Routers Vs. Firewall
-
@scottalanmiller said in Routers Vs. Firewall:
@carnival-boy said in Routers Vs. Firewall:
Yes, but a device that is both a router and a firewall does not mean that a router is a firewall (and vice versa)....
In the real world, every router is a firewall and every firewall is a router. You can't find one that isn't the other. We understand that theoretically you can build something that is one and not the other, but they don't really exist.
But not every router implementation utilizes the functionality of the firewall. In that case it would be inaccurate to call the device a firewall because that isn't what it is doing.
-
@kelly said in Routers Vs. Firewall:
But not every router implementation utilizes the functionality of the firewall. In that case it would be inaccurate to call the device a firewall because that isn't what it is doing.
Is that true? That gets a bit more murky. If the firewall is there and just wide open, is it not still there? Does a router stop being a router when it loses power? In a sense, yes. But it's not the generally accepted use of the terminology. Something is a router or a firewall because of what it can do, not because of what it is doing at the moment.
E.g. I can still call the spare SonicWall on the shelf a router, even when not plugged in and actively routing.
-
@kelly
Wouldn't a layer 3 switch be considered a pure router (and switch) but not a firewall? -
@pete-s said in Routers Vs. Firewall:
@kelly
Wouldn't a layer 3 switch be considered a pure router (and switch) but not a firewall?It really depends on the breadth of the definition. @scottalanmiller appears to be arguing that if a device has any type of firewall functionality it should be classified as a firewall. I would personally prefer to classify a device by what it does as a primary role in the organization. If the device handles primarily routing then it is a router. If it handles switching primarily it is a switch. If it handles edge protection then it is a firewall.
-
@pete-s said in Routers Vs. Firewall:
@kelly
Wouldn't a layer 3 switch be considered a pure router (and switch) but not a firewall?An L3 is a "multi-port" router, that's correct. And it is a switch (presumably.) But I've never heard of an L3 switch / multi-port router that had zero firewall functionality. Again, it can exist. But to the best of my knowledge, none does. It's purely a theoretical case to have an L3 switch without any security mechanisms.
-
@kelly said in Routers Vs. Firewall:
I would personally prefer to classify a device by what it does as a primary role in the organization. If the device handles primarily routing then it is a router.
In a situation like this, obviously is someone disabled one function or another, it would be pretty clear how it would fit your definition. But once they do both, and essentially all orgs use them for both, how do you quantify "how much" of each task they do since each task is so different?
Is the ocean more wet or more blue? You can't compare a quantity of wet to a quantity of a colour. Just as a quantity of routing (measured in routes, packets, etc.?) can't be compared against a quantity of firewall rules. They simply aren't comparable.
But even then, under this definition, a product could never be sold as a router, firewall, or UTM. They'd all have to be sold as "mysterious boxes, to be discovered when used" as you couldn't call it anything, as there is no generic term for a blank box of that nature, until you were able to determine its primary role. And if it heavily did many things, you'd run into problems.
......
-
Imagine how "only the primary function" rule would apply....
Auditor: "We require that your network be firewalled, do you firewall your traffic?"
IT: "Yes, we do."
Auditor: "Okay, good, show me your firewall."
IT: "We don't have a firewall."You'd have your business unable to use basic terms, because by combining things, and not being able to call it by a non-primary identity, you loose the ability to claim that you have that identity.
Because while they are "roles", they are also identities. Like male and 42. I'm 100% male and 100% 42. You can't measure an amount of one versus the other. Nor does being one stop me being the other, in any way.
-
Think of the physical device that does routing, firewalling, UTM, etc. as a "network server." Now treat it like any other server. If you put AD and File Services on a single VM, you don't start saying you don't have AD just because the VM is used for file services "more often" than it is used for AD. You say you have an AD server and a file server. They are just the same VM.
Likewise, put a router VM onto a server. How do the rules of "primary use" affect that VM, the host that runs that VM, etc.
-
You went pretty fast up the hyperbole chain there @scottalanmiller. I don't think this discussion is helpful to continue with the ways you're choosing to discuss things.
-
@kelly said in Routers Vs. Firewall:
You went pretty fast up the hyperbole chain there @scottalanmiller. I don't think this discussion is helpful to continue with the ways you're choosing to discuss things.
It's not hyperbole, it's just common sense. You can't say a firewall isn't a firewall because you don't feel it does enough firewalling compared to routing. That's just silly.
Anything that you use to show why that's silly, will sound ridiculous, but it's a silly thing to have to explain. It's clearly not a viable way to name things.
A router is a router, no matter how much firewalling it does. It's status as a router is absolutely based on if it routes, not "if it does other things in some quantity."
Hyperbole would only apply if the silly examples were to some degree sillier than the original language. But they are not. The "I'm a man and I'm 42" is identical in every way to "it's a router and it is a firewall." Not in the slightest way exaggerated.
