices on the network, to encourage “your real social life.” I can’t guarantee that cutting off internet in your household would result in socializing, but it’s an interesting idea.
The four functions mentioned above are enabled out of the box. As such, they appear in the Enabled section of the Features page. Don’t worry; having Social Hour enabled just gives you the ability to impose a no-Facebook hour; it doesn’t require you to do so. Five other components provide a variety of services, some simple, some exceedingly complex.
Ad Block is easy to understand. Turn it on and Firewalla does its best to strip out ads for all devices. The app does point out that this will not necessarily remove all ads. For security and privacy reasons, Firewalla absolutely does not analyze the content of pages you view on the internet. The ad blocker works by preventing pages from connecting to known ad-spewing domains. In testing, I found it cleared up most ads on several ad-rich sites.
Turning on Family Protect enables a simple kind of parental control. Doing so runs all DNS (Domain Name System) requests through the Family Shield servers maintained by OpenDNS. This is the simple, non-configurable filtering system, not the commercial VIP version.
I thought it odd that Firewalla doesn’t support Internet Protocol Version 6 (IPv6) out of the box; you must actively enable it if you want that support. The FAQ explains “It is likely in the near future, we will automate this after we have tested this across the world.” It also points out that IPv6 deployment differs across different service providers.
One available feature is called Expert Mode. I turned it on, poked around the app, and didn’t see any real difference. My company contact confirmed that it doesn’t do much at present, and suggested leaving it alone.
That leaves the unusual VPN Server component. All of our VPN reviews refer to VPN clients, apps that make a secure connection to a VPN server to protect the privacy of your online activities. What Firewalla offers is the other end of that connection, a local VPN server just for you.
Getting it set up takes a certain amount of expertise. To start, you must know how to log in to the configuration system for your router. With that feat managed, you create a port-forwarding rule matching details supplied by Firewalla. Next, you install and enable the OpenVPN app, and tie it in to Firewalla using a supplied password. I needed some expert help to get this working. It turns out that on my unusual setup, with a commercial Wi-Fi router separate from the main router, I needed a port-forwarding rule on both devices.
Now you can take your mobile device to another location, log into the VPN, and connect with your home network. As with any VPN connection, this means all your traffic is now encrypted, though you don’t get the benefit of disguising your IP address. You can access hardware such as cameras and NAS systems just as if you were at home.
Most importantly, when you connect through the VPN your Firewalla app has full access to network activities. Now you can receive notifications, change blocking rules, and so on. Anything you can do at home, you can do sitting in the airport lounge, or the Wi-Fi enabled commuter train.
This may seem a roundabout way to get remote access to your Firewalla and your network, but it’s the secure way. Yes, other network security hardware makes remote management easier, but it also tends to be less secure.
Hands On With Firewalla
Naturally I had to put Firewalla’s components through their paces. With Family Protect turned on, my attempts to visit naughty websites were met with a bland denial from the OpenDNS system, which included the category that triggered the block and a link to report an incorrect block. The system does handle blocking HTTPS sites, but it’s awkward. I found that instead of displaying a clear warning, as it did for HTTP pages, the browser displayed a confusing error message. It stated, “Your connection is not private,” with an error message NET::ERR_CERT_AUTHORITY_INVALID. My Firewalla contact confirmed that’s how this feature works when HTTPS is involved.
As noted, the ad blocker removed some, but not all, ads. I brought up the same ad-infested sites on the laptop managed by Firewalla and on a virtual machine connected to the separate Ethernet network. On the laptop, most of the ads came up blank.
Digging into details for one test device, I tapped the button to block social media for an hour. I found that trying to connect with facebook.com just got an error message, this time stating, “This site can’t be reached.” Again, my contact confirmed that’s how blocking works. The same is true of trying to visit naughty sites with the Porn filter in place—you see just error messages, not the explainer from OpenDNS. If you’re going to use these features, you should probably discuss them with your household, to avoid confusion.
Finally, I gathered a collection of recent malware-hosting URLs supplied by MRG-Effitas, as I do when testing antivirus products. I launched each one on a laptop protected by Firewalla, and simultaneously on an unprotected virtual machine. That second machine served as a sanity check, to help me distinguish real error messages from errors due to Firewalla’s blocking.
I needn’t have bothered with the second machine. I got through 50 verified malware-hosting URLs without any interference from Firewalla. I usually go to 100, but I didn’t see a point. I tried again using URLs from the same feed, but 60 days old. Once again, I didn’t see any action from Firewalla.
My Firewalla contact explained that Firewalla doesn’t process URLs, just domains and IP addresses. He supplied a phishing domain for me to try, and indeed, when I visited that domain, I got a Firewalla notification, with the option to block access. Note that this warning popped up on my mobile device, not on the one that accessed the phishing domain.
Firewalla does totally block access to a built-in list of known bad addresses, which will just show up as an error message if you try to connect. It reacts to external hack attempts by blocking them and posting a Security Activity notification. But it doesn’t look at the pages you visit in the browser. As previously noted, for security and privacy reasons it doesn’t look at your web traffic, just at connections. That being the case, you definitely want to keep your local antivirus or security suite active and up to date.
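The limitation described above, and the domain-based ad blocking mentioned earlier, as an added example that is not part of the original review and not Firewalla's code: a filter that sees only the destination host or IP address gives the same verdict for every URL on that host. The blocklist entries and URLs are constructed for illustration, using documentation-reserved names and address ranges.

```python
# Added illustration: a connection-level filter sees the destination host
# or IP address of a connection, never the URL path requested from it.
import ipaddress
from urllib.parse import urlsplit

# Constructed sample blocklists (documentation-reserved names and ranges).
BLOCKED_DOMAINS = {"phish.example", "ads.example.net"}
BLOCKED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def connection_view(url):
    """Return what a network box can observe for this URL: the host only."""
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def host_is_blocked(host):
    """Match an IP literal against blocked networks, or a name against
    blocked domains on label boundaries (so subdomains match too)."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        return any(addr in net for net in BLOCKED_NETWORKS)
    labels = host.split(".")
    # Check the host and each parent: a.b.phish.example, b.phish.example, ...
    return any(".".join(labels[i:]) in BLOCKED_DOMAINS
               for i in range(len(labels)))


def verdict(url):
    """Decide on the connection, using only the host part of the URL."""
    return "block" if host_is_blocked(connection_view(url)) else "allow"


# Constructed test URLs.
SAMPLES = [
    "https://login.phish.example/account",        # subdomain of a listed domain
    "https://notphish.example/",                  # lookalike suffix, not listed
    "http://203.0.113.45/payload.bin",            # address in a listed range
    "https://files.example.org/docs/manual.pdf",  # benign file on a shared host
    "https://files.example.org/u/1234/bad.exe",   # malicious file, same host
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{verdict(url):5}  {connection_view(url):22}  {url}")
```

The last two samples get the same verdict because the filter cannot tell them apart, which is why a local antivirus that inspects the downloaded content is still needed.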
Not a Router Replacement
As noted, Firewalla doesn’t attempt to replace your Wi-Fi router or your existing security suite. Rather, it works alongside both. Most other network security boxes we’ve examined both do more—and cost more.
Bitdefender Box 2 runs on a Dual Core Cortex A9 1.2GHz processor and comes with 1GB of DDR3 memory. That’s a little hard to compare with Firewalla’s quad-core processor and 512MB of DDR4 memory, but both seem to have all the firepower they need. While it can function as a wired and wireless router, the company recommends using it as a supplement to your existing router, not a replacement. You control it from the Bitdefender Central console online, meaning you can control it from anywhere, not just your phone or tablet.
Unlike Firewalla, Bitdefender Box does scan your (unencrypted) internet traffic. This lets it prevent transmission of user-defined personal information, block malicious web traffic, and impose a degree of parental control. Your subscription also lets you install Bitdefender Total Security and manage it alongside Bitdefender Box. This all comes at a price; the box itself costs $199.99, and after the first year you pay $99 per year for the associated software.
Norton Core, unlike Bitdefender Box, aims to fully replace your router. In testing, it proved serviceable, but not up to the best standalone routers such as Editors’ Choice Asus ROG Rapture GT-AC5300. Like Bitdefender Box, it uses a dual-core processor and 1GB of RAM. You can easily view all connected devices and, if necessary, pause the internet for one you select with a click. You can do that remotely, if necessary, without having to go through the VPN Server setup Firewalla requires.
Norton Core does let you know when something new connects, but it can also quarantine new ones pending your confirmation, allowing internet access without access to other devices. The included Symantec Norton Security Premium offers a wealth of local features, but costs $9.99 per month after the first year. That does let you install protection on unlimited devices.
While F-Secure Sense also functions as a router, it’s not as ambitious as Norton Core. We had some difficulty getting it set up, and it doesn’t include all expected router abilities. As with Firewalla, you control the box using a mobile app. It blocks access to dangerous websites for all devices, but doesn’t include secure DNS or detection of unusual traffic patterns the way Firewalla does.
After the first year with F-Secure Sense, you pay $69.99 per year to continue using the local security suite, F-Secure Safe. That’s less than the ongoing subscription for Bitdefender or Norton, but you also get less protection.
While these competitors are similar in some ways to Firewalla, there’s not really a direct comparison. Firewalla works strictly on the network, not relying on any local software. As a result, you don’t have to pay an ongoing subscription. In addition, for the network geeks out there, it’s amazingly programmable, unlike the rest.
High-Tech Network Protection
Once you add a Firewalla to your network, you can use the mobile app to monitor and manage all network devices, as well as their connections and other actions. You get notified when a new one connects, or when an existing one starts using video, gaming, or porn domains, with the option to block any of those types temporarily or permanently. A few of the remaining components, such as ad blocking and simple parental control, are fine for all users, but others require higher levels of technical expertise. Tech experts will love advanced features like the VPN server; über-techies can actually dig in to modify or program the device.
If your network is loaded with smart home hardware, phones and tablets, and computers, adding a Firewalla will give you a bird’s-eye view of what’s going on, and this essential monitoring function doesn’t require network expertise. Best of all, it’s a one-time purchase, with no annual fee.