Regarding Packet Filtering Firewall using Router

palsukh2002
Level 1

Hi Team,

One small query--

I have read somewhere that routers are packet filtering firewalls (which can process the traffic at Layer-3 and Layer-4), but when we configure access-lists in routers, we can even mention the upper layer protocols (http, ftp) in the access-lists. Then how will the router process the packets of upper layer protocols if the router is acting as a packet filtering firewall?

5 Replies

Farrukh Haroon
VIP Alumni

Cisco routers have multiple solutions to provide access control. The following is their list:

1) Access-lists (Stateless Packet Filter)

easier to fool/spoof/compromise

very difficult to manage

stateless except some features like 'established' keyword that provide pseudo-stateful behavior.

2) Reflexive ACLs (Stateful Filter without Application Inspection/Handling)

pretty easy to implement

less control on what to filter

break for most dynamic applications like multimedia, active FTP etc.

3) CBAC (Stateful filter - Now called the classic firewall)

4) Zone-based Firewall (Stateful filter with enhanced zoning support)

As per your question, even ACLs have limited visibility into upper layer protocols now. But that is limited. As technologies grow, the line between stateful/stateless starts to blur a little bit.

Regards

Farrukh
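To make the stateless-versus-stateful distinction in the list above concrete, here is an added Python model (not Cisco code and not part of the original reply). It assumes a protected host 10.1.1.1 talking to a server 20.1.1.1, and the packets are constructed for the demo. The first filter mimics an inbound ACL with the 'established' keyword, which only tests the ACK/RST bit in the TCP header; the second mimics a reflexive ACL, which permits inbound traffic only when an outbound flow has created a matching temporary reverse entry. The active-FTP case shows why reflexive ACLs break applications that open a second connection the filter never saw negotiated.

```python
from dataclasses import dataclass

# Constructed model of the layer-3/4 fields a router ACL can see; this is
# not an IOS data structure.
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    ack: bool = False   # TCP ACK (or RST) bit, the only thing 'established' tests

INSIDE = "10.1.1.1"     # assumed protected host
OUTSIDE = "20.1.1.1"    # assumed server it talks to


# 1) Stateless ACL applied inbound, roughly:
#    permit tcp any host 10.1.1.1 established
def stateless_inbound_permit(pkt):
    # Checks a flag bit in the TCP header only; it never asks whether a
    # matching outbound connection exists, hence "pseudo-stateful".
    return pkt.proto == "tcp" and pkt.dst == INSIDE and pkt.ack


# 2) Reflexive ACL: an outbound flow creates a temporary mirror-image entry
#    that inbound packets are checked against.
class ReflexiveFilter:
    def __init__(self):
        self.reverse_entries = set()

    def outbound(self, pkt):
        # Permit and remember the exact reverse 5-tuple.
        self.reverse_entries.add((pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport))
        return True

    def inbound(self, pkt):
        return (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport) in self.reverse_entries


def demo():
    # Constructed traffic.
    outbound_http = Packet(INSIDE, OUTSIDE, "tcp", 40000, 80)
    http_reply    = Packet(OUTSIDE, INSIDE, "tcp", 80, 40000, ack=True)
    # Unrelated host sending a segment with the ACK bit set and no prior flow.
    unsolicited   = Packet("198.51.100.9", INSIDE, "tcp", 4444, 40000, ack=True)
    # Active-mode FTP data connection: the server opens a new TCP connection
    # (SYN, no ACK) from port 20 to a client port negotiated on the control channel.
    ftp_data_syn  = Packet(OUTSIDE, INSIDE, "tcp", 20, 40002)
    dns_reply     = Packet(OUTSIDE, INSIDE, "udp", 53, 40001)

    stateless = {
        "http_reply":   stateless_inbound_permit(http_reply),
        "unsolicited":  stateless_inbound_permit(unsolicited),   # ACK bit set -> let through
        "ftp_data_syn": stateless_inbound_permit(ftp_data_syn),
        "dns_reply":    stateless_inbound_permit(dns_reply),
    }

    rf = ReflexiveFilter()
    rf.outbound(outbound_http)
    rf.outbound(Packet(INSIDE, OUTSIDE, "tcp", 40003, 21))   # FTP control channel
    reflexive = {
        "http_reply":   rf.inbound(http_reply),
        "unsolicited":  rf.inbound(unsolicited),    # no reverse entry -> denied
        "ftp_data_syn": rf.inbound(ftp_data_syn),   # no entry for port 20 -> denied
        "dns_reply":    rf.inbound(dns_reply),      # no outbound UDP flow seen -> denied
    }
    return stateless, reflexive


if __name__ == "__main__":
    for name, result in zip(("stateless 'established'", "reflexive"), demo()):
        print(name, result)
```

The 'established' filter lets the unsolicited segment through because a flag bit is all it can check; the reflexive filter drops it, but also drops the active-FTP data connection, which is the trade-off the list above describes.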

It means we cannot say that routers are packet filtering firewalls.

Because if we are allowing http access from some source to destination in the router access-list, the access will be permitted.

My actual doubt was why we are calling routers packet filtering firewalls.

Sorry for confusing-

We can definitely say routers (can act as) packet filtering firewalls. This is exactly what access-lists do. Please see the following link for a definition of packet-filtering firewalls:

http://en.wikipedia.org/wiki/Firewall

Regards

Farrukh

This is confusing---

In a router access-list we can type

ip access-list extended test
 permit tcp host 10.1.1.1 host 20.1.1.1 eq www

which will allow http access, which is an Application layer protocol. It means the router can open the whole packet till the application layer and can see that http access is needed. Then how are we saying routers are packet filtering firewalls (packet filtering firewalls can see the information of Layer-3 and Layer-4 protocols only)?

All the router is doing is looking at the layer 4 TCP segment and checking if the destination port is 80 (HTTP). It's not going into the higher layers and inspecting the nitty gritty details of the HTTP protocol itself, e.g. URL/host/encoding/content-type etc. You have to remember that the OSI model is merely a 'logical' model. Don't think too hard about it :). I would highly recommend reading the Douglas Comer TCP/IP book. It would help you build these basic concepts.

Regards

Farrukh
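The point in the reply above, that the 'www'/'http' keyword in an ACL is nothing more than a check of the TCP destination port, can be shown with an added Python example (written for this page; not Cisco code and not from the original thread). It constructs raw IPv4+TCP packets, evaluates the equivalent of "permit tcp host 10.1.1.1 host 20.1.1.1 eq www" against only the layer-3/4 header fields, and then separately looks at the payload the way application-layer inspection would have to. The addresses, ports and payload bytes are constructed for the demo.

```python
import struct

TCP = 6
WWW = 80   # IOS resolves the www/http port keyword to TCP port 80


def build_packet(src, dst, sport, dport, payload, flags=0x18):
    """Construct a minimal IPv4+TCP packet for the demo. Checksums are left
    zero: the filter never validates them, it only reads header fields."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64,
                         TCP, 0, bytes(map(int, src.split("."))),
                         bytes(map(int, dst.split("."))))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload


def parse_l3_l4(raw):
    """Extract only the fields a packet filter compares: L3 addresses and
    protocol, L4 ports. Everything after the TCP header is ignored."""
    ihl = (raw[0] & 0x0F) * 4
    proto = raw[9]
    src = ".".join(map(str, raw[12:16]))
    dst = ".".join(map(str, raw[16:20]))
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    return src, dst, proto, sport, dport


def acl_test_permits(raw):
    """Equivalent of:  permit tcp host 10.1.1.1 host 20.1.1.1 eq www
    followed by the implicit deny at the end of every ACL."""
    src, dst, proto, _sport, dport = parse_l3_l4(raw)
    return proto == TCP and src == "10.1.1.1" and dst == "20.1.1.1" and dport == WWW


def looks_like_http_request(payload):
    """What application-layer inspection would additionally have to do:
    parse the payload. Deliberately minimal: request line only."""
    line = payload.split(b"\r\n", 1)[0]
    parts = line.split(b" ")
    return len(parts) == 3 and parts[2].startswith(b"HTTP/1.") and parts[0].isupper()


def demo():
    cases = {
        "http_to_80":      build_packet("10.1.1.1", "20.1.1.1", 40000, 80,
                                        b"GET / HTTP/1.1\r\nHost: 20.1.1.1\r\n\r\n"),
        # Constructed non-HTTP bytes sent to port 80: the ACL still calls it 'http'.
        "garbage_to_80":   build_packet("10.1.1.1", "20.1.1.1", 40001, 80,
                                        b"\x16\x03\x01\x00\x2a\x01\x00\x00"),
        # A genuine HTTP request to port 8080 is denied by the same ACL.
        "http_to_8080":    build_packet("10.1.1.1", "20.1.1.1", 40002, 8080,
                                        b"GET / HTTP/1.1\r\n\r\n"),
        # Right ports, wrong source address: implicit deny.
        "other_src_to_80": build_packet("10.1.1.2", "20.1.1.1", 40003, 80,
                                        b"GET / HTTP/1.1\r\n\r\n"),
    }
    # (ACL decision on headers only, whether the payload is actually HTTP)
    return {name: (acl_test_permits(raw), looks_like_http_request(raw[40:]))
            for name, raw in cases.items()}


if __name__ == "__main__":
    for name, (acl, l7) in demo().items():
        print(f"{name:16} ACL permit={acl!s:5} payload looks like HTTP={l7}")
```

The two columns disagree exactly where a packet filter and an application-aware inspection differ: the ACL permits arbitrary bytes on port 80 and denies a real HTTP request on port 8080, because it never reads past the TCP header.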
