Security+ - router security vs firewall?
-
I was watching the Security+ Network Security - Securing Network Devices episode. Around 31 minutes in they start talking about using routers as security devices. It confused me because it sounded like they were saying a router could do everything a firewall could do. Why would I want a separate firewall then? Ronnie said I might, but he doesn't say when I would or wouldn't.
I've never used a stand-alone router. The most advanced network device I manage is a pfSense box.
Can you please clarify the security function of a router, how it differs in security capabilities from a firewall, and when I'd want just a router vs when I'd want both? Thanks!
-
@Matthew-Horvay said in Security+ - router security vs firewall?:
I was watching the Security+ Network Security - Securing Network Devices episode. Around 31 minutes in they start talking about using routers as security devices. It confused me because it sounded like they were saying a router could do everything a firewall could do. Why would I want a separate firewall then? Ronnie said I might, but he doesn't say when I would or wouldn't.
I've never used a stand-alone router. The most advanced network device I manage is a pfSense box.
Can you please clarify the security function of a router, how it differs in security capabilities from a firewall, and when I'd want just a router vs when I'd want both? Thanks!
Let me start with your last question first! This can be a little confusing because most of us work with just a single device connected to an internet connection, but in a business you might find a couple of scenarios where you might want to use both.
Your company may have multiple departments that require not only a dedicated link outside but also need to provide their own security due to differing security policies for each department. This is a perfect example where you might set up a router as the public interface to the ISP, then take the remaining ports and set each as a dedicated connection to a separate departmental LAN. Depending on the router's capabilities, you could do the following if you chose:
- One department may not have a firewall it wants to implement, but you want to control traffic like a firewall. Some managed routers, depending on the licensing and feature set, may give you the ability to implement their built-in firewall support (e.g. Cisco IOS with "k9" at the end of the name usually has the firewall feature set). You could set this up as the firewall for that department.
- Your department may decide that it wants the connection but wants to manage all aspects of perimeter security using a pfSense firewall. You simply connect the router interface to your pfSense WAN interface and no additional security is needed, but the router still segments traffic: traffic not meant for your LAN is routed to the proper interfaces on the router.
There are others, but this is a good start. In this instance you have one department and your department. What if each department wants to implement VPNs? Because you're in charge of your department and not the other, you cannot implement a VPN tunnel for them, but you can do it for yours. They may, however, request that the network admin implement it through the router interface. So a router can function as both firewall and VPN endpoint.
If the company chooses to block traffic coming from each department from directly accessing another department, you don't have to use the firewall feature set on the router; you could also use ACLs (Access Control Lists) to block your department from accessing the other department but allow both, let's say, to access the HR or Personnel department.
Usually, choosing just a router is done when they don't really need any additional complexity but still need a device at the perimeter. If you're wanting to do some really fancy rules, then a dedicated firewall is definitely the way to go. But if you need meat-and-potatoes security, be assured that a router that has the security feature set implemented can really function that way if needed.
Let me know if you have any additional questions!
-
Thanks Ronnie.
I think the confusion came from the difference between physical devices and the functions they perform, i.e. a device we call a router usually performs the functions of both a router and a firewall. When someone says "router", do they mean a Cisco or pfSense box which is likely routing, firewalling, and doing other things, or do they mean the actual routing function? When they say "firewall", do they mean a physical ASA or a firewalling function on a router? I thought you were talking about the security function of a routing-only appliance which had no firewalling features. I believe in that case its only security function would be to block certain IP ranges (such as private subnets coming in on the WAN interface). Is that correct?
@Matthew-Horvay said in Security+ - router security vs firewall?:
I thought you were talking about the security function of a routing-only appliance which had no firewalling features. I believe in that case its only security function would be to block certain IP ranges (such as private subnets coming in on the WAN interface). Is that correct?
In this case it's basic filtering based on "source address and protocol" or "source and destination and protocol". Most routers would be able to create some sort of inbound/outbound access control list based on the networking elements I just listed, even without the firewall or additional feature sets. For example, on a Cisco router, you'll be able to create:
- Standard ACLs (based on source IP and protocol)
- Extended ACLs (based on source, destination and protocol)
So if that's true, why do we need the firewall? It's because most if not all firewalls are STATEFUL firewalls, whereas router ACLs are not stateful, so every packet must be evaluated as "permitted" or "denied."
Hope this helps!
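As an added example that is not part of this thread (neither Ronnie's nor Matthew's code; every address, department name and packet below is a constructed assumption), here is a small Python simulation of the two points made above: a per-interface extended ACL that keeps Sales out of Engineering while letting both reach HR, and the difference between a router-only perimeter that admits return traffic with a stateless `established`-style ACL and a stateful firewall that admits only replies to flows it has already recorded. The matching logic is a simplified model of how these devices decide, not a reimplementation of IOS or pfSense.

```python
"""Stateless router ACLs vs a stateful firewall, simulated over a constructed packet stream."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str              # "tcp", "udp" or "icmp"
    sport: int
    dport: int
    flags: str = ""         # TCP flags as letters: "S", "SA", "A", "R"


@dataclass(frozen=True)
class Rule:
    """One access-control entry. A standard ACL uses src only; an extended ACL adds the rest."""
    action: str             # "permit" or "deny"
    src: str                # CIDR or "any"
    dst: str = "any"
    proto: str = "ip"       # "ip" matches every protocol
    dport: Optional[int] = None
    established: bool = False   # like IOS 'established': match only if ACK or RST is set


def _in_net(addr: str, net: str) -> bool:
    return net == "any" or ip_address(addr) in ip_network(net)


def acl_eval(acl: List[Rule], pkt: Packet) -> str:
    """Stateless: first matching entry wins, implicit deny, no memory of earlier packets."""
    for r in acl:
        if not (_in_net(pkt.src, r.src) and _in_net(pkt.dst, r.dst)):
            continue
        if r.proto != "ip" and r.proto != pkt.proto:
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        if r.established and not ({"A", "R"} & set(pkt.flags)):
            continue
        return r.action
    return "deny"


class StatefulFirewall:
    """Policy is consulted for NEW flows only; later packets are matched against the state table."""

    def __init__(self, new_flow_policy: List[Rule]) -> None:
        self.policy = new_flow_policy
        self.table: Set[Tuple[str, str, int, str, int]] = set()

    @staticmethod
    def _key(p: Packet) -> Tuple[str, str, int, str, int]:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    def evaluate(self, pkt: Packet) -> str:
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if self._key(pkt) in self.table or reverse in self.table:
            return "permit"                         # part of a flow we already accepted
        if pkt.proto == "tcp" and pkt.flags != "S":
            return "deny"                           # mid-stream TCP with no state: drop it
        if acl_eval(self.policy, pkt) == "permit":
            self.table.add(self._key(pkt))          # remember the flow so replies get through
            return "permit"
        return "deny"


# Constructed addressing (assumption): Sales 10.1.0.0/16, Engineering 10.2.0.0/16, HR 10.3.0.0/16.
# Applied inbound on the router's Sales interface: extended ACL, no firewall feature set needed.
SALES_INBOUND_ACL = [
    Rule("deny",   "10.1.0.0/16", "10.2.0.0/16"),   # Sales may not reach Engineering
    Rule("permit", "10.1.0.0/16", "10.3.0.0/16"),   # ... but may reach HR
    Rule("permit", "10.1.0.0/16", "any"),           # ... and anything else, e.g. the ISP link
]


def segmentation_demo() -> Dict[str, str]:
    return {
        "engineering": acl_eval(SALES_INBOUND_ACL, Packet("10.1.0.9", "10.2.0.3", "tcp", 51000, 22, "S")),
        "hr":          acl_eval(SALES_INBOUND_ACL, Packet("10.1.0.9", "10.3.0.10", "tcp", 51001, 443, "S")),
        "internet":    acl_eval(SALES_INBOUND_ACL, Packet("10.1.0.9", "203.0.113.8", "udp", 51002, 53)),
    }


# Router-only perimeter: LAN-facing ACL lets the LAN out; WAN-facing ACL lets "replies" in via 'established'.
LAN_IN = [Rule("permit", "10.1.0.0/16", "any")]
WAN_IN = [Rule("permit", "any", "10.1.0.0/16", "tcp", established=True)]
# Same intent on a stateful firewall: only the LAN may open new flows; replies follow the state table.
FW_POLICY = [Rule("permit", "10.1.0.0/16", "any")]


def perimeter_demo() -> List[Tuple[str, str, str]]:
    """Returns (packet label, stateless ACL verdict, stateful verdict) for a constructed packet stream."""
    fw = StatefulFirewall(FW_POLICY)
    stream = [
        ("lan", "client SYN out", Packet("10.1.0.5", "203.0.113.20", "tcp", 40000, 443, "S")),
        ("wan", "server SYN/ACK", Packet("203.0.113.20", "10.1.0.5", "tcp", 443, 40000, "SA")),
        ("wan", "ACK probe",      Packet("198.51.100.7", "10.1.0.5", "tcp", 1024, 445, "A")),
        ("wan", "SYN scan",       Packet("198.51.100.7", "10.1.0.5", "tcp", 1025, 445, "S")),
    ]
    return [(label, acl_eval(LAN_IN if iface == "lan" else WAN_IN, pkt), fw.evaluate(pkt))
            for iface, label, pkt in stream]


if __name__ == "__main__":
    print(segmentation_demo())
    for row in perimeter_demo():
        print("%-15s ACL=%-6s stateful=%s" % row)
```

The third packet is the practical difference: the stateless ACL cannot know whether a connection exists, so `established` has to accept any inbound packet carrying an ACK flag, which is exactly what an ACK scan sends. The stateful firewall drops it because no entry in its table says 10.1.0.5 ever spoke to 198.51.100.7. Both devices enforce the departmental segmentation equally well, since that policy needs no memory between packets.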
-
@Ronnie-Wong said in Security+ - router security vs firewall?:
In this case it's basic filtering based on "source address and protocol" or "source and destination and protocol". Most routers would be able to create some sort of inbound/outbound access control list based on the networking elements I just listed, even without the firewall or additional feature sets. For example, on a Cisco router, you'll be able to create:
- Standard ACLs (based on source IP and protocol)
- Extended ACLs (based on source, destination and protocol)
So if that's true, why do we need the firewall? It's because most if not all firewalls are STATEFUL firewalls, whereas router ACLs are not stateful, so every packet must be evaluated as "permitted" or "denied."
Hope this helps!
That helped a lot!
When you say a router can filter based on protocol, are you referring to TCP, UDP, & ICMP, to port #s, or something else?
Thanks!
-
@Matthew-Horvay said in Security+ - router security vs firewall?:
When you say a router can filter based on protocol, are you referring to TCP, UDP, & ICMP, to port #s, or something else?
Thanks!
Yes, the standard TCP/IP protocols. The key here, though, is that ACLs are not stateful, so evaluation happens on a per-packet basis rather than a per-state basis. So the CPU can be taxed more if just using ACLs. But if you just need simple packet filtering, it does a great job.