Why are hardware security features preferred over software security features?
A.
They lock in a particular implementation.
B.
They have a lower meantime to failure.
C.
Firmware has fever software bugs.
D.
They permit higher performance.
Explanation:
This is a sort of iffy question. Hardware allows faster performance then software and
does not need to utilize an underlying OS to make the security software operate. (An example is
PIX firewall vs checkpoint). The meantime to failure answer to me is ok but the hardware that the
software security also has a MTFF. A few people looked over this question and had no problem
with the answer of B (meantime to failure question) but as I looked into it I have picked D. MTTF is
typical the time to failure. “MTFF is the expected typical functional lifetime of the device given a
specific operating environment” (- Ed Tittle CISSP Study Guide (sybex) pg 657). This leads me to
think that this question says hardware has a SHORTER lifespan then software. Thus I am going to
have to go with D (higher performance). This can be because of ASICs. As always uses your best
judgment, knowledge and experience on this question. Below are some points of view.
Few things to consider when deploying software based firewall:
Patching OS or firewall software could bring down firewall or open additional holes
OS Expertise vs. firewall expertise (you may need two administrators).
Support contract (One for hardware, one for OS, one for firewall), who do you call?
Administration (One for OS and one for firewall). If your not an expert in both then forget it.
High-availability (Stateful failover) (usually requires additional software and costs a lot of money).
As a result it adds to support costs.
Is software firewalls a bad idea it depends. Every situation is different. -Bob
http://www.securityfocus.com/archive/105/322401/2003-05-22/2003-05-28/2
A software firewall application is designed to be installed onto an existing operating system
running on generic server or desktop hardware. The application may or may not ‘harden’ the
underlying operating system by replacing core components. Typical host operating systems
include Windows NT, 2000 server or Solaris.
Software firewall applications all suffer from the following key disadvantages:
They run on a generic operating system that may or may not be hardened by the Firewall
installation itself.
A generic operating system is non-specialized and more complex than is necessary to operate the
firewall. This leads to reliability problems and hacking opportunities were peripheral/unnecessary
services are kept running.
Generic operating systems have their own CPU and memory overheads making software based
firewalls slower than their dedicated hardware counterparts.
If the software firewalls uses PC hardware as the host platform, then there may be additional
reliability problems with the hardware itself. Sub-optimal performance of generic hardware also
affects software applications bundled with their own operating systems.There is no physical or topological separation of the firewalling activity.
A dedicated hardware firewall is a software firewall application and operating system running on
dedicated hardware. This means the hardware used is optimized for the task, perhaps including
digital signal processors (DSPs) and several network interfaces. There may also be special
hardware used to accelerate the encryption/decryption of VPN data. It may be rack mounted for
easy installation into a comms’ cabinet.
We recommend dedicated hardware firewalls as they offer several key advantages over software
applications:
Dedicated hardware is typically more reliable.
Hardware firewalls are simpler, hence more secure.
Hardware firewalls are more efficient and offer superior performance, especially in support of
VPNs.
The firewalling activity is physically and topologically distinct.
http://www.zensecurity.co.uk/default.asp?URL=hardware%20software%20firewall