
New Member

Regarding Packet Filtering Firewall using Router

Hi Team,

One small query--

I have read somewhere that routers are packet filtering firewalls (which can process the traffic at Layer 3 and Layer 4), but when we configure access-lists in routers, we can even mention the upper layer protocols (HTTP, FTP) in the access-lists. Then how will the router process the packets of upper layer protocols if the router is acting as a packet filtering firewall?

5 REPLIES

Re: Regarding Packet Filtering Firewall using Router

Cisco routers have multiple solutions to provide access control. The following is their list:

1) Access-lists (Stateless Packet Filter)

easier to fool/spoof/compromise

very difficult to manage

stateless, except for some features like the 'established' keyword that provide pseudo-stateful behavior.

2) Reflexive ACLs (Stateful Filter without Application Inspection/Handling)

pretty easy to implement

less control on what to filter

break for most dynamic applications like multimedia, active FTP, etc.

3) CBAC (Stateful filter - Now called the classic firewall)

4) Zone-based Firewall (Stateful filter with enhanced zoning support)

As per your question, even ACLs have limited visibility into upper layer protocols now. But that is limited. As technologies grow, the line between stateful/stateless starts to blur a little bit.

Regards

Farrukh

New Member

Re: Regarding Packet Filtering Firewall using Router

It means we cannot say that routers are packet filtering firewalls.

Because if we are allowing HTTP access from some source to destination in the router access-list, the access will be permitted.

My actual doubt was why we are calling routers packet filtering firewalls.

Sorry for the confusion.

Re: Regarding Packet Filtering Firewall using Router

We can definitely say routers (can act as) packet filtering firewalls. This is exactly what access-lists do. Please see the following link for a definition of packet-filtering firewalls:

http://en.wikipedia.org/wiki/Firewall

Regards

Farrukh

New Member

Re: Regarding Packet Filtering Firewall using Router

This is confusing---

In a router access-list we can type

ip access-list extended test
 permit tcp host 10.1.1.1 host 20.1.1.1 eq www

which will allow HTTP access, which is an Application layer protocol. It means the router can open the whole packet up to the application layer and can see that HTTP access is needed. Then how are we saying routers are packet filtering firewalls (the packet filtering firewalls can see the information of Layer 3 and Layer 4 protocols only)?

Re: Regarding Packet Filtering Firewall using Router

All the router is doing is looking at the layer 4 TCP segment and checking if the destination port is 80 (HTTP). It's not going into the higher layers and inspecting the nitty gritty details of the HTTP protocol itself, e.g. URL/host/encoding/content-type etc. You have to remember that the OSI model is merely a 'logical' model. Don't think too hard about it :). I would highly recommend reading the Douglas Comer TCP/IP book. It would help you build these basic concepts.

Regards

Farrukh
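As an added illustration (not part of the thread), here is a small Python model of the stateless ACL matching described in the replies above: an entry is compared against protocol, hosts, destination port and, for the 'established' keyword, the TCP ACK/RST flags, and the payload is never read. So an HTTP request sent to port 8080 is denied while a non-HTTP payload sent to port 80 is permitted, and an ACK-flagged packet passes 'established' without any session existing. The addresses, rules and packets are constructed.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                           # "tcp" or "udp"
    dport: int
    flags: FrozenSet[str] = frozenset()  # TCP flags, e.g. {"SYN"} or {"ACK"}
    payload: bytes = b""                 # carried along but never read by the filter
@dataclass(frozen=True)
class Ace:
    action: str                          # "permit" or "deny"
    proto: str                           # "ip", "tcp" or "udp"
    src: str                             # "any" or a single host address
    dst: str
    dport: Optional[int] = None          # the 'eq <port>' part
    established: bool = False            # the 'established' keyword

def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto not in ("ip", pkt.proto) or ace.src not in ("any", pkt.src) or ace.dst not in ("any", pkt.dst):
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    # 'established' only tests that ACK or RST is set; there is no connection table,
    # which is why the thread calls it pseudo-stateful rather than stateful.
    if ace.established and not (pkt.flags & {"ACK", "RST"}):
        return False
    return True

def evaluate(acl: List[Ace], pkt: Packet) -> str:
    for ace in acl:                      # first matching entry wins
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"                        # implicit deny at the end of every IOS ACL

# Constructed ACL: 'permit tcp host 10.1.1.1 host 20.1.1.1 eq www' then 'permit tcp any host 10.1.1.1 established'.
ACL = [Ace("permit", "tcp", "10.1.1.1", "20.1.1.1", dport=80),
       Ace("permit", "tcp", "any", "10.1.1.1", established=True)]
def demo() -> Dict[str, str]:
    # Constructed packets: the payload varies, only the headers decide the verdict.
    syn, ack = frozenset({"SYN"}), frozenset({"ACK"})
    return {
        "http_on_80": evaluate(ACL, Packet("10.1.1.1", "20.1.1.1", "tcp", 80, syn, b"GET / HTTP/1.1")),
        "non_http_on_80": evaluate(ACL, Packet("10.1.1.1", "20.1.1.1", "tcp", 80, syn, b"SSH-2.0-OpenSSH")),
        "http_on_8080": evaluate(ACL, Packet("10.1.1.1", "20.1.1.1", "tcp", 8080, syn, b"GET / HTTP/1.1")),
        "inbound_ack": evaluate(ACL, Packet("20.1.1.1", "10.1.1.1", "tcp", 40000, ack)),  # no session check
        "inbound_syn": evaluate(ACL, Packet("20.1.1.1", "10.1.1.1", "tcp", 40000, syn)),
    }
```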
