Check out your firewall - you may be shocked
Crazy Buddhist
10-14-2009, 05:20 PM
http://www.matousec.com/projects/proactive-security-challenge/results.php
Some high-flyers are not flying so high.
CB
Airbozo
10-14-2009, 05:29 PM
Good thing I have a hardware firewall. I have never used any of the software ones...
Love to see a comparison of the hardware firewall devices.
Drum Thumper
10-14-2009, 05:32 PM
Good thing I have a hardware firewall. I have never used any of the software ones...
Love to see a comparison of the hardware firewall devices.
+1. I'm sure someone has done a comparison...
Crazy Buddhist
10-14-2009, 05:33 PM
Good thing I have a hardware firewall. I have never used any of the software ones...
Love to see a comparison of the hardware firewall devices.
Terry,
Out of interest what do you use?
I am setting up a bridged router to a dedicated box this weekend and was thinking of going with IPCOP but am wondering about smoothwall.
Matthew
jdbnsn
10-14-2009, 05:38 PM
I would also be interested in seeing a review of hardware firewalls, I know little about them and have wondered about their superiority to software.
Crazy Buddhist
10-14-2009, 05:41 PM
I would also be interested in seeing a review of hardware firewalls, I know little about them and have wondered about their superiority to software.
Your wish is granted .. doesn't include specialised Linux distros installed on old boxes but most of these appliances are probably Linux based.
EDIT: no it isn't page won't load /// keep looking
http://www.zdnet.com.au/insight/hardware/soa/The-best-firewall-is-/0,139023759,339296782,00.htm
CB
Zephik
10-14-2009, 05:44 PM
What's the difference between hardware and software firewalls? Aren't hardware firewalls just hardware with software installed? Isn't that basically what software firewalls are? lol
It probably has something to do with having a dedicated firewall I'm guessing?
Anyways, just curious to know if hardware firewalls are really that much better than software. On a consumer level anyways.
jdbnsn
10-14-2009, 05:50 PM
I think there is something wrong with that webpage, all of the links at the bottom to the other sections just lead back to the intro page.
Crazy Buddhist
10-14-2009, 06:05 PM
Jon .. yep .. that's what the edit says. I left the link in in case it just wasn't working for me.
What's the difference between hardware and software firewalls? Aren't hardware firewalls just hardware with software installed? Isn't that basically what software firewalls are? lol.....
Interesting article here: http://www.synergymx.com/page.php?Title=Review_-_IPCop_Firewall_1.4/
Some of the comments:
I tend to prefer specialized hardware firewall over software firewall.. Most people will tell me that there is no such thing as a hardware firewall, and yes, it's true, all firewalls run under an OS, even hardware ones.. What we call a hardware firewall are the ones that run under a specialized OS, like the Cisco PIX. The advantage with these is that they are not affected by the underlying OS security flaws and configuration issues that plague most popular OSes. Yes, they are more expensive (a pix 525 is worth around 12000CND$), but they are well worth the money.
...any corporation that spends money on a firewall while paying IT staff is throwing money away. Sure, open source might take time to configure, that's what the network guy gets paid to do. As far as security goes,.... hahah I run coyote firewall on a bootable floppy on my home network. I dare you to try and get in.
yeah have to agree IP cop is definitely a life saver. We had been trialing ISAS to run on a windows 2000 box and for the money we would have had to pay to turn it into a fully licensed box, we may as well have just thrown cash down the toilet. V 1.4, running on a PIII677mhz with 384mb of ram, 16gb disk, 2gb cache, hasn't failed, serving 50+ users.
If there's other programs out there that are free, as easy to setup as this, and as reliable, that's great, but if it ain't broke.. why fix it....
CB
xRyokenx
10-14-2009, 06:13 PM
Oh shi-... Avira is crap? That sucks. The free antivirus is pretty much the only thing I've been using.
Crazy Buddhist
10-14-2009, 06:22 PM
Oh shi-... Avira is crap? That sucks. The free antivirus is pretty much the only thing I've been using.
It's the firewall functions being tested here. Avira and Avast are the best two free AV's in terms of detection rates.
CB
xRyokenx
10-14-2009, 07:17 PM
Ahh, alright. Well I got Comodo Firewall and Antivirus a moment ago and installed it. Guess it doesn't hurt to have extra protection, lol.
Drum Thumper
10-14-2009, 07:24 PM
Ahh, alright. Well I got Comodo Firewall and Antivirus a moment ago and installed it. Guess it doesn't hurt to have extra protection, lol.
You run the risk of possible system slowdown running two AV suites. In fact, some AV suites will not play well with others, but I cannot remember which ones.
Crazy Buddhist
10-14-2009, 07:38 PM
Ahh, alright. Well I got Comodo Firewall and Antivirus a moment ago and installed it. Guess it doesn't hurt to have extra protection, lol.
That antivirus is a 30 day trial unless you paid $39 for it .... Comodo Firewall and Antivir or Avast plus 2 or 3 malware scanners and you're fixed.
CB
Airbozo
10-14-2009, 07:41 PM
Terry,
Out of interest what do you use?
I am setting up a bridged router to a dedicated box this weekend and was thinking of going with IPCOP but am wondering about smoothwall.
Matthew
I have a Juniper Networks Netscreen firewall vpn. Not sure of the exact model, it was a freebie I got a while back for attending a tech conference. Actually I won it in a raffle drawing. Gotta love those conferences. Now that I think of it I have not even looked at that thing since I installed it. Maybe it is time to investigate its functions a little more. When I have time I will check it out.
No power at my house right now so I can not even log into it. We had a wicked storm pass through here yesterday. 12" of rain in less than 24 hours and 70mph gusts took down a lot of trees and power poles. I have the top of a power pole sitting in the middle of my street right now so I can not even get home. Estimated time of power restoration? Sometime before Friday... Had to come into work today so I could get my TBCS fix...
xRyokenx
10-14-2009, 08:57 PM
Well it didn't say anything about the antivirus being a trial, it was just this other tech support sort of thing or something that wasn't free after 30 days.
When looking at the results, make sure you remember that this is only a test of their firewall capabilities, and most of the well-known products are AV that happen to have a firewall/etc thrown in; it's not their real intended purpose, and so personally I don't really find the results that surprising.
BTW, xRyokenx, the free version of Avira doesn't include their firewall, so this has no bearing on that version whatsoever. (free Avira is my personal preference for AV too, btw)
Ahh, alright. Well I got Comodo Firewall and Antivirus a moment ago and installed it. Guess it doesn't hurt to have extra protection, lol.
Actually, yes, it can. This is especially true with AV software, since a lot of newer (last 5-7 years) products hook themselves deep into the OS so that they can actually detect and kill stuff. If you have two pieces of software trying to do that, they'll often kill the other, and you end up with no protection.
As for hardware vs software hardware, it is correct that 'hardware' firewalls are just software running on dedicated hardware; most 'hardware firewalls' are just an embedded system running a stripped-down version of Linux or BSD, plus proprietary software. The reason that hardware devices provide better protection is that a) they protect the entire network, and b) they deal with the traffic at the protocol layer instead of the application layer (what software firewalls usually do). Additionally, software (or client) firewalls run on top of the OS, so they can be compromised relatively easily if the OS is compromised.
xRyokenx
10-14-2009, 09:46 PM
I'll go ahead and get rid of Comodo's AV then.
Crazy Buddhist
10-15-2009, 02:34 AM
When looking at the results, make sure you remember that this is only a test of their firewall capabilities, and most of the well-known products are AV that happen to have a firewall/etc thrown in; it's not their real intended purpose, ......
I think the title of the thread makes the first bit plain "Check out your firewall".
Norton Internet Security Suite and McAfee Security Suite are both well established all-round protection suites that have had firewalling for years - and been advertised as such. I don't count them as AV and not having firewalling as a primary purpose and neither do they.
These two results in particular were very interesting and shockingly poor. Especially when compared with Kaspersky Internet Security Suite. The three are in similar market positions in terms of longevity and fame.
Kaspersky would seem to be the only rounded product of the three. Not only that but it also has a lighter footprint on the O/S than either of the other two.
Norton has been a known machine killer for years in terms of performance hit and McAfee sadly caught up on that score pretty much. That their firewalling is so leaky makes one wonder whether they have overcomplicated their builds or missed some basic tricks - or a bit of both since their confirmed status as bloatware implies the first.
I was also surprised to see Zonealarm do so poorly although I don't recommend it any longer particularly, preferring Comodo for those who want a free firewall.
The other product that shocked me was Threatfire - a lot of people tout this and the very low rate of success in these tests means I will be pointing this research out to the people I know who are relying on it.
To imply that products advertising themselves with all round capabilities they do not have should be given a break, in essence, because firewalling "is not their real intended purpose" is a bit misleading really. If it says it's a fish and it looks like a fish and smells like a fish ..... but turns out to be crabsticks, there's no excuse.
The third solution between a purchased hardware firewall and a software f/w on the local machine is to build a dedicated box yourself.
If you do this using IPCOP or one of the similar Linux based distros and configure it correctly with the right plug ins you get as good as an off the shelf box:
- stripped down and hardened Linux OS as the base O/S
- firewalling built into the Kernel not sitting on top
- a full range of higher end capabilities - VPN, QOS, anti-DOS, Packet filtering, web proxy, AV at the firewall (with Clam)
- protocol layer and application layer control
- protects the whole network
Given that IPCOP can run off a PIII with low ram and a 10G hard drive and the software is GPL you are looking at a homebrew hardware firewall with the capabilities of dedicated machines costing into the thousands of dollars but costing zero ... or at a fraction of the price (if you don't have some of that hardware laying around like most of us).
The OP in this article linked above (http://www.synergymx.com/page.php?Title=Review_-_IPCop_Firewall_1.4/) had this to say:
I know that I need the following features to work:
Traffic Routing
DHCP
VPN
Like any good internet junkie I turned to Google. I did a quick search for firewall routers and came up with an assorted list of possible replacements. From DLink to Linksys to Symantec – everyone seemed to be in the market. Only problem was each would take days to get and the cheapest would run the company just over $300. To put that into perspective the most expensive of ones with the features I needed was $6,800.
So I modified my search to include open source projects. Right away I got a number of Linux alternatives. High on the list was one that was a little familiar – I remember reading an article about this great little firewall called IPCop.
Now let me just get out of the way how easy this thing was to get up and running. The solution took under an hour to get entirely setup, as opposed to the over 8 hours I spent on the SonicWall – and over that on the old Symantec I had before that. Here’s how it went:
Download the ISO (CD Image) of IPCop 1.4.1
Burn it to a CD
Pull old PC out of trash (Celeron 400 w/128 MB Ram and 4 GB hard drive)
Take out an old PC add a 10/100 NIC card (so there would be two instead of one)
Put IPCop CD in old PC
Turn on computer
IPCop config loads
Configure IPCop
Firewall Working
Configure all access rules.
Finished
OK – so I have a working firewall with all of the features I want. They have pretty good documentation, but the real gold is in the ease of which everything was configured. Had I purchased a firewall that had the same features – it would have run me about $3,800. So far I have spent $1.00 on the CDR. Let's talk about what the software does.
A secure, stable and highly configurable Linux based firewall
Easy administration through the built in web server
Lots of great reports, logs and graphs
A DHCP client that allows IPCop to, optionally, obtain its IP address from your ISP
A DHCP server that can help configure machines on your internal network
A caching DNS proxy, to help speed up Domain Name queries
A web caching proxy, to speed up web access
An intrusion detection system to detect external attacks on your network
The ability to partition your network into a GREEN, safe, network protected from the Internet, a BLUE network for your wireless LAN and a DMZ or ORANGE network containing publicly accessible servers, partially protected from the Internet
A VPN facility that allows you to connect your internal network to another network across the Internet, forming a single logical network or to securely connect PCs on your BLUE, wireless, network to the wired GREEN network
Traffic shaping capabilities to give highest priority to interactive services such as ssh and telnet, high priority to web browsing, and lower priority to bulk services such as FTP.
Improved VPN support with x509 certificates.
Built from the ground up with ProPolice (http://www.research.ibm.com/trl/projects/security/ssp/) to prevent stack smashing attacks in all applications.
A choice of four kernel configurations, allowing you to choose an optimum configuration for your circumstances.
An appendix of this manual discusses running IPCop from a flash disk. (http://www.ipcop.org/1.4.0/en/install/html/mkflash.html)
It is a Linux based operating system, but it is not meant to be a general-purpose system. The firewall design attempts to eliminate as many features from the system as possible. The central idea is that the more code that runs on the firewall, the more places there are that are vulnerable to attacks.
and
All I have to say is spread the word and try this out. Not only was it really really easy to set up, but these guys have the best firewall I have ever used. This would be an excellent firewall for any small to medium sized business. We highly recommend it.
It would be interesting to see devices based on IPCOP and other such Linux based distros tested against out of the box solutions if anyone can dig anything up. The real down dirty coders and network people commenting were seemingly of the view that to pay for a Network device is a sin when the GPL based ones are so damn good.
CB
OvRiDe
10-15-2009, 05:22 AM
I am setting up a bridged router to a dedicated box this weekend and was thinking of going with IPCOP but am wondering about smoothwall.
There is no real difference in the 2 releases. They both use IPchains, so it just boils down to which web based interface you prefer. I have used both, and they both work fine. Personally I think that Smoothwall has a slightly nicer interface. You could also just load up any linux distro and accomplish the same thing from the command line if you are familiar with the packages and commands.
Another one to look into is M0n0Wall (http://m0n0.ch/wall/) which has a BSD backend. Some feel that with it being rooted in BSD it's more secure than any linux firewall. I have used it as well, and it works fine.
What's the difference between hardware and software firewalls? Aren't hardware firewalls just hardware with software installed? Isn't that basically what software firewalls are?
Basically you have the gist of it with the difference between a hardware and software firewall, and yes a hardware firewall is basically a dedicated device running software. With a software firewall loaded on a machine connected to the internet, the machine still receives the packets before the software is able to reject them. So technically they are still interacting with the OS, and thus pose a potential threat. With a hardware firewall the packets are rejected at the firewall. They never have a chance to make it into the network and on to your machine, so there is an extra level of protection. It also provides this extra protection for your whole network, and not just one machine at a time.
@Crazy Buddhist: My point was just that all aspects of a product should not be judged based on the poor performance of one aspect. For example, both ESET and Avira are stellar AVs, but apparently pretty mediocre-to-bad firewalls; and both of these products have just recently been expanded to have security-center versions.
Thanks for bringing up diy hardware firewalls, I forgot to mention those. I've never seen a straight comparison between them and appliance devices (ex, Juniper, Cisco, etc stuff), but in my experience the diy ones offer stellar performance and protection, and of course are WAY cheaper. A couple other ones to look at are pfSense and untangle. Or of course, you could go really down deep and roll your own with [insert *nix distro of choice here], IPTables (IPChains successor btw, IPChains has been deprecated for a few years), and Squid (if you want advanced proxying capabilities). :D
Crazy Buddhist
10-15-2009, 04:56 PM
@Crazy Buddhist: My point was just that all aspects of a product should not be judged based on the poor performance of one aspect. For example, both ESET and Avira are stellar AVs, but apparently pretty mediocre-to-bad firewalls; and both of these products have just recently been expanded to have security-center versions.
Thanks for bringing up diy hardware firewalls, I forgot to mention those. I've never seen a straight comparison between them and appliance devices (ex, Juniper, Cisco, etc stuff), but in my experience the diy ones offer stellar performance and protection, and of course are WAY cheaper. A couple other ones to look at are pfSense and untangle. Or of course, you could go really down deep and roll your own with [insert *nix distro of choice here], IPTables (IPChains successor btw, IPChains has been deprecated for a few years), and Squid (if you want advanced proxying capabilities). :D
Understood ... one should indeed look at all aspects of software performance. Hence my absolute shock at Norton and McAfee in those tests. Really not up to it for two of the industry's "leaders" - and two companies with big market share ....
Re the diy hardware vs off the shelf comparisons ... I don't suppose people selling $3,000 boxes particularly want them put up against IPCOP or the like ... may have something to do with the lack of comparison but reading around the net I get the sense that the network guys who really know what they are doing see IPCOP as an equal in all but price or are likely to build their own FW using IPtables whilst the younger hot blooded types want to buy the $3,000 box and play with it ... even if it takes 8 times as long to set up to do the same job.
I'm not feeling geeky enough to get down and dirty with the OS and IPtables right now .. the main driver behind this is wanting to improve the performance of my router by not using it except as a modem. The stupid thing is badly designed with the cooling vents on the bottom of the box ... Thompson seem to have forgotten that heat rises. This way it will be doing a lot less work and stay cooler. (plus it will be upside down)
Going to go with IPCOP because of the out of the box functionality, add-ons, strong user base, community support etc. Will be using Squid, Clam AV and a few other things to get a very nice tight setup. The week after next all my machines roll over to Windows 7 with clean installs. Got enough copies of the full E version pre-ordered at £50 each for that.
So it's IPCOP being installed on a headless, fanless, PIII system with 512M ram and a 10g hard drive and a USRobotics Wireless Maxg access point for the wifi side of the network.
I share my wifi with my neighbour and I can't control what gets on his system but this way I can allow access to my internal ethernet only via a VPN tunnel through the blue(wifi) interface for my own wireless machines.
CB
I share my wifi with my neighbour and I can't control what gets on his system but this way I can allow access to my internal ethernet only via a VPN tunnel through the blue(wifi) interface for my own wireless machines.
Another thing you could do is grab another wireless access point, and have completely segregated open and secure wifi. That way you could just dump the open wifi into a DMZ and be done with it :D
Crazy Buddhist
10-15-2009, 05:22 PM
Nice idea but .... no .. I share with one neighbour as a favour and live in an apartment block ... if I did that my entire B/width would be leeched.
I use WPA2/AES for security on the wifi ... and I don't want to buy and pay the electricity on another access point just for my neighbour so the VPN route with Blue/wifi being effectively a separate network will do just fine.
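An added example, not part of any post in this thread and not the ruleset IPCop itself generates: a generic iptables policy for the setup discussed above, where wireless (BLUE) clients get Internet access but can reach the wired (GREEN) network only through a VPN tunnel. The interface names, the tunnel device and the VPN port are assumptions.

```shell
#!/bin/sh
# Added illustration: generic iptables rules for the GREEN/BLUE split discussed
# in the thread. This is NOT the ruleset IPCop generates.
# All names below are assumptions (hypothetical interface layout and VPN port).
RED_IF=eth0     # Internet-facing interface
GREEN_IF=eth1   # wired, trusted LAN
BLUE_IF=eth2    # wireless access point (shared with the neighbour)
VPN_IF=tun0     # tunnel interface created by the VPN daemon
VPN_PORT=1194   # UDP port the VPN daemon listens on

# Print the ruleset in iptables-restore format.
emit_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Hide both internal networks behind the RED address.
-A POSTROUTING -o $RED_IF -j MASQUERADE
COMMIT
*filter
# Default deny: anything not explicitly allowed below is dropped.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# GREEN may manage the firewall; BLUE may only talk to the VPN daemon.
# (DHCP/DNS served to BLUE by the firewall would need their own INPUT rules.)
-A INPUT -i $GREEN_IF -j ACCEPT
-A INPUT -i $BLUE_IF -p udp --dport $VPN_PORT -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Both internal zones may reach the Internet.
-A FORWARD -i $GREEN_IF -o $RED_IF -j ACCEPT
-A FORWARD -i $BLUE_IF -o $RED_IF -j ACCEPT
# Traffic that arrived through the authenticated tunnel may enter GREEN.
-A FORWARD -i $VPN_IF -o $GREEN_IF -j ACCEPT
# Direct BLUE -> GREEN is logged, then dropped (the policy would drop it
# anyway; the explicit rule makes probing from the wifi side visible).
-A FORWARD -i $BLUE_IF -o $GREEN_IF -j LOG --log-prefix "BLUE->GREEN drop: "
-A FORWARD -i $BLUE_IF -o $GREEN_IF -j DROP
COMMIT
EOF
}

# Sanity check: count rules that would let BLUE reach GREEN without the tunnel.
blue_to_green_accepts() {
    emit_rules | grep -c -- "-i $BLUE_IF -o $GREEN_IF -j ACCEPT" || true
}

if [ "${1:-}" = "--print" ]; then
    emit_rules
fi
```

Running the script with `--print` and piping the output into `iptables-restore --test` (as root) parses the rules without committing them.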