Choosing a Home-Office or Small Office Firewall
When I was a full-time computer technician, home-office and small-business users often asked why I recommended firewalls that they thought were "too expensive."
In fairness, I could understand their suspicions. After all, I was recommending firewalls that cost at least a few hundred dollars when cheap, consumer-grade firewall / routers were available for less than $30.00 at retail chains. What was the point of spending more money on what was, to them, essentially the same device?
The answer, of course, was that you get what you pay for. Bottom-shelf firewall / routers almost never have adequate hardware, software, and ongoing support to do very much more than act as glorified switches. They'll let you share your Internet connection, but that's about it. Even high-end "gaming routers" are more optimized for high speed and low latency than for security.
Where consumer-grade firewalls and routers tend to be most inadequate is in ongoing support. A router is actually a computer, with an actual operating system, running actual software; and as with all computers, bugs and vulnerabilities are constantly being discovered and exploited. Keeping the firewall healthy and able to defend your network against attacks requires updates to its firmware (its embedded operating system and software), and developing those updates costs money. A company that may be making two or three dollars profit on a $30.00 router (if they're lucky) simply isn't going to invest too much time and money keeping the device's firmware up-to-date.
Another reason to reach higher than the bottom shelf when choosing a firewall for a home office or small office is that higher-end devices can also perform duties like spam-filtering and malware-scanning using dynamically-updated definition files. This can dramatically reduce the amount of garbage that winds up in your inbox. It also helps reduce the risk of your data (or your customers' data) being stolen by hackers for identity theft or held hostage by ransomware.
Questions to Ask Yourself When Choosing a Firewall Router
Almost all SoHo firewalls are embedded into routers and provide both security and routing services. You can also purchase these appliances separately; but for most small and medium-sized businesses, a single appliance that does both jobs is fine. The following discussion, therefore, assumes that you'll be purchasing a single router firewall rather than separate appliances. That being said, here are some questions to ask yourself when making your purchase decision.
What Do Your Financial Services Providers Require or Recommend?
Many banks and merchant credit card servicing providers have requirements or recommendations for firewalls, expressed as either a list of requirements (ICSA certification, malware scanning, and a support and update subscription with the firewall manufacturer are frequent ones) or a list of specific makes and models. If your provider requires that you use a particular router or one that meets their requirements, that narrows your search considerably.
One brand of firewall routers that are frequently required or recommended by financial services providers is SonicWall, and for good reasons. Aside from running on quality hardware, most SonicWall routers come with managed, ongoing support and dynamic updates to protect your network from intrusion, malware, spyware, ransomware, and other threats. Whether your provider requires it, or you just want great security and peace of mind, SonicWall firewalls and routers are hard to beat.
Are You a Health Care Provider?
Health care privacy in the United States is regulated by a ponderous set of rules and regulations based on HIPAA, the Health Insurance Portability and Accountability Act of 1996. Although the government doesn't specify specific routers, health care providers can be held liable if their patients' medical records are breached; so it behooves you to purchase a high-quality firewall like a SonicWall.
Your medical records software provider may also have specific firewall requirements or recommendations, so check with them, as well.
Do You Need WiFi?
Note that I used the word need, not want. If you don't actually need WiFi, then you're frankly better off without it. Although the risk is slight if you use WPA2 or better and a strong key, it's still an additional vulnerability. Some financial institutions may also prohibit the use of WiFi if you process credit cards on-site.
If you do need WiFi, I suggest that you choose a router that supports the latest WiFi standards (802.11ac or WiFi 5 as of this writing) on both the 2.4 GHz and 5 GHz bands. Although 5 GHz is faster, 2.4 GHz is better at penetrating walls and may be required for older devices. USE WPA2 encryption, choose a strong key, and keep it private.
If you want to offer WiFi to your customers, be sure that the router supports guest access. That allows you to set up separate WiFi access to allow your customers to connect to the Internet, but not to access your local network.
What Advanced Features Do You Need?
Most business-grade routers support special features that you may or may not need. Here are just a few examples.
- Port forwarding. This allows packets intended for a specific device (generally a server) to be routed to that device. Remotely-accessible security camera systems, for example, may need port forwarding.
- Dual-WAN Capability. Dual-WAN firewall routers allow you to use two Internet connections for load-balancing or failover. Most commonly both Internet connections use wired Ethernet ports; but some routers also allow the use of a WiFi 4G hotspot as one of the Internet sources. This is a common arrangement when a wired Internet connection is used for primary Internet, and a 4G hotspot is used as failover when the wired connection goes down.
- VPN (Virtual Private Network). This allows you or your employees to access your office remotely over a secure, encrypted "tunnel."
- QoS (Quality of Service). In a nutshell, QoS is a way to assure that devices and services have the bandwidth they need by either reserving or prioritizing traffic to those devices or services. This is important if you use a VoIP telephone system, video conferencing, or other services that absolutely must have a certain amount of available throughput to function properly. This doesn't mean only those devices or services that need a lot of throughput, by the way. It also includes services like VoIP whose bandwidth needs are relatively modest, but which really need that modest amount of bandwidth to work well.
- Bandwidth Restriction. Allows you to selectively limit, or "throttle," the speed of users or devices. This could be useful in a home office situation, for example, to prevent your kids from hogging all the bandwidth by video chatting while you're trying to get work done.
- Malware Scanning. Some routers offer virus, spyware, and ransomware scanning. This almost always requires a subscription to the manufacturer's supporting services to keep the definition files updated.
- Content Filtering. Many firewall routers offer the option to filter content such as known-malicious Web sites, spam, scams, and so forth, as well as Web sites that you simply don't want your employees accessing when they're supposed to be doing actual work.
- User Access Restrictions. This feature is useful if only some of your users need Internet access, if you want to prevent users from accessing non work-related sites, if you want to limit which users have access to servers, or in any other way restrict network and Internet access on a per-user or per-device basis.
- Advanced Logging. Keeps detailed records of network activity for a longer period of time than consumer-grade routers allow.
- Peripherals Support. Many routers have built-in servers that allow them to serve as hosts for external hard drives, printers, security camera systems, and other devices.
What is Your Budget?
This really should be the last question you ask when choosing something as important as a firewall. It's the thing you should consider only after you've narrowed your search down to those devices that will satisfy your needs and those of any providers who have a say in the matter. At a minimum, make sure that the router you choose is ICSA-certified. It at least shows an attempt at doing your due diligence to protect your customers' or patients' data. Saving a few dollars isn't worth your company's becoming the victim of ransomware, a data breach, or other cybercrime.