What is a Hardware Firewall?

Even beginners tend to know that it’s part and parcel of a solid security concept, but what is a firewall exactly? Put simply, a firewall is a defense system that protects both individual computers as well as entire computer networks from unauthorized external access attempts.

Of course, there’s much more to these useful security systems than the short description above. Firewall systems are based on software components whose installation discloses whether the firewall works as a personal firewall or an external firewall. The former, which is also referred to as a desktop firewall, offers the best known defense component for private computers, while the latter is most often used for securing entire networks. Find out how these two systems differ from one another and which methods they use to protect computer systems in the following paragraphs.

The main difference between these two firewall options can be seen in the different components they use: a personal firewall (also known as a desktop firewall or software firewall) offers a pure software solution, which is installed on the computer that is to be protected. Once installed, this software then monitors the data traffic flowing between this computer and its corresponding network. Some operating systems, like Windows, include such options as a part of their software packages.

On the other end of the spectrum lies the external firewall. This option is comprised of a combination of both software and hardware components. These are located between various computer networks and monitor the data traffic flowing between them; this is why such systems are sometimes referred to as network firewalls or hardware firewalls. In other words, an external firewall is a stand-alone device that, with the help of integrated network interfaces, connects different networks with one another. In order to control this data traffic, firewall programs, and in some cases operating systems, are installed on these devices.

Hardware firewalls are much more complex than personal firewalls, i.e. software firewalls. And while they’re clearly the more expensive option, they present a more robust security solution. What’s more, given that the software doesn’t actually run on the system it’s supposed to protect, it’s more difficult to manipulate. By contrast, once a software firewall solution is deactivated, the system is essentially rendered defenseless, and often users remain unaware of potentially disastrous developments. But a comparable attack on a network firewall would lead to a complete system shutdown of the device, which would block both inward and outward data traffic until a reboot is carried out.

This increased security factor is the main reason that hardware firewalls are the preferred solution for both data centers as well as computer systems requiring extensive protection. For this reason, it’s not uncommon to have sensitive data traffic, such as company networks, to be monitored - with or without servers - by professional external firewalls. Choosing to install software firewalls for each and every computer system individually instead would require much more effort, as all installations also require further configuration. Higher costs are another factor to consider, since each computer would need its own license for installation. And as previously mentioned, there is an increased security risk.

Given that they are both inexpensive and easy to install, personal firewalls are especially well suited for private use on home PCs and can generally be easily configured by inexperienced users. The needs of smaller companies with more straightforward networks can also be met by software firewalls, provided they are correctly configured. And if the necessary budget and know-how for installation is available, this option can also make a useful addition to hardware firewalls.  

As already mentioned, network firewalls are particularly popular for protecting the exchange of sensitive data. Often they protect networks that are connected to the internet. Connecting to an additional, private network, which poses a potential security threat, is also possible. In principle, hardware firewalls can be individually set up by installing corresponding firewall software on a suitable device and hardening the operating system. These steps make the set-up virtually immune to external attacks. Hardening can only be achieved by using the programs that are required by the operating system. A much simpler option is to use a firewall appliance. This refers to a system made up of hardware, hardened operating systems, and specially designed firewall software. The key here is to be able to differentiate between the following three types:

• Bridging firewall: two physically separated network segments are connected on the data-link layer (layer 2) of the OSI model, which makes the firewall virtually invisible and more resistant to attacks. Inbound and outbound data are only passed along if they are also located on this lower layer. The bridging firewall can also access higher protocol layers than typical bridges when filtering IP addresses and ports.

• Routing firewall: routing firewalls are the most common type of hardware firewall and are used for virtually all devices for private use, such as DSL routers. In comparison to bridging firewalls, this firewall type operates directly on the network layer (layer 3) or higher and directly filters IP address and ports, making it visible to anyone in the network and potentially vulnerable to attacks.

• Proxy firewall: here, the firewall works as a proxy between the source and destination networks. Neither system on either side of the network establishes a direct connection and so neither receive any packages directly created by the destination system. This makes it difficult for hackers to find out where the protected company network is located. Given that proxy firewalls operate on the application layer (layer 7), they’re able to make much more specific security decisions than routing and bridging firewalls. Conversely, their use does lead to performances losses and requires a substantial amount of know-how regarding configuration.

Packet filtering plays the most important role when it comes to the corresponding functions of the different hardware firewall types. With this method, the firewall makes its decision based on a manually defined set of rules as to which data packages are to be forwarded and which aren’t. For this, the firewall operates on the OSI layers 3 and 4, i.e. the network and transport layers, and checks the packet for properties located in the corresponding protocol header. Here, exact IP address or ports are possible that are either allowed or blocked by the rules and regulations.

With the help of the aforementioned bridge or a switch, which is a bridge extension of sorts, packet filtering can be carried out on the OSI model’s data link layer (second layer). There, packet filtering isn’t done on the basis of the IP address; instead, it’s implemented on the basis of MAC addresses, which are used for hardware addressing.

Additionally, after being expanded, firewalls can filter with state-oriented verification methods (stateful packet inspection, SPI). For this purpose, the packet filtering, which is normally limited to layers 3 and 4, also incorporates the application layer (layer 7) and the recorded application data found there. Unlike proxy firewalls, which also have access to this layer, SPI doesn’t allow this data to be changed.