sunhux

asked on
Why can't L3 Cisco switches (with ACLs) replace firewalls

This is a very basic question:

Instead of buying firewalls (e.g. Checkpoint, Netscreen, ASA),
can we just buy Cisco switches & implement ACLs?

Unless they're application firewalls (which inspect the content),
I thought hardware firewalls (e.g. Checkpoint, Netscreen) block &
permit by ports, which is what ACLs are doing too?? Yes or no?

So in what ways are those dedicated firewalls (Checkpoint, Netscreen)
more secure than L3 ACLs?
SOLUTION
bill_lynch

SOLUTION
Sanga Collins

SOLUTION

SOLUTION

SOLUTION

One minor thing comes to mind: I have an Extreme Summit 48i somewhere, and I think that box can actually do NAT... :)
sunhux

ASKER

Ok, I should be comparing between a router & a firewall.

If I'm not mistaken a Cisco router can do NAT.  Suppose
I don't need VPN, then what's the difference between
stateful & stateless inspection?

I heard that even stateful firewalls are not effective enough
(there's a way that a sysadmin/internal staff member can permit
 outsiders to come in using this WebEx tool via the usual
 HTTP / TCP 80 which most firewalls permit).

Also to prevent more advanced hacking (URL scan or
cross-site scripting, SQL injection), stateful firewalls
(like ASA, Netscreen) are not enough & we'll need
Application firewalls such as modsecurity which can
do content inspection & generic denial of possible
attacks, blacklisting or greylisting : does ASA or
Netscreen or Checkpoint help with these?

Some time back, I heard someone saying the old
discontinued Cyberguard firewall is an application
firewall (i.e. even if Cyberguard permits HTTP TCP 80,
WebEx can't go through via TCP 80): is this true, or is that
guy saying this to promote Cyberguard?
sunhux

ASKER

Just to rephrase:

>then what's the difference between stateful & stateless inspection?
or rather what makes a stateful firewall more secure than a stateless router?
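As an added illustration that is not part of this thread, the following Python model (written for this page, not code from Cisco, Checkpoint or any other product mentioned) contrasts the port-based L3 ACL asked about in the original question with the stateful inspection asked about here. All addresses, ports and packets are constructed samples; the stateless rule mirrors the documented meaning of the IOS `established` keyword (match any TCP segment with ACK or RST set), but both models are deliberately simplified.

```python
# Added example (not from the Experts Exchange thread): a toy model of a
# stateless router ACL versus a stateful firewall, to show why "permit by
# port" on a router is weaker than stateful inspection.
from dataclasses import dataclass

# Constructed sample address space for the "inside" network.
INSIDE_PREFIX = "10.0.0."


def is_inside(ip: str) -> bool:
    """True for addresses on the constructed inside network."""
    return ip.startswith(INSIDE_PREFIX)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # TCP SYN flag
    ack: bool = False  # TCP ACK flag
    rst: bool = False  # TCP RST flag


def stateless_allow(pkt: Packet) -> bool:
    """Stateless ACL, roughly 'permit tcp any any established' on the outside
    interface plus a permit for everything outbound.  The IOS 'established'
    keyword matches any TCP segment with ACK or RST set; the router keeps no
    memory of which connections the inside actually opened."""
    if is_inside(pkt.src):
        return True            # outbound traffic from inside is permitted
    return pkt.ack or pkt.rst  # inbound: flag bits are all the ACL can check


class StatefulFirewall:
    """Stateful inspection: remember flows the inside opened, and only let
    inbound segments through when they belong to a remembered flow."""

    def __init__(self) -> None:
        self.flows: set[tuple[str, int, str, int]] = set()

    def allow(self, pkt: Packet) -> bool:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if is_inside(pkt.src):
            if pkt.syn and not pkt.ack:    # new connection from inside
                self.flows.add(fwd)
                return True
            return fwd in self.flows       # later outbound segments
        return rev in self.flows           # inbound: must match a tracked flow


# Constructed packets (documentation address ranges): an inside host opens a
# web connection, the server replies, then an outside host sends first a
# plain SYN and then an unsolicited segment with only the ACK bit set.
OUTBOUND_SYN = Packet("10.0.0.5", 51000, "203.0.113.10", 80, syn=True)
SERVER_REPLY = Packet("203.0.113.10", 80, "10.0.0.5", 51000, syn=True, ack=True)
INBOUND_SYN = Packet("198.51.100.7", 4444, "10.0.0.5", 445, syn=True)
UNSOLICITED_ACK = Packet("198.51.100.7", 4444, "10.0.0.5", 445, ack=True)


def compare() -> dict[str, tuple[bool, bool]]:
    """Run the sample packets through both models, in order.
    Returns {name: (stateless_decision, stateful_decision)}."""
    fw = StatefulFirewall()
    results = {}
    for name, pkt in [("outbound_syn", OUTBOUND_SYN),
                      ("server_reply", SERVER_REPLY),
                      ("inbound_syn", INBOUND_SYN),
                      ("unsolicited_ack", UNSOLICITED_ACK)]:
        results[name] = (stateless_allow(pkt), fw.allow(pkt))
    return results


if __name__ == "__main__":
    for name, (stateless, stateful) in compare().items():
        print(f"{name:16} stateless={stateless!s:5} stateful={stateful!s:5}")
```

The first three rows come out the same in both models; the last row is the difference the question is about. A stateless ACL can only judge an inbound segment by its header fields, so a segment that merely carries the ACK bit passes the `established` rule, while the stateful firewall accepts only replies to connections the inside actually opened. Neither model looks at payload, so this says nothing about application-layer traffic (such as WebEx tunnelled over TCP 80), which needs content inspection rather than either of these.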
SOLUTION

ASKER CERTIFIED SOLUTION