Thoughts on how I could improve my network security?
-
@dave247 said in Thoughts on how I could improve my network security?:
If I said that a switch and router are the same thing, people would be quick to correct me because they are not the same thing.
But an L3 switch and a router ARE the same things. This is not even like the router and firewall piece where it is two parts of the same device that always get merged even when the functionality isn't technically synonymous. But L3 Switch and Router are literally two words for the same thing.
Even the general term "switch" is just short for "multi-port bridge." There was a time when we had both L2 and L3 switches, but the term switch didn't exist yet.
-
@dave247 said in Thoughts on how I could improve my network security?:
How about if I start calling the switch a server? I wouldn't, because it's not correct.
Depends on the implication. It's not a general purpose server, which is what most people use that term to mean. But is it a DHCP server? Absolutely.
-
There are places where router and firewall merge and can't be pulled apart - and that is NAT. A NAT translation is assumed to be part of the routing functions, but is a firewall. NAT literally makes the router and the firewall be the same component and function. Of course, in theory, you can have a router that doesn't do NAT, but in the real world, no one has made one since the early 1990s, and maybe not even then.
-
@scottalanmiller said in Thoughts on how I could improve my network security?:
There are places where router and firewall merge and can't be pulled apart - and that is NAT. A NAT translation is assumed to be part of the routing functions, but is a firewall. NAT literally makes the router and the firewall be the same component and function. Of course, in theory, you can have a router that doesn't do NAT, but in the real world, no one has made one since the early 1990s, and maybe not even then.
Exactly. When packets reach the NAT and have nowhere to go, they get dropped. That's firewall.
-
@dave247 I totally get your point that in most cases, routers and firewalls are different aspects of the device. And that is good for everyone to understand. But it is also important, I'd say far more important, for everyone to understand that in the real world, and for all utility even in the theoretical world, you can't have a router that isn't a firewall and anything that is a firewall can be a router.
It's less important that people understand that L3 Switches are always routers, but it is the same concept. If someone asks if you have a router in between point A and B and all you have there is an L3 switch, your answer is "yes".
The reason that it is more important that people understand that router always means firewall and firewall always means router (at least optionally) is because there is a new epidemic of people thinking firewall means something totally different and crazy things are being thought now - where people actually think that they have routers that aren't firewalls.
-
The key reason that we state that firewalls and routers are one and the same is because the one thing that is most important is that no one come away thinking that there is a router that isn't a firewall. The terms are literally used interchangeably to the point that you never know what someone means when they say one or the other. There is value to understanding every aspect of how they are different aspects of the same device - but you can't risk someone thinking that you can have a non-firewall router in order to do that. And the problem is, anyone that needs this explained is at risk of that confusion. So being over the top about how much they are one and the same, and downplaying how they are two different aspects, is important because anyone in the position of needing this explained only needs to know that the terms are interchangeable for all intents and purposes. By knowing that, and not knowing that they are different aspects, they are perfectly functional. But if they only learn that they are different aspects, they've not learned the one thing that they need to know.
So to protect people from confusion and not knowing how to protect themselves, we state it in that way. Specifically to avoid confusion where it is most likely, and most dangerous.
-
@scottalanmiller said in Thoughts on how I could improve my network security?:
Basically, I see "IT Advice" as defining "what good looks like" so that we have a bar against which to measure, because we can't look at real world businesses, as they rarely do things well.
I like the term "what good looks like" a lot, it's a good way to discuss things.
I'm still learning "what good looks like" for many things, since over the last couple of years I've discovered I'm in an environment of terrible-but-sort-of-functions.
-
@scottalanmiller said in Thoughts on how I could improve my network security?:
The key reason that we state that firewalls and routers are one and the same is because the one thing that is most important is that no one come away thinking that there is a router that isn't a firewall. The terms are literally used interchangeably to the point that you never know what someone means when they say one or the other.
Then this is part of the problem. Why not refer to them as router/firewalls or something more reasonable? If I said, "I'm going into the firewall to program these static routes", it wouldn't sound right.
So to protect people from confusion and not knowing how to protect themselves, we state it in that way. Specifically to avoid confusion where it is most likely, and most dangerous.
Yet it has caused confusion.
-
@tim_g said in Thoughts on how I could improve my network security?:
@scottalanmiller said in Thoughts on how I could improve my network security?:
There are places where router and firewall merge and can't be pulled apart - and that is NAT. A NAT translation is assumed to be part of the routing functions, but is a firewall. NAT literally makes the router and the firewall be the same component and function. Of course, in theory, you can have a router that doesn't do NAT, but in the real world, no one has made one since the early 1990s, and maybe not even then.
Exactly. When packets reach the NAT and have nowhere to go, they get dropped. That's firewall.
Yeah, NAT is also not the firewall.
-
@scottalanmiller said in Thoughts on how I could improve my network security?:
@dave247 I totally get your point that in most cases, routers and firewalls are different aspects of the device. And that is good for everyone to understand. But it is also important, I'd say far more important, for everyone to understand that in the real world, and for all utility even in the theoretical world, you can't have a router that isn't a firewall and anything that is a firewall can be a router.
It's less important that people understand that L3 Switches are always routers, but it is the same concept. If someone asks if you have a router in between point A and B and all you have there is an L3 switch, your answer is "yes".
The reason that it is more important that people understand that router always means firewall and firewall always means router (at least optionally) is because there is a new epidemic of people thinking firewall means something totally different and crazy things are being thought now - where people actually think that they have routers that aren't firewalls.
Ok I'm glad you get my point. This whole argument (just like many others on here and on SpiceWorks) has ultimately come down to semantics.
-
@dave247 said in Thoughts on how I could improve my network security?:
@scottalanmiller said in Thoughts on how I could improve my network security?:
The key reason that we state that firewalls and routers are one and the same is because the one thing that is most important is that no one come away thinking that there is a router that isn't a firewall. The terms are literally used interchangeably to the point that you never know what someone means when they say one or the other.
Then this is part of the problem. Why not refer to them as router/firewalls or something more reasonable? If I said, "I'm going into the firewall to program these static routes", it wouldn't sound right.
I agree, it sounds odd. BUT, I think it is done. People who have UTMs, say a Palo Alto, will often say that they are putting routes into their UTM or into their firewall. The issue is that people think of those only as firewalls, but they are routers as much as any other router, too.
-
@dave247 said in Thoughts on how I could improve my network security?:
@tim_g said in Thoughts on how I could improve my network security?:
@scottalanmiller said in Thoughts on how I could improve my network security?:
There are places where router and firewall merge and can't be pulled apart - and that is NAT. A NAT translation is assumed to be part of the routing functions, but is a firewall. NAT literally makes the router and the firewall be the same component and function. Of course, in theory, you can have a router that doesn't do NAT, but in the real world, no one has made one since the early 1990s, and maybe not even then.
Exactly. When packets reach the NAT and have nowhere to go, they get dropped. That's firewall.
Yeah, NAT is also not the firewall.
But it is. NAT is a form of firewall. You can't NAT without firewall. But you also can't NAT without router. It's where the two are forced to overlap.
-
@scottalanmiller said in Thoughts on how I could improve my network security?:
@dave247 said in Thoughts on how I could improve my network security?:
@tim_g said in Thoughts on how I could improve my network security?:
@scottalanmiller said in Thoughts on how I could improve my network security?:
There are places where router and firewall merge and can't be pulled apart - and that is NAT. A NAT translation is assumed to be part of the routing functions, but is a firewall. NAT literally makes the router and the firewall be the same component and function. Of course, in theory, you can have a router that doesn't do NAT, but in the real world, no one has made one since the early 1990s, and maybe not even then.
Exactly. When packets reach the NAT and have nowhere to go, they get dropped. That's firewall.
Yeah, NAT is also not the firewall.
But it is. NAT is a form of firewall. You can't NAT without firewall. But you also can't NAT without router. It's where the two are forced to overlap.
Oh right... forgot about the base NAT policies. I was wrong there.
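The behaviour the NAT posts above describe (a reply that matches a translation entry is rewritten and forwarded, while an unsolicited inbound packet has no entry to translate to and is dropped) can be shown with a toy stateful source-NAT (PAT) table. This is an added illustration, not code from any of the posters; the addresses are from the RFC 5737 documentation ranges and the port-allocation scheme, the endpoint-dependent (symmetric) mapping, and the class and function names are all assumptions made for the example. Real NAT implementations differ in how strictly they match inbound packets (a full-cone NAT accepts any remote host on a mapped port) and a static 1:1 NAT or port forward deliberately opens a path, so the implicit drop is a side effect of the translation table rather than a substitute for explicit policy.

```python
"""Toy stateful source NAT (port address translation).

Added example. Models the point made in the thread: a NAT router must
route (rewrite and forward packets between LAN and WAN) and, as a side
effect of keeping a translation table, it also filters: an inbound packet
that matches no entry has nowhere to go and is dropped.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NatRouter:
    # Assumed public address of the router (RFC 5737 TEST-NET-3).
    WAN_IP = "203.0.113.10"
    FIRST_WAN_PORT = 40000  # assumed start of the ephemeral PAT range

    def __init__(self):
        self.next_port = self.FIRST_WAN_PORT
        # (lan_ip, lan_port, remote_ip, remote_port, proto) -> wan_port
        self.outbound = {}
        # (wan_port, remote_ip, remote_port, proto) -> (lan_ip, lan_port)
        # Keying on the remote endpoint makes this an endpoint-dependent
        # ("symmetric") mapping, the strictest common NAT behaviour.
        self.inbound = {}
        self.dropped = []

    def lan_to_wan(self, pkt):
        """Routing direction: rewrite the LAN source to the WAN address,
        creating a translation entry on first use."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        wan_port = self.outbound.get(key)
        if wan_port is None:
            wan_port = self.next_port
            self.next_port += 1
            self.outbound[key] = wan_port
            self.inbound[(wan_port, pkt.dst_ip, pkt.dst_port, pkt.proto)] = (
                pkt.src_ip,
                pkt.src_port,
            )
        return Packet(self.WAN_IP, wan_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def wan_to_lan(self, pkt):
        """Return direction: only packets with a matching entry are
        translated back to a LAN host; anything else is dropped. No
        explicit firewall rule is involved, there is simply no destination."""
        key = (pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        target = self.inbound.get(key)
        if target is None:
            self.dropped.append(pkt)
            return None
        lan_ip, lan_port = target
        return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port, pkt.proto)


def run_demo():
    """Constructed traffic: one outbound session, its reply, and an
    unsolicited inbound probe. Returns (forwarded, dropped) counts."""
    nat = NatRouter()
    forwarded = 0

    # LAN host opens an HTTPS connection to a remote server (constructed).
    out = nat.lan_to_wan(Packet("192.168.1.20", 51515, "198.51.100.5", 443))
    assert out.src_ip == NatRouter.WAN_IP
    forwarded += 1

    # The server's reply matches the table and is translated back.
    reply = nat.wan_to_lan(Packet("198.51.100.5", 443, NatRouter.WAN_IP, out.src_port))
    assert reply is not None and reply.dst_ip == "192.168.1.20"
    forwarded += 1

    # An unrelated host probes port 22 on the WAN address: no entry, dropped.
    probe = nat.wan_to_lan(Packet("198.51.100.99", 12345, NatRouter.WAN_IP, 22))
    assert probe is None

    return forwarded, len(nat.dropped)


if __name__ == "__main__":
    print("forwarded=%d dropped=%d" % run_demo())
```

The second call to `wan_to_lan` succeeds only because the outbound packet created the entry first; reorder the two calls and the "reply" is dropped too, which is exactly why a plain NAT router blocks inbound connections to LAN hosts while still being, in every other respect, a router.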