|AlphaShield Hardware Firewall|
|Summary||Hardware SPI-based firewall that even your mother could install. Cannot open ports or change any firewall settings.|
|Pros||• Plug and go setup
• “Stealth” level protection from Internet probes on ports 1 – 65535
• No user adjustments required
|Cons||• No user adjustments possible
• Expensive compared to more flexible alternatives
• Firewall only – no Internet connection sharing
AlphaShield’s email review pitch for its product of the same name described it as “the only hardware firewall on the market that doesn’t need any configuration. Installation takes only one minute. No maintenance. 100% Unhackable Guarantee or your money back”.
It sure sounded like snake oil, but a quick check of AlphaShield’s website showed the company to be legit. So I fired back an email to the AlphaShield rep. and a sample appeared at my door about a week later.
One thing I need to make clear up front is that the AlphaShield is not a NAT router. The key consequence of this is that it does not provide Internet sharing. Instead, think of it as providing, for all intents and purposes, the same protection as provided by a NAT – or more accurately NAT + SPI (Stateful Packet Inspection) router – but without requiring, or allowing, any sort of configuration of that protection.
AlphaShield’s marketing material refers to three technologies that the product uses to work its Internet security magic – AlphaGAP, IP Stealth and RPA (Real-time Packet Authorization). The first just refers to the box’s ability to completely stop data flow between its Internet and host computer ports, just as if you physically disconnected your computer from your broadband modem.
IP Stealth means that AlphaShield will discard any ICMP messages it receives from pings or traceroutes, just as routers do when you enable “block WAN ping response” or similarly-named capabilities. Either way, scans directed at your IP address assigned by your ISP won’t receive any response and just continue looking for their next victim.
The RPA explanation in the white paper provided as part of my review material (but not available for download from the AlphaShield website) is the fuzziest of the three and appears to be the AlphaShield’s real “secret sauce”. But though the exact mechanics of RPA may be different, the bottom line is that it provides essentially the same level of “firewall” protection as provided by a NAT router.
The AlphaShield’s packaging makes a good first impression with an informative product box and compact and nicely finished silver and charcoal plastic enclosure. Figure 1 shows that Outbound, Connection and Inbound LEDs grace the font panel – and provide the only indication of the AlphaShield’s operating state. There is no software interface to view or configure, heck, the AlphaShield doesn’t even have a MAC address, let alone an IP address!
Figure 1: AlphaShield front view
The Product, Continued
Figure 2 shows the back panel with the network and power connectors and a single mode switch. The Cable/DSL and PC RJ45 connectors are self-explanatory, while the AUX connector is where you can plug a computer or device that will bypass the protection afforded by the AlphaShield. Think of the AUX port as the equivalent of putting the attached device in DMZ on a typical NAT-based router.
The Mode switch’s Lock and 15 positions both disconnect (via AlphaGAP) the attached device after 15 minutes of inactivity, with the difference between them being that the 15 position will retain the IP address leased from your ISP’s DHCP server while the Lock position may release it.
If this is too much for you to figure out, just leave the switch at its default Auto setting, which has no idle timeout, or experiment with the Lock and 15 positions if you like the idea of the automatic 15 minute disconnect.
Figure 2: AlphaShield rear view
In all modes, you’ll have to press the blue Connect button that forms the left side of the “S” to get the AlphaShield to let you connect to the Internet and the grey Disconnect button should you want to immediately terminate your Internet connection or at the end of your Internet session in the Auto mode. The middle Connection LED glows red when you’re not connected, but since I’m red / green color challenged, I’d would have preferred it to also slowly blink when the AlphaShield takes you offline.
In the end, I think the AlphaShield should be simple enough for its target non-technical user to install, either with or without help from the nicely illustrated and clearly written printed User Guide that comes with it. Although the typical installation will be between a cable or DSL modem and a single PC, AlphaShield also has a document (PDF) that shows the AlphaShield connected into other networking scenarios, including some with routers!
But all NAT-based routers provide simple, but effective blocking of unrequested inbound traffic, and virtually all current-generation routers add some level of Stateful Packet Inspection (SPI) on top of the NAT firewall. So I can’t think of a scenario in which you’d need both an AlphaShield and NAT router, one right behind the other, protecting your LAN.
Portscanning the AlphaShield resulted in no response to any probes on the full range of ports from 1 to 65535. I was also able to verify that the Inbound light flashed red instead of green, indicating that it was blocking the unrequested packets from the port scan.
I checked Response (ping) Time and Throughput using Qcheck from the computer connected to the PC port to the machine connected to the Cable/DSL port and measured results of 1ms and 6.7Mbps respectively. So users with typical cable or DSL connections shouldn’t see any performance hit due to the AlphaShield’s firewalling.
The AlphaShield definitely does provide an effective firewall and, as AlphaShield’s product pitch asserts, is certainly more robust than Windows’ built-in firewall – SP2 notwithstanding. But although I think it serves its target audience well – the non-technical broadband user with a single computer – I also think that AlphaShield is counting on its target customers’ networking naivete a bit too much.
With consumer routers easily available at $50 or less, which include 4 port 10/100 switches, and that provide essentially the same level of protection, I think AlphaShield’s $100 pricing is twice what it should be. (Shame on those on-line retailers selling it for as much as $169!) And although AlphaShield’s FAQ make it clear that the device does not provide Internet sharing, the FAQ don’t make it as clear that using an AlphaShield and a NAT router isn’t necessary, or is at least redundant.
That said, the AlphaShield could be the perfect solution for protecting a far-away parent or loved one that is foolish (or uninformed) enough to have their computer tied directly to their broadband modem. And think how proud they’ll be when they install it themself!