The most obvious answer is, of course, to use both, since they don’t exclude one another and they CAN work together. But using both at the same time might not be necessary. To understand what configuration better fits which scenario, let’s first take a look at both firewall types and see their strong and weak points.
The hardware firewall is the one built into a physical device, typically a broadband router. It works by packet filtering: it reads each packet’s header to collect information about it, such as its source and destination, then compares that information against its built-in database (or a user-defined rule set) to determine whether the incoming internet traffic contains any threats.
A more elaborate analysis can be done by hardware firewalls that employ Stateful Packet Inspection, which also investigates a packet’s nature and origin. By determining whether the packet is coming from the internet or from the local network, and whether it responds to an existing outgoing connection (such as a request from a web page you are accessing), the firewall can better understand the true nature of your incoming internet traffic and decide whether it poses a threat.
The advantage of the hardware firewall is that it’s very easy to use, as it requires a minimum of user configuration and it can also protect all the workstations on your local network.
The downside, however, is that it does not handle outgoing traffic. This means that you are very susceptible to data leaks – vulnerable to having sensitive information leave your computer without your knowledge or permission. Collecting information from your computer and using your own internet connection to send it to a specific third party is exactly what trojans and keyloggers do. This kind of attack is devastating for a bank, or for any company that keeps a client database of personal and sensitive information, which today is pretty much any company that sells a product.
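To make the two points above concrete, here is a small stateful packet filter of the kind described for broadband routers, written for this article as an added example rather than taken from any router vendor: outgoing packets open a connection entry, incoming packets are accepted only when they answer a tracked connection or hit an explicit inbound rule, and outgoing traffic itself is never questioned. The packets, addresses and the exposed LAN server are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str  # "out" = leaving the LAN, "in" = arriving from the internet


class StatefulFilter:
    """Simplified stateful packet inspection of the kind a broadband router does.
    Every outgoing packet records a connection; an incoming packet is accepted
    only if it answers a recorded connection or hits an explicit inbound rule.
    Outgoing traffic is never examined beyond being recorded."""

    def __init__(self, inbound_allow=()):
        self.inbound_allow = set(inbound_allow)  # (lan_ip, port) deliberately exposed
        self.connections = set()                 # (src_ip, src_port, dst_ip, dst_port)

    def decide(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            # Remember the flow so the reply can be matched on the way back
            self.connections.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return "ALLOW"
        # Incoming: does it answer a tracked connection? (addresses are mirrored)
        if (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.connections:
            return "ALLOW"
        if (pkt.dst_ip, pkt.dst_port) in self.inbound_allow:
            return "ALLOW"
        return "DROP"


def demo() -> dict:
    """Run constructed sample traffic through the filter; addresses are from
    the RFC 5737 documentation ranges and a private LAN, not real hosts."""
    fw = StatefulFilter(inbound_allow=[("192.168.1.10", 443)])  # a LAN web server
    traffic = [
        ("request", Packet("192.168.1.20", 51000, "198.51.100.7", 80, "out")),
        ("reply", Packet("198.51.100.7", 80, "192.168.1.20", 51000, "in")),
        ("unsolicited", Packet("203.0.113.5", 4444, "192.168.1.20", 3389, "in")),
        ("to_exposed_server", Packet("203.0.113.5", 4444, "192.168.1.10", 443, "in")),
        # An unknown program on the LAN host talking out: nothing here can tell it
        # from legitimate traffic, which is the outgoing blind spot the text describes
        ("unknown_outbound", Packet("192.168.1.20", 51001, "203.0.113.5", 4444, "out")),
    ]
    return {name: fw.decide(pkt) for name, pkt in traffic}
```

The reply to the web request and the traffic to the deliberately exposed server pass, the unsolicited inbound connection is dropped, and the unknown outbound connection passes untouched because nothing in the header tells the filter which program produced it.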
The software firewall handles both incoming and outgoing traffic equally. Because it runs on the actual machine, it can collect far more information about your internet traffic, both incoming and outgoing packets. Aside from the origin, destination and port used, it can also identify which application is trying to access the internet and generating the traffic. Software firewalls are also more flexible in the rules they can enforce on traffic, and they have a larger database that is constantly updated by antivirus companies via online updates.
So it would seem that the software firewall is a superior product to the hardware alternative, but unfortunately it does come with one major downside: cost. Because it can only protect individual computers, you need a software copy for every machine on your network, and this can prove very expensive for a company.
One thing that needs to be known is that the standard Windows Firewall does not handle outgoing traffic, and could, in a way, be compared to a hardware firewall. Specific rules for outgoing traffic can be set via the Advanced Security tab, but it is difficult to use, cluttered and cumbersome. Rules need to be set manually, and it is a complicated process unless you know exactly what every process and protocol does.