Computer Help forum

General discussion

Pros and cons of using a hardware firewall

by maninplaid / March 3, 2007 11:21 PM PST

I have an 18 month old Compaq XP SR1614NX desktop and use dsl to access the internet. I am interested in internet security issues and am under the impression that it is advantageous to use a hardware firewall. My question is: does using a hardware firewall have a downside that would offset the advantages? Would the difficulty of setting up the firewall make me regret trying to use one? I am on the internet 3 or 4 hours per week, and I do not have a lot of time to devote to babysitting a temperamental piece of hardware. In other words I would like to be as secure as is practical, but do not want to devote my weekly computer time budget to just keeping the system functional and then have no time for using it for anything else. A related question: if I do get a hardware firewall, should I get a dsl router with firewall capability (i.e. NetGear RP614), or should I buy a strictly firewall appliance (i.e. NetGear FR114PNA). Is there any real difference between these 2 appliances, or is it basically the same thing marketed under 2 different model numbers? Footnote: I am not wireless, nor am I on any network. Any advice on this would be greatly appreciated.

Discussion is locked
You are posting a reply to: Pros and cons of using a hardware firewall
The posting of advertisements, profanity, or personal attacks is prohibited. Please refer to our CNET Forums policies for details. All submitted content is subject to our Terms of Use.
Track this discussion and email me when there are updates

If you're asking for technical help, please be sure to include all your system info, including operating system, model number, and any other specifics related to the problem. Also please exercise your best judgment when posting in the forums--revealing personal information such as your e-mail address, telephone number, and address is not recommended.

You are reporting the following post: Pros and cons of using a hardware firewall
This post has been flagged and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.
Sorry, there was a problem flagging this post. Please try again now or at a later time.
If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.
Collapse -
Short short answer.
by R. Proffitt Forum moderator / March 3, 2007 11:29 PM PST

A firewall is not a standard item that is defined. YOU have to provide the specifications.

This annoys people who are new to firewalls since they soon discover that there is no "standard" to adher to and they may run into an expert or pundit that will describe in deep detail STATEFUL PACKET INSPECTION or other deeper discussions.

Most will be fine with "a router" and "a software firewall." Then again those that run Windows need antivirus, antispyware and to practice safe computing such as not using Internet Explorer, Outlook or P2P apps.

In closing there will be someone that is looking for "best" which you can read about in our Virus/Security Forum. There is no product that can substitute for your safe computing practices.


Collapse -
More info
by jackson dougless / March 4, 2007 12:20 AM PST

Bob's post was excellent as always, but here's some supplementary info along the lines of your question.

The thing I like best about hardware firewalls, is that they have their own dedicated hardware. Meaning they aren't sucking up resources on my computer. I also have a small fleet of systems, with two computers, a laptop, 2 game consoles, and my PSP which all have network access. A hardware firewall allows me to set one policy that applies to all of these systems. No need to maintain at least three different sets of firewall settings. I also have the common LAN, so I can send files back and forth unfettered.

There's only one real way in which hardware firewalls are more secure than software firewalls. That being, they're much simpler than software firewalls, from a programming perspective. Zone Alarm, and every other software firewall, has to have a bunch of useless code (from a security standpoint) to create the GUI that people use to configure the program. The more code there is in a program, the more chances there are for bugs to be introduced. The more bugs, the higher the chance that one of those bugs will be remotely exploitable.

Hardware firewalls are largely just the firewall, and a very minimalistic web based interface to configure them. This allows developers to focus more on the security aspect of the firewall, and less code makes for an easier time finding and fixing any bugs that may be discovered later.

Other than that, the relative effectiveness of a firewall depends on how it is configured. Firewalls are kind of like customs at border crossings. They don't work really well if the guards on duty just keep waiving everyone through.

Of course, even then it's entirely possible to slip things past, which gets into Bob's comment about not using IE, Outlook, P2P, etc. You could think of them like a car/plane/boat favored by smugglers because of the number of places you can hide illicit goods. The analogy doesn't quite fit, but the point is, there are plenty of things a firewall will NOT protect you from.

Unfortunately, as Bob said, network security (since the Internet is a giant network) is a very complex subject, and there's no standard way of doing things. There's also no real easy way to explain these things, since even the most basic subjects of network security require a pretty high level of general networking knowledge, which in turn requires a pretty high level of general computing knowledge. It can also be REALLY boring to read about.

Aside from not using the programs Bob mentioned, the best rule of thumb to follow with firewalls is to deny access when in doubt. ONLY allow programs that you recognize and use to be allowed onto the Internet. If you use a hardware router, open ONLY the ports you absolutely need to to make things work. Avoid opening a range of ports if at all possible, and try to keep the total number of opened ports to a minimum. Security and usability are opposing forces, so the more you have of one, the less you have of the other. It's up to you to try and find a balance.

Collapse -
Thanks for the help
by maninplaid / March 11, 2007 12:34 AM PST
In reply to: More info

Thank all of you who responded to my question. Your descriptives helped me to visualize the lay of the land in this complicated landscape. Here's another question that just came up this week that is related to my original request: There was a brief info-ad in the local paper (and from Google I gather this was widely distributed) for a product called smart/RESTART from Centurion Technologies that somehow divides the computer into three zones: "a protected zone for permanent files, a keep zone for working files and user settings, and a temporary zone for unknown files and files downloaded by others". This is supposed to "allow computer users to surf the Internet, download files and make other changes without damaging a computer's hard drive". Question: just how does this work? Is this a gimmick? Are there other software programs that do the same thing only better? Would this software replace the need for a firewall? Again, thanks for your thoughts.

Collapse -
Would this software replace the need for a firewall? No.
by R. Proffitt Forum moderator / March 11, 2007 1:13 AM PST
In reply to: Thanks for the help

Windows needs a firewall period. Microsoft enabled services that can't be exposed to the internet and nothing can protect the machine from an user that clicks OK or views "bad" email.


Collapse -
by jackson dougless / March 11, 2007 1:38 AM PST
In reply to: Thanks for the help

Like Bob said, you simply NEED a firewall of some kind on Windows.

What you were describing was more of a local computer access restriction sort of thing. It's sort of like trying to add mainframe level partitioning onto a Windows PC. I highly doubt the product works all that well given the shaky Windows foundation it'd be working with, and again, is no substitute for a firewall.

There is no easy answer to the whole firewall issue, so anything claiming to be that, is probably not worth your time.

Collapse -
Another short answer. . .
by Coryphaeus / March 4, 2007 6:12 AM PST
Collapse -
Ooops, I forgot I changed it. . .
by Coryphaeus / March 4, 2007 6:30 AM PST
Popular Forums
Computer Newbies 10,686 discussions
Computer Help 54,365 discussions
Laptops 21,181 discussions
Networking & Wireless 16,313 discussions
Phones 17,137 discussions
Security 31,287 discussions
TVs & Home Theaters 22,101 discussions
Windows 7 8,164 discussions
Windows 10 2,657 discussions

Does BMW or Volvo do it best?

Pint-size luxury and funky style

Shopping for a new car this weekend? See how the BMW X2 stacks up against the Volvo XC40 in our side-by-side comparison.