Hardware Firewall??

What is the difference between a "hardware firewall" and a "software firewall"?

If there is a difference why does everybody say that the hardware one is better?

In my opinion the hardware firewall is the shield/wall between the engine compartment and the driver/passenger seats in a car!

I cannot see how hardware can protect against attacks from the Internet.

Is a firewall built into a router a hardware or software firewall?

I have a Freesco router and a software firewall running in hardware!

Ralph in Sweden

Reply to
Ralph Höglund

"Hardware Firewall" is a misnomer. Some top of the line so-called hardware firewalls have spinning disks.

Most folks in this newsgroup seem to equate hardware firewall with "real" firewall. Not true. Or sometimes hardware firewall is associated with any hardware NAT router solution. Not true. Lots more to it.

-Frank

Reply to
Frankster

So, a router with a firewall incorporated is a "Hardware firewall" then, right? There is really not any particular difference after all?

I mean if you buy a firewall box, the firewall is after all software.

So you mean that it is merely a definition of how it is packaged, not how good it is at protecting.

Why I am asking is that many people talk about the "hardware firewall" as a better solution than the software alternative.

In my opinion it must depend on how the software is configured, good filtering with stealthed ports and other security functions and so on.

Yours also, Ralph

Reply to
Ralph Höglund

The latter is sold without the hardware, where it's running.

Yours, VB.

Reply to
Volker Birk

A Firewall that acts as a router is not the same as a router with firewall features - notice the difference?

Both are appliances, so both are hardware devices. Generally anything that is a dedicated appliance, used for nothing else, is considered a "Hardware Firewall". Generally that excludes a PC running an application that is also used to run anything other than that application.

Not quite the same, it's firmware. Firmware is software, but it's not anything like running an application on a non-dedicated box.

Actually, both - a firewall appliance is a device specifically set up/coded to do ONE thing, and it does it very well. It's specifically tested to do that one thing and often certified as being able to do that one thing under all sorts of conditions. As an example, a firewall running a BSD solution does not run ALL of the BSD solution, only the parts necessary to act as the firewall and run the firmware coded by the vendor.

Firewalls (appliances) are also built with less code than a computer running an OS and then running a firewall application. So you have less chance for error, less chance for exploits, less chance for something to "slip by" the designers.

Now you know, and it's 100% true.

Nope. Hope you understand now why an application running on a PC is not as secure as an appliance, and why none of us trust a firewall application running on a non-dedicated computer.

Reply to
Leythos

Ralph Höglund wrote:

Yeah there is a difference such as a packet filtering FW router, a router using NAT solely as a means of protection and nothing else FW like, and then there are FW appliances.

Yes, this is true. However, a router running a packet filtering FW or a FW appliance is a standalone device. A host-based FW runs on a computer and needs the computer's O/S to function; it is only as secure as the O/S is made to be, and it runs the risk of being attacked and compromised just like the O/S can be attacked and compromised.

You have routers that have FW-like abilities but are not running FW software; packet filtering FW routers; FW appliances; network host-based FW(s) that use two interfaces, an Internet-facing interface/NIC and a private-side network interface/NIC; and then you have the so-called personal FW host-based solutions that need an O/S to function. The last is not a FW, since it's not separating two networks; it is machine-level protection that protects the O/S, its services, and the Internet applications running on a machine that has a direct connection to the Internet.

That depends on the type of FW solution you're talking about. A gateway computer running a host-based network FW, where the O/S is secure, is just as good in protection as a packet filtering FW router or FW appliance. If you're talking about a router that's running NAT only as a limited means of protection, or a PFW solution, they seem to be suspect or questionable as to how well they protect, IMHO.

Yes, it depends on how well the FW software is configured, and for a host-based network FW it also depends upon how secure the O/S it's running on is, along with how well the software is configured. Plug-and-go solutions such as packet filtering FW routers or FW appliances are for the most part preconfigured devices that need very little setup and have the means to set more complex filtering rules if need be. A router running solely NAT really has no configuration abilities to speak of, but some have FW-like features that can be configured.

The links may help you in understanding FW(s) and FW solutions.

Duane :)

Reply to
Duane Arnold

I like to think "Appliance" and not Hardware, as an appliance is different from a PC (even a dedicated one) running an OS/application. Appliances are not able to be used as PCs; they are dedicated devices with one purpose.

As for firewalls, there are many types of firewall solutions: some based on appliances, some based on PCs/servers with a custom OS or a hardened OS, and then the firewall software and at least two network cards...

NAT routers, those cheap things you get at Best Buy, are never considered firewalls in my mind/solutions - but they do offer a minimum level of protection that all home users should have.

Reply to
Leythos

Ralph,

A "software" or "personal" firewall runs on the computer that it's protecting, and protects only that computer. A "hardware" firewall runs on a separate piece of equipment, and provides perimeter protection, to a group of computers.

Both hardware and software firewalls require an operating system. The hardware firewall contains a stripped-down operating system that provides only the ability to examine and move packets between the interfaces (WAN and LAN), and maybe a small web server that allows you to make configuration changes.

The software firewall uses an operating system that lets you use your computer for non-firewall purposes, and make changes to reflect how you want to use your computer.

There are advantages and disadvantages to both. Saying that one is better than the other is like saying Coke is better than Pepsi, or Chevrolet better than Ford.

Hardware Firewall.

Advantages:
- Smaller and more efficient.
- Contains less code to exploit.
- Contains minimal code that can be exploited by the user.
- Filters malicious incoming traffic before it hits the protected computers.
- Has a dedicated processor and dedicated storage, which when in use do not impact use of the protected computers.

Disadvantages:
- Has no knowledge of programs running on the protected computers, so can't effectively filter outgoing traffic.
- The dedicated processor and dedicated storage are finite in capacity, so must be carefully chosen for the intended workload.
- Can be exploited by overload.
- Requires one more power connection and one more network cable.
- Hardware is not easily upgradable, except by replacing the firewall itself.

Software Firewall.

Advantages:
- More configurable. Since it sits on your desktop, you can make changes at will.
- Since it can hook into the operating system, it knows what programs are running there, and can protect accordingly.
- Provides individual protection: if one computer in the LAN gets infected with malware, all computers running a software firewall are protected.
- Is easily upgraded, by adding hardware to the protected computer.

Disadvantages:
- More configurable. Since it sits on your desktop, you can make changes at will.
- Uses processor power and storage, which may compete with use of the computer, causing tuning needs and the temptation to disable features.
- Can be exploited, through its many features.
- Malicious incoming traffic is filtered only after it hits the computer and the operating system.

A Freesco firewall appears to be a personal firewall, running on a (hopefully) dedicated computer running Linux. Linux is an operating system, and has the features of an operating system. How do you use the Freesco box? Does it contain any applications, such as a web browser or text editor? Does it support a monitor and keyboard, or do you configure it thru a web browser? When you load Freesco, does it strip down the features, to make it more like the operating system in a "hardware firewall"? All of these questions determine how versatile it is, and how exploitable it is.

Reply to
Chuck
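Chuck's point that a perimeter box "has no knowledge of programs running on the protected computers" while a host-based firewall "can hook into the operating system" is what the following added example illustrates; it is not code from the thread or from any product named in it. It parses a constructed snapshot of Linux's /proc/net/tcp, attributes each socket to the process holding it through the (also constructed) readlink() targets of /proc/<pid>/fd, and applies a per-program egress policy. The program names, inodes, addresses and the policy are invented; the column layout and the little-endian address encoding follow the real /proc/net/tcp format. On the wire, the two connections to port 443 and the one to port 25 differ only in their 5-tuples, which is all a perimeter filter ever sees.

```python
"""Added example: attributing a connection to the program that owns it.

Not code from the thread. The /proc/net/tcp text, the per-process fd tables
and the policy below are constructed for illustration; the column layout and
the byte order follow the real /proc/net/tcp format on Linux.
"""
import re
import socket
import struct
from typing import Dict, List, NamedTuple, Set, Tuple


class Conn(NamedTuple):
    laddr: str
    lport: int
    raddr: str
    rport: int
    state: str   # "01" = ESTABLISHED
    inode: int


def _decode(addr_port: str) -> Tuple[str, int]:
    """'0A01A8C0:9C40' -> ('192.168.1.10', 40000). The address is a 32-bit
    value written in host (little-endian) byte order, the port is big-endian hex."""
    hex_addr, hex_port = addr_port.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(hex_addr, 16))), int(hex_port, 16)


def parse_proc_net_tcp(text: str) -> List[Conn]:
    conns = []
    for line in text.splitlines()[1:]:          # first line is the column header
        cols = line.split()
        if len(cols) < 10:
            continue
        laddr, lport = _decode(cols[1])
        raddr, rport = _decode(cols[2])
        conns.append(Conn(laddr, lport, raddr, rport, cols[3], int(cols[9])))
    return conns


SOCKET_LINK = re.compile(r"socket:\[(\d+)\]$")


def socket_owners(fd_tables: Dict[int, dict]) -> Dict[int, str]:
    """Map socket inode -> program name from the readlink() targets of
    /proc/<pid>/fd/*. This is the step a box on the wire cannot perform."""
    owners: Dict[int, str] = {}
    for info in fd_tables.values():
        for target in info["fds"]:
            m = SOCKET_LINK.match(target)
            if m:
                owners[int(m.group(1))] = info["comm"]
    return owners


def egress_decision(conn: Conn, owners: Dict[int, str], policy: Dict[str, Set[int]]) -> str:
    """Per-program policy: which destination ports each program may talk to."""
    prog = owners.get(conn.inode)
    if prog is None:
        return "block(unknown owner)"
    return "allow" if conn.rport in policy.get(prog, set()) else f"block({prog})"


# Constructed snapshot: host 192.168.1.10 with three HTTPS connections and one SMTP connection.
PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0A01A8C0:9C40 22D8B85D:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 41231 1 0000000000000000 20 4 30 10 -1
   1: 0A01A8C0:9C41 057100CB:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 41299 1 0000000000000000 20 4 30 10 -1
   2: 0A01A8C0:9C42 057100CB:0019 01 00000000:00000000 00:00000000 00000000  1000        0 41305 1 0000000000000000 20 4 30 10 -1
   3: 0A01A8C0:9C43 22D8B85D:0050 01 00000000:00000000 00:00000000 00000000  1000        0 41400 1 0000000000000000 20 4 30 10 -1
"""

# Constructed /proc/<pid>/fd contents: pid -> program name and fd link targets.
FD_TABLES = {
    1201: {"comm": "firefox", "fds": ["/dev/null", "socket:[41231]", "socket:[41299]"]},
    1337: {"comm": "screensaver", "fds": ["socket:[41305]"]},   # a screensaver talking SMTP
}

# Constructed per-program egress policy: destination ports each program may use.
POLICY = {"firefox": {80, 443}, "sendmail": {25}}


def run_audit() -> List[Tuple[str, int, str]]:
    """(owner, remote port, verdict) for every established connection in the snapshot."""
    owners = socket_owners(FD_TABLES)
    return [(owners.get(c.inode, "?"), c.rport, egress_decision(c, owners, POLICY))
            for c in parse_proc_net_tcp(PROC_NET_TCP) if c.state == "01"]


if __name__ == "__main__":
    for prog, port, verdict in run_audit():
        print(f"{prog:12} -> port {port:<5} {verdict}")
```

This is an audit over a snapshot, not enforcement: a real personal firewall does the same attribution from a kernel hook at connect() time, and Linux's netfilter can only approximate it by UID with its owner match. The connection with inode 41400 has no owning process in the table, which is why the policy falls back to blocking rather than allowing by port alone.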

Good points, Volker.

But how many "hardware" firewalls use a VHDL infrastructure? Even the big Cisco routers have their IOS. IOS is, I suspect, somewhere between an operating system and VHDL. It's text based, but it has numerous utilities. And it uses an interface for programming.

Where is VHDL processed? In firmware, or in the hardware itself? And if it has to be upgraded, how is that done? The WikipediA article just scratches the surface, and talks about theory. VHDL is in fact a fairly general-purpose programming language, provided that you have a simulator on which to run the code. It can read and write files on the host computer...

My dissertation is just the start, and plenty more details are needed.

Reply to
Chuck

I found an interesting article here:

Ronald Pacchiano says that a software firewall is the firewall you have installed in the computer you are using, which is one way of describing it.

I therefore have a firewall/router in a separate Freesco box with CPU, RAM, power supply, 1.44 MB floppy, and 2 NICs - one to the modem, one to the switch.

In each of my computers I have the F-Secure software firewall and antivirus.

Reply to
Ralph Höglund

It seems that any explanation I give you would be met with no understanding, so, you might want to re-read the post until you figure it out.

Reply to
Leythos

Just because they have a motherboard and run a limited, controlled language, that does not make them PC hardware. There is a world of difference between a controller (which uses some components, like a CPU/memory) and a personal computer motherboard. I don't expect you to understand this or to even want to, but you should not assume that any firewall appliance is just a personal computer motherboard with some software.

And a home user setting up a Linux box is not going to be as secure as one purchasing a "Firewall Appliance" by default. Consider all of the exploits out for *nix boxes before you reply.

Reply to
Leythos

Not every firewall implementation is routing. Look at the PIX, for example.

A firewall is the concept of having security zones for your network, and having a box between two zones which restricts communication between the zones according to your policy.

Software to implement that, especially filtering software, often is called "firewall" also.

Ready-made computers with software "out of the box" to implement this are also called "firewalls". This is what is called a "hardware firewall"; it's a product type you can buy.

Yes.

Of course, a "Personal Firewall" is no firewall at all. It's host-based filtering, without a firewall between the hosts in one network and another.

Host-based filtering sometimes is a good idea; unfortunately, the "Personal Firewall" providers are promising heaven and earth in their advertisements, but delivering questionable products.

So if someone compares filtering routers with "Personal Firewalls" by calling them "hardware firewall" and "software firewall", I can understand why to prefer "hardware firewalls". ;-)

Yours, VB.

Reply to
Volker Birk
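Duane's distinction above between a packet filtering FW router and a router "running NAT only as a limited means of protection", and Volker's definition of a firewall as a box between two zones that restricts traffic according to policy, can both be shown on the same traffic. The following is an added example, not code from the thread or from any product named in it: a stateful zone firewall with a first-match rule list and default deny, next to a NAT-only router that forwards anything outbound and passes inbound packets only when they match an existing mapping. Interface names (eth0 = WAN, eth1 = LAN), zone names, addresses and the five constructed packets are assumptions; address rewriting is left out and only the NAT mapping table is modelled.

```python
"""Added example: a zone policy firewall next to a NAT-only router.

Not code from the thread. Interface names (eth0 = WAN, eth1 = LAN), the
addresses, the zone names and the rule tuple format are assumptions made for
this illustration; NAT address rewriting is elided and only the mapping table
is modelled.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


FlowKey = Tuple[str, str, int, str, int]   # a flow is its 5-tuple


def flow(p: Packet) -> FlowKey:
    return (p.proto, p.src, p.sport, p.dst, p.dport)


def reverse_flow(p: Packet) -> FlowKey:
    return (p.proto, p.dst, p.dport, p.src, p.sport)


@dataclass
class ZoneFirewall:
    """Stateful filter: traffic between zones passes only when a rule says so."""
    zones: Dict[str, str]                        # iface -> zone name
    routes: Dict[str, str]                       # prefix -> egress iface
    rules: List[Tuple[str, str, str, int, str]]  # (src_zone, dst_zone, proto, dport or 0=any, action)
    conntrack: Set[FlowKey] = field(default_factory=set)

    def egress_iface(self, dst: str) -> str:
        addr = ipaddress.ip_address(dst)
        # Longest prefix wins, as in a real routing table.
        for prefix, iface in sorted(self.routes.items(),
                                    key=lambda kv: ipaddress.ip_network(kv[0]).prefixlen,
                                    reverse=True):
            if addr in ipaddress.ip_network(prefix):
                return iface
        raise ValueError(f"no route to {dst}")

    def decide(self, p: Packet) -> str:
        src_zone = self.zones[p.iface]
        dst_zone = self.zones[self.egress_iface(p.dst)]
        # Packets of a flow already accepted pass without re-evaluating the policy.
        if flow(p) in self.conntrack or reverse_flow(p) in self.conntrack:
            return "accept(established)"
        for r_src, r_dst, r_proto, r_port, action in self.rules:   # first match wins
            if (r_src, r_dst, r_proto) == (src_zone, dst_zone, p.proto) and r_port in (0, p.dport):
                if action == "accept":
                    self.conntrack.add(flow(p))
                return action
        return "drop(default)"   # default deny between zones


@dataclass
class NatOnlyRouter:
    """A router doing only address translation. It has no policy: every outbound
    flow is forwarded and creates a mapping; inbound passes only if it matches one."""
    wan_iface: str
    mappings: Set[FlowKey] = field(default_factory=set)

    def decide(self, p: Packet) -> str:
        if p.iface != self.wan_iface:
            self.mappings.add(reverse_flow(p))   # remember what the reply will look like
            return "forward(translated)"
        return "forward(translated)" if flow(p) in self.mappings else "drop(no mapping)"


# Constructed traffic: a LAN host browses, an outsider probes SMB, the LAN host
# then tries to send mail directly (what a spam bot does), and the mail server answers.
TRAFFIC = [
    Packet("eth1", "tcp", "192.168.1.10", 40000, "93.184.216.34", 443),
    Packet("eth0", "tcp", "93.184.216.34", 443, "192.168.1.10", 40000),
    Packet("eth0", "tcp", "203.0.113.5", 5555, "192.168.1.10", 445),
    Packet("eth1", "tcp", "192.168.1.10", 40001, "203.0.113.5", 25),
    Packet("eth0", "tcp", "203.0.113.5", 25, "192.168.1.10", 40001),
]


def run_scenario() -> Dict[str, List[str]]:
    fw = ZoneFirewall(
        zones={"eth0": "wan", "eth1": "lan"},
        routes={"192.168.1.0/24": "eth1", "0.0.0.0/0": "eth0"},
        rules=[
            ("lan", "wan", "tcp", 25, "drop"),    # no direct outbound SMTP from the LAN
            ("lan", "wan", "tcp", 0, "accept"),   # everything else outbound over TCP
            ("lan", "wan", "udp", 53, "accept"),  # DNS
            # no wan -> lan rules at all: unsolicited inbound hits the default deny
        ],
    )
    nat = NatOnlyRouter(wan_iface="eth0")
    return {"zone_firewall": [fw.decide(p) for p in TRAFFIC],
            "nat_only": [nat.decide(p) for p in TRAFFIC]}


if __name__ == "__main__":
    for name, decisions in run_scenario().items():
        print(name)
        for p, d in zip(TRAFFIC, decisions):
            print(f"  {p.iface} {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}  {d}")
```

Both devices drop the unsolicited probe to port 445, which is the protection Duane concedes to a NAT-only router. Only the zone firewall stops the LAN host's direct SMTP connection and the server's answer to it; the NAT-only box has no policy in which to express that, and that is the gap a "router with firewall features" fills.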

No. Please explain.

This is nonsense. Most people call the software that is booted first, from ROM or flash RAM, when a computer starts "firmware". This can be any software.

Of course, it's a good idea to reduce code to gain security. So of course you're right here; hopefully with any firewall implementation there is as little code on that machine as possible.

Don't think so.

Yours, VB.

Reply to
Volker Birk

Please explain.

Yours, VB.

Reply to
Volker Birk

Many appliances are just PC hardware running an OS and some applications. You can buy them as a ready-made box.

Oh, yes, usually it's possible, just like with WLAN routers and DSL devices. Many of them you can use as Linux or BSD hosts today.

I already have tried out this.

Yours, VB.

Reply to
Volker Birk

That would be a dedicated firewall server, which, while not the same as an appliance, is many times better than something one runs on the personal computer that they use daily.

There are dedicated servers, appliances, and personal firewall software solutions.

Reply to
Leythos

Hm... this explanation is not very convincing. Please try again.

Yours, VB.

Reply to
Volker Birk

Yes, of course. Whatever you mean with a "limited controlled language".

Not every product which is called a "firewall appliance" consists of PC hardware. Most of them (if not every one) consist of computers, and many of them run BSD or Linux. Some of them are even built with PC hardware. Some others even have proprietary operating systems, like the Cisco PIX.

You seem to be a little clouded, if I should not interpret this as impolite.

I never thought that. Why should I? I did not write "any", I wrote "many". Yes, that's just a single letter, but an important one ;-)

People who are just buying security in boxes, whether they are doing this by buying a Linux distribution and putting it onto a PC, or by purchasing a "firewall appliance" product and just plugging it in, are not very secure.

This has nothing to do with exploits.

Yours, VB.

Reply to
Volker Birk

It is a common mistake to assume that you need an operating system to run software (e.g. filtering software to build a "firewall") on a computer.

It's not true. Operating systems have big advantages, but sometimes it's a good idea not to have one. For filtering software, in common cases there will be an operating system.

Sometimes filtering systems are implemented directly in hardware, though, e.g. by describing the tasks in VHDL. Then you have no software at all. This is not very common.

Yours, VB.

Reply to
Volker Birk
