
Are there any security benefits to having a dedicated firewall rather than having a firewall established on a router? Thanks.

Sheldon

6 Answers

A lot of that depends on the router in question. For instance, an ASA Services Module in a Cisco Catalyst switch has a lot more functionality than some low end dedicated firewalls. But then, the argument here is, "is a blade a dedicated firewall?"

Dedicated hardware generally gives you better functionality for the Firewall role, and includes other perimeter services like:

  • IDS / IPS
  • More robust application-level gateways (make sure TCP/80 is really HTTP and not SSH, that kind of thing)
  • VPNs, IPSec and SSL.
  • Integration with authentication systems
  • Ability to proxy certain application traffic

There is also a strong argument to make for having a dedicated device handle your perimeter connection: should an external attack take out your border device, the only thing affected on your network is the connection to the outside world.

sysadmin1138

I think you mean here by firewall a hardware-based firewall as opposed to a software-based firewall like netfilter in Linux.

Most if not all routers support some type of access control list (ACL) which can act as a firewall. Dedicated hardware firewalls are better because they are more powerful (can process more traffic), support stateful inspection, and can have more advanced features like attack detection (IDS/IPS). In the end, this depends on your requirements and the chosen hardware.

Khaled
  • Also, if you experience an attack (eg. DDoS) from the outside, and flood protection is handled by a dedicated firewall, your router can continue to operate normally – Mathias R. Jessen Mar 03 '12 at 12:04
  • @MathiasR.Jessen: Yes, this is because the border firewall should block the traffic before reaching the internal router. – Khaled Mar 03 '12 at 12:09

There aren't really security benefits to it if you can specify roles in the router. However, don't confuse an ACL with a firewall.

A separate firewall is better because then your router only needs to use its resources to route, while your firewall does its bit with its own resources. If you put those two on one machine, they will share resources and one could start dominating the resources when things go bad (DDoS).

Also, a separate firewall sometimes comes with neater features like IDS, deep packet inspection, etc.

Another tip when buying a firewall: don't look at the bandwidth, but ask them how many packets a second it can process. Often they advertise high bandwidths of 1 Gbit, but this is calculated on 64 KB packets. So if someone wants to attack you they just need to send tons of 4 KB packets, which will make your throughput come to a screaming halt.

Lucas Kauffman

One of the key advantages of a dedicated firewall box, especially if your firewall-setup-in-a-router is a set of hand-made iptables rules (as mine is), is easy management and maintainability. This isn't a security benefit directly, but anything that makes keeping secure less hassle is an indirect but quantifiable benefit in that area.

Also, dedicated firewall boxes tend to do far more than just packet filtering; good ones tend to offer certain types of DoS protection, more advanced packet inspection options (is a connection via TCP port 80 really an HTTP stream?), and so forth.

While some routers also offer this sort of feature set, you will usually find they are not as good at it as a dedicated firewall designed for that job. For instance, you might be surprised how much CPU time complex packet inspection rules can take, and dedicated firewall boxes will have the processing power (via faster CPUs and/or some logic acceleration in dedicated special-purpose chips) to keep a 100Mbit or even Gbit line saturated, where a router that has firewall features tacked on in software only (especially "consumer grade" routers) might not.

David Spillett
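The "is TCP/80 really HTTP?" check that two of the answers above describe, as an added illustration that is not code from the original post or from any particular firewall product: a minimal application-protocol classifier run over a constructed set of first-payload samples (the flow tuples and payloads are made up for the example), flagging flows whose payload does not look like the protocol expected on that port.

```python
import re

# Constructed sample of the first client bytes seen on flows to TCP/80 (not real captures).
SAMPLE_FLOWS = {
    ("10.0.0.5", "203.0.113.10", 80): b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
    ("10.0.0.7", "203.0.113.11", 80): b"SSH-2.0-OpenSSH_8.9\r\n",        # SSH tunnelled over port 80
    ("10.0.0.9", "203.0.113.12", 80): b"\x16\x03\x01\x00\xc8\x01\x00\x00",  # TLS ClientHello on port 80
    ("10.0.0.3", "203.0.113.13", 80): b"\x00\x00\x00\x2a\x01\x00\x00\x00",  # unrecognised binary
}

# HTTP/1.x request line: METHOD SP request-target SP HTTP/1.x CRLF
HTTP_REQUEST_LINE = re.compile(rb"^[A-Z]{3,7} \S+ HTTP/1\.[01]\r\n")

def classify_payload(data: bytes) -> str:
    """Guess the application protocol from the first bytes a client sends."""
    if HTTP_REQUEST_LINE.match(data):
        return "http"
    if data.startswith(b"SSH-"):          # SSH identification string (RFC 4253)
        return "ssh"
    # TLS record header: content type 0x16 (handshake), version 0x03 0x00..0x04
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        return "tls"
    return "unknown"

# Which protocol an application-level gateway would expect on each port.
EXPECTED = {80: "http", 443: "tls", 22: "ssh"}

def policy_violations(flows):
    """Return (src, dst, port, seen_protocol) for flows whose payload does not match the port."""
    violations = []
    for (src, dst, port), payload in flows.items():
        seen = classify_payload(payload)
        expected = EXPECTED.get(port)
        if expected is not None and seen != expected:
            violations.append((src, dst, port, seen))
    return violations

if __name__ == "__main__":
    for src, dst, port, seen in policy_violations(SAMPLE_FLOWS):
        print("%s -> %s:%d carries %s, not %s" % (src, dst, port, seen, EXPECTED[port]))
```

A real application-level gateway keeps inspecting beyond the first bytes, but the same idea applies: the port number is a hint, not proof of the protocol.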

Think about the router and FW as separate lines of defense against an attacker. Two is better than one.

Lazy Badger

Think of a firewall as a sheep dip where everything is "cleansed" before information (because that's what data is) moves to the next stage of transmission.

If you can deal with the slight degradation of speed, base your network security on the old-fashioned store-and-forward philosophy. Everything, including email, is temporarily stored on the firewall and AV-checked before forwarding to the destination (internal or external).