Should Windows webservers have a hardware firewall?

Solution 1:

If you have only a single server, then I think it's OK to rely on the built-in software firewall if you know what you are doing.

However, when you have 2, 3, 4 ... 10 servers, this becomes rather complex to manage, and you're better off with a hardware firewall you can manage in one place instead.

(you'll still want software and hardware firewalls for the whole "defense in depth" theory, though, so you can't get out of running the software firewalls on each server in any case. In my experience, Windows Server 2008 and beyond have excellent software firewalls and we used them exclusively on Stack Overflow for 2 years.)
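The "run the software firewall on every server anyway" point above becomes a management problem once there are several boxes. Added here as an illustration (not code from the original answer): a PowerShell baseline pushed to a list of web servers over remoting, assuming the NetSecurity cmdlets (Windows Server 2012 or later) and PowerShell remoting are available; the hostnames and admin subnet are placeholders.

```powershell
# Added example: one consistent Windows Firewall baseline applied to several
# web servers. Hostnames and the admin subnet are placeholders.
$servers     = @('web01', 'web02', 'web03')   # placeholder hostnames
$adminSubnet = '10.0.50.0/24'                 # placeholder management network

$baseline = {
    param($AdminSubnet)

    # Default-deny inbound on every profile; outbound stays open.
    Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Allow

    # Remove earlier copies of our rules so re-running stays idempotent
    # (built-in rules such as WinRM are left alone, so the session survives).
    Get-NetFirewallRule -DisplayName 'Baseline -*' -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule

    # Public web traffic from anywhere.
    New-NetFirewallRule -DisplayName 'Baseline - HTTP/HTTPS' -Direction Inbound `
        -Protocol TCP -LocalPort 80,443 -Action Allow -Profile Any | Out-Null

    # Management ports (RDP, WinRM) only from the admin subnet.
    New-NetFirewallRule -DisplayName 'Baseline - Mgmt from admin subnet' `
        -Direction Inbound -Protocol TCP -LocalPort 3389,5985,5986 `
        -RemoteAddress $AdminSubnet -Action Allow -Profile Any | Out-Null

    # Report which TCP ports are actually allowed inbound, so rule drift
    # between hosts is visible from the central run.
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' } |
        Select-Object @{n='Host'; e={ $env:COMPUTERNAME }}, LocalPort
}

Invoke-Command -ComputerName $servers -ScriptBlock $baseline -ArgumentList $adminSubnet |
    Format-Table -AutoSize
```

The final table is the check worth keeping: any host listing a port other than 80, 443 or the management ports has a rule the baseline did not put there.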

Solution 2:

Obviously "professional-grade" isn't an official term with definite properties, but if we assume it to generally mean the best-case configuration, then yes, a hardware firewall is preferred in my experience. While hardware and software firewalls can theoretically perform the same functions, a hardware firewall allows you to offload that work to a dedicated device. "Professional-grade" firewalls also have features that most software firewalls do not, and allow for much more advanced management. Also, any "professional-grade" configuration will generally include strong vendor support, which is generally superior for hardware firewalls.

Edited to add: More specifically, it runs on dedicated hardware, so it doesn't rob performance from your boxes. It sits at the border of your network, so that you have the "vault door" approach that @jowqwerty noted. It provides centralized management of firewall rules, NAT translations, etc. for multiple servers. It may allow more advanced NAT/PAT configurations or other options than a typical software firewall. It typically has stronger professional vendor support.

Solution 3:

"Hardware" firewalls are just dedicated devices running firewall software. They aren't actually implemented solely in hardware. That said, most hardware firewalls are thoroughly bulletproofed against script-kiddies, malware, and various exploits that might exist in a full Windows PC. For high value sites I would never trust Windows software to be secure enough on its own.