Hardware vs. Software Firewall

dewd (Active Member, joined Dec 8, 2004)
Hi, can someone explain the differences between a hardware and a software firewall to me? Is it not safe to simply use a software firewall with an ADSL modem and not use a router?
 
A hardware firewall is actually a software firewall :).

Most consumer-end modem/routers run a version of Linux which comes with built-in firewall software.

All it means is that instead of utilizing your CPU for running a firewall as part of your TCP/IP stack it rather uses the dedicated CPU that is present on your ADSL modem/router.

I run with both firewalls, i.e. the one on the router as a last resort against incoming attacks and one on the PC to guard against outbound spyware/hijack programs which your router can't protect against.
 
tibby is right, there isn't really such a thing as a hardware firewall - they're all software, some are just dedicated to the task of being a firewall and nothing (or little) else. The advantage of this is that they usually do masquerading, which means your external (read internet) interface is on the firewall, and all traffic going out, even if you have 1000 machines behind it, appears to come from one machine.

You don't need to shell out a lot of money to have a dedicated firewall. Buy (or resurrect from the attic) an old Pentium-1 with 64 or so MB memory and a gig disc, download IP-COP (if you want to use slower hardware go for version 1.3 instead of 1.4). It's really easy to set up - even a Windows user with no Linux experience can do it. Follow the instructions, the web interface is straightforward. Presto, you have a dedicated firewall. Now you can remove the keyboard and screen, chuck it in a closet and forget it exists...
 
One thing to keep in mind is that the so-called "hardware" ones are usually "sort of" faster, but lack flexibility; the "software" ones are as fast as your machine and depend on what else you are doing on that machine ... but on the other hand they are far more flexible (under Unix/Linux at least).

So it is a trade-off between performance and flexibility.

Some good routers do have open source firmware (Linksys for example) which makes them more or less as flexible as the software ones, although the process is slightly more complicated when you need to add some new feature.
 
I don't understand why most people seem to opt for a router. Most people aren't sharing their connections... is a regular ADSL modem a waste? If I'm only going to be connected at 192K, what's wrong with using something like ZoneAlarm with an ADSL modem?
 
The other issue with running a software firewall with your ADSL plugged directly into your machine is that you are putting your computer on the perimeter. With a dedicated firewall, be it a fancy appliance type jobbie or an old Pentium, you're basically hiding your machine from all visibility, and unless you forward certain ports to your computer, an attacker would have to compromise your firewall first before they can even start probing for your computer.

Of course, user stupidity can completely bypass the best firewalls and online security software....
 
Very correct, koffiejunkie.

dewd, try to think big: tomorrow a friend of yours will come to visit you with his/her laptop and (s)he might want to show you something on the laptop which needs internet, and you will not be able to plug the laptop into your network.

That is why you need a router or switch at least.

Best option I found is:
ADSL modem -> Linux dedicated firewall (with 2 NICs) -> switch -> all other computers

The easy and cheap option for most people is:
ADSL router -> all computers

Either way you can have many computers on your network and a centralised firewall. Having to configure a firewall on each machine is a pain in the arse! So this is why things like Zone Alarm are not coming into the picture.
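As an added example (not from anyone in this thread), here is what the "Linux dedicated firewall (with 2 NICs)" in swordfish1's first option looks like as an iptables ruleset, including the masquerading koffiejunkie described: the LAN hides behind the firewall's WAN address, nothing unsolicited from the modem side is forwarded inward, and only LAN hosts may talk to the firewall itself. The interface names (ppp0, eth1) and the LAN range are assumptions; the function only emits the ruleset, so you can read it before piping it to iptables-restore.

```shell
#!/bin/sh
# Emit an iptables-restore ruleset for a two-NIC Linux firewall:
#   ADSL modem -> [wan NIC] firewall [lan NIC] -> switch -> LAN hosts
# Usage: gen_fw_rules <wan_if> <lan_if> [lan_net] | iptables-restore
# Interface names and the LAN range below are assumed/constructed values.
gen_fw_rules() {
    wan="$1"                          # NIC facing the ADSL modem
    lan="$2"                          # NIC facing the switch / LAN
    lan_net="${3:-192.168.1.0/24}"    # private LAN range (constructed default)
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Masquerading: every LAN host appears to the internet as the firewall's WAN address
-A POSTROUTING -o $wan -s $lan_net -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Replies to connections the firewall itself started
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Packets arriving from the modem side with a LAN source address are spoofed
-A INPUT -i $wan -s $lan_net -j DROP
# Only the LAN may reach the firewall box (e.g. IP-COP's web interface)
-A INPUT -i $lan -s $lan_net -j ACCEPT
# Replies to connections LAN hosts started
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# LAN hosts may initiate outbound; nothing inbound is forwarded unless you add a port-forward
-A FORWARD -i $lan -o $wan -s $lan_net -j ACCEPT
COMMIT
EOF
}
```

With the two default-DROP policies, an attacker on the modem side sees only the firewall, which is the "hidden machine" effect described above; a port-forward (DNAT plus a matching FORWARD accept) is the only thing that exposes a LAN host.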
 
What is the difference between getting a router with a 4-port switch and one with a single Ethernet switch? Why would I need a 4-port one? Is it for sharing with more users?
 
dewd, if you're using swordfish1's second option, a four port router is for you. I prefer the first option: having the router, a linux firewall behind it, and then my network (at this point two people with two desktops and a notebook) hanging off the switch.

The other option of using the dedicated machine as a firewall, is I'm also running a squid proxy on it, which speeds things up significantly.

At this point my router is in dumb modem mode, the firewall PC is managing the connection. I intend to change this so that the modem handles the connection (providing an extra layer of firewall), then my Linux box (which provides a number of other services too - I have all my old hard discs in it for extra storage, proxy, smtp relay, and I'm planning to make it a game server at some point too.
 
dewd said:
what's wrong with using something like ZoneAlarm with an ADSL modem?

Nothing really but ZoneAlarm V6 is getting rather terrible reviews in terms of memory bloat and general weirdness ... most people recommend either going back to ZA V4 or switch to Kerio or Outpost.

I myself use Tiny Desktop Firewall 2005.
 