
software versus hardware


redstarrefugees

Technical User
Sep 14, 2001
4
US
I already have a software firewall. Do I need a hardware firewall as well?
 
Depends to a great degree on what your software firewall is. ***************************************
Party on, dudes!
 
Some good advice I was given, "Get both!" And yes, I am paranoid!!!! [spin] James P. Cottingham

I am the Unknown lead by the Unknowing.
I have done so much with so little
for so long that I am now qualified
to do anything with nothing.
 
Well, in my opinion hardware firewalls are an all around better solution than software firewalls.

With hardware firewalls you get:

-No OS to crash or patch
-No hard drive or moving parts
-Stability, literally set and forget
-Flexible application proxies capable of stripping email attachments (Watchguard)
-Excellent support (in most cases)

With software firewalls you get:

-A PC has to be dedicated for the firewall
-Rules can be a pain to configure and continually reconfigure
-Support?
-Runs on an OS "windows"?

My opinion.

AM
 
"-No OS to crash or patch"

And exactly what makes a hardware firewall run at all? In fact, most of the lower cost "hardware" firewalls don't even run a proprietary (and realtime) OS. They run either Linux or one of the *BSD's, such as OpenBSD, NetBSD, FreeBSD.

I say there are pros and cons either way. If you don't want to be "involved" in any real way with your security concerns, then of course just get a Cisco Pix and be done with it. But, one problem with these is that you have no way of knowing if there is a vulnerability in the system or not. Cisco might have discovered a vulnerability, but could easily choose not to release the information for months. Also, with these systems you can only do things the way the vendor wants you to do them. Actually, in the end there is less flexibility. I'm not saying this is necessarily a bad thing. It just depends on the level of awareness, involvement, and control you want to keep inside the company. A high-end hardware firewall is the best solution if you don't want to think about security. But beware, this lack of involvement can be your downfall. Anything is hackable, and if you choose not to keep a daily involvement with your system, you might be in for a surprise sooner or later.

"Software" firewalls are the same as "hardware" firewalls, except with software firewalls you get varying degrees of control over exactly what is going on in the system. I could easily configure a FreeBSD system to run a very tight firewall, using no hard disk. One way is to use a bootable "memory stick", of which there are many nowadays. But actually, it is possible to run your whole FreeBSD filesystem in a "read-only" state, so even if a hacker got in, there would be no way to save a virus or rootkit. Also, with ClosedBSD you can boot the whole thing from a floppy into live memory, then just pull out the floppy and let your firewall run.

Of course there is a whole range of "software" firewalls, ranging from standardized open source systems to an uneven mixture of proprietary ones, some of which are meant to simply run on your Windows desktop. These last ones I don't consider to be real firewalls.

I personally prefer using a BSD with one of the standard open source firewall packages, because control is what you get. You can know exactly what is on your system, down to every last detail. You can subscribe to or browse the publicly reported vulnerabilities for each of these daily, or even hourly. Thus, if a vulnerability comes out, you will be among the first to know, rather than at the tail end of a series of political decisions by the vendor. I'm not saying this approach is for everyone, but if I were the IT manager at a company, and we had a security budget, this would be my recommendation, along with keeping the best expert I can find on some sort of monthly retainer, ready to answer questions day or night. I would rather spend money on a person than on the software/hardware.

In the end, most of the commercial firewall boxes use some form of this open source software anyway. Why re-invent the wheel? This stuff is proven and robust. The only decision to make is what level of involvement you personally want. I would never trust a system that tells me I can just "set and forget", though. That luxury does not exist in real IT security; there's always more to it than that. -------------------------------------------

"Calculus is just the meaningless manipulation of higher symbols"
                          -unknown F student
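One way to build the read-only FreeBSD firewall the post above describes, as an added example that is not from the post or the thread: the root filesystem is mounted read-only so nothing can be persisted on disk, the directories that must be writable live on tmpfs, and pf runs a default-deny ruleset that logs what it blocks. The device name ada0s1a, the interface name em0 and the admin SSH rule are assumptions.

```conf
# /etc/fstab  -- root read-only; only volatile directories are writable
# (device name ada0s1a is an assumption; adjust to your disk or boot media)
/dev/ada0s1a   /      ufs    ro                      1 1
tmpfs          /tmp   tmpfs  rw,mode=1777,size=64m   0 0
tmpfs          /var   tmpfs  rw,size=128m            0 0

# /etc/rc.conf -- enable pf and the pflog interface for blocked-packet logging
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"

# /etc/pf.conf -- default-deny ruleset
# interface name em0 is an assumption
ext_if = "em0"

set skip on lo0
scrub in all

# everything is blocked unless a later rule allows it;
# "log" on the inbound block feeds pflog0 so you can see what is hitting the box
block in log all
block out all

# hosts behind the firewall may originate traffic; replies are matched by state
pass out quick on $ext_if proto { tcp udp icmp } keep state

# hypothetical admin rule: SSH to the firewall itself only
pass in on $ext_if proto tcp to ($ext_if) port 22 keep state
```

Because /var is volatile, anything written to /var/log/pflog disappears on reboot, so read the pflog0 interface live with tcpdump or ship the log to another host rather than relying on the local file.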
 