Routers vs Firewalls - 'in a nutshell' type of question...

JohnnyBiggles

Is it safe to say.. in a nutshell.. that a firewall is basically a router with an extensive set of access-lists? How much different, really, is a firewall from a layer 3 device capable of access-lists & VLANs to control traffic (aside from packet analysis/inspection tools such as utilities that analyze the content of web based traffic)? If you're a whiz at configuring complex or even basic access-lists and utilizing the port and device security commands, couldn't that be as or even more effective as a security device?

docrice

There's some overlap at a basic level between a router and what's generally considered a "firewall." They both generally filter, NAT, and move packets from one interface to another.

The immediate difference though is that router ACLs are generally stateless when inspecting traffic flow, although with the right software they can be made stateful. Furthermore, the primary function of routers is to route, handling complex routing via OSPF, BGP, etc. and finding the best path to the next hop for packets.

Firewalls can potentially handle routing protocols as well. However, firewalls are generally designed differently architecturally / internally than routers. Whereas routers place emphasis on packet routing, firewalls are about enforcing a security policy and preventing traffic from moving between interfaces using a "zoning" concept, essentially separating different groups of networks into trust levels.

Stateful inspection ACLs (meaning that if a TCP SYN packet comes in one interface and the access-list / policy configuration allows it to leave out another, the firewall will temporarily record this session into memory and allow the corresponding SYN-ACK to come back via this second interface without having to inspect the ACL that may be on that interface) will scrutinize things like the TCP sequence / acknowledge numbers, remember the "state" for stateless protocols like UDP and ICMP, perform some / a lot of application level inspection which is useful for understanding protocols which dynamically negotiate a high port within the session (think active or passive FTP, for example), look for common attack traffic patterns like port scans, etc..

The newer firewalls which can apply traffic policy based on application (HTTP, HTTP-based apps, SIP, vendor-specific protocols, etc. regardless of the port used such as web traffic over port 7000) are an additional enforcement capability to the security policy beyond traditional stateful inspection. If it's a multi-function firewall (some use the marketing term "unified threat management" / UTM) it may contain additional abilities like IPS, anti-virus, basic data loss prevention inspection, and SSL decryption (these functions come at a processing cost to the overall throughput, naturally).

In other words, firewalls perform a lot of inspection compared to a router. While stateless router ACLs are fine for basic filtering, it's also relatively limited and also next-to-impossible when dealing with protocols which negotiate unexpected ports. If you look at the "established" keyword for an extended ACL on a Cisco router, you'll notice that it's basically a hack to get the router to understand "return traffic." The problem here is that all this keyword does is make the router look for the presence of TCP ACKs and FINs and allows it through. If someone were to spoof traffic for recon, someone can "initiate" traffic from the outside with weird TCP flag / control bit settings and hit internal hosts, hoping for a RST or some other response. Firewalls are supposed to prevent that by design.

Cisco routers are generally equipped with standard and extended ACL capabilities. These are stateless. You could also use reflexive ACLs which are stateful, but they're not stateful inspection. Reflexive ACLs are really cumbersome though because you have to create two ACLs - one for the traffic ingressing to an interface and specifying which sessions to track via the "reflect" keyword, and then another corresponding ACL allowing the return traffic via the "evaluate" keyword. Not exactly intuitive, and it doesn't perform any application inspection either.

Since you have your CCNA Security, you no doubt know that Cisco routers with the right software can become full stateful inspection with CBAC or zone-based firewalling. I generally don't see these used in the field though as most people seem to go to purpose-built appliances like an ASA (or insert your favorite vendor here). At its core, firewalls are built to have the type of resilience for handling protocol attacks while routers are more geared towards handling large routing tables and getting packets to their destination. I'm assuming this means that any ASICs within these devices (if any) are written specifically for their respective needs.