Hardware Firewalls

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Hardware Firewalls

    Over the last couple of weeks I've been gathering opinions and experiences about hardware firewalls, but have still yet to reach a final conclusion. The question.. Is it actually worthwhile running a hardware firewall?

    Some history; I run a small network at home, with five CLI Gentoo boxes and ADSL. One box runs limited services (apache, ssh) and the rest are clients/workhorses that require no incoming requests from the outside world (and to my knowledge do a rather fine job of ignoring such things).

    From feedback I've received so far, there are some good opinions for running a hardware firewall...
    • Makes up for having a shite ADSL router i.e. logs, activity/bandwidth reporting, and so on
    • Probably provides some form of security against the most common attacks
    • Provides said form of security between networks (e.g. wired, wireless)


    And also some bad opinions...
    • It complicates the network, opening more security holes than it prevents
    • On a badly configured network, it's the equivalent of taking a rust-ridden car into the paint shop and asking for a "quick touch-up"
    • And the funniest one I've heard yet, "Are you kidding me?". He WAS wearing a trenchcoat though.


    I've searched the DefCon forums and found some vaguely relevant discussions (namely here and here), Skroo's recommendation of the Cisco Pix 501 is burnt into my retinas, and I now have a whole list of topics that need further research before choosing a firewall. Assuming I make the right one, the question still remains. Is it worth running one?

    Opinions/experiences appreciated.
    "There are those who do the work and those who take the credit. I try to be in the first group, there is less competition there." -- Gandhi

  • #2
    Well, you do get a speed and performance boost running some hardware firewalls.
    What have you looked at besides PIX?

    I work in the corporate world, so I have to eval this type of stuff all the time. I can probably provide some insight.

    I return whatever i wish . Its called FREEDOWM OF RANDOMNESS IN A HECK . CLUSTERED DEFEATED CORn FORUM . Welcome to me



  • #3
    From an economic standpoint, I think IPCop and other variants do a very nice job for a home network. I have also been testing others as suggested by other members.
    PFSense looks to be very promising for a home network and possibly even larger.
    In a world without walls and fences, who needs Windows and Gates?



  • #4
    Originally posted by Spanners
      Opinions/experiences appreciated.

    I would definitely recommend a hardware firewall.

    With that being said, what's your price range? My other big question beyond that is, are you willing to build and configure your own firewall (like OpenBSD with pf) or would you rather buy one from a vendor?

    Originally posted by stringslayer
      From an economic standpoint, I think IPCop and other variants do a very nice job for a home network. I have also been testing others as suggested by other members.
      PFSense looks to be very promising for a home network and possibly even larger.

    I have a running PFSense box, and at this current time I would definitely recommend people staying away from it. Once the developers get to the point where they will lock down the features and move towards a beta then perhaps I will recommend it. But at this time it's still too flaky a project to recommend deploying it in any type of semi-hostile environment.



  • #5
    Originally posted by Spanners
      The question.. Is it actually worthwhile running a hardware firewall?

    Yes. Consider that a firewall based on <insert major OS here> is ultimately dependent on that OS itself remaining invulnerable, and you've got a good argument for external firewalling. Of course, that doesn't mean that there won't be vulnerabilities in hardware routers' firmware... But the instances of that tend to be much lower.

      Some history; I run a small network at home, with five CLI Gentoo boxes and ADSL. One box runs limited services (apache, ssh) and the rest are clients/workhorses that require no incoming requests from the outside world (and to my knowledge do a rather fine job of ignoring such things).

    Honestly, if this is the environment you're intending to protect you'd probably do fine with something like a Linksys WRT54G. Out of the box it supports port forwarding, one DMZ, external logging, PPPoE, and also provides DHCP for the internal network. There are also a LOT of options in terms of third-party firmware for them that add extra functionality; generic Google search is here. I've had one for over two years now and love it, though I do admit that it's no longer my border router/firewall.

      From feedback I've received so far, there are some good opinions for running a hardware firewall...
      • Makes up for having a shite ADSL router i.e. logs, activity/bandwidth reporting, and so on
      • Probably provides some form of security against the most common attacks
      • Provides said form of security between networks (e.g. wired, wireless)

    These are all correct. The security they provide against attacks is obviously only as good as their configuration (and that of any machines they may be in front of), but they're certainly a major improvement over nothing at all.

      And also some bad opinions...
      • It complicates the network, opening more security holes than it prevents
      • On a badly configured network, it's the equivalent of taking a rust-ridden car into the paint shop and asking for a "quick touch-up"
      • And the funniest one I've heard yet, "Are you kidding me?". He WAS wearing a trenchcoat though.

    Taking the points in order:

    1) Whoever told you this should be shot. The whole point of a firewall is to *reduce* the number of holes in a network, not introduce them. Yes, a misconfigured firewall can be worse than none at all, but the generalisation doesn't hold.

    2) Maybe. If it's deployed as shoddily as the rest of the network, sure. See 1) above.

    3) Rocket scientist.

      Assuming I make the right one, the question still remains. Is it worth running one?

    Yes, just don't go overboard if we're only talking domestic use.



  • #6
    I know it isn't important to most people, but you should also consider that hardware firewalls tend to use far less power than a full-blown PC. If you are worried about configurability, skroo's suggestion of the WRT54G is a good one because of the open-source firmware projects available.



  • #7
    That was going to be my point.
    In the standard home situation, having a dedicated machine on 24/7 is:

    * expensive (if it's an old computer it will probably use a reasonable amount of electricity)

    * hot... well it will probably produce some heat... might be relevant/important in some situations

    * take up space - seriously... it's got to go somewhere... if it's just a converted old computer the case could be relatively large (compared to just a small router). People in small houses may just not have enough room.

    * noise - computer fans can be noisy... maybe a problem?

    Those are all just environmental issues really, that in a corporate situation would just be overlooked as it would be put in a dedicated server room anyway probably.
    In a corporate environment I would without a doubt go for a dedicated machine as the pros outweigh the cons by a large proportion in my mind.

    At home though, I don't think I would bother. The routers suggested and other ones available off the shelf are much better I think. I have one and they are pretty cool.
    Twigman



  • #8
    Just stay away from anything Linksys, Netgear, D-Link, etc.'s home-grade stuff. Most of these companies have business class routers and are not that expensive either. Security is a joke for most of these -$100 routers.
    Delicious Poison:

    The difference between a nerd and a geek? Well a nerd does not wear Spider Man butt huggers.



  • #9
    Originally posted by Twigman
      That was going to be my point.
      In the standard home situation, having a dedicated machine on 24/7 is:

      * expensive (if it's an old computer it will probably use a reasonable amount of electricity)

      * hot... well it will probably produce some heat... might be relevant/important in some situations

      * take up space - seriously... it's got to go somewhere... if it's just a converted old computer the case could be relatively large (compared to just a small router). People in small houses may just not have enough room.

      * noise - computer fans can be noisy... maybe a problem?

      Those are all just environmental issues really, that in a corporate situation would just be overlooked as it would be put in a dedicated server room anyway probably.
      In a corporate environment I would without a doubt go for a dedicated machine as the pros outweigh the cons by a large proportion in my mind.

      At home though, I don't think I would bother. The routers suggested and other ones available off the shelf are much better I think. I have one and they are pretty cool.

    I agree with that with one exception.
    If he is indeed running a web server out of his home as stated, he should probably move the site to a hosting service if going the Linksys route. Just my opinion.
    That is the main reason I recommended the IPCop variant.
    In a world without walls and fences, who needs Windows and Gates?



  • #10
    Originally posted by Twigman
      In a corporate environment I would without a doubt go for a dedicated machine as the pros outweigh the cons by a large proportion in my mind.

    Hang on... Hardware firewalls are dedicated devices - so unless I've missed something here, are you suggesting that corporate environments should run dedicated PCs (for example) as firewalls?

    Originally posted by klepto
      Just stay away from anything Linksys, Netgear, D-Link, etc.'s home-grade stuff.

    Disagreed. For home use, these devices work fine for 99.9% of users - and, more importantly, can actually be configured by home users. While it's true that out of the box they're fairly insecure, once configured and deployed they generally aren't much of a problem.

      Most of these companies have business class routers and are not that expensive either. Security is a joke for most of these -$100 routers.

    On a similar note, I would never, ever put any of these companies' 'business-class' stuff in a production environment; it's way too rinky-dink. Actually, I'll make one exception to that: Cisco owns Linksys, and I do use Cisco's enterprise-class hardware on a daily basis.



  • #11
    Originally posted by skroo
      Disagreed. For home use, these devices work fine for 99.9% of users - and, more importantly, can actually be configured by home users. While it's true that out of the box they're fairly insecure, once configured and deployed they generally aren't much of a problem.

    The .1% is hackers. -100 routers don't have ingress filtering, which is very important to tech/hacker nerds & geeks. Your basic Netgear will protect you from those stupid script kiddies who do port range scanning to find if NetBIOS is up on any of the nodes, but if your attacker knows your IP address, then you might as well throw it out; it's useless. D-Link and Netgear's configuration, I believe, you have to play with it a little and lock it down. Linksys is the better of the bunch with everything disabled.

    Business grade routers do have the option for egress/ingress filtering and that's why I recommended it.

      On a similar note, I would never, ever put any of these companies' 'business-class' stuff in a production environment; it's way too rinky-dink. Actually, I'll make one exception to that: Cisco owns Linksys, and I do use Cisco's enterprise-class hardware on a daily basis.

    I meant to state that he should use the 'business-class' stuff for home use. If you want REAL business grade stuff, then go for Juniper or F5.
    Delicious Poison:

    The difference between a nerd and a geek? Well a nerd does not wear Spider Man butt huggers.

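    Added illustration (example code added to this page, not written by any poster): #11 argues that a cheap router only keeps out the port-range scanners, and #1 and #5 list logging as a reason to run a firewall at all. The two go together once the firewall's block log is actually read. The script below parses log records in the style of what `tcpdump -n -e -ttt -r /var/log/pflog` prints on an OpenBSD/pf box (format approximated from memory), flags a single outside source probing many closed ports, and separately lists LAN hosts that tried to leave the network on something the egress policy did not allow. The log lines are constructed; `em0` as the ADSL-side interface, `em1` as the LAN side, and all addresses are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log (assumption: em0 = external interface, em1 = LAN).
# Addresses are from the RFC 5737 documentation ranges; the last line is
# deliberately not a pflog record so the parser has to skip it.
SAMPLE_PFLOG = """\
Jan 10 12:12:44.963232 rule 3/0(match): block in on em0: 203.0.113.5.40001 > 198.51.100.7.139: S 1:1(0) win 1024
Jan 10 12:12:45.101100 rule 3/0(match): block in on em0: 203.0.113.5.40002 > 198.51.100.7.445: S 1:1(0) win 1024
Jan 10 12:12:45.240000 rule 3/0(match): block in on em0: 203.0.113.5.40003 > 198.51.100.7.135: S 1:1(0) win 1024
Jan 10 12:12:45.380000 rule 3/0(match): block in on em0: 203.0.113.5.40004 > 198.51.100.7.22: S 1:1(0) win 1024
Jan 10 12:12:45.520000 rule 3/0(match): block in on em0: 203.0.113.5.40005 > 198.51.100.7.23: S 1:1(0) win 1024
Jan 10 12:13:01.000000 rule 7/0(match): pass in on em0: 192.0.2.44.51000 > 198.51.100.7.80: S 99:99(0) win 65535
Jan 10 12:13:02.000000 rule 3/0(match): block in on em0: 192.0.2.44.51001 > 198.51.100.7.443: S 100:100(0) win 65535
Jan 10 12:13:09.000000 rule 3/0(match): block in on em1: 192.168.1.23.137 > 203.0.113.9.137: udp 50
this line is not a pflog record and must be skipped
"""

# One record: rule number, action, direction, interface, src.port > dst.port
LINE_RE = re.compile(
    r"rule (?P<rule>\d+)(?:/\d*)?\(match\):? "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<ifname>[\w.]+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)


def parse_pflog(text):
    """Turn pflog text into a list of dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        for key in ("rule", "sport", "dport"):
            rec[key] = int(rec[key])
        events.append(rec)
    return events


def find_scanners(events, ext_if="em0", min_ports=4):
    """Outside sources whose blocked inbound packets hit >= min_ports distinct ports.

    A single source walking many closed ports is the 'port range scanning'
    #11 talks about; one blocked packet is noise, many distinct ports is a scan.
    """
    ports = defaultdict(set)
    for e in events:
        if e["action"] == "block" and e["dir"] == "in" and e["ifname"] == ext_if:
            ports[e["src"]].add(e["dport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def lan_egress_blocks(events, int_if="em1"):
    """LAN hosts whose outbound traffic the egress policy refused.

    With a default-deny ruleset these show up as 'block in' on the LAN
    interface; a host spraying NetBIOS at the Internet is worth a look.
    """
    return [(e["src"], e["dst"], e["dport"])
            for e in events
            if e["action"] == "block" and e["dir"] == "in" and e["ifname"] == int_if]


def rule_hits(events):
    """How often each rule fired, so a noisy rule can be tuned rather than ignored."""
    return dict(Counter(e["rule"] for e in events))


if __name__ == "__main__":
    evs = parse_pflog(SAMPLE_PFLOG)
    print("parsed records:", len(evs))
    print("scanners:", find_scanners(evs))
    print("LAN egress blocks:", lan_egress_blocks(evs))
    print("rule hits:", rule_hits(evs))
```

    The thresholds are deliberately crude: `min_ports` is the only knob, and there is no time window, so a long log would need the events bucketed by timestamp before counting. The point is that an external-logging firewall gives you something to run this over, which a router that only blinks an LED does not.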


  • #12
    Originally posted by klepto
      D-Link and Netgear's configuration, I believe, you have to play with it a little and lock it down. Linksys is the better of the bunch with everything disabled.

    Mmmm... The Linksys units are still in need of some TLC out of the box, same as the others. As for egress/ingress filtering, this is where the ability to change to a 3rd-party firmware comes in.

      Business grade routers do have the option for egress/ingress filtering and that's why I recommended it.

    True, but not everyone has the budgetary constraints to run that hardware.

      I meant to state that he should use the 'business-class' stuff for home use. If you want REAL business grade stuff, then go for Juniper or F5.

    *Shrug* If wishes were horses, I'd have some Maseratis and a helicopter.

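    Added example (not from any poster in this thread): #11 and #12 keep coming back to ingress and egress filtering, and #4 raises the homebrew option of OpenBSD with pf. This is what that policy looks like written out for the network described in the original post: default deny both ways, only the one box's apache and ssh reachable from outside, and LAN hosts allowed out only on a short list of protocols. The syntax is current OpenBSD pf (`match`, `nat-to`, `rdr-to`, OpenBSD 4.7 and later), which postdates this thread; the interface names `em0`/`em1`, the `192.168.1.0/24` LAN and the server address `192.168.1.10` are assumptions.

```pf
# Added example for this thread, not from any poster.  Assumptions: an OpenBSD
# box with em0 facing the ADSL line and em1 facing the LAN 192.168.1.0/24, with
# the one server (apache + ssh) at 192.168.1.10.  Syntax is OpenBSD 4.7+ pf.
ext_if     = "em0"
int_if     = "em1"
lan        = "192.168.1.0/24"
srv        = "192.168.1.10"
srv_tcp    = "{ 22, 80 }"              # the only services exposed to the outside
egress_tcp = "{ 22, 25, 53, 80, 443 }" # what LAN hosts may start towards the Internet
egress_udp = "{ 53, 123 }"

set skip on lo

# Drop packets whose source address does not belong on the interface they
# arrived on (e.g. a LAN address showing up on the ADSL side)
antispoof quick for { $ext_if $int_if }

# Source NAT for the LAN, and port forwarding of the two exposed services
match out on $ext_if from $lan to any nat-to ($ext_if)
match in  on $ext_if proto tcp to ($ext_if) port $srv_tcp rdr-to $srv

# Default deny, logged.  Everything below this line is an explicit exception,
# so the -100 router problem from #11 (no ingress filtering) does not arise.
block log all

# Ingress: only tcp/22 and tcp/80 to the server, new connections only, stateful
pass in on $ext_if proto tcp to $srv port $srv_tcp flags S/SA

# Egress: LAN hosts may only open these protocols to the outside.  A box trying
# to talk NetBIOS (or anything else) to the Internet is blocked and logged.
pass in on $int_if proto tcp from $lan to ! $lan port $egress_tcp
pass in on $int_if proto udp from $lan to ! $lan port $egress_udp
pass in on $int_if inet proto icmp from $lan icmp-type echoreq

# Management of the firewall itself, from the LAN only
pass in on $int_if proto tcp from $lan to $int_if port 22

# Whatever was accepted on the way in may leave; the firewall's own traffic
# (DNS, package fetches) also goes out here.  Nothing reaches these rules from
# the outside without first passing an ingress rule above.
pass out on $ext_if
pass out on $int_if
```

    Check it with `pfctl -nf /etc/pf.conf` before loading; a syntax error there is cheaper than one discovered when the ssh session to the box drops. The egress list is the part that needs tuning for a real household, and "block log all" is what makes the blocked attempts show up in `/var/log/pflog` for the logging benefit #1 asked about.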


  • #13
    Originally posted by skroo
      Mmmm... The Linksys units are still in need of some TLC out of the box, same as the others. As for egress/ingress filtering, this is where the ability to change to a 3rd-party firmware comes in.

    Not much 3rd party firmware; most are WAP or WiFi router hacks.

      True, but not everyone has the budgetary constraints to run that hardware.

    Depends. You can get a Linksys RV042 for about 150 bucks if you look hard. And since the thread starter has a network and doesn't use the router/switch unit, I assume he/she is using a standalone switch. Buy that Linksys router for 150 bucks and slap on the switch since he has 5 nodes; the router only handles 4 direct links. The router handles ingress filtering and many other options. US Robotics also has a pretty decent unit that can offer the same protection/options at around the same price, if not a lil bit higher.
    Delicious Poison:

    The difference between a nerd and a geek? Well a nerd does not wear Spider Man butt huggers.



  • #14
    Originally posted by Twigman
      That was going to be my point.
      In the standard home situation, having a dedicated machine on 24/7 is:

    Listen, if you're replying to a post that is not the parent poster, it's considered bad taste and confusing to not quote it. The reason for this is, I don't know if you're replying to my post in this thread or someone else's.



  • #15
    Originally posted by noid
      What have you looked at besides PIX?

    I've looked at very little in the vendor world to be honest; your advice would be invaluable. Random homebrew research has suggested IPCop, Smoothwall, Devil or just self-tweaked 2.6.x kernel stuff if time and motivation permitted.

    Originally posted by highwizard
      price range? .. configure your own .. or .. vendor?

    No particular budget but being frugal helps me sleep at night. No preferences between homebrew/vendor, but I assume a homebrew solution gives a lot more control.

    Originally posted by skroo
      something like a Linksys WRT54G .. There are also a LOT of options in terms of third-party Firmware

    Thanks Skroo, some of the third-party firmware looks excellent. What made you change your setup from the WRT54G out of interest?

    Sorry for starting a firewall war! My initial question is answered - Yes I should use a hardware firewall.
    "There are those who do the work and those who take the credit. I try to be in the first group, there is less competition there." -- Gandhi
