Lower Level Hardware Help
Aug 21 '01
The Bottom Line: A hardware firewall is a dedicated routing device with purpose-built hardware and software for packet and connection checking. Is it right for you?
Over the past several years there has been a huge upsurge in hacking attempts, with the numbers growing as fast as the internet grows in size and reach. New tools are coming out for shady computer users that make it faster and easier than ever to break into other people's computers. Many of these new tools are fast and are aimed at high-bandwidth connections, T3 (about 45 Mbps) and greater.
While software firewalls were sufficient for corporations in the past, they are now better suited to home broadband users and others limited to a modest amount of bandwidth, say 10 Mbps or less. As corporations move from ISDN lines and T1s (1.544 Mbps) to OC-3s (155 Mbps) and OC-12s (622 Mbps), the bandwidth a software firewall would have to monitor simply becomes too large: the packet rate overwhelms an application running at normal priority on a general-purpose operating system. That is why more and more companies, particularly large businesses, are turning to hardware firewalls as part of their protection scheme.
If you have not yet done so, please read my epinion on "What is a Software firewall" if you are not familiar with the OSI model as it relates to firewall operations. I will only briefly summarize that explanation here. It is necessary to understand firewall operation. Please also note that I will use Cisco firewalls as the basis of this epinion, and I realize that there are hybrids, etc., out there, but I will use Cisco because it is an accepted example.
The reference model for network equipment, applications, protocols, and standards is a seven-layer stack. The first layer is the physical layer, which actually sends and carries the electrical signals. The second is the data link layer, which deals with hardware (MAC) addressing and framing a signal for the physical layer. The third is the network layer, which handles IP addressing and routing to get data where it needs to go. The fourth is the transport layer, which handles ports, connection-oriented transmission (TCP) and flow control. Each layer relies on the services of the one under it to send or receive data. Layers 5, 6, and 7 matter little when you are looking at this class of hardware firewall, because it operates mostly on layers 3 and 4: IP addresses, protocol numbers, ports and connection state.
A hardware firewall is, essentially, a specialized router that has been built with a mix of hardware and pre-loaded software specifically to accommodate network security. The difference between it and a software firewall is that this device was designed with certain technologies integrated into the equipment for the single purpose of providing high-speed routing while checking packets and connections through the firewall engine.
A hardware firewall usually follows this operation pattern, simplified and written out here:
1) Packets enter via a restricted port. The data link (Ethernet) header is stripped, and the packet is forwarded up to the network layer processes.
2) The IP header is checked for source and destination address and protocol, and the TCP or UDP header for source and destination port. These are checked against the rule list, which is walked in order with the first match winning. A typical ordering is: explicit denies first, then specifically trusted source IPs or ports, then protocol-forwarding rules (e.g. traffic on TCP port 25 goes only to the mail gateway at 192.168.10.1; no other addresses are permitted), and finally an implicit deny for anything unmatched.
3) If the packet passes this step, hardware and software algorithms process it further, checking it against connection state and known attack traffic and packet signatures.
4) If the packet is still clear, it is passed on to its destination, or at least to the next hop in the perimeter network.
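The four steps above, and the layer 2/3/4 walk from the OSI summary, are easier to see in code. The following is an added example, not code from the original review or from Cisco: a toy packet filter in Python that strips the Ethernet header, parses the IPv4 and TCP/UDP headers, and evaluates an ordered, first-match rule list with an implicit deny at the end. The rule set, addresses (192.168.10.1 for the mail gateway is from the text; 203.0.113.0/24, 192.0.2.10 and 198.51.100.7 are constructed documentation addresses) and sample frames are all constructed for illustration.

```python
import struct
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Layer 2: a 14-byte Ethernet header (dst MAC, src MAC, EtherType).
ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
TCP, UDP = 6, 17  # IP protocol numbers


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int


def parse_frame(frame: bytes) -> Packet:
    """Walk the frame up the stack: L2 Ethernet -> L3 IPv4 -> L4 TCP/UDP."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    ip = frame[ETH_HDR_LEN:]            # step 1: Ethernet header stripped
    ihl = (ip[0] & 0x0F) * 4            # IPv4 header length in bytes
    proto = ip[9]
    src = str(ip_address(ip[12:16]))
    dst = str(ip_address(ip[16:20]))
    l4 = ip[ihl:]                        # ports live in the TCP/UDP header, not the IP header
    sport, dport = struct.unpack("!HH", l4[:4])  # same offsets for TCP and UDP
    return Packet(src, dst, proto, sport, dport)


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    proto: Optional[int]        # None = any protocol
    src: str                    # CIDR
    dst: str                    # CIDR
    dport: Optional[int]        # None = any destination port

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """Step 2: ordered rule list, first match wins, implicit deny if nothing matches."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Constructed rule set in the order the text describes:
# explicit denies, trusted sources, then protocol forwarding (SMTP only to the mail gateway).
RULES = [
    Rule("deny",   None, "203.0.113.0/24", "0.0.0.0/0",       None),  # blacklisted source net
    Rule("permit", None, "192.0.2.10/32",  "0.0.0.0/0",       None),  # trusted management host
    Rule("permit", TCP,  "0.0.0.0/0",      "192.168.10.1/32", 25),    # TCP/25 -> mail gate only
]


def build_frame(src: str, dst: str, proto: int, sport: int, dport: int) -> bytes:
    """Construct a minimal Ethernet + IPv4 + L4 frame for testing (payload-free)."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * 16       # 20-byte header, rest zeroed
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ip_address(src).packed, ip_address(dst).packed)
    return eth + ip + l4


def filter_frame(frame: bytes, rules: List[Rule] = RULES) -> str:
    """Steps 1, 2 and 4 together: parse, evaluate, and report permit/deny."""
    return evaluate(rules, parse_frame(frame))


if __name__ == "__main__":
    samples = [
        ("SMTP to mail gateway",        build_frame("198.51.100.7", "192.168.10.1", TCP, 40000, 25)),
        ("SMTP to some other host",     build_frame("198.51.100.7", "192.168.10.2", TCP, 40000, 25)),
        ("SMTP from blacklisted net",   build_frame("203.0.113.5",  "192.168.10.1", TCP, 40000, 25)),
        ("Anything from trusted host",  build_frame("192.0.2.10",   "192.168.10.1", TCP, 40000, 3389)),
        ("UDP/25 to mail gateway",      build_frame("198.51.100.7", "192.168.10.1", UDP, 40000, 25)),
    ]
    for label, frame in samples:
        print(f"{label:30s} -> {filter_frame(frame)}")
```

Note that rule order is the whole game: moving the blacklist rule below the SMTP rule would let a blacklisted host reach the mail gateway, because the first matching rule wins and evaluation stops there. Real Cisco access lists behave the same way, which is one reason the configuration work described later in the review takes as long as it does.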
Because the firewall does no processing above the fourth layer and runs no general-purpose operating system, graphical user interface or other applications competing for the processor, it can devote all of the device's resources to processing packets, especially at peak traffic times. This focus of resources, combined with purpose-built hardware, provides fast and comprehensive network protection.
Hardware firewalls are not fool-proof, however, and they are much more difficult to set up than a software firewall. In addition, they cost much more than a software firewall would. Because a hardware firewall (at least Cisco's and some other major competitors') is essentially a special-purpose router, it requires an experienced, trained information technology person to properly install and configure it for enterprise use. There is also much more that can go wrong with a hardware firewall. If your software firewall is blocking access you need or is causing problems, you just turn off the firewall engine, do your thing, and then restart it. Because a hardware firewall is both a router and a firewall, any number of problems can occur: bad static routes, routing protocol misconfigurations, port problems, any number of things that a skilled technician must come back and fix.
Also, a hardware firewall is not just a $1000+ plug-and-play device. It must be configured, which can take several painstaking hours: loading denied addresses, allowed traffic and traffic rules, setting up routing protocols, setting up IP and any other protocols on each port, and doing password and IOS configuration. More and more options must be set as a firewall becomes more comprehensive, and the cost of the advanced feature set is high both in money and in configuration time.
All in all, a hardware firewall is an advanced business tool that requires a proper information technology team with the expertise and experience to configure and maintain it. Though a hardware firewall can handle far more traffic than a software firewall, the cost is often very high, both in money and in configuration time. For large businesses, however, there is no other option.
Epinions.com ID: clocks
Member: Wayne Frazee
Location: Panama City Beach, FL
Reviews written: 100
Trusted by: 50 members
About Me: I am an IT Manager for a game development company in Panama City Beach, FL.