When does a hardware firewall become justified?

September 14, 2013

In a discussion I had some time ago, the question was raised: “In a small business setup (one server, let's say Server 2008, and anywhere from 4-12 client computers), how many computers before you really need to fork over the cash for a dedicated firewall appliance?”

It seems to be commonly assumed that a dedicated firewall only provides enough benefit for a large network, and that it is difficult to justify one for a small network. Some people assume that small businesses don't need a dedicated firewall, or that a basic router or an offsite security service is adequate. Given the inexpensive dedicated hardware firewall options and virtual appliances available today, that assumption seems as flawed as ever.

My contention is that no network should be without one, even if there is just one PC.

My answer, then: for several possible reasons, a dedicated firewall unit on the LAN can be justified.

[1] Egress filtering, that is, protection against threats originating inside the network: for example, filtering outbound traffic to prevent an employee from leaking proprietary company information (data leak prevention), to control employee web surfing, or to prevent Bob in IT from IRC'ing while he should be working on the servers. A dedicated firewall managed and monitored with the help of an outside provider, or by a dedicated security team at arm's length from the workstation and server operators, can be a great thing. There should be both a software and a dedicated hardware firewall in such environments; security design should be determined by risks and possible impacts, not necessarily by the size of a network.

[2] The dedicated nature of an appliance-based firewall helps reinforce that separation and deters internal attacks against it that might be attempted, and might easily succeed, against a general-purpose PC.

[3] The cost to the business of a hacker intrusion can be significant, even if there are only 6 computers; it takes just one compromise for a hacker to obtain banking info. Therefore, there is no minimum count of workstations below which a dedicated firewall unit is inappropriate.

[4] Having a dedicated firewall unit offers a possibility for some measure of ‘Defense in Depth’. By having multiple layers of security you have a chance of minimising your exposure should one layer be compromised. The idea is that the physical separation of the firewall reduces the chance that the firewall is compromised at the same time as a computer, and if you configure two firewalls (one dedicated and one software firewall on each computer), all the better, because you are less likely to make the same mistake twice, or two people are less likely to make the same configuration mistake. Therefore, a hardware firewall is appropriate even if all your Windows computers come with software firewalls or the Advanced Firewall feature.
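To make points [1] and [4] concrete, here is an added example (not code from the original post) of how two independently written egress policies combine. A constructed perimeter rule set and a constructed workstation host-firewall rule set are applied to a handful of constructed outbound flows; the flow leaves the LAN only if both layers allow it. The workstation policy deliberately contains the kind of mistake the post worries about (any outbound TCP allowed), and the perimeter layer is what catches the IRC and direct-SMTP flows that slip past it. All addresses, ports and rules are assumptions for the illustration.

```python
"""Two-layer egress filtering: a constructed example (not from the post).

The perimeter appliance enforces an egress policy, every workstation also runs
a host firewall, and a flow leaves the LAN only if BOTH layers allow it. The
rule sets, addresses and flows below are all constructed for illustration; the
workstation's host policy deliberately contains a too-permissive rule to show
the second layer catching it.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str    # LAN source address
    dst: str    # destination address
    dport: int  # destination port
    proto: str  # "tcp" or "udp"


@dataclass(frozen=True)
class Rule:
    action: str             # "allow" or "deny"
    dst: str = "0.0.0.0/0"  # destination network (CIDR)
    dports: tuple = ()      # empty tuple means any destination port
    proto: str = "any"
    src: str = "0.0.0.0/0"  # source network (CIDR)

    def matches(self, f: Flow) -> bool:
        return (ip_address(f.src) in ip_network(self.src)
                and ip_address(f.dst) in ip_network(self.dst)
                and (not self.dports or f.dport in self.dports)
                and self.proto in ("any", f.proto))


def evaluate(rules, flow, default="deny"):
    """First-match evaluation, as most packet filters do. Egress filtering
    means the fall-through default for outbound traffic is deny."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return default


# Layer 1: the perimeter appliance's egress policy (constructed).
PERIMETER = [
    Rule("allow", dst="192.0.2.53/32", dports=(53,), proto="udp"),  # only the ISP resolver
    Rule("allow", dports=(80, 443), proto="tcp"),                    # web browsing
    Rule("allow", src="10.0.0.5/32", dports=(25,), proto="tcp"),     # only the mail server sends SMTP
    # Anything else (IRC on 6667, SMTP from workstations, other resolvers)
    # falls through to the default deny.
]

# Layer 2: host firewall on an ordinary workstation (constructed). It contains
# the kind of mistake the post worries about: any outbound TCP is allowed.
WORKSTATION_HOST = [
    Rule("allow", proto="tcp"),
    Rule("allow", dports=(53,), proto="udp"),
]


def egress_decision(flow, layers):
    """Defense in depth: the flow is allowed only if every layer allows it.
    Returns (decision, blocking_layer) so the log shows which layer stopped
    the flow, which is also how you find the other layer's mistake."""
    for name, rules in layers:
        if evaluate(rules, flow) != "allow":
            return ("deny", name)
    return ("allow", None)


LAYERS = [("workstation-host", WORKSTATION_HOST), ("perimeter", PERIMETER)]

# Constructed outbound flows from workstation 10.0.0.23.
SAMPLE_FLOWS = {
    "https":       Flow("10.0.0.23", "203.0.113.10", 443, "tcp"),
    "irc":         Flow("10.0.0.23", "203.0.113.99", 6667, "tcp"),
    "direct-smtp": Flow("10.0.0.23", "203.0.113.7", 25, "tcp"),
    "foreign-dns": Flow("10.0.0.23", "198.51.100.8", 53, "udp"),
    "isp-dns":     Flow("10.0.0.23", "192.0.2.53", 53, "udp"),
}


def audit(flows=SAMPLE_FLOWS, layers=LAYERS):
    """Run every sample flow through both layers; returns {name: (decision, layer)}."""
    return {name: egress_decision(flow, layers) for name, flow in flows.items()}


if __name__ == "__main__":
    for name, (decision, blocked_by) in audit().items():
        print(f"{name:12s} {decision:5s} {blocked_by or ''}")
```

Note that the host layer alone would have let IRC, direct SMTP and the foreign resolver out; the appliance's default-deny egress policy is the layer that stops them, and its log entry naming the source host is what points you back at the over-permissive workstation rule.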

[5] My next consideration is that most dedicated firewalls double as a router, providing at the very least some NAT/PAT and port forwarding functionality, which is needed to conserve IP addresses or to share the small number of addresses provided by the internet service provider; that by itself is nearly a firewall. IPv4 addresses face exhaustion, and you are unlikely to avoid the requirement to have some device performing NAT at your boundary. If you have to buy a router anyway, it makes a great deal of sense to pay up for a device that contributes more to your security posture.
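Why NAT/PAT is "nearly a firewall" is easier to see in code. The toy gateway below is an added example, not from the post: outbound connections create translation state, inbound packets are forwarded only when they match that state, and anything unsolicited is dropped. The public address, LAN hosts and sessions are constructed; state ageing, UDP/ICMP handling and explicit port forwards (which are exactly the holes that make it only "nearly" a firewall, and it does nothing at all for egress) are left out.

```python
"""Stateful PAT as an implicit inbound filter: a constructed example (not from the post).

An outbound connection creates translation state, inbound packets are forwarded
only when they match that state, and unsolicited inbound packets are dropped.
Addresses, ports and sessions are constructed; state ageing, UDP/ICMP handling
and port forwarding are omitted.
"""
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class PatGateway:
    """Maps many LAN (ip, port) pairs onto one public IP, one public port each."""

    def __init__(self, public_ip, first_public_port=40000):
        self.public_ip = public_ip
        self._next_port = count(first_public_port)
        # (lan_ip, lan_port, remote_ip, remote_port) -> public_port
        self.outbound = {}
        # (public_port, remote_ip, remote_port) -> (lan_ip, lan_port)
        self.inbound = {}
        self.dropped = []

    def send_out(self, pkt):
        """LAN -> internet: create (or reuse) a translation and rewrite the source."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        public_port = self.outbound.get(key)
        if public_port is None:
            public_port = next(self._next_port)
            self.outbound[key] = public_port
            self.inbound[(public_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(self.public_ip, public_port, pkt.dst, pkt.dport)

    def receive_in(self, pkt):
        """Internet -> LAN: forward only if it matches existing state, else drop.
        This is the 'nearly a firewall' behaviour: nothing inside is reachable
        unless a host inside spoke first (or an explicit port forward exists)."""
        target = None
        if pkt.dst == self.public_ip:
            target = self.inbound.get((pkt.dport, pkt.src, pkt.sport))
        if target is None:
            self.dropped.append(pkt)
            return None
        lan_ip, lan_port = target
        return Packet(pkt.src, pkt.sport, lan_ip, lan_port)


def demo():
    """Two LAN hosts share one public IP; a reply is forwarded, unsolicited packets are dropped."""
    gw = PatGateway("198.51.100.20")  # constructed public address
    out_a = gw.send_out(Packet("10.0.0.23", 51000, "203.0.113.10", 443))
    out_b = gw.send_out(Packet("10.0.0.24", 51000, "203.0.113.10", 443))  # same LAN port, other host
    # Legitimate reply to host A's session arrives on A's translated port.
    reply = gw.receive_in(Packet("203.0.113.10", 443, "198.51.100.20", out_a.sport))
    # Unsolicited packet from a different peer aimed at that same public port.
    stray = gw.receive_in(Packet("192.0.2.200", 52000, "198.51.100.20", out_a.sport))
    # Unsolicited packet for a service with no state at all (RDP on the public IP).
    rdp = gw.receive_in(Packet("192.0.2.200", 52000, "198.51.100.20", 3389))
    return {
        "distinct_public_ports": out_a.sport != out_b.sport,
        "reply_forwarded_to": (reply.dst, reply.dport) if reply else None,
        "stray_forwarded": stray is not None,
        "rdp_forwarded": rdp is not None,
        "dropped_count": len(gw.dropped),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```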

[6] Most modern dedicated firewalls (“Unified Threat Management” devices) provide filtering all the way up to the application layer. This multi-layer filtering can be resource intensive; offloading it to a dedicated device reduces the possible performance impact on, and incompatibilities with, end-user applications.

[7] Dedicated hardware firewalls are often ‘more secure’ than software firewalls, especially units that run on minimalist hardware with a hardened OS.
