Are Software Firewalls advised in addition to hardware firewall

Small network (12-15 client nodes, 5 servers, two tape backups), broadband gateway and hardware firewall.

How important is it to complement the network hardware firewall with software firewalls on the clients, and why? I'll need to explain and justify to the CEO next week.

It was my understanding that software firewalls are recommended as an additional layer of security against unwanted outbound traffic that might easily pass the hardware firewall in outgoing traffic. Is this still valid?

Also, what recommendations would you make for spyware utilities? Are most well secured networks running two different spyware products on all clients?

Thanks for all advice and commentary!

Lee W, MVP, Technology and Business Process Advisor, commented:
Software Firewalls can be appropriate.  A hardware firewall typically only blocks incoming attacks.  Some can block outgoing as well, but need to be configured and even then to let the user actually work, you will likely have to permit SOME ports to be open.

A software firewall running on a computer can help ensure that no spyware/adware installed on a computer by accident is able to transmit that data out of the network.  Users must be trained appropriately, but with such training, the odds of a security breach DO go down.

zephyr_hex (Megan), Developer, commented:
It depends on what kind of hardware firewall you are running. Many retail routers that are meant for households do not have good firewall protection. Corporate firewalls do.

There is no need for firewall software if you have a good router. For a company, I recommend upgrading your hardware. It will be easier to maintain and easier to troubleshoot when problems arise. Software firewalls can cause too many headaches.

As for spyware utilities... again... it helps to have a good router. Many corporate routers will log certain kinds of spyware activity, and some will even scan incoming traffic for viruses and spyware. You can also block known spyware IPs. I have yet to find a spyware utility that does a super good job at cleaning out an infected system... you have to use multiple applications to remove the baddies. As for prevention, make sure the antispyware runs real-time.

Running multiple spyware products is ok (as long as it doesn't bog system resources too much). Running two antivirus products is not ok.

Keith Alabaster, Enterprise Architect, commented:
It really does depend on the quality of the hardware firewall, your requirements and to a degree your own knowledge. Even good hardware firewalls may not have the capability to block web content of a certain nature, for example.
I use PIX firewalls on my outside and ISA Server as my internal firewall, giving me the best of both worlds.

This model lets the hardware firewall (PIX) filter out all aspects of traffic that I am not interested in at all and also create the connection point for my VPNs. The PIX routes allowed traffic to the required interfaces (inside, DMZ etc.), creates the necessary mappings between outside and inside addresses and creates the NAT condition for outgoing traffic.

The inside software firewall controls who is allowed out, what type of site they can visit and at what times of the day and night. It also controls the authentication requests for my clients. ISA publishes my internal servers (SharePoint, web and mail) to the Internet, blocks attachments

So bottom line, PIX deals with the routing and permissions and access up to layer 4; ISA, as an application layer gateway, deals with layers 5, 6 and 7, giving you a full protection system. Maybe I am old fashioned but I don't care whether you have 5 workstations/servers or 500; it's the protection needed that decides the equipment.

I have Spybot - Search & Destroy for my spyware removal; I only use the one.
For security in depth or layered defense, yes, you would need a software FW. But for a small operation like yours, as long as you have a good, well configured hardware FW you should be ok.
The software FW basically does the same thing your HW FW does, just in case it gets by the hardware FW.

Spyware: most I know run one, mainly, and if there is a problem removing something, then they temporarily use another.

Keith Alabaster, Enterprise Architect, commented:
Thanks :)