Wireless Networks Thread, Hardware vs Software firewall in Technical
  1. #1
    eean's Avatar

    Hardware vs Software firewall

    Hi,
    New NM wants to have a Firewall (we don't currently have one so fair enough (I'm new too!)). We've had lots of problems with viruses, so one with scanning options is a must.
    He thinks that Hardware firewall is best. I want to ensure that we have the flexibility of something like ISA server, where we can say that these active directory users, can use these websites, on these computers at this time.
    We also need filtering and antivirus. Are there Hardware firewalls that can meet these requirements? esp. Active Directory integration.

    In the future we'd also need RADIUS for wireless authentication. ISA has this built in.
    Thanks

  2. #2

    mattx's Avatar
    How much money have you got to spend ?

  3. #3
    eean's Avatar
    Quote Originally Posted by mattx View Post
        How much money have you got to spend ?

    Not sure. I suppose it's the classic answer "as little as possible" but, as viruses have caused havoc recently I'd say management would spend whatever they were told on it. (Whether it was going to solve the problem or not! Personally, I think our virus issues are caused by poor network setup in the first place)

  4. #4
    eean's Avatar
    Just a thought - could we have our cake and eat it? I.e. use a hardware and software firewall?
    It is likely that we are going to want to host our own web/Exchange servers. Could we:
    |
    |
    ==========
    Hardware firewall
    ==========

    DMZ With Webservers in

    ==========
    Software Proxy Server (Say ISA)
    ==========
    |
    |
    I don't really understand DMZ, so please correct me if I'm wrong!

  5. #5

    FN-GM's Avatar
    Have you looked at smoothwall express?

    You can make the DMZ easy and it has a built in proxy.

    And it's free!

  6. Thanks to FN-GM from:

    eean (10th October 2008)

  7. #6


    tom_newton's Avatar
    mattx's reply is very insightful, though without background

    Until you spend a LOT of money - 4-zeros plus - there is bog all difference, as most modern hardware firewalls are the same software running on commodity h/w. Some of the real cheapies run on low-end embedded CPUs of course, but the mid range are largely Intel. There's a couple of exceptions, but you are not going to get ASIC based firewalling into a "regular" budget, and really, why should you - the advantages are not great unless you are shifting huge amounts of traffic.

    Now - the difference between (most) software and hardware firewalls in terms of performance and security, as I have said, is minimal. BUT - a h/w firewall is likely to come in a nicer form factor - with more NICs, ports on the front, etc. Also, the h/w will be optimised for firewall duty. That said, you will pay more for your hardware. Dell or HP will always whup us on their hardware buying power, so our UTM hardware costs more than the same HP (though getting as many NICs in the HP would be nigh on impossible, and they may not be all PCIx). A h/w firewall is also likely to have more pre-configuration out of the box.

    Please don't let arguments of performance or security sway you, go for the firewall you think will suit your needs best.

    Being (fairly) impartial... there's not many "software firewalls" which will give you content filtering, AV etc. SmoothWall is one of them. ISA you will have to add 3rd party components. No bad thing, but worth remembering. Hardware firewalls... there's a bunch of UTMs out there. Again, we do one, as do many others like WatchGuard. Not sure of your requirements, but most schools I think want a lot out of their content filter, and rarely push the firewall past its limits. I'd say pick a content filter, and work from there. So if you pick Websense, you'd probably go with ISA. If you wanted a SmoothWall filter, well, you might go with our UTM or with one of our software offerings. I'm assuming here, you want to do content filtering and firewalling in the one box. If you don't... well that expands your options.

    Sorry for the brain-dump... it is too early in the morning for me to make a huge amount of sense ;-P

  8. Thanks to tom_newton from:

    eean (10th October 2008)

  9. #7


    tom_newton's Avatar
    Quote Originally Posted by eean View Post
        Just a thought - could we have our cake and eat it? I.e. use a hardware and software firewall?
        It is likely that we are going to want to host our own web/Exchange servers. Could we:
        |
        |
        ==========
        Hardware firewall
        ==========

        DMZ With Webservers in

        ==========
        Software Proxy Server (Say ISA)
        ==========
        |
        |
        I don't really understand DMZ, so please correct me if I'm wrong!

    As I mention in my rambling response above... yes, that's a bit of a "cake & eat it" scenario, and you can do it. In terms of AV... where you put that depends on your needs. If your email is already AV'd, you can happily put it on the proxy server.

    There are advantages and disadvantages to the "split" method...
    Combined, it costs less, and you have less hardware. Also, transparent filtering is easier if you are filtering at the gateway. By and large, when you are talking split setup, you have 2 interfaces, and 2 products to learn.

    Split, of course, gives you flexibility. It is harder to set up, but if the proxy fails, it does not take everything else with it. Then again, you have 2 bits of tin to fail. OTOH, if you have a BIG school you may want to do 1 firewall & 2 proxies. Especially with AV, which can be quite intensive.

    Sorry to burden you with loads of choice. If you or your NM want to talk it through with someone feel free to gimme a bell. Worth noting (again) that I am biased, but I do try to give as fair an opinion as possible!

    Tom

  10. Thanks to tom_newton from:

    eean (10th October 2008)
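
    Added example, not part of the thread: the split layout sketched in post #4 (hardware firewall, DMZ, software proxy, LAN) modelled as two default-deny allowlists, to show which flows the layering permits. The host names (web01, proxy, pc17, files01), ports and rules are constructed for illustration, and reply traffic is assumed to be handled statefully.

```python
"""Back-to-back DMZ from post #4 as two default-deny allowlists.
All host names, ports and rules below are constructed for illustration."""

ZONES = ["internet", "dmz", "lan"]  # ordered from outside to inside

# Rule = (source host or zone, destination host or zone, destination port).
# Anything not listed is dropped. Replies to permitted flows are assumed
# to be allowed statefully, so only the initiating direction is listed.
OUTER = {  # hardware firewall between internet and dmz
    ("internet", "web01", 443),   # public access to the web server
    ("proxy", "internet", 80),    # only the proxy may fetch outbound
    ("proxy", "internet", 443),
}
INNER = {  # software proxy/firewall (say ISA) between dmz and lan
    ("lan", "proxy", 8080),       # clients may reach the proxy listener
}
CHAIN = [OUTER, INNER]            # CHAIN[i] separates ZONES[i] and ZONES[i+1]
HOST_ZONE = {"web01": "dmz", "proxy": "dmz", "pc17": "lan", "files01": "lan"}


def zone_of(name):
    """Hosts map to their zone; a bare zone name stands for itself."""
    return HOST_ZONE.get(name, name)


def firewalls_crossed(src, dst):
    """Every firewall on the path between the two endpoints' zones."""
    a, b = sorted((ZONES.index(zone_of(src)), ZONES.index(zone_of(dst))))
    return CHAIN[a:b]


def matches(rule, src, dst, port):
    r_src, r_dst, r_port = rule
    return (r_src in (src, zone_of(src))
            and r_dst in (dst, zone_of(dst))
            and r_port == port)


def permitted(src, dst, port):
    """A flow passes only if each firewall it crosses has a matching rule."""
    return all(any(matches(r, src, dst, port) for r in fw)
               for fw in firewalls_crossed(src, dst))


if __name__ == "__main__":
    for flow in [("internet", "web01", 443), ("internet", "files01", 445),
                 ("web01", "files01", 445), ("pc17", "proxy", 8080),
                 ("pc17", "internet", 80), ("proxy", "internet", 443)]:
        print(flow, "ALLOW" if permitted(*flow) else "DROP")
```

    With these rules a compromised web server in the DMZ still has no path into the LAN, and LAN clients can only reach the Internet through the proxy, where filtering and AV scanning can be applied.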

  11. #8
    danrhodes's Avatar

    Cool Smoothwall

    Hi,

    I would definitely go for using smoothwall!

    This is an excellent program, it comes as ISO, burn it to a CD, install and off you go.

    All you need is an old workstation of basically any spec with 2 network cards. One RED and one GREEN for your External and Internal Networks.

    It can be configured in any way you like and because it's open source you get full access to all the files if you want to change anything.

    Excellent Program!

    Dan

  12. #9

    We run schoolguardian and well it copes with 100 full time boarders trying to get through it so can't be all bad

  13. Thanks to dave.81 from:

    tom_newton (10th October 2008)
