Marco (New Member; Posts: 4; Joined: Sun Feb 12, 2006 9:09 pm)

Hardware or Software Firewall

Sun Feb 12, 2006 9:13 pm

Anyone know where I can get info on why to choose a hardware or software firewall?
I now have a PIX firewall, and my boss has asked me to look into maybe moving to using a software firewall.

geko29 (Ultimate Member; Posts: 952; Joined: Mon Feb 06, 2006 5:11 pm)

Mon Feb 13, 2006 6:28 am

What does the PIX not do that you/your boss need? It's a very capable firewall and even makes a halfway-decent VPN endpoint. A software firewall is not "moving up" in my opinion, unless you consider something like Checkpoint a software firewall. I don't, because it generally runs on highly specialized servers like the Nokia IP series.

The things I consider to be true software firewalls are the ones that run on any old PC/server hardware. These would include things like Smoothwall and Microsoft ISA Server. I wouldn't trade a PIX for either of 'em, though you could supplement the PIX with one as part of a "security in depth" approach. I once spoke to a Net Engineer for a Fortune 500 who deployed 3 layers of firewall: PIX, Checkpoint, and a 3rd solution he refused to share. This was because someone who could exploit a vulnerability in one of the three generally wouldn't be able to penetrate the other two.

Back to the beginning, what doesn't the PIX do for you?

Marco (New Member; Posts: 4; Joined: Sun Feb 12, 2006 9:09 pm)

Mon Feb 13, 2006 8:55 am

I love my PIX firewall and have no problems with it whatsoever. I have been told to look at redoing my network to save on maintenance and costs. We currently have 2 PIX 515E, one in a cluster for my DMZ and the other for the Corporate side. I also have a Cisco 3550 multilayer switch that serves several VLANs with access lists. The developers have been on the war path since my last boss left, and he was very technical and security conscious. My current boss is a developer and is not technical at all. He wants all costs documented for maintenance on my PIX, cost for doing away with 2 PIX and going with one in a cluster, and cost for a whole new software firewall solution.

geko29 (Ultimate Member; Posts: 952; Joined: Mon Feb 06, 2006 5:11 pm)

Mon Feb 13, 2006 9:37 am

Perhaps I'm daft, but what do you mean by "1 in a cluster"? I'm picturing failover, but that would require 2.

As for maintenance, I can't imagine your PIXes require much. Maybe a SmartNet contract to keep the software updated and guarantee replacement should there be hardware failure. That will run you about $750/year.

Checkpoint will run you $3-4k for the software, depending on what services you need, plus another couple grand for the hardware (haven't priced these out in a while, so I have no idea where they stand), plus at least $1,000 per year per box for a support contract.

Smoothwall prices run the gamut from a few hundred to several thousand for the software, depending on your requirements. Maintenance/upgrade assurance will likewise cost a few hundred to $1,000+/year depending on the options it's covering. Then you just have to buy a server to run it on, which again will vary based on your needs, but I'd guess about $2k.

Whereas with the PIX, all your major costs are sunk costs. There are no acquisition costs, no implementation costs (neither of which is insubstantial), and a modest maintenance fee. Definitely sounds like the best solution, but it also sounds like the least likely one. With your boss being a Dev and obviously wanting a change, I'd put $20 down that he's gonna want to use an MS ISA server as your firewall. Which is a Bad Idea (TM). ISA makes a pretty decent Proxy server, but I wouldn't trust any MS product as an internet-facing corporate firewall.

Marco (New Member; Posts: 4; Joined: Sun Feb 12, 2006 9:09 pm)

Mon Feb 13, 2006 9:57 am

Hey Geko, thanks for the speedy replies, it is very much appreciated. By cluster, I do mean with failover. My DMZ has a PIX 515 with a failover and my corporate PIX does not have failover. I have recommended to drop the Corp PIX and have the PIX with failover handle the DMZ and the corp. This way he saves on maintenance on the corp PIX and I now have a failover for the Corp as well.
I do appreciate the cost breakdown for switching to another solution, and I will be sure to let him know the costs in doing so.

vivek283 (CCIE #17621; Posts: 446; Joined: Thu Oct 06, 2005 12:38 pm; Certs: CCIE - Security, R&S. RHCE. CISSP)

Tue Feb 14, 2006 10:20 am

Well, to beat the cost factor you need to look at the security factor. I am sure your boss will lay his hands off the PIX once he knows the downside of a s/w FW.

1. A software firewall sits on an OS. And we all know how secure Operating Systems can be.

2. A software firewall would be any day slower than a hardware f/w because most Operating Systems would consume quite a bit of memory and other resources.

3. Every packet would travel up the stack and down the stack, which isn't the case with PIX. Waste of resource and time (even if it's in milliseconds :P)

4. I don't think a software firewall can give the kind of throughput a hardware firewall can give.

5. Chances of Virus/Trojan/Worms on the OS of a s/w firewall. Whoever heard of these on PIX??

Hope this helps

-Vivek-

Marco (New Member; Posts: 4; Joined: Sun Feb 12, 2006 9:09 pm)

Wed Feb 15, 2006 10:25 am

Thanks for all your help guys. I wish it was that easy to tell my boss the points that you guys have mentioned, because I have been telling him and the developers this since last week. I am at a point now that I will just repeat everything I have been saying along with your points, and I will say no more.
Thanks again guys,
