Even beginners tend to know that a firewall is part and parcel of a solid security concept, but what is a firewall exactly? Put simply, a firewall is a defense system that protects individual computers as well as entire computer networks from unauthorized external access attempts.

Of course, there is much more to these security systems than the short description above. Every firewall is built on software components; where that software is installed determines whether it works as a personal firewall or as an external firewall. The former, also referred to as a desktop firewall, is the best-known defense component for private computers, while the latter is most often used for securing entire networks. The following paragraphs explain how the two differ and which methods they use to protect computer systems.

Hardware firewall vs. software firewall

The main difference between the two lies in the components they use: a personal firewall (also known as a desktop firewall or software firewall) is a pure software solution installed on the very computer that is to be protected. Once installed, it monitors the data traffic flowing between that computer and the network it is attached to. Some operating systems, such as Windows, ship with a personal firewall as part of the system.

At the other end of the spectrum lies the external firewall, a combination of software and hardware components. It sits between separate computer networks and monitors the traffic flowing between them, which is why such systems are also referred to as network firewalls or hardware firewalls. In other words, an external firewall is a stand-alone device that, by means of its integrated network interfaces, connects different networks with one another. The firewall software that controls this traffic, and in most cases a dedicated operating system, runs on that device.

The advantages of a hardware firewall

Hardware firewalls are considerably more complex than personal firewalls, i.e. software firewalls. They are clearly the more expensive option, but they offer a more robust security solution. Above all, because the firewall software does not run on the system it is supposed to protect, malware or an attacker who has already compromised that system cannot simply switch it off or rewrite its rules. Once a software firewall on an infected computer is deactivated, the system is essentially defenseless, and the user often remains unaware of it. A properly designed network firewall, by contrast, fails closed: if the device is crashed or taken down, it blocks both inbound and outbound traffic until it is rebooted, so a failure is noticed rather than silently exploited.

This higher level of security is the main reason hardware firewalls are the preferred solution for data centers and for any computer systems that require extensive protection. It is therefore common for company networks carrying sensitive traffic, with or without their own servers, to be guarded by professional external firewalls. Installing a software firewall on each individual computer instead would take far more effort, since every installation also has to be configured and maintained separately. Licensing costs are another factor where each computer needs its own license. And, as noted above, the protection can then be switched off from the very machine it is supposed to defend.

Possible applications

Given that they are both inexpensive and easy to install, personal firewalls are especially well suited for private use on home PCs and can generally be configured without difficulty by inexperienced users. The needs of smaller companies with straightforward networks can also be met by software firewalls, provided they are configured correctly. And where the budget and know-how for installation are available, a personal firewall on each host is a useful addition to a hardware firewall, since it still protects the host from traffic originating inside the network.

As already mentioned, network firewalls are particularly popular for protecting the exchange of sensitive data. Often they protect networks that are connected to the internet, but they can equally be placed between two private networks, for example to isolate a network segment that is considered a potential risk. In principle, a hardware firewall can be set up individually by installing suitable firewall software on a suitable device and hardening its operating system. Hardening means removing or disabling every program and service that the firewall itself does not need, so that as little attackable code as possible runs on the device; together with the firewall software this makes the set-up considerably harder to attack from outside. A much simpler option is a firewall appliance: a system made up of hardware, a hardened operating system and specially designed firewall software. The key here is to differentiate between the following three types:

  • Bridging firewall: two physically separated network segments are connected on the data-link layer (layer 2) of the OSI model. The firewall itself needs no IP address on the segments it joins, which makes it virtually invisible on the network and more resistant to attacks. Although it forwards frames at layer 2, it reads further up the stack than an ordinary bridge and can filter on IP addresses and ports.
  • Routing firewall: the most common type of hardware firewall, found in virtually every device for private use, such as a DSL router. Unlike a bridging firewall, it operates on the network layer (layer 3) and above and filters directly on IP addresses and ports. Because it has IP addresses of its own, it is visible to everyone in the network and is therefore itself a potential target for attacks.
  • Proxy firewall: here the firewall acts as a proxy between the source and destination networks. No system on either side establishes a direct connection with the other side, so none of them receives packets created by the remote system; the proxy terminates each connection and opens a new one of its own. This makes it difficult for attackers to learn the addresses and hosts inside the protected company network. Because proxy firewalls operate on the application layer (layer 7), they can make far more specific security decisions than routing and bridging firewalls. Conversely, their use costs performance and requires considerable configuration know-how.

Filter methods – how firewalls work

Packet filtering is the most important function of all hardware firewall types. With this method, the firewall decides on the basis of a manually defined rule set which packets are forwarded and which are dropped. It operates on OSI layers 3 and 4, the network and transport layers, and checks each packet against properties in the corresponding protocol headers: source and destination IP addresses (or address ranges), the transport protocol, and source and destination ports. A rule allows or blocks the packets whose headers match it; in a well-configured rule set the first matching rule wins, and a packet that matches no rule is dropped by default.

With the help of a bridge, or a switch (essentially a multi-port bridge), packet filtering can also be carried out on the OSI model's data link layer (layer 2). There, filtering is not based on IP addresses but on the MAC addresses used for hardware addressing.

Firewalls can also be extended with state-oriented verification, known as stateful packet inspection (SPI). Plain packet filtering judges every packet in isolation; SPI additionally keeps a table of the connections it has admitted and uses the layer 4 information (TCP handshake flags, sequence numbers, ports) to decide whether a packet belongs to an existing, legitimate connection. Reply traffic for a connection the rules allowed can thus pass without a separate inbound rule, while packets that claim to be replies but match no known connection are dropped. Some SPI implementations additionally look into the application layer (layer 7), for example to learn which data port an FTP session negotiates. Unlike proxy firewalls, which also have access to this layer, SPI only reads the application data; it does not alter it.
