Features of software and hardware firewalls
Creating a secure system is a complex task. One of the security measures is the use of firewalls (they are firewalls and firewalls). As we all know, firewalls are software and hardware. The possibilities of the first and second are not limitless. In this article, we will try to figure out what firewalls of both types can do and what they cannot do.
First of all, you need to talk about what is software and what is a hardware solution. We are all used to the fact that if you buy some kind of hardware, this solution is called hardware, and if a software box, then this is a sign of a software solution. In our opinion, the difference between a hardware and software solution is rather arbitrary. What is an iron box? In fact, this is the same computer, albeit with a different architecture, albeit with slightly limited capabilities (you cannot connect a keyboard and a monitor to it, it is “sharpened” for the performance of one function) to which the software is installed. Software is some kind of UNIX system with a “web-muzzle”. The functions of the hardware firewall depend on the packet filter used (again, this is software) and the “web muzzle” itself. All hardware firewalls can be “reflashed”, that is, in fact, just replace the software. Yes, and with this firmware (which in the good old days was performed using the programmer), the process of updating the “firmware” on modern devices has little in common. Just on the "flash drive" inside the "glands" is written new software. A software firewall is software that is installed on an already existing most ordinary computer, but in the case of a hardware firewall, there is no software at all, and in the case of a software firewall, there is no hardware. That is why the line between these types of firewalls is very conditional.
The biggest difference between software and hardware firewall is not even functionality. No one bothers to choose a hardware firewall with the necessary functions. The difference is in the way of use. As a rule, a software firewall is installed on each PC of the network (on each server and on each workstation), and a hardware firewall protects not the individual PC, but the entire network at once. Of course, no one will prevent you from installing a hardware firewall for each PC, but it all comes down to money. Given the cost of hardware, you are unlikely to want to protect every PC hardware with a firewall.
The “iron” firewalls have the following advantages:
')
The advantages of software solutions include:
We will not write about the shortcomings - they follow from the advantages. The advantages of one type of firewall are usually disadvantages of another type. For example, the disadvantages of hardware solutions include the cost and impossibility of protecting the local network from the inside, and the disadvantages of software solutions include the complexity of deployment and use (although, as noted, everything is relative).
True, there is one drawback to hardware firewalls that is worth mentioning. As a rule, all hardware firewalls have a reset button, by clicking which you can return the default settings. To press this button you do not need to have any special qualifications. But in order to change the parameters of the software firewall, you need to at least get administrator rights. By pressing one button, a disgruntled employee may compromise the security of the entire enterprise (or leave the enterprise without access to the Internet, which is even better). Therefore, when using hardware solutions, you need to take a more responsible approach to the physical security issues of the devices themselves.
Next, we will try to understand which firewall provides the best protection: software or hardware. The firewall integrated into the TP-Link router will act as the hardware. As a software - Cyber ​​saves Firewall .
To test firewalls, we will use utilities from www.testmypcsecurity.com , namely Jumper, DNStester and CPIL Suite (developed by Comodo). Immediately we warn you: unlike certified tools like XSpider, these utilities use the same methods as malware, which they simulate. That is why at the time of testing (if you want to repeat the results) all anti-virus protection products must be deactivated.
One could, of course, consider the XSpider, but this test would be too boring and uninteresting for the end reader. And who can imagine an intruder who uses a certified scanner?
Briefly about utilities:
All these utilities will be launched from the inside, that is, directly from the computers being tested. But outside we will scan the good old nmap.
So, we have two computers. Both are connected to the Internet. One is connected through a hardware firewall (running on the TP-Link router base) and neither a software firewall nor an antivirus is installed on it. The second computer is connected to the Internet directly and is protected by the CyberSafe software firewall. The first computer is running Windows 7, and the second is Windows Server 2008 R2.
Jumper, running as an administrator (to be honest, many users work with such rights), successfully completed its task in Windows 7 (Fig. 1). Nothing could prevent him - after all, on our system not one security tool was installed, no antivirus, no firewall, no IDS / IPS, and the hardware firewall didn’t care what happened on client computers. He can not affect what is happening.
Fig. 1. Jumper in Windows 7
For the sake of justice, it should be noted that if the user was not working as an administrator, then Jumper would have failed.
In Windows Server 2008, Jumper did not even start, but this is not the merit of the firewall, but of the operating system itself. Therefore, here between the firewalls - parity, since protection against this vulnerability can be provided by the means of the operating system itself.
The purpose of this test is to send a recursive DNS request. By default, starting with Windows 2000, the Windows DNS Client accepts requests for all DNS queries and manages them. Thus, all DNS requests from all applications in the system will be sent to the DNS client (SVCHOST.EXE). The DNS query itself makes the DNS client directly. DNStester uses a recursive DNS query to bypass the firewall, in other words, the service refers to itself.
Fig. 2. Test failed
If you leave the default settings for the firewall, then neither the software nor the hardware firewall failed to cope with this test. It is clear that the hardware firewall does not care what happens at the workstation, so it’s impossible to expect that it will protect the system from this vulnerability. In any case, with default settings (and they practically did not change).
But this does not mean that the Cybersafe Firewall is a bad firewall. When the security level increased to the third, the test was fully passed (see Fig. 3). The program reported an error in the DNS request. To make sure that this is not the merit of Windows Server 2008, the test was repeated on a Windows 7 machine.
Fig. 3. Test passed (DNStest)
For the sake of fairness, it should be noted that if an antivirus is installed on the computer, then most likely this application will be quarantined, but it will still be able to send one request (Fig. 4).
Fig. 4. Comodo Anti-Virus blocks unwanted application.
So, a hardware firewall with default settings failed all three CPIL tests (if you click on Tell me more about Test, a window will appear explaining the principle of the test). But he failed them in some strange way. Passing the test involves the following sequence of actions:
Fig. 5. CPIL Test Suite
After this, the browser should have opened with the test results. In addition to the message that the test failed, the results page should have displayed the value we entered, which was passed to the script as a GET parameter (see Figure 6). It can be seen that the value (2 in the address bar) was transmitted, but the script did not display it. Error in Comodo Script? Of course, everyone is mistaken, but our confidence in this test has diminished.
Fig. 6. Test result (hardware firewall)
But when using a software firewall tests CPIL did not even run. When you press buttons 1 - 3, nothing happened (Fig. 7). Is it really the merit of Windows Server 2008, and not the firewall? We decided to check it out. Therefore, on a computer with Windows 7, protected by a hardware firewall, CyberSafe Firewall was installed. But in Windows 7, the utility managed to break through the firewall defense. The first and third tests were passed, but when we clicked Test 2, we had to contemplate a Chrome browser window, similar to that shown in Figure. 6
Fig. 7. When you click a button, nothing happens (it is clear that the antivirus is disabled)
Fig. 8. Tests 1 and 3 passed
Before that, we tried to break through the firewall from the inside. Now let's try to scan the system protected by the firewall. Scan will be a nmap scanner. No one doubted the results of the hardware firewall - everything is closed and it is impossible to even determine the type of the system being tested (Fig. 9 and 10). In all the following illustrations, the IP addresses are hidden because they are permanent — so that no one has any desire to repeat the test on our addresses.
Fig. 9. Scan hardware firewall
Fig. 10. Hardware Firewall Scan (host details)
Now we will try to scan the system protected by a software firewall. Understandably, by default, the software firewall will skip everything and everyone (Fig. 11).
Fig. 11. Open ports (software firewall, default settings)
Fig. 12. Defined system type (software firewall, default settings)
When the rules are set, everything falls into place (Fig. 13). As you can see, the software firewall ensures the security of the protected system is no worse than its “iron” counterpart.
Fig. 13. No open ports.
Why is it so important to provide protection inside the local network? Many administrators mistakenly do not pay attention to protection from within, but in vain. Indeed, inside the local network, you can implement a lot of attacks. Consider some of them.
Before connecting to the network, the computer sends an ARP request to let you know if the computer’s IP address is not busy. When there are several Windows-machines with one IP-address in the local network, the user sees a window with the message that the IP-address is busy (used by another computer). Windows learns about the busy IP address using the ARP protocol.
ARP-attack is that the attacker floods machines that are running Windows. And hundreds of requests will be sent to each computer, as a result, the user will not be able to close the constantly pop-up windows and will be forced to at least restart the computer.
The situation is a little pleasant. But the presence of a firewall at the workstation will allow to negate all the efforts of the attacker.
DoS-attacks (attacks on failure) are possible not only on the Internet, but also in local networks. Only methods of such attacks differ. The nature of DoS attacks can be anyone, however, it is impossible to fight with them without a firewall that would be installed on each local network machine.
One type of DoS attack that can be successfully used on a local network is ICMP flood. Firewall CyberSafe Firewall contains dedicated funds to combat this type of attack (Fig. 14). It also contains means of balancing the load on the server , which can also help in the fight against DoS attacks.
Fig. 14. ICMP Security (CyberSafe Firewall)
You can read more about DOS attacks in the article “How to protect yourself from DoS / DDoS attacks” .
In a local network, computers are identified not only by IP address, but also by MAC address. Some administrators allow access to certain resources by MAC address, since IP addresses are usually dynamic and are issued by DHCP. This decision is not very justified, since the MAC address is very easy to change. Unfortunately, it is not always possible to protect yourself from changing the MAC address using a firewall. Not every firewall tracks the change of the MAC address, as it is usually associated with IP addresses. Here the most effective solution is to use a switch that allows you to bind a MAC address to a specific physical port of the switch. It is almost impossible to deceive such a defense, but it also costs a lot. True, there are software ways to deal with changing the MAC-address , but they are less effective. If you are interested in a firewall that can recognize the substitution of a MAC address, then pay attention to Kaspersky Internet Security 8.0 . True, the latter is able to recognize the substitution of the MAC address of the gateway only. But he fully recognizes the substitution of the IP address of the computer and the IP flood.
In networks where access to resources is restricted by IP addresses, an attacker can change the IP address and gain access to the protected resource. When using the Firewall Cybersafe Firewall, such a scenario is impossible, since there is no binding to IP addresses even at the firewall itself. Even if you change the IP address of the computer, it still will not become part of the ISPDn into which the attacker seeks to penetrate.
This type of attack is based on sending a victim of “fake” ICMP packets. The essence of this attack is in the substitution of the gateway address - the ICMP packet is sent to the victim, reporting a shorter route. But in fact, the packets will not pass through the new router, but through the attacker's computer. As noted earlier, CyberSafe Firewall provides ICMP security. Similarly, other firewalls can be used.
There are many other attacks in local networks - both sniffers and various attacks using DNS. Whatever it was, and the use of software firewalls installed on each workstation, can significantly improve security.
The protection of an information system must be complex - this includes software and hardware firewalls, antiviruses, and the correct setting of the system itself. As for our confrontation between software and hardware firewalls, the former are effectively used to protect each network node, and the latter - to protect the entire network. The hardware firewall cannot protect each individual workstation, is powerless in case of attacks within the network, and cannot differentiate an ISPD, which must be performed in the context of personal data protection.
Software and hardware firewalls
First of all, you need to talk about what is software and what is a hardware solution. We are all used to the fact that if you buy some kind of hardware, this solution is called hardware, and if a software box, then this is a sign of a software solution. In our opinion, the difference between a hardware and software solution is rather arbitrary. What is an iron box? In fact, this is the same computer, albeit with a different architecture, albeit with slightly limited capabilities (you cannot connect a keyboard and a monitor to it, it is “sharpened” for the performance of one function) to which the software is installed. Software is some kind of UNIX system with a “web-muzzle”. The functions of the hardware firewall depend on the packet filter used (again, this is software) and the “web muzzle” itself. All hardware firewalls can be “reflashed”, that is, in fact, just replace the software. Yes, and with this firmware (which in the good old days was performed using the programmer), the process of updating the “firmware” on modern devices has little in common. Just on the "flash drive" inside the "glands" is written new software. A software firewall is software that is installed on an already existing most ordinary computer, but in the case of a hardware firewall, there is no software at all, and in the case of a software firewall, there is no hardware. That is why the line between these types of firewalls is very conditional.
The biggest difference between software and hardware firewall is not even functionality. No one bothers to choose a hardware firewall with the necessary functions. The difference is in the way of use. As a rule, a software firewall is installed on each PC of the network (on each server and on each workstation), and a hardware firewall protects not the individual PC, but the entire network at once. Of course, no one will prevent you from installing a hardware firewall for each PC, but it all comes down to money. Given the cost of hardware, you are unlikely to want to protect every PC hardware with a firewall.
Advantages of hardware firewalls
The “iron” firewalls have the following advantages:
- Relative ease of deployment and use . I connected, turned on, set the parameters via the web interface and forgot about its existence. However, modern software firewalls support deployment through ActiveDirectory , which also does not take much time. But, firstly, not all firewalls support ActiveDirectory, and, secondly, Windows is not always used in the enterprise.
- Dimensions and power consumption . As a rule, hardware firewalls have more modest size and lower power consumption. True, energy consumption does not always play a role, but dimensions are important. One thing is a small compact box, another - a huge "sistemnik."
- Performance . Typically, the performance of the hardware solution is higher. If only because the hardware firewall is engaged only in its immediate function - packet filtering. It does not run any third-party processes and services, as is often the case with software firewalls. Just imagine that you organized a software gateway (with firewall and NAT functions) based on a server running Windows Server. It is unlikely that you will allocate a whole server only for firewall and NAT. It is irrational. Most likely, other services will be running on it - the same AD, DNS, etc. Already silent about the database and postal services.
- Reliability It is believed that hardware solutions are more reliable (precisely because they rarely run third-party services). But no one bothers you to select a separate system integrator (even if not the most modern), install the same FreeBSD (one of the most reliable operating systems in the world) on it, and configure firewall rules. I think the reliability of such a solution will not be lower than in the case of a hardware firewall. But such a task requires advanced administrator skills, which is why it was previously noted that hardware solutions are easier to use.
')
Benefits of Software Firewalls
The advantages of software solutions include:
- Cost The price of a software firewall is usually lower than the hardware. For the price of an average hardware solution, you can protect the entire network with a software firewall.
- Ability to protect the network from the inside . Threats do not always come from the outside. Inside the local network there are many threats. Attacks can come from internal computers. Any LAN user, for example, dissatisfied with a company, can initiate an attack. As already noted, you can, of course, use a separate hardware router to protect each individual node, but in practice we have not encountered such solutions. Painfully they are irrational.
- The ability to distinguish the local network segments without subnetting . In most cases, computers of different departments, for example, accounting, finance, IT, etc., are connected to the local network. These computers do not always have to interact with each other. How to perform the delimitation of ISPDn? The first solution is to create multiple subnets (for example, 192.168.1.0, 192.168.2.0, etc.) and set up proper routing between these subnets. It cannot be said that the solution is very complicated, but still more difficult than using a software firewall. And it is not always possible to select subnets for one reason or another. The second solution is to use a firewall designed specifically to protect ISPD (not all software firewalls easily distinguish ISPD ). In this case, even in the largest network, you can make an ISPD demarcation in a matter of minutes, and you do not have to bother with setting up routing.
- Ability to deploy on existing servers . It makes no sense to buy another "piece of iron" if there is an adequate computer park. It is enough to deploy a firewall on one of the servers and configure NAT and routing. Usually both of these operations are performed through the graphical interface of the firewall and are implemented with a few mouse clicks in the right places.
- Advanced functionality . As a rule, the functionality of software firewalls is wider than that of their hardware counterparts. For example , some firewalls provide load balancing functions, IDS / IPS, and other similar useful things that help improve the overall security of the data processing system. Yes, not all software firewalls have such functions, but nothing and no one bothers you to choose a firewall that meets your needs. Of course, some hardware complexes have such functions. For example, StoneGate IPS - provides the functionality of an intrusion prevention system, but the cost of such solutions will not always please the management of the enterprise. There are also hardware load balancers, but they are even more expensive than hardware IPS.
We will not write about the shortcomings - they follow from the advantages. The advantages of one type of firewall are usually disadvantages of another type. For example, the disadvantages of hardware solutions include the cost and impossibility of protecting the local network from the inside, and the disadvantages of software solutions include the complexity of deployment and use (although, as noted, everything is relative).
True, there is one drawback to hardware firewalls that is worth mentioning. As a rule, all hardware firewalls have a reset button, by clicking which you can return the default settings. To press this button you do not need to have any special qualifications. But in order to change the parameters of the software firewall, you need to at least get administrator rights. By pressing one button, a disgruntled employee may compromise the security of the entire enterprise (or leave the enterprise without access to the Internet, which is even better). Therefore, when using hardware solutions, you need to take a more responsible approach to the physical security issues of the devices themselves.
Battle firewalls
Next, we will try to understand which firewall provides the best protection: software or hardware. The firewall integrated into the TP-Link router will act as the hardware. As a software - Cyber ​​saves Firewall .
To test firewalls, we will use utilities from www.testmypcsecurity.com , namely Jumper, DNStester and CPIL Suite (developed by Comodo). Immediately we warn you: unlike certified tools like XSpider, these utilities use the same methods as malware, which they simulate. That is why at the time of testing (if you want to repeat the results) all anti-virus protection products must be deactivated.
One could, of course, consider the XSpider, but this test would be too boring and uninteresting for the end reader. And who can imagine an intruder who uses a certified scanner?
Briefly about utilities:
- Jumper - allows you to bypass the firewall using the methods of "DLL injection" and "thread injection".
- DNS Tester - uses a recursive DNS query to bypass the firewall.
- CPIL Suite - a set of tests (3 tests) from the company Comodo.
All these utilities will be launched from the inside, that is, directly from the computers being tested. But outside we will scan the good old nmap.
So, we have two computers. Both are connected to the Internet. One is connected through a hardware firewall (running on the TP-Link router base) and neither a software firewall nor an antivirus is installed on it. The second computer is connected to the Internet directly and is protected by the CyberSafe software firewall. The first computer is running Windows 7, and the second is Windows Server 2008 R2.
Test 1: Jumper
Jumper, running as an administrator (to be honest, many users work with such rights), successfully completed its task in Windows 7 (Fig. 1). Nothing could prevent him - after all, on our system not one security tool was installed, no antivirus, no firewall, no IDS / IPS, and the hardware firewall didn’t care what happened on client computers. He can not affect what is happening.
Fig. 1. Jumper in Windows 7
For the sake of justice, it should be noted that if the user was not working as an administrator, then Jumper would have failed.
In Windows Server 2008, Jumper did not even start, but this is not the merit of the firewall, but of the operating system itself. Therefore, here between the firewalls - parity, since protection against this vulnerability can be provided by the means of the operating system itself.
Test 2. DNStester
The purpose of this test is to send a recursive DNS request. By default, starting with Windows 2000, the Windows DNS Client accepts requests for all DNS queries and manages them. Thus, all DNS requests from all applications in the system will be sent to the DNS client (SVCHOST.EXE). The DNS query itself makes the DNS client directly. DNStester uses a recursive DNS query to bypass the firewall, in other words, the service refers to itself.
Fig. 2. Test failed
If you leave the default settings for the firewall, then neither the software nor the hardware firewall failed to cope with this test. It is clear that the hardware firewall does not care what happens at the workstation, so it’s impossible to expect that it will protect the system from this vulnerability. In any case, with default settings (and they practically did not change).
But this does not mean that the Cybersafe Firewall is a bad firewall. When the security level increased to the third, the test was fully passed (see Fig. 3). The program reported an error in the DNS request. To make sure that this is not the merit of Windows Server 2008, the test was repeated on a Windows 7 machine.
Fig. 3. Test passed (DNStest)
For the sake of fairness, it should be noted that if an antivirus is installed on the computer, then most likely this application will be quarantined, but it will still be able to send one request (Fig. 4).
Fig. 4. Comodo Anti-Virus blocks unwanted application.
Test 3. Comodo Test Suite (CPIL)
So, a hardware firewall with default settings failed all three CPIL tests (if you click on Tell me more about Test, a window will appear explaining the principle of the test). But he failed them in some strange way. Passing the test involves the following sequence of actions:
- You need to enter the transmitted data. We entered the values ​​1, 2, 3 for tests 1, 2 and 3, respectively.
- Then press one of the test call buttons (Fig. 5)
Fig. 5. CPIL Test Suite
After this, the browser should have opened with the test results. In addition to the message that the test failed, the results page should have displayed the value we entered, which was passed to the script as a GET parameter (see Figure 6). It can be seen that the value (2 in the address bar) was transmitted, but the script did not display it. Error in Comodo Script? Of course, everyone is mistaken, but our confidence in this test has diminished.
Fig. 6. Test result (hardware firewall)
But when using a software firewall tests CPIL did not even run. When you press buttons 1 - 3, nothing happened (Fig. 7). Is it really the merit of Windows Server 2008, and not the firewall? We decided to check it out. Therefore, on a computer with Windows 7, protected by a hardware firewall, CyberSafe Firewall was installed. But in Windows 7, the utility managed to break through the firewall defense. The first and third tests were passed, but when we clicked Test 2, we had to contemplate a Chrome browser window, similar to that shown in Figure. 6
Fig. 7. When you click a button, nothing happens (it is clear that the antivirus is disabled)
Fig. 8. Tests 1 and 3 passed
Test 4. Scan from the outside
Before that, we tried to break through the firewall from the inside. Now let's try to scan the system protected by the firewall. Scan will be a nmap scanner. No one doubted the results of the hardware firewall - everything is closed and it is impossible to even determine the type of the system being tested (Fig. 9 and 10). In all the following illustrations, the IP addresses are hidden because they are permanent — so that no one has any desire to repeat the test on our addresses.
Fig. 9. Scan hardware firewall
Fig. 10. Hardware Firewall Scan (host details)
Now we will try to scan the system protected by a software firewall. Understandably, by default, the software firewall will skip everything and everyone (Fig. 11).
Fig. 11. Open ports (software firewall, default settings)
Fig. 12. Defined system type (software firewall, default settings)
When the rules are set, everything falls into place (Fig. 13). As you can see, the software firewall ensures the security of the protected system is no worse than its “iron” counterpart.
Fig. 13. No open ports.
LAN attacks
Why is it so important to provide protection inside the local network? Many administrators mistakenly do not pay attention to protection from within, but in vain. Indeed, inside the local network, you can implement a lot of attacks. Consider some of them.
ARP attack
Before connecting to the network, the computer sends an ARP request to let you know if the computer’s IP address is not busy. When there are several Windows-machines with one IP-address in the local network, the user sees a window with the message that the IP-address is busy (used by another computer). Windows learns about the busy IP address using the ARP protocol.
ARP-attack is that the attacker floods machines that are running Windows. And hundreds of requests will be sent to each computer, as a result, the user will not be able to close the constantly pop-up windows and will be forced to at least restart the computer.
The situation is a little pleasant. But the presence of a firewall at the workstation will allow to negate all the efforts of the attacker.
DoS attacks, including various flood attacks
DoS-attacks (attacks on failure) are possible not only on the Internet, but also in local networks. Only methods of such attacks differ. The nature of DoS attacks can be anyone, however, it is impossible to fight with them without a firewall that would be installed on each local network machine.
One type of DoS attack that can be successfully used on a local network is ICMP flood. Firewall CyberSafe Firewall contains dedicated funds to combat this type of attack (Fig. 14). It also contains means of balancing the load on the server , which can also help in the fight against DoS attacks.
Fig. 14. ICMP Security (CyberSafe Firewall)
You can read more about DOS attacks in the article “How to protect yourself from DoS / DDoS attacks” .
Change MAC-address
In a local network, computers are identified not only by IP address, but also by MAC address. Some administrators allow access to certain resources by MAC address, since IP addresses are usually dynamic and are issued by DHCP. This decision is not very justified, since the MAC address is very easy to change. Unfortunately, it is not always possible to protect yourself from changing the MAC address using a firewall. Not every firewall tracks the change of the MAC address, as it is usually associated with IP addresses. Here the most effective solution is to use a switch that allows you to bind a MAC address to a specific physical port of the switch. It is almost impossible to deceive such a defense, but it also costs a lot. True, there are software ways to deal with changing the MAC-address , but they are less effective. If you are interested in a firewall that can recognize the substitution of a MAC address, then pay attention to Kaspersky Internet Security 8.0 . True, the latter is able to recognize the substitution of the MAC address of the gateway only. But he fully recognizes the substitution of the IP address of the computer and the IP flood.
IP address spoofing
In networks where access to resources is restricted by IP addresses, an attacker can change the IP address and gain access to the protected resource. When using the Firewall Cybersafe Firewall, such a scenario is impossible, since there is no binding to IP addresses even at the firewall itself. Even if you change the IP address of the computer, it still will not become part of the ISPDn into which the attacker seeks to penetrate.
Routing attacks
This type of attack is based on sending a victim of “fake” ICMP packets. The essence of this attack is in the substitution of the gateway address - the ICMP packet is sent to the victim, reporting a shorter route. But in fact, the packets will not pass through the new router, but through the attacker's computer. As noted earlier, CyberSafe Firewall provides ICMP security. Similarly, other firewalls can be used.
There are many other attacks in local networks - both sniffers and various attacks using DNS. Whatever it was, and the use of software firewalls installed on each workstation, can significantly improve security.
findings
The protection of an information system must be complex - this includes software and hardware firewalls, antiviruses, and the correct setting of the system itself. As for our confrontation between software and hardware firewalls, the former are effectively used to protect each network node, and the latter - to protect the entire network. The hardware firewall cannot protect each individual workstation, is powerless in case of attacks within the network, and cannot differentiate an ISPD, which must be performed in the context of personal data protection.
Source: https://habr.com/ru/post/268787/
All Articles