Hardware Firewall VS Software firewall

[CCS-IT]

Hi friends,

Now we are using shared hardware firewall for our Web Server, actually we want to know can we switch to software firewall on our web server. If you advice it is good to switch shared hardware firewall to Software firewall then please give me the software firewall details which is the best??

We are using Windows 2008 WEB Edition 32 bit with 4 GB RAM?

[garethevans1986]

I go for hardware firewall over software firewall all the time.

[bruNo_]

I go for hardware firewall over software firewall all the time.

+1.

[sc302 Veteran]

Why would you go to a software firewall? Do you like introducing more issues to your server? Do you like using extra resources that are precious to a server? If properly used a hardware firewall is best as the attacks need to get through the hardware firewall before they get to the server and chances are they aren't going through.

[DanLeto]

Hardware for incoming, software for outgoing.

[Chris123NT]

Hardware for incoming, software for outgoing.

Hardware is more than capable of doing both.

[cybertimber2008]

I would agree with hardware for a WEBSERVER, especially a main one. In a DDOS attack, your hardware firewall will be better able to deal with the load, and your Webserver won't see any of the attack (if it's blocked) meaning that internal users will still be able to access it.

Outgoing, you could use either or both. If you already have hardware firewall in place and configured, you're only benifit of moving to software outgoing is to allow for more incoming load.

[Bryan R.]

Hardware for incoming, software for outgoing.

Care to elaborate?

[sc302 Veteran]

If u have a clean machine there is no reason for one. If you have a compromised server you have no business in the server room.

Servers are not supposed to be workstations and you should not use them as such. Even on a pc, if you plan on doing things that will compromise it or plan on giving a pc to someone who has the ability to compromise it, the pc should be protected in its own area to not compromise the rest of the network or itself. There is absolutely no reason for a software firewall unless on dial up where the computer is directly exposed to the internet or in a situation to where the server and/or pc is directly exposed.

If the network has the right equipment and has been setup by the right people, the only thing that your computers will be infected with is end user stupidity.

[Salty Wagyu]

Care to elaborate?

Because most hardware firewalls allow everything outgoing, only the incoming is firewalled. Software firewalls can alert and block those outgoing attempts, but yes, your PC would have to be compromised in the first place by the user recklessly executing a trojan, or a trojan sneaking into the installation files of his/her favourite software is also possible and could happen to anyone.

Once that trojan has connected to the internet, your hardware firewall now allows any incoming connections to this trojan simply because the hardware firewall saw this outgoing connection be allowed.

[sc302 Veteran]

Because most hardware firewalls allow everything outgoing, only the incoming is firewalled. Software firewalls can alert and block those outgoing attempts, but yes, your PC would have to be compromised in the first place by the user recklessly executing a trojan, or a trojan sneaking into the installation files of his/her favourite software is also possible and could happen to anyone.

Once that trojan has connected to the internet, your hardware firewall now allows any incoming connections to this trojan simply because the hardware firewall saw this outgoing connection be allowed.

A good hardware firewall you can block all other ports than the ones needed, quite a few, but can be done. If you have the right monitoring hardware, you will see any thing coming off your computers on your network and can take action accordingly. You can even have a log sent to you of all activity, you know what your server names are or at least their IPs, so you can easily see what is going across your network on the outbound.

Servers get compromised daily, however it is because people use them for their own personal browsing or "trying" software on them. A production environment is not for any of that.

[kaotixkc]

I'd go with Hardware for a major, production based server. If it's a private server with minimal traffic, then a software based firewall will be more than enough due to the smaller load it would have on the server itself.

As others have stated, if you have a hardware firewall, any attacks would have to breach the firewall before it could cause any problem to the main server. But you have to take into consideration that this is not what a firewall is designed for.

Yes, a firewall will block malicious attacks but it will not block a DDOS attack. A DDOS attack would disable the firewall and then any incoming traffic wouldn't be able to access your server. To avoid this you use load balancing servers, not firewalls. Ok, use them all in conjuction with each other but now it's going off topic. Most data centres have some kind of DDOS protection in place from their own switch. So you shouldn't have to worry about this kind of thing.

A software firewall can also be disabled, bypassed by rules/filtering (much like a hardware firewall could be bypassed) but if a software firewall goes down anything can get to your server and you cannot do anything about it.

If anyone else wants to add anything or correct me, please feel free.

[Packet1009]

aarste, just out of curiosity, could you cite some vendors / implementations please?

my experience has been that the commercial grade firewalls come closed up by default - no traffic passes in any direction, be it incoming or outgoing unless explicitly allowed

[sc302 Veteran]

Yes, a firewall will block malicious attacks but it will not block a DDOS attack. A DDOS attack would disable the firewall and then any incoming traffic wouldn't be able to access your server. To avoid this you use load balancing servers, not firewalls. Ok, use them all in conjuction with each other but now it's going off topic. Most data centres have some kind of DDOS protection in place from their own switch. So you shouldn't have to worry about this kind of thing.

that depends on the firewall and/or other appliances in place. For instance a barracuda link balancer (has a built in firewall) protects from ddos attacks.

http://www.barracudanetworks.com/ns/products/balancer_features.php - just as an example.

[JunkMail]

<br />that depends on the firewall and/or other appliances in place.??For instance a barracuda link balancer (has a built in firewall) protects from ddos attacks.??<br /><a href='http://www.barracudanetworks.com/ns/products/balancer_features.php' class='bbc_url' title='External link'>http://www.barracuda...er_features.php</a> - just as an example.<br />

<br /><br /><br />

OK :) I would like to know more hardware firewalls capable of doing everything that Agnitum Firewall is doing in software, are there any such hardware firewall?

Sometimes, my downloads remains all night and I'm forced to keep computer ON (low powered) however, if someone knows of Router+FireWall+LAN+WLAN+Plus+Plus, now would be the right time to speak

[sc302 Veteran]

sonicwall. Router + firewall + antimalware + content filter to block the known malware sites + WLAN + LAN + + +

they kind of suck (flakey at times), but everything is there in one appliance ala carte (you pay for each addon you want/need). Otherwise you are looking at a hardware firewall (router) + content filter with antimalware protection + wireless access point +

explain to me what features you like in your software, and maybe I/we can suggest something that taylors to your needs. I have no clue what that POS software firewall is doing for you, but it seems like it isn't doing too good by you (which is why I will always state they are the worst invention in the computer world and the person who invented them should be hung by their balls, not saying they don't serve a purpose but are very misused).

[sc302 Veteran]

A Sonicwall TZ 210 with wireless N would do what you want. Maybe a Sonicwall TZ 100 with wireless. You never stated price.

[CCS-IT]

Hello Guys,

Thanks for your valuable reply's, i got now hardware firewall fortigate 60c for my Web server...

[Renshaw]

On a small network. Server three pc. as the server is functioning to cover all eliminates of the network

You'd say a set up of internet > hardware firewall > server > switch > pc

Is best set up then?

What are the limitation of software based firewalls on the server? is their better control over content through a hardware firewall?

Thanks, I was curious :)

[sc302 Veteran]

On a small network. Server three pc. as the server is functioning to cover all eliminates of the network

You'd say a set up of internet > hardware firewall > server > switch > pc

Is best set up then?

What are the limitation of software based firewalls on the server? is their better control over content through a hardware firewall?

Thanks, I was curious :)

basically the limitations are they are overbearing pos'es. They block more than they need to the point of too much and even when you "allow all traffic" it still blocks access to your computer when sharing files (mcafee, symantec). Or they block you from accessing web mail randomly or using torrents or downloading patches from adobe, microsoft, java, etc (zonealarm). The other side of it is that your computer is monitoring requests, whatever gets to your computer and then your computers software decides whether to accept or not. The fix to this, that I have found, is either completely disabling the firewall feature or uninstalling it completely (sometimes disabling isn't enough). Enabling ports, setting to allow all traffic, setting exceptions for your ip subnet aren't enough in some cases to allow traffic that you want to access your computer.

A hardware firewall takes this request and trashes it if needed, no extra processes taken on your computer to process traffic, no extra software on you computer needed. You can control the whole network with a hardware firewall depending on the type, this includes what sites your computers can go to, what types of sites you are going to allow your computers to go to, it can be based on user or by computer, you can allow a user access to one site, all sites, everything but advertisements, etc (this is the content filter add on), it can also scan for viruses helping the real time scanner of the pc (with the av module purchased, and depending on the fw it can also have a real time client on the pc and monitor that), as well as do firewall packet inspections. A linksys no, but a fortigate or sonicwall, etc, yes (depending on the modules you purchased).

A hardware firewall can be a very powerful tool if purchased the right one.

Limitations on sw firewall: configuration

Is there better control on a hw firewall: yes depending on what you purchase/install

[Renshaw]

I see the advantage of this that you can control traffic allot more simply.

what i'm setting up is on a low end budget just based on where it is.

What is the best to get hold of second hand maybe to keep the price down around £150 (uk) or somewhere to looking to to prices verse features.

Just to complete my proposal to the directors. :)

Also are Router with build in firewalls at all affective?

Thank you.

(sorry for stealing your post, but i believe your question was answered) :)

[sc302 Veteran]

you are going to have to look. sonicwall a transfer of ownership will be needed or sonicwall will not support you or allow you to add in add ons.

NAT is as basic of a firewall as it gets and, as far as I know, every router is capable of NAT. The low end (linksys, belkin, netgear, d-link, etc) have NAT enabled out of the box.

[Rudy]

Hardware all the way

[+BudMan MVC]

"what i'm setting up is on a low end budget just based on where it is."

If you on a shoe string budget, I would really suggest you look into setting up a linux distro to be used as your networks gateway/firewall.

I would suggest pfsense, but you could also take a look at ipcop, smoothwall, m0n0wall, etc. There are plenty of linux distro gateway/firewalls out there - many designed to run on older pc hardware, but can also be bought/installed on an appliance. This pretty much what sonicwall is, software running on dedicated hardware.

This is what every hardware firewall is -- software running on dedicated hardware. Be it the software is loaded from a true HDD, or nvram, CF, etc.

If you on a budget you can not beat the power you can get with something like pfsense running on some throw away PC you had laying around.. Mine is running on a old p3 - 800, with 256MB of ram and an old 6GB HDD.

You will be amazed at the ease of use and depth of features available and speed -- even on older hardware.

keep in mind if you want to start getting real fancy with IPS/IDS (snort), ntop, squid, squidguard (web content filtering), antivirus proxy, vpn endpoint, modsecurity package (web application firewall), IP Blacklist, hardware failover (CARP), etc. etc.. then you might need some more horse power and ram to allow for more features.. How many users, what bells and whistles you want to use would determine the level of cpu and ram you would need to handle number of users and bandwidth, etc.

To be honest really easy/cheap way for home users or ma an pop shops or even bigger companies to get the power and functionality of a hardware firewalls for FREE ;)

[bruNo_]

^

Great post, great explanation. (Y)