Firewalls: Hardware vs Software

[SpaceC0wb0y]

I was wondering what everyones experiences with firewalls was. I was recently using a linksys cable/dsl router to act as my firewall but I have moved and no longer have the router. Are software firewalls as dependable as hardware. I have not done too much research into software firewalls yet. Any recommendations for either software or hardware?

 

[Poontos]

Hardware is best.

Software is second best.

Hardware is much more robust.

 

[Louie1961a]

I disagree. I don't think you can say that hardware firewalls are any better or worse than software ones. A hardware firewall is in actuallity a software firewall loaded onto an eeprom or some other non-volatile memory device, and a router is nothing more than a special purpose computer with its own memory and cpu. Given those facts, it is possible to create software based firewalls with the exact same rulesets, etc. What a router does for you that a software firewall loaded on your PC cant, is to segregrate your internel network from the outside world through NAT (network address translation), thereby making it harder to break into individual PC's on your internal network. You could accomplish the same thing by dedicating a PC to this task using linux and IPTABLES, or windows and ICS.

To answer your question, using a router AND firewall software on each individual machine is the best level of protection I think you can hope for. That being said, I think that if you install a software firewall, disable file and print sharing, disable netbios, make yourself really stealthy, and use a good antivirus program, you will get a reasonable level of protection. This assumes that you use some good judgement in what you download, so that you don't get infected with a trojan virus, update your virus anf firewall software frequently, and agressively manage your system. Two of the most highly regarded personal firewall packages can be had for free. they are tiny firewall and zone alarm. I have read reviews where each is touted as the best and the other is touted as second best, but in any event they are both always in the top two. Symantec personal firewall is very robust, but only if you have a well thought out set of rules. Otherwise it could be weak.

 

[JackMDS]

Due to the way computer technology works, hardware execution is always faster then Software. That means that in similar operation hardware is always faster then software.

In general, security issue involves:

1. Unauthorized Internet traffic coming in (from the Internet to your computer).
2. Unauthorized Information going out (from your Hard Drive to some one else Web Server).

The latter is done mainly by programs that are ?calling home?. Unfortunately, the amount of programs that are calling home is growing by the day.

Hardware Firewall is working faster and much smoother then Software Firewall.

However, Router?s Firewall secures mainly the Incoming traffic.

To secure the Outgoing aspect you need Software Firewall.

 

[Poontos]

"I disagree. I don't think you can say that hardware firewalls are any better or worse than software ones. "

Having both is ideal, but not always the case. Especially for personal desktop computers.

Therefore, if either one had to be chosen, the most robust and logical choice would be a hardware based
firewall solution.

"You could accomplish the same thing by dedicating a PC to this task using linux and IPTABLES, or windows and ICS."

Sure, you can accomplish a lot with numerous options, quite a few of them being free. Depending on how
secure Spacecowboy wants his network or PC, then his decision should obviously be based on that. The
most secure solution, as I said, would be personal (Zone Alarm) firewall software running on all PC's and
a hardware firewall/router filter all the traffic that is comes into the network, as well as using NAT.

Recommendations, you ask?

Software: ZoneAlarm
Hardware: Netgear RT314+, Linksys Cable/DSL Routers, just stay away from D-Link.

Have fun!

 

[JERR]

Hardware is considered better than software. It is also considerably more expensive. Ideally you want the firewall to block traffic before it gets to your computer, which means that even in a software solution you want a stand alone box between your computers you want to protect and the internet.

 

[RagManX]

Neither is better. First, what are your requirements. Second, what is your budget? To determine your requirements, you have to have a security plan. Blah, blah, blah. Even for a home network, you have to decide what you are trying to protect, and how much you want to spend.

Hardware firewalls have a performance advantage, but tend to be harder to upgrade when problems are found with the firewall. Software firewalls have a flexibility and cost advantage (for minimal requirements), but tend to ramp up in cost for higher performance.

Of course, there seems to be some confusion in this thread as to what a hardware or software firewall is, so I'll tell you what *I* think of when people use the terms. To me, a hardware firewall is a firewall built with specific performance, design, quality, etc. goals in mind. The firewall code can be hardwired, programmed into PROM, or loaded off a hard drive (in the case of a special purpose, black box system, which many also call a hardwire firewall). In other words, you buy a complete system or hardware and software, and to upgrade it, you typically replace it.

Software firewalls, on the other hand, are firewalls that can be run on general purpose computers. You buy whatever computer has sufficient processing power to handle the expected network load, and then pay some company tons of money for an install CD and license key for their software.

Strictly speaking, all firewalls are software firewalls, in my eyes. Just some run on specialized hardware, while others run on general purpose hardware.

The other class of firewalls I refer to are personal firewalls. They are software based, but are designed to only protect a single host. Ultimately, I believe you are actually asking if it is better to have a personal firewall or a dedicated firewall box (hardware or software). The thing is, most cable/dsl routers are not actually firewalls, but are just NAT (Network Address Translation) devices. This *CAN* provide some security, but don't assume you are secure just because you are behind a NAT box.

If you are indeed asking whether it is better to used a personal firewall or a NAT capable cable/dsl router, I'd say use both. In fact, I recommend ZoneAlarm (free or pro) plus Black Ice. ZoneAlarm is a host based personal firewall, so it can catch incoming attacks/probes. Black Ice is a host based intrusion detection system, so it can catch outgoing connections. Both together do a good job of protecting your system, although either can be a hassle at times (ZA for generating excessive logs, BI for prompting for outgoing traffic all the time).

If you really want to know if a special purpose computing environment based firewall (hardware) is better than a general purpose computing environment firewall (software), the answer is it depends. You have to know what you want to defend, how much time and money you are willing to put into defending it, and what capabilities you have to make sure your protection is working.

So, did that help?

RagManX