Better Protection - Hardware or Software Firewall?

A firewall is a specialised computer which has but one purpose - to prevent bad network traffic from passing between an untrusted network, like the Internet, and a trusted network, like your LAN, your computers, and the programs that you run on them.

A hardware, or appliance, firewall runs on a separate piece of equipment, and provides perimeter protection, to a group of computers. A software, or personal, firewall runs on a host computer, and protects only that computer. There are variations which may use the hardware of a personal computer, and provide perimeter protection.

Please don't confuse the concept of a firewall with that of a router - NAT router, or enterprise network router. A firewall is neither of those.

Both hardware and software firewalls require an operating system, or some interface between the user and the hardware.

The hardware firewall contains a stripped down operating system or code processor of some type, that provides the ability to examine, filter, and / or pass packets between the interfaces (WAN and LAN). It may also contain a small web server or configuration processor, so the user can change the filtering. The software firewall runs under an external operating system, that also lets you use your computer for non-firewall purposes, and lets you change how you use your computer.

There are advantages and disadvantages to both. Saying that one is better than the other is like saying Coke is better than Pepsi, or Chevrolet better than Ford. You can only compare the two, when considering the specific environment where protection is needed.

Hardware Firewall


  • A hardware firewall filters malicious incoming traffic, before it hits the protected computers. This lessens the load on the protected computers, and their filtering and logging software.
  • A hardware firewall has a dedicated processor, and dedicated storage. This further reduces the load on the protected computers.
  • A hardware firewall is smaller and more efficient. It contains just the code to filter network traffic, and to let the administrator make changes to the filtering. If it uses a web interface for changes, it needs only network connections, no video, keyboard, or mouse connections.
  • A hardware firewall contains minimal code that can be misused. It does not contain a web browser, word processor, multimedia player, or other accessory that can be exploited by malware.


  • A hardware firewall filters malicious network traffic only, and only at the perimeter. If your LAN uses only perimeter protection, any malicious activity that gets onto the LAN in any way will be unstoppable. All computers on the LAN are vulnerable.
  • A hardware firewall, and its dedicated processor, and dedicated storage, is finite in capacity, and must be carefully chosen for the intended workload. If the firewall is overloaded, it can do only one of two things:

    • Fail closed. When overloaded, the firewall may simply pass traffic, unfiltered.
    • Fail open. When overloaded, the firewall may simply drop traffic.

    Neither of these solutions are desirable. Any specialised hardware protection, such as a hardware firewall, MUST br carefully chaosen to fit your network. It must provide the capacity, and the functionality, needed, by YOUR network.
  • A hardware firewall can't effectively filter outgoing traffic, as it has no knowledge of what programs are running on the protected computers.
  • A hardware firewall requires one more power connection, and one more network cable. If you have limited resources, space or power, you may find this a problem.
  • A hardware firewall may not be easily upgradable, except by replacing the firewall itself. Capacity upgrades may require a different model device. Code changes may require replacement of internal components. Firmware upgrades must be done when the network is offline.

Software Firewall


  • A software firewall is more configurable. Since it sits on your desktop, you can make changes to its filtering, at will.
  • A software firewall installs components into the operating system, so it knows what programs are running there, and can protect you accordingly.
  • A software firewall provides individual protection to its host. If one computer in the LAN gets infected with malware, all computers running a software firewall are protected.
  • A software firewall is easily upgraded. Any necessary capacity upgrades can be made, by adding hardware to the host computer. Any necessary code changes can be made by reinstallation of its drivers, or other components.


  • A software firewall is more configurable. Since it sits on your desktop, you can make changes to its filtering, at will. A CKI Fault can make you instantly vulnerable, as Mark Russinovich discovered, when he busted Sony.
  • A software firewall can be exploited, thru its many features. Since you control it, bad advice can cause you to disable one or more filters, leaving the host computer unprotected against exploits.
  • A software firewall filters malicious incoming traffic only after it hits the host computer, and the operating system.
  • A software firewall uses processor power, and storage, which may compete with use of the host computer. This causes tuning needs, and the temptation to disable various features.

Now none of these points are 100% significant by themselves. Some hardware firewalls are more versatile, and more configurable in hardware and software. And there are hooks in software firewalls that restrict exploits, and make them less vulnerable. But these are the key differences between the two classes of protection.

Hybrid Solutions
There are variations in the distinction between hardware and software. Some security experts like to promote a third model, which they call a software firewall. They will take a surplus desktop computer, add a second network card, remove all non-essential accessories like a sound system, and make a perimeter protection device out of it.

The experts who like to build these custom perimeter protection devices claim that they have the advantages of both a personal and perimeter firewall, and none of the disadvantages. But examine these custom devices more closely, and you will find subtle disadvantages.

There is also the possibility of a hardware firewall, sitting inside your computer. The nVidia nForce is probably the first, but surely not the last, device of this type.

A well designed security strategy uses both perimeter and personal protection, and more.