Use firewall or Router for network security

mbroberson1 · ‎10-22-2009

Say you were asked the following question.

Should we use a Firewall (ASA), or Router (such as one with firewall feature set) for security between two company networks. And what is the difference in using one over the other and benefits/cons? I have what I think is the answer I just want to see what the experts say...;-).

Panos Kampanakis · ‎10-22-2009

ASA is your answer!

The ASA was built as a firewall. The Router was built as a router and the FW functionality came after.

There are multiple differences in the implementation, the features and the functionality of the 2. We are talking about two different beasts. Efficiency, performance and functions I could say are much better on the ASA compared to IOS. ZBF on the router is also harder to manage and follow.

I would definitely use an ASA for firewalling instead of a router, if I could afford having one.

I hope it helps.

PK

mbroberson1 · ‎10-22-2009

Thanks PK for your response,

Between just basic packet filtering (router vs. ASA) with ACL's can you describe the main difference if any.

Thanks

Panos Kampanakis · ‎10-22-2009

If you only want to use ACLs there aren't many differences.

There are ACL size and performance differences but for real world ACLs (not huge) both are mostly doing the same job. There is a difference that IOS added object groups recently and there are slight differences. But more or less if you just want to use ACLs both will do the same job.

PK

Panos Kampanakis · ‎10-22-2009

Note that the ASA even with ACLs is smart enough to open return traffic whereas the router checks everything on ACLs if you are not using stateful inspections.

PK

Jon Marshall · ‎10-22-2009

Brandon

Just to put another point of view.

I generally agree with Panos when he says an ASA is the way to go but it is not always that cut and dried. A router comes with a lot more features than an ASA. There is an argument that says the less features the better in terms of bugs in code etc. and there is some truth in this.

But what happens if among your criteria for the device apart from firewalling you needed BGP support and a full QOS feature set. Or you need to terminate a non ethernet connection straight into your firewall. Or you want your firewall to also support MPLS. Then a router is a more logical choice. And yes you could argue for separate devices if you need BGP/full QOS etc. but sometimes the budget just isn't there.

If it is just firewalling then as Panos says ASA is way to go but there can be other considerations.

Jon

cisco24x7 · ‎10-22-2009

Another thing to consider is that with IOS router, you CAN terminate GRE and IPSec on the same device whereas with ASA you can not terminate GRE on the ASA.

If you're looking for just VPN, then IOS offers much more flexibilities than ASA.

my 2c.

Jon Marshall · ‎10-22-2009

Brandon

Just a final point which i forgot to mention.

I have seen a fair few questions on NetPro asking how to send some traffic one way and other traffic another way on an ASA. And it's not possible because the ASA does not support PBR (Policy Based Routing).

This i think is one of the more common things that people want to do with their firewall that would dictate using a router.

Jon