Solved

When does a hardware firewall become justified?

Posted on 2010-09-23
19
917 Views
Last Modified: 2013-11-22


In a small business setup one server, lets say Server 2008 and anywhere from 4-12 client computers.

When does a hardware firewall (like Sonicwall) become justified?

At what point do you say, "yes, a hardware firewall is needed here"?
Question by:jetsonx
19 Comments
 
LVL 11

Expert Comment

by:rowansmith
ID: 33742552
Never.  The decision to use an appliance Firewall or a Software based firewall needs to be made based on any other purchasing decision.

I manage software Firewalls for organisations with 1000's of users.

I manage hardware Firewalls for organisations with 1000's of users.

Unless you are talking about Gigabits of throughput or 100Mbits of VPN, the Hardware vs Software debate comes down to: ease of use, return on investment, features and $$$$

For the number of users you are talking about, a software Firewall would perform equally with a hardware Firewall.

-Rowan
0
 
LVL 19

Expert Comment

by:lamaslany
ID: 33742722
I'd agree with rowansmith.  

To confirm:  I assume that you are talking about the pros and cons of using a hardware or software dedicated firewall, rather than asking if a dedicated firewall is justified if you have a host-based firewall?
0
 

Author Comment

by:jetsonx
ID: 33742806
Basically, I want to know why so many small businesses (with sometimes only as few as 6 computers) have a dedicated firewall like Sonicwall or Fortinet?
0
 
LVL 17

Expert Comment

by:Kvistofta
ID: 33742885
Define "hardware firewall" and "software firewall".

All software firewalls run on some kind of hardware, and all "hardware firewalls" run some kind of firewalling software.

You should always protect yourself against internet and other external parties. What kind of firewall you run is a matter of taste and which functions you need, nothing else.

/Kvistofta
0
 
LVL 19

Assisted Solution

by:lamaslany
lamaslany earned 76 total points
ID: 33743065
Several reasons I suppose.  From a security point-of-view it is 'Defense In-Depth'.  By having multiple layers of security you minimise your exposure should one layer be compromised.

Another consideration is that most dedicated firewalls double up as a router providing at the very least NAT/PAT functionality.  If you have to buy a router anyway then it makes sense to have one that also contributes to your defense in depth strategy.    

Most modern dedicated firewalls provide filtering all the way up to the application layer.  This multi-layer filtering can be resource intensive and by offloading this filtering to a dedicated device it reduces possible performance impact on the end user machines.  As dedicated firewalls can make use of hardware acceleration for certain tasks, such as processing SSL/VPN, by centralising the point at which these functions are performed you can reduce the need to buy more expensive hardware for each client.


I would also say that dedicated hardware firewalls are usually marketed as 'more secure' than software firewalls as they run on known hardware and with a hardened OS.  In truth I am not sure how much of an impact this actually has.  Many hardware firewalls are just running a hardened version of Linux.  Others are proprietary, but because of that it makes possible flaws harder to find.  Personally I like software-based firewalls, particularly those based on Linux, as they seem more flexible.
0
 
LVL 24

Accepted Solution

by:
rfc1180 earned 76 total points
ID: 33743108
>When does a hardware firewall (like Sonicwall) become justified?
A firewall is a device/application that is needed for any network design; it goes hand in hand with an Internet connection and/or departmentalized segmentation (AP/AR, Corp, Sales, etc).

>At what point do you say, "yes, a hardware firewall is needed here"?
I think what you mean here is an appliance (external to a host: PC, workstation and/or server). Firewall software installed on a host becomes limited depending on the vendor; most software firewalls are not deep packet inspection (DPI) firewalls, and of course do not have specialized ASICs specific to DPI (not all firewall appliances have specialized ASICs, but they are much more sophisticated than a "software" firewall). As with anything else in IT, you have to design a business case that puts everything out on the table: cost to manage all hosts that have a software firewall (this includes patching, access updating, log security checks, etc), side by side comparison of software firewalls and hardware firewalls, cost of licensing (software and hardware firewalls), advantages and disadvantages, etc. In my professional opinion, I would ALWAYS recommend a hardware firewall (an external dedicated appliance that is designed for deep packet inspection).

Good Luck
Billy
0
 
LVL 17

Expert Comment

by:Kvistofta
ID: 33743156
Is a Checkpoint appliance a "hardware firewall"?
Is an iptables-box a "software firewall"?

Both run as an application on top of Linux on a standard PC.

/Kvistofta
0
 
LVL 11

Assisted Solution

by:rowansmith
rowansmith earned 76 total points
ID: 33743238
The reason why most small businesses have a dedicated hardware (appliance) Firewall (in my humble opinion) is because of:

1. Exceptionally good marketing by vendors of said appliances
2. Lack of organisational knowledge in the information security domain
3. Minimal installation overhead "one-click-setup/install"

-Rowan
0

 
LVL 24

Expert Comment

by:rfc1180
ID: 33743369
>Is a Checkpoint appliance a "hardware firewall"?
>Is an iptables-box a "software firewall"?

Now you're getting into semantics; you ask anyone in the IT field, and most will agree that a Checkpoint is a hardware firewall (dedicated hardware external to a host) and a software firewall is iptables (McAfee, Symantec) running on the host that you want to protect, also called personal firewalls.

Yes, you can argue that a checkpoint is running a firewall application as does a host, but, the hardware tag comes from firewalls that have specialized ASICs specific to DPI.

That is like saying BGP is also a Layer 7 application though it provides Layer 3 services; most will argue that BGP is not at Layer 7 and is only Layer 3, but it is an application on a router (a PC) that listens on a port and sends and receives TCP messages, no different than HTTP, and HTTP is at Layer 7. That is also true for a router: does a router only operate at Layer 3? No, it is a PC and operates at all layers of the OSI model.

Billy
0
 
LVL 17

Expert Comment

by:Kvistofta
ID: 33743533
Billy: Yes, I am going into semantics, and the reason is simple; my point is that the definition of firewalls (hardware vs software) is outdated and irrelevant. My message to the author is that he/she should have a decent firewall with a sufficient level of protection and required features, no matter if it is classified as a "hardware" or a "software" firewall.

And yes, BGP is absolutely L7. And a router operates at all levels while the routing-functionality happens at L3. :-)

/Kvistofta
0
 
LVL 24

Expert Comment

by:rfc1180
ID: 33744575
>my point is that the definition of firewalls (hardware vs software) is outdated and irrelevant.
Agreed and well stated!
0
 
LVL 63

Assisted Solution

by:SysExpert
SysExpert earned 76 total points
ID: 33747536
I agree with the statements made so far, and would like to add, that your type of firewall may end up being dependent on your expertise and budget.

Simple appliance firewall at reasonable cost

Windows firewall - requires expertise and machine resources

Dedicated software firewall (Linux or similar) also requires expertise and separate machine resources (unless using a VM for everything)

For a small business, usually any of these will be fine.
If you need a VPN and remote dial-in access, then this may add to the expertise required for software firewalls, while an appliance is usually fairly easy to set up.

Support is also an issue. If it does not work, who do you turn to?

I hope this helps !
0
 
LVL 11

Expert Comment

by:rowansmith
ID: 33751056
Hi jetsonx,

Has your question been answered?  Is there any further information myself or the other Experts can assist you with?

Thanks.

-Rowan
0
 

Author Comment

by:jetsonx
ID: 33752803

Guys, thank you for all that excellent information.

Yes, I have been a victim of "exceptionally good marketing" by firewall vendors and was always under the assumption that just because it's a hardware device it must be better in some way...

>>>Many hardware firewalls are just running a hardened version of Linux.
- excellent comment, lamaslany

>>> dependent on your expertise and budget.(Sysexpert)
- very important point - the best firewall in the world in the wrong hands will be useless!

>>> while an appliance is usually fairly easy to set up.(Sysexpert)
- I thought software would be easier to setup?

0
 
LVL 63

Expert Comment

by:SysExpert
ID: 33758378
>>> while an appliance is usually fairly easy to set up.(Sysexpert)
>- I thought software would be easier to setup?

This depends on the firewall software - some are easier than others, and the dedicated firewalls or appliances may be easier than an add-on.
Also your own expertise comes into play. If you are already a Linux guru, then many firewalls may seem easier to set up ..
0
 
LVL 23

Assisted Solution

by:Mysidia
Mysidia earned 76 total points
ID: 33759377
"Basically, want to know why do so many small businesses (with sometimes only as few as 6 computers) have a dedicated firewall like Sonicwall or Fortinet?"  Reliability, Security, Reporting,  Perception of Security,  Cost of ownership, and Maintainability.  For most businesses,  reliability and perception of security  is slightly more important  than purchase price of the device or anything else.

When it comes to  Egress filtering  ---  protection against internal intrusions,  for example filtering outbound traffic  to prevent an Employee  from leaking proprietary company information (data leak prevention), to control employee web surfing,  or to  prevent  Bob in IT  from IRC'ing while he should be working on the servers,  dedicated firewall appliances are very beneficial.

That is, the firewall would normally be managed by a security team who would be at arms length from the server admin / network admin,   for example,  the Firewall admin (and his boss) would have access to the Firewall password,  but  not  the  server admins or the network admins.

The dedicated nature of the appliance helps reinforce that separation and deter internal attacks against it that might be attempted and succeed easily against a general purpose PC: just boot it from alternate media, and alter whatever rules you want.


Performance is a major consideration, but usually not for so few users, where the firewall is just for separation of a local Intranet LAN from an untrusted Internet-connected WAN.
In scenarios where you have a DMZ  (You have multiple local networks that your firewall separates) and need high throughput across the firewall to local servers,  performance may be a major issue with PC-based firewall software, however.


The cost to the business of a hacker intrusion can be significant, even if there are only 6 computers; it just takes one compromise for a hacker to obtain banking info.  There is no particular number of machines that is necessary to justify providing a security appliance; even ONE is enough to justify your network having this security.


However, the more machines, the more internet activity,  the more elaborate or higher capacity a firewall device may be required.  If you have a large number of PCs,  a  software-based firewall  (whether it's a dedicated appliance or not)  may be inadequate,    or at a certain  Packets per second rate,  the firewall may be a bottleneck on your network.


Using anything other than a computer or other device dedicated to the firewall function is a risk in terms of real security and perception of security,   because  if  the server is hacked -- your firewall may now be impaired also.

The firewall provides a critical security function for your LAN.
If the firewall goes down,  you have no internet connectivity.

If internet connectivity is important to your business, you will want a reliable firewall  that you can have replaced easily and quickly,  without days of downtime  to  rebuild.

PC firewalls use mechanical components such as spinning hard drive motors,  spinning fans,  parts are more generic low-end consumer grade stuff, which can  sometimes make them more prone to failure,  compared to  Enterprise grade firewalls,  which are based on higher-end components, solid state storage,  less reliance on moving parts,  lower power electronics.

Using a general purpose OS for your firewall such as Windows or Linux  is a risk in terms of perceived security (and possibly an impairment in actual security as well, in some cases)  -- particularly if the  OS is not specially hardened.

Dedicated firewall devices such as a Cisco ASA, or a Sonicwall, do not run a general purpose OS -- the OS they run is dedicated to the firewall function, implements minimal functionality, is hardened, and therefore has a much smaller attack surface than a general purpose OS.

Hackers also know less about your dedicated firewall selection -- there are many to pick from,  the nature of these OSes, and how to compromise them,  if they have any vulnerabilities  is  less understood by  hackers,   the dedicated configuration is a more suitable bastion and less likely to be attacked  than a common OS.



In terms of cost of ownership: dedicated firewall units such as an ASA or a Sonicwall may use less electricity than a standard desktop PC, and consume less space in your rack.

They do not require building or installing an elaborate OS... instead there is a simple firmware, just one program, the 'firewall image', to be updated.  Updates are usually automatic -- there are few components that can break, and upgrade is generally a one-click process.

Your firewall won't be compromised because you forgot to upgrade 1 of 300 programs in a stock OS install, that the vendor forgot about..   that is, most dedicated firewall devices are Monolithic in nature,   one  software program,  some are a few programs..


They are easier for you to maintain than a PC.   Generally you just have 'a configuration' to backup.
Not a software stack.
If you need to 'restore a backup'  to a replacement firewall,  the process is simpler than rebuilding a PC.
0
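The egress-filtering point above (a default-deny outbound policy where only the mail server may send SMTP, workstations get web and DNS, and everything else such as IRC is logged and dropped) can be modelled as a first-match rule evaluator. This is an added example for illustration, not code from any poster or product; the addresses, ports and rule names are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src: str     # internal host initiating the connection
    dst: str     # external destination
    proto: str   # "tcp" or "udp"
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                     # "accept" or "drop"
    src: str = "0.0.0.0/0"          # CIDR of internal sources the rule covers
    proto: Optional[str] = None     # None means any protocol
    dports: frozenset = frozenset() # empty means any destination port

    def matches(self, f: Flow) -> bool:
        return (ip_address(f.src) in ip_network(self.src)
                and (self.proto is None or self.proto == f.proto)
                and (not self.dports or f.dport in self.dports))


# Constructed policy for a LAN of 192.168.10.0/24 with the mail server at .10.
# Rules are evaluated top to bottom; the first match wins (iptables-style).
EGRESS_POLICY = [
    Rule("server-smtp", "accept", "192.168.10.10/32", "tcp", frozenset({25, 587})),
    Rule("dns-out", "accept", "192.168.10.0/24", "udp", frozenset({53})),
    Rule("web-out", "accept", "192.168.10.0/24", "tcp", frozenset({80, 443})),
    Rule("default-deny", "drop"),   # catch-all: unlisted traffic is dropped and logged
]


def evaluate(flow: Flow, policy=EGRESS_POLICY):
    """Return (action, rule_name) for the first rule that matches the flow."""
    for rule in policy:
        if rule.matches(flow):
            return rule.action, rule.name
    return "drop", "implicit-deny"   # reached only if no catch-all rule exists


def audit(flows, policy=EGRESS_POLICY):
    """Produce the drop log lines a firewall admin would review for leaks or misuse."""
    lines = []
    for f in flows:
        action, name = evaluate(f, policy)
        if action == "drop":
            lines.append(f"DROP {f.src} -> {f.dst}:{f.dport}/{f.proto} rule={name}")
    return lines
```

Workstation SMTP and IRC attempts fall through to the catch-all and appear in the audit output, while the same SMTP flow from the designated server is accepted.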
 
LVL 68

Expert Comment

by:Qlemo
ID: 34143518
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.
0
