
Firewalll vs Firewall router

Bl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
This is a serious question and I know I might get slammed for this but I gotta ask.
Besides obvious issues like single points of failure, etc., what is the benefit of having a true-blue firewall vs. a router acting as a firewall, from a security perspective and a software perspective? For example, I have a 1721 that (along with an access point) will soon be my home router. It will also be my client-to-site VPN device. Would it be better to have it act as my firewall, or have something like a Linux box using iptables or something like that?

Comments

  • Hyper-Me Banned Posts: 2,059
    Well I think one of the reasons would be that generally purpose-built devices are going to be better than a device meant to be "ok" at many things.

    For instance a Cisco PIX firewall and a separate Cisco router is a superior solution to a Linksys WRT with a built-in poop firewall.

    Maybe not the best example, lol.
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    Hyper-Me wrote: »
    Well I think one of the reasons would be that generally purpose-built devices are going to be better than a device meant to be "ok" at many things.

    For instance a Cisco PIX firewall and a separate Cisco router is a superior solution to a Linksys WRT with a built-in poop firewall.

    Maybe not the best example, lol.

    No, not the best lol

    But what I meant was something like a Linux firewall using iptables and hosting OpenVPN vs. a Cisco router hosting my VPN and using the IOS firewall.
  • ilcram19-2 Banned Posts: 436
    To me, and to what the PIX and ASA do, they have a lot of limitations; I usually try to get a router instead, and they are cheaper. The new models of Cisco routers, ISRs and ISR G2, are my choice in any case instead of the ASA or a PIX. The routers are also good firewalls that can be set up with IDS/IPS configurations. Also, when it comes to VPN I'd rather get a router than a PIX or ASA,
    because you have more flavors of VPN, including DMVPN, GET VPN, GRE/IPsec VPNs, as well as regular IPsec VPNs, so routers are more scalable.
    For firewall you have IOS firewall, zone-based firewall, content filtering, and MQC that can be used as well to drop traffic.
    Also QoS for audio and video.
    See the link for the models available:
    Routers - Cisco - Cisco Systems
    My favorite so far is the Cisco 2821.
    I'm hoping to get to play around with a 2921 pretty soon.
    I also like the 871w and 1841.
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    ilcram19-2 wrote: »
    To me, and to what the PIX and ASA do, they have a lot of limitations; I usually try to get a router instead, and they are cheaper. The new models of Cisco routers, ISRs and ISR G2, are my choice in any case instead of the ASA or a PIX. The routers are also good firewalls that can be set up with IDS/IPS configurations. Also, when it comes to VPN I'd rather get a router than a PIX or ASA,
    because you have more flavors of VPN, including DMVPN, GET VPN, GRE/IPsec VPNs, as well as regular IPsec VPNs, so routers are more scalable.
    For firewall you have IOS firewall, zone-based firewall, content filtering, and MQC that can be used as well to drop traffic.
    Also QoS for audio and video.
    See the link for the models available:
    Routers - Cisco - Cisco Systems
    My favorite so far is the Cisco 2821.
    I'm hoping to get to play around with a 2921 pretty soon.
    I also like the 871w and 1841.

    Is this what you use for your home?
    Mind you this is for my house.
  • ilcram19-2 Banned Posts: 436
    Then I'll recommend an 871w router; they are really cheap on eBay and they can do everything that I mention and more. I've got mine set up with WebVPN and SSL VPN.
    I got mine for 275 a while back.
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    ilcram19-2 wrote: »
    Then I'll recommend an 871w router; they are really cheap on eBay and they can do everything that I mention and more. I've got mine set up with WebVPN and SSL VPN.
    I got mine for 275 a while back.

    I was thinking about one, but since I have a 1721 I was going to grab a 1enet and have it act as my main router and then get an access point (I hope to find one that supports VTP and doesn't cost 4000 bucks).

    This is actually my ultimate goal:
    Print Page - HOWTO - OpenVPN + LDAP authentication in pfSense 1.2.2

    I want to get OpenVPN running and authenticating against OpenLDAP. Since I want to be a true Linux head, I wanted to go ahead and use iptables to secure my net as well, but for the purposes of the CCNA:S I need to know (and know well) how to set up Cisco router-based VPNs.
  • nevolved Member Posts: 131
    PFSense rocks, and can handle some serious traffic!
  • Silentsoul Member Posts: 260
    I use a Linksys WRT54GL running DD-WRT and it works great. Lots of features. I also have a PIX firewall I am getting ready to set up since I will be going for my CCNA this year. I see you are going for the Linux+; why not set up a simple server and do something like

    IPCop

    an untangle box
    Untangle

    monowall
    DistroWatch.com: m0n0wall

    or maybe a squid box running iptables.

    Just a couple thoughts. I would like to do an untangle box it's a pretty cool deal.
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    Silentsoul wrote: »
    I use a Linksys WRT54GL running DD-WRT and it works great. Lots of features. I also have a PIX firewall I am getting ready to set up since I will be going for my CCNA this year. I see you are going for the Linux+; why not set up a simple server and do something like

    IPCop

    an untangle box
    Untangle

    monowall
    DistroWatch.com: m0n0wall

    or maybe a squid box running iptables.

    Just a couple thoughts. I would like to do an untangle box it's a pretty cool deal.

    I have tried untangle (not a fan) but the other two seem like good starting points. Good deal.

    EDIT: I should mention that I really want to do the iptables thing. Why? For one, it seems pretty easy to do; for two, a Linux engineer (whom I respect) said iptables shows very advanced Linux skills, some that even most Linux admins don't have; and three, geek points.

    Getting a client-based VPN is going to be huge for me as well. Why? Because my goal is to be an MCSE of Linux, that is, LPIC-2 knowledge of Linux by the end of 2010, so I want to set up my home network to mirror what an enterprise-level network would have (including a web server, databases, LDAP authentication, security, remote access/VPN, automated backup solutions, and whatever else I can think of). All in all I will probably have only 1 Windows server (VMware-based) and 1 Windows client (my wife's laptop) to test Samba.
  • dynamik Banned Posts: 12,312 ■■■■■■■■■□
    I run an ASA 5505; got it for a few hundred on NewEgg. I just got a WRT54GL that I'm going to flash for my wireless studies, but I'm probably not going to do any routing/VPN with it.
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    dynamik wrote: »
    I run an ASA 5505; got it for a few hundred on NewEgg. I just got a WRT54GL that I'm going to flash for my wireless studies, but I'm probably not going to do any routing/VPN with it.

    I saw those, and to be honest it was very tempting, especially if I want to do ASA specialist/CCSP at some point in life (like within the next 18 months).
  • Ahriakin Member Posts: 1,799 ■■■■■■■■□□
    There's a huge amount of traffic sanitation (Protocol compliance, Options filtering, low level packet controls etc.) you can do on an ASA that you can't with the IOS firewall set. If all you want is a simple stateful firewall then CBAC will do the trick, but for corporations go with a dedicated firewall appliance. Also with a router you need to manually protect the control-plane by making sure features that are not hardware accelerated (even if just CEF vs. process switched) are not going to be exploited, the ASA for better or worse is a purely software/cpu driven device so you're not going to miss something falling into a less optimized path - for example you are a lot more likely to cripple a router with a poorly placed ACL log statement than an ASA, now say you have that log statement for a rare traffic type, an attacker manages to capture some of your syslog, works out what is being logged and then hammers your router with it....buh bye (unless of course you have spent time securing the control-plane).
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    Ahriakin wrote: »
    There's a huge amount of traffic sanitation (Protocol compliance, Options filtering, low level packet controls etc.) you can do on an ASA that you can't with the IOS firewall set. If all you want is a simple stateful firewall then CBAC will do the trick, but for corporations go with a dedicated firewall appliance. Also with a router you need to manually protect the control-plane by making sure features that are not hardware accelerated (even if just CEF vs. process switched) are not going to be exploited, the ASA for better or worse is a purely software/cpu driven device so you're not going to miss something falling into a less optimized path - for example you are a lot more likely to cripple a router with a poorly placed ACL log statement than an ASA, now say you have that log statement for a rare traffic type, an attacker manages to capture some of your syslog, works out what is being logged and then hammers your router with it....buh bye (unless of course you have spent time securing the control-plane).

    I am going to have to google a few things to understand what you just said, but it sounded good.

    Are you saying that something like an ASA would be more able to defend against network attacks than a well-placed Linux machine with iptables?

    Also, which would you use for VPN (for home use), a Cisco router or a Linux box/OpenVPN solution?
  • msteinhilber Member Posts: 1,480 ■■■■■■■■□□
    I also picked up an ASA 5505 from Newegg, pretty good value - ended up with an unlimited user bundle very cheap on an open box gamble which I felt comfortable with since I suspect a lot of people buy them not knowing what they are getting into (thinking it's easy as a Linksys to configure).

    My main reasons behind the ASA were partly related to my job as well as my certification goals. Our PIX 506e failed at the office some time ago and I replaced it with an ASA 5510, so the ASA 5505 will give me a good platform to learn a bit more about what we have in the office and how I can better utilize its features without doing the testing on our production environment first. I also plan to go down the Cisco certification path to the CCSP as well, so the ASA might come in handy if I get around to that.

    Currently the ASA is my router/firewall and will probably remain that way. I also have Untangle directly behind that, operating as a bridge. Wireless is provided by a Linksys WAP54G AP running DD-WRT. Untangle is a decent product I think; it has served us well in our branch offices. SuperMicro offers short-depth 1U barebones based off Intel's dual-core Atom CPU. Stick in an 80GB SATA disk and a 2GB stick and you have a 1U Untangle device with two Ethernet interfaces that can handle an office of 50 users easily for about $250.

    Honestly, I would just try a bunch of options with the Linux-based solutions on some inexpensive hardware you might have lying around, just to do it. It's fun to try out and see what the capabilities are. I've tried a handful of solutions and enjoyed messing around with them, like IPCop, Shorewall, Untangle, etc. Do it because it's fun and because you can learn at the same time.
  • msteinhilber Member Posts: 1,480 ■■■■■■■■□□
    knwminus wrote: »
    Also, which would you use for VPN (for home use), a Cisco router or a Linux box/OpenVPN solution?

    I was using two VPN methods prior to running my ASA at home. The first was through a Linksys RV042 router. It worked; very no-frills, straightforward usage for this. Then I used OpenVPN through some of the Linux-based firewall offerings, which catered in with a bit more geek factor.

    Overall I'm happiest with the ASA. I just use the dynamic dns feature with a domain I have hosted at Namecheap and use their DDNS update client. Load up my DDNS hostname in a web browser and use the SSL VPN feature on the ASA. No messing around with clients regardless of the computer I happen to be carrying around with me and I can customize what services on my home LAN I want to be easily accessed through shortcuts on the SSL VPN portal.
  • chrisone Member Posts: 2,278 ■■■■■■■■■□
    Ahriakin wrote: »
    There's a huge amount of traffic sanitation (Protocol compliance, Options filtering, low level packet controls etc.) you can do on an ASA that you can't with the IOS firewall set. If all you want is a simple stateful firewall then CBAC will do the trick, but for corporations go with a dedicated firewall appliance. Also with a router you need to manually protect the control-plane by making sure features that are not hardware accelerated (even if just CEF vs. process switched) are not going to be exploited, the ASA for better or worse is a purely software/cpu driven device so you're not going to miss something falling into a less optimized path - for example you are a lot more likely to cripple a router with a poorly placed ACL log statement than an ASA, now say you have that log statement for a rare traffic type, an attacker manages to capture some of your syslog, works out what is being logged and then hammers your router with it....buh bye (unless of course you have spent time securing the control-plane).

    Couldn't have said it better myself! I agree, ASA > IOS Firewall.
    Certs: CISSP, EnCE, OSCP, CRTP, eCTHPv2, eCPPT, eCIR, LFCS, CEH, SPLK-1002, SC-200, SC-300, AZ-900, AZ-500, VHL:Advanced+
    2023 Cert Goals: SC-100, eCPTX
  • HeroPsycho Inactive Imported Users Posts: 1,940
    Silentsoul wrote: »
    I use a Linksys WRT54GL running DD-WRT and it works great. Lots of features. I also have a PIX firewall I am getting ready to set up since I will be going for my CCNA this year. I see you are going for the Linux+; why not set up a simple server and do something like

    IPCop

    an untangle box
    Untangle

    monowall
    DistroWatch.com: m0n0wall

    or maybe a squid box running iptables.

    Just a couple thoughts. I would like to do an untangle box it's a pretty cool deal.

    I'm gonna be replacing my IPCop setup with this soon:

    Astaro Internet Security - Free Home Use Firewall

    Does far more protection with AV, Antispam, etc.
    Good luck to all!
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    I also picked up an ASA 5505 from Newegg, pretty good value - ended up with an unlimited user bundle very cheap on an open box gamble which I felt comfortable with since I suspect a lot of people buy them not knowing what they are getting into (thinking it's easy as a Linksys to configure).

    My main reasons behind the ASA were partly related to my job as well as my certification goals. Our PIX 506e failed at the office some time ago and I replaced it with an ASA 5510, so the ASA 5505 will give me a good platform to learn a bit more about what we have in the office and how I can better utilize its features without doing the testing on our production environment first. I also plan to go down the Cisco certification path to the CCSP as well, so the ASA might come in handy if I get around to that.

    Currently the ASA is my router/firewall and will probably remain that way. I also have Untangle directly behind that, operating as a bridge. Wireless is provided by a Linksys WAP54G AP running DD-WRT. Untangle is a decent product I think; it has served us well in our branch offices. SuperMicro offers short-depth 1U barebones based off Intel's dual-core Atom CPU. Stick in an 80GB SATA disk and a 2GB stick and you have a 1U Untangle device with two Ethernet interfaces that can handle an office of 50 users easily for about $250.

    Honestly, I would just try a bunch of options with the Linux-based solutions on some inexpensive hardware you might have lying around, just to do it. It's fun to try out and see what the capabilities are. I've tried a handful of solutions and enjoyed messing around with them, like IPCop, Shorewall, Untangle, etc. Do it because it's fun and because you can learn at the same time.

    You mind if I steal your ASA idea? Because my whole thing is I need a solution that will allow me to remote into my home lab and do whatever I plan to do at the moment. I would prefer not to use a client, and also I would prefer to be able to run it off of any port I please.

    I have looked at the ASAs and it is about 350 so maybe after the holidays I'll pick one up.
  • dynamik Banned Posts: 12,312 ■■■■■■■■■□
    HeroPsycho wrote: »
    I'm gonna be replacing my IPCop setup with this soon:

    Astaro Internet Security - Free Home Use Firewall

    Does far more protection with AV, Antispam, etc.

    Astaro is good stuff. Do you still have to pay for the subscriptions (anti-x updates) with the free version?
  • HeroPsycho Inactive Imported Users Posts: 1,940
    Nope, it's all free for the home version, and they just increased the IP limit to 50.
    Good luck to all!
  • Gogousa Member Posts: 68 ■■□□□□□□□□
    I think it all depends on where you want to use it and how serious you want to get. I have always thought that dedicated things are better than general things.
    I'm not against Linux, but why do people always want to solve everything with Linux, for free and using cheap hardware? I know it works because I use it myself, but when we are talking about business I don't recommend Linux; I always recommend dedicated hardware that does what it is supposed to do and with no moving parts. Of course, if we are talking about serious business. - I know Linux fans are gonna love me :) - If it helps, I use Linux for some nice things.
    Not long ago, things were really separated: a firewall was just a firewall, a router was just a router. Today, companies want to sell, so they add parts of the features to one device and they go out to sell it. So, be careful with what the companies are trying to sell.
    I'm not saying that it is bad to have one device that does everything; I'm just saying, be careful and know what you get.
  • chrisone Member Posts: 2,278 ■■■■■■■■■□
    dynamik wrote: »
    Astaro is good stuff. Do you still have to pay for the subscriptions (anti-x updates) with the free version?

    I have to disagree with both of you. I have worked with Astaro firewalls for a year now at a major company and trust me, they suck!

    Even with the latest code and update they always have IPsec tunnel issues. It seemed every other weekend we had to reboot the thing because it kept on getting locked up. We literally called their tech support every month and had a case open for months. We finally got rid of it for dual failover ASA 5540s :) We are a much happier networking team, believe me!

    You cannot program the Astaro firewall with CLI. You will void your license if you break something in CLI. Everything is done on a web-based interface which is mega slow! We constantly got IE errors stating "the website is taking forever to load, click cancel to stop loading or press no to continue waiting!" Seriously, it would take 20 minutes to get something done that would take 5 minutes on an ASA.

    Just pay the extra money to get a Cisco product. Do not suffer the same headaches we and many others did using Astaros, IPCops, Check Points, etc. Astaros are not good for a medium to large size enterprise. No joke and I'm not hating, I'm speaking from real-world experience: do not get an Astaro! You have no idea what kind of pain will be coming your way!
    Certs: CISSP, EnCE, OSCP, CRTP, eCTHPv2, eCPPT, eCIR, LFCS, CEH, SPLK-1002, SC-200, SC-300, AZ-900, AZ-500, VHL:Advanced+
    2023 Cert Goals: SC-100, eCPTX
  • msteinhilber Member Posts: 1,480 ■■■■■■■■□□
    Gogousa wrote: »
    I'm not against Linux, but why do people always want to solve everything with Linux, for free and using cheap hardware? I know it works because I use it myself, but when we are talking about business I don't recommend Linux; I always recommend dedicated hardware that does what it is supposed to do and with no moving parts. Of course, if we are talking about serious business. - I know Linux fans are gonna love me :) - If it helps, I use Linux for some nice things.

    I think it's a common misconception that because someone intends to use a Linux solution that they probably plan to use very cheap hardware. Nothing is wrong with a well implemented solution based on Linux, many commercially available products that fit various needs with network security actually run a Linux kernel. I don't see having dedicated hardware (with or without moving parts) as being any more reliable by default, it all comes down to the quality of the hardware used and if redundancy/failover is available if the need is there.
  • Ahriakin Member Posts: 1,799 ■■■■■■■■□□
    Bear in mind that most Firewall appliances are Linux or open-source OS based, their advantage lies in very experienced vendors being able to run on custom optimized hardware. My point is there is not a huge gap concept wise between open-source solutions and those of the major players, there often is though in execution.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • NightShade03 Member Posts: 1,383 ■■■■■■■□□□
    chrisone wrote: »
    I have to disagree with both of you. I have worked with Astaro firewalls for a year now at a major company and trust me, they suck!

    I'm going to have to agree here. We recently got a trial of their 425 security gateway/web filter and it was a pain. The interface didn't work well, and I got booted from the web portal constantly. I eventually asked one of their engineers to come in and demo how to join it into our domain and setup SSO so I could monitor traffic per user and while showing me the configuration he bridged interfaces with our current gateway and brought down my network (pretty bad for an engineer working on his own product).
    I also will have to agree with others about the ASA over the ISR. We recently just bought 2 ASA 5510 (one for main site and one for DR site). The other branch offices we use the ISR firewall. All in all it works pretty well.
  • Gogousa Member Posts: 68 ■■□□□□□□□□
    I think it's a common misconception that because someone intends to use a Linux solution that they probably plan to use very cheap hardware. Nothing is wrong with a well implemented solution based on Linux, many commercially available products that fit various needs with network security actually run a Linux kernel. I don't see having dedicated hardware (with or without moving parts) as being any more reliable by default, it all comes down to the quality of the hardware used and if redundancy/failover is available if the need is there.

    Don't get me wrong, I'm not saying that Linux doesn't work. I agree with you that Linux on good hardware and well configured is a good product. But not everyone thinks the same way; they just put it on old hardware (because it runs on it) and they just configure it without knowing what they are doing. That is why I recommend using dedicated hardware and software.
    On the moving parts in hardware: I work with really old hardware and it is common to see hardware without moving parts keep working over the years, but it is not the same thing with hardware that has moving parts.

    The older I get, the pickier I get.
  • ilcram19-2 Banned Posts: 436
    Ahriakin wrote: »
    There's a huge amount of traffic sanitation (Protocol compliance, Options filtering, low level packet controls etc.) you can do on an ASA that you can't with the IOS firewall set. If all you want is a simple stateful firewall then CBAC will do the trick, but for corporations go with a dedicated firewall appliance. Also with a router you need to manually protect the control-plane by making sure features that are not hardware accelerated (even if just CEF vs. process switched) are not going to be exploited, the ASA for better or worse is a purely software/cpu driven device so you're not going to miss something falling into a less optimized path - for example you are a lot more likely to cripple a router with a poorly placed ACL log statement than an ASA, now say you have that log statement for a rare traffic type, an attacker manages to capture some of your syslog, works out what is being logged and then hammers your router with it....buh bye (unless of course you have spent time securing the control-plane).

    So you are saying that Cisco adds this other extra cool stuff that would allow for scalability and security for nothing? How many tunnels will you have to create if you are using ASA IPsec capabilities for 5 remote offices and you want inter-connectivity? It will be at least 4 tunnels per ASA. With a router you can easily implement a DMVPN hub and have them create tunnels automatically, not adding that the router will be able to decide either to create a tunnel or go over the mGRE/IPsec already in place; or if you want to kind of centralize things, set up GRE/IPsec tunnels, which to me are encrypted point-to-point connections instead of buying private links. Last year I migrated all the CBAC firewalls to zone-based firewall; this year I will be adding content filtering with Trend Micro to the zone-based firewall. I've dealt with ASAs and they're not worth the money they cost when it comes to what you can do; maybe Cisco needs to go lower on the price. The only time I will use an ASA is if it is free and I put it in as a transparent firewall. I've not been able to enjoy playing with an ASA but I know I'll need one for my CCSP lol. And when it comes to the control plane and securing your router, come on, everyone should know that it is the main thing; securing your device is a default.
  • HeroPsycho Inactive Imported Users Posts: 1,940
    chrisone wrote: »
    I have to disagree with both of you. I have worked with Astaro firewalls for a year now at a major company and trust me, they suck!

    Even with the latest code and update they always have IPsec tunnel issues. It seemed every other weekend we had to reboot the thing because it kept on getting locked up. We literally called their tech support every month and had a case open for months. We finally got rid of it for dual failover ASA 5540s :) We are a much happier networking team, believe me!

    You cannot program the Astaro firewall with CLI. You will void your license if you break something in CLI. Everything is done on a web-based interface which is mega slow! We constantly got IE errors stating "the website is taking forever to load, click cancel to stop loading or press no to continue waiting!" Seriously, it would take 20 minutes to get something done that would take 5 minutes on an ASA.

    Just pay the extra money to get a Cisco product. Do not suffer the same headaches we and many others did using Astaros, IPCops, Check Points, etc. Astaros are not good for a medium to large size enterprise. No joke and I'm not hating, I'm speaking from real-world experience: do not get an Astaro! You have no idea what kind of pain will be coming your way!

    Never had any of these problems, although, to be fair, CLI support is lacking in Astaro.
    Good luck to all!
  • Forsaken_GA Member Posts: 4,024
    I've worked with a number of firewall appliances, and honestly, I don't see the point, save for things like SSL and VPN hardware acceleration. If you're not going to be doing a ton of that, then an appliance type distribution run on commodity hardware will do just fine. (This also applies to load balancers, btw, up to a certain level of traffic). I'm a very big fan of PFSense (except when dealing with VPN, it has some limitations there) and IPCop and Untangle can get the job done as well.