Let’s start with hardware firewalls. They’re important because they provide a first line of defense against common forms of attack coming from the outside world. Plus, they can generally be effective with little or no configuration, and they protect every machine on a local network.
The hardware firewall in a typical broadband router uses a technique called packet filtering, which examines the header of a packet to determine its source and destination addresses. This information is compared to a set of predefined and/or user-created rules that determine whether the packet is legitimate or not, and thus whether it’s to be allowed in or thrown away.
A more advanced technique called Stateful Packet Inspection (SPI) looks at additional characteristics such as a packet's nature and actual origin (i.e., did it come from the Internet or from the local network) and whether incoming traffic is a response to an existing outgoing connection, such as a request for a Web page.
In a nutshell, the hardware firewall in a broadband router is primarily concerned with keeping bad stuff from the outside from getting in. The limitation of this type of firewall is that it typically treats any kind of traffic traveling from the local network out to the Internet as safe, which can sometimes be a problem.
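To make the packet-filtering and stateful-inspection steps concrete, here is an added Python example (not code from the article or from any router vendor) that models both. The LAN range, the rule list, and the packets it evaluates are all constructed for illustration; the addresses are from the reserved documentation ranges. It also shows the limitation described above: anything originating inside the LAN is waved through.

```python
"""Toy router firewall: stateless packet filtering plus stateful inspection.

Added example, not from the article. The LAN range, rules and packets are
constructed; nothing here is taken from a real product.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

LAN = ip_network("192.168.1.0/24")  # assumption: the home network behind the router


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"

    def from_lan(self) -> bool:
        """Origin check: did this packet come from the local network or the Internet?"""
        return ip_address(self.src_ip) in LAN


@dataclass
class Rule:
    action: str                      # "allow" or "deny"
    dst_port: Optional[int] = None   # None matches any destination port
    direction: Optional[str] = None  # "in" (from Internet), "out" (from LAN) or None for either

    def matches(self, pkt: Packet) -> bool:
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        if self.direction == "in" and pkt.from_lan():
            return False
        if self.direction == "out" and not pkt.from_lan():
            return False
        return True


def stateless_filter(pkt: Packet, rules: List[Rule]) -> str:
    """Plain packet filtering: header fields against a rule list, first match wins.

    Default policy mirrors the router behaviour described in the article:
    inbound is dropped unless a rule opens it, outbound is trusted.
    """
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "allow" if pkt.from_lan() else "deny"


class StatefulFirewall:
    """Stateful packet inspection: remembers outgoing flows so their replies are admitted."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        # (lan_ip, lan_port, remote_ip, remote_port, proto) for every allowed outbound flow
        self.connections: Set[Tuple[str, int, str, int, str]] = set()

    def handle(self, pkt: Packet) -> str:
        if pkt.from_lan():
            verdict = stateless_filter(pkt, self.rules)
            if verdict == "allow":
                self.connections.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto))
            return verdict
        # Inbound: accept if it is the reply to a flow we saw leaving the LAN
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        if key in self.connections:
            return "allow"
        return stateless_filter(pkt, self.rules)


def demo() -> dict:
    """Constructed traffic that shows where stateless and stateful decisions differ."""
    rules = [Rule("allow", dst_port=80, direction="in")]  # e.g. a port forward to a LAN web server
    fw = StatefulFirewall(rules)
    results = {}
    # 1. A LAN host requests a web page from an Internet server.
    results["web_request"] = fw.handle(Packet("192.168.1.10", 51234, "203.0.113.5", 80))
    # 2. The server's reply: no rule opens port 51234, so the stateless filter drops it,
    #    while stateful inspection recognises it as the response to the outgoing request.
    reply = Packet("203.0.113.5", 80, "192.168.1.10", 51234)
    results["web_reply_stateless"] = stateless_filter(reply, rules)
    results["web_reply_stateful"] = fw.handle(reply)
    # 3. An unsolicited inbound packet to a port nobody opened is dropped either way.
    results["probe"] = fw.handle(Packet("198.51.100.7", 40000, "192.168.1.10", 445))
    # 4. The limitation: an unknown program on a LAN host sending outbound looks just like
    #    legitimate traffic, so the router lets it leave.
    results["outbound_unknown"] = fw.handle(Packet("192.168.1.20", 45000, "198.51.100.9", 6667))
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Running it prints the verdicts for the four constructed packets; the interesting pair is the web reply, which only the stateful firewall admits, and the last outbound packet, which both allow without question.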
Consider this scenario: You open an e-mail message or visit a website that contains a hidden malicious program that’s designed to secretly install itself on your machine (or fool you into installing it) and then proceed to send information out via the Internet -- perhaps to steal your personal data or act as a distributed denial of service (DDoS) attack zombie. This is currently the most common method of infection.
Since the traffic generated by such programs would seem legitimate (it came from inside your network, after all), it would generally be allowed to leave your network. The malicious traffic could be blocked if the hardware firewall was configured to block outgoing traffic on the particular TCP/IP port(s) the program was using, but given that there are over 65,000 possible ports and there's no way to be sure which ports a program of this nature might use, the odds of the right ones being blocked are slim.
Plus, blocking ports also prevents legitimate programs running on any of your networked PCs from using them. For example, a piece of malware that was designed to generate and send spam e-mail from your machine could not be blocked by a hardware firewall without also blocking your ability to use Microsoft Outlook or Mozilla Thunderbird (they all generate the same kind of traffic -- SMTP on port 25).
Advantages of Software Firewalls
This is where the benefits of a software firewall come into play. Because a software firewall is running directly on a computer, it’s in a position to know a lot more about network traffic than simply what port it’s using and where it’s going -- it will also know what program is trying to access the Internet and whether it’s legit or malicious (it consults a regularly updated database to determine this).
Based on this information, a software firewall can either allow or block a program’s ability to send and receive data. If the firewall isn’t sure about the nature of the program, the user is prompted to provide confirmation before the traffic is allowed to pass.
In a nutshell, a software firewall is able to take a closer look at malicious traffic and intercept it before it leaves your computer.
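The following added Python example (not code from the article or from any firewall product) shows why the per-program decision matters, using the SMTP case from above: a port-based filter sees Outlook and a spam bot as the same thing, while an application-aware filter keyed on the program's identity can allow one, block the other, and prompt the user for anything it has never seen. The program names, file contents, hashes and the reputation database are all constructed placeholders; a real product hashes the executable on disk and consults its vendor's database.

```python
"""Toy application-aware outbound filter, the kind a software firewall applies.

Added example, not from the article. Program paths, file contents and the
reputation database are constructed stand-ins.
"""
import hashlib
from typing import Dict, NamedTuple, Optional

# Constructed stand-in for the firewall's regularly updated database. It is keyed on
# the SHA-256 of the executable, not its file name, because a name is trivial to copy.
REPUTATION_DB: Dict[str, str] = {
    hashlib.sha256(b"outlook.exe contents (constructed)").hexdigest(): "trusted",
    hashlib.sha256(b"thunderbird.exe contents (constructed)").hexdigest(): "trusted",
    hashlib.sha256(b"spambot.exe contents (constructed)").hexdigest(): "malicious",
}


class Connection(NamedTuple):
    program_path: str
    program_bytes: bytes   # stands in for the executable the firewall would hash on disk
    dst_ip: str
    dst_port: int


def program_id(conn: Connection) -> str:
    """Identity the firewall keys its decisions on: a hash of the program, not its name."""
    return hashlib.sha256(conn.program_bytes).hexdigest()


def port_filter(conn: Connection) -> str:
    """What a port-based (hardware-style) rule can do: one decision per port, for every program."""
    return "block" if conn.dst_port == 25 else "allow"


def application_filter(conn: Connection, user_decisions: Dict[str, str]) -> str:
    """Software-firewall style decision: trusted programs pass, known-bad ones are blocked,
    and anything unknown is referred to the user (whose answer is remembered)."""
    digest = program_id(conn)
    reputation: Optional[str] = REPUTATION_DB.get(digest)
    if reputation == "trusted":
        return "allow"
    if reputation == "malicious":
        return "block"
    return user_decisions.get(digest, "prompt")


def demo() -> dict:
    """Constructed connections: a real mail client, a spam bot and an unknown download."""
    mail = Connection(r"C:\Program Files\Outlook\outlook.exe",
                      b"outlook.exe contents (constructed)", "203.0.113.25", 25)
    # The bot borrows the mail client's file name; the hash gives it away anyway.
    bot = Connection(r"C:\Users\me\AppData\outlook.exe",
                     b"spambot.exe contents (constructed)", "203.0.113.25", 25)
    unknown = Connection(r"C:\Users\me\Downloads\newtool.exe",
                         b"newtool.exe contents (constructed)", "198.51.100.3", 443)
    decisions: Dict[str, str] = {}
    out = {
        "port_mail": port_filter(mail),
        "port_bot": port_filter(bot),
        "app_mail": application_filter(mail, decisions),
        "app_bot": application_filter(bot, decisions),
        "app_unknown_first": application_filter(unknown, decisions),
    }
    # The user answers the prompt once and the firewall remembers that answer.
    decisions[program_id(unknown)] = "allow"
    out["app_unknown_after"] = application_filter(unknown, decisions)
    return out


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The two `port_*` results are identical because the port filter has nothing else to go on; the `app_*` results differ because the decision is made on the program's identity, with the unknown program producing a prompt until the user has answered.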
The main downside to software firewalls is that they only protect the machine they're installed on, so to protect multiple computers with a software firewall you need to buy multiple copies (or licenses) and install and configure them individually on each machine. This can get expensive and be difficult to manage, though many business-oriented firewall programs do offer centralized installation and administration.
It’s worth noting that the firewall built into Windows 7 (and Vista before that) doesn’t automatically block outgoing traffic by default -- only incoming. It’s one of the reasons to consider a third-party firewall, since they generally handle both out of the box. (You can manually configure the Windows firewall to block outgoing traffic, but it’s not very user-friendly.)
Here’s a good way to sum up the difference between a hardware and software firewall. Think of a hardware firewall as a club bouncer who checks everyone coming in against a list to make sure they have an invitation. The software firewall, on the other hand, is like a security guard who makes sure nobody snuck in -- and is doing something untoward while inside -- and checks to make sure people aren’t stealing stuff on the way out.