Solved

Routers w/ firewall capability vs. Firewall Appliance

February 24, 2011 7:33:24 PM

Hello,

I have a Belkin router at home, Verizon included it in their FIOS subscription. It comes with a built-in firewall, can control which ports are open through browser by accessing router IP address. I ran ShieldsUP! against my router and only port 80 is open, to route HTTP requests to a computer hosting a website.

So my question:
Why can't someone purchase a gigabit router w/ firewall capability to use in a production environment vs. a CISCO Firewall appliance?

Router is cheaper and can operate on both Layer 2 and Layer 3 of the OSI model. Just curious, but can a firewall operate on Layer 2, full duplex data transfers like a switch?
Both are capable of NAT, the only problem is the number of concurrent sessions...don't think a router can support 100,000+ hits at once. Please refer any firewall appliances, or routers w/ firewall built in that perform well.
February 25, 2011 3:05:34 AM

Well, you have to remember that the line many times is pretty gray between the two. While both can perform the task of routing and firewalling, it comes down to the product's intended focus.

In your example for a standard "home user", a standard gigabit router vs a Cisco ASA (Adaptive Security Appliance) appliance (firewall), the home user would probably never know or understand the difference. They are both able to route and firewall packets very effectively at a high speed.

Where the specializations start coming in are in their intended purpose:

A dedicated router has the ability to learn and propagate routes to neighboring routers using protocols such as BGP and RIP, and perform these functions at very high throughput.

A firewall or security appliance focuses on security and may not support advanced routing protocols especially in larger environments. They will focus on connection and state tracking over throughput or routing. Many firewalls offer two modes: "routed" and "transparent", transparent being like a switch at layer 2. A security appliance may also focus on VPN connections including remote access clients; it may also add functionality to include additional features like content filtering, Intrusion Prevention, antivirus, etc.

Now to answer the question of "why spend thousands on a Cisco ASA vs a Linksys with gigabit ports?"... the answers there are simple: stability, capacity, support, and feature sets.

For example, an enterprise Cisco ASA has hardware crypto accelerators capable of terminating 3000+ VPN tunnels concurrently, providing SSL based VPN services to end users authenticated against Active Directory, handing URLs off to Websense for URL filtering, high availability in the event of hardware failure, firewall access lists with hundreds of lines, the ability to parse VLAN tags for interfaces (might have 50 different networks coming in over 1 physical cable), the ability to create multiple contexts which allow you to create separate virtual firewalls, each of which may have its own admin users... best part is that it can do much of this all at the same time. (not all of it though, there are limitations with some configs) Those are some of the nice features, but you also have to remember that the devices are built REALLY well and unlike consumer products they rarely fail, and if they do happen to fail, you can call Cisco who will have a replacement to you in record time, or great INTELLIGENT tech support to help you fix whatever you broke with your configuration.

In comparison, a Belkin or Linksys will probably max out at around 5 - 10 VPN tunnels with maximum throughput usually in the 15 - 20 mbit range, firewall rules are extremely limited in comparison both in numbers and in functionality. You'll also find that it may need power cycles every few weeks to resolve "connection problems". If you need tech support you can try emailing tech support which will likely just keep asking if you can ping the box for a few days before you finally give up and just buy a different brand. The "DMZ" feature also is extremely dangerous and doesn't accomplish anything like a real DMZ will accomplish, in fact it just exposes your whole internal network, just like UPnP can do if one machine happens to get infected with something. Also just because the Belkin has gigabit interfaces doesn't mean it's capable of actually <doing> it. Cisco tends to underrate their specs, whereas most of the home ones do a nice job of avoiding talking about them. :-)

Sooo... in short, while a Belkin or whatever does a good job of fitting the needs of a home user, it really doesn't belong in an enterprise environment where uptime, supportability, government and PCI compliance standards, performance, and overall feature sets aren't just "nice to have" but are absolutely necessary. As the old saying goes, "you never get fired for buying Cisco".

Keep in mind the above was in reference to Cisco (since that's what you asked about), but much of the same applies to many of the enterprise brands / products from companies like Juniper, CheckPoint, etc...
February 25, 2011 4:40:24 AM

Hi brian_tii,

Thank you very much for providing me with that thorough explanation. To be honest, I haven't encountered many of the terms you mentioned above...have to Google it later.

This firewall on newegg.com:
http://www.newegg.com/Product/Product.aspx?Item=N82E168...

(6) 10/100/1000 Copper Gigabit Ports
Throughput: 775 Mbps
Concurrent Sessions: 48,000

Is a Throughput of 775 Mbps = 48,000 Sessions? What happens when it goes past 48,000 sessions? Will it freeze and bring things to a standstill? What will the users accessing the website experience?

Thanks

Best solution

February 26, 2011 12:00:17 AM

Sessions has more to do with the firewall's ability to create and track connections. Throughput is how much traffic data it's able to move.

For example, 20 connections could (not easily) push 775 mbit worth of data through the device doing massive file transfers... conversely you could have 40,000 active connections through the device and only using 3 mbit of bandwidth because there's not much data being moved over all of those connections. The 48,000 is how many connections it can track in its connection state table, 775 mbit is how much data it can flow through on those connections. (Basically)

The Sonicwall you linked to isn't exactly a "home" type of solution and is actually a pretty nice piece of equipment. I've worked with them in a lab environment and was fairly impressed with their ease of use... performance, stability, etc... I can't really speak to since I haven't seen them put under stress, but I'd expect them to be pretty solid. It's probably a good choice for a small / medium sized office.

If the firewall exceeds its connection tracking ability it should just stop accepting new connections, which would likely show up as the "internet dragging to a halt"... though it shouldn't completely stop as connections do age off of the state table and drop when the TCP session ends. Overall 48,000 is a pretty high number that in most cases would be a bit hard to exceed.
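The difference between tracked sessions and throughput described in the answer above, as an added example that is not part of the original post: a toy state table that refuses new connections when full, frees slots when a session ends or idles out, and counts bytes independently of table use. The class and function names, the capacity of 3, the 60-second idle timeout and the sample addresses are assumptions constructed for illustration, not any vendor's behaviour.

```python
from collections import OrderedDict

class StateTable:
    """Toy stateful-firewall connection table (constructed model, not vendor code)."""

    def __init__(self, max_sessions, idle_timeout):
        self.max_sessions = max_sessions   # the "concurrent sessions" figure
        self.idle_timeout = idle_timeout   # seconds before an idle entry ages off
        self.entries = OrderedDict()       # flow 5-tuple -> last-seen time
        self.bytes_forwarded = 0           # what "throughput" measures
        self.refused = 0                   # new connections dropped: table full

    def _age_off(self, now):
        # Entries are kept in last-activity order, so expired ones sit at the front.
        while self.entries:
            flow, last_seen = next(iter(self.entries.items()))
            if now - last_seen < self.idle_timeout:
                break
            del self.entries[flow]

    def packet(self, flow, size, now, syn=False, fin=False):
        """Return True if the packet is forwarded, False if it is dropped."""
        self._age_off(now)
        if flow not in self.entries:
            if not syn:
                return False               # no state and not a new connection
            if len(self.entries) >= self.max_sessions:
                self.refused += 1
                return False               # table full: new connection refused
        self.entries[flow] = now
        self.entries.move_to_end(flow)
        self.bytes_forwarded += size
        if fin:
            del self.entries[flow]         # session ended, slot freed at once
        return True

def demo():
    fw = StateTable(max_sessions=3, idle_timeout=60)
    # Constructed sample flows: five clients connecting to one web server.
    flows = [(f"10.0.0.{i}", 40000 + i, "203.0.113.10", 80, "tcp") for i in range(1, 6)]
    opened = [fw.packet(f, 60, now=0, syn=True) for f in flows]  # 5 clients, 3 slots
    for t in range(1, 11):                 # one flow moves 10 MB; table use unchanged
        fw.packet(flows[0], 1_000_000, now=t)
    in_use_busy = len(fw.entries)
    fw.packet(flows[1], 60, now=11, fin=True)                    # a session closes
    retry_after_close = fw.packet(flows[3], 60, now=12, syn=True)
    retry_after_idle = fw.packet(flows[4], 60, now=75, syn=True) # idle entries aged off
    return opened, in_use_busy, retry_after_close, retry_after_idle, fw.refused
```

Established flows keep passing traffic while the table is full; only clients opening new connections see failures, which is why the symptom looks like a slowdown instead of a hard outage.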
February 28, 2011 3:47:48 AM

Thanks brian_tii, you answered all of my questions with great clarity. Much appreciated!
February 28, 2011 3:47:59 AM

Best answer selected by invulnarable27.
March 1, 2011 1:51:21 AM

invulnarable27 said:
Thanks brian_tii, you answered all of my questions with great clarity. Much appreciated!


Anytime, glad you found it helpful.