Can you use both a hardware and software firewall? Do they conflict/cause operating problems? What is the "best" software firewall to use if there is no problem using hardware and software firewalls?
Yes. We do. We front our service with high-availability hardware firewalls and run software firewalls on all our servers. In fact, it's a good idea to use both because you can block all unnecessary outside traffic from reaching your network, but allow different firewall rules inside your network if you need to via the software firewalls...plus it provides additional protection if the hardware firewalls should be unavailable at any time.

None - as long as you remember what order the firewalls are in.

There's no such thing. When it comes to hardware firewalls we like Sonicwalls and Junipers, but there's plenty of other makes with great features.

When it comes to hardware firewalls, do you want a UTM (Unified Threat Management) firewall that will not only block ports but could include Intrusion Detection, Intrusion Prevention, Anti-Virus, Anti-Spam, DDOS protection, high-availability (active/active or active/passive) - expect to pay a significant sum yearly to renew licences, with the higher spec firewalls costing significantly more - or a more "simple" firewall with just port-blocking and maybe some basic L7 stuff? You also get SPI (Stateful Packet Inspection) with hardware firewalls (you can with some software ones too) and usually a deep-packet inspection engine of some sort that will burrow down into each packet looking for threats. I've never seen deep packet inspection on software firewalls. Most hardware firewalls are specced on firewall throughput speed, UTM throughput (if you have it), max connections it can handle at the same time, and max new connections per second - plus whatever other features you want. You need to spec a firewall that can provide the necessary performance for your set-up (a small low-end firewall might be perfectly sufficient to protect one or two servers). Hardware firewalls for a busy rack can be expensive, starting at about $5000 for a basic version and up to $100,000 for higher-spec ones, and even more if you're talking about enterprise-class protection.

With software firewalls you tend not to get the same level of protection that you get with hardware firewalls, but granular port-blocking, and maybe some basic threat assessment tools, will normally suffice. There are other software tools you can install (anti-malware, anti-virus, root-kit detectors) to help protect your server. Defence in depth is what it's about, and the more layers of protection you provide the safer it should be, but no system is ever 100% effective.

Another thing worth mentioning is that ALL firewalls are software based to an extent, in that many of the features of a "hardware firewall" are based in software. However, many hardware firewalls also have specialised and dedicated hardware installed, e.g. a high-powered cryptographic chip. It might be better to think of a "hardware firewall" as being a dedicated hardware appliance running specialist software, while a "software firewall" is software that runs directly on the server it is designed to protect. Nit-picking, but maybe more accurate, because there is off-the-shelf firewalling software you can purchase that is designed to be installed on generic server hardware and turns that hardware into a dedicated hardware firewall appliance.
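The layering the answer describes (a default-deny edge firewall in front, a host-based firewall on each server behind it, traffic passing through them in order) can be modelled to check what a given policy actually lets through end to end. The following is an added example written for this page, not code from the answer's author; the rule sets, addresses and port numbers are constructed sample data, and the `Firewall`, `Rule` and `evaluate` names are my own. It shows the three things the answer relies on: the edge blocks what never needs to reach the rack, the host firewall can be stricter than the edge for its own server, and the host firewall still holds if the edge layer is bypassed or unavailable.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Minimal view of an inbound packet: source address, destination port, protocol."""
    src: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    """A single first-match rule; None in a field means 'matches anything'."""
    action: str                      # "allow" or "deny"
    src: str = "0.0.0.0/0"           # CIDR the source address must fall inside
    dst_port: Optional[int] = None
    proto: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        if ip_address(pkt.src) not in ip_network(self.src, strict=False):
            return False
        if self.dst_port is not None and self.dst_port != pkt.dst_port:
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        return True


@dataclass
class Firewall:
    """One layer: ordered rules, first match wins, default-deny if nothing matches."""
    name: str
    rules: List[Rule]
    default: str = "deny"

    def decide(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return self.default


def evaluate(layers: List[Firewall], pkt: Packet) -> Tuple[str, Optional[str]]:
    """Walk the layers in the order traffic traverses them.

    The first layer that denies wins, and its name is returned so the
    operator can see *which* firewall dropped the packet. The packet is
    only allowed if every layer in the chain allows it.
    """
    for fw in layers:
        if fw.decide(pkt) == "deny":
            return ("deny", fw.name)
    return ("allow", None)


def reachable_ports(layers: List[Firewall], src: str, candidates: List[int]) -> List[int]:
    """Ports a given source can reach end to end through all layers (constructed helper)."""
    return sorted(p for p in candidates if evaluate(layers, Packet(src, p))[0] == "allow")


# Constructed sample policy for the edge appliance: only public services and
# SSH from a hypothetical admin range are let into the rack at all.
EDGE = Firewall("edge-hw", [
    Rule("allow", dst_port=80, proto="tcp"),
    Rule("allow", dst_port=443, proto="tcp"),
    Rule("allow", dst_port=8080, proto="tcp"),                      # open at the edge for another server
    Rule("allow", src="203.0.113.0/24", dst_port=22, proto="tcp"),  # admin range (documentation prefix)
])

# Constructed sample policy for one web server's host firewall: stricter than
# the edge, since this box serves only 80/443 and takes SSH from the LAN only.
WEB_HOST = Firewall("web-host-sw", [
    Rule("allow", dst_port=80, proto="tcp"),
    Rule("allow", dst_port=443, proto="tcp"),
    Rule("allow", src="10.0.0.0/8", dst_port=22, proto="tcp"),
])

if __name__ == "__main__":
    internet = "198.51.100.7"
    for port in (22, 80, 443, 8080, 3306):
        print(port, evaluate([EDGE, WEB_HOST], Packet(internet, port)))
    print("reachable from internet:", reachable_ports([EDGE, WEB_HOST], internet, [22, 80, 443, 8080, 3306]))
    print("host alone, edge bypassed:", evaluate([WEB_HOST], Packet(internet, 8080)))
```

Reading the output against the answer: port 8080 is allowed by the edge (some other server needs it) but the web host drops it, which is the "different rules inside your network" point; port 22 from the internet never gets past the edge; and if the edge layer is taken out of the chain, the host firewall still denies 8080 on its own, which is the "additional protection if the hardware firewalls should be unavailable" point. The order matters in the other direction too: a management connection from 10.x reaches the host firewall directly without passing the edge policy, so it is evaluated against `WEB_HOST` alone.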