Firewall Wizards mailing list archives

Re: Hardware vs. Software firewall reliability


From: David Klann <dklann () berbee com>
Date: Wed, 08 Sep 1999 14:53:43 -0500

Hi Bill,

I've been working with firewalls for a couple years now. Although I don't 
consider myself an expert, I do have a bit of experience -- primarily with 
the Cisco PIX. So my reply is biased in that direction. This is primarily 
anecdotal...

I believe the hardware firewall does indeed incur a higher MTBF because of 
the lack of complexity. The integrated/embedded OSes are getting more robust, 
the packet filtering is getting better, etc., etc. I prefer the hardware 
solution because there's nothing other than the firewall to configure.

Specifically to answer your question about failover: the Cisco PIX includes 
failover capability. Stateful connections are not preserved when the backup 
assumes responsibility, but the next release of the OS claims to correct 
this. Failover is attained using a serial cable between the two devices 
(yes, it's limited to a single backup unit). The backup unit "pings" the 
primary and assumes the active state when it gets no response. Stateful 
connection preservation will be accomplished with a network connection 
between the primary and the backup. The backup maintains the state of 
connections by continually polling the primary via the network connection.

My $.02 and a perspective on a future feature ...

-David Klann
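The failover behaviour described in the message (a standby unit polling the active one over a dedicated link, taking over after it stops answering, and, in the announced future version, keeping a replicated copy of the connection table) can be modelled in a few dozen lines. The following is an added illustration, not part of David's message and not Cisco code; the missed-heartbeat threshold, the addresses and the flow are constructed for the example. It shows the operational consequence the message hints at: without state replication, an established session is dropped at the moment of failover and must be re-established, while with replication the reply traffic keeps passing.

```python
"""Toy model of active/standby firewall failover.

Added example (not Cisco code): the standby unit polls the active unit over a
heartbeat link and takes over after a run of missed replies, as the post
describes. A flag controls whether the active unit's connection table is
replicated to the standby, which is the difference between established
sessions surviving the switch or being dropped. Threshold and addresses are
constructed for the illustration.
"""
from dataclasses import dataclass, field

# Assumed threshold for declaring the active unit dead; not a PIX parameter.
MISSED_HEARTBEATS_TO_FAIL = 3


@dataclass(frozen=True)
class Flow:
    """One direction of a TCP/UDP session."""
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Flow":
        return Flow(self.dst, self.dport, self.src, self.sport)


@dataclass
class Firewall:
    name: str
    active: bool = False
    alive: bool = True
    state: set = field(default_factory=set)  # flows opened from the inside

    def open_outbound(self, flow: Flow) -> None:
        """An inside host initiates a session: record it so replies are allowed."""
        self.state.add(flow)

    def permit_inbound(self, packet: Flow) -> bool:
        """Stateful rule: inbound traffic passes only as the reply to a recorded flow."""
        return packet.reverse() in self.state


class FailoverPair:
    def __init__(self, replicate_state: bool) -> None:
        self.primary = Firewall("primary", active=True)
        self.backup = Firewall("backup")
        self.replicate_state = replicate_state
        self.missed = 0

    def active_unit(self) -> Firewall:
        return self.primary if self.primary.active else self.backup

    def tick(self) -> None:
        """One polling interval: the backup probes the primary over the heartbeat link."""
        if self.primary.alive:
            self.missed = 0
            if self.replicate_state:
                # State sync over the second (network) link the post describes.
                self.backup.state = set(self.primary.state)
            return
        self.missed += 1
        if self.missed >= MISSED_HEARTBEATS_TO_FAIL and not self.backup.active:
            self.primary.active = False
            self.backup.active = True

    def permit_inbound(self, packet: Flow) -> bool:
        return self.active_unit().permit_inbound(packet)


def simulate(replicate_state: bool) -> dict:
    """Open one session, kill the primary, and report whether its reply still passes."""
    pair = FailoverPair(replicate_state)
    flow = Flow("10.0.0.5", 40000, "192.0.2.10", 443)  # constructed addresses
    reply = flow.reverse()
    pair.active_unit().open_outbound(flow)
    pair.tick()  # one healthy interval, giving replication a chance to run
    before = pair.permit_inbound(reply)

    pair.primary.alive = False  # the primary stops answering heartbeats
    ticks = 0
    while not pair.backup.active:
        pair.tick()
        ticks += 1

    return {
        "active": pair.active_unit().name,
        "ticks_to_failover": ticks,
        "reply_permitted_before": before,
        "reply_permitted_after": pair.permit_inbound(reply),
        # Unsolicited inbound traffic is denied by either unit regardless of mode.
        "unsolicited_inbound_after": pair.permit_inbound(
            Flow("198.51.100.7", 5555, "10.0.0.5", 22)),
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("state replication" if mode else "no replication", simulate(mode))
```

Two things worth noticing when running it: the detection window (three missed polls here) is a gap during which the pair forwards nothing, so the polling interval is a direct availability trade-off; and the state table is the only thing that distinguishes a legitimate reply from an unsolicited inbound packet, which is why losing it on failover looks to users like every open session being reset.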
