From TechRepublic's recent "10 Things" blog:
6: Deploy a hardware-based firewall
Let’s face it: The built-in Windows firewall is simply not sufficient.
If you want real security, you need a dedicated firewall on your
network. This firewall will be a single point of entry that will stop
many more attempted breaches than the standard software-based firewall
will. Besides, the hardware-based firewall will be far more flexible and
customizable. Look at a Cisco, Sonicwall, or Fortinet hardware firewall
as your primary protection.
This is an excellent, excellent (did I say excellent?) recommendation. If you or your business are plugged straight into the modem with nothing between you and the outside world, you're in jeopardy, and by jeopardy I don't mean the game show, I mean trouble. Why? Because your PC, or your group of PCs, then sits on a public IP address, and anyone on the Internet can send packets straight to it. There is no bouncer at the door keeping the bad guys and the junk out of your house, no extra layer that a connected device needs to operate more securely. Now, don't think a hardware firewall will make you invincible; I don't want to paint the wrong picture. What I do mean is that a hardware firewall, along with other security measures, makes you more secure.
What are the benefits of a hardware based firewall?
*cue hissing* Some techs don't think NAT is a security feature, but I do. There is some mystery around NAT: was it meant for security or wasn't it? I think it's up in the air. Even so, it's fair to say that NAT gives *some* security: your device gets a private, local IP instead of your public, external one, and the router only forwards inbound packets that match a translation entry created by an outbound connection. Intruders, at least the less experienced ones, won't learn your device's IP by scanning your public address, and they can't reach a service on it unsolicited unless you've set up port forwarding for it. No, it's not a super excellent security feature (it does nothing for traffic your own machines initiate, and IPv6 does away with it), but it's another layer of protection that's nice to have while we're still mostly in an IPv4 world.
With a hardware firewall you can write firewall rules: rules you create to allow the traffic you want coming into and leaving your network. You can make as many or as few rules as you like. Don't want RDP sessions coming into your network? Block TCP 3389. Don't like WMI packets coming in? Block those too (TCP 135, plus the dynamic RPC ports it hands out). It's customizable. Some techs start by blocking everything, then open ports one at a time as the need arises. For example, a tech had most ports blocked. He downloaded WoW, found that only part of it worked, realized he needed to open certain ports for the game, and opened just those. That's what I mean by block everything, then open ports as the situation calls for it. You don't need everything open right out of the gate; only open the ports you actually need, and mind the order of your rules, since most firewalls act on the first rule that matches.
Yes, Windows and other OSs have log viewers, but they're limited to your own system. With a hardware firewall you'll have logs telling you who and what was trying to get into your network, from a vantage point in front of every machine. You'll see your rules working: this intrusion dropped, this app allowed, that one blocked, and so on. It's helpful, and it's encouraging. You can see whether your firewall is doing its job: what's getting in, what's going out, and what's being blocked.
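To make the last two points concrete, here is an added example (my own illustration, not code from the original post or from any Cisco, SonicWall, Fortinet or Netgear product): a toy first-match, default-deny inbound firewall in the "block everything, then open what you need" style, evaluated over a handful of constructed connection attempts, with each decision written as a syslog-style line and then summarized the way a firewall's log view would show it. The rule names, addresses (RFC 5737 documentation ranges), timestamps and log format are all made up for the example.

```python
"""Added example: first-match, default-deny inbound ruleset plus log summary.
Addresses, timestamps, rule names and log format are constructed for illustration."""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "block"
    proto: str            # "tcp", "udp" or "any"
    src: str              # source CIDR; "0.0.0.0/0" matches any address
    dport: Optional[int]  # destination port; None matches any port
    name: str             # what shows up in the log


# Order matters: like most firewalls this evaluates top to bottom and stops at
# the first match, so the catch-all "default deny" must be the LAST rule.
RULES = [
    Rule("block", "tcp", "0.0.0.0/0", 3389, "no inbound RDP"),
    Rule("block", "tcp", "0.0.0.0/0", 135, "no inbound WMI/RPC"),
    Rule("allow", "tcp", "203.0.113.0/24", 22, "SSH from the office range"),
    Rule("allow", "tcp", "0.0.0.0/0", 443, "public HTTPS server"),
    Rule("block", "any", "0.0.0.0/0", None, "default deny"),
]


def evaluate(rules, proto, src_ip, dport):
    """Return (action, rule_name) for the first rule matching an inbound attempt."""
    src = ip_address(src_ip)
    for r in rules:
        if r.proto not in ("any", proto):
            continue
        if src not in ip_network(r.src):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, r.name
    # Only reached if someone drops the trailing default-deny rule: fail closed.
    return "block", "implicit deny"


def log_line(ts, action, name, proto, src_ip, dport):
    """One syslog-style record per decision (format is made up for the example)."""
    return f'{ts} fw {action.upper()} rule="{name}" proto={proto} src={src_ip} dport={dport}'


# Constructed inbound attempts: (timestamp, proto, source IP, destination port)
ATTEMPTS = [
    ("10:00:01", "tcp", "198.51.100.7", 3389),   # RDP probe from the Internet
    ("10:00:02", "tcp", "198.51.100.7", 135),    # WMI/RPC endpoint mapper probe
    ("10:00:03", "tcp", "203.0.113.15", 22),     # SSH from the allowed office range
    ("10:00:04", "tcp", "198.51.100.9", 22),     # SSH from somewhere else
    ("10:00:05", "tcp", "192.0.2.44", 443),      # visitor to the HTTPS server
    ("10:00:06", "udp", "192.0.2.44", 5060),     # SIP scan, no rule opens it
]


def run(rules=RULES, attempts=ATTEMPTS):
    """Evaluate every attempt and return the resulting log lines."""
    lines = []
    for ts, proto, src, dport in attempts:
        action, name = evaluate(rules, proto, src, dport)
        lines.append(log_line(ts, action, name, proto, src, dport))
    return lines


def summarize(lines):
    """What a firewall log view shows: how often each (action, rule) fired."""
    counts = Counter()
    for line in lines:
        action = line.split()[2]
        name = line.split('rule="')[1].split('"')[0]
        counts[(action, name)] += 1
    return counts


if __name__ == "__main__":
    log = run()
    print("\n".join(log))
    for (action, name), n in summarize(log).most_common():
        print(f"{n:>3}  {action:<5} {name}")
```

The summary is the "see your rules working" view from the paragraph above: two attempts fall through to the default deny, the RDP and WMI probes are caught by their explicit rules, and only the two things you deliberately opened get through. Try moving the "default deny" rule to the top of `RULES`: every attempt is then blocked, including the HTTPS visitor, which is exactly the ordering mistake to check for after editing rules on a real appliance.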
Those are three reasons I can think of right off the bat for getting a hardware firewall. You don't have to spend hundreds of dollars on one, either: consumer routers come with firewalls built in. For my home I use a Netgear wireless router that's excellent for my setup; the firewall gives good protection and customization, and it's easy to use. Buy one.
Netgear WNR3500L: this link gives you the specs and has links to the stores it's sold at.
* I didn't make the image used in this blog post. I found it in a Google search from this website.