Sadikhov IT Certification forums
accelstudent

Hardware Firewalls Vs. Software Firewalls


A hardware firewall is much, much better for the job. Its primary job is only filtering the network, not other jobs, like Windows does, for example. Any software firewall has to run on some sort of OS, and that is one more point of failure for network security.

 

So my choice is a hardware firewall.

 

see you around... ;)


A hardware firewall in a typical broadband router employs a technique called packet filtering, which examines the header of a packet to determine its source and destination addresses. This information is compared to a set of predefined and/or user-created rules that determine whether the packet is to be forwarded or dropped. A more advanced technique called Stateful Packet Inspection (SPI) looks at additional characteristics such as a packet's actual origin (i.e. did it come from the Internet or from the local network) and whether incoming traffic is a response to an existing outgoing connection, like a request for a Web page.

 

But most residential hardware firewalls have an Achilles' heel in that they typically treat any kind of traffic traveling from the local network out to the Internet as safe, which can sometimes be a problem.

 

Consider this scenario: What would happen if you received an e-mail message or visited a website that contained a concealed program? Let's say this program was designed to install itself on your machine and then surreptitiously communicate with someone via the Internet — a distributed denial of service (DDoS) attack zombie or a keystroke logger, for example? And trust me, this is by no means an unlikely scenario.

 

To most broadband hardware firewalls, the traffic generated by such programs would appear legitimate since it originated inside your network and would most likely be let through. This malevolent traffic might be blocked if the hardware firewall was configured to block outgoing traffic on the specific Transmission Control Protocol/Internet Protocol (TCP/IP) port(s) the program was using, but given that there are over 65,000 possible ports and there's no way to know which ports a program of this nature might use, the odds of the right ones being blocked are slim.

 

Moreover, blocking too many ports would almost certainly adversely affect your ability to use some programs (many games, for instance). Also, some broadband router firewalls don't even provide the ability to restrict outgoing traffic, only incoming traffic.

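The filtering and stateful-inspection behaviour described in the post above, as an added example that is not part of the original thread or any poster's code: a toy stateful packet filter in Python, run over a few constructed packets. It contrasts the residential default (anything leaving the LAN is trusted) with a default-deny egress allowlist. The addresses, port numbers and the "beacon" to port 4444 are assumptions for illustration.

```python
"""Toy stateful packet filter, written for this thread as an illustration
(not code from any of the posters or from a real firewall product).

It models the three behaviours the post above describes:
  * header-based rule matching on direction, protocol and destination port,
  * a connection table so that replies to outbound connections are let in,
  * the residential default of trusting everything that leaves the LAN,
and then shows a default-deny egress allowlist as the alternative.
All addresses (RFC 1918 / RFC 5737 ranges) and all traffic are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

LAN = ip_network("192.168.1.0/24")      # assumed inside network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str                  # "accept" or "drop"
    direction: str               # "out" (LAN -> Internet) or "in"
    dport: Optional[int] = None  # None matches any destination port
    proto: str = "tcp"


class StatefulFilter:
    def __init__(self, rules: List[Rule], default: str = "drop"):
        self.rules = rules
        self.default = default
        # 5-tuples of connections the LAN initiated and the rules accepted
        self.conns = set()

    @staticmethod
    def direction(pkt: Packet) -> str:
        return "out" if ip_address(pkt.src) in LAN else "in"

    def is_reply(self, pkt: Packet) -> bool:
        # An inbound packet is a reply if it is the mirror image of a tracked
        # outbound connection (swapped addresses and ports, same protocol).
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.conns

    def filter(self, pkt: Packet) -> str:
        direction = self.direction(pkt)
        if direction == "in" and self.is_reply(pkt):
            return "accept"        # stateful inspection: response to our own request
        verdict = self.default     # stateless part: first matching rule wins
        for rule in self.rules:
            if (rule.direction == direction and rule.proto == pkt.proto
                    and (rule.dport is None or rule.dport == pkt.dport)):
                verdict = rule.action
                break
        if verdict == "accept" and direction == "out":
            self.conns.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
        return verdict


def residential_policy() -> StatefulFilter:
    """Typical broadband router: block unsolicited inbound, trust all outbound."""
    return StatefulFilter([Rule("accept", "out")])


def egress_allowlist_policy() -> StatefulFilter:
    """Default-deny both ways; only the services the LAN is expected to use."""
    return StatefulFilter([
        Rule("accept", "out", 53, "udp"),   # DNS
        Rule("accept", "out", 80),          # HTTP
        Rule("accept", "out", 443),         # HTTPS
    ])


# Constructed traffic: a web request and its reply, an unsolicited SMB probe
# from the Internet, and a beacon from a hypothetical implant on the LAN to a
# hypothetical command-and-control host on port 4444.
WEB_REQ = Packet("192.168.1.10", 51000, "203.0.113.5", 80)
WEB_REPLY = Packet("203.0.113.5", 80, "192.168.1.10", 51000)
SMB_PROBE = Packet("198.51.100.7", 40000, "192.168.1.10", 445)
BEACON = Packet("192.168.1.10", 51001, "198.51.100.9", 4444)
SAMPLE = [WEB_REQ, WEB_REPLY, SMB_PROBE, BEACON]


def run(fw: StatefulFilter, packets: List[Packet]) -> List[str]:
    """Feed packets through the filter in order and collect the verdicts."""
    return [fw.filter(p) for p in packets]


if __name__ == "__main__":
    for name, fw in (("residential", residential_policy()),
                     ("egress allowlist", egress_allowlist_policy())):
        print(f"{name:17s}", dict(zip(("web", "reply", "probe", "beacon"),
                                      run(fw, SAMPLE))))
```

Under the residential policy the beacon leaves with an "accept" verdict because it originated inside; under the allowlist it is dropped without anyone having to guess which of the 65,535 ports the program would use. The limit is also visible: the same beacon aimed at port 443 would pass the allowlist as well, since a port-based rule cannot tell a browser from an implant. Knowing which program is talking is what a host-based firewall adds, as a later post in this thread points out.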

Hey accelstudent,

 

Have you ever heard of the Cisco PIX firewall? It has the ASA (Adaptive Security Algorithm) amongst other features. Check the Cisco website.


I think a hardware firewall is more effective, but still there are times when people can get through the hardware firewall; it depends on how you implement the security on it.

 

Cheers


I work on the concept that several layers of firewalls that work in different ways are the way to go (a combination of hardware and software firewalls!).


What firewall you need depends on what your business needs. Does the business need a cheap solution? Does your business require 6 layers of firewalls with several different DMZs? Does your business plan on growing in the next year to such an extent that you're going to need to load balance where you don't at the moment?

 

Every firewall purchase/implementation must be properly examined for what your requirements are. Then you can look and see which H/W and S/W fit the bill for you.


Hi there,

 

This question is already answered; I just want to share my experience.

 

At home I have a DSL connection and I used ZoneAlarm as a firewall; I had a lot of warnings and logs from several sources. I decided to buy a router. Now I have the router and ZoneAlarm, and no undesired traffic passes through the router. Very, very good. I think in all cases a hardware firewall is much better than a software firewall.

 

You can use a Linux box as a firewall; if you have an old box and don't want to spend money, it's a good solution too ;)

 

Regards,

Goodspeed


I say use both. The hardware variety is more secure, but the software variety, even the XP SP2 one, is more informative. It's nice to be able to easily identify what app is trying to talk.


My opinion is that ISA 2004 is better than a hardware firewall, if you can configure it properly. One thing that hardware firewalls lack is SSL-to-SSL bridging, and that is the main reason why I am favoring the ISA server.

 

Regards.


I think that a hardware-based firewall is better.

If you can combine both firewalls and make the correct configuration,

your network security will be better than using one only.

 

Remember to always update the software-based firewall,

so it can defeat most attacks!

Of course, if you get the latest flash image for the hardware-based firewall, upgrade it too!

 

good luck ...

What do you think: is a hardware firewall better than the software ones? There are instances here in India where people dumped Cisco PIX and used the iptables firewall in GNU/Linux.

Dear Friend,

 

 

A hardware firewall is the best thing. To handle it, you must know how to configure things, so most home users don't go for it. The combination of hardware and software firewalls is too expensive. For an enterprise, the combination is enough. For home users, a software-based firewall is enough. If you mind security, not cost, then go for the combination.


For the record, ISA Server 2004 Standard Edition can be purchased for $1,400 per CPU.

 

Regards.


Hardware is better, but I like having a hardware one and a software one set up. Right now at home I have a NetScreen insg 5.0 and Checkpoint. All the items just happened to fall in my lap ;)


My opinion is that software firewalls are more vulnerable than hardware versions because they have additional vulnerabilities exposed via the OS. Of course the hardware versions all have an OS also, but it can be completely stripped down and hardened because it is not expected to do anything but be a firewall (there are, however, well-known cases where hardware-based firewalls were penetrated due to vulnerabilities in the OS, so do your homework). If you install your software firewall on a bastion host (one with an OS that has been specifically hardened) you may be able to get the best of both worlds (I still would never use Windows for anything, though; too many hackers are up to the wee hours trying to find holes). Since the OSes of the hardware firewalls have not had the hacker scrutiny that Linux and Windows have, they are quite likely to have unknown (to security professionals; hackers always seem to know) vulnerabilities. But if you are going to install the software firewall on a standard Linux or Windows install, I think you are making a big mistake.


I like hardware firewalls because they are designed to do one thing and one thing only. Keep it simple. With a software solution you have to rely on the OS and other apps that could potentially cause more downtime.


A hardware firewall is better, but the cost of having one is high, so my choice is a Linux-based software firewall running on an old 100 MHz P1 computer.

 

It does the job just great.

 

But I would like to have a hardware one, probably from Cisco.


Hello,

 

IMHO, MS ISA Server isn't worth a bit; it's not very scalable software, and it can't be customized well for every network.

 

If you're worried about your security, I would advise you to use a Cisco PIX Firewall and some IDS (Intrusion Detection System) on your network.

If you have a stronger router, you can implement CBAC on the router for firewalling, and IPS (Intrusion Protection System), which currently has the most recent 740 signatures of malicious attacks.

 

Regards,

H.


Hello guys,

 

In truth, a software firewall is more robust, cheaper, more flexible and easier to configure. With the advent of iptables in Linux, it has increased the level of security. Many administrators have embraced it. Personally, I prefer software firewalls to hardware.


Ok guys here is the deal.

 

In most cases hardware and software firewalls complement each other. In the majority of deployments I have done, there was a hardware-based firewall and a software-based firewall.

 

Basically, a hardware firewall has the advantage of being able to cope with the high bandwidth when connected to the edge network (Internet) and do stateful packet filtering at high speeds, whereas it's lacking in the sense of user authentication; hence, ISA Server 2004. Hacking happens, in most cases, either by someone inside the organization or by someone who worked for the organization. ISA Server can provide user authentication, which hardware firewalls don't.

 

If you want my opinion, the best approach would be to use a hardware-based firewall on the outer network, i.e. the Internet; ISA Server to protect the servers internally; and a personal firewall (WinXP's built-in firewall is fine, or any other personal firewall for that matter) to protect individual PCs.

 

But that's just my opinion. :P


ZingoBrelli's comments above are very good. I just wanted to add to this thread that people seem to be comparing enterprise products with home-use products; when you do that you will never get a clear comparison. You cannot compare ISA (software-based) with a home DSL router firewall (hardware), as ISA will win every time because it's an enterprise solution, so it is more capable, better performing and has greater functionality. Similarly, you cannot compare ZoneAlarm (a very good software-based personal firewall) with a Cisco PIX or Nokia appliance (hardware), as they again are enterprise solutions, so they should win hands down.

 

If you compare like for like:

Personal use

Software based is very good, but it does put load on the host PC and will leave you with loads (and loads) of actions taken in the reports, so it's difficult to interpret.

Hardware based: most of these are not really firewalls but routers running NAT, so masking your true IP, which has the benefit of making things harder, but not impossible, for the black hats of the world.

 

Used together, the DSL NAT router will get rid of 95% of the potentially malicious traffic without adding to the load on your PC. The software-based firewall could protect you from what is being blocked, but would do so at a cost to performance, so let it only handle the 5% that's left and everyone is happy.

 

Enterprise Use

Software based

Can be costly to scale up for top levels of performance, but has many functions impossible on most hardware-based solutions; when configured correctly it is very secure. Does require regular software updating.

Hardware based

Can be initially costly but offers good performance; again, when configured correctly they are very secure, but still require regular software updating. Hardware-based solutions still run software; when weaknesses in this are found they can be exploited exactly like the software-based systems. The only issue is that it's not always as easy to update a hardware-based solution.

 

Used together

You get the best of both worlds, and your perimeter defences cannot be breached each time a weakness is exposed in the manufacturer's code.

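The NAT behaviour the post above attributes to home routers ("not really firewalls but routers running NAT"), as an added example that is not from the thread or any poster: a toy masquerading router in Python that shows why an unsolicited inbound packet has nowhere to go, why a reply from the wrong peer is dropped, and why a configured port forward punches straight through. The public address, the LAN hosts and the game-server forward are assumptions for illustration; all traffic is constructed.

```python
"""Toy NAPT ("masquerading") router, written for this thread as an
illustration (not code from any poster or from a real DSL router).

It shows why a NAT-only router drops most unsolicited traffic even though it
applies no security policy: a packet from the Internet can only be delivered
to a LAN host if a translation entry exists, and entries are created only by
outbound traffic or by a static port forward the owner configured. The public
address, LAN hosts and the game-server forward are assumptions; all traffic is
constructed."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

WAN_IP = "203.0.113.50"   # assumed public address of the router (RFC 5737)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatRouter:
    def __init__(self, port_forwards: Optional[Dict[int, Tuple[str, int]]] = None):
        self.next_port = 1024
        # (lan_ip, lan_port, remote_ip, remote_port) -> allocated WAN port
        self.out_map: Dict[Tuple[str, int, str, int], int] = {}
        # (wan_port, remote_ip, remote_port) -> (lan_ip, lan_port)
        self.in_map: Dict[Tuple[int, str, int], Tuple[str, int]] = {}
        # static forwards: wan_port -> (lan_ip, lan_port), reachable from anywhere
        self.forwards = dict(port_forwards or {})

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> Internet: rewrite the source to the WAN address and a WAN port."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        wan_port = self.out_map.get(key)
        if wan_port is None:
            wan_port, self.next_port = self.next_port, self.next_port + 1
            self.out_map[key] = wan_port
            # Remember who this conversation is with so only that peer's
            # replies are translated back (endpoint-dependent mapping).
            self.in_map[(wan_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return replace(pkt, src=WAN_IP, sport=wan_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> LAN: translate back, or return None when there is
        nothing to translate to (the router drops the packet)."""
        target = self.in_map.get((pkt.dport, pkt.src, pkt.sport))
        if target is None:
            target = self.forwards.get(pkt.dport)
        if target is None:
            return None
        lan_ip, lan_port = target
        return replace(pkt, dst=lan_ip, dport=lan_port)


def demo() -> Dict[str, Optional[Packet]]:
    """Constructed traffic through a router with one hypothetical game-server
    forward (WAN port 25565 -> 192.168.1.20)."""
    nat = NatRouter(port_forwards={25565: ("192.168.1.20", 25565)})
    out = nat.outbound(Packet("192.168.1.10", 51000, "198.51.100.5", 80))
    return {
        "request": out,
        # genuine reply from the web server: translated back to the LAN host
        "reply": nat.inbound(Packet("198.51.100.5", 80, WAN_IP, out.sport)),
        # someone else guessing the open WAN port: wrong peer, no entry
        "spoofed_reply": nat.inbound(Packet("198.51.100.6", 80, WAN_IP, out.sport)),
        # unsolicited SMB probe at the router: no entry, dropped
        "probe": nat.inbound(Packet("198.51.100.99", 40000, WAN_IP, 445)),
        # the port forward: reaches the LAN host from any source, no questions asked
        "forwarded": nat.inbound(Packet("198.51.100.99", 40001, WAN_IP, 25565)),
    }


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:14s}", "dropped" if pkt is None else pkt)
```

Nothing in the router inspected the probe; it failed only because no translation existed for it, which is what the post means by NAT making the inside hosts harder, not impossible, to reach. Any static forward is a permanent entry that any source on the Internet can use, so the forwarded host needs its own firewall, and the router does nothing at all about what leaves the LAN.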

I have experience in both hardware and software,

and I prefer hardware because of the reliability; it just works better.

 

And in case of a failure you can always go back and reset the machine,

unlike software, where you depend on the OS.

