
What are the advantages of getting a dedicated firewall instead of, or in addition to, using ACLs and IP inspection on a router?

I realize this might depend on the version of the router; are certain router versions basically a firewall and a router in one unit?

Kyle Brandt

6 Answers


I would say that they are not designed to do the same things. ASAs have powerful CPUs, so they can handle large numbers of packets with very large/complex access lists. Newer versions of IOS can do stateful inspection, but it's CPU intensive.

ACLs (used for IP filtering) on routers were originally designed to filter network-to-network flows using only short access lists. This works on the ASIC and is very, very fast. Today you can do more powerful filtering, but it will need to be done on the CPU, and a router's CPU tends to be less powerful than that in a firewall.

So I would use short ACLs on routers handling large amounts of traffic, which will run on the ASIC. I would use complex ACLs (CBAC & co.) on a router that will only have small amounts of traffic to filter. But I would use an ASA to filter traffic from one network to another, because you will need large and complex ACLs that won't run on a router ASIC, and you will be passing too many packets for the router to handle that with its CPU.

Cian
radius
  • @Cian is correct: firewalls do packet filtering really well. Routers also do it well, they are just not optimized for the feature set, so it will cost you. If you go with a Cisco router, CBAC is going away and the new hotness is zone-based firewalls http://j.mp/AOpHZ Very nice and full-featured firewall. – Jeremy Rossi Sep 10 '09 at 17:55
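To make the division of labour the answer describes concrete, here is an added example (not configuration from the answer or its commenters) on Cisco IOS: a pair of short stateless ACLs on a busy transit path, where they run on the ASIC, and a zone-based firewall policy on the Internet edge, where keeping state is worth the CPU. Interface names, subnets and descriptions are assumptions.

```cisco
! --- Short stateless ACLs for a high-traffic transit path (ASIC-friendly) ---
! A handful of entries and no state. Return traffic is let back by "established",
! which only checks that the ACK or RST bit is set; it is not stateful inspection
! and will pass a crafted ACK scan. Subnets are assumed: 10.10/16 users, 10.20/16 DC.
ip access-list extended USERS-IN
 remark Users may reach the datacentre on HTTPS and SSH only
 permit tcp 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255 eq 443
 permit tcp 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255 eq 22
 deny   ip any any log
!
ip access-list extended DC-IN
 remark Only replies to sessions the users opened
 permit tcp 10.20.0.0 0.0.255.255 10.10.0.0 0.0.255.255 established
 deny   ip any any log
!
interface GigabitEthernet0/1
 description User VLANs (assumed)
 ip access-group USERS-IN in
!
interface GigabitEthernet0/2
 description Datacentre VLANs (assumed)
 ip access-group DC-IN in
!
! --- Zone-based firewall on the Internet edge (stateful, runs on the CPU) ---
zone security INSIDE
zone security OUTSIDE
!
class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop log
!
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
! No OUTSIDE->INSIDE zone-pair exists, so unsolicited inbound traffic is dropped;
! replies to inspected sessions are admitted from the state table instead of an ACL.
!
interface GigabitEthernet0/0
 description Internet (assumed)
 zone-member security OUTSIDE
!
interface GigabitEthernet0/1
 zone-member security INSIDE
```

`show ip access-lists` shows per-entry hit counters for the stateless ACLs, and `show policy-map type inspect zone-pair sessions` shows the state table the zone-pair is maintaining; the size of that table, and the CPU it costs, is what the answer is warning about when it says not to put this on a router carrying a lot of traffic.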

Stateful filtering. Router ACLs are (for the most part) stateless, which is a PITA.

Cian
  • I thought IP inspection was stateful? – Kyle Brandt Sep 10 '09 at 12:11
  • Typically, the firewall has more CPU to handle more states than the router. – kmarsh Sep 10 '09 at 13:26
  • IP inspection may be. But routers generally don't have the RAM to hold very large numbers of states, nor the CPU power to run packets through large ACLs. – Cian Sep 10 '09 at 13:29
  • Reflexive rules are actually pretty cool though; I wish I could do something similar with the ASAs: allow inbound ICMP or UDP return traffic for 30 seconds after an outbound packet is seen... – Zypher Sep 10 '09 at 21:31
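The behaviour Zypher's comment describes, as an added IOS example that is not part of the answer or the comments: a reflexive ACL records each outbound session and opens a temporary inbound entry for it, and for UDP and ICMP, which have no connection flags, the timeout is the only thing that closes that entry. The interface, the published server address and the timeouts are assumptions.

```cisco
! Outbound ACL: every permitted flow creates a temporary entry in the named
! reflexive list. TCP entries are also closed on FIN/RST; UDP and ICMP entries
! live only until the idle timeout expires (30 s here, chosen as an assumption).
ip access-list extended INSIDE-OUT
 permit tcp  any any reflect TCP-RETURN  timeout 300
 permit udp  any any reflect UDP-RETURN  timeout 30
 permit icmp any any reflect ICMP-RETURN timeout 30
 deny   ip any any log
!
! Inbound ACL: "evaluate" inserts the temporary entries at that point in the
! list, so only replies to sessions seen leaving are admitted, plus whatever
! you publish explicitly.
ip access-list extended OUTSIDE-IN
 evaluate TCP-RETURN
 evaluate UDP-RETURN
 evaluate ICMP-RETURN
 remark Published mail server (address assumed, TEST-NET-3)
 permit tcp any host 203.0.113.10 eq 25
 deny   ip any any log
!
interface GigabitEthernet0/0
 description Internet (assumed)
 ip access-group INSIDE-OUT out
 ip access-group OUTSIDE-IN in
```

`show ip access-lists` lists the temporary reflexive entries while they exist, which is the quickest way to confirm a hole is closing when it should. The limitation a practitioner should keep in mind: reflexive entries match only on the addresses and ports of the original packet, so a protocol that negotiates a second channel on a different port (active-mode FTP is the classic case) will have its data connection dropped; that is the gap CBAC and the zone-based firewall fill by parsing the application protocol.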

Now that Cisco is adding routing protocols to the ASA firewall, and fewer scenarios require fancier interfaces than Ethernet, the economics are pretty compelling for using a firewall instead of a router wherever it will do what you need, at least in Cisco's world.

Vastly more throughput per $.

On the other hand... Embedded Event Manager for programming custom responses is on the shrinking list of features you don't get... yet.

Paul

I have been using an ASA5520 for my security and Layer 3. All my switches are Layer 2. This environment handles perfectly for 150-180 users. I added an additional Layer 3 card in the back to give me a total of 8 Layer 3 ports on my ASA. I am using a hybrid of router-on-a-stick. I have 3 ports that are dedicated to VLANs (port 0 VLANs 5-50) (port 1 VLANs 60-100). Ports 2 and 3 are dedicated to my primary Internet and SIP Internet trunk for my crappy PBX.

I was skeptical at first, but 3 years after implementing, it has been a total rock star. This setup saved me $$ on spending on a dedicated router. I think if my environment hits the 200-user mark, I'll upgrade to a kick-butt Layer 3 router and core switches. I'll keep the ASA.

George

Or to expand on Cian's answer, with a proper firewall device you can get in and have a look at the data being passed.

Your regular router can restrict on source IP, destination IP and port, which can help you block, say, all HTTP traffic on port 80 coming from/to such and such.

But a full-on firewall will let you look at the traffic passing through it on port 80 and block out specific content.

I can for instance block traffic with a content type of 'application/x-javascript' or 'audio/x-pn-realaudio'. All other HTTP based traffic can be accessed ok, but my users won't be able to download JavaScript and Real Audio content.

Add value to this by plumbing in a virus scanner on the Firewall itself (most manufacturers have some kind of subscription based offering these days) and your firewall device can give much greater protection than your router.

radius
SteveBurkett

Nowadays firewalls (even Cisco's) are far more than packet filters:

  • Decode certain application protocols (IDS/IPS functionality, URL filter, etc)
  • Rewrite headers (e.g. NAT)
  • VPN Gateway
  • Anti Virus
  • you name it

If you need raw packet filtering for high-bandwidth traffic between your VLANs, use ACLs in your backbone. But if it comes to connecting your network to another, you may want to control more than layer 4.

PEra
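The content-type blocking SteveBurkett describes and the application-protocol decoding in PEra's list are the same capability, so here is one added example covering both, on a Cisco ASA (it is not the configuration either of them was running; SteveBurkett does not say which firewall he uses). It drops HTTP responses whose Content-Type header names the two MIME types from his answer, something a Layer 3/4 ACL cannot express. The regex and class names are assumptions, `global_policy` and `inspection_default` are the ASA defaults, and the exact `match response header` keywords should be checked against the ASA version in use.

```cisco
! Application-layer inspection on an ASA: look inside cleartext HTTP and
! drop responses by MIME type. Regex names are assumptions.
regex JS-MIME    "application/x-javascript"
regex REALAUDIO  "audio/x-pn-realaudio"
!
! Match any response whose Content-Type header hits one of the regexes.
class-map type inspect http match-any BLOCKED-MIME
 match response header content-type regex JS-MIME
 match response header content-type regex REALAUDIO
!
policy-map type inspect http HTTP-CONTENT-POLICY
 parameters
  protocol-violation action drop-connection log
 class BLOCKED-MIME
  drop-connection log
!
! Attach the HTTP inspection to the default global service policy.
policy-map global_policy
 class inspection_default
  inspect http HTTP-CONTENT-POLICY
!
service-policy global_policy global
```

Two caveats before relying on this: the inspection sees only cleartext HTTP, so anything delivered over HTTPS passes untouched unless TLS is terminated somewhere the firewall can see into it; and the match is on the server's declared Content-Type, so JavaScript served as `application/javascript` or `text/javascript` is not caught by these two regexes. `show service-policy inspect http` shows the drop counters so you can confirm the policy is actually firing.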