Are there any compelling reasons to protect a dedicated server (Windows 2008 R2 in my case) with a hardware firewall? What security concerns would a hardware firewall cover better than the built-in software firewall?
Thanks,
Adrian
Edit: To clarify: I am referring to a server running a SaaS website run by a Micro-ISV that is used by clients on a regular basis. I am not referring to a multi-million business.
2nd Edit: Server load is not an issue in my case. The server is never running at more than 20% CPU or more than 50% memory load. Nor is centralized administration - there is only one Windows server.
Obviously "professional-grade" isn't an official term with definite properties, but if we assume it to generally mean the best-case configuration, then yes, a hardware firewall is preferred in my experience. While hardware and software firewalls can theoretically perform the same functions, a hardware firewall allows you to offload that work to a dedicated device. "Professional-grade" firewalls also have features that most software firewalls do not, and allow for much more advanced management. Also, any "professional-grade" configuration will generally include strong vendor support, which is generally superior for hardware firewalls.
Edited to add: More specifically, it runs on dedicated hardware, so it doesn't rob performance from your boxes. It sits at the border of your network, so that you have the "vault door" approach that @jowqwerty noted. It provides centralized management of firewall rules, NAT translations, etc. for multiple servers. It may allow more advanced NAT/PAT configurations or other options than a typical software firewall. It typically has stronger professional vendor support.
If you have only a single server, then I think it's OK to rely on the built-in software firewall if you know what you are doing.
However, when you have 2, 3, 4 ... 10 servers, this becomes rather complex to manage, and you're better off with a hardware firewall you can manage in one place instead.
(you'll still want software and hardware firewalls for the whole "defense in depth" theory, though, so you can't get out of running the software firewalls on each server in any case. In my experience, Windows Server 2008 and beyond have excellent software firewalls and we used them exclusively on Stack Overflow for 2 years.)
"Hardware" firewalls are just dedicated devices running firewall software. They aren't actually implemented solely in hardware. That said, most hardware firewalls are thoroughly bulletproofed against script-kiddies, malware, and various exploits that might exist in a full Windows PC. For high value sites I would never trust Windows software to be secure enough on its own.
We don't have a firewall protecting any of our servers. Here's why:
Host-based security says that any open port is a potential vulnerability (including, but not limited to, the ports you're intentionally making available to the public). If your servers simply do not have any open ports but the ones that you want to make available to the public, that's almost the same protection as a firewall will give you. The only added benefit that a firewall will bring is that you can easily control which IP addresses on the internet are (or are not) allowed to access the otherwise publicly-available ports. However, many servers have this functionality built in anyway. One other benefit is that a hardware firewall can be configured to use only one public IP address for many machines - which is mostly what they're used for these days.
Also, if there are ports open and servers running that you don't want to make publicly available because you know they're vulnerable somehow (and thus need the protection of a separate firewall), security doctrine says that's little protection against attackers, because there are several ways to circumvent the firewall anyway. Say you have an SSH or HTTP server behind a firewall, and several vulnerable Windows machines on the same network. Should someone break into the server, they have access to the entire internal network. Likewise, should someone download a virus, that computer could attack your server from inside the network.
You're better off using the firewall software on the server and not bothering with the "hardware" firewall. That is, if you even need a firewall to begin with. Secure your web server such that the only software it's running is IIS, and only IIS will be vulnerable to attack. Which would be true whether you have a firewall or not.
Edited to add:
I also originally wanted to point out that a hardware firewall also adds a single point of failure to the network. This issue is also one of the major reasons we don't have a firewall protecting our servers. While it centralizes administration, it also centralizes outages caused by administration. It's also worth noting that all the servers run Debian, and vulnerabilities in the kernel and libraries are patched in a reasonable amount of time.
While hardware firewalls ensure that the holes don't line up, attackers are mostly interested in where the holes do line up: like in the ports that are specifically open in the firewall. If there's a vulnerability in a service that you provide, that is where they will attack. And get through your firewall(s). And attack the rest of the network, looking for the easier vulnerabilities that the firewall was supposedly protecting.
FYI, we haven't had any servers exploited since switching to Debian and using the Debsecan software, save for a few webmail accounts that fell victim to phishing attacks.
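As an added example, not part of this answer or any of the others, here is what the host-based approach described above looks like on the asker's single Windows Server 2008 R2 box using the built-in firewall: default-deny inbound, expose only the IIS ports, and scope the management port to an administrative network. The admin network address and the rule names are assumed placeholders.

```powershell
# Added example: host-based firewall baseline for a single IIS server on Windows Server 2008 R2.
# Uses netsh advfirewall, which is what 2008 R2 ships (the NetSecurity cmdlets arrived with 2012).
# Run from an elevated PowerShell prompt. Addresses below are assumed placeholders.

$AdminNet = "203.0.113.0/24"   # assumed: management network allowed to reach RDP (documentation range)

# 1. Default posture on every profile: drop unsolicited inbound, allow outbound, log what is dropped.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging filename "%systemroot%\system32\LogFiles\Firewall\pfirewall.log"

# 2. Expose only what the public is meant to reach: IIS on 80/443.
netsh advfirewall firewall add rule name="IIS HTTP"  dir=in action=allow protocol=TCP localport=80
netsh advfirewall firewall add rule name="IIS HTTPS" dir=in action=allow protocol=TCP localport=443

# 3. The port that must NOT be public: allow RDP only from the admin network.
netsh advfirewall firewall add rule name="RDP from admin net" dir=in action=allow protocol=TCP localport=3389 remoteip=$AdminNet

# 4. Disable the broad built-in Remote Desktop rule group so step 3 is the only path to 3389.
netsh advfirewall firewall set rule group="Remote Desktop" new enable=no

# 5. Verify: list every enabled inbound allow rule with the local port and remote scope it opens.
#    (parses netsh's text output, the only programmatic interface on 2008 R2)
$rules  = netsh advfirewall firewall show rule name=all dir=in | Out-String
$blocks = $rules -split "`r`n`r`n" | Where-Object { $_ -match "Enabled:\s+Yes" -and $_ -match "Action:\s+Allow" }
$blocks | ForEach-Object {
    $name = ([regex]::Match($_, "Rule Name:\s+(.+)")).Groups[1].Value.Trim()
    $port = ([regex]::Match($_, "LocalPort:\s+(.+)")).Groups[1].Value.Trim()
    $rip  = ([regex]::Match($_, "RemoteIP:\s+(.+)")).Groups[1].Value.Trim()
    "{0,-40} port={1,-10} remote={2}" -f $name, $port, $rip
}
```

Run step 3 before step 4 and from a console session, so a typo in the admin network cannot lock you out of your own server; the listing in step 5 should then show nothing open but 80, 443 and the scoped 3389 rule.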
It should be behind a firewall; however, there is not much of a difference between the types. A hardware firewall is just a proprietary OS, usually Linux, built into an enclosure, and it includes a support agreement that provides assistance when you have questions about the product. All do the same thing, and unless price and/or support are an issue, either will work fine.
Security comes in layers, like onions. You want both perimeter protection and host protection and all you can get in-between and inside the host protection (application and so on).
Hardware isn't, as most answers indicate, really any different today; it's just software in appliance form. I wouldn't hesitate to put a Microsoft TMG on the perimeter defense and then use the built-in firewalls for host defense, but generally there's some additional feel of safety (and increased maintenance burden) in mixing different firewall systems, like a Cisco appliance and/or a Linux-based perimeter firewall.
To be pedantic: It should be noted that some high-end commercial firewall appliances feature custom-designed ASIC chips which do some of the work in dedicated silicon, and not on the main CPU. Such beasts are generally not needed unless you're dealing with big traffic and big crypto. As others have noted, in casual usage "hardware firewall" means a device running a minimized, hardened OS and firewall software, with a support contract from the vendor.
To the original question: All complex systems have flaws. To mitigate the risk of exploit, we build layered systems, so that the holes don't line up.
Exhibit A: "The target area is only two meters wide. It's a small thermal exhaust port, right below the main port. The shaft leads directly to the reactor system."
I know I'm coming in after an answer has been accepted, but my perspective is you go with a hardware firewall, too. Even in your given situation, the low-end hardware firewalls (< US$1000) would do you good. Defense in depth is part of it. But part of it is that the hardware firewalls have specialized chips to handle the network load. Meaning they handle the traffic better. Also, by allowing the firewall to handle all the nonsense (and if you ever put an IDS on the edge you'll see what I mean by nonsense), you offload that from your servers, thereby allowing them to function better. Their memory and CPU isn't being tied up discarding invalid traffic. The hardware firewall is doing it for them. Also, if you can pay a bit more, a lot of hardware firewalls are coming with built-in IDS/IPS functionality, meaning it can alert you if something is coming down the pipe that is cause for alarm.
Instead of thinking about it as a sysadmin and comparing the cost of doing it, think about it as a business person and ask 'what is the cost of not having a hardware firewall?' What would happen to your business if your servers went offline for X hours, or data was stolen? How many customers would you lose? What would happen to your business reputation?
Are you hosted in your office or in a data center? Most data centers offer a hardware firewall service with redundancy/failover/management for a monthly fee. Or get your own firewall. Several years ago we bought a little Cisco Pix for about $600 and it has been great.