Hardware and Software Firewall?

Discussion in 'Security' started by blogreview, Nov 26, 2012.

  1. #1
    Can you use both a hardware and software firewall?
    Do they conflict/cause operating problems?

    What is the "best" software firewall to use if there is no
    problem using hardware and software firewalls?
    blogreview, Nov 26, 2012
  2. bluebios

    bluebios Greenhorn

    the best one is COMODO FIREWALL :)
    bluebios, Dec 9, 2012
  3. RonBrown

    RonBrown Well-Known Member

    Yes. We do. We front our service with high-availability hardware firewalls and run software firewalls on all our servers.

    In fact, it's a good idea to use both because you can block all unnecessary outside traffic from reaching your network, but allow different firewall rules inside your network if you need to via the software firewalls... plus it provides additional protection if the hardware firewalls should be unavailable at any time.

    None - as long as you remember what order the firewalls are in.

    There's no such thing. When it comes to hardware firewalls we like Sonicwalls and Junipers, but there are plenty of other makes with great features.

    When it comes to hardware firewalls, do you want a UTM (Unified Threat Management) firewall that will not only block ports but could include Intrusion Detection, Intrusion Prevention, Anti-Virus, Anti-Spam, DDoS protection, high-availability (active/active or active/passive) - expect to pay a significant sum yearly to renew licences, with the higher spec firewalls costing significantly more - or a more "simple" firewall with just port-blocking and maybe some basic L7 stuff? You also get SPI (Stateful Packet) with hardware firewalls (you can with some software ones too) and usually a deep-packet inspection engine of some sort that will burrow down into each packet looking for threats. I've never seen deep packet inspection on software firewalls.

    Most hardware firewalls are specced on firewall throughput speed, UTM throughput (if you have it), max connections it can handle at the same time, and max new connections per second - plus whatever other features you want. You need to spec a firewall that can provide the necessary performance for your set-up (a small low-end firewall might be perfectly sufficient to protect one or two servers).

    Hardware firewalls for a busy rack can be expensive, starting about $5000 for a basic version and up to $100,000 for higher-spec ones, and even more if you're talking about enterprise-class protection.

    With Software Firewalls you tend not to get the same level of protection that you get with hardware firewalls, but granular port-blocking, and maybe some basic threat assessment tools will normally suffice. There are other software tools you can install (anti-malware, anti-virus, root-kit detectors) to help protect your server.

    Defence in depth is what it's about, and the more layers of protection you provide the safer it should be, but no system is ever 100% effective.

    Another thing worth mentioning is that ALL firewalls are software based to an extent, in that many of the features of a "hardware firewall" are based in software. However, many hardware firewalls also have specialised and dedicated hardware installed, e.g. a high-powered cryptographic chip. It might be better to think of a "hardware firewall" as being a dedicated hardware appliance running specialist software, while a "software firewall" is software that runs directly on the server it is designed to protect. Nit-picking, but maybe more accurate, because there is off-the-shelf firewalling software you can purchase that is designed to be installed on generic server hardware and that turns that hardware into a dedicated hardware firewall appliance.
    Last edited: Dec 12, 2012
    RonBrown, Dec 12, 2012
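
The layering described in the post above, as an added example that is not part of the thread: a small Python model of a perimeter firewall in front of a host firewall, showing which layer decides each flow and what the host rules still block when the perimeter is unavailable. The rule sets, addresses and the `perimeter_up` switch are constructed assumptions, not any vendor's configuration.

```python
import ipaddress
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    action: str           # "allow" or "deny"
    src: str              # source network in CIDR form
    port: Optional[int]   # destination port, None = any

# Constructed sample policies (assumptions for illustration only).
# Perimeter: only web traffic may enter from outside.
PERIMETER = [Rule("allow", "0.0.0.0/0", 443), Rule("allow", "0.0.0.0/0", 80)]
# Host: web from anywhere, SSH and MySQL only from the internal subnet.
HOST = [Rule("allow", "0.0.0.0/0", 443), Rule("allow", "0.0.0.0/0", 80),
        Rule("allow", "10.0.0.0/24", 22), Rule("allow", "10.0.0.0/24", 3306)]
INTERNAL = ipaddress.ip_network("10.0.0.0/24")

def match(rules, src, port):
    """First-match evaluation with an implicit default deny."""
    ip = ipaddress.ip_address(src)
    for r in rules:
        if ip in ipaddress.ip_network(r.src) and r.port in (None, port):
            return r.action
    return "deny"

def verdict(src, port, perimeter_up=True):
    """Return (action, deciding layer) for a flow to the protected server.

    Outside traffic meets the perimeter first, then the host firewall.
    Internal traffic never crosses the perimeter, so only host rules apply.
    perimeter_up=False models the perimeter being unavailable or bypassed.
    """
    from_outside = ipaddress.ip_address(src) not in INTERNAL
    if from_outside and perimeter_up and match(PERIMETER, src, port) == "deny":
        return ("deny", "perimeter")
    return (match(HOST, src, port), "host")

if __name__ == "__main__":
    flows = [("203.0.113.5", 443), ("203.0.113.5", 22),
             ("10.0.0.7", 22), ("10.0.0.7", 8080)]
    for up in (True, False):
        print(f"perimeter_up={up}")
        for src, port in flows:
            print(f"  {src}:{port} -> {verdict(src, port, up)}")
```

With the perimeter down, outside SSH is still denied, but now by the host layer: the host rules are what carry the protection in that state.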