Firewall alternatives

Commercial firewalls have a disadvantage: it is never known whether the vendor has introduced (willingly or unwillingly) a backdoor or an intentional security weakness that gives unknown parties access.

It is generally a good rule of thumb to remember that if a vendor is known to have used a backdoor once, they will place a backdoor a second time – just trying to hide it better the next time.

That is why it is a good idea for smaller organizations to evaluate other options, such as pfSense or OPNsense – https://www.pfsense.org/ and https://opnsense.org/. Another vendor, which also offers commercial versions and support, is https://www.untangle.com.

It is only logical that for large organizations a small, open source firewall will simply not be enough – or at least not as their main firewall. But for small environments the aforementioned are more than enough.

Port Knocking – NSA has been using this for the past 10 years, are you?

The concept of port knocking is: the firewall presents all ports as closed, unless a specific port sequence is ‘knocked’ with a special packet.

For example, if you want to keep port 22 for remote administration purposes, but want to close it for everyone but a list of authorized people/devices, you could set the firewall up in such a way that if your authorized person sends a specially crafted packet to ports 1888, 25678 and 3456, their IP address is temporarily whitelisted and can open a connection to port 22.
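The per-source bookkeeping behind that example, sketched as a small Python model. This is an added illustration, not code from this page or from any firewall product; the class name, the two time limits and the sample traffic are assumptions.

```python
from dataclasses import dataclass, field

KNOCK_SEQUENCE = (1888, 25678, 3456)  # knock ports from the example above
PROTECTED_PORT = 22
SEQ_TIMEOUT = 10.0   # assumed: seconds allowed from first knock to last knock
OPEN_WINDOW = 30.0   # assumed: seconds a source stays whitelisted afterwards

@dataclass
class KnockFirewall:
    progress: dict = field(default_factory=dict)  # src -> (next index, first knock time)
    allowed: dict = field(default_factory=dict)   # src -> whitelist expiry time

    def packet(self, ts, src, dport):
        """Return 'ACCEPT' or 'DROP' for a new inbound connection attempt."""
        if dport == PROTECTED_PORT:
            return "ACCEPT" if self.allowed.get(src, 0.0) > ts else "DROP"
        idx, started = self.progress.get(src, (0, ts))
        if idx and ts - started > SEQ_TIMEOUT:
            idx, started = 0, ts              # sequence took too long: start over
        if dport == KNOCK_SEQUENCE[idx]:
            idx += 1                          # correct next knock
        elif dport == KNOCK_SEQUENCE[0]:
            idx, started = 1, ts              # wrong knock that restarts the sequence
        else:
            idx = 0                           # any other port wipes the progress
        self.progress.pop(src, None)
        if idx == len(KNOCK_SEQUENCE):
            self.allowed[src] = ts + OPEN_WINDOW   # temporary whitelist entry
        elif idx:
            self.progress[src] = (idx, started)
        return "DROP"                         # knock ports themselves always look closed

def replay(events):
    fw = KnockFirewall()
    return [fw.packet(*event) for event in events]

# Constructed traffic using documentation addresses, not captured data.
EVENTS = [
    (0.0, "198.51.100.7", 22),      # before knocking: closed
    (1.0, "198.51.100.7", 1888),
    (2.0, "198.51.100.7", 25678),
    (3.0, "198.51.100.7", 3456),    # sequence complete
    (4.0, "198.51.100.7", 22),      # whitelisted source: open
    (4.5, "203.0.113.9", 22),       # any other source: still closed
    (40.0, "198.51.100.7", 22),     # whitelist entry has expired
]

if __name__ == "__main__":
    print(replay(EVENTS))
```

Because any non-matching port resets the progress, a sequential port scan that passes through the knock ports does not open port 22.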

NSA has been known to use port knocking for all remote access connections for many years – even for access to their internal systems, not just remote administration and/or VPN.

A good tutorial on setting up port knocking on open source operating systems can be found at DigitalOcean: https://www.digitalocean.com/community/tutorials/how-to-use-port-knocking-to-hide-your-ssh-daemon-from-attackers-on-ubuntu

Ask your firewall appliance vendor if they support port knocking. If not, you can certainly place an open source screen in front of your appliance anyway, just for that purpose.