A Comparison of Firewall Types
By Erik Rodriguez
Tags: Firewall Types, Hardware firewall, software firewall, hybrid firewall, OS-based firewall, host firewall, windows firewall
This article contains information on different types of firewalls. Each is explained and examples are provided.
I have been dealing with firewalls for over a decade. The technology powering them, both hardware and software, has come a long way. The basic operation, however, has not changed. The following article discusses the basics of hardware- and software-based firewalls. The term hybrid is used throughout this article and refers to PC-based devices running firewall software.
Hardware-based devices are usually more expensive. Dedicated hardware is provided by a vendor with proprietary software that operates the device. The architecture of these devices is closely modeled after routers. Hardware firewalls generally do not contain hard drives, as their configuration is loaded from flash memory. The absence of hard drives generally increases performance, as all operations are handled by flash memory, ASICs, or other components specifically designed to process firewall operations. Devices or networks are put "behind" these firewalls, which therefore offer a layer of protection from the Internet or another network. These devices can usually perform other operations such as intrusion detection, anti-virus screening, anti-spam screening, etc. Examples of hardware firewalls include Juniper's SSG line, Cisco's ASA line, and SonicWALL appliances.
Software-based firewalls are nothing more than software running on a PC or server. Windows Firewall is the most common example. The software protects the PC itself and generally does not offer protection for any other networks or devices. Software-based firewalls are generally less expensive, and some are even free. It is important to remember that this solution does not offer a layer of protection like a hardware device. If someone gains access to the PC or server running the firewall software, they usually have the ability to change, add, or remove features. Examples include Microsoft Windows Firewall, ZoneAlarm, Norton Internet Security, and McAfee Firewall. Linux/UNIX systems offer iptables and IPFW.
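The weakness just described, that anyone with access to the host can alter a software firewall's rules, is one a defender can at least detect by keeping a known-good baseline. The script below is an added example and not part of the original article: it parses the `iptables-save` text format and reports chain policies and rules that were added or removed since the baseline, ignoring the packet and byte counters that change constantly. Both dumps are constructed samples, not captures from a real host.

```python
"""Detect drift in a host's iptables ruleset by diffing two iptables-save dumps."""
# Constructed sample dumps (not captured from a real host). Format: *table, :CHAIN POLICY [pkts:bytes], rules, COMMIT.
BASELINE = """\
*filter
:INPUT DROP [10:640]
:OUTPUT ACCEPT [20:1280]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
"""
# Same host later: INPUT default policy flipped to ACCEPT and an extra port opened.
CURRENT = """\
*filter
:INPUT ACCEPT [99:5120]
:OUTPUT ACCEPT [40:2560]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 4444 -j ACCEPT
COMMIT
"""

def parse_save(dump: str) -> dict[str, set[str]]:
    """Map each table to its chain policies and rules, dropping comments and counters."""
    tables: dict[str, set[str]] = {}
    table = None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):            # "*filter" opens a new table
            table = line[1:]
            tables.setdefault(table, set())
        elif table is not None:
            if line.startswith(":"):        # ":CHAIN POLICY [pkts:bytes]"
                chain, policy = line.split()[:2]
                line = f"{chain} {policy}"  # keep chain + policy, discard volatile counters
            tables[table].add(line)
    return tables

def diff_rulesets(baseline: str, current: str) -> dict[str, tuple[set[str], set[str]]]:
    """Per table, return (lines added since baseline, lines removed since baseline)."""
    b, c = parse_save(baseline), parse_save(current)
    drift = {}
    for table in sorted(set(b) | set(c)):
        added = c.get(table, set()) - b.get(table, set())
        removed = b.get(table, set()) - c.get(table, set())
        if added or removed:
            drift[table] = (added, removed)
    return drift
```

On a real host the text passed to `diff_rulesets` would be the output of `iptables-save` (run as root), with the baseline stored somewhere the host itself cannot rewrite.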
Hybrid systems are the best of both worlds. These are usually PC-based hardware devices running some type of firewall software. Like hardware devices, they do offer a layer of protection, as they protect other machines or networks. However, these devices run on generic PC hardware and software, which may suffer from performance problems, software bugs, or hardware failures. These devices generally run from a hard drive, which can decrease performance. Solutions may be free or paid products. Examples of free products include ClearOS (formerly ClarkConnect), Smoothwall, IPCop, and others. Paid solutions include Astaro, Vyatta, and Check Point. An example is shown below:
Choosing a Solution
Careful evaluation should take place when choosing a firewall solution. When possible, hardware devices should be used in all data center and corporate environments. Standalone servers running iptables or Windows Firewall can be more vulnerable than servers behind a dedicated hardware device. Hybrid solutions are gaining ground in both corporate and data center environments. Personally, I have only deployed hybrid solutions in small offices, labs, or home offices. Paid solutions such as Astaro and Vyatta offer advanced features (like hardware-based firewalls), such as high availability, but usually come with price tags close to those of hardware firewalls. Again, these devices are only as good as the PC or server hardware on which the software runs. If one of these devices is deployed in a data center or corporate environment and the hardware fails, the server(s) or network behind it will be unreachable.