Firewall Wizards mailing list archives

Re: Hardware vs. Software firewall reliability


From: "Ryan Russell" <Ryan.Russell () sybase com>
Date: Tue, 7 Sep 1999 23:03:24 -0700




> I notice that more firewalls are of the hardware type.  It seems that over
> time the hardware firewalls have become more robust, and with the minimal
> configuration involved, lack of mechanical devices (disks)

Hardware with no disks, flash RAM, redundant hot swappable fans, power
supplies, and interface modules make network guys like me happy.

> and underlying OS
> to fiddle with,

They've all got an underlying OS, i.e. Something I Can Misconfigure (tm).
The closest to "no OS" are routers and the PIX firewall.  I think
the bulk of the "hardware" firewalls run a linux or *bsd variant.

> seem to have higher MTBF ratings than software firewalls.

The kind of MTBF you're referring to is strictly hardware dependent.
Meaning, you can slap together your own hardware set for your
"software" firewall and get the same result.

> Seems that many on the list have predicted the rise of the hardware firewall
> and 'death' of the software firewall.

There are lots of advantages to HW firewalls.  There are disadvantages, too.
I think the advantages match well with what sells firewalls, so yes they
will probably increase in marketshare.  Don't forget as well that you can
probably get your favorite "software" FW all bundled up as a HW
package.  I just bought several Nokia firewalls (running Firewall-1) to replace
my Solaris/Sparc boxes running Firewall-1.

> My specific interest is in protecting Internet service bureaus, with a
> limited set of published applications.  Therefore outbound proxies are not
> as critical.

The software feature set is about the same.  It's a packaging thing.

> BTW - Are there failover hardware firewalls available?

The Nokias will do that.  I'm sure lots of others will, too.

                              Ryan




