Router ACL vs PIX Firewall

[zillah]

What is the difference between a Router ACL and a PIX Firewall, I have searched through google, all links that I found were not rich of informations.

http://honor.icsalabs.com/pipermail/...er/003710.html

http://networking.ittoolbox.com/grou...urity-l/700225

http://honor.icsalabs.com/pipermail/...er/003731.html

http://www.experts-exchange.com/Hard..._21648038.html

Any resources shows us comparison ?

[d0pp]

...


Ummm...


An ACL is just a rule used by a router or firewall to allow or deny a packet.


Unless I'm missing something?


Maybe you wanto compare a checkpoint firewall with cisco pix?

[Nokia]

An ACL will filter out a specified type of data packet, destined for a certain port/IP address and/or coming from a certain port/IP address.

It is something that you manually type into a router. If you want to block another type of data packet etc you need to type another rule in - In a nut shell! The problem with this is that the data packets are already on the network unless the router is the default gateway.

A PIX firewall will filter out many different types of data packet destined for the entire network from many different ports etc and usually sits on/near to the "outside" of the network to prevent the traffic getting on the network in the first place.

Normally a firewall and ACL's work hand-in-hand.

[The_Captain]

What is the difference between a Router ACL and a PIX Firewall, I have searched through google, all links that I found were not rich of informations.

Ok, well.. lets talk firewalls v. routers. and then we can talk about the differences between their access lists.

A router is designed to do two things in a network, path determination and switching of packets. The router will do this within its network anywhere it knows to send the information and is trusting in nature, that is to say that unless you implicitly deny the flow of packets based on something like port number or source ip address then the router will always forward the data.

A PIX firewall, which is Cisco proprietary, stands for packet internetwork exchange and is indeed designed to be an edge device between autonomous networks. The PIX firewall acts using a trusted inside interface and an external untrusted interface (now this is simplified I know. but using just simply a two interfact pix as an example) The internal traffic will always be allowed out and traffic generated by the remote host that coincides with the leaving traffic will be allowed in by a technology known as dynamic access lists.

The access lists on a Firewall then perform a completely different function. They are designed to stop traffic on the inside from being trusted or to implicitly allow traffic on the outside that would normally be untrusted.

Think of a router like a traffic light it's going to let everything go through it if it knows how to unless you say otherwise. You can think of a firewall as a bouncer, you can not come in the club unless you have proper authorization or if you were already in the club they'll just let you in because of the stamp on your hand. If that analogy makes any sense.


So, to make sense of it all a Firewall is going to allow traffic to flow from trusted to untrusted interfaces only unless you use an access list as a rule to allow or deny information, but a router is going to trust all information unless you use the access list to filter information.

Something universally true about designing access lists though is that you really need to think about their implementation. They are applied rule by rule from the top down and if you don't really really really check your logic you're asking for a lot of networking problems on implementation. Always backup your config before making the change and if this didn't make any coherent sense I'll try to explain it more clearly.

[d0pp]

Like I said, it's a rule or set of rules that tells the device to allow or deny a packet.

Damn yer wordy...

[The_Captain]

Ha ha, sorry about that... trying to be thorough

[d0pp]

I on the other hadn. Am trying to be an ass.

[zillah]

Thanks The_captain

differences between their access lists.

I am looking to find what is the difference bewteen a router when it do the job of a pix firewall (router do the job of a firewall when we configure an ACL , stabdard, extended, reflexsive,,,etc) and pix firewall itself ? (i.e if we have been asked can we use a router instaed of pixfirewall ? what should be our answer ?)

1- One of difference I have been told ( not sure) that pix firewall has a feature of IDS, while router does not have that feature.

2- Yes I knew that ACL is one (ou of many) of the router's feature (it has many other features) while PIX is dedicated to be a firewall,,,,but this does not mean that router can not do the job of a PIX.

3- Yes PIX has trusted and untrusted ports (like other firewall for exampel NetScreen), while router does not have ,,,,Can we consider this as difference ? (I am not quite sure).

Off topic: Is there any email notification when there is reply to the thread, because I have not received any email notification, through I have enabled every thing within my profile!!!

[mkofron]

Originally posted here by zillah
Thanks The_captain

I am looking to find what is the difference bewteen a router when it do the job of a pix firewall (router do the job of a firewall when we configure an ACL , stabdard, extended, reflexsive,,,etc) and pix firewall itself ? (i.e if we have been asked can we use a router instaed of pixfirewall ? what should be our answer ?)

A router with an ACL examines the source IP address, destination IP address and protocol or protocol range. If the packet matches a rule, it is permitted or denied as determined by the ACL. All it is doing is simple packet filtering.

A PIX firewall performs stateful packet inspection and has some application awareness for a few protocols. This offers a higher level of protection than simple packet filtering. The PIX firewall also pays attention to the state of the connection. It mantains a table of connections and from this knows if return packets are to be allowed or denied.

As an example, with simple packet filtering it is simple to bypass the ACL by sending crafted packets with the ACK flag set. This will trick the packet filter on the router into believing it is part of an already established connection and forward the packet through. A PIX firewall with stateful packet inspection will see that there is no such connection since it maintains a state table, and will drop that packet.

So, no a router cannot be used in place of a firewall.

Do a Google search for a comparison between packet filtering, stateful packet inspection, and application proxies. Then you'll get a better idea of the differences between router's doing simple packet filtering and what various firewalls are capable of...

[Nokia]

You can use a router as a form of Firewall but you need to know a lot of things in advance. If you just want to stop a certain type of packet coming from a known IP address, yes you can construct and ACL to prevent this - but as has been mentioned in the above post - it is not terribley hard to circumvent an ACL.

ACL's come in handy as "internal firewalls" to filter out certain types of packet etc on your network but if you are lookjing for something to put out as your border defense for the entire network - get a firewall!

An example of an ACL is:

Code:

access-list 101 deny tcp any any eq 31337

This will deny TCP traffic from any host to any host directed towards port 31337.

This is just one rule - but can you see the problem with using ACL's instead of a fire wall? All this rule has done in prevent TCP traffic destined for one port - 31337.

So you now have one port secure!
Only another 65535 acl's to write and you can have all your ports filtered!