We’re often asked at SmallNetBuilder what the advantages are of using a “high-end” or “enterprise” grade firewall<\/a>, such as a Cisco PIX, Juniper Netscreen, etc., over a consumer-grade router. To get a good start on the subject, let’s review a few basics, the first being NAT.<\/p>\n I’m sure many of you know what NAT<\/strong> (Network Address Translation) is, since it’s a standard feature of routers these days. While sharing your connection to several computers<\/a>, it also serves as the first line of defense for your LAN from Internet-based exploits.<\/p>\n From the Internet, traffic originating at any of your LAN computers appears to come from the WAN IP address of your router, hiding\/masking your internal network. When the requested data is sent back to the originator (your WAN IP address), it is forwarded from the router itself to the LAN client that actually made the request.<\/p>\n NAT is a sufficiently secure method, if you’re not using port forwarding. NAT creates what’s known as a “Black Hole” blocking all inbound requests (Pings, tracerts) as if the IP address didn’t exist. So port scanners and other applications that troll for responses from unsecured services don’t get any indication that there is anyone home, and go on to rattle the next doorknob.<\/p>\n But if you’re forwarding ports using NAT, you then have a path to that computer<\/a>, which effectively puts you back at square one. To prevent problems here, you then have to install “firewall” software on the PC itself to protect it (or enable Windows’ built-in firewall if you’re using that OS).<\/p>\n SPI<\/strong> (Stateful Packet Inspection), also known as a “Stateful Firewall”, would be the next step up in router security. This is something you now see on virtually every consumer and mid-range router these days, giving you a bit more protection than basic NAT itself. SPI functions by “looking inside” all inbound packets for specific kinds of undesired activity. This adds another layer of protection to people that need to forward ports, because at least some<\/em> exploits can be detected and blocked.<\/p>\n However, SPI has its drawbacks. Depending on the version, a major one would be its distaste for Microsoft Vista, which uses TCP-Window Scaling<\/a> for all connections except HTTP. The other major drawback is the limited nature of the SPI actually performed in consumer and mid-grade routers. It typically is very basic and not very up-to-date on the latest exploits.<\/p>\n The next step up in security would be Deep Packet Inspection<\/strong> (DPI). DPI, however, covers many different things, as not only is it a type of security; it can also be a kind of eavesdropping. DPI from a security standpoint combines Intrusion Prevention Service<\/strong> (IPS) and Intrusion Detection System<\/strong> (IDS), which improve upon the SPI technology<\/a>. DPI, however, isn’t really seen on home\/SOHO routers. You have to move up to at least low-end “enterprise” firewalls or “security appliances” to get DPI.<\/p>\n Moving on to firewalls<\/strong>, the first consideration is software vs. hardware. This is subject of major debate, with pros and cons on both sides. A software firewall is a program that runs on your computer, which, at the very least, monitors all<\/em> network traffic, both inbound and outbound.<\/p>\n The main downside of software firewalls<\/strong> has been experienced by most people who have enabled the Windows Firewall, and then attempted to access networked services on their LAN, such as media, file and print servers. Firewalls usually have to be “trained” or otherwise configured to pass desired<\/em> services. This is often done by a pop-up asking whether it’s ok to allow a particular communication to occur. Since many users don’t know how to answer the question, they run the risk of allowing a “bad” application access to their computer, or blocking a legitimate application from working.<\/p>\n The other downside of software firewalls is that all<\/em> (unfiltered) network traffic reaches your computer. So if an exploit is smart enough, it may be able to avoid or disable the firewall that is running as an application or service and do its dirty deed.<\/p>\n A hardware firewall<\/strong>, on the other hand, is a physical box that sits between your network and the Internet. So the “bad” traffic it filters never even touches the reaches the network, let alone the actual computers. There is also no software to slow down your computer, giving you better system performance.<\/p>\n A hardware firewall also won’t interfere with LAN traffic. Its only concern is with the traffic passing through it. Depending on the firewall, however, you could possibly see a reduction in Internet throughput.<\/p>\n So now we get down to the nitty-gritty, why a Firewall over a Router? The biggest advantage is how outgoing traffic is handled in a firewall vs. a low-end router. In routers, it’s assumed that any Internet-bound traffic is ok by default, and it’s freely passed. But in firewalls<\/a>, traffic in both directions is blocked<\/em> by default and must be specifically enabled.<\/p>\n This is a big thing for security, because the “allow-by-default” approach taken by consumer routers allows anything on the LAN to communicate to anything on the ‘net. And worms, ‘bots and other nasties depend on that unrestricted access.<\/p>\n One of the biggest security risks when it comes to outgoing connections is Key Loggers (hardcore gamers, take note). One of my recent addictions was to a MMORPG that has a key logger scare one or two times a month. Many people have lost accounts, characters, gear, money, and most of all, time. All of this could have been prevented with a good firewall<\/a> filtering outgoing traffic.<\/p>\n For small business owners, the “deny-by-default” approach of firewalls also prevents people from doing things they shouldn’t, which could be a security risk. I deal with HIPAA on a daily basis, and so our work network remains locked down, as does my home network. If for some reason confidential data were transmitted without us knowing, or our allowing it, major fines would apply.<\/p>\n