Software vs Hardware Firewall

  • Dear All,
    I am using pfSense and I am very happy with it, but one of my colleagues has a higher certification in Cisco and he usually makes the argument that a hardware FW is better than a software FW. Is there any exact answer to this question?

  • Of course hardware is better than software, but remember that he is missing one point: we're not running cheesy Windows under pfSense. This should be counted toward hardware firewalls.

    Although this is software which can run on many different kinds of hardware, it is much better than some WatchGuard box where they try to run UTM devices in such little boxes that it can't work well.

  • Netgate Administrator

    this is much better than some WatchGuard box

    Though those boxes do make a very nice platform to run pfSense!  ;)

    This is a bit of an odd question though. Comparing a Cisco firewall with, say, Zonealarm, obviously the Cisco box will win. Except on price maybe.
    However comparing Cisco with pfSense (a valid comparison) you should be comparing IOS with pfSense. Cisco's firewalls are only software running on an appliance, just like pfSense. Only much more expensive!

    Disclaimer: I've never used a Cisco firewall, too expensive.


  • You can have a lot of features on a Cisco firewall, but it comes with a price tag.
    Not to forget, pfSense doesn't cost anything if you are not willing to pay for it.

  • That's a common misperception of people who don't understand firewalls and what they run. There is no real difference between so-called "hardware" and so-called "software" firewalls. They all use hardware to run software. So-called "hardware" firewalls run a software operating system no different from anything else. In fact a number of "hardware firewall" vendors run the same underlying FreeBSD and other components as pfSense.

    The only time you run into a real difference is when you need tens of Gbps of firewall capacity, and the highest-end commercial boxes from Cisco (and a couple of other vendors; that's out of the range of anything open source and of most commercial vendors) can do that in specialized hardware. They'll also cost you more than a nice house; if you need that kind of capacity you had better have a huge budget. That's what should really be called a hardware firewall, since it can do processing in specialized hardware, but people tend to lump everything under the same product line, including all the low- to mid- and low-high-end range products that are nothing more than a custom-built x86 PC with no special hardware capabilities.

  • Pretty much what CMB said.

    There used to be a number of firewalls in use that were something like this: take server hardware, install Windows 2000 or NT or Solaris, then install an expensive firewall application on top of it, and configure it.  This had a number of problems: hard drives could fail, the underlying OS was full of features that would never be used but nonetheless posed (at least a theoretical) security risk, they were expensive, etc.

    Then firewall manufacturers came along that sold appliance firewalls.  No hard drive, possibly no fan, a power supply that was much less likely to fail than those included in more traditional computers, etc.  These had stripped down operating systems so there were fewer services to secure, and hardware that was much less likely to die.  These were better choices than what had come previously – they were simpler to understand, easier to configure (mostly), less likely to break, and also became something of a profit center for the outfits selling them.

    Now we're in an era where you can buy solid state hardware (the stuff you can buy from Netgate is comparable to the stuff firewall appliances are made on as far as reliability goes, but offers a range of power levels, for instance) and run a software distribution like pfSense that's designed to only serve as a firewall.  It's a valid choice that's quite a bit less expensive than commercial offerings, won't need to be upgraded every few years to maintain your warranty plan, and so on.  The down-side is that it won't be ICSA certified so management might be disinclined to sign off on it if you're in particular industries where there's a strong need to CYA.

    If the question is deciding between Cisco/SonicWALL/Juniper appliance firewalls and something like a Dell R210 running pfSense, then there's a strong argument for the appliance from a reliability point of view.  If you're looking at pfSense on a hardware platform with no moving parts, however, then it's less of an argument.  If you're pricing a pair of firewalls (for failover) along with an intrusion detection system (which is a subscription from appliance providers) and the desire to use a certain number of VPNs or something, then you can easily do a cost/benefit analysis.  Once you do, pfSense wins.

    There are factors that influence the decision that are non-technical, though.  ICSA certification, for example.

  • Amen

  • @Derek:

    If the question is deciding between Cisco/SonicWALL/Juniper appliance firewalls and something like a Dell R210 running pfSense, then there's a strong argument for the appliance from a reliability point of view.

    That's debatable - the appliances with no moving parts, yes, as a whole they're generally more reliable than anything that's reliant on moving parts (though many Cisco/SonicWALL/Juniper/etc. boxes do have fans, and the boxes will quickly become unstable when those stop working). But in a server-class machine you typically get redundancy in all your moving parts - redundant fans, redundant power supplies, and redundant drives. From what I've seen and heard, your most likely points of failure are your storage medium (whether HD, SSD, or CF) and power supply. Appliances, whether commercial or open source (it's basically the same hardware either way), usually don't offer any redundancy in power supply or storage medium, so an argument could easily be made that the server-class hardware is more reliable as long as it has redundancy in all those components, like most any server-class system.

    But that's all a moot point much of the time, as if you need high availability you're hopefully going to be running two of them with HA (CARP in our case) to give you full hardware redundancy and the ability to do hardware or software maintenance/repairs without impacting the network.

  • Yeah, but when I picked the R210 I picked a server without hardware RAID or redundant power supplies as an option.  :)