Routers vs. Firewalls

Review of the Basics

We’re often asked at SmallNetBuilder what the advantages are of using a “high-end” or “enterprise” grade firewall, such as a Cisco PIX, Juniper Netscreen, etc., over a consumer-grade router. To get a good start on the subject, let’s review a few basics, the first being NAT.

I’m sure many of you know what NAT (Network Address Translation) is, since it’s a standard feature of routers these days. While sharing your connection to several computers, it also serves as the first line of defense for your LAN from Internet-based exploits.

From the Internet, traffic originating at any of your LAN computers appears to come from the WAN IP address of your router, hiding/masking your internal network. When the requested data is sent back to the originator (your WAN IP address), it is forwarded from the router itself to the LAN client that actually made the request.

NAT is a sufficiently secure method, if you’re not using port forwarding. NAT creates what’s known as a “Black Hole” blocking all inbound requests (Pings, tracerts) as if the IP address didn’t exist. So port scanners and other applications that troll for responses from unsecured services don’t get any indication that there is anyone home, and go on to rattle the next doorknob.

But if you’re forwarding ports using NAT, you then have a path to that computer, which effectively puts you back at square one. To prevent problems here, you then have to install “firewall” software on the PC itself to protect it (or enable Windows’ built-in firewall if you’re using that OS).

SPI (Stateful Packet Inspection), also known as a “Stateful Firewall”, would be the next step up in router security. This is something you now see on virtually every consumer and mid-range router these days, giving you a bit more protection than basic NAT itself. SPI functions by “looking inside” all inbound packets for specific kinds of undesired activity. This adds another layer of protection to people that need to forward ports, because at least some exploits can be detected and blocked.

However, SPI has its drawbacks. Depending on the version, a major one would be its distaste for Microsoft Vista, which uses TCP-Window Scaling for all connections except HTTP. The other major drawback is the limited nature of the SPI actually performed in consumer and mid-grade routers. It typically is very basic and not very up-to-date on the latest exploits.

The next step up in security would be Deep Packet Inspection (DPI). DPI, however, covers many different things, as not only is it a type of security; it can also be a kind of eavesdropping. DPI from a security standpoint combines Intrusion Prevention Service (IPS) and Intrusion Detection System (IDS), which improve upon the SPI technology. DPI, however, isn’t really seen on home/SOHO routers. You have to move up to at least low-end “enterprise” firewalls or “security appliances” to get DPI.

Moving on to firewalls, the first consideration is software vs. hardware. This is subject of major debate, with pros and cons on both sides. A software firewall is a program that runs on your computer, which, at the very least, monitors all network traffic, both inbound and outbound.

The main downside of software firewalls has been experienced by most people who have enabled the Windows Firewall, and then attempted to access networked services on their LAN, such as media, file and print servers. Firewalls usually have to be “trained” or otherwise configured to pass desired services. This is often done by a pop-up asking whether it’s ok to allow a particular communication to occur. Since many users don’t know how to answer the question, they run the risk of allowing a “bad” application access to their computer, or blocking a legitimate application from working.

The other downside of software firewalls is that all (unfiltered) network traffic reaches your computer. So if an exploit is smart enough, it may be able to avoid or disable the firewall that is running as an application or service and do its dirty deed.

A hardware firewall, on the other hand, is a physical box that sits between your network and the Internet. So the “bad” traffic it filters never even touches the reaches the network, let alone the actual computers. There is also no software to slow down your computer, giving you better system performance.

A hardware firewall also won’t interfere with LAN traffic. Its only concern is with the traffic passing through it. Depending on the firewall, however, you could possibly see a reduction in Internet throughput.

So now we get down to the nitty-gritty, why a Firewall over a Router? The biggest advantage is how outgoing traffic is handled in a firewall vs. a low-end router. In routers, it’s assumed that any Internet-bound traffic is ok by default, and it’s freely passed. But in firewalls, traffic in both directions is blocked by default and must be specifically enabled.

This is a big thing for security, because the “allow-by-default” approach taken by consumer routers allows anything on the LAN to communicate to anything on the ‘net. And worms, ‘bots and other nasties depend on that unrestricted access.

One of the biggest security risks when it comes to outgoing connections is Key Loggers (hardcore gamers, take note). One of my recent addictions was to a MMORPG that has a key logger scare one or two times a month. Many people have lost accounts, characters, gear, money, and most of all, time. All of this could have been prevented with a good firewall filtering outgoing traffic.

For small business owners, the “deny-by-default” approach of firewalls also prevents people from doing things they shouldn’t, which could be a security risk. I deal with HIPAA on a daily basis, and so our work network remains locked down, as does my home network. If for some reason confidential data were transmitted without us knowing, or our allowing it, major fines would apply.

So while you might be concerned about undesired traffic getting into your network, you should also seriously think about controlling outgoing traffic. This doesn’t necessarily mean that you need to upgrade to an expensive hardware firewall. Because you can control outbound traffic easily by controlling access to ports using the port filtering feature built into virtually all consumer-grade routers.

Say you don’t want computers 1-5 browsing the web, concerned about slacking. You can add filters blocking port 80 completely, or just allow the computers you want, specific access out over those ports. Even the most basic consumer routers can do this.

But, unfortunately, the feature is known by different names. For example, on the D-Link DGL-4100, 4300 “Gamer” routers, it’s found in the Advanced admin section under “Access Control“. But on the Linksys WRT54G, port filtering is found in the Access Rescrictions section. Both do the same thing, but with different user interfaces.

Making the Choice

So should you get an enterprise-grade firewall, or a consumer router? Well, if you opt for the firewall, you actually might also need a separate router. Enterprise firewalls like the Cisco PIX or Juniper NetScreen series aren’t full-featured routers. They can handle basic routing, but that is not their primary purpose.

You also have to think about ease of use. Ease of use is probably the most important factor that makes or breaks products like this for SOHO/Small Business. Cisco has been fine-tuning its PIX GUI for awhile now, but with no major leaps forward in making it easier to set up.

Firewalls tend to be designed for networking professionals, often with training for the specific product. Most small businesses can’t afford to have people working full-time setting up an infrastructure for three computers, or even to hire “certified” consultants to do it.

Now by saying this, I don’t want to scare people off of buying products like PIXes and NetScreens. But unlike consumer routers, they won’t work out of the box, at least in the sense of plug and play. If you want out, you have to open the ports. It’s all doable, it just takes time and know-how.

I recently purchased a Cisco ASA 5505 for my home network. For some, this would be overkill, but I really value my security. I mainly wanted a security device that allowed good control over outgoing port use. I chose Cisco over Juniper because that’s what I know. And I chose the ASA because of the features it offers over the PIX. (The ASA is built on the PIX system, but with newer security upgrades, as well as a complete VPN overhaul.)

To recap:

  • A normal everyday router, where you just want to be able to share an Internet connection will work perfectly. Just keep your router settings locked down, don’t open any ports and you’ll be fine.
  • For a network that hosts servers that need to be accessed from the Internet (port forwarding) a router with a built-in SPI+NAT-firewall would be better for you. SPI+NAT is available in virtually all consumer routers, so you don’t need to jump up to an “enterprise” router / firewall to get it.
  • Small businesses and really paranoid security types, should definitely consider a low-end “enterprise-grade” firewall for the additional security provided by good outgoing traffic controls.