Wednesday, April 17, 2019

New Next Gen Firewall for Home & Small/Med Business

Hey guys, I wanted to get a post out regarding a hardware firewall I have been working on for the last 4.5 months. As of today, it is about 95% complete. Here is a little bit about it. The intended market is standard consumers and small businesses. It is entirely plug and play with default security features, with only the default user/pass needing to be changed if you are not tech savvy.

Its primary security feature is a DNS proxy. All signatures are maintained by me and can be updated from my servers, along with system updates, through the update feature.

The DNS proxy includes some standard categories like social media, P2P, drugs, etc., as well as malicious, crypto miner (browser hijacks), advertisements, and telemetry.

Along with the standard categories is a keyword search function that I will maintain; it looks for keywords in domains, is only active if enabled, and only for enabled categories.

Lastly, TLD blocking is included, which is a list of the top known TLDs associated with high amounts of malicious traffic/domains.

There is also a feature to allow up to 5 user-created categories.

Of course, with all this comes the ability to whitelist/blacklist any domain, or bypass most filters based on IP address. The intended use case for the IP whitelist is to apply parental filters and then whitelist the parents' IP addresses in conjunction with a DHCP reservation. When an IP whitelist is used, all of the malicious-related categories will still be filtered.
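The filtering rules above (category lists, keyword search for enabled categories only, TLD blocking, per-domain whitelist/blacklist, and an IP bypass that never lifts the malicious categories) only behave sensibly if they are evaluated in a fixed order. The following is an added example written for this post, not code from the DNX-FWALL repository; the policy structure, the category and list names, the sample domains (all under reserved `.example`/`.test` names) and the decision to treat the TLD list as a malicious-related category are assumptions made for illustration.

```python
"""Added example: precedence of DNS-proxy filter rules.

Order evaluated here (an assumption, not DNX-FWALL's own logic):
  1. explicit domain whitelist, then explicit domain blacklist
  2. category matches (domain lists + keywords, enabled categories only)
  3. TLD block list (treated as malicious-related)
  4. client-IP bypass, which drops every hit except malicious-related ones
"""
from dataclasses import dataclass, field

# Categories an IP bypass is never allowed to lift (assumed set).
MALICIOUS_CATEGORIES = frozenset({"malicious", "cryptominer", "telemetry", "tld"})


@dataclass
class Policy:
    enabled: set            # categories switched on by the admin
    domains: dict           # category -> set of domains (subdomains inherit)
    keywords: dict          # category -> substrings matched against the name
    blocked_tlds: set       # last label only
    whitelist: set = field(default_factory=set)
    blacklist: set = field(default_factory=set)
    ip_bypass: set = field(default_factory=set)   # e.g. the parents' reserved IPs


def _normalize(qname: str) -> str:
    # DNS names are case-insensitive and often arrive with a trailing dot.
    return qname.rstrip(".").lower()


def _parents(name: str):
    # Yield the name and each parent domain so sub.a.example matches a.example.
    labels = name.split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def categorize(policy: Policy, name: str) -> set:
    """Return the enabled categories whose domain list or keywords match."""
    hits = set()
    for cat in policy.enabled:
        doms = policy.domains.get(cat, set())
        if any(p in doms for p in _parents(name)):
            hits.add(cat)
        # Keyword search runs only for categories that are enabled.
        if any(kw in name for kw in policy.keywords.get(cat, ())):
            hits.add(cat)
    return hits


def decide(policy: Policy, qname: str, client_ip: str):
    """Return ("allow" | "block", reason) for one query from one client."""
    name = _normalize(qname)
    # 1. Explicit per-domain overrides win; whitelist beats blacklist.
    if any(p in policy.whitelist for p in _parents(name)):
        return "allow", "whitelist"
    if any(p in policy.blacklist for p in _parents(name)):
        return "block", "blacklist"
    # 2. Category lists and keywords.
    hits = categorize(policy, name)
    # 3. TLD block list, compared against the last label only.
    if "tld" in policy.enabled and name.rsplit(".", 1)[-1] in policy.blocked_tlds:
        hits.add("tld")
    if not hits:
        return "allow", "no match"
    # 4. IP bypass lifts parental categories but never malicious-related ones.
    if client_ip in policy.ip_bypass:
        hits &= MALICIOUS_CATEGORIES
        if not hits:
            return "allow", "ip bypass"
    return "block", ",".join(sorted(hits))


def sample_policy() -> Policy:
    # Constructed sample data; every name here is made up for the example.
    return Policy(
        enabled={"social", "malicious", "cryptominer", "tld"},   # "p2p" left off
        domains={"social": {"social.example"},
                 "malicious": {"evil.example"},
                 "cryptominer": {"miner.example"}},
        keywords={"social": {"chat"}, "malicious": {"phish"}, "p2p": {"torrent"}},
        blocked_tlds={"zzz"},
        whitelist={"api.social.example"},
        blacklist={"banned.example"},
        ip_bypass={"192.168.1.10"},      # parent's DHCP-reserved address
    )


if __name__ == "__main__":
    pol = sample_policy()
    for q, ip in [("social.example.", "192.168.1.20"), ("social.example", "192.168.1.10"),
                  ("evil.example", "192.168.1.10"), ("api.social.example", "192.168.1.20"),
                  ("www.Banned.Example.", "192.168.1.20"), ("cdn.phish-mail.test", "192.168.1.20"),
                  ("files.download.zzz", "192.168.1.10"), ("torrent.test", "192.168.1.20")]:
        print(f"{q:24} {ip:14} -> {decide(pol, q, ip)}")
```

The point of the walk-through is the ordering: a child's device querying `social.example` is blocked, the parent's reserved IP gets it allowed, but the same IP still cannot resolve `evil.example`, a `phish` keyword match, or a blocked TLD. Keywords for the disabled `p2p` category are never consulted, and a whitelisted host wins even when its parent domain sits in a blocked category.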

I am still working on the ability to apply internet cut-off times to be used with curfews.

I don't want to make this too long, so I will just list out a few things of interest to close. The DHCP and DNS servers are custom developed for this system; it is all programmed in Python 3.7+. The hardware will be an ESPRESSObin (also used by pfSense) which, based on my tests, handles about 650 Mbps throughput while the inspection engines are running. Standard stateful firewall rules can be made, as well as port forwarding. The targeted price is $100 for the initial release and $130 thereafter. A subscription will not be required for updates.

Lastly, the back end is entirely open source and free to download/use from my GitHub. If you are a power user, the repo version would be all that is needed. The only difference is no front end, and I do not provide lists other than the 3 malicious lists, which are also open source and maintained by a 3rd party. It has currently been tested at 10G traffic rates, with about 250 users and 160k daily DNS requests (CMD version on beefy hardware).

link: https://github.com/dowrighttv/DNX-FWALL-CMD

Let me know what you guys think, and if there is anything else that you might like to see before I wrap this up.

Tech demo can be seen here: https://youtu.be/6NvRXlNjpOc
