Hardware Firewall VS Software firewall



Hi friends,

Now we are using a shared hardware firewall for our web server; actually we want to know whether we can switch to a software firewall on our web server. If you advise that it is good to switch from the shared hardware firewall to a software firewall, then please give me the software firewall details: which is the best?

We are using Windows 2008 Web Edition 32-bit with 4 GB RAM.

Why would you go to a software firewall? Do you like introducing more issues to your server? Do you like using extra resources that are precious to a server? If properly used a hardware firewall is best as the attacks need to get through the hardware firewall before they get to the server and chances are they aren't going through.

I would agree with hardware for a WEBSERVER, especially a main one. In a DDOS attack, your hardware firewall will be better able to deal with the load, and your Webserver won't see any of the attack (if it's blocked) meaning that internal users will still be able to access it.

Outgoing, you could use either or both. If you already have a hardware firewall in place and configured, your only benefit of moving to software for outgoing is to allow for more incoming load.

If you have a clean machine there is no reason for one. If you have a compromised server you have no business in the server room.

Servers are not supposed to be workstations and you should not use them as such. Even on a PC, if you plan on doing things that will compromise it, or plan on giving a PC to someone who has the ability to compromise it, the PC should be protected in its own area so as not to compromise the rest of the network or itself. There is absolutely no reason for a software firewall unless on dial-up, where the computer is directly exposed to the internet, or in a situation where the server and/or PC is directly exposed.

If the network has the right equipment and has been set up by the right people, the only thing that your computers will be infected with is end-user stupidity.

  On 27/09/2010 at 13:30, Xenosion said:

Care to elaborate?

Because most hardware firewalls allow everything outgoing; only the incoming is firewalled. Software firewalls can alert on and block those outgoing attempts, but yes, your PC would have to be compromised in the first place by the user recklessly executing a trojan. A trojan sneaking into the installation files of his/her favourite software is also possible and could happen to anyone.

Once that trojan has connected to the internet, your hardware firewall now allows incoming connections to this trojan simply because the hardware firewall saw this outgoing connection being allowed.

  On 27/09/2010 at 13:57, aarste said:

Because most hardware firewalls allow everything outgoing; only the incoming is firewalled. Software firewalls can alert on and block those outgoing attempts, but yes, your PC would have to be compromised in the first place by the user recklessly executing a trojan. A trojan sneaking into the installation files of his/her favourite software is also possible and could happen to anyone.

Once that trojan has connected to the internet, your hardware firewall now allows incoming connections to this trojan simply because the hardware firewall saw this outgoing connection being allowed.

With a good hardware firewall you can block all ports other than the ones needed; quite a few, but it can be done. If you have the right monitoring hardware, you will see anything coming off the computers on your network and can take action accordingly. You can even have a log of all activity sent to you; you know what your server names are, or at least their IPs, so you can easily see what is going across your network on the outbound side.

Servers get compromised daily, however it is because people use them for their own personal browsing or "trying" software on them. A production environment is not for any of that.
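The two posts above describe the same mechanism from opposite sides: a stateful perimeter firewall records each permitted outbound connection and then lets the replies back in, so a host that is allowed to connect anywhere can also receive its callbacks, whereas an egress allow-list stops the connection before any state exists. The following model is an added example, not code from the thread or from any firewall vendor; the traffic sample, host names and addresses (RFC 5737 documentation ranges) are constructed for illustration, and the rule evaluation is a deliberate simplification of a real connection-tracking engine.

```python
"""Stateful firewall model: why 'allow all outbound' lets a compromised host call home,
and how a destination-port egress allow-list changes that.
Constructed example; addresses are RFC 5737 documentation ranges."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# (proto, src_ip, src_port, dst_ip, dst_port) as seen from the LAN side
FlowKey = Tuple[str, str, int, str, int]


@dataclass(frozen=True)
class Packet:
    direction: str   # "out" = LAN -> Internet, "in" = Internet -> LAN
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class StatefulFirewall:
    """Minimal perimeter firewall with a connection table.

    inbound_allow: (dst_ip, dst_port) pairs explicitly published (the web server's port 80).
    egress_allow:  destination ports LAN hosts may initiate connections to; None means
                   'allow everything outbound', the default the thread describes.
    """

    def __init__(self, inbound_allow: Set[Tuple[str, int]], egress_allow: Optional[Set[int]]):
        self.inbound_allow = inbound_allow
        self.egress_allow = egress_allow
        self.established: Set[FlowKey] = set()
        self.log: List[str] = []

    @staticmethod
    def _key(p: Packet) -> FlowKey:
        return (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)

    @staticmethod
    def _reverse_key(p: Packet) -> FlowKey:
        # The reply to an outbound flow has source and destination swapped.
        return (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)

    def process(self, p: Packet) -> bool:
        """Return True if the packet is allowed; record the decision in self.log."""
        if p.direction == "out":
            if self.egress_allow is None or p.dst_port in self.egress_allow:
                # New outbound flow: remember it so replies are accepted later.
                self.established.add(self._key(p))
                verdict, reason = True, "egress permitted, flow recorded"
            else:
                verdict, reason = False, "egress port not on allow-list"
        else:
            if self._reverse_key(p) in self.established:
                verdict, reason = True, "reply to established outbound flow"
            elif (p.dst_ip, p.dst_port) in self.inbound_allow:
                verdict, reason = True, "published service"
            else:
                verdict, reason = False, "unsolicited inbound"
        self.log.append(f"{p.direction:>3} {p.src_ip}:{p.src_port} -> {p.dst_ip}:{p.dst_port} "
                        f"{'ALLOW' if verdict else 'DROP'} ({reason})")
        return verdict


def run_scenario(egress_allow: Optional[Set[int]]) -> Dict[str, bool]:
    """Replay a constructed traffic sample and return each packet's verdict by name."""
    web_server, client, c2 = "192.0.2.10", "203.0.113.5", "198.51.100.7"
    fw = StatefulFirewall(inbound_allow={(web_server, 80)}, egress_allow=egress_allow)
    traffic = [
        # A visitor reaching the published web service.
        ("visitor_http", Packet("in", client, 51000, web_server, 80)),
        # The server fetching an update over HTTPS, then the reply.
        ("server_https_out", Packet("out", web_server, 40000, "203.0.113.80", 443)),
        ("server_https_reply", Packet("in", "203.0.113.80", 443, web_server, 40000)),
        # A trojan on the server calling home on an unusual port, then the reply.
        ("trojan_beacon_out", Packet("out", web_server, 40001, c2, 4444)),
        ("c2_reply_in", Packet("in", c2, 4444, web_server, 40001)),
        # An unsolicited probe to a port that was never published.
        ("rdp_probe_in", Packet("in", c2, 52000, web_server, 3389)),
    ]
    return {name: fw.process(pkt) for name, pkt in traffic}


if __name__ == "__main__":
    for label, policy in (("allow-all egress", None), ("egress allow-list", {53, 80, 443})):
        print(f"--- {label} ---")
        for name, ok in run_scenario(policy).items():
            print(f"{name:20s} {'ALLOW' if ok else 'DROP'}")
```

With allow-all egress the beacon and its reply both pass, because the firewall is doing exactly what a stateful firewall is meant to do; the rdp probe is dropped either way. With the allow-list the beacon never creates state, so the reply is dropped as unsolicited. A real deployment would also need to consider that a beacon on port 443 passes the allow-list, which is where the egress logging and monitoring the second post mentions comes in.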

I'd go with hardware for a major, production-based server. If it's a private server with minimal traffic, then a software-based firewall will be more than enough due to the smaller load it would have on the server itself.

As others have stated, if you have a hardware firewall, any attacks would have to breach the firewall before it could cause any problem to the main server. But you have to take into consideration that this is not what a firewall is designed for.

Yes, a firewall will block malicious attacks, but it will not block a DDoS attack. A DDoS attack would disable the firewall and then any incoming traffic wouldn't be able to access your server. To avoid this you use load-balancing servers, not firewalls. OK, use them all in conjunction with each other, but now it's going off topic. Most data centres have some kind of DDoS protection in place from their own switch, so you shouldn't have to worry about this kind of thing.

A software firewall can also be disabled or bypassed by rules/filtering (much like a hardware firewall could be bypassed), but if a software firewall goes down, anything can get to your server and you cannot do anything about it.

If anyone else wants to add anything or correct me, please feel free.

aarste, just out of curiosity, could you cite some vendors / implementations please?

My experience has been that the commercial-grade firewalls come closed up by default: no traffic passes in any direction, be it incoming or outgoing, unless explicitly allowed.

  On 27/09/2010 at 14:58, kaotixkc said:

Yes, a firewall will block malicious attacks, but it will not block a DDoS attack. A DDoS attack would disable the firewall and then any incoming traffic wouldn't be able to access your server. To avoid this you use load-balancing servers, not firewalls. OK, use them all in conjunction with each other, but now it's going off topic. Most data centres have some kind of DDoS protection in place from their own switch, so you shouldn't have to worry about this kind of thing.

That depends on the firewall and/or other appliances in place. For instance a Barracuda Link Balancer (which has a built-in firewall) protects from DDoS attacks.

http://www.barracudanetworks.com/ns/products/balancer_features.php - just as an example.

  On 27/09/2010 at 18:48, sc302 said:

That depends on the firewall and/or other appliances in place. For instance a Barracuda Link Balancer (which has a built-in firewall) protects from DDoS attacks.

http://www.barracudanetworks.com/ns/products/balancer_features.php - just as an example.

OK :) I would like to know more about hardware firewalls capable of doing everything that Agnitum Firewall is doing in software. Are there any such hardware firewalls?

Sometimes my downloads remain running all night and I'm forced to keep the computer on (low-powered); however, if someone knows of a Router + Firewall + LAN + WLAN + plus + plus, now would be the right time to speak.

SonicWall. Router + firewall + anti-malware + content filter to block the known malware sites + WLAN + LAN + + +

They kind of suck (flaky at times), but everything is there in one appliance, à la carte (you pay for each add-on you want/need). Otherwise you are looking at a hardware firewall (router) + content filter with anti-malware protection + wireless access point +

Explain to me what features you like in your software, and maybe I/we can suggest something that tailors to your needs. I have no clue what that POS software firewall is doing for you, but it seems like it isn't doing too good by you (which is why I will always state they are the worst invention in the computer world and the person who invented them should be hung by their balls; not saying they don't serve a purpose, but they are very misused).


On a small network: server, three PCs, as the server is functioning to cover all elements of the network.

You'd say a setup of internet > hardware firewall > server > switch > PC

is the best setup then?

What are the limitations of software-based firewalls on the server? Is there better control over content through a hardware firewall?

Thanks, I was curious :)

  On 13/10/2010 at 22:51, Renshaw said:

On a small network: server, three PCs, as the server is functioning to cover all elements of the network.

You'd say a setup of internet > hardware firewall > server > switch > PC

is the best setup then?

What are the limitations of software-based firewalls on the server? Is there better control over content through a hardware firewall?

Thanks, I was curious :)

Basically the limitations are that they are overbearing POSes. They block more than they need to, to the point of too much, and even when you "allow all traffic" it still blocks access to your computer when sharing files (McAfee, Symantec). Or they block you from accessing webmail randomly, or using torrents, or downloading patches from Adobe, Microsoft, Java, etc. (ZoneAlarm). The other side of it is that your computer is monitoring requests: whatever gets to your computer, your computer's software then decides whether to accept it or not. The fix to this, that I have found, is either completely disabling the firewall feature or uninstalling it completely (sometimes disabling isn't enough). Enabling ports, setting it to allow all traffic, and setting exceptions for your IP subnet aren't enough in some cases to allow traffic that you want to access your computer.

A hardware firewall takes this request and trashes it if needed: no extra processes on your computer to process traffic, no extra software on your computer needed. You can control the whole network with a hardware firewall, depending on the type. This includes what sites your computers can go to and what types of sites you are going to allow your computers to go to; it can be based on user or on computer; you can allow a user access to one site, all sites, everything but advertisements, etc. (this is the content filter add-on). It can also scan for viruses, helping the real-time scanner of the PC (with the AV module purchased, and depending on the firewall it can also have a real-time client on the PC and monitor that), as well as do firewall packet inspection. A Linksys, no; but a FortiGate or SonicWall, etc., yes (depending on the modules you purchased).

A hardware firewall can be a very powerful tool if you purchase the right one.

Limitations of a software firewall: configuration.

Is there better control with a hardware firewall? Yes, depending on what you purchase/install.

I see the advantage of this: that you can control traffic a lot more simply.

What I'm setting up is on a low-end budget, just based on where it is.

What is the best to get hold of, second-hand maybe, to keep the price down to around £150 (UK), or somewhere to look at prices versus features?

Just to complete my proposal to the directors. :)

Also, are routers with built-in firewalls at all effective?

Thank you.

(Sorry for stealing your post, but I believe your question was answered.) :)

You are going to have to look. With SonicWall a transfer of ownership will be needed, or SonicWall will not support you or allow you to add in add-ons.

NAT is as basic a firewall as it gets and, as far as I know, every router is capable of NAT. The low end (Linksys, Belkin, Netgear, D-Link, etc.) have NAT enabled out of the box.

"What I'm setting up is on a low-end budget, just based on where it is."

If you are on a shoestring budget, I would really suggest you look into setting up a Linux distro to be used as your network's gateway/firewall.

I would suggest pfSense, but you could also take a look at IPCop, SmoothWall, m0n0wall, etc. There are plenty of Linux distro gateway/firewalls out there, many designed to run on older PC hardware, but they can also be bought/installed on an appliance. This is pretty much what SonicWall is: software running on dedicated hardware.

This is what every hardware firewall is: software running on dedicated hardware, whether the software is loaded from a true HDD, NVRAM, CF, etc.

If you are on a budget you cannot beat the power you can get with something like pfSense running on some throw-away PC you had lying around. Mine is running on an old P3-800 with 256 MB of RAM and an old 6 GB HDD.

You will be amazed at the ease of use, depth of features and speed, even on older hardware.

Keep in mind that if you want to start getting really fancy with IPS/IDS (Snort), ntop, Squid, SquidGuard (web content filtering), antivirus proxy, VPN endpoint, ModSecurity package (web application firewall), IP blacklist, hardware failover (CARP), etc., then you might need some more horsepower and RAM to allow for more features. How many users and what bells and whistles you want to use would determine the level of CPU and RAM you would need to handle the number of users, bandwidth, etc.

To be honest, it is a really easy/cheap way for home users, mom-and-pop shops or even bigger companies to get the power and functionality of a hardware firewall for FREE ;)
