Hardware firewall, vs. Software FW, vs. Router

Speaks for itself
[JiF]Boo Radley
Forum User
Posts: 25
Joined: Sat Mar 29, 2008 2:18 pm
Location: Marlborough, MA

Hardware firewall, vs. Software FW, vs. Router

Post by [JiF]Boo Radley »

Hi All,

Somebody here might know the answer to these questions:

I'm an IT auditor, but I don't have massive amounts of IT knowledge. I have departments who have no firewalls, but store very sensitive information on their servers. Some of these departments have software firewalls. Is that adequate? Anti-virus is installed everywhere and configured to automatically search for and install new definitions.

It's my understanding that routers do not limit OUTBOUND traffic, am I correct? Keep in mind that our departments have allowed the users administrator access, which I believe could allow somebody to install malware, which the routers would not detect. Is that correct?

I ask you all because I think gamers push the technology and run into issues that standard users would never see.

Thanks,

Boo Radley
Last edited by [JiF]Boo Radley on Wed Jul 02, 2008 12:35 pm, edited 1 time in total.
[JiF]Mike
Site Admin
Posts: 2017
Joined: Thu Aug 24, 2006 12:45 pm
Location: NH

Re: Hardware firewall, vs. Software FW, vs. Router

Post by [JiF]Mike »

It's tough to give you a really good answer without knowing some more about your network setup. However, you are correct in that most routers will not block outbound traffic unless they have some sort of firewall built into them and it's set up. One of the best ideas is to have a dedicated firewall at your internet connection and have everything (servers/workstations) behind it. Then utilize the built-in firewall in Windows to minimize viruses possibly spreading if they ever make it into your network. Sure, it would be wonderful to have a robust software firewall installed on every PC at work, but it usually isn't cost effective and it could be a nightmare to administer! You really can't go wrong investing in a good quality hardware firewall. One I see used quite a bit is called SonicWall. They have many models with varying features including virus and spam protection built in. It's usually best to have multiple layers of protection IMO rather than just one layer. That's my quick and dirty reply (gotta get back to work)... I'm sure someone will give you a more complete answer at some point. :)
[JiF]Boo Radley
Forum User
Posts: 25
Joined: Sat Mar 29, 2008 2:18 pm
Location: Marlborough, MA

Re: Hardware firewall, vs. Software FW, vs. Router

Post by [JiF]Boo Radley »

Thanks for the reply. It's very helpful.
[JiF]Sgt. hUTCHIE
Forum User
Posts: 240
Joined: Tue Nov 13, 2007 10:21 pm
Location: Halifax, England, UK

Re: Hardware firewall, vs. Software FW, vs. Router

Post by [JiF]Sgt. hUTCHIE »

Hi Boo,

It's been a fair few years since I have been involved in the sharp end of this topic, but for what it's worth here is my opinion:

I would say that the order above is pretty much the priority in order of intrusion protection:

1. Hardware firewall
2. Software firewall
3. Router

The hardware firewall is traditionally (but not exclusively) the hardest to hack. This is mainly because the operating system and its built-in protection is the choice of the vendor and it has one main purpose. I would recommend this device is always between the internet router (if not the same device) and any route to the internal network.

I agree with Mike in that SonicWall have a good reputation, and Watchguard as well. I have configured both these types of firewall in the past and been impressed with their performance. Cisco PIX have a high-end reputation if you have a budget to match.

A software firewall of course has to operate on an 'open' operating system that has to perform many other functions. I would only rely on this sort of device for temporary periods (laptop on the move running on wireless to the internet or hotel broadband). A while ago one called 'BlackICE' had a very good reputation until a poor vulnerability was exposed in it.

A router is pretty much a device that transfers packets from one subnet to another. You can however put rules on what traffic it transfers; these are usually explicitly added and comparatively simplistic compared to firewalls.

A hardware firewall allows stateful packet inspection (if I remember rightly). This means that if the PC behind the firewall initiated the traffic, then it is allowed to receive packets back from the device it is communicating with on any port. This technology allows hUTCHIE to play BF1942 from behind his hardware firewall, as I initiated the connection. The same technology means that even though there is an exciting BF1942 practice server at hUTCHIE's address you cannot 'see' or connect to it (even if I give you the address) because you would have to initiate the connection to the required port(s), which are all blocked automatically on my firewall. I would have to explicitly allow them for you to connect.

Sometimes a software firewall will prompt on first connection over a port (it is asking you to confirm that this is a program that you know about that is communicating rather than a virus or malware that you don't know about). This is perhaps the only advantage that a software firewall has over a hardware one.

On an internal network it really depends how much you trust the other departments between each other as to what devices you put between them. My experience with software firewalls on every PC is that they are an administrative nightmare with software that operates over particular port ranges (as is applicable in my area of consultancy, Progress databases), so I would tend to avoid them on permanent PCs behind a hardware firewall, unless there is a specific reason to have them.

You can get an idea as to how exposed you are by allowing the 'Shields Up' site to try and scan your IP address for vulnerabilities at https://www.grc.com/x/ne.dll?bh0bkyd2

They don't even know hUTCHIE is there because hUTCHIE always operates in stealth mode :)

hUTCHIE
MCSE BSc
Try a drop of the hard stuff....
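The stateful inspection hUTCHIE describes, and the outbound-traffic point from Boo Radley's opening question, as an added example that is not code from the forum thread. It is a small Python model of a firewall that remembers sessions opened from inside, drops unsolicited inbound packets unless a port is explicitly opened, and applies an egress policy; all addresses, ports and packets are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "out" = from the LAN to the internet, "in" = the reverse

class StatefulFirewall:
    """Default-deny inbound, stateful return traffic, configurable egress."""
    def __init__(self, open_ports=(), egress_ports=None):
        self.open_ports = set(open_ports)      # explicitly allowed inbound ports
        self.egress_ports = egress_ports       # None = allow all outbound (typical default)
        self.sessions = set()                  # (src, sport, dst, dport) opened from inside

    def filter(self, pkt):
        if pkt.direction == "out":
            if self.egress_ports is not None and pkt.dport not in self.egress_ports:
                return "DROP"                  # egress allowlist blocks unknown "phone home"
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        # Inbound: accept only replies to sessions we opened, or explicitly opened ports.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions:
            return "ACCEPT"
        if pkt.dport in self.open_ports:
            return "ACCEPT"
        return "DROP"

def run_demo():
    """Constructed scenario: LAN PC 192.168.1.10, game server 203.0.113.5 (port 14567 assumed),
    an unrelated internet host 198.51.100.7. Returns the list of decisions made."""
    fw = StatefulFirewall()  # no ports opened, outbound allowed (default)
    out = fw.filter(Packet("192.168.1.10", 50000, "203.0.113.5", 14567, "out"))
    reply = fw.filter(Packet("203.0.113.5", 14567, "192.168.1.10", 50000, "in"))
    unsolicited = fw.filter(Packet("198.51.100.7", 40000, "192.168.1.10", 14567, "in"))
    # Malware installed by a local admin "phones home": a plain router/default firewall lets it out.
    phone_home = fw.filter(Packet("192.168.1.10", 50001, "198.51.100.7", 6667, "out"))
    # Same packet under an egress allowlist of web ports only.
    strict = StatefulFirewall(egress_ports={80, 443})
    phone_home_strict = strict.filter(Packet("192.168.1.10", 50001, "198.51.100.7", 6667, "out"))
    # Explicitly opening the port is what lets a friend reach the practice server.
    opened = StatefulFirewall(open_ports={14567})
    friend = opened.filter(Packet("198.51.100.7", 40000, "192.168.1.10", 14567, "in"))
    return [out, reply, unsolicited, phone_home, phone_home_strict, friend]
```

The egress allowlist is the piece most home and small-office firewalls leave at "allow all", which is why a software firewall's per-program prompt (or a dedicated egress policy) still matters even behind a hardware device.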
[JiF]Boo Radley
Forum User
Posts: 25
Joined: Sat Mar 29, 2008 2:18 pm
Location: Marlborough, MA

Re: Hardware firewall, vs. Software FW, vs. Router

Post by [JiF]Boo Radley »

hmmmm
Last edited by [JiF]Boo Radley on Tue Jul 01, 2008 2:15 am, edited 1 time in total.
[JiF]Boo Radley
Forum User
Posts: 25
Joined: Sat Mar 29, 2008 2:18 pm
Location: Marlborough, MA

Re: Hardware firewall, vs. Software FW, vs. Router

Post by [JiF]Boo Radley »

[JiF]Sgt. hUTCHIE wrote: (full post quoted above)
Thanks Hutchie,

First off, I am assuming that the software firewall would be/is installed on the server, not the PC, as we have about 68 - 80 users accessing the application via the network. Is this a reasonable assumption? I’m asking the department tomorrow.

Three applications provide highly sensitive data and transmit this information to and from vendors and other agencies around the geographical area. They connect via a standard internet connection.

The software firewall is BlackICE, which is no longer sold, and after this September will not be supported by its maker.

Would you say that this scenario poses some risks?

Your feedback is greatly appreciated!
[JiF]Sgt. hUTCHIE
Forum User
Posts: 240
Joined: Tue Nov 13, 2007 10:21 pm
Location: Halifax, England, UK

Re: Hardware firewall, vs. Software FW, vs. Router

Post by [JiF]Sgt. hUTCHIE »

Hi Boo,

The connection to the internet should be protected by a hardware firewall / router (they are almost always one unit). Get rid of the BlackICE.

It would be preferable to use industrial-strength firewalls such as SonicWall, but if cost is a real issue then a 'home' firewall could be used for a small (100 or so) company. I use one that is about £30 that passes all the Shields Up stealth / port scan / DoS tests.

If you have departments where it is critical that information cannot be intercepted, then these departments should be on their own subnet with a router connecting them to the rest of the internal network (or you could use a firewall as well, but that may be overkill unless you want to guard against hackers IN the company).

The router should guard against people inside the company network (but not in the same department) using packet sniffers to read the sensitive information between sensitive department PC(s) and sensitive department server. It does this by keeping the traffic on that subnet local (rather than a hub which would broadcast all the traffic around the company). With a router the packet sniffer would have to be physically in the sensitive department or server room.

One other point: ask how the sensitive information is sent over the internet. Is it encrypted via SSL (https) or similar? If not, then this is a big security risk, as the sensitive information can be read from the packets sent to and received from sites on the internet.

hUTCHIE
Try a drop of the hard stuff....