Pros and cons of a centralized firewall

FWIW I subscribe to windows secrets. The issue that just arrived has an article by Fred Langa called:

They don't want subscribers to pass the whole article along but encourage using the following link. It takes you (I hope to the whole newsletter.

https://windowssecrets.com/newsletter/from-pc-to-hdtv-via-googles-chromecast

He concludes that a router/modem FW adds security but users still need local sw fw's and av's due to local lan bypass methods, cd's, usb's, downloaded files music etc.

Hope you all find it interesting.

 

The full article is behind a paywall for me.
There's no denying that a hardware firewall is an asset. As for making it a combined security appliance and making that the core of your security package like the Sonicwall link there suggests, I disagree. Such a package can be a good addition to a security package, but it is not a replacement for it. Putting a security suite on a separate piece of hardware does not make it any more effective. The AV component for example would be ineffective against malicious code delivered via USB and other portable media. Its detection rate wouldn't be any better than the AV on the PCs. A perimeter firewall can't differentiate between legitimate traffic and malicious traffic on the same port.

The terms hardware and software firewalls are so misleading. They're both software firewalls running on hardware. The only difference is one is separate from the users operating system while the other is part of it. When that "hardware" firewall becomes a combined security package, a lot of the differences disappear. Like a PC, it has an AV, web filtering, etc. It becomes a linux or BSD based PC with the user apps removed. Adding all those features to a "hardware" firewall increases its attack surface, which includes the servers that keep its AV and other components up to date. A bad update could completely compromise the unit. This is reintroducing the same problem that made software firewalls vulnerable, attacks from within via other software. Given recent revelations regarding the NSA compromising security every way it can, including coercing vendors, IMO the risk is unacceptable. AFAIC, a perimeter firewall should be freestanding and independent with as little attack surface as possible. This feature creep only serves to weaken its ability to perform its primary responsibility, blocking unwanted traffic.

Regarding the software firewall, I consider them an absolute necessity, more so than the hardware firewall. This is truer now than it has ever been, especially if you factor privacy and undesirable outbound traffic into the equation. Look at the recent exploiting of TorBrowser for example. A properly configured software firewall with loopback control would have made that exploit useless. A "hardware" firewall would have been useless against it, no matter what it included in its package.

 

I say, use an enterprise hardware firewall and add a UTM in bridge mode to catch the pass through packets and filter with Blue Coat WebPulse or Zvelo’s enterprise web filter. Use an SSL proxy to catch common encrypted data coming through on port 443. I don't go that far as the wife hates how locked down our home network is, so for now the SSL proxy is off.

With my setup, my traffic passes through 2 enterprise web filters, 3 different enterprise based streaming gateway AV's and 1 IDS/IPS. I have 95% of all counties in the world blocked. Every PC and Mac has it's own AV on the client. In NO way can you rely on gateway AV to defend the client, even if you have 3 of them. It is all about layering of defense.

I do feel a bit safer then the average home owner while surfing the internet.

.