Firewall vs. router

Hi,

I looked on the Net, but I did not find quite a good answer to the question I have. I need something to protect my network. I have worked with both routers and firewalls and generally know what they are for, however I don't have in-depth knowledge about that. Is there a good explanation and comparison of the features that routers and firewalls provide? E.g. Cisco PIX vs Cisco 1800. It's not a "vs" exactly, since this would be comparing two things that are not comparable - what I am looking for is "what the routers are for" and "what the firewalls are for" and whether one can be exchanged for another in a specific situation. I think I understand this basically, but I am sure I am missing something. If someone could elaborate on this or, better, save me the time by providing a link where this is explained and where I can read this...

Reply to
dt

The simple answer is very simple. Just look at the names of devices:

A router is for ROUTING packets. A firewall is for FIREWALLING (protecting) networks.

Both devices can be a little bit more "cross-functional" - i.e. a router can include some simple or even sophisticated firewalling functions, however its primary function is to ROUTE packets. At the same time a firewall can have some simple routing functions, however the whole purpose of the firewall is to protect networks.

When you compare what each device CAN do, you will see more differences between them. For example, a router can connect dissimilar media (for example, T1, ADSL, Frame Relay, PPP, ATM, etc.), while firewalls cannot. However, firewalls can do more in-depth security monitoring and intrusion detection/prevention, which is not really available in routers.

So, my preference in a network design - let each device do whatever it does best. If I need to communicate with an ISP through the BGP protocol, I will install a router. If I need to protect my network, I will install a firewall. If I need to see if someone is trying to hack me, I will install an IDS, etc.

Good luck,

Mike CCNP, CCDP, CCSP, Cisco Voice, MCSE W2K, MCSE+I, Security+, etc. CCIE R&S (in progress), CCIE Voice (in progress)


Reply to
headsetadapter.com
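The "simple firewalling function" a router offers is typically a stateless ACL, while a firewall tracks connection state. The following Python sketch is an added illustration, not code from this thread or from any Cisco product: it runs a few constructed packets through a router-style "permit established" ACL and through a minimal stateful filter; the addresses, the flag encoding and the ACL rule are assumptions made for the example.

```python
from dataclasses import dataclass

INSIDE = "10.0.0."  # constructed: inside (protected) network prefix

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # TCP flags as letters: "S" SYN, "A" ACK, "R" RST, e.g. "SA"

def is_outbound(p: Packet) -> bool:
    return p.src.startswith(INSIDE)

def stateless_acl(p: Packet) -> bool:
    """Router-style inbound ACL, equivalent to 'permit tcp any any established'.
    'Established' only means ACK or RST is set; the router keeps no session memory."""
    if is_outbound(p):
        return True
    return "A" in p.flags or "R" in p.flags

class StatefulFirewall:
    """Firewall-style inspection: inbound traffic is admitted only when it
    matches a connection that an inside host opened."""
    def __init__(self) -> None:
        self.sessions: set = set()

    def allow(self, p: Packet) -> bool:
        if is_outbound(p):
            if "S" in p.flags and "A" not in p.flags:  # new outbound SYN
                self.sessions.add((p.src, p.sport, p.dst, p.dport))
            return True
        return (p.dst, p.dport, p.src, p.sport) in self.sessions

# Constructed traffic: one legitimate session plus two unsolicited inbound segments.
TRAFFIC = [
    Packet("10.0.0.5", "203.0.113.80", 40000, 80, "S"),   # inside client opens HTTP
    Packet("203.0.113.80", "10.0.0.5", 80, 40000, "SA"),  # the server's reply
    Packet("198.51.100.9", "10.0.0.7", 1234, 445, "A"),   # unsolicited, ACK flag set
    Packet("198.51.100.9", "10.0.0.7", 1234, 445, "S"),   # unsolicited SYN
]

def compare(packets=TRAFFIC) -> dict:
    fw = StatefulFirewall()
    return {"router_acl": [stateless_acl(p) for p in packets],
            "stateful_fw": [fw.allow(p) for p in packets]}

if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(name, verdicts)
```

The third packet is the interesting one: the stateless ACL admits it because the ACK bit is set, whereas the stateful filter drops it because no inside host ever opened that session.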

...

If you look outside the Cisco realm, you start to see products that can be full routers and firewalls at the same time and that are marketed as firewalls, including doing BGP/OSPF etc. etc. Much like what Cisco is bringing the ISR line up to.

So, it's not quite so simple as this.

In a lot of cases where people would have spec'd routers before, I'd suggest a firewall instead, for the throughput and pps handling. Several traditional firewalls are getting WAN-style interfaces as well, with plugin modules, and are becoming modular.

There's still some areas where you'd really want a router, and many cases where you don't need your firewall to route. But more and more those areas are crossing together now for a lot of the edge market.

Reply to
Doug McIntyre

Mike, thanks for the reply!

I think what you said is what I generally thought of these - wasn't sure enough. I thought - OK, you have a firewall which can do routing and a router which can do firewalling. However, for example, 1812 router has 2+8 ports, while PIX 506e has 1+1 ports. You get a switch for nothing. Of course, there must have been a catch, which I probably recognized reading some things like:

Provides protection from more than 55 different types of popular network-based attacks ranging from malformed packet attacks to DoS attacks · Integrates with Cisco Network Intrusion Detection System (IDS) sensors to identify and dynamically block/shun hostile network nodes

(from [link omitted] and such.)

Thanks for the confirmation - a firewall is better than a firewalling router, a router is better than a routing firewall. One quick question - how would you rate the difference on a scale of 1-10? I.e. would using a firewalling router be much worse than using a pure firewall? Thanks again!

Reply to
dt

Doug, thank you also for the reply! What is one of the devices you mentioned as a good router/firewall combination? Also, the same question - how would you rate the difference on a scale of 1-10 between a firewall and a firewalling router (and/or vice-versa)?

Reply to
dt

It all depends on your budget and your needs. Be aware that to get "advanced security features" you may need to pay more for IOS licensing; plus, the IOS image may require more memory and flash; plus, your router's CPU may not keep up under stress, etc. Also, I discovered just recently that, for example, the Advanced Security feature set does not have BGP, so we had to "downgrade" our Internet routers.

And speaking about comparison... Again, it all depends on your needs and budget. For a small office of 3-5 people, without any critical applications, VPNs, internal WEB servers, and no business certification, the 1812 would be fine. However, if you need to do a DMZ, build a couple of VPN tunnels, and you need to meet NERC or ISO9000 certification, then you cannot survive with just a router. So, check your security policies, regulations, your wallet, and you will find the answer yourself. :-)))

Good luck,

Mike CCNP, CCDP, CCSP, Cisco Voice, MCSE W2K, MCSE+I, Security+, etc. CCIE R&S (in progress), CCIE Voice (in progress)



Reply to
headsetadapter.com

Some other brands that are firewalls and routers at the same time would be Juniper's Netscreen line (they tend to be pushing their mid-range one and letting the smaller ones slide now?), as well as Fortinet's Fortigate line, as well as Cisco's ISRs (1800, 2800, 3800).

There's no scale comparison, all companies have different sized boxes for what your network environment needs.

Reply to
Doug McIntyre

It's not a Cisco device, but I have had very good luck with an old WatchGuard firewall in my home lab as a multi-function device. Not only does it have the tight security of a firewall, but it is very capable of routing between 3 different subnets on my home network. I have my primary network, test network, and a separate wireless segment all working fine at the moment through that one device without problems. Mine is rather old, so I imagine that the newer models have even better throughput and possibly more capabilities.

Reply to
selixd

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.