RE : Hardware Firewall vs Software Firewall

From: Collin, Frederic (Frederic.Collin@ccq.org)
Date: 09/21/01


Message-ID: <A2D5EEB837D2D411AE6100062950D1F00286@ns1.ccq.org>
From: "Collin, Frederic" <Frederic.Collin@ccq.org>
To: 'Jeff Miller' <jrm.wa@verizon.net>, 'satyam' <datasoftvsp@sify.com>, security-basics@securityfocus.com
Subject: RE : Hardware Firewall vs Software Firewall
Date: Fri, 21 Sep 2001 09:23:42 -0400

Actually it is simply an overpriced packaged PC (P2 or P3), using either
Intel or 3Com NICs with a 2MB or 8MB or 16MB BOOT eeprom on either an ISA
(older Pix 520) or PCI (newer PIXes) card. The good stuff in there is the
Finesse OS on the flash rom (which is of course upgradable) which, compared
to other firewalls, is probably a LOT less prone to OS security holes. In the
case of security, smaller is better: auditing and producing a 2MB OS is much
better than trying to patch a full-blown OS into making it secure, and most
NT/W2K firewall vendors (for example) have no control over the holes (of the
OS) on which their software sits.

Just because a firewall is NCSA/ICSA certified doesn't mean there
aren't holes, they just haven't found them yet! Look at the latest Nimda
worm/virus: if you had a Pix, no matter where the attack came from, the Pix
itself wouldn't turn against you, whereas in the case of your software-based firewall
on the typical NT box it could well become your worst enemy, since it could
get infected from the inside. This of course doesn't apply to *nixes.

Frederic Collin
An OS is like Swiss cheese: the bigger it is, the more holes you get!

-----Original Message-----
From: Jeff Miller [mailto:jrm.wa@verizon.net]
Sent: 20 September 2001 03:56
To: 'satyam'; security-basics@securityfocus.com
Subject: RE: Hardware Firewall vs Software Firewall

Hardware. It runs on a specialized Cisco box.

-----Original Message-----
From: satyam [mailto:datasoftvsp@sify.com]
Sent: Tuesday, September 18, 2001 10:51 PM
To: security-basics@securityfocus.com
Subject: Re: Hardware Firewall vs Software Firewall

Hi,
What is Cisco PIX,
a s/w or h/w firewall?

regards
dp-newbie

----- Original Message -----
From: Leytens Francois X. <F.Leytens@sedelec-vs.ch>
To: <devdas@worldgatein.net>; Shaun Prince <Info@cabletek.ca>
Cc: <security-basics@securityfocus.com>
Sent: 18 September 2001 13:48
Subject: RE: Hardware Firewall vs Software Firewall

Hi all,

About this ambiguous subject, my experience is that:

A software firewall is set on an OS and often, the OS presents more security
holes than any software firewall. The other fact is that one of the
simplest pieces of info to get is the OS brand and version, and therefore it is very
easy to check all vulnerabilities about that OS. You must then secure your
OS and then install your firewall and secure it. You need to upgrade both OS
and firewall as well as maintaining both. The fact that a software firewall
is cheaper is true, but don't forget to add the hardware price and the OS
license. Also, the IP stack with all the networking hardware on the computer
might give you limitations.

A hardware firewall usually works closer to the hardware and most of the time
is integrated into the hardware OS. Often, this OS is unknown and hard to
attack (I said often and not all the time). When you need to patch your
firewall, the patches are very often (again) for both OS and firewall and you
don't need to care about patches for one or the other. In this case, the
networking hardware and the IP stack are often better and more integrated.

You can even work with a mix of the two (like the Nokia one), which is
dedicated hardware with a dedicated OS (based on BSD) and with a Checkpoint
licence installed on it. In this case the upgrade and maintenance are still
the same as the hardware box but working with a software product.

In my point of view, the most critical point to check to make your decision
is the throughput you need across your firewall.

Hope this can help

regards

Francois X. LEYTENS

********************************
Francois X. LEYTENS
Directeur - Ingénieur
SEDELEC SA VALAIS
Rue du Chemin de Fer 24
Case Postale 16
1958 St Leonard
--------------------------------
Tel : +41 27 205 6000
Direct : +41 27 205 6002
Mobile : +41 79 205 6002
Fax : +41 27 205 6001
Email : f.leytens@sedelec-vs.ch
********************************

> -----Original Message-----
> From: Devdas Bhagat [SMTP:devdas@worldgatein.net]
> Date: Saturday, 15 September 2001 08:35
> To: Shaun Prince
> Cc: security-basics@securityfocus.com
> Subject: Re: Hardware Firewall vs Software Firewall
>
> On Fri, 14 Sep 2001, Shaun Prince spewed into the ether:
> > Could anyone explain why most people prefer to use software firewalls
> > as opposed to using hardware firewalls?
> At some point, your firewall is software. If it was purely hardware,
> you would not be able to configure it in any way other than the default
> settings. The benefits of a hardware (or rather firmware) based
> firewall are that most work is done very close to the hardware, as
> opposed to the usual software firewall which runs on an OS, or in an OS
> kernel.
> The biggest advantage of a software firewall is that it is cheaper, and
> easier to upgrade and maintain than a hardware firewall.
> My recommendation would be to go with what you can secure properly and
> fits in your budget.
>
> Devdas Bhagat
> --
> Power corrupts. And atomic power corrupts atomically.
