How/Why are hardware firewalls better than software?

Currently, I have no router so basically no hardware firewall. Do hardware firewalls provide more security than software firewalls? If so, how? and what makes them better than software firewalls?

 

hardware firewalls usually only handle inbound traffic but they are fast since it has its own processor any stuff.

id still keep a software firewall tho. it can handle anything that gets by the hardware firewall and it can also control outbound connections.

 

Some technical explanation here.

http://www.webopedia.com/DidYouKnow/Hardware_Software/2004/firewall_types.asp

 

Yes, they do, especially during the the vulnerable period when you are installing or reinstalling Windows prior to your software firewall and all the patches and updates being in place. Some software firewalls in the past (maybe still) have had a very small time window during windows start up and shutdown that the firewall was disabled before the network connection.
A properly configured hardware firewall would handle all that as well as take the burden off your computer's cpu of all the port scans that go on.
It will also let you share your internet connection with other computers (if it has multiple ports). Good security investment overall. I use both, but if I had to choose just one, I would go with the hardware firewall (or just a NAT Router).

 

Not true. Some very cheap ones do, but most can handle outbound as well.

 

Hi ... I did once long ago used a third party software firewall ( sygate and zonealarm , not at the same time )with my router but now I no longer find the need for a third party software , slow the internet connection some what , not a whole lot , I find just using windows firewall and my router is good enough , I mean if a real hacker want to hack your computer ? It isn't going to make a different if you are using a third party software or just windows firewall , Though I would make sure to use a spyware program

 

Software = some sort of potential exploit/vulnerability.
The service(s) might not start...a router pretty much will always work..unless fried. But then you'd know it's broken the minute it breaks.
Router offloads your system..the router has its own CPU and RAM, doesn't bog down your PCs CPU.

 

ok ill rephrase it: hardware firewall do not handle outbound traffic on a per-application basis as software firewalls do.

is this right or no?

 

Yes.

 

For protection against incoming attacks, a router will suffice. However for home users, the risk of a real "hacker" ("cracker" is a better description) attacking them is next to zero since they have almost nothing of value (unless you are a celebrity and r00ting you can give a cracker brownie points). The major problem is malware and a properly-configured software firewall with good leaktest performance (i.e. not Windows firewall) can alert you to any such program should it attempt to make a network connection. Anti-malware scanners can catch the most popular ones but will never be a 100% solution.

 

With your "typical home grade routers"..that's true.

 

It applies to any router or external firewall - filtering by application is only possible if a firewall knows what application is responsible for the traffic and only a software firewall running on the host itself can see this.

 

Fair enough..yes, my mind works thinking of it more in the "port based" sense...hence saying no home grade ones can, yet higher end can.

I'm really getting into these Linux based firewalls due to their rich UTM type features, Endian for example...by default, only allows web traffic out...blocks other things..like IM traffic.

 

Thank you all for this informations

 

I have a dedicated linux router/firewall that I'm very happy with. I'm a little annoyed with iptables though; Ive never liked the comand syntax. I set up ipfilter on a Solaris box once and thought that was much easier to follow. I'm currently working on getting ipfilter going on my firewall box.

 

Most attacks that are serious will come from the outside. Install the fresh non patched version of XP, plug yourself into the internet, and you will be owned within about 5 minutes.

A hardware firewall will block any inbound attempt of someone scanning ports on the outside. People on this site will start moaning about outbound protection right about now.

I have been (still running) a Fortigate 60 firewall with IPS/AV for over a year now and have not even had a sniffle. Most software firewalls, if not all software firewalls are easy to defeat with leak tests. Until the day a software firewall passes all know leaktests, they are useless. Anyone who tells you different has $$ to gain from there opinion, or just no clue.

The best setup is a nat router minimum to keep you invisible from the outside, and the use of process control. I use Ghost security (appdefend/regdefend). Appdefend does have outbound protection, but its not a true firewall. It will let you know what programs are trying to established a connection, which is all you really need...

 

HW firewalls don't offer any protection against leaktests. All leaktests are about is outbound protection, keeping trojans and other baddies at bay. So they don't go out if you have that malware installed.

XP Sp2 fw will offer same protection or more than a router. Rumors of it having been shut down cause advocating so much to have a HW firewall/router.? Sure they are sold just to make you "feel" protected better.

 

Jarmo,


Thanks for the regurgitation of my post. You must be a security professional to know that leaktests have to do with outbound protection. BTW, XP's firewall will not do a better job then a router due to the fact that it doesnt nat out addresses.

What is your point? Is the point that since software firewalls partially protect against leaktests that they are better then hardware firewalls Do software firewalls protect against http decoder request smuggling?

If you want to protect you computer against being owned is quite simple.
1. Nat routing with inbound protection.
2. Make sure your ports are ghosted.
3. turn off java globally in your browser while browsing unknown sites.
4. Use some sort of process/ registry control (ghost security).
5. A/V protection.


You do not need a full software firewall, period.

 

As you say, the Windows Firewall will protect your computer from incoming attacks, as will a router. If malware was downloaded to your system, however, it could easily disable the XP Firewall, whereas a password protected software firewall or router would still be functioning.

 

Absolutely agree..matter of fact...I'd even drop that time period to under a minute. Multiply the problems by 100 if you unbuckled your OS leaving the Adminstrator account with a <blank> password. I always always always built computers behind a NAT router for that very reason.

 

To me..the fact that malware was downloaded in the first place would be the problem. Get some quality antivirus on there and re-educate the user.

 

As I understand it, with XP SP2 a blank Admin PW will not allow remote login? Some state that it is safer then a weak PW.

 

I was just totally amazed at how silent my hard drive was after getting a NAT Router. I kept the software firewall but it is only a backup for inbounds and out bound permission based security app. useage. Without the Router all that load is being placed on your software FW and as someone said sucking down resources. A Hardware Firewall in what ever form is a good choice imho.

budfox and StoneCat make excellent points.

 

No antivirus can offer 100% detection - a software firewall with good leaktest performance can therefore provide a good backup in alerting users should undetected malware attempt a network connection.

Aside from malware, an increasing amount of software now "phones home" by default. A software firewall will alert users to this behaviour and allow them to control it.

Finally, since Budfox mentions Fortigate so often, now would be a good time to mention that they are one of the worst GPL violators since their "FortiOS" is just a Linux kernel, encrypted to hide its origin.

 

So in other words, free linux built made-at-home-firewall distros are the same as professional grade ones.

Interesting thought to keep in mind.

I also think that software firewalls are a must have. It might be redundant in some cases, but it's often better to have some sort of control over what's accessing the internet.