Re: Hardware vs software firewall

From: Mark S (marks_at_nothere.com)
Date: 12/23/04


Date: 22 Dec 2004 21:18:05 -0600

A hardware firewall usually runs a hardened OS, or in some cases a
proprietary OS. So you don't have to worry about underlying OS security
flaws or configuration issues.

Most hardware firewalls get regular feature updates with new firmware
releases.

Finally, a lot of hardware firewalls run on ASICs designed for this type of
application. This gives much better performance than, say, throwing a generic
x86 family chip into a box and hoping for the best. It also limits potential
failure points that are redundant to the unit's operation (i.e. graphics card,
keyboard and mouse I/O ports).

You need to research the product to figure out what you're getting.

Take these examples:
Checkpoint - Software Firewall
Cisco Pix - Appliance, but running on Intel chipset without ASICs, so it's
really a software firewall
Netscreen - ASIC based appliance
Sonicwall - ASIC based appliance
Fortinet - ASIC based appliance

Take the entry level products in each, then compare the throughput
capabilities (i.e. Cisco PIX 501 vs Netscreen 5GT and Sonicwall TZ170). You'll
soon see the software boxes suck.

Some would argue that the software firewalls offer better upgrade paths. But
once again, take the entry level Cisco & Checkpoint products vs the entry
level Netscreen/Sonicwall/Fortinet and you find the appliance feature set is
far greater (i.e. Gateway AV, IDP/DI, Anti-Spam, Content Filtering). And in
some cases, like the Netscreen vs the Cisco, you'll find the fundamental
routing and VPN capabilities are also far greater.

"NCBill" <wrwnc@donotreplybellsouth.net> wrote in message
news:V6nyd.53$5y3.32@bignews5.bellsouth.net...
> In an earlier thread, it was said that a hardware firewall is superior
> to a software firewall. In fact a recommendation was made to buy a
> router with built in firewall.
>
> As a clueless newbie to firewall alternatives, I would naively think
> that a software firewall, with regular updates would be better than a
> hardware firewall, which would seem to be unable to adapt. Obviously, I
> am missing something here.
>
> Could someone help me understand why a hardware firewall is superior to
> a software one?
