Andy Ousterhout wrote:
> But I am getting the impression that router does not equal firewall.
> Routers do some things that a true firewall does, but not all. Is this
> correct?
Correct. The basic purpose of a router is to route traffic between different IP subnets. For that, it looks at just one thing: the destination IP address. Based on that IP address the packet is forwarded on the right interface. This is strictly an OSI layer 3 issue, and usually big routers communicate with each other using a whole slew of protocols to know which IP address needs to go to which interface.

The purpose of a firewall is to examine all traffic that tries to pass and block traffic that does not meet certain criteria. For this, firewalls look at many more parameters than just the IP addresses. For instance:

- source / destination IP (3)
- SYN flags (3)
- transport protocol (4)
- source / destination port number (5)
- protocol (6)
- content (7)

Numbers refer to the layer in the OSI model:
http://searchnetworking.techtarget.com/sDefinition/0,,sid7_gci523729,00.html

Nowadays, many routers have some or more of the features of firewalls, going up in the OSI layers, and sometimes firewalls have some of the features of routers. Most routers can also filter traffic based on the transport protocol or the port numbers. Most can also filter traffic based on the SYN flags (but to do this statefully can cost quite a bit of performance). So routers are getting more firewall capabilities, and if you look at high end routers (i.e. Cisco 6500) you can even get dedicated firewall modules for them. The high end firewalls can often do some tricks to direct traffic as well. For instance, they function as load balancers and route traffic to different servers.

The typical home appliance (Linksys etc.) can do static routing (a group of fixed IP addresses on one side, everything else on the other side), NAT, stateful filtering (it can distinguish between links originating from the inside and from the outside) and sometimes a little bit of static filtering (blocking specific ranges of ports / IP addresses).
The ones that are a bit higher end can also do address filtering so you can filter out msn.com for your children if you like (although I doubt it stops serious attempts). IMHO, for the home user that is enough. The security conscious home user would probably configure an extra layer behind such a device, but that layer can be very simple, i.e. some IPSec rules.

For professional use, the question is really what you need and what you want to spend. If you get a Cisco 6500 you can add firewall modules that can supposedly handle 5 Gbps each. It will nicely filter on OSI layer 3-5 for you. If you don't need that much throughput, a simple system running Linux/BSD can do pretty much the same. (The aforementioned Linksys probably runs Linux of some sort.) If you want to filter on protocol and content add a reverse proxy. If you choose the Linux/BSD option you can run that on the same machine. It is really up to your needs.

Jochem
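The router-versus-firewall distinction from the reply above, as an added Python example that is not part of the original thread: the router picks an interface from the destination address alone, while the stateful filter decides from addresses, ports, TCP flags and a connection table, so an inside host's outbound connection and its replies pass but an unsolicited inbound SYN is dropped. All addresses, routes and blocked ports are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed example data: inside subnet, routing table and static port filter.
INSIDE = ip_network("192.168.1.0/24")
ROUTES = [(ip_network("0.0.0.0/0"), "wan"), (ip_network("192.168.1.0/24"), "lan")]
BLOCKED_PORTS = {135, 137, 138, 139, 445}   # static filter on destination port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False


def route(dst: str) -> str:
    """Router decision: only the destination address matters (OSI layer 3).
    Longest matching prefix wins, so 192.168.1.x goes out 'lan', the rest 'wan'."""
    addr = ip_address(dst)
    matches = [(net.prefixlen, iface) for net, iface in ROUTES if addr in net]
    return max(matches)[1]


class StatefulFilter:
    """Firewall decision: addresses, ports, flags and connection state all count."""

    def __init__(self):
        self.table = set()   # known flows as (src, sport, dst, dport) tuples

    def decide(self, p: Packet) -> str:
        if p.dport in BLOCKED_PORTS:            # static port filter (layer 5 in the post)
            return "drop"
        if p.proto != "tcp":                    # layer 4: this toy only tracks TCP
            return "drop"
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.table or rev in self.table:
            return "allow"                      # belongs to an established conversation
        from_inside = ip_address(p.src) in INSIDE
        if p.syn and not p.ack and from_inside:
            self.table.add(fwd)                 # inside host opened a new connection
            return "allow"
        return "drop"                           # unsolicited SYN from outside, or stray packet
```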