Friday, September 29, 2006

Software vs. Hardware firewalls

I've already done my post for the day and was listening to episode 56 of Security Now when I heard something that ticked me off. I hear this all the time from various sources (but those are mostly uninformed and not security experts). This won't be another Hack the Gibson post, although you can expect more of those shortly.

There are several variations of this misinformation, such as: "you don't need a software firewall if you have a router / hardware firewall", "hardware firewalls are better than software firewalls", and so on. The main point is: they have different purposes!

Now to elaborate on this: back in the old days a firewall was (and a lot of the time still is) a hardware / software device with which you could filter your traffic using rules like "if it comes from port X, allow it", "if it comes from IP X, allow it" and so on. This is what hardware firewalls can do (and probably 99.9% of home routers have this feature integrated). The problem is that it's rather hard to set up (I would like to know what percentage of home users even know what an IP is), and rather ineffective, because these days a very large percentage of the traffic flows through port 80: if you don't allow port 80, you basically can't communicate, and if you do allow it, you have allowed almost all the traffic, so it becomes an all-or-nothing decision.

Software firewalls had the same features at the beginning; however, they evolved into what is called "personal firewall software" and now offer control on a per-program basis. What this means is that you can set different rules for different applications (although in most personal firewalls this is usually an all-or-nothing decision per application, to avoid overwhelming the user, but at least it's at the application level). A major drawback is that because it runs on the same machine where the malware runs (if the machine gets infected), the malware can turn it off, or inject code into other processes so that the firewall thinks a different, already trusted program is the one trying to communicate.

One note about the firewall built into Windows XP and 2003 (as opposed to the one built into Vista, which is rumored to have this feature): it contains no filtering for outgoing connections (meaning connections initiated from your computer), only for incoming connections. This means that it can prevent classic backdoors from working (like SubSeven or BackOrifice, which listen for incoming connections), but it won't catch most modern malware, which initiates the connection itself, usually on port 80 (so that your hardware firewall won't filter it either).

In conclusion my advice would be (from the point of view of the firewalls):

  • Use a router so that you can use file-sharing (I'm referring to the integrated file sharing, not some peer-to-peer program) without complicated configuration on your firewall.
  • I also use a router because I do web development on my machine, so it will run Apache / MySQL / PostgreSQL, and I sleep better knowing that there is no way somebody from the outside can reach those (even if I misconfigure something locally).
  • In addition use a personal firewall so that you can control per program which has access to what on the network.
  • This isn't directly related to firewalls, but: don't run as admin (watch my blog because I'll have more posts that should help you avoid running as admin).
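To make the "different purposes" argument concrete, here is a small Python model of the three filtering layers the post contrasts: a port/IP packet filter (what a home router does), an inbound-only filter (the Windows XP / 2003 built-in firewall as described above), and a per-program policy (a personal firewall). It is an added example, not code from the original post or from any firewall product; every rule, process name (firefox.exe, apache.exe, unknown.exe, backdoor.exe), IP address and port below is constructed sample data.

```python
"""Three firewall layers, modelled as pure functions over a connection record.

Constructed example: rules, process names and addresses are invented for
illustration and do not describe any real product's defaults.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Connection:
    direction: str    # "inbound" or "outbound", relative to the protected PC
    remote_ip: str    # documentation-range addresses (RFC 5737), constructed
    remote_port: int
    process: str      # executable owning the socket, as the host firewall sees it


# Layer 1: port/IP packet filter (router / "hardware firewall").
# First matching rule wins; anything unmatched is denied.
# Note that port 80 must be open outbound or web browsing stops working,
# which is exactly the all-or-nothing problem the post describes.
PACKET_RULES = [
    ("outbound", 80, "allow"),
    ("outbound", 443, "allow"),
    ("inbound", None, "deny"),   # None matches any port
]


def packet_filter(conn: Connection) -> str:
    for direction, port, action in PACKET_RULES:
        if direction == conn.direction and (port is None or port == conn.remote_port):
            return action
    return "deny"


# Layer 2: inbound-only filter (Windows XP / 2003 built-in firewall style).
# Unsolicited inbound connections are dropped; outbound traffic is never inspected.
def inbound_only_filter(conn: Connection) -> str:
    return "deny" if conn.direction == "inbound" else "allow"


# Layer 3: per-program policy (personal firewall). Unknown programs are denied.
APP_POLICY = {"firefox.exe": "allow", "apache.exe": "allow"}


def app_filter(conn: Connection) -> str:
    return APP_POLICY.get(conn.process, "deny")


LAYERS = {
    "packet_filter": packet_filter,
    "inbound_only": inbound_only_filter,
    "app_filter": app_filter,
}


def blocking_layers(conn: Connection) -> list:
    """Names of the layers that would deny this connection (sorted)."""
    return sorted(name for name, fn in LAYERS.items() if fn(conn) != "allow")


def is_allowed(conn: Connection) -> bool:
    """With all three layers stacked, a connection passes only if none blocks it."""
    return not blocking_layers(conn)


# Constructed sample connections, one per scenario from the post.
SAMPLE = {
    # Normal browsing: every layer lets it through.
    "browser": Connection("outbound", "203.0.113.10", 80, "firefox.exe"),
    # Modern malware phoning home over port 80: only the per-program layer
    # can tell it apart from the browser, since port and direction look identical.
    "malware_over_80": Connection("outbound", "203.0.113.20", 80, "unknown.exe"),
    # Classic backdoor waiting for an inbound connection: the router and the
    # inbound-only filter both stop it before the application layer matters.
    "classic_backdoor": Connection("inbound", "198.51.100.5", 5555, "backdoor.exe"),
    # Somebody outside trying to reach the local Apache used for development.
    "inbound_to_apache": Connection("inbound", "198.51.100.7", 80, "apache.exe"),
    # Code injected into the trusted browser process: the per-program layer
    # sees firefox.exe and allows it, which is the drawback the post warns about.
    "injected_browser": Connection("outbound", "203.0.113.20", 80, "firefox.exe"),
}


if __name__ == "__main__":
    for name, conn in SAMPLE.items():
        verdict = "ALLOW" if is_allowed(conn) else "DENY"
        print(f"{name:18} {verdict:5} blocked by: {blocking_layers(conn) or 'nothing'}")
```

Running it shows the post's two points side by side: the malware-over-port-80 case is stopped only by the application-level layer, while the inbound cases are stopped by the router before the host is involved, and the injected-process case passes every layer, which is why no firewall arrangement replaces not running as admin.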

1 comment:

  1. Newer hardware firewalls like Unified Threat Management (UTM) can protect you against a comprehensive array of attacks, combining intrusion prevention, anti-virus and anti-spyware with application-level control. We use Sonicwall in all of our sites (www.LogixPower) and have seen no issues.