How/Why are hardware firewalls better than software?

Discussion in 'other firewalls' started by Sunnysdsr, Jul 15, 2006.

Thread Status:
Not open for further replies.
  1. Sunnysdsr

    Sunnysdsr Registered Member

    Joined:
    Feb 3, 2006
    Posts:
    36
    Currently, I have no router, so basically no hardware firewall. Do hardware firewalls provide more security than software firewalls? If so, how? And what makes them better than software firewalls?
     
  2. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    Hardware firewalls usually only handle inbound traffic, but they are fast since they have their own processor and stuff.

    I'd still keep a software firewall though. It can handle anything that gets by the hardware firewall and it can also control outbound connections.
     
  3. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    1,617
    Location:
    Canada
  4. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Yes, they do, especially during the vulnerable period when you are installing or reinstalling Windows prior to your software firewall and all the patches and updates being in place. Some software firewalls in the past (maybe still) have had a very small time window during Windows startup and shutdown that the firewall was disabled before the network connection.
    A properly configured hardware firewall would handle all that as well as take the burden off your computer's cpu of all the port scans that go on.
    It will also let you share your internet connection with other computers (if it has multiple ports). Good security investment overall. I use both, but if I had to choose just one, I would go with the hardware firewall (or just a NAT Router).
     
  5. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Not true. Some very cheap ones do, but most can handle outbound as well.
     
  6. Nontechguy

    Nontechguy Registered Member

    Joined:
    Aug 8, 2004
    Posts:
    16
    Hi ... I did once, long ago, use a third-party software firewall (Sygate and ZoneAlarm, not at the same time) with my router, but now I no longer find the need for third-party software; it slows the internet connection somewhat, not a whole lot. I find just using Windows Firewall and my router is good enough. I mean, if a real hacker wants to hack your computer, it isn't going to make a difference if you are using third-party software or just Windows Firewall, though I would make sure to use a spyware program.
     
  7. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    Software = some sort of potential exploit/vulnerability.
    The service(s) might not start...a router pretty much will always work..unless fried. But then you'd know it's broken the minute it breaks.
    Router offloads your system..the router has its own CPU and RAM, doesn't bog down your PC's CPU.
     
  8. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    OK, I'll rephrase it: hardware firewalls do not handle outbound traffic on a per-application basis as software firewalls do.

    Is this right or no?
     
  9. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Yes. :)
     
  10. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    For protection against incoming attacks, a router will suffice. However for home users, the risk of a real "hacker" ("cracker" is a better description) attacking them is next to zero since they have almost nothing of value (unless you are a celebrity and r00ting you can give a cracker brownie points). The major problem is malware and a properly-configured software firewall with good leaktest performance (i.e. not Windows firewall) can alert you to any such program should it attempt to make a network connection. Anti-malware scanners can catch the most popular ones but will never be a 100% solution.
     
  11. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    With your "typical home grade routers"..that's true.
     
  12. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    It applies to any router or external firewall - filtering by application is only possible if a firewall knows what application is responsible for the traffic and only a software firewall running on the host itself can see this.
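
The distinction drawn in the post above, as an added example that is not part of the original thread: two outbound connections look equivalent to a port-based router rule, while the host can tie each socket to the program that opened it. The `/proc/net/tcp`-style rows, the inode-to-executable map, the rule sets and all function names are constructed for illustration.

```python
import ipaddress

# Constructed sample in Linux /proc/net/tcp layout (IPv4 hex is little-endian).
PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0A00000A:C350 0A0200C0:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 41001
   1: 0A00000A:C351 076433C6:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 41002
"""
# Constructed socket-inode -> executable map. On a live host this comes from
# the /proc/<pid>/fd/* symlinks ("socket:[41001]"), which only the host can read.
INODE_OWNER = {41001: "/usr/bin/firefox", 41002: "/tmp/updater"}

ALLOWED_PORTS = {80, 443}            # hypothetical port-based router rule
ALLOWED_APPS = {"/usr/bin/firefox"}  # hypothetical per-application host rule


def decode_addr(field):
    """Turn '0A0200C0:01BB' into ('192.0.2.10', 443)."""
    hex_ip, hex_port = field.split(":")
    ip = ipaddress.IPv4Address(bytes.fromhex(hex_ip)[::-1])
    return str(ip), int(hex_port, 16)


def parse_connections(text):
    """Yield (src, sport, dst, dport, inode) for each socket row."""
    for line in text.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 10:
            continue
        src, sport = decode_addr(cols[1])
        dst, dport = decode_addr(cols[2])
        yield src, sport, dst, dport, int(cols[9])


def router_verdict(conn):
    """An external device sees only addresses and ports on the wire."""
    return "allow" if conn[3] in ALLOWED_PORTS else "drop"


def host_verdict(conn, owners=INODE_OWNER):
    """The host can also resolve the socket to the program that opened it."""
    app = owners.get(conn[4], "unknown")
    ok = router_verdict(conn) == "allow" and app in ALLOWED_APPS
    return ("allow" if ok else "prompt"), app


if __name__ == "__main__":
    for c in parse_connections(PROC_NET_TCP):
        print(c[:4], "router:", router_verdict(c), "host:", host_verdict(c))
```

Both rows pass the port rule because they are TCP to port 443 from the same machine; only the host-side check separates the browser from the unlisted executable.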
     
  13. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    Fair enough..yes, my mind works thinking of it more in the "port based" sense...hence saying no home grade ones can, yet higher end can.

    I'm really getting into these Linux based firewalls due to their rich UTM type features, Endian for example...by default, only allows web traffic out...blocks other things..like IM traffic.
     
    Last edited: Jul 17, 2006
  14. hero96559

    hero96559 Registered Member

    Joined:
    Jul 18, 2006
    Posts:
    1
    Thank you all for this information
     
  15. craigbass76

    craigbass76 Registered Member

    Joined:
    Jan 22, 2003
    Posts:
    72
    Location:
    Maine, USA
    I have a dedicated Linux router/firewall that I'm very happy with. I'm a little annoyed with iptables though; I've never liked the command syntax. I set up ipfilter on a Solaris box once and thought that was much easier to follow. I'm currently working on getting ipfilter going on my firewall box.
     
  16. budfox

    budfox Registered Member

    Joined:
    Apr 5, 2005
    Posts:
    103
    Most attacks that are serious will come from the outside. Install the fresh non patched version of XP, plug yourself into the internet, and you will be owned within about 5 minutes.

    A hardware firewall will block any inbound attempt of someone scanning ports on the outside. People on this site will start moaning about outbound protection right about now.

    I have been running (still running) a Fortigate 60 firewall with IPS/AV for over a year now and have not even had a sniffle. Most software firewalls, if not all software firewalls, are easy to defeat with leak tests. Until the day a software firewall passes all known leaktests, they are useless. Anyone who tells you different has $$ to gain from their opinion, or just no clue.

    The best setup is a NAT router minimum to keep you invisible from the outside, and the use of process control. I use Ghost security (appdefend/regdefend). Appdefend does have outbound protection, but it's not a true firewall. It will let you know what programs are trying to establish a connection, which is all you really need...
     
  17. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,188
    HW firewalls don't offer any protection against leaktests. All leaktests are about is outbound protection, keeping trojans and other baddies at bay. So they don't go out if you have that malware installed.

    XP SP2 fw will offer the same protection or more than a router. Rumors of it having been shut down cause advocating so much to have a HW firewall/router? Sure they are sold just to make you "feel" protected better.
     
  18. budfox

    budfox Registered Member

    Joined:
    Apr 5, 2005
    Posts:
    103
    Jarmo,


    Thanks for the regurgitation of my post. You must be a security professional to know that leaktests have to do with outbound protection. BTW, XP's firewall will not do a better job than a router due to the fact that it doesn't NAT out addresses.

    What is your point? Is the point that since software firewalls partially protect against leaktests that they are better than hardware firewalls? o_O Do software firewalls protect against http decoder request smuggling?

    If you want to protect your computer against being owned, it is quite simple.
    1. NAT routing with inbound protection.
    2. Make sure your ports are ghosted.
    3. Turn off Java globally in your browser while browsing unknown sites.
    4. Use some sort of process/ registry control (ghost security).
    5. A/V protection.


    You do not need a full software firewall, period.
     
  19. tayres

    tayres Guest

    As you say, the Windows Firewall will protect your computer from incoming attacks, as will a router. If malware was downloaded to your system, however, it could easily disable the XP Firewall, whereas a password protected software firewall or router would still be functioning.
     
    Last edited by a moderator: Jul 24, 2006
  20. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England

    Absolutely agree..matter of fact...I'd even drop that time period to under a minute. Multiply the problems by 100 if you unbuckled your OS leaving the Administrator account with a <blank> password. I always always always built computers behind a NAT router for that very reason.
     
  21. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    To me..the fact that malware was downloaded in the first place would be the problem. Get some quality antivirus on there and re-educate the user.
     
  22. SSK

    SSK Registered Member

    Joined:
    Nov 28, 2004
    Posts:
    976
    Location:
    Amsterdam
    As I understand it, with XP SP2 a blank Admin PW will not allow remote login? Some state that it is safer than a weak PW.
     
  23. mercurie

    mercurie A Friendly Creature

    Joined:
    Nov 28, 2003
    Posts:
    2,442
    Location:
    Sky over the Wilders Forest
    I was just totally amazed at how silent my hard drive was after getting a NAT Router. I kept the software firewall but it is only a backup for inbounds and outbound permission-based security app usage. Without the Router all that load is being placed on your software FW and, as someone said, sucking down resources. A Hardware Firewall in whatever form is a good choice imho. ;)

    budfox and StoneCat make excellent points. :thumb:
     
  24. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    No antivirus can offer 100% detection - a software firewall with good leaktest performance can therefore provide a good backup in alerting users should undetected malware attempt a network connection.

    Aside from malware, an increasing amount of software now "phones home" by default. A software firewall will alert users to this behaviour and allow them to control it.

    Finally, since Budfox mentions Fortigate so often, now would be a good time to mention that they are one of the worst GPL violators since their "FortiOS" is just a Linux kernel, encrypted to hide its origin.
     
  25. sosaiso

    sosaiso Registered Member

    Joined:
    Nov 12, 2005
    Posts:
    601
    So in other words, free linux built made-at-home-firewall distros are the same as professional grade ones.

    Interesting thought to keep in mind.

    I also think that software firewalls are a must have. It might be redundant in some cases, but it's often better to have some sort of control over what's accessing the internet.
     