Why can't L3 Cisco switches (with ACLs) replace firewalls

This is a very basic question:

Instead of buying firewalls (eg: Checkpoint, Netscreen, ASA), can we just buy Cisco switches & implement ACLs?

Unless they're application firewalls (which inspect the content), I thought hardware firewalls (eg: Checkpoint, Netscreen) block & permit by ports, which is what ACLs are doing too?? Yes or no?

So in what ways are those dedicated firewalls (Checkpoint, Netscreen) more secure than L3 ACLs?
Rich Rumble (Security Samurai) commented:
Ultimately it's separation of duty, and redundancy. You don't need a FW, the router can do just about everything most firewalls can nowadays; most still don't go as high as layer 7, but you can find some that do. Switches seldom go over layer 4, and you need layer 5 to do stateful (as stated above).
Stateful is a must for any security. Stateful keeps the bad guys from spoofing a session from outside to inside. If the FW or router didn't hear your computer start the session, then it's not going to let it through. If you used stateless, it would be easy to penetrate any company at any time. Stateful is needed, period. Switches don't have the room for the other processing power, and those that do deal with the higher layers aren't very fast and don't scale well. Having dedicated hardware for tasks is the best way to scale and provides high availability by "failing gracefully". If your FW died, you could put up a rudimentary ACL for the router to use. The router is going to get taxed if the FW was doing a lot of work, since then the router has to do all that plus routing.
It's division of labor, and it's a good thing, mostly because you can mix and match vendors and get diversity. You can use Juniper and Cisco or just Cisco, but having interoperability is actually a security feature. Putting your eggs in one basket is not a good idea, having one device that does it all. UTMs and NGFWs are coming out more and more, but people are finding that they are an issue when it comes to high availability: if those UTMs fail, you don't have a defense anymore because that was the only defense. You need division of labor.
bill_lynch commented:
I think you hit the nail on the head with the word inspection. The ASA, for example, uses advanced stateful inspection, coming with zones by default, and it allows and denies traffic based on the zone and then keeps track of sessions to allow return traffic and so forth. Checkpoint and Netscreen may do the same, I'm not sure. I believe with Cisco routers you can set up zones and do similar functions as the ASA, but I'm not sure about their layer 3 switches. I don't think they have this function. Also the ASA is a VPN appliance, which again you can probably do with one of their routers but not a layer 3 switch. So perhaps your question is whether you want a router or a firewall....
Sanga Collins (Systems Admin) commented:
Netscreen does the same thing with security zones. To add to what @bill_lynch said, VPN is a big feature, as well as advanced routing techniques such as multiple virtual routers and policy-based and/or source-based routing, to name but a few.
TimotiSt (Datacenter Technician) commented:
Two problems:
- Network Address Translation (NAT) would be most likely needed,
- PPPoE client functions might be needed (DHCP client should be okay with a L3 switch).

Optional nice-to-haves on routers/firewalls include: DNS forwarder, VPN, etc.

L3 ACLs are stateless, which can be made as secure as (or more secure than) stateful inspection (but that would be painful). But you won't get ALG support for multi-port protocols (FTP, SIP, H323, etc.).
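
The ALG point above, as an added example that is not part of the thread: in active-mode FTP the client sends a PORT command on the control channel and the server then opens the data connection inbound to the client, so a filter that only tracks client-initiated sessions drops it. An application-layer gateway reads the PORT command and opens a narrow pinhole for exactly that connection. The addresses and control-channel lines are constructed, and the sanity checks (the advertised address must be the client's own, the port must be unprivileged, the pinhole is one-shot) are this example's assumptions about a sensible ALG, not a description of any vendor's implementation.

```python
"""
Added example: a minimal FTP (active mode) application-layer gateway.
Parses the client's PORT command and opens a one-shot pinhole for the
server's inbound data connection. Not code from the thread.
"""
import re

# PORT h1,h2,h3,h4,p1,p2  ->  ip = h1.h2.h3.h4, port = p1*256 + p2
PORT_RE = re.compile(
    r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$"
)


def parse_port_command(line: str):
    """Return (ip, port) for a well-formed FTP PORT command, else None."""
    m = PORT_RE.match(line)
    if not m:
        return None
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        return None
    ip = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]
    return ip, port


class FtpAlg:
    """Pinholes keyed by (server_ip, client_ip, client_data_port)."""

    def __init__(self) -> None:
        self.pinholes: set[tuple] = set()

    def observe_control(self, client_ip: str, server_ip: str, line: str) -> bool:
        """Inspect one line the inside client sent on the control channel."""
        parsed = parse_port_command(line)
        if parsed is None:
            return False
        ip, port = parsed
        # Assumed ALG policy: the hole must point back at the client that
        # asked for it and at an unprivileged port, so a client cannot use
        # PORT to punch holes towards other inside hosts (FTP bounce).
        if ip != client_ip or port < 1024:
            return False
        self.pinholes.add((server_ip, client_ip, port))
        return True

    def allow_inbound(self, src: str, sport: int, dst: str, dport: int) -> bool:
        """Inbound SYN from the server's data port (20): admitted once, then closed."""
        key = (src, dst, dport)
        if sport == 20 and key in self.pinholes:
            self.pinholes.discard(key)  # one-shot pinhole
            return True
        return False


def run_scenario() -> dict:
    """Constructed exchange between inside client 10.0.0.5 and server 203.0.113.10."""
    client, server = "10.0.0.5", "203.0.113.10"
    alg = FtpAlg()
    results = {}
    # Before any PORT command the server's SYN is just an unsolicited inbound connection.
    results["before_port"] = alg.allow_inbound(server, 20, client, 50000)
    # Client advertises data port 195*256 + 80 = 50000 on itself.
    results["port_accepted"] = alg.observe_control(client, server, "PORT 10,0,0,5,195,80")
    results["after_port"] = alg.allow_inbound(server, 20, client, 50000)
    # The pinhole was consumed; a second SYN to the same port is dropped.
    results["replay"] = alg.allow_inbound(server, 20, client, 50000)
    # PORT pointing at another inside host (and a privileged port) is refused.
    results["bounce_refused"] = alg.observe_control(client, server, "PORT 10,0,0,9,0,139")
    results["bounce_inbound"] = alg.allow_inbound(server, 20, "10.0.0.9", 139)
    return results


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name}: {'allow' if verdict else 'drop'}")
```

A stateless ACL has no way to express "allow this one inbound connection because of a command seen on another connection"; the usual stateless workaround is a standing permit for inbound TCP from port 20 to the whole inside range, which is exactly the kind of hole the thread is warning about.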

Infamus commented:
The question now is then how many companies out there are using a router or a layer 3 device as their firewall?

I think the simple answer is that routers are for routing, switches are for switching and firewalls are for security.

A firewall can handle all 7 layers and also many of them come with added features such as antivirus, intrusion protection, web filtering, etc.
Craig Beck commented:
A bit of a rough example, but Layer3 switches can't do NAT for a start.  There's one main problem with that.  You won't be able to use a Layer3 switch without a router for your external connection.  That kind of defeats the object when using a Layer3 switch.

The main thing you need to ask is, why if you could use a Layer3 switch as a firewall do firewalls actually still exist?
TimotiSt (Datacenter Technician) commented:
One minor thing comes to mind: I have an Extreme Summit 48i somewhere, and I think that box can actually do NAT... :)
sunhux (Author) commented:
OK, I should be comparing between a router & a firewall.

If I'm not mistaken a Cisco router can do NAT. Suppose I don't need VPN, then what's the difference between stateful & stateless inspection?

I heard that even stateful firewalls are not effective enough (there's a way that a sysadmin/internal staff can permit outsiders to come in using this webex tool via the usual http / TCP 80 which most firewalls permit).

Also to prevent more advanced hacking (URL scan or cross-site scripting, SQL injection), stateful firewalls (like ASA, Netscreen) are not enough & we'll need application firewalls such as modsecurity which can do content inspection & generic denial of possible attacks, blacklisting or greylisting: does ASA or Netscreen or Checkpoint help with these?

Sometime back, I heard someone saying the old discontinued Cyberguard firewall is an application firewall (ie even if Cyberguard permits http TCP 80, webex can't go thru via TCP 80): is this true or is that guy saying this to promote Cyberguard?
sunhux (Author) commented:
Just to rephrase:

>then what's the difference between stateful & stateless inspection?
or rather what makes a stateful firewall more secure than a stateless router?
Craig Beck commented:
Stateless firewalls basically just apply restrictions based on source, destination, port number, etc... they do not have the ability to actually see what type of traffic is being passed so if someone tried to send traffic on port 80 it wouldn't matter if it was web traffic or smtp traffic, the firewall would just allow it on port 80.

A stateful firewall adds session tracking (to put it simply).  This allows the firewall to ensure that traffic is part of the same 'conversation' so to speak.  It's a lot harder to pass spoofed data through a stateful firewall, for example.

Here's a link that says it a bit better than me...
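
The stateless-versus-stateful distinction drawn by Rich Rumble ("if the FW or router didn't hear your computer start the session, it's not going to let it through") and by Craig Beck just above, as an added example that is not part of the thread: a toy packet filter runs the same packets through a stateless ACL and a session-tracking filter. The stateless rule models an IOS extended ACL that permits inbound TCP with the `established` keyword, which matches on the ACK or RST bit alone; the stateful filter admits an inbound packet only if it mirrors a 4-tuple whose SYN it saw leave the inside. Addresses, the inside prefix and the packets are constructed.

```python
"""
Added example: stateless ACL (header bits only) versus a stateful
session-tracking filter. Not code from the thread or any vendor.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    rst: bool = False


INSIDE_PREFIX = "10.0.0."  # assumed inside network (constructed)


def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_PREFIX)


def stateless_acl(pkt: Packet) -> bool:
    """Per-packet ACL of the kind an L3 switch applies. Equivalent rules:

        permit tcp inside any              (outbound: anything)
        permit tcp any inside established  (inbound: only if ACK or RST set)
        deny   ip  any any
    """
    if is_inside(pkt.src) and not is_inside(pkt.dst):
        return True
    if not is_inside(pkt.src) and is_inside(pkt.dst):
        # The ACL cannot know whether a session exists; it trusts a header
        # bit that the sender controls, so a crafted ACK-set packet matches.
        return pkt.ack or pkt.rst
    return False


class StatefulFilter:
    """Remembers outbound SYNs and admits only traffic belonging to them."""

    def __init__(self) -> None:
        self.sessions: set[tuple] = set()  # (in_ip, in_port, out_ip, out_port)

    def allow(self, pkt: Packet) -> bool:
        if is_inside(pkt.src) and not is_inside(pkt.dst):
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.syn and not pkt.ack:
                self.sessions.add(key)  # the inside host started this conversation
                return True
            return key in self.sessions  # later outbound packets of a known session
        if not is_inside(pkt.src) and is_inside(pkt.dst):
            # Inbound is admitted only as the mirror of a tracked session;
            # header flags alone buy the outsider nothing.
            return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions
        return False


def run_scenario() -> dict:
    """Run four constructed packets through both filters; returns allow/deny lists."""
    packets = [
        Packet("10.0.0.5", 51000, "203.0.113.10", 80, syn=True),            # inside opens HTTP
        Packet("203.0.113.10", 80, "10.0.0.5", 51000, syn=True, ack=True),  # legitimate SYN/ACK
        Packet("198.51.100.7", 4444, "10.0.0.5", 445, ack=True),            # spoofed ACK at SMB
        Packet("198.51.100.7", 4444, "10.0.0.5", 445, syn=True),            # plain inbound SYN
    ]
    sf = StatefulFilter()
    return {
        "stateless": [stateless_acl(p) for p in packets],
        "stateful": [sf.allow(p) for p in packets],
    }


if __name__ == "__main__":
    for name, verdicts in run_scenario().items():
        print(name, ["allow" if v else "drop" for v in verdicts])
```

Both filters drop the bare inbound SYN, so port scans of the "is 445 open?" kind look the same either way. The difference is the third packet: the ACK-set probe sails through the stateless ACL and reaches the inside host's SMB port, while the stateful filter drops it because no inside host ever started a session with 198.51.100.7:4444.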
