In an earlier thread, it was said that a hardware firewall is superior to a software firewall. In fact a recommendation was made to buy a router with a built-in firewall.
As a clueless newbie to firewall alternatives, I would naively think that a software firewall, with regular updates would be better than a hardware firewall, which would seem to be unable to adapt. Obviously, I am missing something here.
Could someone help me understand why a hardware firewall is superior to a software one?
To answer your question, there really is not a true "hardware" firewall. This is a mistake that people make. Really what they mean is this. A standalone firewall that does not run on top of an OS (UNIX or Windoze) is a "hardware firewall". Some examples are Cisco's PIX etc. Really these firewalls use some sort of OS. A "software firewall" is a firewall that runs on top of an OS like UNIX or Windoze. An example of this would be Firewall-1 (runs on Solaris, Linux and Windoze).
Now, there is another type. Personal vs network firewalls. A personal firewall runs on your PC. It protects your system ONLY! A network firewall protects your internal network from the external network (i.e. the Internet).
In addition to that there are layer 3/4 firewalls (stateful) and layer 7 (proxy application layer).
A hardware firewall usually runs a hardened OS, or in some cases a proprietary OS. So you don't have to worry about underlying OS security flaws or configuration issues.
Most hardware firewalls get regular feature updates with new firmware releases.
Finally, a lot of hardware firewalls run on ASICs designed for this type of application. This gives much better performance than, say, throwing a generic x86 family chip into a box and hoping for the best. It also limits potential failure points that are redundant to the unit's operation (i.e. graphics card, keyboard and mouse I/O ports).
You need to research the product to figure out what you're getting.
Take these examples:
Checkpoint - Software firewall
Cisco PIX - Appliance, but running on an Intel chipset without ASICs, so it's really a software firewall
Netscreen - ASIC-based appliance
Sonicwall - ASIC-based appliance
Fortinet - ASIC-based appliance
Take the entry level products in each, then compare the throughput capabilities (i.e. Cisco PIX 501 vs Netscreen 5GT and Sonicwall TZ170). You soon see the software boxes suck.
Some would argue that the software firewalls offer better upgrade paths. But once again take the entry level Cisco & Checkpoint products vs the entry level Netscreen/Sonicwall/Fortinet and you find the appliance feature set is far greater (i.e. Gateway AV, IDP/DI, Anti-Spam, Content Filtering). And in some cases, like the Netscreen vs the Cisco, you'll find the fundamental routing and VPN capabilities are also far greater.
A firewall appliance, which is not to be confused with those routers that have NAT (like the Linksys, D-Link, Netgear, etc...), differs in that in most cases it is not something that the user can screw up while using their computer, it can protect multiple computers at one time, and it can block inbound and outbound based on rules that you set up for the network.
A firewall appliance cannot protect your computer from itself, meaning that if you open an email with a virus and run the virus, the firewall appliance will not stop the virus from infecting your computer, but, if the firewall rules are set up properly, it may not be able to infect anyone else OUTSIDE your local network.
A router, like you are probably thinking about, uses NAT to protect the user's network. It blocks inbound only if your computer didn't start the conversation. It does not block outbound traffic by default, so that means anything your computer wants to access on the internet it can.
A personal firewall (software based application running on your computer) is like wearing a condom - it keeps things from getting into or out of your computer, but is only as good as the installer and the maintenance in keeping it working. If something gets past your personal firewall it can disable your firewall and leave you completely open. PFWs are also very prone to user misconfiguration.
For home users, the first line of defense should be a SOHO ROUTER with NAT unless they can afford a real firewall device. If you are one of the paranoid or have others using your computer, you might want to install a personal firewall application on it for the added protection.
There are a lot more things you need to learn about securing your PC from threats, but starting with a Router with NAT is a good place.
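To make the NAT-router behaviour described in the post above concrete, here is a small simulated stateful packet filter. This is an added example, not code from the thread or from any product named in it; the addresses, packets and rules are constructed for illustration. It shows the three things the post describes: inbound traffic passes only when an inside host started the conversation, outbound traffic passes by default, and, once you add explicit rules, the order they are evaluated in decides the result (first match wins, so a broad drop placed above a specific allow silently shadows it).

```python
"""Simulated stateful packet filter with first-match rule ordering and a
connection-tracking table. Added example, not code from the thread or from
any product named in it; all addresses and packets are constructed."""
from dataclasses import dataclass
from typing import Optional

LAN_PREFIX = "192.168.1."   # assumed: anything with this prefix is "inside"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False        # True for the first packet of a TCP connection


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" | "drop" | "reject"
    direction: str           # "in" | "out" | "any"
    dst: Optional[str] = None
    dport: Optional[int] = None
    sport: Optional[int] = None

    def matches(self, pkt: Packet, direction: str) -> bool:
        return (self.direction in (direction, "any")
                and (self.dst is None or self.dst == pkt.dst)
                and (self.dport is None or self.dport == pkt.dport)
                and (self.sport is None or self.sport == pkt.sport))


class StatefulFilter:
    """Defaults mirror a SOHO NAT router: inbound dropped unless it belongs to a
    connection an inside host started, outbound allowed."""

    def __init__(self, rules, default_in="drop", default_out="allow"):
        self.rules = list(rules)          # evaluated top to bottom; first match wins
        self.default = {"in": default_in, "out": default_out}
        self.conntrack = set()            # 5-tuples of established flows, both directions

    @staticmethod
    def direction(pkt: Packet) -> str:
        return "out" if pkt.src.startswith(LAN_PREFIX) else "in"

    @staticmethod
    def flow(pkt: Packet):
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def reverse_flow(pkt: Packet):
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def handle(self, pkt: Packet) -> str:
        # State check first: replies to a tracked connection never hit the rule list.
        if self.flow(pkt) in self.conntrack:
            return "allow"
        direction = self.direction(pkt)
        verdict = self.default[direction]
        for rule in self.rules:
            if rule.matches(pkt, direction):
                verdict = rule.action
                break                      # order matters: nothing below is consulted
        if verdict == "allow" and pkt.syn:
            self.conntrack.add(self.flow(pkt))
            self.conntrack.add(self.reverse_flow(pkt))
        return verdict


def demo() -> dict:
    """Run the scenarios from the post and return the verdicts by name."""
    lan_host, web, mailhost, attacker = "192.168.1.10", "203.0.113.5", "203.0.113.25", "198.51.100.7"
    r = {}

    # (a) A plain NAT router: no rules at all, only state plus the defaults.
    fw = StatefulFilter([])
    r["out_web"] = fw.handle(Packet(lan_host, 40000, web, 80, syn=True))
    r["reply_web"] = fw.handle(Packet(web, 80, lan_host, 40000))
    r["unsolicited_smb"] = fw.handle(Packet(attacker, 31337, lan_host, 445, syn=True))
    r["out_smtp_anywhere"] = fw.handle(Packet(lan_host, 40001, attacker, 25, syn=True))

    # (b) Add outbound rules: allow SMTP only to the mail host, drop SMTP elsewhere.
    ordered = [Rule("allow", "out", dst=mailhost, dport=25), Rule("drop", "out", dport=25)]
    fw2 = StatefulFilter(ordered)
    r["mailhost_smtp"] = fw2.handle(Packet(lan_host, 40002, mailhost, 25, syn=True))
    r["other_smtp"] = fw2.handle(Packet(lan_host, 40003, attacker, 25, syn=True))

    # (c) Same two rules reversed: the general drop now shadows the specific allow.
    fw3 = StatefulFilter(reversed(ordered))
    r["reversed_mailhost_smtp"] = fw3.handle(Packet(lan_host, 40004, mailhost, 25, syn=True))
    return r


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} {verdict}")
```

Scenario (a) is the bare NAT router from the post: the reply from the web server is accepted only because the outbound SYN was recorded, while the unsolicited SYN to port 445 is dropped and the outbound SMTP connection to an arbitrary host is allowed. Scenarios (b) and (c) are the same rule set in two orders, which is the point later posts argue about.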
You most definitely do. Do a search on Bugtraq, and you'll find plenty of vulnerabilities. Do a search on the vendor sites (or Bugtraq again), and you'll find plenty of firmware upgrades for security flaws.
No, it doesn't. It gives low cost, low power consumption, and (hopefully) adequate performance for the given task. The chipsets are picked from a very simple formula: What's the cheapest chipset that will do the job?
Few people would put a graphics card or hook up external interfaces to a box used for a firewall. It's not needed, steals resources, and as you said, adds another potential point of failure.
But at least you can disable unused ports in the BIOS of a *ix box, unlike your average firewall appliance. And you don't have to wait to get shipped a new unit when something breaks -- your average computer store will have all you need.
That's a major problem with most firewall appliances and NAT routers -- they're not really good routers, nor good firewalls. They're mediocre at both, at best. I have yet to see one you can configure for active FTP, for example. You're usually limited to only *half* of the routing table, and can't route to drop or reject, nor specify the order of rules.
A simple Linux box with two network cards is FAR more configurable than any firewall appliance or firewall router I've ever seen. And cheaper, if you already have the skills to set it up.
Firewall appliances are still good, for two reasons:
1: They're easy to set up.
2: They don't use a lot of power.
But the order of the rules *is* significant, and if there's no order, it prevents some rules from being made.
As for active FTP, I doubt very much that it can handle rules like:
if established(lanhostX>1024/tcp to wanhostY=21/tcp) allow wanhostY=20/tcp to lanhostX>1024/tcp endif
For one thing, no appliance I've seen has enough memory to keep track of whether connections are established or not, and port triggering open/close is based on a timeout. Second, no appliance I've seen will let you do conditional allows based on the *remote* source port number -- only the local source port and remote destination ports.
That's proxying, a completely different ball game.
Check out WatchGuard, you can do all of that, and you don't have to worry about the order of the rules like with FW1 or some of the others. A FireBox will also let you remove objects from web sessions and from SMTP sessions.
It's not so much "hardware vs. software", but rather "on the same machine as the user" vs. "separate machine".
If the firewall is on a separate machine, it cannot be influenced by any malware that the user foolishly installs on his machine. OTOH, a firewall on a separate machine won't know which software is making a connection to the Internet. All in all, a separate firewall is safer, but still doesn't replace the need to think before running software you don't know.
The order thing was a Firewall-1 thing when I learned it long ago, and SonicWall's did the same. Not all firewalls need to have an order, nor is it preferable, it's just the old way it was done.
With the watchguard, in my office and home, I have 4 HTTP rules, each rule can impact any user or a specific user. In my case at home, I filter web experiences for ActiveX and use the content filters to block unapproved web sites, but I have another HTTP rule that allows two systems complete http access, and another http rule that permits authenticated users to have complete access.
In some installations I have 11 or 12 HTTP rules, you can create as many as you want. I like the ability to select Block Sites That Attempt To Connect by this rule, I use it for 134, 445, 1026, 1027 and 1433/1434 and a couple others - it imposes a 20 minute block.
I can specify the remote IP, but cannot specify the remote (their outbound) port, but I can specify the local IP and local port and even redirect the local (inbound) port to another port internally (meaning that just because it hits the firewall on 21 does not mean it has to hit my server on 21, I could redirect it to 99 if I wanted).
Yes, I know, but it's a nice feature that I didn't see in FW1 the last time I used one.
When it comes to firewalls, I'll stick with WatchGuard as my first choice. We've installed them in factories, hospitals, accounting firms, development centers, doctors offices, health centers, government offices, and other types of businesses all over the US. So far, none of them are having performance problems, none are failing, and they are all doing the job selected for without any problem. I have some that are more than 5 years old, installed and running, without any sign of failing.
1) Appliance - dedicated box with a vendor provided OS of some type running a dedicated application.
2) Server - a system with user or vendor provided OS, running a application that works as a firewall.
3) Personal Firewall - any firewall application that runs on a machine that is not dedicated as a firewall.
Quite useful, too - it sometimes gets confusing when you have to have one rule for a large subnet, and another conflicting rule for a smaller subnet inside that large subnet.
Because FW-1 is a packet filter (with added VPN, if you pay for it). Firebox is an all-in-one appliance. There are "software-based" variants that offer stuff like that, too: Borderware, for example, runs on normal PC hardware, and offers proxying.
Only ever had one customer buy a Watchguard from me back in my consulting days. Most wanted either Checkpoint (expensive, but nobody ever got fired for buying from the market leader), Borderware (cheaper because it runs on normal PC hardware and does DNS and other stuff), or Biodata (packet-filter appliance, usually two of them with a proxy in the middle).
Actually, it's a router running Nokia's IPSO OS. And with FW-1 installed, you could think of it as a turbo-charged router with a hell of a lot more flexibility in configuring it.
And you could actually add one more item to your list. That would be a router that is closed down and has only specific ports open. Of course there is no real way to give it any kind of complex rules to follow. This could actually be listed as a "hardware" solution.
If I could install Linux on an X-Box, I would call it a workstation. I justify this by being able to load an OS, then load apps, etc...
In my Firebox units I can't change the OS, I can only update the firmware (program running on it) and update the settings. Since it can't do anything else I would call it an Appliance, single tasked, not able to do anything else - even though it does run a version (stripped) of Linux.
Not necessarily - Netscreen's ScreenOS (for example) is able to see the PORT YYYYY command from the client and permit the corresponding outbound data connection from the server without needing a static rule - provided the client sends his data transfer command in a timely fashion (since it's not a true application proxy, the opening will time out).
IOW it's not a matter of appliance vs. software firewall, rather does the firewall understand FTP? Many don't, which makes FTP a useful evaluation criterion.
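The earlier pseudo-rule for active FTP (allow wanhostY port 20 to lanhostX only once lanhostX has an established control connection to wanhostY port 21) and the ScreenOS behaviour described just above are the same idea: watch the control channel for PORT and open a short-lived pinhole instead of a static rule. Here is a simulated version of that helper; it is an added example, not code from the thread or from ScreenOS, and the client/server addresses, the 30-second timeout and the control-channel lines are assumptions made up for illustration. It also includes the check a practitioner would want, namely that the address in the PORT command is the client itself, so a client cannot use the firewall to open holes toward a third party (the classic FTP bounce).

```python
"""Simulated active-mode FTP helper for a stateful firewall. Added example,
not code from the thread or any product in it; addresses, the timeout value
and the control-channel lines below are constructed for illustration."""
import re
import time

# PORT h1,h2,h3,h4,p1,p2 -> client listens on h1.h2.h3.h4 : p1*256+p2
PORT_RE = re.compile(rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r?\n?$")


def parse_port(line: bytes):
    """Return (ip, port) for a PORT command, or None if it is malformed."""
    m = PORT_RE.match(line)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    ip = ".".join(str(n) for n in nums[:4])
    return ip, nums[4] * 256 + nums[5]


class FtpHelper:
    PINHOLE_TTL = 30.0   # seconds; assumed value, real products use their own

    def __init__(self, now=time.monotonic):
        self.now = now
        self.pinholes = {}   # (server_ip, client_ip, client_port) -> expiry time

    def on_control_data(self, client_ip, server_ip, payload: bytes) -> bool:
        """Inspect one client->server control line (client already has an
        established connection to server:21). Opens a pinhole for the data
        connection when the PORT command is acceptable; returns True if so."""
        parsed = parse_port(payload)
        if parsed is None:
            return False
        ip, port = parsed
        # Anti-bounce check: the data address must be the client that sent the
        # command, and an unprivileged port, otherwise the firewall would be
        # opening inbound access toward whatever host the client names.
        if ip != client_ip or port < 1024:
            return False
        self.pinholes[(server_ip, client_ip, port)] = self.now() + self.PINHOLE_TTL
        return True

    def inbound_allowed(self, src_ip, src_port, dst_ip, dst_port) -> bool:
        """Decide an inbound SYN: allowed only from the server's port 20 through
        an unexpired pinhole, and each pinhole is consumed by one connection."""
        key = (src_ip, dst_ip, dst_port)
        expiry = self.pinholes.get(key)
        if expiry is None or src_port != 20:
            return False
        del self.pinholes[key]          # used once, or discarded if stale
        return self.now() <= expiry


def demo() -> dict:
    """Walk through the cases with a fake clock; returns results by name."""
    clock = [1000.0]
    fw = FtpHelper(now=lambda: clock[0])
    client, server, stranger = "192.168.1.10", "203.0.113.21", "198.51.100.7"
    r = {}
    # Client announces it listens on 192.168.1.10:50000 (195*256+80).
    r["pinhole_opened"] = fw.on_control_data(client, server, b"PORT 192,168,1,10,195,80\r\n")
    r["stranger_denied"] = fw.inbound_allowed(stranger, 20, client, 50000)
    r["wrong_sport_denied"] = fw.inbound_allowed(server, 2020, client, 50000)
    r["server_allowed"] = fw.inbound_allowed(server, 20, client, 50000)
    r["replay_denied"] = fw.inbound_allowed(server, 20, client, 50000)
    # Bounce attempt: PORT names a different host, so no pinhole is opened.
    r["bounce_rejected"] = fw.on_control_data(client, server, b"PORT 198,51,100,7,0,25\r\n")
    # Server that waits too long: the pinhole has timed out.
    fw.on_control_data(client, server, b"PORT 192,168,1,10,195,81\r\n")   # port 50001
    clock[0] += 60
    r["expired_denied"] = fw.inbound_allowed(server, 20, client, 50001)
    r["parsed"] = parse_port(b"PORT 10,0,0,5,4,1")
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:20s} {value}")
```

The timeout is what the post above means by "the opening will time out": the helper is not a proxy, so it cannot see when the data transfer actually starts, and it simply discards the pinhole if the server's connection does not arrive in time.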