

Why can't L3 Cisco switches (with ACLs) replace firewalls

Posted on 2013-11-14
Medium Priority
Last Modified: 2013-11-21
This is a very basic question:

Instead of buying firewalls (eg: Checkpoint, Netscreen, ASA),
can we just buy Cisco switches & implement ACLs ?

Unless they're application firewalls (which inspect the content),
I thought hardware firewalls (eg: Checkpoint, Netscreen) block &
permit by ports, which is what ACLs are doing too ?? Yes or No?

So in what ways are those dedicated firewalls (Checkpoint, Netscreen)
more secure than L3 ACLs ?
Question by:sunhux

Assisted Solution

bill_lynch earned 200 total points
ID: 39648333
I think you hit the nail on the head with the word inspection.  The ASA for example uses advanced stateful inspection coming with zones by default and it allows and denies traffic based on the zone and then keeps track of sessions to allow return traffic and so forth.  Checkpoint and Netscreen may do the same I'm not sure.  I believe with Cisco Routers you can set up zones and do similar functions as the ASA but I'm not sure about their layer 3 switches.  I don't think they have this function.  Also the ASA is a VPN appliance.  Which again you can probably do with one of their Routers but not layer 3 switch.  So perhaps your question is if you want a Router or Firewall....
LVL 18

Assisted Solution

by:Sanga Collins
Sanga Collins earned 120 total points
ID: 39648389
Netscreen does the same thing with security zones. To add to what @bill_lynch said, VPN is a big feature, as well as advanced routing techniques such as multiple virtual routers and policy-based and/or source-based routing, to name but a few.
LVL 17

Assisted Solution

TimotiSt earned 160 total points
ID: 39648602
Two problems:
- Network Address Translation (NAT) would be most likely needed,
- PPPoE client functions might be needed (DHCP client should be okay with a L3 switch).

Optional nice-to-haves on routers/firewalls include: DNS forwarder, VPN, etc.

L3 ACLs are stateless, which can be made as secure (or more secure) as stateful inspection (but that would be painful). But you won't get ALG support for multi-port protocols (FTP, SIP, H323, etc.).

LVL 12

Assisted Solution

Infamus earned 200 total points
ID: 39648649
The question now is then how many companies out there are using a router or a layer 3 device as their firewall?

I think the simple answer is that routers are for routing, switches are for switching and firewalls are for security.

Firewalls can handle all 7 layers and also many of them come with added features such as antivirus, intrusion protection, web filtering, etc.
LVL 47

Assisted Solution

by:Craig Beck
Craig Beck earned 440 total points
ID: 39649205
A bit of a rough example, but Layer3 switches can't do NAT for a start.  There's one main problem with that.  You won't be able to use a Layer3 switch without a router for your external connection.  That kind of defeats the object when using a Layer3 switch.

The main thing you need to ask is, why if you could use a Layer3 switch as a firewall do firewalls actually still exist?
LVL 17

Expert Comment

ID: 39649803
One minor thing comes to mind: I have an Extreme Summit 48i somewhere, and I think that box can actually do NAT... :)

Author Comment

ID: 39650041
Ok, I should be comparing between a router & a firewall.

If I'm not mistaken a Cisco router can do NAT.  Suppose
I don't need VPN, then what's the difference between
stateful & stateless inspection?

I heard that even stateful firewalls are not effective enough
(there's a way that sysadmin/internal staff can permit
 outsiders to come in using this webex tool via the usual
 http / Tcp80 which most firewalls permit).

Also to prevent more advanced hacking (URL scan or
cross-site scripting, SQL injection), stateful firewalls
(like ASA, Netscreen) are not enough & we'll need
Application firewalls such as modsecurity which can
do content inspection & generic denial of possible
attacks, blacklisting or greylisting : does ASA or
Netscreen or Checkpoint help with these?

Sometime back, I heard someone saying the old
discontinued Cyberguard firewall is an application
firewall (ie even if Cyberguard permits http Tcp 80,
webex can't go thru via Tcp 80) : is this true or is that
guy is saying this to promote Cyberguard?

Author Comment

ID: 39650074
Just to rephrase:

>then what's the difference between stateful & stateless inspection?
or rather what makes a stateful firewall more secure than a stateless router?
LVL 47

Assisted Solution

by:Craig Beck
Craig Beck earned 440 total points
ID: 39662336
Stateless firewalls basically just apply restrictions based on source, destination, port number, etc... they do not have the ability to actually see what type of traffic is being passed so if someone tried to send traffic on port 80 it wouldn't matter if it was web traffic or smtp traffic, the firewall would just allow it on port 80.

A stateful firewall adds session tracking (to put it simply).  This allows the firewall to ensure that traffic is part of the same 'conversation' so to speak.  It's a lot harder to pass spoofed data through a stateful firewall, for example.

Here's a link that says it a bit better than me...
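A worked illustration of the stateless-versus-stateful point made in this answer and in TimotiSt's earlier note that L3 ACLs are stateless. This is an added Python example, not code from the thread or from any vendor: it models an inbound switch ACL with an `established`-style entry (permit if the ACK bit is set, no memory of earlier packets) beside a minimal session-tracking filter that only admits inbound packets belonging to a session an inside host opened. The packets, addresses (10.0.0.5, 203.0.113.10, 198.51.100.7) and ports are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Just the TCP/IP header fields the two filters look at."""
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


INSIDE_NET = "10.0.0."  # constructed internal /24


def stateless_acl(pkt: Packet) -> bool:
    """Inbound ACL on an L3 switch, evaluated packet by packet with no memory.
    Equivalent in spirit to:
        permit tcp any 10.0.0.0 0.0.0.255 established
        deny   ip  any any
    'established' only tests that the ACK (or RST) bit is set."""
    return pkt.dst.startswith(INSIDE_NET) and pkt.ack


class StatefulFilter:
    """Remembers sessions that inside hosts opened and admits inbound
    packets only when they match one of those sessions."""

    def __init__(self) -> None:
        # Entries are (inside_ip, inside_port, remote_ip, remote_port).
        self.sessions: set = set()

    def outbound(self, pkt: Packet) -> bool:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        # An inside-initiated SYN opens a session entry.
        if pkt.src.startswith(INSIDE_NET) and pkt.syn and not pkt.ack:
            self.sessions.add(key)
            return True
        return key in self.sessions

    def inbound(self, pkt: Packet) -> bool:
        # Reverse the 4-tuple: the packet must answer an open session.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions


def run_scenario() -> dict:
    """Push the same three constructed packets through both filters."""
    fw = StatefulFilter()
    results = {}

    # 1. Inside client opens a web session to an outside server.
    syn = Packet("10.0.0.5", 40000, "203.0.113.10", 80, syn=True)
    results["open_stateful"] = fw.outbound(syn)

    # 2. Legitimate reply: SYN/ACK from that server, same 4-tuple reversed.
    synack = Packet("203.0.113.10", 80, "10.0.0.5", 40000, syn=True, ack=True)
    results["reply_stateless"] = stateless_acl(synack)
    results["reply_stateful"] = fw.inbound(synack)

    # 3. Unrelated packet with the ACK bit set, aimed at an inside service
    #    port nobody talked to. The ACL sees only the flag; the session
    #    tracker sees that no inside host ever opened this conversation.
    unsolicited = Packet("198.51.100.7", 80, "10.0.0.5", 3389, ack=True)
    results["unsolicited_stateless"] = stateless_acl(unsolicited)
    results["unsolicited_stateful"] = fw.inbound(unsolicited)
    return results


if __name__ == "__main__":
    for name, allowed in run_scenario().items():
        print(f"{name:24s} -> {'permit' if allowed else 'deny'}")
```

Both filters pass the genuine reply, but only the session tracker denies the unsolicited packet; the `established` ACL has no way to tell that no inside host ever started the conversation, which is the gap the stateful firewall closes.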

LVL 38

Accepted Solution

Rich Rumble earned 280 total points
ID: 39662416
Ultimately it's separation of duty, and redundancy. You don't need a FW, the router can do just about everything most firewalls can nowadays, most still don't go as high as layer 7, but you can find some that do. Switches seldom go over layer 4, and you need layer 5 to do stateful (as stated above).
Stateful is a must for any security. Stateful keeps the bad guys from spoofing a session from outside to inside. If the FW or Router didn't hear your computer start the session, then it's not going to let it through. If you used stateless, it would be easy to penetrate any company at any time. Stateful is needed, period. Switches don't have the room for the other processing power, and those that do deal with the higher layers aren't very fast and don't scale well. Having dedicated hardware for tasks is the best way to scale and provides high availability by "failing gracefully". If your FW died, you could put up a rudimentary ACL for the router to use. The router is going to get taxed if the FW was doing a lot of work, then the router too has to do all that plus routing.
It's division of labor, and it's a good thing, mostly because you can mix and match vendors and get diversity. You can use Juniper and Cisco or just Cisco, but having interoperability is actually a security feature. Putting your eggs in one basket is not a good idea, having one device that does it all. UTMs and NGFWs are coming out more and more, but people are finding that they are an issue when it comes to High Availability: if those UTMs fail, you don't have a defense anymore because that was the only defense. You need division of labor.
