Hardware vs. Software Firewalls
There are a lot of firewall options out there, and deciding which is best for your home or network is a daunting task filled with advertising, reviews, and annual commitments. It is very time consuming trying to pick the best solution for any given home or home network.
The first decision that you have to make is whether you want a hardware firewall or a software firewall. A hardware firewall is a physical device that is attached to your network while a software firewall is installed on each of your computers, phones, or tablets.
You can have both a hardware firewall and a software firewall at the same time for increased security at the cost of increased maintenance as well as a possible performance penalty. More on that later.
A hardware firewall is a lot like a router, but with many more features. Indeed many routers have a hardware firewall built in, but the vast majority of them are severely lacking in their depth of control and features.
Hardware firewalls are great because they allow you to protect your entire network with a single device. They are physically installed on your network and can be made very tamper proof by physically locating them somewhere that is difficult to access. Installing a hardware firewall is usually accomplished by disconnecting a network cable between your cable modem and your router and putting the hardware firewall in between. That way the hardware firewall forms a physical barrier between your home network and the internet able to block both incoming and outgoing packets as needed. Since a hardware firewall is a dedicated networking device it is usually very fast at passing network data and should not have any negative performance impact on the speed of your network.
However, since hardware firewalls are not installed on your computer or phone they are not able to actually inspect the traffic that is flowing through them. As more and more sites move to HTTPS most internet traffic is highly encrypted, which means that a hardware firewall is not able to examine the content that is being pulled. This means that while a hardware firewall is excellent at blocking certain sites based on a blacklist it is usually a very poor choice for filtering traffic based on the actual content.
- Can a hardware firewall block all of facebook.com? Yes.
- Can a hardware firewall block pages that contain the word facebook? No.
If your primary concern for a firewall is to prevent snooping by modern Smart TVs or other nefarious little monitoring devices that seem to be showing up everywhere then a hardware firewall is an excellent choice. Since the firewall sits between your network and the internet it is able to block connections from any device you own without any modifications to that device. You can setup allowed and disallowed devices and rest in peace knowing that there is no way that your smart refrigerator is sharing your seedy kitchen banter with the NSA.
Another feature of hardware firewalls is that they are frequently free to use after the initial purchase. This does depend on the feature set that you are looking for. The more complex hardware firewalls come with a variety of online components and updates that will usually have an annual or monthly fee, but the more simple devices that offer basic whole network protection do not have a monthly fee since there is no real service integration.
This lack of a monthly fee can be a good thing and it can be a bad thing. Of course it’s a great thing that there’s no monthly fee, but it might be easy to forget about the firewall and have the rules get out of date. A firewall that was setup a few years ago may not be aware of today’s threats. A firewall service agreement ensures that your hardware firewall is kept up to date without any maintenance on your part.
When it comes to protecting kids by limiting their access on the internet a hardware firewall is a bit of a challenge to use correctly. While it’s easy to block certain websites it’s impossible to block all restricted content due to the nature of encrypted traffic. A hardware firewall offers excellent time of day blocking and total daily access limits to individual devices, but not to individual users.
In addition, more creative kids are able to bypass a hardware firewall by either disabling their Wi-Fi or switching to cellular data, or by hoping on a neighbors open Wi-Fi connection. If protecting your kids is highest on your list for a firewall feature, then a hardware firewall is most likely not the right choice.
Here’s a rundown of what a hardware firewall is good and bad at:
Hardware Firewalls - The Good
- In control of 100% of the traffic on your network.
- Excellent at blocking entire websites and categories of websites.
- Able to restrict access on gaming consoles, phones, Smart TV, and your kitchen refrigerator if you have that fancy of a kitchen refrigerator.
- Relatively easy to install since there is a single device that needs to be physically added to your network.
- Possibly cheaper because they frequently do not have monthly or annual fees.
- Almost impossible to hack or disable if physically located in a secure spot.
- Exceptionally fast and should not affect network performance at all.
- Very good at limiting a devices total internet time or traffic.
- A single point of installation means less overall maintenance in the long run.
- Can also function as a whole house ad block.
Hardware Firewalls - The Bad
- Not able to filter network traffic based on content.
- Not able to restrict access based on user, only based on device.
- While usually easy to install some networks may be setup in a way that prevents installation challenges since the devices physical location must be between the internet and the home network.
- Easy to bypass on roaming devices like tablets and phones.
- Usually offer very limited logs and very limited instant alerts based on user activity.
Remember that a router does not count as a hardware firewall.
The vast majority of the time a router is not a proper hardware firewall. It is a common misconception that just because you have a router on your network you do not need a firewall. This is not true. All routers are very good at preventing unwanted incoming connections due to the way that implement routing in a process called NAT, or Network Address Translation. While this is not truly considered a firewall it is an exception piece of automatic security that your network gets when you add a router.
A software firewall is a product that is installed on your computer, phone, or tablet. Since it is installed locally on the device it has much better access and control over what your device can and cannot do.
While hardware firewalls block traffic that attempts to leave your network software firewalls block traffic that attempts to leave your device. This means that software firewalls can be used to prevent certain users or devices from accessing devices on your network, not just devices on the internet. If you want to limit access to a printer then a software firewall might be the best choice.
Windows 7 and later and Mac OS X all contain a built in software firewall that is very capable of blocking software from accessing the internet based on time of day, which user is logged in, or which application program is attempting to talk on the network. These built in firewalls lack many of the advanced features that people need for managing their home network so it is common to supplement or replace them with aftermarket solutions.
More advanced, and usually expensive, software firewalls are able to offer a significantly greater granularity of control over what kind of access a device or user is allowed. Since they are located on the device they are able to inspect all traffic, including encrypted HTTPS traffic, and filter which data is allowed through based on content. Where a hardware firewall is only capable of blocking by website or domain name, a software firewall can block offending content based on keywords contained in that content.
- Can a software firewall block all of facebook.com: Yes.
- Can a software firewall block pages that contain the word facebook: Yes.
If your primary concern for a firewall is cyber security for yourself or your kids then a software firewall makes an excellent choice. They almost always come with a subscription service that renews either monthly or annually, and many of them come with a family pack option that allows you to install them on up 10 or more computers.
Most cyber security suites offer a great web portal to manage all of your users, devices, and rules either from home or abroad. This makes it pretty easy to manage the protection on your devices once the software has been installed and setup properly. Many of these packages include excellent log analysis and user monitoring, including features like sending an alert to your phone when an attempted access is blocked. The sense of connectivity and awareness in a full cyber security suite is certainly one of the bestselling points for this type of firewall setup.
However, if you are interested in blocking access to the internet for gaming consoles, Smart TV, or other connected devices then a software firewall simply is not able to help with that. Since a device on your network contacts the internet directly through your router there is no way for software on your computer to block that access. The software would have to be installed on the device that you want to block and that’s just not available on most devices.
In addition many software firewall products are not compatible with Windows, Mac, Android, Chrome Os, Kindle, and iOS devices. This means that if you have a variety of devices in your house, which many people do, you might have to install different products on different devices which can get not only costly but quite inconvenient to maintain. Imagine rounding up all of your kid’s phones, tablets, Chromebooks, and laptops and installing or updating their firewall software, rules, and settings for multiple products. It’s a very large time commitment to keep everything working. Hardware firewalls are starting to look a lot better all of a sudden.
Many software firewalls are resource intensive and can have a huge performance penalty on your device. Fast computers and laptops may not notice as much but the limited resources of Android and iOS devices are especially susceptible to slowdowns after installing a software firewall.
You are not going to find any good software firewalls with cyber security type features built in for free. If you go the software firewall route then plan on a monthly or annual fee. The most expensive packages are in the $10 / month range, while the cheapest are going to set you back about $30 / year. This fee is for maintain the rules and definitions that your firewall needs to know what sites and content to block, as well as offering the web based portal to manage all of your devices from a central location.
Here’s a brief summary of the good and bad parts of a software firewall:
Software Firewalls - The Good
- Much greater granularity of control because it is installed on each device.
- Has ability to block based on not only site name but also content.
- Usually has excellent reporting and alerts.
- Much better for cyber security with kids.
Software Firewalls - The Bad
- Needs to be installed on every single device you own.
- May not be supported on every device.
- Not available for gaming consoles, Smart TV, or other network devices.
- Can make your computer or device run slower, sometimes much slower.
- Tend to be more costly in the long run.
Which Firewall is the Best
Now that you have an idea of what each type of firewall does best at you are ready to decide which firewall is right for you. For that head over to our guide How to Choose a Firewall for more information on what type of firewall is the best choice for your network.
One more thing to keep in mind is that you can always run both a hardware firewall and a software firewall at the same time. The hardware firewall will not slow your computer down at all, and it will add protection to gaming consoles and other network devices, as well as provide a whole house ad blocker. Each computer, tablet, or phone can add on its own dedicated software firewall to offer content based protection. This is a popular option for parents who may not need or want much filtering on their own devices but feel the need to protect their children from various dangers on the internet.