Re: Help with finding hardware firewall that acts like software firewall

From: phil
Date: 03/09/03

From: phil <>
Date: Sat, 08 Mar 2003 21:13:31 -0600

I guess I am just very disappointed in the lack of being able to
adequately configure my BEFSX41. It is very limiting in its options,
such as the inability to filter a port both in/out bound - you have to
do one for each. The limited number of rules that can be established,
terrible logging (hard to read), and no feedback in real time as to
what has been blocked or why something has been denied. Could you
recommend another alternative firewall that might do better in these
areas? I have read about Sonic SOHO3, is that a good one? Thanks for
your help and advice.

On Sat, 08 Mar 2003 22:58:20 GMT, "David" <>

>It could be done however I don't know that anyone is currently doing it. To
>pull this off properly you would still need a client agent on each desktop that
>is responsible for identifying and more importantly validating that each
>application is truly what it is supposed to be. The closest I have seen to
>this in a dedicated hardware device implements filters at the application
>level but does not truly control things as per specific program executable.
>They are basically filtering the application data within the packets. Take a
>look at the CyberGuard KnightStar on the web. Even this is truly just a SCO
>Unix box underneath with a specific application suite installed. It seems
>that such an appliance would simply end up being a souped up pc with a
>jacked-up price tag. At that point I would much rather build my own scalable
>solution that is tuned and configured for my specific needs and does not
>hold me hostage to the firmware developers of the appliance.
>The biggest advantage to using a hardware device is performance. Filtering
>with an application gateway can impose quite a performance hit so it is best
>done on servers which are easily upgraded, clustered, and easily integrated
>with other types of access control which are often platform specific.
>Your best bet these days might be to set up dedicated application gateway
>server and in addition use a relatively inexpensive but efficient packet
>filtering device at the perimeter to take care of the majority of the
>unsolicited traffic and to keep the load of certain DoS attacks off of the
>application gateway. ISA server provides a great application gateway if you
>are in a Windows specific environment. You would still need something on
>each desktop to validate the executables to get to the level of application
>protection provided by some of the personal firewalls, however I don't know
>of anything that works in real-time and also allows for exclusive
>centralized management. You can use something like ISS's RealSecure agents,
>however this leaves some of the management in the hands of the end user if
>the desktops are not static as far as installed applications are concerned.
>And the frequency of security patches these days throws that notion right
>out the window. There are other ways to go about this though.
>All in all through a combination of software products you can get very close
>to the application control provided for in some of the personal firewalls
>while taking the administration of such control off the individual desktop.
>And your other firewall functionality will far surpass what any of these
>personal firewalls provide. I suspect the administrative control issue is
>the whole point of doing such since it is otherwise pointless to consolidate
>some of the processor use centrally.
>This reminds me of a fairly new IBM commercial. "There is no universal
>There is no magic box for this however there is a way to put much of it on
>centrally managed servers.
>> A software firewall resides on your PC. As such it can offer the ability to
>> filter the application(s) on your PC that are responsible for using a
>> specific port or ports.
>> OTOH a hardware firewall is a physically separate device from your PC. As
>> such it does not have the ability to know which applications on your PC are
>> responsible for using a specific port or ports.
>> While I could be mistaken I think the best that you can probably do would be
>> to implement a hybrid firewall that offers application layer filtering and
>> even this is not the same as what you're looking to accomplish.
>> > Help/advice finding the following SOHO firewall:
>> >
>> > I would like to purchase a hardware firewall that will let me filter
>> > (allow/deny/ask) by application and port just like software firewalls
>> > do. I would also like it to prompt me just as the software firewalls do
>> > when it intercepts incoming and outgoing traffic that it does not
>> > have a specific rule for. Of course most bang for the buck, but
>> > without sacrificing the above requirements.
>> >
>> > Thanks.
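To make the thread's central point concrete: the link from a network socket to the executable that opened it exists only on the host, which is why an appliance in front of the PC cannot filter per application while a host agent can. The following is an added illustration, not code from anyone in this thread, of how a Linux host agent would recover that link from /proc and apply the allow/deny/ask policy the original poster describes; the /proc/net/tcp sample is constructed, and the allowlist keys on a SHA-256 of the executable image so that a renamed or replaced binary does not inherit another program's permissions.

```python
import hashlib
import os
from pathlib import Path

# Constructed sample in the /proc/net/tcp format (header + two sockets); the live file is /proc/net/tcp.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:A1B2 5EDE2E17:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1
"""

def hex_to_ip_port(field):
    """'0100007F:01BB' -> ('127.0.0.1', 443); the kernel prints IPv4 in host byte order (little-endian on x86)."""
    ip_hex, port_hex = field.split(":")
    octets = [int(ip_hex[i:i + 2], 16) for i in (6, 4, 2, 0)]
    return ".".join(map(str, octets)), int(port_hex, 16)

def parse_proc_net_tcp(text):
    """One dict per socket row: local/remote endpoints, state code and owning socket inode."""
    sockets = []
    for parts in (line.split() for line in text.splitlines()[1:]):   # [1:] skips the header row
        if len(parts) >= 10:
            sockets.append({"local": hex_to_ip_port(parts[1]), "remote": hex_to_ip_port(parts[2]),
                            "state": parts[3], "inode": int(parts[9])})   # state 0A=LISTEN, 01=ESTABLISHED
    return sockets

def owning_pid(inode, proc="/proc"):
    """PID holding socket `inode`, found by walking /proc/<pid>/fd (Linux; other users' fds need root)."""
    target = f"socket:[{inode}]"
    for pid_dir in (p for p in Path(proc).iterdir() if p.name.isdigit()):
        try:
            if any(os.readlink(fd) == target for fd in (pid_dir / "fd").iterdir()):
                return int(pid_dir.name)
        except OSError:   # process exited or its fd table is not readable
            continue
    return None

def exe_sha256(pid, proc="/proc"):
    """Hash the executable image behind the PID, so policy keys on what the binary is, not what it is named."""
    with open(os.path.realpath(f"{proc}/{pid}/exe"), "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def decide(exe_hash, remote_port, policy):
    """allow / deny / ask per executable hash and port; an executable not in the policy always gets 'ask'."""
    rule = policy.get(exe_hash, {})
    if remote_port in rule.get("deny", ()):
        return "deny"
    return "allow" if remote_port in rule.get("allow", ()) else "ask"
```

On a live host the pieces chain as parse_proc_net_tcp(open("/proc/net/tcp").read()) -> owning_pid(inode) -> exe_sha256(pid) -> decide(hash, remote_port, policy); a perimeter device sees only the first of these four values.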