Regarding Packet Filtering Firewall using Router

Unanswered Question
Dec 14th, 2008

Hi Team,

One small query--

I have read somewhere that routers are packet filtering firewalls (which can process the traffic at Layer-3 and Layer-4), but when we configure access-lists in routers, we can even mention the upper layer protocols (http, ftp) in the access-lists. Then how does the router process the packets of upper layer protocols if the router is acting as a packet filtering firewall?

Farrukh Haroon Sun, 12/14/2008 - 22:39

Cisco routers have multiple solutions to provide access control. The following is their list:

1) Access-lists (Stateless Packet Filter)

easier to fool/spoof/compromise

very difficult to manage

stateless except some features like 'established' keyword that provide pseudo-stateful behavior.

2) Reflexive ACLs (Stateful Filter without Application Inspection/Handling)

pretty easy to implement

less control on what to filter

break for most dynamic applications like multimedia, active ftp etc.

3) CBAC (Stateful filter - Now called the classic firewall)

4) Zone-based Firewall (Stateful filter with enhanced zoning support)

As per your question, even ACLs have limited visibility into upper layer protocols now. But that is limited. As technologies grow, the line between stateful/stateless starts to blur a little bit.



palsukh2002 Sun, 12/14/2008 - 23:22

It means we cannot say that routers are packet filtering firewalls.

Because if we are allowing http access from some source to destination in the router access-list, the access will be permitted.

My actual doubt was why we are calling routers packet filtering firewalls.

Sorry for confusing-

palsukh2002 Mon, 12/15/2008 - 15:31

This is confusing---

In a router access-list we can type

access-list test permit host host http

which will allow http access, which is an Application layer protocol. It means the router can open the whole packet up to the application layer and can see that http access is needed. Then how are we saying routers are packet filtering firewalls (packet filtering firewalls can see the information of Layer-3 and Layer-4 protocols only)?

Farrukh Haroon Mon, 12/15/2008 - 22:36

All the router is doing is looking at the layer 4 TCP segment and checking if the destination port is 80 (HTTP). It's not going into the higher layers and inspecting the nitty gritty details of the HTTP protocol itself, e.g. URL/host/encoding/content-type etc. You have to remember that the OSI model is merely a 'logical' model. Don't think too hard about it :). I would highly recommend reading the Douglas Comer TCP/IP book. It would help you build these basic concepts.
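The point made in the two replies above (an ACL keyword like `www`/`eq 80` is only a destination-port check, and `established` is only a check on the TCP ACK/RST bits) can be made concrete with a toy stateless filter. The following is an added example written for this page; it is not code from the thread or from Cisco IOS, and the addresses, ports and packets in it are constructed for illustration. It parses nothing beyond the IPv4 and TCP headers, evaluates Cisco-style entries against those fields with first-match-wins and an implicit deny, and then feeds it packets that show (a) an SSH banner sent to port 80 is "permitted as HTTP", and (b) `established` passes a forged packet that merely has the ACK bit set, which is the spoofing weakness the first reply mentions.

```python
"""Stateless 'packet filtering firewall' in miniature: a router ACL that looks
only at the IPv4 and TCP headers.  Added example for this thread, not Cisco
code.  All addresses, ports and packets below are constructed samples."""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10


@dataclass(frozen=True)
class L3L4:
    """Everything a stateless filter gets to see: L3 addresses, L4 ports, TCP flags."""
    src: IPv4Address
    dst: IPv4Address
    sport: int
    dport: int
    flags: int


def parse_ipv4_tcp(pkt: bytes) -> L3L4:
    """Decode the IPv4 and TCP headers; the payload is deliberately never touched."""
    ver_ihl, _tos, _tlen, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("example handles IPv4/TCP only")
    ihl = (ver_ihl & 0x0F) * 4
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", pkt[ihl:ihl + 14])
    return L3L4(IPv4Address(src), IPv4Address(dst), sport, dport, off_flags & 0x1FF)


@dataclass(frozen=True)
class Ace:
    """One access-list entry, e.g. 'permit tcp host A host B eq 80 established'."""
    action: str
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None      # 'eq <port>'; None means any destination port
    established: bool = False        # IOS 'established': ACK or RST bit must be set

    def matches(self, h: L3L4) -> bool:
        if h.src not in self.src or h.dst not in self.dst:
            return False
        if self.dport is not None and h.dport != self.dport:
            return False
        if self.established and not h.flags & (TCP_ACK | TCP_RST):
            return False
        return True


def evaluate(acl: list, h: L3L4) -> str:
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for ace in acl:
        if ace.matches(h):
            return ace.action
    return "deny"


def build_packet(src: str, dst: str, sport: int, dport: int, flags: int,
                 payload: bytes = b"") -> bytes:
    """Constructed IPv4/TCP packet (checksums left zero; for the filter, not the wire)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 0, (5 << 12) | flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return ip + tcp + payload


# Hypothetical 'access-list 101 permit tcp host 10.1.1.5 host 192.0.2.10 eq www' (outbound)
OUTBOUND = [Ace("permit", IPv4Network("10.1.1.5/32"), IPv4Network("192.0.2.10/32"), dport=80)]
# Hypothetical 'access-list 102 permit tcp any host 10.1.1.5 established' (inbound)
INBOUND = [Ace("permit", IPv4Network("0.0.0.0/0"), IPv4Network("10.1.1.5/32"), established=True)]


def demo() -> dict:
    """Run representative constructed packets through both ACLs; return the verdicts."""
    real_http = build_packet("10.1.1.5", "192.0.2.10", 40000, 80, TCP_SYN, b"GET / HTTP/1.1\r\n")
    ssh_on_80 = build_packet("10.1.1.5", "192.0.2.10", 40001, 80, TCP_SYN, b"SSH-2.0-OpenSSH\r\n")
    syn_ack_back = build_packet("192.0.2.10", "10.1.1.5", 80, 40000, TCP_SYN | TCP_ACK)
    unsolicited_syn = build_packet("198.51.100.7", "10.1.1.5", 5555, 22, TCP_SYN)
    forged_ack = build_packet("198.51.100.7", "10.1.1.5", 5555, 22, TCP_ACK)
    return {
        "http to port 80": evaluate(OUTBOUND, parse_ipv4_tcp(real_http)),
        "ssh banner to port 80": evaluate(OUTBOUND, parse_ipv4_tcp(ssh_on_80)),   # still 'permit'
        "syn/ack reply": evaluate(INBOUND, parse_ipv4_tcp(syn_ack_back)),
        "unsolicited syn": evaluate(INBOUND, parse_ipv4_tcp(unsolicited_syn)),
        "forged ack to port 22": evaluate(INBOUND, parse_ipv4_tcp(forged_ack)),   # 'permit': spoofable
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:24s} -> {verdict}")
```

Two things to take from running it: the "ssh banner to port 80" packet is permitted by the `eq 80` entry exactly like the real HTTP request, because nothing after the TCP header is ever read; and the "forged ack" packet is permitted by `established` although no connection exists, which is why the first reply calls ACLs easy to spoof and only pseudo-stateful. A stateful filter (reflexive ACL, CBAC, zone-based firewall) would instead remember the outbound SYN and admit only matching return traffic.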



