Why can't L3 Cisco switches (with ACLs) replace firewalls

Posted on 2013-11-14
Last Modified: 2013-11-21
This is a very basic question:

Instead of buying firewalls (e.g. Checkpoint, Netscreen, ASA),
can we just buy Cisco switches & implement ACLs?

Unless they're application firewalls (which inspect the content),
I thought hardware firewalls (e.g. Checkpoint, Netscreen) block &
permit by ports, which is what ACLs are doing too?? Yes or No?

So in what ways are those dedicated firewalls (Checkpoint, Netscreen)
more secure than L3 ACLs?
Question by:sunhux
Assisted Solution

bill_lynch earned 50 total points
ID: 39648333
I think you hit the nail on the head with the word inspection.  The ASA, for example, uses advanced stateful inspection, comes with zones by default, allows and denies traffic based on the zone, and then keeps track of sessions to allow return traffic and so forth.  Checkpoint and Netscreen may do the same; I'm not sure.  I believe with Cisco routers you can set up zones and do similar functions as the ASA, but I'm not sure about their layer 3 switches.  I don't think they have this function.  Also the ASA is a VPN appliance, which again you can probably do with one of their routers but not a layer 3 switch.  So perhaps your question is whether you want a router or a firewall....

Assisted Solution

by:Sanga Collins
Sanga Collins earned 30 total points
ID: 39648389
Netscreen does the same thing with security zones. To add to what @bill_lynch said, VPN is a big feature, as well as advanced routing techniques such as multiple virtual routers and policy-based and/or source-based routing, to name but a few.

Assisted Solution

TimotiSt earned 40 total points
ID: 39648602
Two problems:
- Network Address Translation (NAT) would be most likely needed,
- PPPoE client functions might be needed (DHCP client should be okay with a L3 switch).

Optional nice-to-haves on routers/firewalls include: DNS forwarder, VPN, etc.

L3 ACLs are stateless, which can be made as secure (or more secure) as stateful inspection (but that would be painful). But you won't get ALG support for multi-port protocols (FTP, SIP, H323, etc.).



Assisted Solution

Infamus earned 50 total points
ID: 39648649
The question now is: how many companies out there are using a router or a layer 3 device as their firewall?

I think the simple answer is that routers are for routing, switches are for switching and firewalls are for security.

Firewalls can handle all 7 layers, and many of them also come with added features such as antivirus, intrusion protection, web filtering, etc.

Assisted Solution

by:Craig Beck
Craig Beck earned 110 total points
ID: 39649205
A bit of a rough example, but Layer 3 switches can't do NAT for a start.  There's one main problem with that: you won't be able to use a Layer 3 switch without a router for your external connection.  That kind of defeats the object of using a Layer 3 switch.

The main thing you need to ask is, why if you could use a Layer3 switch as a firewall do firewalls actually still exist?

Expert Comment

ID: 39649803
One minor thing comes to mind: I have an Extreme Summit 48i somewhere, and I think that box can actually do NAT... :)

Author Comment

ID: 39650041
Ok, I should be comparing between a router & a firewall.

If I'm not mistaken a Cisco router can do NAT.  Suppose
I don't need VPN, then what's the difference between
stateful & stateless inspection?

I heard that even stateful firewalls are not effective enough
(there's a way that a sysadmin/internal staff can permit
 outsiders to come in using this WebEx tool via the usual
 HTTP / TCP 80 which most firewalls permit).

Also, to prevent more advanced hacking (URL scans or
cross-site scripting, SQL injection), stateful firewalls
(like ASA, Netscreen) are not enough & we'll need
application firewalls such as ModSecurity which can
do content inspection & generic denial of possible
attacks, blacklisting or greylisting: does ASA or
Netscreen or Checkpoint help with these?

Some time back, I heard someone saying the old
discontinued Cyberguard firewall is an application
firewall (i.e. even if Cyberguard permits HTTP TCP 80,
WebEx can't go through via TCP 80): is this true, or is that
guy saying this to promote Cyberguard?

Author Comment

ID: 39650074
Just to rephrase:

>then what's the difference between stateful & stateless inspection?
or rather what makes a stateful firewall more secure than a stateless router?

Assisted Solution

by:Craig Beck
Craig Beck earned 110 total points
ID: 39662336
Stateless firewalls basically just apply restrictions based on source, destination, port number, etc.  They do not have the ability to actually see what type of traffic is being passed, so if someone tried to send traffic on port 80 it wouldn't matter if it was web traffic or SMTP traffic; the firewall would just allow it on port 80.

A stateful firewall adds session tracking (to put it simply).  This allows the firewall to ensure that traffic is part of the same 'conversation', so to speak.  It's a lot harder to pass spoofed data through a stateful firewall, for example.

Here's a link that says it a bit better than me...

Accepted Solution

Rich Rumble earned 70 total points
ID: 39662416
Ultimately it's separation of duty, and redundancy. You don't need a FW; the router can do just about everything most firewalls can nowadays. Most still don't go as high as layer 7, but you can find some that do. Switches seldom go over layer 4, and you need layer 5 to do stateful (as stated above).
Stateful is a must for any security. Stateful keeps the bad guys from spoofing a session from outside to inside. If the FW or router didn't hear your computer start the session, then it's not going to let it through. If you used stateless, it would be easy to penetrate any company at any time. Stateful is needed, period. Switches don't have the room for the other processing power, and those that do deal with the higher layers aren't very fast and don't scale well. Having dedicated hardware for tasks is the best way to scale and provides high availability by "failing gracefully". If your FW died, you could put up a rudimentary ACL for the router to use. The router is going to get taxed if the FW was doing a lot of work, since the router then has to do all that plus routing.
It's division of labor, and it's a good thing, mostly because you can mix and match vendors and get diversity. You can use Juniper and Cisco or just Cisco, but having interoperability is actually a security feature. Putting your eggs in one basket is not a good idea; having one device that does it all. UTMs and NGFWs are coming out more and more, but people are finding that they are an issue when it comes to high availability: if those UTMs fail, you don't have a defense anymore because that was the only defense. You need division of labor.

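To make the stateless-versus-stateful point from Craig Beck's and Rich Rumble's answers concrete, here is an added example that is not code from the thread or from any vendor: a small Python model of a router ACL using the `established` keyword (which only checks the ACK/RST bits of the packet in hand) beside a minimal connection tracker that only admits inbound segments matching a session an inside host actually started. The packet trace, addresses, ports and ACL rules are constructed for illustration; the stateful model is deliberately simplified (no sequence-number checking, no timeouts) and does not represent any particular product's implementation.

```python
# Added example (not from the Experts Exchange thread): a stateless
# "established" ACL versus a stateful connection tracker, run over a
# constructed packet trace. Addresses, ports and rules are hypothetical.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # TCP flag letters: S=SYN, A=ACK, P=PSH, R=RST, F=FIN
    direction: str   # "out" = inside -> outside, "in" = outside -> inside


def stateless_acl(pkt: Packet) -> bool:
    """Models an ACL applied inbound on the outside interface, roughly:
         permit tcp any any established
         deny   ip  any any
    'established' matches any TCP segment with ACK or RST set. The ACL has
    no memory, so it cannot know whether a matching session ever existed.
    Outbound traffic is permitted unconditionally in this model."""
    if pkt.direction == "out":
        return True
    return "A" in pkt.flags or "R" in pkt.flags


@dataclass
class StatefulFirewall:
    """Minimal connection tracker. A session entry is created only when an
    inside host sends a SYN outbound; an inbound segment is accepted only
    if its reversed 4-tuple matches a live session."""
    sessions: set = field(default_factory=set)

    def allow(self, pkt: Packet) -> bool:
        if pkt.direction == "out":
            if "S" in pkt.flags and "A" not in pkt.flags:
                self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key not in self.sessions:
            return False                 # no inside host started this conversation
        if "R" in pkt.flags:
            self.sessions.discard(key)   # peer tore the session down
        return True


# Constructed trace: one legitimate web session, then two probes from outside.
TRACE = [
    Packet("10.0.0.5", 40000, "203.0.113.10", 80, "S", "out"),    # client SYN
    Packet("203.0.113.10", 80, "10.0.0.5", 40000, "SA", "in"),    # server SYN-ACK
    Packet("203.0.113.10", 80, "10.0.0.5", 40000, "PA", "in"),    # server data
    Packet("198.51.100.7", 1234, "10.0.0.9", 445, "A", "in"),     # crafted ACK, no session
    Packet("198.51.100.7", 1234, "10.0.0.9", 22, "S", "in"),      # plain SYN scan
]


def compare(trace=TRACE):
    """Return, per packet, (stateless_verdict, stateful_verdict)."""
    fw = StatefulFirewall()
    return [(stateless_acl(p), fw.allow(p)) for p in trace]


if __name__ == "__main__":
    for pkt, (sl, sf) in zip(TRACE, compare()):
        print(f"{pkt.direction:>3} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} "
              f"[{pkt.flags:<2}]  stateless={'pass' if sl else 'drop'}  "
              f"stateful={'pass' if sf else 'drop'}")
```

Packets 1 to 3 pass both filters and packet 5 (a bare SYN from outside) is dropped by both; the difference is packet 4. An ACK-only segment aimed at an inside host on a port nobody opened satisfies `established` and is forwarded, so the inside host answers with a RST and the outside party learns that the host is up and the ACL is stateless (this is exactly what an nmap-style ACK scan relies on). The connection tracker drops it because it never saw an inside SYN for that 4-tuple. A stateless ACL can be tightened by enumerating every permitted inside host and port as TimotiSt notes, but it can never recover the missing information about who started the conversation.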