Software Firewall vs Hardware Firewall

By sn
I originally posted this as a discussion topic, however, after some thinking, I believe it better suited to be posted as a question. Unfortunately, I could not see an easy way to change that without re-posting, so here goes:

We currently have a network consisting of a couple of Windows 2000 Active Directory servers and a Mac OS X Leopard Server running Open Directory, iChat, and Web. Both platforms are used as file servers, too.

At the moment, we have a NAT device and hardware firewall separate from the servers, however, I am looking into setting up a Leopard server for VPN, and was thinking about running NAT and Firewall on that server, as well.

So, basically, what I'm curious about are the pros and cons of using a separate hardware NAT/Firewall device versus using the tools integrated into Leopard.

I have not been able to find a definitive answer, and am curious about what people think.


All Answers

What I think

by Levi_L In reply to Software Firewall vs Hard ...

I think that there are quite a few differences, but here are what I consider to be the ones that stick out to me:
1) A hardware firewall is dedicated to serving one or two specific purposes, and only those purposes. If you delegate those roles to a server that may have other roles added to it down the road, you may end up asking a machine to do more than it can handle (resulting in messing up your entire network).
2) There are fewer "things" to break when it comes to a hardware firewall. As I'm sure you know, computers will eventually break down, so the fewer moving parts and components, the better. Also, in the event of a catastrophic failure on a software firewall that is hosted on your VPN server, your external users will be without communication until you can repair the issue or get a new machine up and running. If you have a hardware failure, you can set up your server as a failover device, so your external users will still have internal access. That way, if there is a failure, you just change some wires, start a few services, and all is well while you work on fixing the hardware failure.

Now, I would say that you can set up a separate machine to be your gateway (like an box). Because all of the processing isn't being done on one machine, you have less chance of catastrophic failure, and it offers some pretty cool features that most hardware firewalls don't.

My thoughts

by fhvasco In reply to Software Firewall vs Hard ...

I prefer hardware NAT/Firewall devices over any software protection for a few simple reasons.

1. Less prone to failure (software and OS bugs and holes)
2. Typically offers more customization and features to protect
3. Less administration to have one device to manage

The real question is what are you trying to achieve by deploying another layer of security?

If this server's sole purpose is to offer VPN services, I might consider placing the server in a DMZ. Configure the firewall to allow only PPTP to the public interface, and set up additional rules for the internal interface to control what VPN users have access to.

My 2 cents
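As an added example, not code from this thread, here is an ipfw ruleset (the packet filter behind Leopard's firewall service) for the DMZ layout fhvasco describes: only PPTP reaches the public interface, and VPN users get a short allow-list on the inside. Interface names en0 (public) and en1 (internal), the VPN client pool 10.0.5.0/24, the internal file server 192.168.1.10 and the rule file path are assumptions; load it with `ipfw -f flush` followed by `ipfw /etc/ipfw.vpn.rules` as root.

```ipfw
# /etc/ipfw.vpn.rules (assumed path): one ipfw command per line, read by `ipfw <file>`
# Loopback and stateful bookkeeping first
add 100 allow ip from any to any via lo0
add 200 check-state

# Public interface en0 (assumed name): PPTP only.
# PPTP is two protocols, the TCP 1723 control channel AND GRE (IP protocol 47)
# for the tunnelled data; allowing 1723 alone gives clients a VPN that
# authenticates but never passes traffic.
add 1000 allow tcp from any to me 1723 in via en0 setup keep-state
add 1010 allow gre from any to me in via en0
add 1020 allow gre from me to any out via en0

# Let the server itself initiate outbound connections (updates, DNS) and
# receive the replies statefully, but nothing else comes in on en0.
add 1100 allow tcp from me to any out via en0 setup keep-state
add 1110 allow udp from me to any out via en0 keep-state
add 1900 deny log ip from any to any in via en0

# Internal interface en1 (assumed name): VPN clients arrive on ppp* links and
# leave toward the LAN on en1. Allow only the file server, only SMB (445)
# and AFP (548), and log everything else the pool tries to reach.
add 2000 allow tcp from 10.0.5.0/24 to 192.168.1.10 445,548 out via en1 setup keep-state
add 2010 allow icmp from 10.0.5.0/24 to 192.168.1.10 icmptypes 8 out via en1
add 2900 deny log ip from 10.0.5.0/24 to any out via en1

# Ordinary LAN traffic on en1 is untouched by this server's filter
add 3000 allow ip from any to any via en1
add 65000 deny log ip from any to any
```

Logged denies on rules 1900 and 2900 are what you watch: hits on 1900 show what the public side is probing for, and hits on 2900 show VPN users reaching past the file server.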


Bringing a knife to a gunfight, or why hardware firewalls are better

by robo_dev In reply to Software Firewall vs Hard ...

While it is true that hardware firewalls have an OS, these devices have two main advantages:

1) The OS on a hardware firewall has been hardened and tested extensively. Most hardware firewalls use a modified and often proprietary OS kernel. So OS exploits on the firewall are very rare, and most hackers simply choose a softer target.

While you can harden some servers fairly well, it's easy to get wrong, and the server OS is a softer target because it's better documented and typically much easier to enumerate.

2) Most hardware firewalls are intentionally 'idiot-proof' in their configuration. You cannot just accidentally forget to disable FTP or Telnet on a hardware firewall, because its default configuration is typically locked down 'deny everything'.

I agree

by Jicious In reply to Bringing a knife to a gu ...

Exactly what I think.


by sn In reply to Software Firewall vs Hard ...

Thanks everyone for your help. I was kind of leaning towards a hardware firewall/gateway, but wanted opinions before spending the additional $$$.

You all offered valid points, which I will consider over the next couple of days.
