Advantage of hardware firewalls over software firewalls?

All firewalls are software.

Hardware firewalls

...are a physically separate entity, using dedicated hardware. Because they are a specialized device, the hardware & software are minimized in an effort to make them more secure. The less there is to exploit, the less chance of being exploited...

The cost-effective alternative is to set up a *nix/BSD box, using:

  • Pentium 100+
  • 1+ GB hard drive
  • 2 Network Interface Cards (NICs)
  • 1+ wireless adapters

I recommend using OpenBSD & PacketFilter (PF), assuming that's still current. Otherwise look at Linux's IPTables.

What you get when you buy a hardware firewall from a vendor is a turn-key solution. You unbox it, plug it in, log in & configure what rules you need. If there's an update, you apply the patch/firmware. You get a nice web interface GUI. But these days, software like DD-WRT provides the same stuff on your router/firewall...

Software firewalls

...reside on the host itself. Because they have to be accessible to the user, they can be turned off at will (permissions allowing). And because they reside on an OS tailored to users, more services are on - increasing the possibility of exploitation/circumvention.

If you're really concerned with security

...you'd employ the "onion" defence: You implement multiple layers of security, by having both a hardware firewall and software firewalls on each host in your network.
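One way to realise the OpenBSD + PF recommendation in this answer, as an added example that is not part of the original post: a minimal `/etc/pf.conf` for the two-NIC box described above. The interface names (`em0`, `em1`) and the LAN range (`192.168.1.0/24`) are assumptions; the structure follows the usual PF pattern of a default deny with explicit exceptions, which is the "less to exploit" idea applied to the ruleset itself.

```pf
# Added example (not from the original answer): two-NIC OpenBSD gateway.
# Interface names and the LAN range below are assumptions; adjust to your box.
ext_if  = "em0"                 # NIC facing the modem/ISP (assumed name)
int_if  = "em1"                 # NIC facing the LAN (assumed name)
lan_net = "192.168.1.0/24"      # assumed private LAN range

# RFC 1918 space should never arrive from the outside; used below for anti-spoofing.
table <private> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

set skip on lo
set block-policy drop           # silently drop instead of answering with RSTs/ICMP

# Normalise fragments and odd packets before any filtering decision.
match in all scrub (no-df)

# Hide LAN hosts behind the firewall's external address.
match out on $ext_if inet from $lan_net to any nat-to ($ext_if)

# Default deny in both directions; everything that follows is an explicit exception.
block all
block in quick on $ext_if from <private> to any
antispoof quick for { $int_if $ext_if }

# Traffic leaving towards the Internet (the firewall's own and forwarded LAN traffic).
pass out on $ext_if inet

# Management of the firewall only from the LAN side.
pass in on $int_if inet proto tcp from $lan_net to ($int_if) port 22

# LAN hosts may resolve names and browse; nothing else is forwarded.
pass in on $int_if inet proto udp from $lan_net to any port 53
pass in on $int_if inet proto tcp from $lan_net to any port { 80 443 }

# Let LAN hosts ping the gateway for troubleshooting.
pass in on $int_if inet proto icmp from $lan_net to ($int_if) icmp-type echoreq
```

Before loading it, check the syntax without applying anything with `pfctl -nf /etc/pf.conf`, then load it with `pfctl -f /etc/pf.conf` and inspect the live rules with `pfctl -sr`. Nothing reaches the firewall from `$ext_if` at all in this configuration; if remote administration is needed, that is a deliberate extra `pass in on $ext_if` rule, not something left open by default.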


Hardware firewalls as a general rule tend to be more reliable and faster. Since the manufacturer can choose/build the OS, they can make it very specific to supporting a firewall. Software firewalls don't have this luxury. They are dependent on the OS they are installed on.
That being said, there are many good software firewalls. Some, like iptables, are even free. If you are looking to protect a medium to large business network, then IMO you should choose a hardware firewall.
I think you hit the nail on the head with your question; it's really the same question: you get what you pay for.

EDIT: Another thing that should matter to you is ICSA certification. There are about 20-25 hardware firewalls on this list and about 50 software firewalls, including personal firewalls.


In my experience it's mainly a maintenance issue. Hardware firewalls by and large come with everything pre-installed (OS on up); just plug it in and you're close to having a functional unit. Many of them will also come with options that will let you quickly define your policy rules and whatnot in order to get you going quickly.

Updating them is typically just a matter of applying a firmware update. This is often a big advantage since all of the patching and updates are really done by the vendor, you just have to load the patched image.

In my opinion, it just depends on your environment, experience and your needs whether or not there's a real advantage.