Software v Hardware Firewall - Unsafe versus unscalable?

Hi all

This topic is an attempt to foster discussion and build deeper understanding of the pro's and con's of software versus hardware firewalls in an Enterprise environment.

What are your comments on the following observations about firewall implementations? What are the other design weaknesses/strengths to consider?

I would be happy to summarise this post if it gathers sufficient material and make it available for any one interested.

Software Firewalls - Unsafe?
IMHO building a firewall on top of an OS increases the vulnerabilities. Not only do you have weaknesses/vulnerabilities of the firewall but you also have the OS weaknesses/vulnerabilities. This is regardless if it is open source OS or proprietary like Windows. However you can quite easily deploy this quite easily and may suit the less technically inclined. (but shouldn't these be the people that need greater protection?)

Hardware Firewalls - Unscalable?
Again IMHO using a hardware based firewall limits your future growth. You purchase a dedicated box to handle x amount of traffic and processing. When you exceed this you must purchase a new firewall box. Therefore cost becomes a factor and you have issues in creating a failover back up (with software based firewalls you could ghost the working build).

Cheers for your time and consideration

Software Firewalls - Unsafe?

I don't see why firewalls running on conventional x86 or other wide-use computers can't be as safe as firewalls running on dedicated hardware. They all run some kind of OS after all, just in the first case you have a wider variety of usage options and potentially a larger possibility of a configuration mistake, but appart from that it's in your hand to make it equally safe to a hardware device. Besides, a possible vulnerability of the OS will affect only local access control, which is not an issue for use as a firewall

IMHO efficiency in power/ space consumption are maybe the most importand advantages of firewall & router devices. Also (at least in theory) the limited and light OS of a firewall device *should* provide a more stable and tight enviroment as it is totally costumized for the particular hardware and functionality. Again, that's not to say software firewalls are not credible, i.e. I haven't rebooted my Openbsd router/firewall that runs on a P1 200 for 2 months or so and it works flawlessly, routing more than 60 GB/day.

About the second part, I agree that hardware firewalls' limited power prove a bottleneck much sooner than a conventional computer's, though I imagine that when an organization meets such a growth that it needs to upgrade, the cost of a couple such devices won't be an issue

What Nske says is true.. the base operating system of the firewall has to be secure.. thats the primary objective. This is one of the biggest points in favour of a hardware firewall since they come with a stripped down, hardened o/s.. there is nothing worse than seeing a Check Point installation on a Windows box which is unpatched and running a thousand services.

Most people will agree that a firewall should do only one task -- firewalling.. this speaks in favour of a hardware device, since it is customized to suit that role.. as far as scalability is concerned.. depending on the firewall you buy, they are usually extensible in terms of RAM and additional interfaces.. logging facilities IMHO should always be to a separate syslog server anyway.. so that takes care of disk space constraints.

Firewalls that are built on regular systems..for example iptables on Linux or pf on BSD can be very effective systems.. as long as someone has the expertise to harden the underlying OS and then write a good set of rules.

I find that most people with hardware firewalls complicate their ruleset.. as far as rules go.. simpler is always better, and you'll be amazed at how much better your ruleset can be if you build the box from scratch and write the rules directly to reflect your company's security policy.

I've handled PIX's & Netscreens, but I honestly prefer building my own firewall..

Of course for some people its easier to justify the spending by having something pretty to look at in the rack.


Cheers,

Well I think the general agreement is that the software Firewall works as long as the OS is fully patched.

But this makes me see a software solution as being more suitable for those who are cost conscious (is FreeBSD with firewall) or want the challenge of building a firewall from scratch (a very satisfying task for those interested I'm sure!)

IMHO I am starting to lean towards a Hardware solution because you gain the advantage of increased speed for throughput and reduced attack vectors. As Sahirh said you can upgrade the RAM and processor for improved performance. The hardware solution would also be more secure for those organisations that may not have the in house technical expertise to successfully manage the firewall otherwise.