According to Parks Associates, “79 percent of consumers are concerned about the possibility of data security or privacy related issues.” These concerns are not unwarranted. Again, according to an article on the Parks Associates Blog, “40 percent of broadband households experience security/privacy-related problems with their connected devices annually. Among all IoT-related security breaches, malware tops the list. Other top breaches include man-in-the-middle attacks and brute force attacks.”
Securing a smart home begins with securing the home’s network, including its Wi-Fi. According to an article published by ZDNet, today’s consumer-grade routers have numerous security flaws that leave consumers open to attacks by hackers. Given this, adding additional hardware security devices to a network that can detect issues makes sense. In this article I’m going to focus on two of these devices: Fingbox and Firewalla.
There are a number of other network security devices available, of course, but I chose to focus on the Fingbox and Firewalla because, unlike many others, they don’t require a yearly subscription that, over time, will add significantly to the cost of ownership.
Securing Your Network with Fingbox
The Fingbox is a small white puck with a blue silicone cover that plugs into your network with an Ethernet cable connected to your router or an Ethernet switch. There are iOS and Android apps for interacting with the Fingbox.
The first thing to understand is that the Fingbox is not a firewall. It doesn’t monitor every data packet coming into or out of the network looking for potential hazards and filtering them. Instead, the Fingbox provides users with additional tools to help secure a network. In addition, because the Fingbox isn’t intercepting every packet, analyzing it, and then passing it along to its destination, it doesn’t have any impact on your network’s performance.
Fingbox Device Management
First, the Fingbox allows you to manage all the devices connected to your network, including automatically blocking all intruders and unknown devices that attempt to connect to it. When the Fingbox detects someone or something attempting to connect to your network, it will automatically block it and send you a notification. If, for example, you are adding a new IoT device to your smart home or you just gave a guest your Wi-Fi network password so they can connect their laptop to it, you can easily use the Fing app to unblock the device. On the other hand, you can also immediately investigate who is trying to break into your network with the knowledge that the Fingbox is blocking their access.
For legitimate devices that are part of your network, the app allows you to enter:
- A descriptive name for the device that will help you easily identify it
- Where the device is located in your home
- Any additional notes you may want to save about the device
Based on the information that the Fingbox has on this device, it will provide links to the manual, FAQ, support website, and other resources.
You can also block the devices’ access to your network at any time. This can be very useful if, for example, you misplaced your phone and are worried that someone might have stolen it and could use it to gain access to your network.
Here are additional protections and features offered by the Fingbox.
Attack detection includes the ability to:
- Block unknown devices that attempt to connect to your Wi-Fi network
- Detect an evil twin Wi-Fi access point that attempts to clone your Wi-Fi network’s signal
- Detect deauth attacks and Wi-Fi jamming
- Detect a new gateway (potentially a rogue router) being added to your network
Internet Outage Monitoring
Monitors for internet outages and sends notifications to devices where you’ve installed the Fing app should your internet go down.
The Fingbox includes a useful parental control feature: the ability to pause access to the internet. You can:
- Set up a schedule to pause internet access for an individual on specific days at specific times
- Pause an individual’s ability to access the internet on demand
- Pause a device’s ability to access the Internet on demand so you could turn off a game console’s ability to connect with an online game service
- Create family time by pausing internet access for all family members
The Fingbox includes three performance tools:
- Bandwidth Analysis
- Wi-Fi Performance Test
- Internet Speed Test
The Bandwidth Analysis function is somewhat limited by design. Under ideal circumstances it would continuously monitor the bandwidth used by your devices and provide you with the details of this analysis at any time. However, this would require constant monitoring of all of your network traffic. Without high-performance hardware, this could significantly slow down the network.
Instead, you get to choose just a few of your devices that you believe are the performance hogs on your network. Then, a short analysis takes place that looks at download speed. There are additional options for analyzing upload speed, download size, and upload size.
The Wi-Fi performance test allows you to walk around your home and watch how your position impacts your Wi-Fi speed. This allows you to find areas that suffer from connectivity issues that impact the speed of the connection to your device. This could lead you to adding Wi-Fi extenders or even moving to a multi-node mesh Wi-Fi system.
Finally, the Internet Speed Test simply provides you with a measure of the speed of your internet connection. This includes download speed, upload speed, and latency.
Once you have completed the test, you can use the results to compare your ISP with other local providers.
Smart Home Integration
A very useful feature in a smart home is to be able to detect when people are home. The Fingbox could do this through monitoring whether a person’s smart phone is connected to the home’s network. IFTTT triggers could then be used to tell a smart home processor/hub when someone leaves or arrives home to trigger automations within the home. For example, the smart home processor/hub could track each family member’s smart phone’s connection to the network and when the home isn’t occupied it can turn off all the lights, set back the thermostat, or make sure all audio/video gear is turned off, just as a few examples.
Conversely, when someone arrives home, their smart phone will connect to the network, and the Fingbox would generate an IFTTT trigger that could turn on pathway lights at night so the person can more safely enter the house and/or restore the home’s thermostat to its normal temperature setting.
In addition, because the Fingbox knows whose smart phone is connected to the network, a smart home processor/hub could even be programmed to start playing the person’s favorite music.
Unfortunately, IFTTT integration was recently “suspended” by Fing. The reason for this isn’t clear but it is a real loss because the Fingbox provided a very valuable way of detecting presence in a smart home.
The Fingbox includes the ability to scan any device for open ports. Normally, a router rejects all traffic it doesn’t recognize that is addressed to it from the internet. A port forward opens a hole in the router’s security to allow traffic that is addressed to the open port to enter. This can be useful if you, for example, want to remotely view an IP security camera from outside of your network when you aren’t home. However, hackers can use open ports to gain access to resources inside your network. Understanding what ports are open allows you to make educated decisions on whether you need to close them or not.
The Fingbox will perform a weekly vulnerability test to look for open ports that could give a hacker access to your network. In addition, using the app, you can perform this test manually or even scan for open ports on any device connected to your network.
The Fingbox’s web interface doesn’t provide all the functionality offered by the Fing app. Instead you simply are provided with a list of all your devices and the ability to dive in and see the detailed reporting provided on each device, such as its IP address, MAC address, manufacturer information, whether the device is online, most recent events that the Fingbox has recorded for the device, and more. You can also edit the name of the device, its location, add additional notes, mark the device as a favorite, and flag the device as important.
Hands on with the Fingbox
The Fingbox was released through Indiegogo in 2017. My personal experience is that I’ve found that some of the functions built into the Fingbox are very useful while other features are rarely, if ever, used. I’ve also found no noticeable impact to the performance of my network using the Fingbox.
Fingbox is very easy to set up. You simply connect it to your network using the supplied Ethernet cable and plug it in using the supplied power supply. After the Fingbox has booted up, you can connect to it with the Fing app. Finally, you go through a short procedure to provide the Fingbox with your location. The Fingbox will scan your network for all the connected devices, and it is ready to use.
The biggest hassle at this stage is working through the list of devices that the Fingbox discovered on your network and figuring out exactly what they are. For example, you may have a variety of Amazon Echoes scattered around your house, or multiple Wi-Fi smart switches from a variety of manufacturers. If you want the Fingbox to be a useful tool, you will need to enter a descriptive name for each device and its location. In other words, you want to know that the device with the IP address of 192.168.0.50 is really your kitchen smart switch, so if an issue arises with connectivity to that device the Fingbox can help you diagnose and solve the problem.
Needless to say, this can be a challenging process. Many devices will get reported based on the underlying manufacturer’s name that you won’t recognize. It takes some time and detective work to figure it all out. Once you work through the process, it is reasonably easy to maintain the device list because you typically only add new devices to your network one-at-a-time. So, when a new device shows up in the Fing app it is easy to identify and correctly name.
The most useful feature I’ve found has been the Fingbox’s ability to track all the devices connected to the network and block devices/people who attempt to connect to the network without permission. Any time a new device attempts to connect to the network, you immediately receive a notification and the device is blocked. This provides peace of mind that even if someone gets past your Wi-Fi password, there is a second layer of protection.
This feature isn’t without its downside. When you are working through the process of adding a new smart IoT device to your own home, it is initially going to be blocked. Then you have to unblock it using the app on your smart phone or tablet. However, by this time the setup procedure has usually gone into an error state that you have to work your way through. I could avoid this issue if I turned off the Fingbox auto block feature while I’m setting up a new device. Unfortunately, I’m usually too busy working with the new device to remember to do this.
A second feature I’ve found very useful is vulnerability scanning, which helps you figure out what ports may be open on your router and what ports each device on your network has open. It provides you with the information you need to plug these important security holes in your network’s security.
The Wi-Fi performance test helps you identify weak areas in your home’s Wi-Fi coverage. This can help you to move around the nodes of your mesh Wi-Fi system to provide better coverage or the knowledge that you need to purchase a Wi-Fi extender. Providing full Wi-Fi coverage in, and around, your home helps you in a number of ways:
- Family members can use their smart devices wherever they want without problems. For example, if you find you need to help a child with a school project and the biggest table to lay everything out on is in the dining room you don’t have any worries that this spot doesn’t provide the Wi-Fi coverage you need.
- When you add a new IoT device for your smart home, you can be assured that it will easily connect to your Wi-Fi network, and you aren’t trying to troubleshoot whether the network is at fault or your new device is defective.
I guess it is informative to receive a monthly email from Fing that tells me about my internet throughput and compares my data to my neighbors. But, if I really wanted to know my internet speed I could always go to Speedtest.net and easily find it out for myself.
It is very disappointing that Fing has suspended IFTTT integration. The smart home integration through IFTTT that allowed you to track occupancy was another nice feature. Most presence-sensing uses a geo-fence around your home in combination with the GPS in your smart phone. My personal experience with geo-fences is that they don’t create a tight enough border around your home. For example, going to a neighbor’s house for a party probably won’t be detected as your being away from your home. On the other hand, using Wi-Fi connectivity can provide too tight a border. For example, just working out in your yard might disconnect you from your home’s Wi-Fi and signal your smart home processor that you are away. I personally created a “debounce” feature in my smart home processor where the processor won’t assume that I’m away unless I’ve been continuously disconnected from Wi-Fi for a few minutes. I’m hoping that Fing brings back IFTTT integration in the future.
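As an added illustration (not the author's code), here is one way to implement that debounce in Python: a phone counts as away only after it has been continuously off Wi-Fi for an assumed three minutes, while a reconnect cancels the timer immediately, so a short dropout in the yard is ignored but a longer absence is reported.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Presence tracking from Wi-Fi association with a debounce on "away".
# Timestamps are seconds; AWAY_AFTER_S is an assumed value, not one from the article.
AWAY_AFTER_S = 180.0


@dataclass
class PhonePresence:
    """Tracks one phone. 'home' flips to False only after the phone has been
    continuously off Wi-Fi for at least away_after seconds; it flips back to
    True on the first sample that shows the phone connected again."""
    name: str
    away_after: float = AWAY_AFTER_S
    home: bool = True
    disconnected_since: Optional[float] = None
    events: List[Tuple[float, str]] = field(default_factory=list)

    def observe(self, ts: float, connected: bool) -> bool:
        if connected:
            # Any reconnection resets the debounce timer, so a short yard-work
            # dropout never produces an "away" event.
            self.disconnected_since = None
            if not self.home:
                self.home = True
                self.events.append((ts, "home"))
        else:
            if self.disconnected_since is None:
                self.disconnected_since = ts
            elif self.home and ts - self.disconnected_since >= self.away_after:
                self.home = False
                self.events.append((ts, "away"))
        return self.home


def household_occupied(phones: Dict[str, PhonePresence]) -> bool:
    """The house counts as occupied while any tracked phone is still 'home'."""
    return any(p.home for p in phones.values())


def run_scenario() -> PhonePresence:
    """Constructed sample timeline for one phone, polled every 30 s:
    a 60 s dropout while in the yard (no event), a 15 minute absence at a
    neighbour's (one 'away' event), then the return home (one 'home' event)."""
    phone = PhonePresence("alice-phone")
    samples = [(t, True) for t in range(0, 100, 30)]        # at home
    samples += [(100, False), (130, False)]                 # out in the yard
    samples += [(t, True) for t in range(160, 600, 30)]     # back inside
    samples += [(t, False) for t in range(600, 1500, 30)]   # at the neighbour's
    samples += [(t, True) for t in range(1500, 1600, 30)]   # home again
    for ts, connected in samples:
        phone.observe(ts, connected)
    return phone


if __name__ == "__main__":
    for ts, event in run_scenario().events:
        print(f"t={ts:>5.0f}s  {event}")
```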
Overall, I’ve found the Fingbox to be a useful tool for a reasonable price. It is easy to use, doesn’t impact your network’s performance, and provides additional peace of mind.
Securing Your Network with Firewalla
Unlike the Fingbox, Firewalla is a true firewall. According to Cisco, “A firewall is a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules. Firewalls have been a first line of defense in network security for over 25 years. They establish a barrier between secured and controlled internal networks that can be trusted and untrusted outside networks, such as the internet. A firewall can be hardware, software, or both.”
Firewalla Red was first introduced on both Kickstarter and Indiegogo back in 2017. Since then Firewalla has introduced two additional models, the Firewalla Blue and Firewalla Gold.
Other than the color of the case, Firewalla Red and Blue models look identical. Firewalla recommends that those people with internet speeds of less than 100 Megabits and fewer than 50 devices choose Firewalla Red. They recommend Firewalla Blue for those with internet speeds greater than 100 Megabits and “lots of devices.” Firewalla Gold is an emerging product. It has four Gigabit ports and the processing power of six Firewalla Blue models or 30 Firewalla Red models. For the writing of this article, I purchased a Firewalla Blue.
If you purchase a Firewalla Blue, don’t be surprised when you open the box: it is a tiny device. In fact, it is only 1.8 x 1.8 x 1.2 inches. It has a network port, micro USB power port, and a MicroSD storage port. The tiny size means that it will be able to fit almost anywhere.
Traditionally, firewalls had two Ethernet ports and were placed in your network so that all traffic had to go through them. Firewalla has only a single Ethernet port and instead uses ARP (Address Resolution Protocol) spoofing to tell each device on your network that it is the router. All these devices will then send all their network traffic to the Firewalla. The Firewalla will then examine all the data packets for issues before passing them along to the router. Because this depends on each device accepting the Firewalla’s ARP replies, a device that ignores them, or one you have excluded from monitoring, is not inspected. Alternatively, Firewalla can create a second network with a different addressing scheme than the one used by your router and use this to force all traffic through it. Firewalla includes a compatibility list on their web site that will help guide you through these options along with other settings that need to be changed based on which router you own.
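The interposition described above is visible from any client’s ARP table, and it is the same kind of change a “new gateway” alert rests on. The following is an added example (not Fingbox or Firewalla code) that compares two constructed `ip neigh show` snapshots for an assumed router at 192.168.0.1 and flags when the MAC answering for that IP changes or is shared with another IP.

```python
import re
from typing import Dict, List

# Constructed `ip neigh show` output from one client at two points in time
# (sample data, not a real capture). 192.168.0.1 is the router; de:ad:be:ef:00:77
# is assumed to be a second box that has started answering ARP for the router's IP.
GATEWAY_IP = "192.168.0.1"

SNAPSHOT_BEFORE = """\
192.168.0.1 dev wlan0 lladdr aa:bb:cc:00:00:01 REACHABLE
192.168.0.50 dev wlan0 lladdr aa:bb:cc:00:00:50 STALE
192.168.0.77 dev wlan0 lladdr de:ad:be:ef:00:77 REACHABLE
192.168.0.99 dev wlan0 FAILED
"""

SNAPSHOT_AFTER = """\
192.168.0.1 dev wlan0 lladdr de:ad:be:ef:00:77 REACHABLE
192.168.0.50 dev wlan0 lladdr aa:bb:cc:00:00:50 STALE
192.168.0.77 dev wlan0 lladdr de:ad:be:ef:00:77 REACHABLE
"""

# IPv4 neighbour entry with a resolved link-layer address; FAILED/INCOMPLETE
# lines carry no lladdr and are skipped.
NEIGH_RE = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+) dev (\S+) lladdr ([0-9a-f:]{17}) (\S+)$", re.I
)


def parse_neigh(text: str) -> Dict[str, str]:
    """Map IP -> MAC (lower-cased) from `ip neigh show` output."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(3).lower()
    return table


def gateway_alerts(baseline: Dict[str, str], current: Dict[str, str],
                   gateway_ip: str) -> List[str]:
    """Two checks behind a "new gateway" alert:
    1. the MAC answering for the gateway IP differs from the recorded baseline;
    2. that MAC also answers for other IPs, which is what a device interposing
       itself via ARP looks like from a client (its own IP plus the router's)."""
    alerts: List[str] = []
    old, new = baseline.get(gateway_ip), current.get(gateway_ip)
    if old and new and old != new:
        alerts.append(f"gateway {gateway_ip} MAC changed {old} -> {new}")
    if new:
        shared = sorted(ip for ip, mac in current.items()
                        if mac == new and ip != gateway_ip)
        if shared:
            alerts.append(f"gateway MAC {new} also answers for {', '.join(shared)}")
    return alerts


if __name__ == "__main__":
    before = parse_neigh(SNAPSHOT_BEFORE)
    after = parse_neigh(SNAPSHOT_AFTER)
    print("no change:", gateway_alerts(before, before, GATEWAY_IP))
    for alert in gateway_alerts(before, after, GATEWAY_IP):
        print("ALERT:", alert)
```

A replaced router trips the first check as well, so the alert is a prompt to confirm the change (for example by marking a box you installed yourself as trusted) rather than proof of an intruder.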
Viewing Data Usage
The Firewalla app displays a graphical view of the data uploaded and downloaded to/from the internet over time. You can also look at each device and similarly see the data uploaded and downloaded. If you feel that there is something wrong, you can easily block a device’s ability to access the internet.
This is a good time to point out that a big difference between the Fingbox and Firewalla is that diving into the Firewalla requires much more depth of knowledge than the Fingbox. It is a good example of the statement “with great power comes great responsibility.” For example, you might not think a smart device needs to upload data to the internet but blocking it could lead to the device not being able to work properly.
Firewalla can block some ads from appearing when you are browsing web sites. Firewalla admits that because of their commitment to user privacy their blocking technology will not be as effective as some of the browser add-on ad blockers. Also, like other ad blockers, web sites may detect what Firewalla is doing and limit your access to their site.
Firewalla includes various alarms for conditions it detects in the network. These include:
- New device found
- Device online/offline
- Cyber attack
- Abnormal upload of data
- Connecting to a Virtual Private Network (VPN) server
- Malware download
- Open port
- User activity including access to porn sites, gaming, and watching video.
- Bandwidth Usage including an alert when a device is consuming a large amount of available bandwidth and the ability to track bandwidth usage against your monthly Internet plan
Alarms provide different options depending what the alarm is for. For example, an alarm for a new device provides the ability to block the device and eliminate its ability to access the internet. If you no longer want to view an alarm every time one of your family members is watching YouTube, you can mute that alarm.
Because Firewalla is examining all the IP traffic on a network, rules can be created to block specific network traffic. For example, a rule can be created to block all network traffic to a specific domain name to/from all devices or even a specific device. The rule can either be in effect all the time or on a schedule. Similarly, network traffic can also be blocked to/from a specific IP address. Finally, network traffic can be blocked to/from a category of domains. For example, a rule could be created to block access to social media sites from 9pm to 8am on weeknights. Gambling sites, porn sites, video sites, and other common categories of web sites can also be blocked. Firewalla keeps these categories updated with lists of web sites that fit within each category.
In “early access” is the ability to create exceptions to blocking rules called “Allow Rules.” For example, a rule could block access to all social media sites with the exception of allowing access to Twitter.
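To make the block, allow and schedule interaction concrete, here is an added Python example (not Firewalla’s rule engine) with constructed category lists: a weeknight social-media block whose window wraps past midnight, an allow rule that exempts Twitter, and a block on one game server for a single console.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import FrozenSet, List, Optional

# Constructed category lists standing in for the ones Firewalla maintains
# (assumption: a category is just a set of domains).
CATEGORIES = {
    "social": {"facebook.com", "twitter.com", "instagram.com"},
    "video": {"youtube.com", "netflix.com"},
}
WEEKDAYS = frozenset({0, 1, 2, 3, 4})  # Monday .. Friday


def _under(host: str, domain: str) -> bool:
    """True for the domain itself and any subdomain of it."""
    return host == domain or host.endswith("." + domain)


@dataclass(frozen=True)
class Rule:
    action: str                            # "block" or "allow"
    domain: Optional[str] = None           # one domain (and its subdomains) ...
    category: Optional[str] = None         # ... or a whole category
    device: Optional[str] = None           # MAC of one device; None = every device
    days: Optional[FrozenSet[int]] = None  # weekday numbers; None = every day
    start: Optional[int] = None            # window start, minutes after midnight
    end: Optional[int] = None              # window end; start > end wraps past midnight

    def matches(self, device: str, host: str) -> bool:
        if self.device is not None and self.device != device:
            return False
        if self.domain is not None:
            return _under(host, self.domain)
        if self.category is not None:
            return any(_under(host, d) for d in CATEGORIES[self.category])
        return False

    def active(self, when: datetime) -> bool:
        if self.start is None or self.end is None:
            return self.days is None or when.weekday() in self.days
        minute = when.hour * 60 + when.minute
        day = when.weekday()
        wraps = self.start > self.end
        if wraps and minute < self.end:
            # 07:00 on Tuesday belongs to the window that began Monday evening.
            day = (day - 1) % 7
        if self.days is not None and day not in self.days:
            return False
        if wraps:
            return minute >= self.start or minute < self.end
        return self.start <= minute < self.end


def decide(rules: List[Rule], device: str, host: str, when: datetime) -> str:
    """Default is allow. An active allow rule wins over any active block rule,
    which is how an "Allow Rules" exception punches a hole in a category block."""
    active = [r for r in rules if r.matches(device, host) and r.active(when)]
    if any(r.action == "allow" for r in active):
        return "allow"
    return "block" if any(r.action == "block" for r in active) else "allow"


def decide_at(rules: List[Rule], device: str, host: str, iso: str) -> str:
    """Convenience wrapper taking an ISO 8601 timestamp such as 2024-01-09T22:00."""
    return decide(rules, device, host, datetime.fromisoformat(iso))


# Constructed rule set: social media off 21:00-08:00 on weeknights for everyone,
# Twitter exempted, and one game server blocked for a single console at all times.
RULES = [
    Rule("block", category="social", days=WEEKDAYS, start=21 * 60, end=8 * 60),
    Rule("allow", domain="twitter.com"),
    Rule("block", domain="game.example", device="aa:bb:cc:00:00:50"),
]

if __name__ == "__main__":
    phone, console = "aa:bb:cc:00:00:10", "aa:bb:cc:00:00:50"
    for iso in ("2024-01-09T22:00", "2024-01-10T07:30", "2024-01-13T22:00"):
        print(iso, "facebook:", decide_at(RULES, phone, "www.facebook.com", iso),
              "twitter:", decide_at(RULES, phone, "twitter.com", iso))
    print("console game.example:", decide_at(RULES, console, "game.example", "2024-01-09T12:00"))
    print("phone game.example:", decide_at(RULES, phone, "game.example", "2024-01-09T12:00"))
```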
Dynamic DNS (DDNS)
A router allocates IP addresses to devices on a network using a built-in Dynamic Host Configuration Protocol (DHCP) server. To manage the pool of addresses it has for devices, the router may change a device’s IP address over time. Your router also has a public IP address that is given to it by your ISP. If you want to access your network from the Internet you could do it using your router’s public IP address. But, just like your router, your ISP manages the pool of IP addresses it has and might change your router’s public IP address at any time. Firewalla will track your router’s IP address and provide you with a friendly name (similar to a web site address) that can be used to access your system from the Internet.
Firewalla creates a list of all the devices on your network. To manage the list there are various ways to sort the list or you can quickly search the list for a specific device.
Once you’ve located the device you are interested in you can:
- View the device’s information including its IP Address, MAC address, and more
- View the amount of data the device has uploaded and downloaded to/from the Internet
- View any alarms that Firewalla has generated about the device’s behavior
- Block the device’s Internet access
- Block the device from gaming sites, social media sites, video sites, or porn sites
- Disable monitoring of the device by Firewalla. For example, Firewalla requires that you disable monitoring of mesh networking satellites of most mesh networking routers
- Enable or disable Safe Search for that device
- Create a local domain name for the device so you can access the device without having to remember its IP address
- View any rules you’ve created for the specific device
- Enable or disable a device’s ability to participate in a client VPN network connection
- Enable or disable Ad Block
- Enable or disable DNS over HTTPS to have all your network name resolution calls be encrypted
- Device Groups – This feature is currently in “early access”. It allows for devices to be placed into groups and the rules can be easily applied to all devices in a group. For example, a computer group that includes all the laptop and desktop computers in a home could universally have ad block turned on/off.
DNS over HTTPS
Whenever you, for example, access a web site on the internet through a browser, the first thing that happens is that the name you entered for the web site (www.firewalla.com) is translated into its IP address by a domain name server on the Internet. The call from your computer to the domain name server is unencrypted and can be monitored by your ISP. Firewalla offers to encrypt this data for you by using the secure HTTPS protocol for these name lookups. If you enable this feature you should check that it isn’t slowing down your Internet access.
Family protect mode filters out violent and porn material.
Firewalla provides two lists of ports that are open on your router. First, it provides a list of ports that are open by scanning your public IP address from a Firewalla server. Second, it provides a list of ports that have been opened by devices on your network using the Universal Plug and Play (UPnP) protocol. A device may open a port for very legitimate reasons. For example, it could be required for an IoT device’s server to contact it and perform a firmware update. On the other hand, a device could open a port to enable remote user access when you have no plans of ever using that feature. In that case Firewalla gives you the ability to block that port.
As part of its parental control features, Firewalla will work with the Safe Search feature supported by major search engines. Safe Search automatically filters out pornographic, offensive and inappropriate content from search results.
The Firewalla includes the ability to connect your home network to another network through a secure tunnel across the internet. This is similar to your smart phone on a public Wi-Fi network using a VPN service to connect securely to other resources on the Internet. For example, your home network could be connected to your work network so you could seamlessly browse resources on both networks from either location.
Most people are familiar with using a VPN client while on a public Wi-Fi network to create a secure connection to the internet so your activity can’t be monitored. The Firewalla includes the ability to turn your home into a VPN server. You can then connect securely to your home network from a public Wi-Fi network and use your home’s internet connection to access the internet from the device you are using. It is important to understand that surfing will now count against any data caps that your ISP enforces but it saves you the cost of subscribing to a separate VPN service.
Firewalla has a web interface that is currently in beta testing phase. However, I found it to be stable and full featured. The interface is found at my.firewalla.com and accessed by scanning the displayed QR code with the Firewalla app on your smart device.
The web interface offers you:
- A dashboard that gives you insight into data uploads and downloads taking place to/from your network and the devices performing them
- Alarms that have been generated by your Firewalla
- A list of all the devices on your network with the ability, just like the app, to dive into all the details and perform actions on each device
- Information about your network
- A reports tab that isn’t implemented yet
Hands On with the Firewalla
Once you get over the shock of how small the Firewalla is when you open the box for the first time, the next thing you’ll notice is that there aren’t any instructions included. Instead there is just a small printed card that points you to the installation guide on the Firewalla web site. First the guide will instruct you to download the app. Next it includes a number of wiring examples for connecting the Firewalla to your network depending on whether you have a combined modem/router, separate modem/router, mesh Wi-Fi system, etc. Next the guide walks you through pairing the app with your Firewalla using the QR Code sticker on the bottom of the Firewalla. Finally, the guide takes you through the automated setup as the Firewalla explores your network.
The installation also includes links to additional information, such as the online user manual and troubleshooting guide. It also includes some additional information for users of mesh Wi-Fi systems including a recommendation to disable monitoring of mesh satellites.
Just like the Fingbox, the biggest challenge when you first install the Firewalla is that it creates a list of all your network-connected devices and you have to work through it adding your own descriptive names. Once that process is complete, the notifications that the Firewalla starts sending you are ones that can help you understand potential issues on your network. For example, Firewalla immediately started warning me about the potentially abnormal data uploads that my Sense energy monitor was making along with the destination of those uploads. I happen to know that those uploads were legitimate, but if a different IoT device started uploading large amounts of data to an unknown web server I would suspect it was up to no good and stealing data from me.
Unfortunately, Firewalla only gives me two choices if I want to mute this alarm:
- I could mute the specific server that the data was being uploaded to for all devices on my network
- I could mute the entire domain that the data was being uploaded to for all devices on my network
I can’t directly mute uploads to this server or domain for just my Sense energy monitor. In this case the data was going to the Amazon web services cloud and a wide range of devices might upload data to Amazon.
Firewalla does provide a method of muting uploads to a specific destination for a specific device. But, it is hidden four tiers deep in the Firewalla app’s menus. Instead of being so difficult to find this should be the easiest option to choose when muting an abnormal upload alarm.
In spite of this, I found that the traffic monitoring alarms were one of the most valuable capabilities of Firewalla for me. Like the Fingbox’s ability to instantly block devices that attach to your network it offers peace of mind that your network is secure.
Families with children living at home may also find all the parental controls very useful. The ability to turn on safe search for any devices that children are using to automatically filter out pornographic, offensive and inappropriate content from search results would be very useful for parents.
Using your own home network as a VPN server for secure internet access when using a public network can definitely save people from purchasing this service from a VPN provider. However, you just need to be aware that your data usage is going to be calculated against your ISP’s data cap so watching hours of video may cost you extra when you receive your monthly bill depending on your internet plan.
Finally, DNS over HTTPS provides an added layer of privacy that keeps your ISP from knowing what web sites you have been frequenting.
Many features of the Firewalla are easy to use, such as parental controls. However, configuring VPN server settings, blocking rules (other than those built in such as social media blocking, gaming, and porn), and other advanced features are more complex. Firewalla tries to make these features as easy as possible to use but they do require a more advanced level of networking knowledge.
Using Fingbox and Firewalla Together
Fingbox and Firewalla are complementary in many ways and can coexist on a network for added security, but there are limitations. My Fingbox was installed first, so this is from the point of adding a Firewalla to a network that already includes a Fingbox. When the Firewalla was installed and set up, the first thing that is needed is to find a device in the device list called “IEEE Registration Authority.” This is the Fingbox. In the device’s settings in the Firewalla app you will just need to turn off monitoring of the Fingbox.
In posts I found online, other people received alerts from their Fingbox about the Firewalla, and you would simply need to set the Firewalla to “Trusted.” However, I never received any alerts and didn’t need to do this. This was somewhat concerning because the Firewalla’s use of ARP to monitor network traffic should have triggered the Fingbox’s detection of a potentially rogue gateway being added to my network.
With both boxes operating on the same network, I didn’t notice any issues with the Firewalla. However, the Fingbox lost its ability to identify or block new devices being added to the network. While I preferred the Fingbox’s feature of automatically blocking new devices as they tried to connect to the network, I found myself forced to use the Firewalla’s manual device blocking implementation. And, since I wasn’t seeing new devices appear in the Fingbox’s devices list, performing an open port scan on a device wasn’t possible either.
While there is still some value in installing both devices on your network, my recommendation is to choose the one that will best meet your needs.
As I outlined above, I have my favorite features on both devices that make them both valuable tools. If you have to choose just one, for those with limited knowledge of networking the Fingbox will probably work better for you. For those with more advanced skills you will enjoy the added abilities that the Firewalla offers.