RE: Hardware Firewall vs Software Firewall

From: McHugh, Sean (SMchugh@grey.com)
Date: 10/02/01


Message-ID: <E087B1AAE943D511A6C400508BDF15E6CCB701@xch5s.grey.com>
From: "McHugh, Sean" <SMchugh@grey.com>
To: "'security-basics@securityfocus.com'" <security-basics@securityfocus.com>
Subject: RE: Hardware Firewall vs Software Firewall
Date: Mon, 1 Oct 2001 18:13:48 -0400 

Actually, I think a hardware firewall might be something different. A PIX box is definitely just a PC, like a lot of other so-called 'hardware firewalls' out there.

But, there are boxes that implement filtering and such in ASIC chips, which is supposed to be considerably faster than the method the PIX and other boxes use. I think the ASIC based firewalls can be properly considered to be hardware firewalls. Whether they are faster and/or more secure is a question I am not able to answer.

-----Original Message-----
From: Frank Dick [mailto:fdick@pironet-ndh.com]
Sent: Monday, October 01, 2001 5:16 AM
To: 'theog@yoda.dnsq.org'; 'Mickey S. Olsberg'; 'Luke LeBoeuf';
'satyam'; 'security-basics@securityfocus.com'
Subject: RE: Hardware Firewall vs Software Firewall

The Cisco Secure PIX is a high performing firewall, as it does nothing more than basic firewalling (with VPN-Server).

The PIX offers Stateful Inspection (tracking the source and destination address, TCP sequence numbers, port numbers, and additional TCP flags); if you use other features (more content aware) or NAT, it will not beat other firewalls in performance. Even logging is outsourced to a syslog server as the PIX runs completely from flash memory.

The PIX runs on Intel hardware and a proprietary (Cisco IOS like) operating system.

"One of our main goals was to move our platforms to a purely embedded
design, while using the fastest processors available," explains Adam Walb,
manager of hardware engineering at Cisco. Based on Cisco specifications,
Intel worked with Cisco engineers to implement a design based on the Intel®
Celeron(tm) and Pentium® III processors, Intel® 440BX chipset, Intel®
82559ER Ethernet controller, and Intel® Boot Block flash and Intel
StrataFlash® memory devices, integrated in a small form-factor motherboard.
(http://developer.intel.com/platforms/applied/eiacomm/commfocus/ttm.htm)

PIX 506 Processor: 1 x Intel Pentium MMX 200 MHz (throughput 8 MBit/sec)
...
PIX 535 Processor: 2 x Intel Pentium III 1 GHz (throughput 1 GBit/sec)

You see, there is nothing mysterious about Hardware-Firewalls.

I didn't follow this thread so I don't actually know if someone mentioned that hardware firewalls mostly do not need as much maintenance as software firewalls. In general, hardware firewalls are not faster than software firewalls, but easier to use as you do not have to install and configure the OS (initially installed by the manufacturer; updates via tftp or Windows programs). In general the hardware comes from other manufacturers than the firewall (NOKIA, Cobalt (now SUN)); if you have problems nobody feels responsible and they will say that the problem is caused by the other manufacturer.

Regards

Frank

--

PIRONET NDH
Frank Dick - Head of eSecurity
Theodor-Heuss-Strasse 92-100 - 51149 Cologne Germany
Phone: +49 (0)2203 935 300 - Fax: +49 (0)2203 935 3099
mailto:fdick@pironet-ndh.com - http://www.pironet-ndh.com
http://www.esecurity.de

-----Original Message-----
From: theog@yoda.dnsq.org [mailto:theog@yoda.dnsq.org]
Sent: Friday, 28 September 2001 02:53
To: Mickey S. Olsberg; 'Luke LeBoeuf'; 'satyam'; security-basics@securityfocus.com
Subject: RE: Hardware Firewall vs Software Firewall

Well, you would be right if you had a 100bps internet connection throughout the internet, but it is not the case; even if it was so, you can use load balancing with two or more machines acting as one firewall.

TheOg

-----Original Message-----
From: Mickey S. Olsberg [mailto:molsberg@hotmail.com]
Sent: Thursday, September 20, 2001 11:30 AM
To: 'Luke LeBoeuf'; 'satyam'; security-basics@securityfocus.com
Subject: RE: Hardware Firewall vs Software Firewall

I don't know if anyone has addressed this yet, but most of the reasons for choosing a hw firewall over a sw one are purely throughput. A software firewall, while more robust and much more configurable (for things like mail filtering), takes a lot more time to pass packets than a hardware firewall, and as such cannot handle the sheer load or bandwidth utilization that a hw one can. Think of a hardware firewall, such as the PIX, as a glorified router with specialized Access Control Lists, hence the reason for it being faster.

My .02, Mickey
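As an added illustration of the two designs described in Frank's and Mickey's posts above (a stateful inspection table keyed on addresses, ports and TCP flags, versus a router-style ACL that judges each packet on its own), here is example code written for this page, not code from any PIX or IOS implementation. The packet records, the "10.0.0." inside network prefix and all addresses are constructed for the demo.

```python
from dataclasses import dataclass
INSIDE_NET = "10.0.0."   # constructed: prefix of the protected (inside) network

@dataclass(frozen=True)
class Pkt:                # constructed packet summary; flags are letters
    src: str
    sport: int
    dst: str
    dport: int
    flags: str            # "S" = SYN, "SA" = SYN-ACK, "A" = ACK, "R" = RST

def stateless_acl(p: Pkt) -> bool:
    """Router-style ACL: outbound always, inbound only with the ACK bit set.
    Judging one packet at a time, it cannot tell a reply from an unsolicited ACK."""
    if p.src.startswith(INSIDE_NET):
        return True
    return "A" in p.flags

class StatefulFilter:
    """Connection table keyed on the inside host's (src, sport, dst, dport)."""
    def __init__(self):
        self.table = {}   # 4-tuple -> "SYN_SENT" | "ESTABLISHED"

    def allow(self, p: Pkt) -> bool:
        if p.src.startswith(INSIDE_NET):
            key = (p.src, p.sport, p.dst, p.dport)
            if p.flags == "S":                  # inside host opens a connection
                self.table[key] = "SYN_SENT"
                return True
            return key in self.table            # other outbound needs a session
        key = (p.dst, p.dport, p.src, p.sport)  # inbound: look up by inside side
        state = self.table.get(key)
        if state is None:
            return False                        # unsolicited, even with ACK set
        if state == "SYN_SENT" and p.flags == "SA":
            self.table[key] = "ESTABLISHED"     # handshake reply completes setup
        elif "R" in p.flags:
            del self.table[key]                 # reset tears the session down
        return True

def run_demo():
    """Constructed traffic through both filters -> {label: (stateless, stateful)}."""
    fw = StatefulFilter()
    traffic = [
        ("outbound SYN", Pkt("10.0.0.5", 40000, "198.51.100.7", 80, "S")),
        ("SYN-ACK reply", Pkt("198.51.100.7", 80, "10.0.0.5", 40000, "SA")),
        ("unsolicited ACK", Pkt("203.0.113.9", 31337, "10.0.0.5", 22, "A")),
        ("unsolicited SYN", Pkt("203.0.113.9", 31337, "10.0.0.5", 22, "S")),
    ]
    return {label: (stateless_acl(p), fw.allow(p)) for label, p in traffic}
```

The third case is the one that separates the designs: the stateless ACL admits any inbound packet with ACK set, while the stateful table drops it because no inside host opened that session.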

-----Original Message-----
From: Luke LeBoeuf [mailto:lleboeuf@riptech.com]
Sent: Wednesday, September 19, 2001 11:42 AM
To: 'satyam'; security-basics@securityfocus.com
Subject: RE: Hardware Firewall vs Software Firewall

Hardware with proprietary IOS.

Luke S. LeBoeuf

Riptech, Inc.
Real-Time Information Protection
(c) 703.593.6127
(e) luke@riptech.com
http://www.riptech.com/

-----Original Message-----
From: satyam [mailto:datasoftvsp@sify.com]
Sent: Wednesday, September 19, 2001 1:51 AM
To: security-basics@securityfocus.com
Subject: Re: Hardware Firewall vs Software Firewall

Hi, what is Cisco PIX, a s/w or h/w firewall?

regards
dp-newbie

----- Original Message -----
From: Leytens Francois X. <F.Leytens@sedelec-vs.ch>
To: <devdas@worldgatein.net>; Shaun Prince <Info@cabletek.ca>
Cc: <security-basics@securityfocus.com>
Sent: 18 September 2001 13:48
Subject: RE: Hardware Firewall vs Software Firewall

Hi all,

About this ambiguous subject, my experience is that:

A software firewall is set on an OS and often, the OS presents more security holes than any software firewall. The other fact is that one of the simplest pieces of info to get is the OS brand and version and therefore it is very easy to check all vulnerabilities about that OS. You must then secure your OS and then install your firewall and secure it. You need to upgrade both OS and firewall as well as maintaining both. The fact that a software firewall is cheaper is true but don't forget to add the hardware price and the OS license. Also, the IP stack with all the networking hardware on the computer might give you limitations.

A hardware firewall usually works closer to the hardware and most of the time is integrated into the hardware OS. Often, this OS is unknown and hard to attack (I said often and not all the time). When you need to patch your firewall, the patches are very often (again) for both OS and firewall and you don't need to care about patches for one or the other. In this case, the networking hardware and the IP stack are often better and more integrated.

You can even work with a mix of the two (like the Nokia one) which is dedicated hardware with a dedicated OS (based on BSD) and with a Checkpoint licence installed on it. In this case the upgrade and maintenance are still the same as the hardware box but working with a software product.

In my point of view, the most critical point to check to make your decision is the throughput you need across your firewall.

Hope this can help

regards

Francois X. LEYTENS

********************************
Francois X. LEYTENS
Directeur - Ingénieur
SEDELEC SA VALAIS
Rue du Chemin de Fer 24
Case Postale 16
1958 St Leonard
--------------------------------
Tel : +41 27 205 6000
Direct : +41 27 205 6002
Mobile : +41 79 205 6002
Fax : +41 27 205 6001
Email : f.leytens@sedelec-vs.ch
********************************

> -----Original Message-----
> From: Devdas Bhagat [SMTP:devdas@worldgatein.net]
> Date: Saturday, 15 September 2001 08:35
> To: Shaun Prince
> Cc: security-basics@securityfocus.com
> Subject: Re: Hardware Firewall vs Software Firewall
>
> On Fri, 14 Sep 2001, Shaun Prince spewed into the ether:
> > Could anyone explain why most people prefer to use software firewalls as
> > opposed to using hardware firewalls?
> At some point, your firewall is software. If it was purely hardware,
> you would not be able to configure it in any way other than the default
> settings. The benefits of a hardware (or rather firmware) based
> firewall are that most work is done very close to the hardware, as
> opposed to the usual software firewall which runs on an OS, or in an
> OS kernel. The biggest advantage of a software firewall is that it is
> cheaper, and easier to upgrade and maintain than a hardware firewall.
> My recommendation would be to go with what you can secure properly and
> fits in your budget.
>
> Devdas Bhagat
> --
> Power corrupts. And atomic power corrupts atomically.
