Solved

Why can't L3 Cisco switches (with ACLs) replace firewalls

Posted on 2013-11-14
11
2,732 Views
Last Modified: 2013-11-21
This is a very basic question:

Instead of buying firewalls (eg: Checkpoint, Netscreen, ASA),
can we just buy Cisco switches & implement ACLs?

Unless they're application firewalls (which inspect the content),
I thought hardware firewalls (eg: Checkpoint, Netscreen) block &
permit by port, which is what ACLs do too? Yes or no?

So in what ways are those dedicated firewalls (Checkpoint, Netscrn)
more secure than L3 ACLs ?
Question by:sunhux
11 Comments
 
LVL 9

Assisted Solution

by:bill_lynch
bill_lynch earned 50 total points
ID: 39648333
I think you hit the nail on the head with the word inspection.  The ASA, for example, uses advanced stateful inspection, comes with zones by default, and allows and denies traffic based on the zone, then keeps track of sessions to allow return traffic and so forth.  Checkpoint and Netscreen may do the same; I'm not sure.  I believe with Cisco routers you can set up zones and do similar functions as the ASA, but I'm not sure about their layer 3 switches.  I don't think they have this function.  Also, the ASA is a VPN appliance, which again you can probably do with one of their routers but not a layer 3 switch.  So perhaps your question is whether you want a router or a firewall....
 
LVL 18

Assisted Solution

by:Sanga Collins
Sanga Collins earned 30 total points
ID: 39648389
Netscreen does the same thing with security zones. To add to what @bill_lynch said: VPN is a big feature, as well as advanced routing techniques such as multiple virtual routers and policy-based and/or source-based routing, to name but a few.
 
LVL 17

Assisted Solution

by:TimotiSt
TimotiSt earned 40 total points
ID: 39648602
Two problems:
- Network Address Translation (NAT) would be most likely needed,
- PPPoE client functions might be needed (DHCP client should be okay with a L3 switch).

Optional nice-to-haves on routers/firewalls include: DNS forwarder, VPN, etc.

L3 ACLs are stateless, which can be made as secure as (or more secure than) stateful inspection (but that would be painful). But you won't get ALG support for multi-port protocols (FTP, SIP, H.323, etc.).

Tamas
 
LVL 12

Assisted Solution

by:Infamus
Infamus earned 50 total points
ID: 39648649
The question now is: how many companies out there are using a router or a layer 3 device as their firewall?

I think the simple answer is that routers are for routing, switches are for switching and firewalls are for security.

Firewalls can handle all 7 layers, and many of them also come with added features such as antivirus, intrusion protection, web filtering, etc...
 
LVL 45

Assisted Solution

by:Craig Beck
Craig Beck earned 110 total points
ID: 39649205
A bit of a rough example, but Layer3 switches can't do NAT for a start.  There's one main problem with that.  You won't be able to use a Layer3 switch without a router for your external connection.  That kind of defeats the object when using a Layer3 switch.

The main thing you need to ask is, why if you could use a Layer3 switch as a firewall do firewalls actually still exist?
 
LVL 17

Expert Comment

by:TimotiSt
ID: 39649803
One minor thing comes to mind: I have an Extreme Summit 48i somewhere, and I think that box can actually do NAT... :)
 

Author Comment

by:sunhux
ID: 39650041
Ok, I should be comparing between a router & a firewall.

If I'm not mistaken a Cisco router can do NAT.  Suppose
I don't need VPN, then what's the difference between
stateful & stateless inspection?

I heard that even stateful firewalls are not effective enough
(there's a way that a sysadmin/internal staff can permit
 outsiders to come in using this WebEx tool via the usual
 http / TCP 80, which most firewalls permit).

Also, to prevent more advanced hacking (URL scanning or
cross-site scripting, SQL injection), stateful firewalls
(like ASA, Netscreen) are not enough & we'll need
application firewalls such as ModSecurity, which can
do content inspection & generic denial of possible
attacks, blacklisting or greylisting: does ASA or
Netscreen or Checkpoint help with these?

Some time back, I heard someone saying the old
discontinued Cyberguard firewall is an application
firewall (ie even if Cyberguard permits http TCP 80,
WebEx can't go through via TCP 80): is this true, or was that
guy saying this to promote Cyberguard?
 

Author Comment

by:sunhux
ID: 39650074
Just to rephrase:

>then what's the difference between stateful & stateless inspection?
or rather what makes a stateful firewall more secure than a stateless router?
 
LVL 45

Assisted Solution

by:Craig Beck
Craig Beck earned 110 total points
ID: 39662336
Stateless firewalls basically just apply restrictions based on source, destination, port number, etc... They do not have the ability to actually see what type of traffic is being passed, so if someone tried to send traffic on port 80 it wouldn't matter if it was web traffic or SMTP traffic; the firewall would just allow it on port 80.

A stateful firewall adds session tracking (to put it simply).  This allows the firewall to ensure that traffic is part of the same 'conversation' so to speak.  It's a lot harder to pass spoofed data through a stateful firewall, for example.

Here's a link that says it a bit better than me...

http://floppsie.comp.glam.ac.uk/Glamorgan/gaius-/networks/3.html
 
LVL 38

Accepted Solution

by:Rich Rumble
Rich Rumble earned 70 total points
ID: 39662416
Ultimately it's separation of duty, and redundancy. You don't need a FW; the router can do just about everything most firewalls can nowadays. Most still don't go as high as layer 7, but you can find some that do. Switches seldom go over layer 4, and you need layer 5 to do stateful (as stated above).
Stateful is a must for any security. Stateful keeps the bad guys from spoofing a session from outside to inside. If the FW or router didn't hear your computer start the session, then it's not going to let it through. If you used stateless, it would be easy to penetrate any company at any time. Stateful is needed, period. Switches don't have the room for the other processing power, and those that do deal with the higher layers aren't very fast and don't scale well. Having dedicated hardware for tasks is the best way to scale, and it provides high availability by "failing gracefully". If your FW died, you could put up a rudimentary ACL for the router to use. The router is going to get taxed if the FW was doing a lot of work, since then the router has to do all that plus routing.
It's division of labor, and it's a good thing, mostly because you can mix and match vendors and get diversity. You can use Juniper and Cisco or just Cisco, but having interoperability is actually a security feature. Putting your eggs in one basket is not a good idea; having one device that does it all. UTMs and NGFWs are coming out more and more, but people are finding that they are an issue when it comes to high availability: if those UTMs fail, you don't have a defense anymore, because that was the only defense. You need division of labor.
-rich
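The stateless-vs-stateful distinction that Craig Beck and Rich Rumble describe above is easiest to see with packets in hand. The following is an added example, not code from the thread or from any vendor: a toy packet filter that contrasts an IOS-style stateless ACL using the `established` keyword (which matches any TCP segment with ACK or RST set, the usual way to let "return traffic" through a router ACL) with a stateful filter that keeps a session table. The addresses, ports and packet sequence are constructed for the demonstration; the only inbound sessions the policy allows are new connections to a published web server.

```python
# Added example (not from the thread): stateless "established" ACL vs a
# stateful session table, run over a constructed packet sequence.
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

INSIDE_PREFIX = "10.0.0."      # assumed inside network (constructed)
WEB_SERVER = "203.0.113.10"    # assumed published web server (constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]      # TCP flags, e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}
    inbound: bool              # True = outside -> inside, False = inside -> outside


def stateless_acl(pkt: Packet) -> bool:
    """Emulates an IOS-style ACL applied inbound on the outside interface:

         permit tcp any host 203.0.113.10 eq 80
         permit tcp any 10.0.0.0 0.0.0.255 established
         deny   ip  any any

    'established' matches any segment with ACK or RST set, so the router
    cannot tell a genuine reply from an unsolicited ACK."""
    if not pkt.inbound:
        return True                                   # outbound is unrestricted
    if pkt.dst == WEB_SERVER and pkt.dport == 80:
        return True
    if pkt.dst.startswith(INSIDE_PREFIX) and pkt.flags & {"ACK", "RST"}:
        return True
    return False


class StatefulFilter:
    """Tracks sessions by 5-tuple: only the reply leg of a session this
    device saw being opened (by a SYN it permitted) is allowed back in."""

    def __init__(self) -> None:
        self.sessions: dict = {}    # (client, cport, server, sport) -> state

    def _known(self, pkt: Packet) -> bool:
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return forward in self.sessions or reverse in self.sessions

    def check(self, pkt: Packet) -> bool:
        syn_only = pkt.flags == frozenset({"SYN"})
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if not pkt.inbound:
            if syn_only:                              # inside host opens a session
                self.sessions[key] = "SYN_SENT"
                return True
            return self._known(pkt)                   # ACK/data of a tracked session
        # inbound: policy allows new sessions only to the web server
        if syn_only and pkt.dst == WEB_SERVER and pkt.dport == 80:
            self.sessions[key] = "SYN_SENT"
            return True
        # anything else must be the reply leg of a session we already track
        if self._known(pkt):
            if {"SYN", "ACK"} <= pkt.flags:
                self.sessions[(pkt.dst, pkt.dport, pkt.src, pkt.sport)] = "ESTABLISHED"
            return True
        return False


# Constructed packet sequence (not captured traffic).
PACKETS: List[Packet] = [
    Packet("10.0.0.5", 40000, "198.51.100.7", 443, frozenset({"SYN"}), False),       # inside host opens HTTPS
    Packet("198.51.100.7", 443, "10.0.0.5", 40000, frozenset({"SYN", "ACK"}), True),  # genuine reply
    Packet("10.0.0.5", 40000, "198.51.100.7", 443, frozenset({"ACK"}), False),        # handshake completes
    Packet("198.51.100.9", 1234, "10.0.0.5", 22, frozenset({"ACK"}), True),           # unsolicited ACK to SSH (ACK scan)
    Packet("192.0.2.3", 5555, WEB_SERVER, 80, frozenset({"SYN"}), True),              # new session to the web server
    Packet("192.0.2.3", 5555, "10.0.0.5", 22, frozenset({"SYN"}), True),              # new inbound SSH attempt
]


def run(packets: List[Packet]) -> List[Tuple[bool, bool]]:
    """Return (stateless_decision, stateful_decision) for each packet in order."""
    fw = StatefulFilter()
    return [(stateless_acl(p), fw.check(p)) for p in packets]


if __name__ == "__main__":
    for pkt, (acl, state) in zip(PACKETS, run(PACKETS)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} {sorted(pkt.flags)}"
              f"  ACL={'permit' if acl else 'deny'}  stateful={'permit' if state else 'deny'}")
```

The fourth packet is the one that matters: an ACK to port 22 on an inside host that nobody asked for. The stateless ACL permits it because the ACK bit is set, which is exactly what an ACK scan probes for and what a spoofed-session attack builds on; the stateful filter drops it because there is no session for that 5-tuple. Real stateful devices such as the ASA also check sequence numbers and normalise TCP, which this toy omits. Note that neither filter looks past layer 4: as the thread goes on to discuss, both still pass whatever rides on TCP 80 unless something does application-layer inspection.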