Hardware or Software Firewalls that is the question

[unclex]

Food for thought

As I have always been a lover of full on hardware firewalls due to little programs being able to switch software ones off....

Maybe we should bring back this topic.

[tef89]

I think I remember a thread last time I was here 4 years ago UncleX lol. I use both, hardware at the frontline and software so I can control what's on my Pc trying to talk to the world

[destro404]

Conceptually hardwares are always a combination of hardware and software, there is no difference between the two.

A Cisco PIX is Cisco's software running on hardware.
Sygate is software running on Windows hardware.
iptables is software running on Linux hardware.
pf is software running on BSD hardware.

The security is a combination of both how good the firewall software is and also how secure the base OS and hardware are. From a security standpoint there should be 1 firewall per machine. A NAT gateway may protect from the outside but does not protect the machines within from each other.

My best way of defining things in your term Unclex would be to differentiate a hardware firewall as a dedicated box for firewall only and a software firewall as firewall software that runs on a box whose main purpose is for other things.

In that scenario I say you need the dedicated hardware firewall to provide a secure gateway running on a secure platform to protect against general badness from the outside. In addition you also need a software firewall(in conjunction with AV) on each client machine to protect against user stupidity that the hardware firewall will not.


EDIT: Just realised, the short answer was "both".

[oE]

I use a linksys router with a hardened config and behind that run ISA2004 with AV scanning etc on that. I use a 2nd NIC to my WiFi / Internal network and use the ISA to route / control all the traffic.

Might sound overkill but I had a spare server that I run VMware on - it hosts my ISA / Mail / FTP servers on :-)

oE.

[chubblies]

Hardware all the way for me. Got a sonicwall enhanced firewall between me and tint, aint no fucker getting through that

[marcode]

Hardware all the way for me. Got a sonicwall enhanced firewall between me and tint, aint no fucker getting through that

what model do you have? whats else do you have in your setup?

and how much did it set u back?

out of interest..

[chubblies]

what model do you have? whats else do you have in your setup?

and how much did it set u back?

out of interest..

TZ170 with enhanced os, free courtesy of an ex-customer, who might now have a dlink in place of the nice shiny sonicwall.
They are the muts nuts, but beware if you are thinking of getting one for vpn's, as a lot of isp's are now blocking ipsec traffic on standard home broadband connections, they have realised that a lot of people now work from home and they can make money from secure protocols by changing your home bb for business bb, and putting a tick in a box and charging you twice as much
You can also set content filtering, deep packet filtering, av and antispam at firewall level etc etc, and they are very reliable, only the power supplies ever fail, never the unit.
If you want a free one, go for a training course on their pro range and you get a TZ170 standard free if you pass.
My system is more for self-learning, I just have server 2003 sbe and also use citrix and vm ware

[unclex]

Conceptually hardwares are always a combination of hardware and software - I agree

It is funny how many have moved on in four years

When i say software - I am talking about our windows users...

now were is that old link from four years ago...

[nitelife]

I prefer hardware ones as well. The one in my router does the job well enough, while Xp's software firewall is turned off.

Its got to be better surely, and safer. I agree with UncleX, dont want the risk of something turning it off somehow.

[destro404]

You would be best to get a software firewall on your PC too as it can alert you to trojans and dialers try to contact the outside world. Something your hardware firewall will not do.

The best solution is not one or the other, but both. Windows XP firewall is a piece of crap too, don't ever use when there are free alternatives like Sygate.

[DJAd]

My machines just sit behind my routers built in Firewall. I did used to use Zone alarm and various others but they pissed me off. I just have anti-virus when i'm online. It's like going bare back, I like the thrill.

[Freddy]

It's like going bare back, I like the thrill.

Well I have only ever used software but have intended to get a hard one (been saying that for years).

Other than the sonicwall review, any other good buys out there (winblows xp)?

Cheers.