In the days of the "hardware firewall", there was a lot of talk about the performance advantages of pairing a dedicated piece of hardware with dedicated software.
There was something to be said for the argument. Dedicated hardware with dedicated services could indeed push packets faster than a firewall running on a general-purpose operating system that wasn't designed specifically to support the firewall software. Although the hardware firewall wasn't typically as secure as a "software"-based firewall, it could push exploits much faster than a non-dedicated solution, such as the ISA firewall.
However, the world has changed due to 64-bit computing. Hardware support for 64-bit computing now allows you to provision hardware, at commodity prices, that can far outstrip anything you could get from a dedicated "hardware" firewall solution. Why do I say this? Check this out:
Given that real security must focus on application-layer inspection, the ASIC approach to firewalling is ancient history, and something that no modern organization should depend on as a security solution. With the hardware support you see in the above chart, it's clear that TMG firewalls can now be provisioned to provide the level of performance that traditional hardware firewalls could provide, with the enhanced security that only a blended stateful packet and application-layer inspection firewall brings to the table.
Indeed, the future is bright for the TMG firewall.
(Props to Yuri Diogenes for bringing this to my attention)
Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer