Choosing the right Firewall: Hardware or Software Firewall

On the way on choosing the right firewall, I got this invitation from IDC “”Battling Sophisticated Threats: Security Strategies For The Resilient Enterprise” IDC’s Asia/Pacific Security and Continuity Conference 2007″. I see list of many interesting vendor like Cisco, Shopos and Fortinet. What a fortune, just what I needed. Maybe after I attend the invitation, I can have more knowledge about the right firewall.

Hardware or Software?

I and my boss have different opinions about firewall. I’m not sure who is more right. My boss want simply a hardware firewall like Firebox, Cisco Pix, WatchGuard etc while I want software based firewall, specially the open source one, like Ipcop or Smoothwall.

He want a hardware firewall because of simplicity, while I can show him that software firewall can be also be simplicity, but he’s not convinced enough.

While I want software firewall because I want flexibility. I can choose my own hardware (processor, memory, hard disk, network card etc), and software. Free, and not limited with only one vendor.

So, I think this event can and may give me some new perspectives about hardware firewall.

One of the many interesting vendor is Fortinet.


Fortinet is a good hardware and software’s. In one single device that can protect your network almost from anything.

It have:

  • Firewall
  • VPN
  • Anti spam
  • Anti viruses, spyware and malware
  • Support chat applications like Yahoo messenger, MSN, ICQ
  • Support peer to peer file sharing like LimeWire
  • And many others

The price is reasonable but we also need to pay subscription every year to get the latest update of their softwares.

The presentation is also excellent and very selling.
But, it has no hard disk.

No hard disk, so there is no log, no log mean no reports, no reports mean hated by my management.

Fortinet also offer another device for logs and reports purpose, but then I have to have two devices. One device is for firewall and the other device is for logs and reports. I like to show this to my boss and see if he like it or not 🙂 .


Hardware firewall is good, but somewhat limited. That’s why my first option is to use software firewall. But maybe, different people have different opinions, just like me and my boss.

For simplicity, choose hardware firewall.

For flexibility, choose software firewall.


7 thoughts on “Choosing the right Firewall: Hardware or Software Firewall

  1. Erv Kosch says:

    In my experience a hardware firewalls have always been best. Mainly because a decent PIX has a remarkable amount of flexibility in it settings and has a company to stand behind it. You can’t say that with most open source software.

  2. Robert says:

    Hi, I work for a competitive company to Fortinet (our product are better 🙂 ) but that’s not the point of the post.

    Most large company firewalls with UTM (Unified Threat Management) services offer logging. The logging can be done either on the appliance if it has a hard disk (but the price goes up) or the logging can be directed to a nominated server on the network.

    Any sophistacted device will offer this feature.

    Good luck. My view, go with the hardware and not the software protection.

  3. The whole “hardware vs. software firewall” argument is bunk. First the entire terminology is wrong. All firewalls have software! Cisco PIX firewalls are nothing more than standard PC hardware with software on a flash card. Every so-called “hardware” firewall is essentially the same.

    Just because Cisco (and similar vendors) package a piece of hardware and software and sell it to you doesn’t make it some magically better solution. It’s still a piece of hardware and it’s still running software.

    If you’d like open source with commercial support, check out the BSD options, m0n0wall and PFSense. Both are vastly superior in many ways to the typical Linux solutions (there are several new PFSense users on the forum every day ditching IPCop and swearing to never go back), and both are also commercially supported (I won’t go into depth on that, but if you watch the project websites you’ll see full info on that soon).

    I love Cisco gear, and PIX’s are great firewalls. But I’ll also take a PFSense box any day. For most networks it’s just as good and in some instances better. IMO the Linux firewall distributions don’t compare.

  4. Ronald says:

    when your at it , have a look at pfsense firewall. It is one of the best software firewalls i know.
    It is a fork of M0n0wall.


  5. bfebrian says:

    Thanks you all for sharing.

    @Erv Kosch
    Thanks for the info, in the event there is Cisco representative, but they not helping that much. They can answer a simply question like how much is the price.

    Fortinet can also dump all the log to syslog server, but then I have to look for another software to create report from that log. I know that there are many software for that, but for paid Firewall I want simplicty, event the price is reasonable.

    I use hardware and software firewall terminolgy to just simplyfy things. For Cisco the event mention the processor and memory they used for their Firewall, like PIII and 256 MB Ram. They just nicely packed in 1U or 2U chasing.

    @Chris and Ronald
    Thanks for the info of m0n0wall and pfSense.

  6. Ubuntu says:

    Overall this is a reasonable article and I am glad I found it.
    It seems to be pushing one product though.
    For home users ( not it depts) software firewalls seem to cause nothing but trouble with nubes-the main purpose seems to be to reasure the buyer and remove cash from their pockets.
    The new IPCop seems to have some advanced features especially with wireless traffic.
    It should be interesting to see the real world hardware requirements.

Leave a Reply