Should I buy a Hardware Firewall for my Time Capsule 4th Gen Router?

For my home network, I am still using the Time Capsule 4th Generation Router, from 2011.

I realized that I may have overestimated the security of this device, as it apparently does not have a Firewall – it only has NAT.

I am concerned about the security aspect, since my Time Capsule is connected immediately to my apartment building's fiber optic network, which provides Internet access.

Behind the Time Capsule, I have several computers with software firewalls, and iOS devices which I assume also have software firewalls. I have recently added some Philips Hue IoT devices.

I am not proficient enough in networking to know how good the protection offered by the Time Capsule and NAT is.

Question

Is it advisable for me to buy a Hardware Firewall to complement the Time Capsule for security reasons – especially when having some IoT devices?

About getting a new router

I haven't been planning to buy a new Wi-Fi router with better security features or integrated firewall, just yet, because I've been holding out in anticipation of getting a new MacBook Pro with Wi-Fi 6 probably within the next 2–3 years.

So I would ideally keep my Time Capsule for a while longer.

However, if Hardware Firewalls are hardly worth it for home users, I would perhaps consider getting a Wi-Fi 6 Router solution already – even though I can't use Wi-Fi 6 yet – if there are any available that also provide good security features or at least a basic firewall.


Solution 1:

Is it advisable for me to buy a Hardware Firewall to complement the Time Capsule for security reasons – especially when having some IoT devices?

Yes. Absolutely. Unequivocally Yes.

Threats have evolved significantly since 2011 when that Time Capsule came out and, quite frankly, it is woefully ill-equipped to deal with the current threats.

I don't use "retail/consumer grade" routers that you get at your local big box house. I use pfSense running on a USFF Dell machine (Core 2 Duo, 8GB RAM and 32GB SSD) configured with an Intel Quad Gig interface. The total cost was under $150 (the quad gig adapter was the most expensive part).

  • I can drop traffic from certain global regions (e.g. China, Russia, India, etc.). Any traffic that originates in a particular area is literally dropped.

  • I can add on any number of enhancements to my router:

    • Run my own VPN
    • Add my own SSL certificates
    • Add DNS whitelists/blacklists (pfBlockerNG)
    • Install a Squid caching Proxy
    • Configure High Availability with cellular fail over

There's a cornucopia of features you can add to this type of router to customize the level of protection you need.

Such overkill!

Yes, there's a ton of features, many of which you'd probably never need unless you were setting this up for a corporate entity. However, what's important about having a hardware firewall is that:

  1. Being hardware, its performance is that much greater. The more hardware you throw at it, the better it works.
  2. Stateful Packet Inspection. This is a technology that analyses the "context" of each packet and whether to allow it or to block it. Your TC is stateless, meaning it will either allow or disallow based on a simple rule. This also requires CPU cycles.

Is it really overkill?

IMO, no, it's not. You can start with a cheap PC you pick up on eBay, Craigslist, Gumtree, etc. For home, it doesn't need to be fancy. 2GB RAM is more than enough, but the more RAM, the more "states" the router can handle. You'll need a NIC; since the computer will come with one, you just need another (one for WAN, the other for LAN). I found (on eBay) SSDs used in thin clients and bought 5 for under $40 (good to have extras on hand). Spend about an hour putting it together and going through the setup and you'll have an enterprise-grade, hardware-based firewall protecting your network.

TL;DR

Yes. You absolutely need one. Whether you build it yourself (I like pfSense) or you purchase one (go for a "business class", not fancy "consumer grade"), put something capable of handling today's ever-evolving threats between the Internet and your network.
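
The difference between a fixed per-packet rule and stateful inspection mentioned in the answer above, as an added example that is not part of the original answer: a toy filter in Python run over constructed packets. The rule, the addresses and all class and function names are assumptions made for illustration, and NAT is left out of the model.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # TCP flags: "S" = SYN, "SA" = SYN/ACK, "A" = ACK, "R" = RST
    inbound: bool   # True when the packet arrives on the WAN side

def stateless_allow(p: Packet) -> bool:
    """Fixed rule, judged per packet: allow all outbound traffic, and allow
    inbound traffic only from source port 443 ("replies from HTTPS servers")."""
    return (not p.inbound) or p.sport == 443

class StatefulFilter:
    """Allow outbound traffic; allow inbound only as part of a tracked flow."""
    def __init__(self):
        self.states = set()  # (lan_ip, lan_port, remote_ip, remote_port)

    def allow(self, p: Packet) -> bool:
        if not p.inbound:
            flow = (p.src, p.sport, p.dst, p.dport)
            if p.flags == "S":        # outbound SYN opens a state entry
                self.states.add(flow)
            elif "R" in p.flags:      # outbound RST tears it down (simplified)
                self.states.discard(flow)
            return True
        # Inbound packets must be the mirror image of a tracked outbound flow.
        return (p.dst, p.dport, p.src, p.sport) in self.states

# Constructed traffic: a laptop opens an HTTPS connection, then an unrelated
# host sends an unsolicited SYN with source port 443 to a device on the LAN.
SAMPLE = [
    Packet("192.168.1.10", 50000, "203.0.113.5", 443, "S", False),
    Packet("203.0.113.5", 443, "192.168.1.10", 50000, "SA", True),
    Packet("198.51.100.7", 443, "192.168.1.20", 80, "S", True),
    Packet("192.168.1.10", 50000, "203.0.113.5", 443, "R", False),
    Packet("203.0.113.5", 443, "192.168.1.10", 50000, "A", True),
]

def compare(packets):
    """Return (stateless_verdict, stateful_verdict) for each packet in order."""
    fw = StatefulFilter()
    return [(stateless_allow(p), fw.allow(p)) for p in packets]

if __name__ == "__main__":
    for pkt, verdicts in zip(SAMPLE, compare(SAMPLE)):
        print(pkt, verdicts)
```

The per-packet rule accepts every packet in the sample, while the state table rejects the unsolicited SYN and the packet that arrives after the connection was reset.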

Solution 2:

Most ordinary home users would see no real benefit from a hardware firewall. They would need no more than what is already provided by the Time Capsule in terms of network separation using NAT.