Are Software Firewalls advised in addition to a hardware firewall?

Posted on 2006-04-13
Last Modified: 2013-11-16
Small network (12-15 client nodes, 5 servers, two tape backups), broadband gateway and hardware firewall.

How important is it to complement the network hardware firewall with software firewalls on the clients? And why? I'll need to explain and justify to the CEO next week.

It was my understanding that software firewalls are recommended as an additional layer of security against unwanted outbound traffic that might easily pass the hardware firewall in outgoing traffic. Is this still valid?

Also, what recommendations would you make for spyware utilities? Are most well secured networks running two different spyware products on all clients?

Thanks for all advice and commentary!
Question by:tometh
    LVL 95

    Assisted Solution

    by:Lee W, MVP
    Software Firewalls can be appropriate.  A hardware firewall typically only blocks incoming attacks.  Some can block outgoing as well, but need to be configured and even then to let the user actually work, you will likely have to permit SOME ports to be open.

    A software firewall running on a computer can help ensure that no spyware/adware installed on a computer by accident is able to transmit that data out of the network.  Users must be trained appropriately, but with such training, the odds of a security breach DO go down.
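
The outbound point made in the question and in the answer above, as an added example that is not part of any poster's reply: a perimeter rule set that only sees ports is compared with a host rule set that also sees the sending program. All process names, port lists, addresses and flows are constructed for illustration.

```python
# Added illustration: port-based perimeter egress policy vs. per-application host policy.
# Every name, port list, address and flow below is constructed for this example.
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    host: str       # client that opened the connection
    process: str    # program that opened it (visible only on the client)
    dst_ip: str
    dst_port: int

# Perimeter rule set: sees addresses and ports, not which program sent the traffic.
PERIMETER_ALLOWED_PORTS = {53, 80, 443}

# Host rule set: (program, destination port) pairs approved on the client.
HOST_ALLOWED = {
    ("iexplore.exe", 80), ("iexplore.exe", 443),
    ("outlook.exe", 443), ("svchost.exe", 53), ("ftp.exe", 21),
}

def perimeter_allows(flow):
    return flow.dst_port in PERIMETER_ALLOWED_PORTS

def host_allows(flow):
    return (flow.process.lower(), flow.dst_port) in HOST_ALLOWED

def classify(flow):
    """Say which layer, if any, stops an outbound flow."""
    p, h = perimeter_allows(flow), host_allows(flow)
    if p and h:
        return "allowed"
    if p:
        return "stopped-by-host-only"
    if h:
        return "stopped-by-perimeter-only"
    return "stopped-by-both"

FLOWS = [  # constructed sample connections (documentation address ranges)
    Flow("pc-03", "iexplore.exe", "198.51.100.10", 443),
    Flow("pc-03", "toolbarhelper.exe", "203.0.113.7", 80),
    Flow("pc-07", "updater32.exe", "203.0.113.7", 6667),
    Flow("pc-11", "ftp.exe", "198.51.100.44", 21),
]

def perimeter_gap(flows):
    """Flows the port-based perimeter passes but the host policy refuses."""
    return [f for f in flows if classify(f) == "stopped-by-host-only"]

if __name__ == "__main__":
    for f in FLOWS:
        print(f.host, f.process, f.dst_port, classify(f))
```

The flow on port 80 from an unapproved program is the case the thread is discussing: the perimeter passes it because the port is permitted, and only the per-application rule on the client refuses it.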
    LVL 42

    Accepted Solution

    it depends on what kind of hardware firewall you are running.  many retail routers that are meant for households do not have good firewall protection.  corporate firewalls do.

    there is no need for firewall software if you have a good router.  for a company, i recommend upgrading your hardware.  it will be easier to maintain and easier to troubleshoot when problems arise.  software firewalls can cause too many headaches.

    as for spyware utilities....  again... it helps to have a good router.  many corporate routers will log certain kinds of spyware activity, and some will even scan incoming traffic for viruses and spyware.  you can also block known spyware IPs.  i have yet to find a spyware utility that does a super good job at cleaning out an infected system ... you have to use multiple applications to remove the baddies.  as for prevention, make sure the antispyware runs real-time.

    running multiple spyware products is ok  (as long as it doesn't bog system resources too much).  running two antivirus products is not ok.
    LVL 51

    Assisted Solution

    by:Keith Alabaster
    It really does depend on the quality of the hardware firewall, your requirements and to a degree your own knowledge. Even good hardware firewalls may not have the capability to block web content of a certain nature, for example.
    I use PIX firewalls on my outside and ISA server as my internal firewall, giving me the best of both worlds.

    This model lets the hardware firewall (PIX) filter out all aspects of traffic that I am not interested in at all and also create the connection point for my VPNs. The PIX routes allowed traffic to the required interfaces (inside, DMZ etc), creates the necessary mappings between outside and inside addresses and creates the NAT condition for outgoing traffic.

    The inside software firewall controls who is allowed out, what type of site they can visit and at what times of the day and night. It also controls the authentication requests for my clients. ISA publishes my internal servers (Sharepoint, web and mail) to the Internet, blocks attachments

    So bottom line, PIX deals with the routing and permissions and access up to layer 4; ISA, as an application layer gateway, deals with layers 5, 6 and 7, giving you a full protection system. Maybe I am old fashioned but I don't care whether you have 5 workstations/servers or 500; it's the protection needed that decides the equipment.

    I have Spybot-Search and destroy for my spyware removal; I only use the one.
    LVL 9

    Assisted Solution

    For security in depth or layered defense, yes, you would need a software FW. But for a small operation like yours, as long as you have a good, well configured hardware FW you should be ok.
    The software FW basically does the same thing your HW FW does, just in case it gets by the hardware FW.

    Spyware: most I know run one, mainly, and if there is a problem removing something, then they temporarily use another.
    LVL 51

    Expert Comment

    by:Keith Alabaster
    Thanks :)
