Peplink Balance Firewall reliability


#1

How does Peplink’s firewall compare to other standalone firewall products? What security grade does it offer compared against other products such as Sonicwall, Fortigate, etc.? Is it safe to use just the built-in firewall, avoiding a third-party external firewall? Are there any certifications?


#2

Hi @ReexNeex,

I think comparing Peplink’s built-in firewall to an actual firewall is an unfair comparison.
We have to keep in mind that the Peplink Balance family are high-end routers, not firewalls.

What are you trying to achieve?
What kind of security are you looking for?

I’m pretty sure we have some very knowledgeable people on this forum who can help you make the right choice.
But they will probably need some more information about your application. :smiley:


#3

Thanks Joey, we are a small school currently using a Balance One as a multi-WAN failover and balancing facility; however, I wonder how strong the firewall is against tampering attempts from the outer Internet.


#4

Hello @ReeXNeeX,
If you set up your Peplink Balance One so it is managed from InControl2 following this guide, and ensure that you have 2FA enabled, then you will find the router’s security to be fairly robust.

I highly recommend that you work through these guides from @Alan and let us know how you go.

Happy to Help,
Marcus :slight_smile:


#5

Thank you Marcus,
You mean that from a pure strength perspective the built-in firewall is sufficient to manage external attacks? Are there any reports of security breaches, or some independent test of the built-in firewall’s strength?


#6

Like many other commercial routing products out there, Peplink devices run Linux, and the principal firewall tool of Linux is iptables (which I suspect is in use on Peplink’s devices). iptables is a tried and tested firewall. It is stateful, which is important, but otherwise just does what it says on the tin and does it well. It is super robust and relied on by just about every business out there in one form or another, on home and business routers, on smartphones and tablets, etc. Peplink devices also come with intrusion detection and DoS prevention capabilities (if you haven’t got them turned on, go do that now in Network > Firewall | Access Rules) which add another layer of security.

I used to manage a 30+ site WAN infrastructure built on Peplink Devices for a company that did UK government contract work which included working with medical records on clients.

Naturally, network and information security was of high importance in that kind of environment. We were penetration tested by an independent infosec company every 6-12 months. In the 5-year period up to when I left the company, the Peplink firewall element was never breached. You’ll notice that I said the ‘firewall element’ was never breached. On a number of occasions in the early days the penetration testers were able to bypass firewall security on the Peplinks because of configuration errors.

Apart from perhaps us humans - and the social engineering attacks we can all be susceptible to - device and system configuration errors are where the biggest network security flaws exist.
Leaving a router with the default Admin/admin username/password, or forgetting to restore a temporary firewall / routing change you made to give you elevated access to a server or system to fix a remote user issue - those errors are the chinks in your network armour that a malicious user can exploit to make changes to your infrastructure to give them access to areas they shouldn’t be able to get near.

A well and correctly configured Peplink firewall is just as ‘strong’ and secure as any other vendor’s firewall when it comes to the routing (or blocking) of packets. That said, I know of many Peplink partners who will only ever deploy Peplink Balance and MAX routers behind an additional security device - why is that, if the firewall on a Peplink is as good as any other?

Blocking packets may be what a firewall does, but packet-level blocking is only a small piece of threat management when it comes to network security. I might block all traffic on my Peplink firewall apart from that required to access an internal web server, for example, but what if an attacker manages to find an exploit on that server, install their own code and then use it to attack devices deeper within my network, or as a bot to attack or send spam to others? A firewall alone will not protect my network, data or reputation in that case.

That’s why there are so many security device vendors out there; Sonicwall, Watchguard and Fortinet, for example, all make some form of unified threat management appliance, which will include - as a tiny element of what it does - a stateful firewall component.

On top of that they offer things like network level antivirus, spam and phishing email filters, intrusion detection, web content filtering, deep packet inspection, layer 7 firewall capabilities, additional secure remote user access options with two factor authentication as well as a host of other capabilities all designed to be used to make your network safer, more secure, to keep a close eye on the activities of both users and devices on your network to spot anomalies and to mitigate network security risks for your business.

With that in mind, @Joey_van_der_Gaag’s comment above about it being unfair to compare the firewall capabilities of a Peplink device against the raft of features in a dedicated or specialist security appliance is understandable.

Peplink devices are primarily load balancing, multi-WAN bonding routers and they are world-class in that respect - I really wouldn’t use anything else for that job, but when I have a customer that needs to protect sensitive data, that needs to provide comprehensive large-scale secure remote access capabilities, network-level antivirus and deep packet inspection, I don’t hesitate to put a UTM appliance in circuit too.

Importantly, even when I’m using a UTM, I always have a Peplink at the edge of the network managing connectivity, as no matter how clever a security appliance might be, I don’t trust any of them as much as my Balance and Max routers to keep me and my customers reliably connected.
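Post #6 puts the real risk on configuration errors, in particular a temporary "open this port so I can fix something" rule that never gets removed. The script below is an added example, not code from the forum or from Peplink: it audits a current ruleset against an approved baseline and flags any ACCEPT rule that was not in the baseline. Both rulesets are constructed samples in iptables-save format, on the assumption (as the post itself only suspects) that the device's firewall is iptables-based; the hosts, ports and chain names are invented.

```python
"""Audit a firewall ruleset against an approved baseline (added example)."""
from __future__ import annotations
import re

# Constructed baseline: default-deny, stateful return traffic, one published
# HTTPS server. Assumed iptables-save format; the addresses are invented.
BASELINE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -d 192.0.2.10/32 -p tcp --dport 443 -j ACCEPT
COMMIT
"""

# Constructed "current" state: an admin opened RDP to an internal server to
# fix a remote-user issue and forgot to take the rule out again.
CURRENT = BASELINE.replace(
    "COMMIT",
    "-A FORWARD -d 192.0.2.20/32 -p tcp --dport 3389 -j ACCEPT\nCOMMIT",
)

RULE_RE = re.compile(r"^-A\s+(\S+)\s+(.*)$")


def parse_rules(dump: str) -> set[str]:
    """Return the set of '-A <chain> <match> -j <target>' rules, whitespace-normalised."""
    rules: set[str] = set()
    for line in dump.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.add(f"{m.group(1)} {' '.join(m.group(2).split())}")
    return rules


def drift(baseline: str, current: str) -> dict[str, list[str]]:
    """Rules present now but not in the baseline, and baseline rules now missing."""
    base, cur = parse_rules(baseline), parse_rules(current)
    return {"added": sorted(cur - base), "removed": sorted(base - cur)}


def risky_additions(report: dict[str, list[str]]) -> list[str]:
    """Added rules that open traffic (ACCEPT) rather than restrict it."""
    return [r for r in report["added"] if r.endswith("-j ACCEPT")]


if __name__ == "__main__":
    for rule in risky_additions(drift(BASELINE, CURRENT)):
        print("unapproved ACCEPT rule still present:", rule)
```

Run it periodically against a saved baseline (or from the same change ticket that opened the hole) so a forgotten temporary rule is caught by you rather than by the next penetration test.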