Security features
How seriously do these firewalls take your safety?
We’ve touched on IPFire’s segmentation of your network into Green and Red zones for trusted and untrusted devices. It also supports creating a blue DMZ to isolate internet servers from the rest of your network. It uses Suricata IDS to prevent attacks, replacing the previous tool Snort.
Alpine Linux claims that all userland binaries are compiled as Position Independent Executables (PIE) with stack smashing protection, making the OS less vulnerable to buffer overflow or zero-day attacks. It also uses the musl libc library, which is a leaner (and arguably more secure) version of glibc.
VyOS uses Minisign as well as PGP to verify the integrity of its downloads. The developers regularly issue new security releases. VyOS is also the only distro we reviewed that supports MACsec, which encrypts traffic between LAN endpoints.
Endian’s developers’ motto is “Secure everyThing”. This reflects the number of supported appliances including IoT devices. They claim the firewall follows a “Zero Trust” model and uses “microsegmentation” to make sure the minimum amount of network resources are shared when necessary. It supports up to 32 internal network zones. It can also use DPI (deep packet inspection) and DNS Proxy filters to screen for malware. You can even use geo-blocking to block traffic by country.
ClearOS’s app marketplace offers a figurative Swiss army knife of security features including Antimalware, which is updated daily with new signatures, and Content Filter Blacklist to prevent cyberloafing. Unfortunately, most of the more powerful apps require a subscription. It does, however, have its own builtin antivirus and antiphishing tools, as well as a content filter.