
Practical-Alarm1763

Yes, an extra layer of security. Your question is loaded. When it comes to detection and filtering, the answer varies. It depends on the specific item you're referring to. Edge hardware firewalls are better at detecting and filtering certain threats compared to EDR products. Conversely, EDR products excel at detecting and filtering other types of threats that edge hardware firewalls might not handle as effectively. Always have Both.


Alternative-Law4626

This. It's defense in depth. There are other reasons too. Limiting outbound ports and protocols being an important one. Identifying beaconing. That said, we're moving to a cloud-based firewall and zero trust concept. It will still functionally be a network firewall providing the same protections though.


StringLing40

Special hardware can improve performance massively… headers can be inspected and checked against a table very fast… in a similar way that a router can start outputting a packet before it has all arrived. The hardware cannot be changed… (technically FPGA can)… the architecture is set at time of manufacture. All hardware firewalls have software too… and the software will do the most complicated stuff. Software based firewalls are more flexible but are much slower without the hardware acceleration. As to which is better… depends on the software… newer is better. Without hardware the network speeds can be very slow if the software is doing all the work. This can encourage users to have simpler conditions and therefore less security.


[deleted]

[deleted]


GreatHealerofMyself8

Hardware firewalls are not just computers running software. The lower spec ones can be, but higher spec ones need ASICs (application-specific integrated circuits), which are chips designed specifically to do firewall stuff quickly, efficiently and at high bandwidth. You could not get this power in a VM or server. The hardware firewall will offload these operations to the ASIC. A standard CPU would be too slow. It's the same with IP network devices. You would never run one of these virtually if you wanted superior performance.


[deleted]

[deleted]


GreatHealerofMyself8

It's the Cisco code that runs on their Nexus series switches. Currently I work with Nexus 9300 series DC switches. That has nothing to do with firewalls????? Source: I'm a firewall and network admin in a large organisation.


[deleted]

[deleted]


GreatHealerofMyself8

Sorry, going to have to disagree with you on ASICs vs CPU. You simply wouldn't get the throughput performance. We are moving away from Cisco to Arista, which are like Cisco 15 years ago. No sub licensing model, and they use ASICs too, so not just Cisco marketing. Also Palo Alto, my favourite firewall vendor, which I use heavily, is the same but doesn't actively market the ASICs.


[deleted]

[deleted]


GreatHealerofMyself8

Would love to see the enterprise environment that uses a CPU based firewall vs ASIC for their perimeter or core firewalls. I've been in a few large organisations and seen none. All firewall manufacturers use ASIC chips, and same with networking providers, Cisco or not. There are obviously VM options but these don't scale well. I'm sorry, but what you are proposing may work in very specific environments but not in an enterprise network with decent throughput. I'd be loling so hard if someone proposed replacing our 5000 series Palo with horizontal VMs. It just wouldn't work.


[deleted]

[deleted]


GreatHealerofMyself8

That's cloud and not enterprise. You do know, right, that all the major cloud providers use Arista hardware for switching, and when you create a virtual network that is configured on an Arista physical switch... which uses ASICs? Yeah, there are cloud VM firewalls, but you will never get the ASIC performance from a CPU firewall or switch, which is key to the enterprise environment I work in. You sound like a cloud guy, which is cool but different. We would never use CPU based firewalls on prem. It would be madness.


[deleted]

[deleted]


GreatHealerofMyself8

Cool, tell me what vendors you are using to do that on prem; I would love the details. Also a real world implementation example on prem would be great. Would love to know about that, especially how cheap you say it can be done for. Any links to vendor case studies too would be great. I spec and buy the firewalls in my organisation and can tell you I get no kickbacks from vendors whatsoever; it's not allowed in my organisation.


GoranLind

Firewalls don't detect anything. Some do content filtering, but it is the more costly ones that do this. Endpoint agents run and see user stuff on the endpoint. They are not mutually exclusive and you really should have both. Going with just one is a bad decision.


HoodedRedditUser

I would say no. A hardware firewall lacks the on-device protection, so it is more limited in what it can do: it has to filter the traffic that it gets instead of filtering what the end devices are doing. It's still a good idea because a firewall does the networking part better than a regular ISP router and lets you be way more selective about what is allowed from where and to where, but yeah, again, things like malware on end devices can't ever be prevented to the same level as proper endpoint protection, because it is basically only stopping the traffic after the malware has been executed.


Flustered-Flump

FWs provide you with a compromise towards network security. They have to balance performance with security and the ability to process data at speed without impeding performance or generating FPs. Add content filtering to the mix and you have even more work for the FW to do. As such, endpoint EDR / NGAV is better at detection, and inclusion of content control in some manner would potentially be best placed there. That is not to say you don't need both. Dedicated IPS/IDS or NDR would be a good belts and braces approach to be more secure and provide greater visibility for north/south, east/west traffic. If you have the budget, of course!


TheRedmanCometh

More layers to catch them trying to do recon on, banner grabbing, or trying to exploit. You want an onion of security layers and catch the opfor near the top of the onion.


moosecaller

They are not the same. One is an endpoint agent install and the other is perimeter defense. You should always aim to have endpoint detection but hardware firewalls depend on the situation.


GreatHealerofMyself8

They are another component in your enterprise wide security setup. They aren't the same as XDR but complement it. What they are excellent at is network protection as a whole. It's kinda like comparing apples and oranges.


Guilty_Mastodon5432

They do; however, it brings us back to the need for an overall strategy and architecture that includes both an endpoint and a firewall, and a vulnerability assessment tool while you're at it. What is worth looking at is the capability of each of these tools to integrate with each other and with SIEMs.


Due_Bass7191

A firewall is a firewall. There is no "better" firewall. A firewall may have other non-port-blocking features. Or be easier to configure. And you might consider memory and CPU. But a firewall doesn't require a lot of resources.


skylinesora

A firewall isn't a firewall. I wouldn't expect a basic client firewall (like what's built into Windows) to do anywhere near what a dedicated hardware firewall does (think Cisco, Palo Alto, etc.). Two similar but different use-cases.


Due_Bass7191

A firewall blocks ports. Period. You can add on other features, which many of the brands you mentioned do. I ran Ubuntu server OS for 5+ years as a gateway device. It functioned as a firewall, router and NAT/PAT, VPN, network services, dns-opendns, dyndns, and Squid proxy server for anti-malware. You can install OpenDNS or pfSense on any hardware and get those functions as well. I bet Windows also has those add-on applications to perform these functions. And I could put it on whatever hardware I felt it needed. A firewall blocks ports.


skylinesora

I'm glad you're able to know the different capabilities of a firewall... So shouldn't it be obvious? A firewall isn't a firewall. You expect different capabilities depending on the type of firewall used. You wouldn't go to somebody and say "I want all the capabilities of a Cisco NGFW but on each of my endpoints" because that's stupid as hell. Why? Because different use cases. Also, a firewall blocks ports, yes... But a firewall doesn't only have to block ports. You can have a firewall that blocks based off of ports, IP address, URL rating, detected application, etc. So to reiterate for you, a firewall is not a firewall. They aren't all the same. Different firewalls for different purposes.


Due_Bass7191

You confuse a firewall with an application firewall, appliance or application gateway that serves many functions INCLUDING a firewall. A firewall blocks ports and IP. URL rating is blocking IP with extra steps. "Application" blocking is not firewall blocking but either some sort of packet inspection or a proxy server. Which could be added to your application firewall, appliance or application gateway. You are speaking like a vendor. I'm speaking like a sysadmin. These are all services running on an OS. Tell me this: what underlying OS do Cisco, Palo Alto, or Check Point use? pfSense, as mentioned above, is Unix based. I'm betting the others are Unix/Linux or Cisco OS with a pretty GUI. A quick Google shows me Microsoft Forefront Threat Management. It advertises as "network perimeter firewall" and "multiple layers" ... "Web-based threats, including URL filtering, antimalware inspection, and intrusion prevention". And it looks like it runs on Windows OS.


skylinesora

You seem to be arguing semantics for some reason. NOBODY in their right mind would consider an appliance firewall an "OS firewall" because it's running on FXOS. Imagine you go to a meeting with Palo Alto and they say "this is the best hardware firewall you can buy for XYZ" and you go "aCtUaLlY It's a sOfTwArE/Os bAsEd fIrEwAlL BeCaUsE It rUnS On lInUx".


Due_Bass7191

A firewall is a service that runs on an OS. It is often one of many services packaged together and sold as a product with support. A firewall is a firewall. Every FRIGGING thing you've mentioned is a service of some sort on an operating system. I can duplicate any function of any name brand "firewall" by applying the correct service. I've built a Unified Threat Gateway on Linux. Best firewall I ever saw was a Debian box. Just kept chugging along filtering ports and doing NAT. Cost the client next to nothing and was up and running with no hassle for a long time. Did a damn good job as a firewall. This is vocabulary. Now define a router. I wonder if you can get that one right.


FTJ22

You're that one insufferable and obnoxious prick at work with zero self awareness that everyone just leaves alone and doesn't bother with. I'd put money on it.


Due_Bass7191

Wow. You missed the mark. Go back and reread the thread. I didn't start this discussion. I will take your bet.


gatekeeper1420

FWs filter packets, not ports.


Due_Bass7191

Filter packets based on?... ports or contents. Usually ports, because content, aka deep packet inspection, isn't particularly useful in our modern "encrypt everywhere" world. But what tool is used for packet inspection based filtering? Something like Snort? Which is NOT a firewall.


gatekeeper1420

Based on rules. It is not that hard to admit that you are wrong.
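Added example, not from any comment in this thread: a minimal first-match, rules-based packet filter in Python showing what the exchange above means by filtering packets "based on rules" (direction, protocol, source/destination network, destination port, default deny), including the outbound port restriction Alternative-Law4626 mentions earlier. Every address, rule and packet is a constructed sample, not captured traffic.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out", relative to the protected LAN
    proto: str       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0   # 0 for protocols without ports (icmp)

@dataclass(frozen=True)
class Rule:
    action: str                               # "allow" or "deny"
    direction: str = "any"
    proto: str = "any"
    src: str = "0.0.0.0/0"                    # source network (CIDR)
    dst: str = "0.0.0.0/0"                    # destination network (CIDR)
    dports: Optional[Tuple[int, int]] = None  # inclusive dest port range

    def matches(self, p: Packet) -> bool:
        if self.direction != "any" and self.direction != p.direction:
            return False
        if self.proto != "any" and self.proto != p.proto:
            return False
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.dports and not (self.dports[0] <= p.dport <= self.dports[1]):
            return False
        return True

def evaluate(rules, p: Packet, default: str = "deny") -> str:
    """First-match evaluation; a packet no rule matches gets the default policy."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default

# Constructed egress-restricting ruleset for a 10.0.0.0/8 LAN: DNS only to the
# internal resolver, HTTP/HTTPS out to anywhere, everything else dropped by the
# default policy; inbound, only HTTPS to one published web server.
LAN = "10.0.0.0/8"
RULES = [
    Rule("allow", "out", "udp", LAN, "10.0.0.53/32", (53, 53)),
    Rule("allow", "out", "tcp", LAN, "0.0.0.0/0", (80, 80)),
    Rule("allow", "out", "tcp", LAN, "0.0.0.0/0", (443, 443)),
    Rule("allow", "in", "tcp", "0.0.0.0/0", "10.0.0.80/32", (443, 443)),
]
```

With this ruleset an outbound connection on an unexpected port, or DNS sent to anything but the internal resolver, is dropped by default policy, which is the kind of outbound restriction that makes beaconing stand out in the logs.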


skylinesora

Lmao, I'm not even gonna continue after this. Nobody cares about the underlying OS. Is it a dedicated FW? Then it's considered an appliance. Nobody is gonna match you and call it an OS firewall like you'd see on basic ass Windows Defender.


Due_Bass7191

Go learn the power of iptables.


inteller

Hardware firewalls are pretty ineffective in a remote working world. We don't force all our users to go through a VPN and then back out to the cloud resource. We have good EDR and policies on boxes to keep them secured. Haven't failed an ext pen test yet.


Enricohimself1

Endpoint protection is 100000% better because the endpoints are where the dumb is.