Firewall and Router
 

Hi! I'm just wondering what really is the difference between a router and a firewall? I've been using IPCop for years and I can compare it with most of the commercial NAT routers. It can also do route, DHCP, etc. Can we say that the NAT router can also act as a firewall (or firewall is just a marketing word)? How about linux? Since linux can also do routes and stateful packet inspection using iptables, is it also safe to say that any linux box can act as a firewall and router at the same time? Thanks.

A router and firewall are two separate concepts, it just so happens that most routers also contain firewalls.

All a router does is join dissimilar networks to each other, acting as a bridge to connect between them. This allows, for example, the computers in your internal network to connect to hosts on the Internet. The router translates between the two networks seamlessly, even though they are very different.

On the other hand, a firewall simply allows or disallows network traffic based on pre-determined criteria or rules (destination IP, destination port, protocol, etc, etc).

These two concepts are combined to create the consumer level routers that most people are accustomed with (and in fact, usually a third and fourth device is combined with them as well; a switch and WiFi AP, respectively).

As for a Linux machine being able to act as a router and firewall, it most certainly can, and often does. That is exactly what IPCop is, a Linux distribution designed to operate as a secure firewall and routing device.

How true is it that most commercial routers including Ciscos and Nortels' core OS is linux? Is it more practical to use a hardware based firewall like the Cisco ASA or just configure a Linux box to allow and disallow network traffic? I've been arguing with a friend of mine and I told him that IPCop is also a hardware-based firewall. He said that its only a software firewall. I told him that software firewalls includes that of ZoneAlarm and Norton. I also told him that IPCop firewall is designed to be a hardware firewall. What can you say about this?

I have never used a Cisco router than ran Linux, nor have I ever heard of one. All of the ones I am aware of use IOS, which is a proprietary Cisco OS. Though I am not a Cisco man myself, so it is possible that they do have a Linux product line available that I have just not heard of.

As for what is more practical, I think that is a rather obvious question. If the choice is between paying thousands of dollars for a Cisco router or installing IPCop on an outdated workstation, it seems to be a no-brainer for the small network administrator. IPCop can easily handle the demands for a home or office network, and I have even employed similar software (SmoothWall at the time) on a relatively large scale (100+ clients) and had no problems at all.

Now, the line between hardware and software firewalls/routers is a little bit blurred. The Cisco machines are in essence small computers, the IOS can be updated and replaced, and IOS itself contains various programs that make it a fully functional OS (albeit completely geared towards a single task). A Cisco router running IOS is really not much different than a computer running IPCop, so I would have to say they both fall into the hardware category.

Programs like ZoneAlarm, which simply run on top of the existing OS as an application, are certainly software based. The difference is that while IPCop is software, it is focused at every level to complete a single task, rather than just being a program running on a stock operating system. But I think this is probably up to interpretation.

high end hardware firewalls, e.g Cisco ASA's contain very specialised hardware designed from the ground up for a single task. the architecture of the systems is designed for a single goal, and as such data flows and processes are geared to ensure that is done to the best it can be. in firewalls specifically, this is for security, so data is moved about in ways that are architecturally secure using often very different techniques than conventional CISC based platforms like you're running with IPCop. whilst yes those ipcop boxes contain vastly less, put through vastly more data, and ostensibly provide the same sort of security, the way the data is treated on the inside is very different, and make netadmin's sleep much better at night.

another key aspect to all of this is the functional roles of devices. whilst you could run everything on one intel based platform it's really really bad design, and any self respecting business will use the right tool for each job, not look to combine things to save money, as there is implicitly a compromise in many other areas, if primarily on paper.

Cisco devices do not run Linux. they do have a heavily modified UNIX file subsystem but it's not Linux, and never will be.

where i work, our most expensive bits of network gear are 4 F5 Networks LTM 6400's. these cost about £50k a pop list price, and they do some awesome, awesome things right at the heart of our data network. they are phsyically quad core x86 platforms, running a redhat derivative, and for load balancing and screwing about with tcp connections they are the absolute dogs... but they aren't a firewall and whilst they have heuristic "security" modules wanting to expose them to internet traffic is still a really dumb idea, and i'd be holding my breath as i left the office each day. a pair of decent hardware Cisco and Checkpoint firewalls in front of them, i'm happy that they'll be ok.

Thanks acid_kewpie. Nice to hear from you again. So you are saying that IPCop and customized linux firewall could not be compared with Cisco Pix/ASAs? What would be your suggestion? Is it really safe to use a linux firewall on a corporate environment or just spend MUCH money and buy stuffs that will give you the protection. IPCop seems nice and user-friendly but I haven't heard of it being compromised badly. I also haven't heard of anyone configured IPCop to run as a firewall on corporate environment. On a gateway i think.

I'll say that my first hand knowledge and understanding on the real low level stuff i'm listing isn't as much as the accepted best practises / white paper side of things. coupled with that i've a postition where i'm an absolute linux zealot saying that you should give your money to a global conglomerate instead of the open source community, also odd. one thing Cisco will say is that cisco aren't a hardware company, they are a software company. they don't make firewall hardware, they develop the IOS code that runs upon it and such, and simply ask someone else to build a physical platform and then ship it. so where they are providing their good stuff, is code coded by smart guys, just like netfilter and co are software written by smart guys, but with sandals on.

in line with this though, the ethos that a device is as secure as the weakest link is going to hold true, and in the case of ipcop, ipcop's management framework is likely to be the weak point in a normal solution, and the netfilter subsystem isn't. remove that middleware and you're left with you vs netfilter, and on average it'll be you who "loses". the more you know about netfilter directly, then better and more secure your system is going to be. in a similar vein, i *never* use any of Cisco's crude web interfaces that the lesser skilled users tend to demand with their money.

Thanks acid_kewpie. Very well said. I think I need to study and go deeper into netfilter. Thanks a lot.