12-14-2008 10:01 PM - edited 03-11-2019 07:25 AM
Hi Team,
One small query--
I have read somewhere that routers are packet filtering firewalls (which can process the traffic at Layer-3 and Layer-4), but when we configure access-lists in routers, we can even mention the upper layer protocols (http, ftp) in the access-lists. Then how will the router process the packets of upper layer protocols if the router is acting as a packet filtering firewall?
12-14-2008 10:39 PM
Cisco routers have multiple solutions to provide access control. The following is their list:
1) Access-lists (Stateless Packet Filter)
- easier to fool/spoof/compromise
- very difficult to manage
- stateless, except some features like the 'established' keyword that provide pseudo-stateful behavior.
2) Reflexive ACLs (Stateful Filter without Application Inspection/Handling)
- pretty easy to implement
- less control on what to filter
- break for most dynamic applications like multimedia, active ftp etc.
3) CBAC (Stateful filter - Now called the classic firewall)
4) Zone-based Firewall (Stateful filter with enhanced zoning support)
As per your question, even ACLs have limited visibility into upper layer protocols now. But that is limited. As technologies grow, the line between stateful/stateless starts to blur a little bit.
Regards
Farrukh
12-14-2008 11:22 PM
It means we cannot say that routers are packet filtering firewalls.
Because if we are allowing http access from some source to destination in the router access-list, the access will be permitted.
My actual doubt was why we are calling routers packet filtering firewalls.
Sorry for confusing-
12-15-2008 01:32 AM
We can definitely say routers (can act as) packet filtering firewalls. This is exactly what access-lists do. Please see the following link for a definition of packet-filtering firewalls:
http://en.wikipedia.org/wiki/Firewall
Regards
Farrukh
12-15-2008 03:31 PM
This is confusing---
In a router access-list we can type
ip access-list extended test
permit tcp host 10.1.1.1 host 20.1.1.1 eq www
which will allow http access, which is an Application layer protocol. It means the router can open the whole packet up to the application layer and can see that http access is needed. Then how are we saying routers are packet filtering firewalls (packet filtering firewalls can see the information of Layer-3 and Layer-4 protocols only)?
12-15-2008 10:36 PM
All the router is doing is looking at the layer 4 TCP segment and checking if the destination port is 80 (HTTP). It's not going into the higher layers and inspecting the nitty gritty details of the HTTP protocol itself, e.g. URL/host/encoding/content-type etc. You have to remember that the OSI model is merely a 'logical' model. Don't think too hard about it :). I would highly recommend reading the Douglas Comer TCP/IP book. It would help you build these basic concepts.
Regards
Farrukh
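The point made in this last reply (the ACL only checks the TCP destination port, never the HTTP payload) and the 'established' keyword mentioned in the first reply (pseudo-stateful matching on TCP flags) can both be seen in a small simulation. The following Python is an added example, not code from the thread or from Cisco IOS: it builds constructed IPv4/TCP packets, parses only the L3/L4 header fields, and evaluates a stateless ACL against them. The entry names, the `AclEntry` class and the `evaluate` function are assumptions made for this illustration; `eq www` is modelled as `dport=80`, and `established` as "ACK or RST bit set", which is how IOS documents that keyword.

```python
"""Simulated stateless router ACL: decisions come from L3/L4 header fields only."""
import struct
from dataclasses import dataclass
from typing import Optional

TCP_SYN = 0x02
TCP_RST = 0x04
TCP_ACK = 0x10
PROTO_NUM = {"tcp": 6, "udp": 17}


@dataclass
class AclEntry:
    """One line of an extended ACL (hypothetical model of the IOS syntax)."""
    action: str                    # "permit" or "deny"
    proto: str                     # "ip" (any), "tcp" or "udp"
    src: str                       # host address or "any"
    dst: str                       # host address or "any"
    dport: Optional[int] = None    # e.g. 80 for "eq www"
    established: bool = False      # IOS 'established': match only if ACK or RST is set


def build_ipv4_tcp(src, dst, sport, dport, flags, payload=b""):
    """Constructed test packet: minimal IPv4 + TCP headers, checksums left at zero."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    total_len = 20 + 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0, src_b, dst_b)
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload


def parse_headers(packet):
    """Read only the IP and TCP headers; the payload bytes are never looked at."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    hdr = {"proto": proto, "src": src, "dst": dst, "sport": None, "dport": None, "flags": 0}
    if proto == PROTO_NUM["tcp"]:
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        hdr.update(sport=sport, dport=dport, flags=packet[ihl + 13])
    return hdr


def entry_matches(entry, hdr):
    if entry.proto != "ip" and PROTO_NUM[entry.proto] != hdr["proto"]:
        return False
    if entry.src != "any" and entry.src != hdr["src"]:
        return False
    if entry.dst != "any" and entry.dst != hdr["dst"]:
        return False
    if entry.dport is not None and hdr["dport"] != entry.dport:
        return False
    if entry.established and not (hdr["flags"] & (TCP_ACK | TCP_RST)):
        return False
    return True


def evaluate(acl, packet):
    """First matching entry wins; return (action, entry index) or ("deny", None)."""
    hdr = parse_headers(packet)
    for index, entry in enumerate(acl):
        if entry_matches(entry, hdr):
            return entry.action, index
    return "deny", None  # implicit deny at the end of every IOS ACL


# Model of: permit tcp host 10.1.1.1 host 20.1.1.1 eq www / permit tcp any any established
ACL = [
    AclEntry("permit", "tcp", "10.1.1.1", "20.1.1.1", dport=80),
    AclEntry("permit", "tcp", "any", "any", established=True),
]

if __name__ == "__main__":
    web = build_ipv4_tcp("10.1.1.1", "20.1.1.1", 40000, 80, TCP_SYN, b"GET / HTTP/1.1\r\n")
    not_web = build_ipv4_tcp("10.1.1.1", "20.1.1.1", 40000, 80, TCP_SYN, b"SSH-2.0-OpenSSH\r\n")
    print(evaluate(ACL, web), evaluate(ACL, not_web))  # both permitted: payload is not inspected
```

Running it shows that a packet to port 80 carrying something other than HTTP is permitted by the same entry as a real HTTP request, because the filter stops at the TCP header; that is exactly why this is classed as packet filtering rather than application inspection. The `established` entry lets a SYN/ACK reply through but not a bare SYN, which is the whole extent of the "pseudo-stateful" behaviour: it reads flags on each packet in isolation and keeps no connection table.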