Thursday, October 27, 2016

Audience: System Admins - Experts
Last Updated: 3/24/2011 6:22:45 PM
Original Creation Date: 3/24/2011 6:22:45 PM
**All times are EST**

A Comparison of Firewall Types

By Erik Rodriguez

Tags: Firewall Types, Hardware firewall, software firewall, hybrid firewall, OS-based firewall, host firewall, windows firewall

This article contains information on different types of firewalls. Each is explained and examples are provided.


I have been dealing with firewalls for over a decade. The technology powering them, both hardware and software, has come a long way. The basic operation, however, has not changed. The following article discusses the basics of hardware- and software-based firewalls. The term hybrid is used throughout this article and refers to PC-based devices running firewall software.

Hardware Firewalls

Hardware-based devices are usually more expensive. A vendor provides dedicated hardware along with the proprietary software that operates the device. The architecture of these devices is closely modeled after routers. Hardware firewalls generally do not contain hard drives, as their configuration is loaded from flash memory. The absence of hard drives generally increases performance, as all operations are handled by flash memory, ASICs, or other components specifically designed to process firewall-based operations. Devices or networks are put "behind" these firewalls, which therefore offer a layer of protection from the Internet or another network. These devices can usually perform other operations such as intrusion detection, anti-virus screening, anti-spam screening, etc. Examples of hardware firewalls include Juniper's SSG line, Cisco's ASA line, and SonicWall firewalls.

Software Firewalls

Software-based firewalls are nothing more than software running on a PC or server. Windows Firewall is the most common example. The software protects the PC itself and generally does not offer protection for any other networks or devices. Software-based firewalls are generally less expensive, and some are even free. It is important to remember that this solution does not offer a layer of protection like a hardware device. If someone gains access to the PC or server running the firewall software, they usually have the ability to change, add, or remove features. Examples include Microsoft Windows Firewall, ZoneAlarm, Norton Internet Security, and McAfee Firewall. Linux/UNIX systems offer IPtables and IPFW.
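Because anyone who gains access to the host can change its rules, a host firewall is worth checking against a known-good copy. The following is an added example, not part of the original article: it compares two `iptables-save` dumps while ignoring packet counters and timestamps. The function names and both sample rulesets are constructed for illustration.

```python
import re

# Leading "[pkts:bytes]" (from iptables-save -c) or trailing counters on policy lines.
COUNTERS = re.compile(r"^\[\d+:\d+\]\s*|\s*\[\d+:\d+\]$")

# Constructed sample: known-good ruleset captured with iptables-save.
BASELINE = """\
# Generated by iptables-save (constructed baseline)
*filter
:INPUT DROP [120:9600]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [300:24000]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.0.2.10/32 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

# Constructed sample: the same host later. The default INPUT policy is now
# ACCEPT, the SSH rule lost its source restriction, and counters have moved.
CURRENT = (BASELINE.replace(":INPUT DROP [120:9600]", ":INPUT ACCEPT [4821:377102]")
                   .replace("-s 192.0.2.10/32 ", ""))

def normalize(dump):
    """Reduce iptables-save text to ordered (table, rule) pairs without noise."""
    table, rules = None, []
    for line in dump.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue  # comments carry timestamps; COMMIT carries no policy
        if line.startswith("*"):
            table = line[1:]  # e.g. "*filter" opens the filter table
            continue
        rules.append((table, COUNTERS.sub("", line)))
    return rules

def drift(baseline, current):
    """Report rules added or removed, and whether only order/multiplicity changed."""
    base, cur = normalize(baseline), normalize(current)
    removed = [r for r in base if r not in cur]
    added = [r for r in cur if r not in base]
    # Rule order decides which rule matches first, so a pure reorder is drift too.
    reordered = not added and not removed and base != cur
    return {"added": added, "removed": removed, "reordered": reordered}

if __name__ == "__main__":
    for kind, rules in drift(BASELINE, CURRENT).items():
        print(kind, rules)
```

For this check to mean anything, the baseline has to be stored somewhere the monitored host cannot modify.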

Hybrid Firewalls

Hybrid systems are the best of both worlds. These are usually PC-based hardware devices running some type of firewall software. Like hardware devices, they offer a layer of protection because they protect other machines or networks. However, these devices run on generic software, which may suffer from performance problems, software bugs, or hardware failures. These devices generally run from a hard drive, which can decrease performance. Solutions may be free or paid products. Examples of free products include ClearOS (ClarkConnect), Smoothwall, IPCop, and others. Paid solutions include Astaro, Vyatta, and Checkpoint. An example is shown below:

Choosing a Solution

Careful evaluation should take place when choosing a firewall solution. When possible, hardware devices should be used in all data center and corporate environments. Standalone servers running IPtables or Windows Firewall can be more vulnerable than servers behind a dedicated hardware device. Hybrid solutions are gaining ground in both corporate and data center environments. Personally, I have only deployed hybrid solutions in small offices, labs, or home offices. Paid solutions such as Astaro and Vyatta offer advanced features such as high availability, as hardware-based firewalls do, but usually come with price tags close to those of hardware firewalls. Again, these devices are only as good as the PC or server hardware on which the software is running. If one of these devices is deployed in a data center or corporate environment and the hardware fails, the server(s) or network behind it will be unreachable.

Copyright © 2002-2016 Skullbox.Net All Rights Reserved.
A division of Orlando Tech Works, LLC