router & firewall comparison

I have a fairly simple question regarding the difference between a router and a firewall. I realize the obvious differences, being that a router routes packets and firewalls add additional security features like packet inspection etc. My question is, is someone behind a router basically as "safe" as someone behind a firewall? For example, many active attacks would come from port scans etc., but unless explicitly opened or "forwarded" in the case of a router, there would not be any incoming ports open, right?
rolande (Certifiable; Premium, Mod; joined 2002-05-24; Columbus, OH):
By default, a router has no security restrictions in place in comparison with a firewall. A router will forward anything that it has a matching route for in its routing table. In other words, everything is turned on by default on a router. However, you can set a router up to be nearly as secure as a firewall in terms of port filtering. You just have to implement your own security filters like access lists on a Cisco router. I always advise everyone to follow the NSA security guideline for Cisco routers at www.nsa.gov/snac/cisco/index.html
Additionally, Cisco includes Context Based Access Control in the Firewall feature set, which allows you to secure application protocols as well. You can also use reflexive access lists, which give internal users more flexibility with outbound access. Most routers do not offer this level of security, which is included with most firewall products that maintain stateful inspection etc. -- Remember what they say: "There are 10 types of people in the world.. those who understand binary, and those who don't."
I apologize...I should have more explicitly stated my question. When I say routers, I mean SOHO routers that have NAT enabled. So everyone on the LAN side has private addresses and on the WAN side has the public address. With those you have to explicitly forward ports to whatever private address you want to have that service (for example http, instant message file transfers, hosting of games, etc.). Would those routers be basically as secure as a firewall?
SYNACK (Just Firewall It; Premium, Mod; joined 2001-03-05; Venice, CA):
NAT has firewall-like properties in the WAN-LAN direction, but is definitely not a firewall (no matter what the marketing guys tell you).
NAT has:
• No detailed logging.
• No complex firewall policies, e.g. based on source IP.
• No control over outgoing connections (e.g. trojans).
• No policies for forwarded ports.
• No DoS protection, etc.
army dude (Premium, MVM; joined 2002-12-17; The Internet), reply to ahuebel:
You are kinda safe behind a NAT router, although not as safe as behind a firewall. Let's say someone does a port scan against your IP address looking for open port tcp-137. They are really scanning your router, because that's the interface that sits on the internet. Unless you tell your router to forward port 137 to one of your machines inside, it will drop the packet, so the hacker doesn't get a positive response about that IP address.
This is not to say that there are not ways around NAT, but if your inside IP address scheme is using non-routable IP numbers like 192.168.x.x, then they would have a hard time getting at your machine unless there was some sort of trojan already installed and making calls to the outside. That's where a firewall would come in handy, to help control this kind of activity.
Thanks army dude, and thanks to the other replies. That is what I thought; I just wanted to get some confirmation on that and hear other people's opinions.
Maondas (Funny, It Worked Last Time; Premium; joined 2002-09-19; Hilliard, OH):
Agreed, a SOHO NAT router is plenty safe. I stopped running ZoneAlarm once I went to a SOHO router.
I was only using Zonelabs to block inbound requests, and the router does that just fine.
-Mao -- Let's kick the tires and light the fires.
Anav (Sarcastic Llama? Naw, Just Acerbic; Premium; joined 2001-07-16; Dartmouth, NS; kudos:3):
Disagree totally, Maondas. The SOHO router is an addition to the core functionality of ZoneAlarm, a more complete solution. What happens when you forward ports on your router for any reason.....big holes!! ZoneAlarm will help make sure only authorized applications get through them. What happens to any nasties that get onto your system, and believe me no one is immune to that. Well, these nasties phone home and guess what, since the request originated on the LAN, routers let the traffic go out AND WORSE, let the response back in no questions asked!!... ZoneAlarm will detect these nasties trying to get out as unauthorized programs trying to reach the net.
Basically, SOHO routers and even SPI firewall routers deal with IP addresses, packet types, ports etc... but only the SW firewall is currently application specific.
Also useful for those of us that do much testing (switching routers, direct connecting, or using dial backup on occasion); without a SW firewall, these days it can take literally minutes to be hit by worms etc...
As I stated, a SW firewall IMHO is to be considered a core item much like an up2date AV proggie. The SOHO NAT box was designed to share internet and create the infrastructure for a LAN; it helpfully, as a side note, creates an inbound layer of defence. Most noted as ZoneAlarm hits go from a kazillion to basically none. This is only one part of the security equation!! -- Ain't nuthin but the blues! "Albert Collins". Leave your troubles at the door! "Pepe Peregil". Just Don't Wifi without WPA, "Yul Brenner"
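To make concrete the behaviour army dude and Anav describe above, here is an added toy model of a SOHO NAT router (example code written for this thread, not from any of the posters or any vendor): an unsolicited scan of port 137 is dropped, a forwarded port is passed straight through to the LAN host, and an outbound connection from a LAN host creates a translation that lets the reply back in with no questions asked. The `NatRouter` and `Packet` classes, the addresses and the port numbers are all constructed for the demo.

```python
from dataclasses import dataclass, field

WAN_IP = "203.0.113.5"  # constructed public address of the router

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass
class NatRouter:
    # static port forwards configured by the user: WAN port -> (LAN host, port)
    forwards: dict = field(default_factory=dict)
    # translations created by outbound traffic:
    # (remote ip, remote port, WAN port) -> (LAN ip, LAN port)
    table: dict = field(default_factory=dict)
    next_port: int = 40000

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> WAN: rewrite the source to the WAN address and remember the
        mapping. NAT never asks which program on the LAN host sent this."""
        wan_port = self.next_port
        self.next_port += 1
        self.table[(pkt.dst_ip, pkt.dst_port, wan_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(WAN_IP, wan_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> tuple:
        """WAN -> LAN: deliver only if a forward or a translation matches,
        otherwise drop silently so a scanner gets no positive response."""
        if pkt.dst_port in self.forwards:            # the "big hole" case
            lan_ip, lan_port = self.forwards[pkt.dst_port]
            return "forwarded", Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port)
        key = (pkt.src_ip, pkt.src_port, pkt.dst_port)
        if key in self.table:                        # reply to an outbound flow
            lan_ip, lan_port = self.table[key]
            return "reply", Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port)
        return "dropped", None

def demo() -> tuple:
    """Returns the router's verdict for each of the three situations."""
    r = NatRouter(forwards={80: ("192.168.1.10", 80)})
    scan = r.inbound(Packet("198.51.100.7", 55555, WAN_IP, 137))        # port scan
    hole = r.inbound(Packet("198.51.100.7", 55556, WAN_IP, 80))         # forwarded port
    out = r.outbound(Packet("192.168.1.20", 5000, "198.51.100.9", 443))  # LAN "phone home"
    back = r.inbound(Packet("198.51.100.9", 443, WAN_IP, out.src_port))  # its reply
    return scan[0], hole[0], back[0]   # ("dropped", "forwarded", "reply")
```

The model has no notion of which process opened the outbound flow, which is exactly the gap a software firewall such as ZoneAlarm fills.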
army dude (Premium, MVM; joined 2002-12-17; The Internet):
I agree. Use a router AND a firewall for best defense. One problem with application firewalls....what if I manage to get joe user to download my nasty, and I named my nasty iexplore.exe. If ZA asks joe user if he wants to allow "iexplore.exe" to access the internet, what answer do you think joe user will tell ZA?
Anav (Sarcastic Llama? Naw, Just Acerbic; Premium; joined 2001-07-16; Dartmouth, NS; kudos:3):
Well, Internet Explorer attempting to get out is also blocked initially. Most people permit IE all the time so it does not keep coming up. I for one would be very suspicious of an OUT of the BLUE request from ZoneAlarm for a new IE access........ -- Ain't nuthin but the blues! "Albert Collins". Leave your troubles at the door! "Pepe Peregil". Just Don't Wifi without WPA, "Yul Brenner"
army dude (Premium, MVM; joined 2002-12-17; The Internet):
Sure, YOU would, but not Joe User....
army dude (Premium, MVM; joined 2002-12-17; The Internet):
Besides, I don't think I could trick you into downloading it in the first place, but there are a lot of point and click suckers out there...
kirby, reply to ahuebel:
Kerio PF would report that IE was replaced with another program. Unless one had just updated IE from MS Update, he should be very suspicious of such a message. Anyone not sufficiently suspicious is likely too uninformed to install the firewall in the first place.
kirby
reply to army dude, said by army dude: "....what if I manage to get joe user to download my nasty, and I named my nasty iexplore.exe. If ZA asks joe user if he wants to allow "iexplore.exe" to access the internet, what answer do you think joe user will tell ZA?"
Sygate also informs you if apps seeking to connect to the internet have changed size, so if iexplore.exe is replaced with malware named iexplore.exe which has a different size, you are informed that the size of the file has changed.
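As an added illustration of what kirby and the previous poster describe (example code written for this thread, not Kerio's or Sygate's implementation): an application firewall that records a fingerprint of a program the first time the user allows it, and refuses to reuse that standing rule when the bytes behind the name change. The `AppFirewall` class and the sample "binaries" are constructed; the demo also shows the caveat that a size-only check, as described for Sygate, passes a replacement of identical size, while a hash comparison does not.

```python
import hashlib

def fingerprint(data: bytes) -> tuple:
    """(size, sha256) of an executable's bytes; both are recorded when the
    user first allows the program to reach the internet."""
    return (len(data), hashlib.sha256(data).hexdigest())

class AppFirewall:
    def __init__(self):
        self.rules = {}   # program name -> fingerprint recorded at first allow

    def allow(self, name: str, data: bytes) -> None:
        """User answered 'yes' to the prompt: remember what was allowed."""
        self.rules[name] = fingerprint(data)

    def check(self, name: str, data: bytes, size_only: bool = False) -> str:
        """Decide an outbound connection attempt by program `name` whose
        on-disk bytes are `data`. Returns 'allow', 'prompt' (program never
        seen before) or 'changed' (known name, but the binary differs)."""
        if name not in self.rules:
            return "prompt"
        known_size, known_hash = self.rules[name]
        size, digest = fingerprint(data)
        if size_only:   # the weaker, Sygate-style comparison
            return "allow" if size == known_size else "changed"
        return "allow" if (size, digest) == (known_size, known_hash) else "changed"

# Constructed sample "binaries" (not real executables)
REAL_IE = b"MZ real internet explorer v6 " * 4
SAME_SIZE_FAKE = b"MZ fake internet explorer v6 " * 4   # same length as REAL_IE
BIGGER_FAKE = REAL_IE + b"extra payload"

def demo() -> tuple:
    fw = AppFirewall()
    fw.allow("iexplore.exe", REAL_IE)            # user allowed the genuine IE once
    return (
        fw.check("iexplore.exe", REAL_IE),                          # genuine: allow
        fw.check("iexplore.exe", BIGGER_FAKE, size_only=True),      # size check catches it
        fw.check("iexplore.exe", SAME_SIZE_FAKE, size_only=True),   # size check misses it
        fw.check("iexplore.exe", SAME_SIZE_FAKE),                   # hash catches it
    )   # ("allow", "changed", "allow", "changed")
```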