SmallNetBuilder - Small Network Help

  
Routers vs. Firewalls
Brandon Hogue   
March 07, 2008

Firewalls vs. Routers

So now we get down to the nitty-gritty: why a firewall over a router? The biggest advantage is how outgoing traffic is handled in a firewall vs. a low-end router. In routers, it's assumed that any Internet-bound traffic is OK by default, and it's freely passed. But in firewalls, traffic in both directions is blocked by default and must be specifically enabled.

This is a big thing for security, because the "allow-by-default" approach taken by consumer routers allows anything on the LAN to communicate to anything on the 'net. And worms, 'bots and other nasties depend on that unrestricted access.

One of the biggest security risks when it comes to outgoing connections is key loggers (hardcore gamers, take note). One of my recent addictions was to an MMORPG that has a key logger scare one or two times a month. Many people have lost accounts, characters, gear, money, and most of all, time. All of this could have been prevented with a good firewall filtering outgoing traffic.

For small business owners, the "deny-by-default" approach of firewalls also prevents people from doing things they shouldn't, which could be a security risk. I deal with HIPAA on a daily basis, and so our work network remains locked down, as does my home network. If for some reason confidential data were transmitted without us knowing, or our allowing it, major fines would apply.

So while you might be concerned about undesired traffic getting into your network, you should also seriously think about controlling outgoing traffic. This doesn't necessarily mean that you need to upgrade to an expensive hardware firewall, because you can control outbound traffic easily by controlling access to ports using the port filtering feature built into virtually all consumer-grade routers.

Say you don't want computers 1-5 browsing the web because you're concerned about slacking. You can add filters blocking port 80 completely, or allow only the computers you choose specific access out over those ports. Even the most basic consumer routers can do this.

Unfortunately, the feature is known by different names. For example, on the D-Link DGL-4100 and 4300 "Gamer" routers, it's found in the Advanced admin section under "Access Control". But on the Linksys WRT54G, port filtering is found in the Access Restrictions section. Both do the same thing, but with different user interfaces.
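
The two defaults and the per-computer port 80 filter described above, as an added example that is not from the original article: a first-match rule evaluator run over constructed outbound connections. The LAN addressing, the .101-.105 addresses for "computers 1-5" and the firewall's allow list are assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    src: str      # source network in CIDR form
    proto: str    # "tcp", "udp" or "any"
    ports: range  # destination ports covered by the rule

    def matches(self, src_ip, proto, dport):
        in_net = ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
        return in_net and self.proto in ("any", proto) and dport in self.ports

def evaluate(rules, default, src_ip, proto, dport):
    """First matching rule wins; unmatched traffic gets the default policy."""
    for rule in rules:
        if rule.matches(src_ip, proto, dport):
            return rule.action
    return default

LAN = "192.168.1.0/24"  # assumed LAN addressing
# "Computers 1-5" from the text, assumed to sit at .101-.105: no web on port 80.
NO_WEB = [Rule("deny", f"192.168.1.{n}/32", "tcp", range(80, 81))
          for n in range(101, 106)]

# Consumer router: the port filter is the only rule, everything else goes out.
ROUTER = (NO_WEB, "allow")
# Firewall: same filter, then an explicit allow list, everything else dropped.
FIREWALL = (NO_WEB + [
    Rule("allow", LAN, "udp", range(53, 54)),    # DNS
    Rule("allow", LAN, "tcp", range(80, 81)),    # HTTP
    Rule("allow", LAN, "tcp", range(443, 444)),  # HTTPS
], "deny")

# Constructed outbound connection attempts: (source, protocol, destination port).
TRAFFIC = [
    ("192.168.1.110", "udp", 53),    # name lookup
    ("192.168.1.110", "tcp", 443),   # ordinary HTTPS browsing
    ("192.168.1.102", "tcp", 80),    # filtered computer trying to browse
    ("192.168.1.110", "tcp", 6667),  # program using a port nobody approved
]

def verdicts(policy, traffic=TRAFFIC):
    """Verdict per flow for a (rules, default) policy."""
    return [evaluate(*policy, *flow) for flow in traffic]

def only_firewall_blocks(traffic=TRAFFIC):
    """Flows the allow-by-default router passes but the firewall drops."""
    pairs = zip(traffic, verdicts(ROUTER, traffic), verdicts(FIREWALL, traffic))
    return [flow for flow, r, f in pairs if r == "allow" and f == "deny"]
```

Deny-by-default blocks only what was never allowed: the filtered computers can still reach port 443 here, and anything sent to an allowed port passes both devices.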

Making the Choice

So should you get an enterprise-grade firewall, or a consumer router? Well, if you opt for the firewall, you actually might also need a separate router. Enterprise firewalls like the Cisco PIX or Juniper NetScreen series aren't full-featured routers. They can handle basic routing, but that is not their primary purpose.

You also have to think about ease of use. Ease of use is probably the most important factor that makes or breaks products like this for SOHO/Small Business. Cisco has been fine-tuning its PIX GUI for a while now, but with no major leaps forward in making it easier to set up.

Firewalls tend to be designed for networking professionals, often with training for the specific product. Most small businesses can't afford to have people working full-time setting up an infrastructure for three computers, or even to hire "certified" consultants to do it.

Now by saying this, I don't want to scare people off of buying products like PIXes and NetScreens. But unlike consumer routers, they won't work out of the box, at least in the sense of plug and play. If you want out, you have to open the ports. It's all doable, it just takes time and know-how.

I recently purchased a Cisco ASA 5505 for my home network. For some, this would be overkill, but I really value my security. I mainly wanted a security device that allowed good control over outgoing port use. I chose Cisco over Juniper because that's what I know. And I chose the ASA because of the features it offers over the PIX. (The ASA is built on the PIX system, but with newer security upgrades, as well as a complete VPN overhaul.)

To recap:

  • If you just want to be able to share an Internet connection, a normal everyday router will work perfectly. Just keep your router settings locked down, don't open any ports and you'll be fine.
  • For a network that hosts servers that need to be accessed from the Internet (port forwarding), a router with a built-in SPI+NAT firewall would be better for you. SPI+NAT is available in virtually all consumer routers, so you don't need to jump up to an "enterprise" router / firewall to get it.
  • Small businesses and really paranoid security types should definitely consider a low-end "enterprise-grade" firewall for the additional security provided by good outgoing traffic controls.

