Old January 11th, 2010, 08:13 AM   #1
asegur
Junior Member
 
Join Date: Jan 2010
Posts: 1
Firewall and router

I have a simple question. Why should it be necessary to put a firewall protecting a network, if the router is already closing the unnecessary ports?
Thanks
Old January 11th, 2010, 11:00 AM   #2
CybertecOne
Keeping The Balance
 
 
Join Date: Aug 2004
Location: Australia
Posts: 608
A simple answer in this case - the router IS the firewall.

The router is a hardware firewall, as opposed to a software firewall (application such as Sygate or Zonealarm).

I always prefer using a router or hardware firewall, unless a proxy/ISA is ideal (software running on a dedicated server). Such things are used after consideration of the existing/future network.
__________________
Space For Rent
Old January 11th, 2010, 05:56 PM   #3
instronics
Antionline's Security Dude
 
 
Join Date: Dec 2002
Posts: 867
Apart from that, a real firewall is SO MUCH MORE than just something that closes ports from the outside. It all comes down to what you want to protect, and how much time/effort you're willing to invest. Whilst for a simple home network, a simple router with firewalling functions might suffice, it is far from being a real firewall with tighter security.

There are many different types of firewalls that offer different types of security. Don't forget that a large risk in computer security happens also from the inside, and not only from the outside.

Cheers.
__________________
Ubuntu-: Means in African : "Im too dumb to use Slackware"
Old January 13th, 2010, 02:51 AM   #4
keezel
0_o Mastermind
 
 
Join Date: Jun 2003
Location: Atlanta
Posts: 1,009
Quote:
Don't forget that a large risk in computer security happens also from the inside, and not only from the outside.
I'll echo this. A software firewall will prompt and alert you to unusual/new inbound and outbound traffic. Awareness is key. Some decent routers also maintain logs, but they are harder to read. Software firewalls running on your own computer tend to be much more user friendly.
__________________


http://tazforum.thetazzone.com/
Old January 20th, 2010, 03:56 AM   #5
D0pp139an93r
Bąnned
 
 
Join Date: May 2003
Location: St. Petersburg, FL
Posts: 1,597
A firewall is nothing more than a network traffic light. It allows packets based on a simple set of rules, and denies everything else.

The security of each host is dependent on the configuration of the individual host. My own thoughts on software firewalls and OS configurations are relatively well known and probably outside the scope of this thread, so I'll leave it as it is.

Software firewalls are useless, especially behind a hardware solution. By the time malicious traffic is outbound, you've already failed.

The attack vectors that you need to worry about are the ones that come through established connections. Messengers, browsers, and other networked applications.

By limiting those applications' access and permissions within the system, you can create a system that doesn't need the possibly exploitable software nonsense that modern PCs are full of.
__________________
A conspiracy of one...
Old January 28th, 2010, 10:31 AM   #6
MURACU
AO Guinness Monster
 
 
Join Date: Jan 2004
Location: paris
Posts: 988
I would view it like this: A router needs to be configured to block traffic while a firewall needs to be configured to allow traffic. You can configure the router as a firewall but it tends to result in a fairly complicated configuration on the router. Also it can complicate troubleshooting network issues. Of course at the end of the day it will depend on the resources you have available and the size of your network.
Cheers
Muracu
__________________
"America is the only country that went from barbarism to decadence without civilization in between."
"The reason we are so pleased to find other people's secrets is that it distracts public attention from our own."
Oscar Wilde(1854-1900)
Old January 29th, 2010, 07:30 AM   #7
CyberB0b
Senior Member
 
Join Date: Nov 2001
Posts: 100
Software firewalls are far from useless. A software firewall is important to protect you from what is inside the network. NAT routers only protect you from what's outside. If you have an infected machine on your network or are using wifi hotspots you need a software firewall to protect you from intrusions coming from inside the LAN.
__________________
sandwich.
Old January 29th, 2010, 08:07 PM   #8
nihil
Super Moderator: GMT Zone
 
 
Join Date: Jul 2003
Location: United Kingdom: Bridlington
Posts: 15,990
Hi,

As said above, but please consider this:

If you don't have it and things go wrong YOU are fired..............otherwise you did "industry standards"....

There are some on this site who might advise otherwise, from their self-perceived high and mighty positions....... I have seen them crap out in court.......... probably flipping burgers now

Sysadmin is basically middle management at best, and most know jack sh1t about management at that, at least the cutthroat nature of some of it

I can give you some case examples of your question.......... but I will leave them for the moment............

EDIT:

I realise that I probably sound somewhat defeatist, but I am a firm believer in "CYA" or "due diligence"............. whatever you like to call it.

I wouldn't like to explain to a CEO why I had decided against a firewall, when he has probably heard of those, but knows nothing about routers. It is a bit like the arguments for and against AV products.........sure, they may not do much for you, but they are an insurance policy for your job?

Quote:
if the router is already closing the unnecessary ports?
That still leaves you with the issue of what traffic is allowed through the ports you need to keep open?

OK, some quality routers also act as a hardware firewall as well, and at the risk of sounding pedantic, I would describe them as combo products rather than just a router.

Some very good points were made about the "enemy within"...............typically your router and hardware firewalls are at the perimeter. You may decide to deploy internal firewalls in certain circumstances...............possibly in a school or college environment?
__________________
If you cannot do someone any good: don't do them any harm....
As long as you did this to one of these, the least of my little ones............you did it unto Me.

Last edited by nihil; January 30th, 2010 at 10:26 AM..
Old February 1st, 2010, 10:04 AM   #9
CybertecOne
Keeping The Balance
 
 
Join Date: Aug 2004
Location: Australia
Posts: 608
To explore yet another view point, a router connects your LAN to the internet. A Firewall has the domain over traffic control.

Now, in a small SOHO network, a router is needed to connect the network to the internet, and due to the size and nature of the network, a single firewall at the LAN WAN interface is needed - the router would do fine here....

However, ideally you are wanting to firewall protect every segment of the network that is critical. In a large network, multiple firewalls would be utilised, and some to protect only a single server..... another firewall to protect the workstations (on the same physical or logical network) and yet another firewall to protect the file server, as well as a WAN LAN interface firewall....... and each would be configured uniquely depending on the requirements of communication between each 'firewall protected' segment of the network.

Ideally....

Anyway, my point is when exploring the debate from this point of view, a router is needed to translate between the LAN and WAN only, whilst a firewall will do the protecting and traffic flow at various points throughout the network. From this point of view, the router and the firewall roles cannot be interchanged.
__________________
Space For Rent
Old February 4th, 2010, 01:59 PM   #10
morganlefay
AOs Resident Troll
 
Join Date: Nov 2003
Posts: 3,055
To quote a very wise ex AOer, catch

"there is no such thing as a hardware firewall"

in essence because these devices are run by software :biggrin:

Use both....router to protect from external threats and the computer firewall to protect from internal.

MLF
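
The default-policy difference raised in posts #6, #7 and #10, as an added example that is not part of the original thread: a minimal first-match packet filter comparing a router-style ACL (default allow) with a firewall-style policy (default deny). The addresses, ports and rule sets are constructed for illustration, and NAT and connection state are left out.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing (an assumption, not from the thread): one LAN behind
# a single perimeter device; 203.0.113.5 is a documentation-range outsider.
LAN = ip_network("192.168.1.0/24")
ANY = "0.0.0.0/0"

def decide(rules, default, pkt):
    """First matching rule wins; otherwise the device's default policy applies."""
    for action, src, dst, port in rules:
        if (ip_address(pkt["src"]) in ip_network(src)
                and ip_address(pkt["dst"]) in ip_network(dst)
                and port in (None, pkt["port"])):
            return action
    return default

def crosses_perimeter(pkt):
    """The perimeter device only sees traffic with exactly one end on the LAN."""
    return (ip_address(pkt["src"]) in LAN) != (ip_address(pkt["dst"]) in LAN)

# Router-style ACL: default allow, the administrator lists ports to close.
ROUTER_ACL = ([("deny", ANY, str(LAN), 23), ("deny", ANY, str(LAN), 445)], "allow")
# Firewall-style policy: default deny, the administrator lists what is needed.
FIREWALL = ([("allow", ANY, "192.168.1.10/32", 443)], "deny")

PACKETS = {  # constructed sample traffic
    "inbound telnet": {"src": "203.0.113.5", "dst": "192.168.1.20", "port": 23},
    "inbound https to server": {"src": "203.0.113.5", "dst": "192.168.1.10", "port": 443},
    "inbound to unlisted port": {"src": "203.0.113.5", "dst": "192.168.1.20", "port": 8080},
    "LAN host to LAN host": {"src": "192.168.1.66", "dst": "192.168.1.20", "port": 445},
}

def verdicts(policy):
    """Map each sample packet to allow/deny, or 'not seen' if it stays on the LAN."""
    rules, default = policy
    return {name: decide(rules, default, p) if crosses_perimeter(p) else "not seen"
            for name, p in PACKETS.items()}

if __name__ == "__main__":
    for label, policy in (("router ACL", ROUTER_ACL), ("firewall", FIREWALL)):
        print(label, verdicts(policy))
```

The unlisted port passes the default-allow ACL but not the default-deny policy, and neither perimeter device ever sees the LAN-to-LAN packet, which is the gap a host firewall covers.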

All times are GMT +1.