Software Versus Hardware Firewall

By JHaley
Last week I changed jobs and employer and took over a Network Admin position. There is no documentation of the current network. My first task is to update their existing firewall. This company has a T1 to the parent company and 12 Frame Relay connections to internal branch offices. It's an all CISCO network with the exception of the firewall. The current firewall is an AXent Raptor Firewall V6.0 for NT. Now I'm to review two choices for implementation:
(1) Installation of a free upgrade to the Symantec Enterprise Firewall with Symantec Enterprise VPN Ver 6.5.
(2) Installation of Symantec VelociRaptor 700.

We have future plans of implementing a point-to-point VPN at each Frame location, installing DSL, and eliminating the cost of the Frame connections.

Is anyone utilizing either of the two products?
Are you satisfied with the results?
Which one would you recommend utilizing?
Also are you utilizing any Intrusion Detection Software?

errr PIX??

by DukeBytes In reply to Software Versus Hardware ...

I know that this is not what you are asking - BUT - if it is an all CISCO network with the exception of the firewall - why would you buy anything other than a PIX. With the new 6.0 ios and all the VPN stuff that is in it you really wouldn't need anything else????

A 520 at the main location and 506's at the branch offices would do it for you. Go to and check up on the firewall testing that they have done - the PIX is on top. And I have a VPN between 2 506's and a 520 and it works very well. That and the fact that the configs are very similar to the RSM and the 3640's even adds to the value.

Sorry if this isn't what you wanted to hear :)

Good luck,

A PIX is not an application firewall

by BR-TR In reply to errr PIX??

A PIX firewall does not have the security of a Symantec Raptor or Velociraptor. It is a stateful inspection firewall which only inspects the headers of messages, rather than their contents. It is very good for an internal firewall between segments, or as a front end to a hardened server farm, but should not be used for protecting corporate assets and desktops.

Make the HARD choice...

by isys In reply to Software Versus Hardware ...

Remember, no matter how good the software firewall, the OS is exposed to the Internet and can be hacked. With the hardware appliance, you are using a hardened OS. Just make sure it's NCSA approved. I use a Sonicwall Pro VX and love it.

by wm_rato In reply to Software Versus Hardware ...

I agree, I see this growing just as email has.

But what kind of security is implemented in Exchange's IM? Can you store conversations/threads to monitor for corporate information protection?

Also can you add code into a website that would connect to a selective bank of IM users, similar to HumanClick?

Both of these are really software.

by BR-TR In reply to Software Versus Hardware ...

Both of these choices are really for the same firewall. The difference is for the packaging rather than the software.
Both run the same code, but the Velociraptor is implemented as an appliance by packaging the software in a Sun Cobalt Linux box that is pre-hardened and configured. The Symantec Enterprise Firewall runs on either NT or Solaris and can be scaled more readily than the Velociraptor, but the underlying engine is the same.
Choose the Velociraptor if you feel that your capacity needs are fairly static and your ruleset will be fairly simple.
Choose the SEF if you may want more specialized configurations.

Although they both support VPN, they don't have hardware VPN accelerators and are limited in the number of simultaneous connections.
A better VPN solution is a specialized box such as Contivity or Intel (Shiva) terminating on a separate subnet attached to the firewall. This subnet would go through your firewall to your internal network, sanitizing it, but be encrypted over the Internet.

The SEF is very secure but does require some babying (from 6 years experience with it).
