CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.



#1 | 2008-03-03 | tohhwee72 (Junior Member)
replacing firewall with just router

Hi,

I got a customer that is planning to replace the function of the firewall with the ACL on Cisco routers. Their argument is that if they block access to the network elements at the border router from the external network, their equipment is safe.

Is this a good idea of perimeter security? They will be missing stateful inspection of traffic.

Can anyone provide a very good argument not to do such move?

Thanks a lot.
#2 | 2008-03-03 | Thorpuse (Senior Member)
Re: replacing firewall with just router

Use the house analogy - a $10 lock you buy at the hardware store will keep the door shut. But what they're losing is the swipe card, the security camera, the access log, the video camera and the alarm system to detect what's going on. As well as a much, much better lock....

If their equipment (and their data) is only worth a $10 lock, then that's their issue. I'd never sign off on that.

For more technical examples, think not just about stateful inspection, but authentication, logging, VPN access (both Site-Site and Remote Access) and any/all sorts of intrusion detection. Also it's well worth making the point that the majority of threats these days are *internal*, not external, so a perimeter security solution should work both ways. ACLs generally will only protect against external threats, although it depends on their network setup.
#3 | 2008-03-04 | Testing-123 (Senior Member)
Re: replacing firewall with just router

Hi tohhwee72,

I think Thorpuse has summed it up well.

In my opinion Cisco IOS is very advanced in routing/switching but not in security, as it was designed with the primary function of intelligently routing/switching and NOT securing. The security features we use, access-lists etc., are additions/benefits in my opinion. Although the crypto-based IOS that terminates VPN does look good.

Stateful inspection would definitely have to be the biggest convincer to purchase a firewall. Do you not use anti-spoofing? This is a good feature of Checkpoint firewalls in my opinion.

Interested to hear other views on this. I'm sure we'll all be asked this question once during our careers.

Regards
Testing-123
#4 | 2008-03-06 | tohhwee72 (Junior Member)
Re: replacing firewall with just router

Hi,

Thanks a lot for all the answers.

Somehow the customer (a mobile operator) thinks that their network should be like an ISP with big pipes, hence they want to remove the firewalls. The big router company is trying to sell them this concept of a service provider network. Personally, I don't think it is correct as they have to purchase their internet bandwidth from bandwidth providers and their internet bandwidth is much less than an ISP's.
#5 | 2008-03-07 | FDDIcent (Junior Member)
Re: replacing firewall with just router

For a SOHO, I've used a Cisco 871 with ACLs pretty effectively, and they can provide stateful inspection (IOS Firewall).

I wouldn't recommend this in an Enterprise environment for these reasons:

1. Defense in Depth. You should have a border router with ACLs on it AND a firewall, minimum.

2. Manageability. If you want to set up multiple DMZs, this is going to be a bit of a pain with ACLs. In this interface, out that, in that, out that.

3. Logs. Checkpoint in particular has really nice logs, and IOS logging for firewall events leaves a lot to be desired. I suppose if you syslogged into some third party aggregator it might be better.

4. IDS: If you're using SmartDefense, and planning on using the built-in IOS IDS, I've seen it reload routers a number of times.

That being said, I've used a 7204 as a L2L VPN head end (871s on the other side) and it rocked. No complaints for that.
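The gap the thread keeps coming back to, a stateless router ACL versus stateful inspection (FDDIcent's post) and the anti-spoofing feature Testing-123 mentions, as an added Python example. This is not code from the thread, from Check Point or from Cisco; the subnet, host addresses, interface names and packets are constructed, and the `stateless_acl` function mimics an "established"-style permit rule (any TCP segment with ACK set is let back in) rather than any real IOS syntax.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed topology for the example (hypothetical, not from the thread).
INSIDE_NET = ip_network("10.0.0.0/24")   # internal subnet behind the border
SMTP_SERVER = "10.0.0.25"                # published mail host reachable from outside


@dataclass(frozen=True)
class Packet:
    iface: str    # interface the packet ARRIVES on: "inside" or "outside"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool
    ack: bool


def stateless_acl(pkt: Packet) -> bool:
    """Mimic an inbound ACL on the border router's outside interface.

    Permit any segment with ACK set ('established' semantics) so replies to
    internal clients get back in, then permit the published SMTP server.
    The ACL keeps no memory, so it cannot tell a genuine reply from any
    other segment that merely carries the ACK flag.
    """
    if pkt.iface != "outside":
        return True                        # no inbound ACL on the inside interface
    if pkt.ack:
        return True                        # 'established' match
    return pkt.dst == SMTP_SERVER and pkt.dport == 25


class StatefulInspector:
    """Toy stateful firewall: connection table plus interface-based anti-spoofing."""

    def __init__(self) -> None:
        self.table: set[tuple[str, int, str, int]] = set()

    def check(self, pkt: Packet) -> tuple[bool, str]:
        src = ip_address(pkt.src)
        # Anti-spoofing: the source address must fit the interface it arrived on.
        if pkt.iface == "outside" and src in INSIDE_NET:
            return False, "anti-spoofing: internal source on outside interface"
        if pkt.iface == "inside" and src not in INSIDE_NET:
            return False, "anti-spoofing: external source on inside interface"

        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.table:
            return True, "reply to tracked connection"
        if key in self.table:
            return True, "part of tracked connection"
        if not (pkt.syn and not pkt.ack):
            return False, "no state and not a connection opener"
        # New connection: inside hosts may open outbound; outside may only reach the mail server.
        if pkt.iface == "inside" or (pkt.dst == SMTP_SERVER and pkt.dport == 25):
            self.table.add(key)
            return True, "new connection permitted by rule"
        return False, "new inbound connection denied"


def compare(packets: list[Packet]) -> list[tuple[bool, bool, str]]:
    """Run each packet through both filters: (acl_allowed, stateful_allowed, reason)."""
    fw = StatefulInspector()
    results = []
    for pkt in packets:
        allowed, reason = fw.check(pkt)
        results.append((stateless_acl(pkt), allowed, reason))
    return results


# Constructed sample traffic, in arrival order.
SAMPLE = [
    Packet("inside", "10.0.0.7", 40000, "203.0.113.10", 80, syn=True, ack=False),    # client opens a web session
    Packet("outside", "203.0.113.10", 80, "10.0.0.7", 40000, syn=True, ack=True),   # genuine SYN/ACK reply
    Packet("outside", "198.51.100.5", 40001, "10.0.0.50", 22, syn=False, ack=True),  # stray ACK, no session behind it
    Packet("outside", "10.0.0.9", 5555, SMTP_SERVER, 25, syn=True, ack=False),       # internal address arriving from outside
    Packet("outside", "198.51.100.7", 50000, SMTP_SERVER, 25, syn=True, ack=False),  # legitimate inbound SMTP
]

if __name__ == "__main__":
    for pkt, (acl, state, why) in zip(SAMPLE, compare(SAMPLE)):
        verdict = lambda ok: "permit" if ok else "deny"
        print(f"{pkt.iface:7} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  "
              f"ACL={verdict(acl)}  stateful={verdict(state)}  ({why})")
```

Packets 3 and 4 are where the two diverge: the ACL passes the stray ACK because the flag alone satisfies it, and passes the packet with an internal source address because nothing in the toy ACL ties addresses to interfaces, while the inspector denies both, the first for lack of a tracked connection and the second on the anti-spoofing check. A real router ACL can of course carry explicit deny lines for internal source ranges; the point of the example is that the firewall derives that check from its topology and keeps connection state, neither of which a per-packet list can do on its own.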