The Firewalla Gold offers home users a network filter, router, and security engine in a compact hardware case, guarding their high-speed internet connection against attacks from both outside the network and compromised devices inside it. It also offers ad blocking, parental controls, and a Social Hour that disables social-network access for 60 minutes, to, say, spend time away from the screens.
We reviewed the Firewalla Gold, which costs US$499 (AU$664) when it isn't on sale, but the Firewalla Blue Plus offers all necessary features for most households for just US$189 (AU$251).
It's not a new idea to insert a hardware gateway between an internal network and the rest of the internet to inspect data and connections in real time, and make decisions about what should pass and what shouldn't, and trigger alerts about dangerous activity. But most devices with enough power to be useful require a network IT-tech level of knowledge or the willingness to fumble around in a hard-to-understand web-based administrative interface.
The Firewalla, by contrast, is a compact, modern option appropriate for homes and a user with just average network knowledge. Its smartphone app interface is crisp, easy to use, and, most importantly, comprehensible.
Some of its features can be found in advanced home routers or in broadband modem/router combinations offered by ISPs. But those hardware options can't match the breadth of Firewalla's features, nor, in most cases, the simplicity and depth. Having a dedicated device focuses utility.
The Firewalla dashboard reveals its breadth and user-friendliness.
Detecting, deterring, and shaping internet traffic
Plug in the Firewalla, perform a few setup operations via a smartphone app (including validating physical possession by scanning a QR Code), and let it quietly churn away for a few minutes scanning network traffic and completing its setup. The app then reveals a number of choices you can make for alerts, monitoring, prioritization, and blocking, among other available features.
The Firewalla Gold has a four-port internal Ethernet switch and a separate WAN port for a connection to either the rest of a network or to a broadband modem. The best value for a device of this kind is to sit between your modem or your main router or gateway. The Gold model can also perform all routing functions. (The less-expensive Blue Plus can sit as a bridge between a router and the rest of a network.)
During the initial setup, the Firewalla can scan the internal network for devices known to have compromises, a bigger concern than having your computers, phones, or tablets attacked directly from the internet. Now, attempts to hijack machines come from devices within your network that have been remotely and automatically hijacked by malware. These local devices are typically ignored by Wi-Fi gateways and ISP routers, even though their trusted status lets them more easily attempt to infect local devices or launch attacks as part of a coordinated army of zombies to take down other networks.
The Firewalla interface has a cleanly presented dashboard that shows some network statistics and then offers settings categories like Ad Block, Family, Open Ports, and Network, as well as substantially more advanced ones. You can tap one of these items and drill down into viewing and analyzing information or configuring options. You can also tap a link showing the count of networked devices and then set policies individually by device, or create groups to apply policies to sets of devices.
Ad Block and Family let you enable filters to block well-known ad-serving sites and violent and pornographic content. For the former, Firewalla provides no information about how it has assembled its ad-blocking list and offers just Default and Strict labels as options. Ad blocking can be restricted to specific devices. The Family section offers choices to block sites and search results, relying entirely on the free consumer flavor of OpenDNS, a service that can be used without Firewalla simply by changing a device or router's DNS servers.
I tested its malware awareness by visiting research sites that list malware specifically to test detection, and the Firewalla provided the appropriate blocking and alerts.
Firewalla Gold includes two different kinds of VPN servers, both open-source projects, and a VPN client. The servers let you connect securely to your home network and its internet connection via a standard VPN from wherever you are in the world. The client can pass traffic from an individual device to a commercial VPN (Firewalla suggests an Apple TV, which would be a way to let you bypass country-locked restrictions), create a secure VPN tunnel between two Firewallas, and other possibilities.
Configure your LAN ports. Image: Firewalla
Users with more sophisticated network needs or interests might like the professional-level features for creating separate physical networks from each of the router's LAN ports, so you can conduct network security as separate Ethernet chains. You can also create VLANs (virtual networks) for creating a logical separation across physical networks. There are also options to prioritize and control network flows to downgrade video over more work-related purposes—or vice versa!
Firewalla offers iPhone and Android apps, required for initial setup. However, it also provides access via a web app that relies on a clever use of end-point encryption. On loading the web app, you have to authenticate access via a smartphone app by scanning a QR Code displayed in the browser. This passes an encryption key securely into the web app that's only stored locally. This approach prevents other parties, including Firewalla, from accessing the data.
The Gold model of Firewalla, the model we reviewed, contains every feature the company offers in any router, but has the hefty price of $499. The firm says it can handle data flows of over 3Gbps, making it appropriate for a home with gigabit internet. However, if you don't need advanced physical or logical LAN configuration features and have a network connection of 500Mbps or less, the much less expensive Blue Plus, at $199, will fit the bill.
The smartphone app is required for Firewalla setup, but a web interface is also available. Image: Firewalla
The bottom line
The Firewalla Gold performed as expected operating off a leg of a home network: It blocked malware, tracked behavior, discovered devices, reported internet-accessible ports, prevented ads from loading, and provided a treasure trove of insight into what the devices on my network were up to. The company needs to provide more transparency about how it assembles its ad-blocking list, and should consider licensing safe-site lists to integrate directly instead of using OpenDNS indirectly.
The Firewalla Gold or Blue Plus should be configurable enough and provide enough feedback about its actions to suit anyone who wants the degree of control provided, plus extras like a built-in VPN connection. Particularly nice? No recurring fees.