Software vs Hardware Firewalls

[Senad]

As a Network/Security Expert here at Steadfast, I like to look at security and network stability as the most important aspect within any corporate infrastructure. Today I would like to write a little information about Host based firewalls and hardware based firewalls (the Cisco ASA firewalls we offer to clients as an additional option), the benefits of both and the recommendation set forth by different standards. A good article which I will mostly be quoting and paraphrasing can be found in the credit link below. I have also attached and edited the article to be more specific in general to the services we offer.




Hardware Firewall

Hardware firewalls are important because they provide a strong degree of protection from most forms of attack coming from the outside world. Additionally, in most cases, they can be effective with little or no configuration, and they can protect every machine on a local network (on the inside or DMZ area) whereas a host based firewall will only protect that one server.


A hardware firewall in a typical setup employs a technique called packet filtering, which examines the header of a packet to determine its source and destination addresses. This information is compared to a set of predefined and/or user-created rules that determine whether the packet is to be forwarded or dropped. It includes a more advanced technique called Stateful Packet Inspection, which looks at additional characteristics such as a packet's actual origin (i.e. did it come from the Internet or from the local network) and whether incoming traffic is a response to existing outgoing connections, like a request for a Web page.



The Cisco ASA's are always configured with two rule sets as a standard. These two rules (access-list inside and access-list outside...meaning both the inside and outside locations) will restrict ips, ports, and even subnets according to client specifications and keep a stateful inspection of the packets.



An additional and highly recommended way to keep your internal network is to use Network Address Translation (NAT) and then using a VPN to only be able to access the internal network in that manner. The server would have a static link to the outside to allow certain ports to connect to the outside world (IE: Port 80 HTTP). Any administration such as SSH, RDP, telnet (which is highly not recommended), or any other ways to access the server such as ftp, etc... would be only available to people who access a 256-bit AES encrypted VPN tunnel. Once you are connected to this tunnel your connection to the outside world would be unavailable (IE: You cannot go anywhere except for the servers in the internal network). Some clients request that we setup split-tunneling which allows you to access your internet connection and the internal network at the same time. This is always highly not recommended since it allows for back-door attacks from your internet connection to the internal VPNed network.




Advantages of Software Firewalls
With a software firewall, you can specify which applications are allowed to communicate over the Internet from that PC. Programs that aren't explicitly allowed to do so are either blocked or else the user is prompted for confirmation before the traffic is allowed to pass. Therefore, it would likely intercept this kind of traffic before it left your computer.
Another potential scenario where a software firewall would be useful is in the case of an e-mail worm with its own e-mail sever. Its built-in mail server could attempt to send mail on the valid Simple Mail Transfer Protocol (SMTP), port (25), which would probably pass through the hardware firewall because of its trusted origin.


On the other hand, a software firewall could be configured to only allow a certain program such as Thunderbird to use port 25 (assuming Thunderbird is your e-mail client). Any attempt by another application to use the port would be dropped, or blocked pending user confirmation. For that matter, the application's attempt to use any port would be blocked if the firewall was configured that way.


By comparison, a hardware firewall that had the ability to filter outgoing traffic might allow you to block most kinds of traffic from a particular PC. The firewall can also be configured to use syslog or snmp to sent reports/logs to your server so you can see if there were any potential scans or attempts to access the server on certain ports..


One obvious downside to software firewalls is that they can only protect the machine they're installed on, so if you have multiple computers (which many small offices do), you need to buy, install, and configure a software firewall separately on each machine. This can get expensive and can be difficult to manage if you have a lot of computers.


Software firewalls generally offer the best measure of protection against certain types of situations like Trojan programs or e-mail worms although the ASAs are fully capable of offering anti-spam,anti-phishing, anti-spyware, and anti-virus scanning within your internal network with an added module.



Whether you end up using a software firewall or a hardware firewall, you should always supplement it with anti-virus, anti-spam, anti-phising, and anti-spyware software. Having these installed is just as important as the firewall itself.



It is my personal recommendation that one install both a hardware and a software firewall on their servers. The reason one would like to have both is for higher protection (at the software and network level) and for redundancy in the case of an unlikely compromise of the hardware firewall. The Cisco ASA firewalls will provide you with an additional state of security via VPN tunnels and with NAT which a software firewall cannot offer. In addition to installing a firewall one must ensure that an anti-virus, anti-spam, anti-phishing, anti-spyware, and even root kit detection software is installed.



Credits:
http://www.smallbusinesscomputing.co...le.php/3103431

[Hemanth]

Thanks for the informative post Senad. Can you shed more light on DDoS Attacks and prevention.

[Henrik]

Senad, you should really write on the steadfast blog - it'll help the Steadfast brand to have a lively blog with knowledgeable posts like yours!

[Senad]

Thanks for the informative post Senad. Can you shed more light on DDoS Attacks and prevention.

Before I can go into much detail about DDoS prevention methods, I am curious to know which type of DDoS attack methodologies you would like to discuss further. There are Server Side (Weaker and more prone to DDoS attacks) and network wide DDoS attack prevention methods.

Unfortunately nothing is still 100% with DDoS as it is a constant thorn in any network infrastructure as it is constantly changing. I myself am an avid preacher of the next-gen internet at is does away with a lot of the security issues at hand.

[Blue)(Fusion]

I know I'm digging up an old post, but I'm new to these forums and thought it would be relevant anyway.

So this thread differentiates the pros and cons of hardware and software firewalls, however it is a common misconception that hardware firewalls are limited to "firewall appliances" (i.e. the Cisco ASA or PIX). While those are made specifically to be firewalls and maybe a little bit more (VPN, NAT, etc.) they are not the only way to go.

I know this does not apply so much for those users with a single server using a 100Mbps port or less, but in a multi-server environment (such as a private rack), hardware firewalls can become exceedingly expensive. A common mistake is people not understanding what the maximum throughput on their firewall is. Even if the firewall appliance ("hardware firewall") has gigabit ports, the CPU may be a limiting factor and it can only reach 200Mbps or so. See the Cisco ASA model comparison to see what kind of throughput you can get.

The fact of the matter is there is much confusion between hardware and software firewalls. It's not really anyone's fault as it became a bad habit around the internet. All firewalls are indeed software firewalls. Even Cisco PIX and ASA model firewalls use x86 hardware (i.e. Intel Pentium III) using a custom operating system. The correct term for something like a Cisco ASA would be "firewall appliance" meaning it is a physical product that connects to your network for firewalling. A software firewall by common usage would refer to a firewall application or program that runs on a computer that has a different main role (i.e. a server, PC, etc.).

To save costs and probably get more throughput, a standard computer can be used as a "hardware firewall," too. An old Dell Dimension 2350 with a Pentium 4 2.0GHz running Gentoo Linux that was going to be trashed serves as my NAT router, firewall, packet shaper, DNS server, DHCP server, OpenVPN server, and more on my home network. Of course the internet connection is a far cry from Gigabit speeds, but for line-speed testing purposes, it handled 600Mbps with plenty of performance to spare. The limit at 600Mbps was because I was unable to send enough data through it between the PCs and servers in my house due to disk speed limitations.

The con of using a regular server or PC as a firewall for a whole network is that it does not include easy configuration utilities. But for the cost you save, surely it can be worth reading a few HOWTOs or hiring somebody to do it for you.

Once again, this would be irrelevent for small bandwidth, dedicated server users as the price to rent a Cisco ASA from SF is much cheaper than renting a second server. However, if you are someone like me that needs truly high gigabit speeds in a private rack with a firewall appliance without the expense of a firewall appliance, something like this can be cheap and effective. A Dell PowerEdge 1650, 1.6GHz with dual gigabit ports can go for $300 on eBay and be as effective as a Cisco ASA 5540 (which costs around $10,000+).

[Senad]

So this thread differentiates the pros and cons of hardware and software firewalls, however it is a common misconception that hardware firewalls are limited to "firewall appliances" (i.e. the Cisco ASA or PIX). While those are made specifically to be firewalls and maybe a little bit more (VPN, NAT, etc.) they are not the only way to go.

Correct as I stated having both is the best and optimal option.

I know this does not apply so much for those users with a single server using a 100Mbps port or less, but in a multi-server environment (such as a private rack), hardware firewalls can become exceedingly expensive. A common mistake is people not understanding what the maximum throughput on their firewall is. Even if the firewall appliance ("hardware firewall") has gigabit ports, the CPU may be a limiting factor and it can only reach 200Mbps or so. See the Cisco ASA model comparison to see what kind of throughput you can get.

Correct however, ports do not matter. Firewall To L3 switch inside the same vlan etc....

In regards to speeds and throughput correct there can be that bottle neck. However, there are different limitations. For instance buying security modules for your catalyst switches. In full honesty Cisco ASAs are an AMAZING bargain price. Comparing them with the competition and with the PIX they are feature rich and spending a few hundred or a couple thousand dollars for a firewall in order to have proper layers of security should be a well worth investment for any company.

The fact of the matter is there is much confusion between hardware and software firewalls. It's not really anyone's fault as it became a bad habit around the internet. All firewalls are indeed software firewalls. Even Cisco PIX and ASA model firewalls use x86 hardware (i.e. Intel Pentium III) using a custom operating system. The correct term for something like a Cisco ASA would be "firewall appliance" meaning it is a physical product that connects to your network for firewalling. A software firewall by common usage would refer to a firewall application or program that runs on a computer that has a different main role (i.e. a server, PC, etc.).

Wrong in this sense. Hardware firewalls can do more for the corporate network as they are NETWORK based firewalls. Host firewalls are firewalls for HOST based servers. Each does its own tasks accordingly. I would not call it an appliance or link it to a software device as it is a network device. It does routing (RIP, OSPF, Static) and does a lot more in regards to the security aspect of a network. Yes a linux machine can do the same but then again Cisco has full support with 24/7 / 4 hour replacement and quality on the quality of the product. A big different from a software based corporation.

To save costs and probably get more throughput, a standard computer can be used as a "hardware firewall," too. An old Dell Dimension 2350 with a Pentium 4 2.0GHz running Gentoo Linux that was going to be trashed serves as my NAT router, firewall, packet shaper, DNS server, DHCP server, OpenVPN server, and more on my home network. Of course the internet connection is a far cry from Gigabit speeds, but for line-speed testing purposes, it handled 600Mbps with plenty of performance to spare. The limit at 600Mbps was because I was unable to send enough data through it between the PCs and servers in my house due to disk speed limitations.

The con of using a regular server or PC as a firewall for a whole network is that it does not include easy configuration utilities. But for the cost you save, surely it can be worth reading a few HOWTOs or hiring somebody to do it for you.

You would not get more throughput as the limitation to PCs is 1 GB as is the Cisco. Also running everything on an open source based software may have more open vulnerabilities than something such as cisco which is closed source. Another thing to keep into conideration is the constant patching and monitoring of the device. Higher management for network purposes = bad network management in general and the same is with system engineering management.

I know many corporations (and you can read many articles online) who tried to save money by skipping out on proper defense in depth measures only to lose millions of more that they could have saved only if they would have invested in security in the first place.

Once again, this would be irrelevent for small bandwidth, dedicated server users as the price to rent a Cisco ASA from SF is much cheaper than renting a second server. However, if you are someone like me that needs truly high gigabit speeds in a private rack with a firewall appliance without the expense of a firewall appliance, something like this can be cheap and effective. A Dell PowerEdge 1650, 1.6GHz with dual gigabit ports can go for $300 on eBay and be as effective as a Cisco ASA 5540 (which costs around $10,000+).

[/quote]
I disagree again, a cisco asa is extremely cheap even for small appliance machines if you decide to colo ($350). I know many corporate environments who dished out the money for a cisco asa device to add additional security and functionality to their corporate network. They were pushing less than 100 GB of bandwidth per month.

Also add proper costs to your entire analysis.

Dell: No Warranty
Cisco: Warranty with upgrades for one year. 24/7/next business day replacement support included with new products.

Dell: No guarantee of quality and performance
Cisco: Testing and certified


Dell: If it breaks you have to buy more parts...used parts could be cheaper...may come in broken...have to wait....
Cisco: 24/7/4 hour replacement can be purchased very cheap for the guaranteed replacement time.

Dell: No guarantee that this network protocol will work if they don't follow certain RFC standards...example ignoring certain bgp rfc standards (I've seen one linux product actually do this which nullified the point of ever using bgp).
Cisco: Works with networks. It does what its supposed to do.

Dell: Will need to install, update, configure.
Cisco: Read out of the box for your easy configuration needs.

and so on...

If you add the price of the quality and support to the product you can see why Cisco is well worth it (also the price continually goes down).

I'm sorry but I always like to advocate to my clients and users not to cut corners as history has repeated itself constantly and it is well worth more to buy quality products and ensure quality performance than to go the cheaper by a few hundred bucks product that may or may not work.

If you are starting to run higher throughput you can always add the security features to your switch/router (hopefully a proper layer3 switch so the eventual long term is to get to the catalyst 6500 series ).

[Blue)(Fusion]

Always appreciate long-winded posts. I am in no way questioning your knowledge/abilities, but there are some points I still disagree on. I always love a little friendly debate .

You would not get more throughput as the limitation to PCs is 1 GB as is the Cisco. Also running everything on an open source based software may have more open vulnerabilities than something such as cisco which is closed source. Another thing to keep into conideration is the constant patching and monitoring of the device. Higher management for network purposes = bad network management in general and the same is with system engineering management.

The line speed of both a PC and a Cisco firewall may be 1Gbps, however the processor may not be able to keep up with that. As I stated before, Cisco firewalls range in CPU specs. I do not have much knowledge on the ASA firewalls, but I do with the PIX. Our PIX 525 firewall could only give us sustained throughput of about 350Mbps despite it having gigabit ports. The limitation is the processor speed (under 1Ghz). For our purposes, we required a large increase in throughput and instead of buying a PIX 535, I decided to build my own since I proved that Dell Dimension desktop could keep up and do its job. More on that below...

Yes, Cisco and other firewalls are closed source code, I still would not consider open source a security issue. Open source gets community support from thousands of contributors versus Cisco's code having maybe a handful of code developers. The beauty of open source, as you can see in the recent years of the Linux desktop evolution, is how users contribute bug reports, patches to those bugs, and other additional functionality as they see fit. There's more eyes that can spot mistakes in the code. I have no doubt in my mind that black hat hackers are among those people looking through the source code of the kernel to see how they can get past iptables, but if they're that dedicated, they could find a way to "uncompile" and reverse engineer the Cisco closed source code.

As far as updating and patching a Linux system as a firewall, I wouldn't say any more maintenance is required for that than maintaining a Cisco firewall. If the user decides it's time to compile a new kernel because of a number of security patches, it could have gone months without being touched, like a Cisco firewall.

The downside that I don't doubt is a bug problem is using harddrives as the storage medium on conventional PCs. We all know they're the most likely component to fail. With that said, there are alternatives. Flash drives can be useful although probably not very smart/safe. LinuxBIOS is something I'm looking into to make an embedded Linux system with all the essentials for a router/firewall. It's not widely supported yet, but running Linux from the flash ROM which the BIOS is stored is a safe and fast way to store a minimal Linux kernel and the required software (DNS, DHCP, etc. that other firewalls may provide).

Also add proper costs to your entire analysis.

Dell: No Warranty
Cisco: Warranty with upgrades for one year. 24/7/next business day replacement support included with new products.

Dell: No guarantee of quality and performance
Cisco: Testing and certified


Dell: If it breaks you have to buy more parts...used parts could be cheaper...may come in broken...have to wait....
Cisco: 24/7/4 hour replacement can be purchased very cheap for the guaranteed replacement time.

Dell: No guarantee that this network protocol will work if they don't follow certain RFC standards...example ignoring certain bgp rfc standards (I've seen one linux product actually do this which nullified the point of ever using bgp).
Cisco: Works with networks. It does what its supposed to do.

Dell: Will need to install, update, configure.
Cisco: Read out of the box for your easy configuration needs.

Yes, Cisco may have a replacement warranty, but if a user is using a conventional PC and Linux as a firewall, he or she already knows a thing or two about the hardware and software. So long as the configuration is backed up (which would be required on a Cisco, too), a user can get a different system installed, configured, and restored to the same running condition in just a few hours.

I'm sorry but I always like to advocate to my clients and users not to cut corners as history has repeated itself constantly and it is well worth more to buy quality products and ensure quality performance than to go the cheaper by a few hundred bucks product that may or may not work.

After running 2x (for redundancy) Dell PowerEdge 2650s w/ 1x Xeon 3.06GHz, 2GB RAM with iptables for firewalling, tc for packet shaping, and other various software (DHCP, DNS, etc.) for over a year now in a private rack doing about 800Mbps sustained at peak hours, I've had no issues with this approach, nor would I call it cutting corners. And since the 2 2650s were not being used for anything else, it cost only $30 total for us to get 2x HP NC6770 Gig-SX fiber adapters so we could hook up to the fiber drops. Pretty cheap all things considered. In the past year, we updated once just 2 months ago, had no security, performance, or stability issues, and plan to use this method for any other racks I set up.

I could add more, but after hours of fighting against a Sun Fire X4500 (and losing), my fingers hurt .

[Senad]

The line speed of both a PC and a Cisco firewall may be 1Gbps, however the processor may not be able to keep up with that. As I stated before, Cisco firewalls range in CPU specs. I do not have much knowledge on the ASA firewalls, but I do with the PIX. Our PIX 525 firewall could only give us sustained throughput of about 350Mbps despite it having gigabit ports. The limitation is the processor speed (under 1Ghz). For our purposes, we required a large increase in throughput and instead of buying a PIX 535, I decided to build my own since I proved that Dell Dimension desktop could keep up and do its job. More on that below...

First of all PIX 525s clearly state on the Cisco site: "It also delivers more than 330 Mbps of firewall throughput with the capability to handle more than 280,000 simultaneous sessions." The ASAs offer a much bigger increase in CPU/Memory specs.

Yes, Cisco and other firewalls are closed source code, I still would not consider open source a security issue. Open source gets community support from thousands of contributors versus Cisco's code having maybe a handful of code developers. The beauty of open source, as you can see in the recent years of the Linux desktop evolution, is how users contribute bug reports, patches to those bugs, and other additional functionality as they see fit. There's more eyes that can spot mistakes in the code. I have no doubt in my mind that black hat hackers are among those people looking through the source code of the kernel to see how they can get past iptables, but if they're that dedicated, they could find a way to "uncompile" and reverse engineer the Cisco closed source code.

True about reverse engineering the code. False about stating open source is more secure. No actual proof can come anywhere from this statement.

As far as updating and patching a Linux system as a firewall, I wouldn't say any more maintenance is required for that than maintaining a Cisco firewall. If the user decides it's time to compile a new kernel because of a number of security patches, it could have gone months without being touched, like a Cisco firewall.

Unlike a cisco firewall you would still require software updates on the server accordingly. Cisco Firewalls are updated only when big security changes or checks are needed.

Yes, Cisco may have a replacement warranty, but if a user is using a conventional PC and Linux as a firewall, he or she already knows a thing or two about the hardware and software. So long as the configuration is backed up (which would be required on a Cisco, too), a user can get a different system installed, configured, and restored to the same running condition in just a few hours.

A few hours compared to less than 30 minutes with a text file config back up is a pretty big thing if you are a network driven business.

After running 2x (for redundancy) Dell PowerEdge 2650s w/ 1x Xeon 3.06GHz, 2GB RAM with iptables for firewalling, tc for packet shaping, and other various software (DHCP, DNS, etc.) for over a year now in a private rack doing about 800Mbps sustained at peak hours, I've had no issues with this approach, nor would I call it cutting corners. And since the 2 2650s were not being used for anything else, it cost only $30 total for us to get 2x HP NC6770 Gig-SX fiber adapters so we could hook up to the fiber drops. Pretty cheap all things considered. In the past year, we updated once just 2 months ago, had no security, performance, or stability issues, and plan to use this method for any other racks I set up.

I could add more, but after hours of fighting against a Sun Fire X4500 (and losing), my fingers hurt .

For 800Mbps first of all I would not going with a cisco firewall since it simply can't push that much throughput and would myself look at alternative options such as linux boxes or more higher end level security network firewalls. Like I said there is a big difference between a hardware firewall and a software firewall and both should be used. But it is also a good security measure to keep seperate types of equipment within the topology. IE: Use a firewall that doesn't use linux if your systems are using linux. Or don't use just a cisco but add a checkpoint firewall or a sonicwall in the mix for the second firewall etc. There are many benefits to using a hardware/network firewall and you yourself have proven that you use it as well. There obviously isn't a need to always go with Cisco but you need to state the requirements of your network before we can go into a lengthy argument. If I knew you were pushing 800Mbps of bandwidth then I would have not recommended or even argued for Cisco to you in the first place .

[Blue)(Fusion]

First of all PIX 525s clearly state on the Cisco site: "It also delivers more than 330 Mbps of firewall throughput with the capability to handle more than 280,000 simultaneous sessions." The ASAs offer a much bigger increase in CPU/Memory specs.

When the site started off that was more than enough and did not expect the growth we encountered as fast as we did (but that's not really a bad problem to have ). Because we had already spent money one that unit, I decided to take a new approach and it worked out great for our needs (and added redundancy with the dual units).

True about reverse engineering the code. False about stating open source is more secure. No actual proof can come anywhere from this statement.

I don't really believe open source is more secure than the Cisco firmware. But I would not agre with you that Cisco firmware is more secure than Linux. With that said, that comes down to the user. If a Ubuntu user decided to set that up as a firewall, there's probably going to be security risks. If a more advancd user refines the kernel and only use the required software and know what he or she is doing, I don't see any reason it would be less secure. A similar argument gos for Windows. If a Windows admin and a Linux admin each are good at what they do, both will be near impenetrable.

Unlike a cisco firewall you would still require software updates on the server accordingly. Cisco Firewalls are updated only when big security changes or checks are needed.

Why can't I just update Linux when big security changes are made? I may compile a new kernel on my desktops each time a new version is on kernel.org, but there's no real reason to do so if there's nothing substantial to the firewall security. Same goes for the other relevant software.

A few hours compared to less than 30 minutes with a text file config back up is a pretty big thing if you are a network driven business.

True, but at the same time, if you have servers laying around, you don't have to waste time on the phone with Cisco to get the unit replaced. Pick out a new server, get it ready, and then worry about calling up the manufacturer (if under warranty) to get a replacement. And in an enterprise environment, hopefully redundant firewalls and switches are used.

For 800Mbps first of all I would not going with a cisco firewall since it simply can't push that much throughput and would myself look at alternative options such as linux boxes or more higher end level security network firewalls. Like I said there is a big difference between a hardware firewall and a software firewall and both should be used. But it is also a good security measure to keep seperate types of equipment within the topology. IE: Use a firewall that doesn't use linux if your systems are using linux. Or don't use just a cisco but add a checkpoint firewall or a sonicwall in the mix for the second firewall etc. There are many benefits to using a hardware/network firewall and you yourself have proven that you use it as well. There obviously isn't a need to always go with Cisco but you need to state the requirements of your network before we can go into a lengthy argument. If I knew you were pushing 800Mbps of bandwidth then I would have not recommended or even argued for Cisco to you in the first place .

Well like I said above, we didn't expect that much traffic so soon. So when we first started, the Cisco was great. But honestly, since then we've been replacing our Cisco switches with Foundry. I find their performance much better with high traffic.

But besides the 800Mbps we're pushing for this enterprise setup, the Linux firewall can still be very useful and cheap in small setups - like a home network. Now, this gets off the topic of what services SteadFast offers, but I still think it's relevent. Take an older desktop that would otherwise be destroyed and turn it into something useful. Sure, a Linksys NAT router would be more than enough for most SOHO setup, but if you need more options than one provides then that would be a practically free option, and some knowledge can be gained out of it (it did in my case anyway) .

P.S. Here's my little hobby-corner in the basement with the home-made firewall, and some other networking stuff: http://gallery.richgannon.net/displa...lbum=11&pos=13

[cisco-tips]

Great post Senand. I was looking for a comparison between software and hardware firewalls for an ebook I'm writing and your post came in handy. Great forum also.

Thanks

Harris

As a Network/Security Expert here at Steadfast, I like to look at security and network stability as the most important aspect within any corporate infrastructure. Today I would like to write a little information about Host based firewalls and hardware based firewalls (the Cisco ASA firewalls we offer to clients as an additional option), the benefits of both and the recommendation set forth by different standards. A good article which I will mostly be quoting and paraphrasing can be found in the credit link below. I have also attached and edited the article to be more specific in general to the services we offer.




Hardware Firewall

Hardware firewalls are important because they provide a strong degree of protection from most forms of attack coming from the outside world. Additionally, in most cases, they can be effective with little or no configuration, and they can protect every machine on a local network (on the inside or DMZ area) whereas a host based firewall will only protect that one server.


A hardware firewall in a typical setup employs a technique called packet filtering, which examines the header of a packet to determine its source and destination addresses. This information is compared to a set of predefined and/or user-created rules that determine whether the packet is to be forwarded or dropped. It includes a more advanced technique called Stateful Packet Inspection, which looks at additional characteristics such as a packet's actual origin (i.e. did it come from the Internet or from the local network) and whether incoming traffic is a response to existing outgoing connections, like a request for a Web page.



The Cisco ASA's are always configured with two rule sets as a standard. These two rules (access-list inside and access-list outside...meaning both the inside and outside locations) will restrict ips, ports, and even subnets according to client specifications and keep a stateful inspection of the packets.



An additional and highly recommended way to keep your internal network is to use Network Address Translation (NAT) and then using a VPN to only be able to access the internal network in that manner. The server would have a static link to the outside to allow certain ports to connect to the outside world (IE: Port 80 HTTP). Any administration such as SSH, RDP, telnet (which is highly not recommended), or any other ways to access the server such as ftp, etc... would be only available to people who access a 256-bit AES encrypted VPN tunnel. Once you are connected to this tunnel your connection to the outside world would be unavailable (IE: You cannot go anywhere except for the servers in the internal network). Some clients request that we setup split-tunneling which allows you to access your internet connection and the internal network at the same time. This is always highly not recommended since it allows for back-door attacks from your internet connection to the internal VPNed network.




Advantages of Software Firewalls
With a software firewall, you can specify which applications are allowed to communicate over the Internet from that PC. Programs that aren't explicitly allowed to do so are either blocked or else the user is prompted for confirmation before the traffic is allowed to pass. Therefore, it would likely intercept this kind of traffic before it left your computer.
Another potential scenario where a software firewall would be useful is in the case of an e-mail worm with its own e-mail sever. Its built-in mail server could attempt to send mail on the valid Simple Mail Transfer Protocol (SMTP), port (25), which would probably pass through the hardware firewall because of its trusted origin.


On the other hand, a software firewall could be configured to only allow a certain program such as Thunderbird to use port 25 (assuming Thunderbird is your e-mail client). Any attempt by another application to use the port would be dropped, or blocked pending user confirmation. For that matter, the application's attempt to use any port would be blocked if the firewall was configured that way.


By comparison, a hardware firewall that had the ability to filter outgoing traffic might allow you to block most kinds of traffic from a particular PC. The firewall can also be configured to use syslog or snmp to sent reports/logs to your server so you can see if there were any potential scans or attempts to access the server on certain ports..


One obvious downside to software firewalls is that they can only protect the machine they're installed on, so if you have multiple computers (which many small offices do), you need to buy, install, and configure a software firewall separately on each machine. This can get expensive and can be difficult to manage if you have a lot of computers.


Software firewalls generally offer the best measure of protection against certain types of situations like Trojan programs or e-mail worms although the ASAs are fully capable of offering anti-spam,anti-phishing, anti-spyware, and anti-virus scanning within your internal network with an added module.



Whether you end up using a software firewall or a hardware firewall, you should always supplement it with anti-virus, anti-spam, anti-phising, and anti-spyware software. Having these installed is just as important as the firewall itself.



It is my personal recommendation that one install both a hardware and a software firewall on their servers. The reason one would like to have both is for higher protection (at the software and network level) and for redundancy in the case of an unlikely compromise of the hardware firewall. The Cisco ASA firewalls will provide you with an additional state of security via VPN tunnels and with NAT which a software firewall cannot offer. In addition to installing a firewall one must ensure that an anti-virus, anti-spam, anti-phishing, anti-spyware, and even root kit detection software is installed.