Originally posted here by zillah
Thanks The_captain

I am looking to find what the difference is between a router when it does the job of a PIX firewall (a router does the job of a firewall when we configure an ACL: standard, extended, reflexive, etc.) and the PIX firewall itself. (i.e. if we have been asked whether we can use a router instead of a PIX firewall, what should our answer be?)

A router with an ACL examines the source IP address, destination IP address and protocol or protocol range. If the packet matches a rule, it is permitted or denied as determined by the ACL. All it is doing is simple packet filtering.

A PIX firewall performs stateful packet inspection and has some application awareness for a few protocols. This offers a higher level of protection than simple packet filtering. The PIX firewall also pays attention to the state of the connection. It maintains a table of connections and from this knows if return packets are to be allowed or denied.

As an example, with simple packet filtering it is simple to bypass the ACL by sending crafted packets with the ACK flag set. This will trick the packet filter on the router into believing it is part of an already established connection and forward the packet through. A PIX firewall with stateful packet inspection will see that there is no such connection since it maintains a state table, and will drop that packet.

So, no, a router cannot be used in place of a firewall.

Do a Google search for a comparison between packet filtering, stateful packet inspection, and application proxies. Then you'll get a better idea of the differences between routers doing simple packet filtering and what various firewalls are capable of...
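To make the difference concrete, here is an added toy model (not code from the thread or from Cisco) of a stateless "permit if ACK is set" ACL next to a firewall that keeps a connection table. The addresses, ports and the "inside is 10.x" rule are constructed assumptions; no real packets are sent.

```python
# Added example: stateless ACL versus stateful connection table (toy model).
# Packets are constructed in-memory records, not captured traffic.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def is_inside(ip: str) -> bool:
    # Assumption for the toy: the protected network is 10.0.0.0/8.
    return ip.startswith("10.")


def stateless_acl(pkt: Packet) -> str:
    """Router-style ACL: inbound TCP is permitted only if it looks like a
    reply (ACK set), in the spirit of the classic 'established' keyword.
    It cannot know whether a matching connection ever existed."""
    if is_inside(pkt.src):
        return "permit"  # outbound traffic is always allowed here
    return "permit" if pkt.ack else "deny"


class StatefulFirewall:
    """PIX-style filter: remembers connections opened from inside and only
    permits inbound packets that belong to one of them."""

    def __init__(self) -> None:
        self.table: set[tuple[str, int, str, int]] = set()

    def filter(self, pkt: Packet) -> str:
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if is_inside(pkt.src) and pkt.syn and not pkt.ack:
            self.table.add(flow)  # inside host opens a new connection
            return "permit"
        if flow in self.table or reverse in self.table:
            return "permit"  # part of a tracked connection
        return "deny"  # no matching state in the table: dropped


def demo() -> dict[str, tuple[str, str]]:
    """Returns {packet name: (stateless verdict, stateful verdict)}."""
    fw = StatefulFirewall()
    outbound = Packet("10.1.1.5", 40000, "203.0.113.7", 80, syn=True)
    reply = Packet("203.0.113.7", 80, "10.1.1.5", 40000, syn=True, ack=True)
    stray = Packet("198.51.100.9", 4444, "10.1.1.5", 22, ack=True)  # no prior connection
    results = {}
    for name, pkt in (("outbound", outbound), ("reply", reply), ("stray_ack", stray)):
        results[name] = (stateless_acl(pkt), fw.filter(pkt))
    return results
```

Running `demo()` shows the stray ACK-only packet permitted by the ACL but denied by the stateful filter, while the genuine reply passes both.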