
Firewalls - Part 9
Software Firewalls vs. Hardware Firewalls

Thursday, February 12th, 2009

In an earlier installment of this series, I made the point that all firewalls are implemented in software and that a so-called "hardware" firewall is simply a discrete hardware device dedicated to running firewall software.

"Software" firewalls typically run on the same device that they are protecting. This may seem like a small distinction, but hardware firewalls provide much more reliable security than software firewalls precisely because they are running on a separate device. This is because:

- A firewall running on a separate device is relatively inaccessible to any malware that may be running on computers on the inside network.

  In contrast, if malware does make it onto a Windows XP workstation, it can easily disable the Windows Firewall with a couple of registry entries, opening the computer up to more infections**. The much-maligned User Account Control (UAC) feature of Vista makes it more difficult for malware to make registry changes without explicit user consent.

  Third party software products can protect against system modifications as well. The problem with these is that they require users to make informed decisions about which changes are allowed. Most users do not have enough information to make these decisions, and get into the habit of allowing changes in order to keep things working.
- A hardware firewall can run a specially hardened operating system that is specifically designed for that purpose and that purpose alone. Hardware firewalls typically run on either a proprietary OS (such as the Cisco IOS) or a hardened version of Linux.

This is not to suggest that a hardware firewall is sufficient protection and software firewalls are not necessary. Just because there is a guard at the front gate does not mean that there should not be another one at the front door. Here are a couple of reasons that we need to maintain software firewalls on each device, in addition to a hardware firewall protecting the network gateway:
- Software firewalls can be individually "tuned" for each computer. For instance, the FTP server will certainly need to allow connections on ports 20 and 21, but these ports should be closed on other computers.

- A hardware firewall may be protecting the gateway from incoming connections, but not all threats come from the outside. Software firewalls can regulate connections between computers on the inside network to prevent the spread of worms or other malware from one machine to another.
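The two points above amount to a per-host rule set that depends on the machine's role. Here is an added example of that "tuning", written for this post and not taken from it: a PowerShell script that applies the default-deny inbound stance and dropped-connection logging on every host, and opens ports 20 and 21 only on the host designated as the FTP server, and only to the inside subnet. It assumes a Windows version with `netsh advfirewall` (Vista or later); the role names and rule names are this example's own choices.

```powershell
# Added example (not from the original post): per-host tuning of the Windows
# software firewall with netsh advfirewall (assumed available: Vista or later).
# The role names and rule names below are this example's own choices.
param(
    [ValidateSet('FtpServer', 'Workstation')]
    [string]$Role = 'Workstation'
)

# Every host: firewall on, default-deny inbound, allow outbound, and log what is
# dropped so connection attempts between inside machines leave a trace.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
netsh advfirewall set allprofiles logging droppedconnections enable

if ($Role -eq 'FtpServer') {
    # Only the FTP server accepts connections on 20 and 21, and only from the
    # local subnet; the gateway firewall still decides what comes in from outside.
    netsh advfirewall firewall add rule name="FTP control (example)" dir=in action=allow protocol=TCP localport=21 remoteip=LocalSubnet
    netsh advfirewall firewall add rule name="FTP data (example)" dir=in action=allow protocol=TCP localport=20 remoteip=LocalSubnet
} else {
    # Workstations get no FTP rule. Any rule left over from a previous role is
    # removed so those ports fall back to the default block.
    netsh advfirewall firewall delete rule name="FTP control (example)"
    netsh advfirewall firewall delete rule name="FTP data (example)"
}

# Show what is actually in effect for the FTP rules on this host.
netsh advfirewall firewall show rule name=all | Select-String -Pattern 'FTP'
```

Run it as an administrator with `-Role FtpServer` on the FTP host and with no arguments everywhere else; the same script is safe to re-run, since the workstation branch deletes rules that do not exist without changing anything else.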

It is not a matter of choosing between hardware and software firewalls - they serve different purposes and the best way to secure a network is to run both.

** Viruses sometimes disable the Windows XP firewall by adding the following registry values. To re-enable the firewall, you can delete these two values:

* HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\EnableFirewall=0 (DWORD data type)
* HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\EnableFirewall=0 (DWORD data type)
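As an added example (not part of the original post), the following PowerShell script audits the two policy values named in the footnote and reports, per profile, whether the firewall has been switched off by policy; a second function performs the footnote's remediation by removing the `EnableFirewall=0` override. It assumes PowerShell on the Windows host being checked and rights to read (and, for the remediation, write) the HKLM policy key.

```powershell
# Added example (not from the original post): check the two policy values the
# footnote names, which malware sets to 0 to silence the Windows Firewall.
# Assumes PowerShell on the Windows host being audited, with rights to read HKLM.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
$Profiles   = @('DomainProfile', 'StandardProfile')

function Test-FirewallPolicy {
    foreach ($p in $Profiles) {
        $key  = Join-Path $PolicyRoot $p
        $item = Get-ItemProperty -Path $key -Name EnableFirewall -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            # No policy value present: the firewall follows its local setting.
            [pscustomobject]@{ Profile = $p; EnableFirewall = $null; Status = 'no policy override' }
        } elseif ($item.EnableFirewall -eq 0) {
            # This is the state the footnote describes.
            [pscustomobject]@{ Profile = $p; EnableFirewall = 0; Status = 'DISABLED by policy value' }
        } else {
            [pscustomobject]@{ Profile = $p; EnableFirewall = $item.EnableFirewall; Status = 'enabled by policy' }
        }
    }
}

function Remove-FirewallDisablePolicy {
    # The footnote's remediation: delete the EnableFirewall=0 value so the
    # firewall returns to its normal (default-on) behaviour.
    foreach ($p in $Profiles) {
        $key  = Join-Path $PolicyRoot $p
        $item = Get-ItemProperty -Path $key -Name EnableFirewall -ErrorAction SilentlyContinue
        if ($null -ne $item -and $item.EnableFirewall -eq 0) {
            Remove-ItemProperty -Path $key -Name EnableFirewall
            Write-Output "Removed EnableFirewall=0 from $key"
        }
    }
}

Test-FirewallPolicy | Format-Table -AutoSize
```

`Test-FirewallPolicy` is read-only and can be run from a scheduled task on every workstation to catch the change early; `Remove-FirewallDisablePolicy` needs administrative rights and only touches a value that is already set to 0, so it leaves a legitimately configured policy alone.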

Next: Why a UTM is much more than a firewall

Dennis H in West Virginia, US

February 9 - 2009