Hardware network firewalls are generally pretty good, but unfortunately they have no way of knowing what application software is sending/seeking a particular packet.
Software firewalls have better ability than hardware firewalls to determine what application is trying to communicate, but unfortunately can be bypassed in a number of ways.
My proposal would be to have a software firewall that communicates with a hardware firewall via an encrypted method (user-settable) so that even if the software firewall is bypassed, the software bypassing it still won't be able to get outside network access (unless the user physically pushes a button on the hardware firewall to allow such access, as he might do if he needs to do a safe-mode boot).
To provide protection against application spoofing, the software firewall would use an encrypted hash function for application code using random 'salt' supplied by the firewall. Only the firewall would keep a list of what application signatures were valid--not the computer--so malware authors would have no way of knowing what signatures to spoof. To avoid having malware pop up phony 'authorization' boxes, the firewall would come with a small stick-on keyboard assembly with a small display and 3-5 buttons. It would thus be entirely impossible for an application to fake "approve" keypresses for the firewall unless it controlled a mechanical robot that could physically push its buttons.
-- supercat, Nov 17 2005

Your details are confusing but I think the concept is solid. Obviously for consumer marketing there's the issue of convenience, but personally I'd like some hands-on control of my software. [+]
-- Darkelfan, Nov 17 2005

This would make sense if hardware firewalls were always better than software ones. Other than performance advantages there is no reason why a software firewall should not be as good as, or better than, a hardware firewall.
-- ixnaum, Nov 18 2005

One problem with software firewalls is that, at least under Windows, it is possible for rogue software to bypass them. Having a combination hardware/software firewall would make such a bypass more difficult, because the rogue software would have to be set up to deal with the particular encryption used for firewall/PC communications.

If one particular combination hardware/software firewall became overly dominant in the marketplace, attackers might be able to find a vulnerability in the PC side. But if different companies' products use different methods, and none is too dominant in the marketplace, it would be harder for hackers to come up with a really good exploit.
-- supercat, Nov 19 2005

halfbakery
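The challenge-response between the hardware box and the host-side software that the original post sketches (random salt from the firewall, approved-signature list held only on the firewall side) can be modelled as a nonce-keyed HMAC over the application's code digest. The block below is an added example written for this page; it is not code from the poster or from any product, and the class name HardwareFirewall, the function names, the 16-byte nonce size and the two sample "binaries" are all assumptions made up for illustration. It shows the exchange from both sides and the cases a verifier has to reject: a replayed response, a modified binary, an application the firewall has never approved, and a response computed under a nonce the firewall did not issue.

```python
import hashlib
import hmac
import os
from typing import Dict, Set

# Constructed sample "application binaries": stand-ins for real executables.
GOOD_APP = b"\x7fELF-example-browser-v1"
TAMPERED_APP = GOOD_APP + b"\x90"  # one extra byte, as a patched binary would differ


def code_digest(binary: bytes) -> bytes:
    """Unkeyed digest of the application code; this is what the firewall side stores."""
    return hashlib.sha256(binary).digest()


class HardwareFirewall:
    """Verifier side (hypothetical). Holds the only copy of the approved digests
    and hands out single-use nonces that key each response."""

    def __init__(self, approved: Dict[str, bytes]):
        self._approved = dict(approved)
        self._outstanding: Set[bytes] = set()

    def issue_challenge(self) -> bytes:
        nonce = os.urandom(16)          # fresh per request, so responses cannot be replayed
        self._outstanding.add(nonce)
        return nonce

    def verify(self, app_name: str, nonce: bytes, response: bytes) -> bool:
        if nonce not in self._outstanding:
            return False                # unknown or already-consumed nonce
        self._outstanding.discard(nonce)  # single use, even if verification fails
        ref = self._approved.get(app_name)
        if ref is None:
            return False                # application was never approved on the box
        expected = hmac.new(nonce, ref, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def host_respond(binary: bytes, nonce: bytes) -> bytes:
    """Host-side software firewall: hash the code it actually loaded, keyed with the nonce."""
    return hmac.new(nonce, code_digest(binary), hashlib.sha256).digest()


def demo() -> Dict[str, bool]:
    """Run the exchange for each case and return the verifier's decisions."""
    fw = HardwareFirewall({"browser": code_digest(GOOD_APP)})
    results = {}

    n1 = fw.issue_challenge()
    r1 = host_respond(GOOD_APP, n1)
    results["legit"] = fw.verify("browser", n1, r1)            # True
    results["replay"] = fw.verify("browser", n1, r1)           # False: nonce already consumed

    n2 = fw.issue_challenge()
    results["tampered"] = fw.verify("browser", n2, host_respond(TAMPERED_APP, n2))  # False

    n3 = fw.issue_challenge()
    results["unknown_app"] = fw.verify("editor", n3, host_respond(GOOD_APP, n3))    # False

    n4 = fw.issue_challenge()
    forged = os.urandom(16)                                    # nonce the box never issued
    results["forged_nonce"] = fw.verify("browser", forged, host_respond(GOOD_APP, n4))  # False
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'allowed' if ok else 'blocked'}")
```

The caveat a practitioner would want here is that the hardware side only ever sees what the host chose to hash: a host compromised below the software firewall can feed it the bytes of a pristine approved binary while running something else entirely, so the nonce stops replay and the box-side list stops guessing, but neither replaces the integrity of the host-side component that the later comments argue about.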