hardware vs software firewalls

If the CPU in a hardware firewall stops executing code then no traffic is possible. A firewall appliance is likely to have a separate piece of hardware which will detect this and reset the CPU. The firewall may then start working properly again. If the CPU cannot run because of a hardware fault then there will be no traffic and you need a new firewall.

However, what happens to a software based firewall if the

In this case it is possible that you are left with no protection. There are plenty of viruses/trojans out there which attempt to shut down software firewalls. If your firewall and your virus/trojan are both running with the same privileges then the software firewall is completely useless. There is plenty of code out there which demonstrates how to bypass software firewalls. I have come across users who hadn't noticed that a software firewall had been shut down by a virus.

Jason

You've got to different things here:

1) Firewall Appliance, running micro code and firmware in a stand alone device - not a PC exactly

2) A PC running an application acting as a firewall with two NICs - a PC.

In the first instance, since the small OS and firmware are all that's running, and since it's been tested and certified for this purpose, it's going to block all access not let everything through.

In the second instance you have a full OS running with a application. The combination has not been certified. You should expect that the failure of either would block access, but without testing you never know.

OK, this question is only really valid if we're comparing a hardware firewall with a software firewall based on a separate PC - something like a Smoothwall setup with red and green adapters.

I'm led to believe that if the software within a hardware firewall crashes the whole connection is lost so I'm not left with an unprotected connection. However, what happens to a software based firewall if the firewall software crashes? Am I then left with an unprotected connection, or will the connection be broken as well? It's clearly not desirable for this to happen...

Mike

In the world of CheckPoint you have a switch to through to make this decidion for you should the firewall stop working (the software) the OS (on IPSO) can through the box into what is called ipsoforward where it becomes a brdge but you lose all statefull inspection. Ideally no matter what type if the firewall is not fuctioning be it software or hardware like a pix you would not want any traffic to flow. the pix on the otherhand as it is called a hardware firewall has the same option should something happen to the firewall set up or the firewall execution code it can fail open if you choose. But remember that failing open is wide ot the owrld so if a box on hte inside is listenng for nfs it is not NFS to the world of they want. BTW both of these boxes also have the option should the hardware fail you can have a fail open siti\\uation if traffic is that important. Meaning it flows with or without power or harddrive or processor.

Deceptocon

Leythos wrote:

hardware

something like a

connection,

desirable for

Thanks for the responses. Failing to open is not a desirable outcome as far as I'm concerned. Failing to block all traffic is, to me a pretty good way of finding out that it's busted.

cheers Mike