Networking Q & A: Can a router replace a firewall?

Source: Internet
Author: User
Tags: connection reset

Firewalls have become a key part of enterprise network construction. However, many users think that, since their network already has routers that can implement some simple packet-filtering functions, there is no reason to use a firewall. The following compares a firewall with the most widely used and representative router in the industry in terms of security, and explains why a network still needs a firewall even when it already has routers.
I. The two devices have different backgrounds
1. Different origins
Routers arose from the need to route network packets. What a router must do is route packets between different networks effectively. Why a packet should be routed, whether it ought to be routed at all, and whether anything goes wrong after it has been routed are of no concern to the router; its only concern is whether packets from different network segments can be routed so that the hosts can communicate.
Firewalls arose from people's security requirements. Whether packets arrive correctly, when they arrive and in which direction are not the firewall's focus; its focus is whether a packet (or a sequence of packets) should be allowed through at all, and whether it would cause harm to the network.
2. Different fundamental purposes
The fundamental purpose of a router is to keep the network and its data "accessible".
The fundamental purpose of a firewall is to ensure that any packet that is not explicitly permitted is "inaccessible".
II. Differences in core technology
The core of a Cisco router's ACLs is simple, stateless packet filtering. Firewall technology, in contrast, is built on stateful packet filtering and application-layer flow filtering.
One of the simplest applications: a host on the enterprise intranet provides a service to the intranet through a router (assume the service listens on TCP port 1455). To secure it, the router is configured to permit only the client to access TCP port 1455 of the server.
With this configuration, the security vulnerabilities are as follows:
1. IP address spoofing (abnormal connection reset)
2. TCP spoofing (session replay and hijacking)
These risks arise because the router cannot track TCP state. If a firewall is placed between the client and the router on the intranet, the firewall can track TCP state and randomize TCP sequence numbers, which eliminates this vulnerability completely. At the same time, the firewall's one-time-password client authentication can implement user access control while remaining completely transparent to the application. Its authentication supports the standard RADIUS protocol as well as a local authentication database, so it can fully interoperate with third-party authentication servers and supports separation of user roles.
Although a router's "Lock-and-Key" feature can authenticate users through dynamic access control lists, the router must then offer the Telnet service and users must Telnet to the router before they can use it, which is both inconvenient and insecure (an open port gives attackers an opportunity).
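To make the difference between the two filtering models concrete, here is an added example that is not part of the original article: a Python model of the stateless router ACL described above beside a minimal stateful inspection engine, both run over a constructed packet trace for the TCP 1455 service. The addresses, port numbers, sequence numbers and the packet trace are constructed for the demo; the `Packet` and `Conn` dataclasses, the `StatefulFirewall` class and the `run_trace` function are hypothetical, and the TCP state machine is deliberately simplified (no FIN handling, no payload accounting, no sequence-number wraparound, a fixed window).

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple
import secrets

CLIENT, SERVER, ATTACKER = "10.0.0.10", "10.0.1.20", "10.0.0.99"  # constructed addresses
SERVICE_PORT = 1455                                                 # port from the article
WINDOW = 65535                                                       # assumed receive window


@dataclass
class Packet:
    src: str            # only the TCP/IP header fields the two filters look at
    dst: str
    sport: int
    dport: int
    flags: str          # "S", "SA", "A", "PA" or "R"
    seq: int
    ack: int = 0


def stateless_acl(pkt: Packet) -> bool:
    """Router-style ACL: permit CLIENT -> SERVER:1455 and the reverse direction for
    replies. Each packet is judged on its own header, with no memory of earlier ones."""
    if pkt.src == CLIENT and pkt.dst == SERVER and pkt.dport == SERVICE_PORT:
        return True
    if pkt.src == SERVER and pkt.dst == CLIENT and pkt.sport == SERVICE_PORT:
        return True
    return False


@dataclass
class Conn:
    state: str                                              # SYN_SENT, SYN_RECV, ESTABLISHED
    next_seq: Dict[str, int] = field(default_factory=dict)  # expected next seq per sender


class StatefulFirewall:
    """Tracks connections in a table keyed by the initiator's 4-tuple and accepts only
    packets that fit the handshake state and the expected sequence window."""

    def __init__(self) -> None:
        self.table: Dict[Tuple[str, int, str, int], Conn] = {}

    def filter(self, pkt: Packet) -> bool:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        key = fwd if fwd in self.table else rev
        conn = self.table.get(key)
        if conn is None:
            # Only a SYN that the policy permits may open new state.
            if pkt.flags == "S" and stateless_acl(pkt):
                self.table[fwd] = Conn("SYN_SENT", {pkt.src: pkt.seq + 1})
                return True
            return False
        # Fast path: a tracked connection is judged from its state, not the rule list.
        if conn.state == "SYN_SENT":
            if pkt.flags == "SA" and key == rev and pkt.ack == conn.next_seq[pkt.dst]:
                conn.next_seq[pkt.src] = pkt.seq + 1
                conn.state = "SYN_RECV"
                return True
            return False
        if conn.state == "SYN_RECV":
            if (pkt.flags == "A" and key == fwd
                    and pkt.seq == conn.next_seq[pkt.src]
                    and pkt.ack == conn.next_seq[pkt.dst]):
                conn.state = "ESTABLISHED"
                return True
            return False
        # ESTABLISHED: the sequence number must fall inside the window expected from
        # this sender; a forged packet carrying a guessed number lands outside it.
        expected = conn.next_seq.get(pkt.src)
        if expected is None or not 0 <= pkt.seq - expected < WINDOW:
            return False
        if pkt.flags == "R":
            del self.table[key]   # an in-window reset legitimately closes the connection
        return True


def random_isn() -> int:
    """Initial sequence number drawn from the full 32-bit space, as a hardened stack or
    an ISN-randomizing firewall does, so that it cannot be predicted."""
    return secrets.randbelow(2 ** 32)


def run_trace(c_isn: int = 1_000_000, s_isn: int = 2_000_000) -> Dict[str, Tuple[bool, bool]]:
    """Constructed trace: a legitimate handshake, then forged packets. Returns
    {packet name: (router ACL verdict, stateful firewall verdict)}. The ISNs default to
    fixed values so the result is reproducible; pass random_isn() for realistic ones."""
    cport = 40001
    fw = StatefulFirewall()
    trace = [
        ("client SYN",        Packet(CLIENT, SERVER, cport, SERVICE_PORT, "S", c_isn)),
        ("server SYN-ACK",    Packet(SERVER, CLIENT, SERVICE_PORT, cport, "SA", s_isn, c_isn + 1)),
        ("client ACK",        Packet(CLIENT, SERVER, cport, SERVICE_PORT, "A", c_isn + 1, s_isn + 1)),
        ("client data",       Packet(CLIENT, SERVER, cport, SERVICE_PORT, "PA", c_isn + 1, s_isn + 1)),
        # Source address forged as the client, sequence number merely guessed (constructed).
        ("forged RST",        Packet(CLIENT, SERVER, cport, SERVICE_PORT, "R", 123456)),
        # Looks like a server reply, but no handshake ever happened on this client port.
        ("unsolicited reply", Packet(SERVER, CLIENT, SERVICE_PORT, 40002, "PA", 777)),
        # Sent from a third host's own address: both filters reject it.
        ("third host SYN",    Packet(ATTACKER, SERVER, 5555, SERVICE_PORT, "S", 1)),
    ]
    return {name: (stateless_acl(pkt), fw.filter(pkt)) for name, pkt in trace}


if __name__ == "__main__":
    for name, (acl_ok, fw_ok) in run_trace().items():
        print(f"{name:18} router ACL: {'pass' if acl_ok else 'drop':4}  "
              f"stateful firewall: {'pass' if fw_ok else 'drop'}")
```

The stateless ACL passes both the forged reset and the unsolicited "reply" because, judged header by header, they match the permitted address and port pattern; the stateful engine drops both, one because no handshake ever opened state on that port and the other because its guessed sequence number is outside the window of the real connection. That window check is also what makes sequence-number randomization effective: a forged packet has to hit a 32-bit value within a few tens of thousands of the one the real connection is using. Note too that packets of a tracked connection take the fast path through the connection table and never revisit the rule list, which is why rule count barely affects a stateful device's throughput.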

III. Complexity of security policy formulation
The default configuration of a router does not take security sufficiently into account; advanced configuration is required to prevent attacks. Most security policies are written on the command line, so formulating security rules is relatively complex and the probability of configuration errors is high.
The default configuration of a firewall not only prevents various attacks but also ensures security. Its security policy is managed through a graphical, Chinese-language management tool, so policies are user-friendly, configuration is simple and the error rate is low.
IV. Different effects on performance
A router is designed to forward packets, not to serve as a full-featured firewall. When it is used for packet filtering, the computational load is very heavy and the router's CPU and memory utilization both become very high; because router hardware is relatively expensive, this approach is costly.
A firewall, by contrast, has a high hardware specification (general-purpose Intel processors, which give high performance at low cost), and its software is specifically optimized for packet filtering, with its main modules running in the operating system's kernel mode. Security is given special consideration at design time, so its packet-filtering performance is very high.
Because a router performs simple packet filtering, its performance degrades as the number of packet-filtering rules and NAT rules grows. Because a firewall performs stateful packet filtering, the number of rules and NAT rules has a performance impact close to zero.
V. Major differences in audit functions
A router has no storage medium of its own for logs and events; it can only store them by sending them to external log servers (via syslog or SNMP traps). The router also has no audit analysis tool of its own, and its logs and events are written in a form that is not easy to understand. The router's information on security events such as attacks is incomplete: for many attacks, scans and similar activity it cannot generate accurate and timely events. This weak audit function prevents administrators from responding to security events promptly and accurately.
VI. Different attack defense capabilities
For a router such as a Cisco, the standard IOS image has no application-layer protection and no real-time intrusion detection. If these functions are required, IOS must be upgraded to the firewall feature set. In that case one not only pays for the software upgrade but must also upgrade the hardware, because these functions require a large amount of computation, so the cost rises further; and routers from many manufacturers have no such advanced security features at all. We can conclude that:
· Cost of a router with the firewall feature set > firewall + router
· Functionality of a router with the firewall feature set < firewall + router
· Scalability of a router with the firewall feature set < firewall + router
In conclusion, whether a user should deploy a firewall is not determined by how simple or complex the network topology is or how demanding the applications are; the fundamental condition is the user's need for network security!
Even if the user's network topology and applications are very simple, a firewall is still necessary; if the environment and applications are complex, the firewall brings even more benefits. The firewall will be an indispensable part of network construction. In a typical network, the router is the first line of defense protecting the intranet, and the firewall is the second and most rigorous gateway.