Hardware Vs. Software Firewalls
Software firewall application
A software firewall application is designed to be installed onto an existing operating system running on generic server or desktop hardware. The application may or may not 'harden' the underlying operating system by replacing core components. Typical host operating systems include Windows NT, Windows 2000 Server or Solaris.
Software firewall applications all suffer from the following key disadvantages:
They run on a generic operating system that may or may not be hardened by the Firewall installation itself.
A generic operating system is non-specialised and more complex than is necessary to operate the firewall. This leads to reliability problems and to hacking opportunities where peripheral or unnecessary services are left running.
Generic operating systems have their own CPU and memory overheads, making software-based firewalls slower than their dedicated hardware counterparts.
If the software firewall uses PC hardware as the host platform, there may be additional reliability problems with the hardware itself. Sub-optimal performance of generic hardware also affects software applications bundled with their own operating systems.
There is no physical or topological separation of the firewalling activity.
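One concrete check behind the point about unnecessary services, added here as an example and not code from the original page: audit the firewall host's listening sockets against an explicit allowlist. It parses the output of the Linux `ss -tulnp` command (the sample output below is constructed, as are the management address 10.0.0.1 and the allowlist) and flags anything not approved, including an approved service bound to every interface instead of only the management one.

```python
import re
from typing import Dict, List, NamedTuple, Set, Tuple

# Constructed sample of `ss -tulnp` output from a hypothetical Linux
# firewall host; not captured from a real system.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=812,fd=4))
tcp   LISTEN 0      128    0.0.0.0:111         0.0.0.0:*         users:(("rpcbind",pid=500,fd=4))
udp   UNCONN 0      0      0.0.0.0:111         0.0.0.0:*         users:(("rpcbind",pid=500,fd=5))
tcp   LISTEN 0      5      127.0.0.1:631       0.0.0.0:*         users:(("cupsd",pid=900,fd=7))
udp   UNCONN 0      0      10.0.0.1:514        0.0.0.0:*         users:(("rsyslogd",pid=700,fd=6))
"""

# Hypothetical policy: (protocol, port) -> local addresses it may bind to.
# 10.0.0.1 is assumed to be the dedicated management interface.
ALLOWED: Dict[Tuple[str, int], Set[str]] = {
    ("tcp", 22): {"10.0.0.1"},   # management SSH
    ("udp", 514): {"10.0.0.1"},  # syslog from the inside network
}
WILDCARDS = {"0.0.0.0", "[::]", "*"}
LOOPBACK = {"127.0.0.1", "[::1]"}


class Listener(NamedTuple):
    proto: str
    addr: str
    port: int
    process: str


def parse_ss(text: str) -> List[Listener]:
    """Turn `ss -tulnp` output into Listener records, skipping the header."""
    listeners = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue
        addr, port = fields[4].rsplit(":", 1)
        # Process column reads users:(("name",pid=N,fd=M)); absent if not root.
        proc = "-"
        if len(fields) > 6:
            m = re.search(r'\(\("([^"]+)"', fields[6])
            if m:
                proc = m.group(1)
        listeners.append(Listener(fields[0], addr, int(port), proc))
    return listeners


def audit(listeners: List[Listener],
          allowed: Dict[Tuple[str, int], Set[str]]) -> List[Tuple[Listener, str]]:
    """Return (listener, reason) for every socket that violates the allowlist."""
    findings = []
    for l in listeners:
        permitted = allowed.get((l.proto, l.port))
        if permitted is None:
            note = " (loopback-only, but still unnecessary on a firewall)" if l.addr in LOOPBACK else ""
            findings.append((l, "service not in allowlist" + note))
        elif l.addr in WILDCARDS:
            # Approved service, but reachable on every interface, including
            # the untrusted one; it should bind only to the management address.
            findings.append((l, f"bound to all interfaces; restrict to {sorted(permitted)}"))
        elif l.addr not in permitted:
            findings.append((l, f"bound to unapproved address; expected {sorted(permitted)}"))
    return findings


def flagged_processes(findings: List[Tuple[Listener, str]]) -> Set[str]:
    return {l.process for l, _ in findings}


if __name__ == "__main__":
    for l, reason in audit(parse_ss(SAMPLE_SS_OUTPUT), ALLOWED):
        print(f"{l.proto} {l.addr}:{l.port} ({l.process}): {reason}")
```

On a real host, feed it the live output of `ss -tulnp` run as root; with the sample above it flags rpcbind and cupsd as services that should not exist on a firewall at all, and sshd for listening on every interface rather than only the management address, while the syslog listener on 10.0.0.1 passes.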
Software firewall application and operating system
Some software firewall applications include their own operating system and are designed to run on generic server or desktop hardware dedicated to the task of running the application. The operating system is typically Linux-based and 'barebones': stripped down and optimised for security and for efficient processing of network data.
Dedicated hardware Firewall
A dedicated hardware firewall is a software firewall application and operating system running on dedicated hardware. This means the hardware used is optimised for the task, perhaps including digital signal processors (DSPs) and several network interfaces. There may also be special hardware used to accelerate the encryption and decryption of VPN traffic. It may be rack-mounted for easy installation into a comms cabinet.
We recommend dedicated hardware firewalls as they offer several key advantages over software applications:
Dedicated hardware is typically more reliable.
Hardware firewalls run a smaller, purpose-built software stack with fewer exposed services, so there is less to attack and less to go wrong.
Hardware firewalls are more efficient and offer superior performance, especially in support of VPNs.
The firewalling activity is physically and topologically distinct from the hosts it protects.