sunhux
asked on
Why can't L3 Cisco switches (with ACLs) replace firewalls
This is a very basic question:
Instead of buying firewalls (eg: Checkpoint, Netscreen, ASA),
can we just buy Cisco switches & implement ACLs?
Unless they're application firewalls (which inspect the content),
I thought hardware firewalls (eg: Checkpoint, Netscreen) block &
permit by ports, which is what ACLs are doing too?? Yes or No?
So in what ways are those dedicated firewalls (Checkpoint, Netscreen)
more secure than L3 ACLs?
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
One minor thing comes to mind: I have an Extreme Summit 48i somewhere, and I think that box can actually do NAT... :)
ASKER
Ok, I should be comparing between a router & a firewall.
If I'm not mistaken a Cisco router can do NAT. Suppose
I don't need VPN, then what's the difference between
stateful & stateless inspection?
I heard that even stateful firewalls are not effective enough
(there's a way that sysadmin/internal staff can permit an
outsider to come in using this WebEx tool via the usual
HTTP / TCP 80 which most firewalls permit).
Also, to prevent more advanced hacking (URL scan or
cross-site scripting, SQL injection), stateful firewalls
(like ASA, Netscreen) are not enough & we'll need
application firewalls such as ModSecurity which can
do content inspection & generic denial of possible
attacks, blacklisting or greylisting: does ASA or
Netscreen or Checkpoint help with these?
Some time back, I heard someone saying the old
discontinued Cyberguard firewall is an application
firewall (i.e. even if Cyberguard permits HTTP TCP 80,
WebEx can't go through via TCP 80): is this true, or is that
guy saying this to promote Cyberguard?
ASKER
Just to rephrase:
>then what's the difference between stateful & stateless inspection?
or rather what makes a stateful firewall more secure than a stateless router?
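An added toy model (not from this thread, and not any vendor's code) of the difference asked about above: a stateless "established" ACL judges each packet by its own TCP flag bits, while a stateful firewall admits an inbound packet only if it matches a session the inside actually opened. The addresses, ports and the "10.x is inside" convention are constructed for the demo.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def is_inside(ip: str) -> bool:
    # Constructed convention for this model: 10.x.x.x is the trusted side.
    return ip.startswith("10.")


def stateless_acl_permits(pkt: Packet) -> bool:
    """Models an extended ACL applied inbound on the outside interface:
         permit tcp any any established   (true when ACK or RST is set)
         deny   ip  any any
    It sees only this packet's header and has no memory of earlier packets."""
    return pkt.ack


class StatefulFirewall:
    """Remembers sessions the inside opened and lets inbound traffic
    through only when it belongs to one of those sessions."""

    def __init__(self) -> None:
        self.sessions = set()  # (inside ip, inside port, outside ip, outside port)

    def outbound(self, pkt: Packet) -> None:
        if is_inside(pkt.src) and pkt.syn and not pkt.ack:
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def inbound_permits(self, pkt: Packet) -> bool:
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions


def demo() -> dict:
    fw = StatefulFirewall()
    # Constructed traffic: an inside client opens a web session to an outside server.
    fw.outbound(Packet("10.1.1.5", 40000, "203.0.113.10", 80, syn=True))
    reply = Packet("203.0.113.10", 80, "10.1.1.5", 40000, syn=True, ack=True)
    # An unsolicited inbound packet carrying the ACK bit but matching no session.
    stray = Packet("198.51.100.7", 12345, "10.1.1.5", 22, ack=True)
    return {  # (stateless ACL verdict, stateful firewall verdict)
        "reply": (stateless_acl_permits(reply), fw.inbound_permits(reply)),
        "stray": (stateless_acl_permits(stray), fw.inbound_permits(stray)),
    }
```

The ACL passes both packets because it can only look at flag bits; the stateful firewall passes the real reply and drops the stray one, which is the extra check the asker is after.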
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.