Firewall vs. Router? (Cisco guys, please read)

rjkirk
Okay, first of all, yes, I understand perfectly the difference between a firewall and a router. Here's the story:

I have to lay off my network admin. I'm not a Cisco guy, so I called a couple of IT consulting firms to get quotes on managed support. I have a Cisco 2811 managing persistent VPN connections to remote sales offices as well as the user VPN accounts. We've always used the built-in ACLs to restrict access to IPs and ports, do the NATing, etc., but this has always irked me a bit, as the device is not a true firewall like one from the ASA line, for example. I also have a couple of Barracudas behind the router, filtering spam and web content, both of which get updates.

So anyway, one IT firm says I need a dedicated firewall device ASAP. The other says "that's small business mentality"; what you have is perfect. Well, I know that at the university I worked at previously, we had a dedicated firewall. However, that was several years ago and obviously a much larger-scale environment. Could it really be that firewalls are obsolete? I started to doubt myself.

Furthermore I found this on the product page of the 2811:
http://www.cisco.com/en/US/products/ps5881/

Security
On-board encryption
Support of up to 1500 VPN tunnels with the AIM-EPII-PLUS Module
Antivirus defense support through Network Admission Control (NAC)
Intrusion Prevention as well as stateful Cisco IOS Firewall support and many more essential security features

Cisco guys: Does this thing have intrusion prevention / detection, deep packet inspection, and a stateful firewall? Or does it just "support" being around other Cisco devices that have these features?

And is the 2nd firm just blowing smoke? I have never heard that a dedicated firewall is small business mentality. If they are wrong, well that will make the selection quite easy I suppose.

Linux / OSS guys, don't comment and tell me to run iptables, please. I'm looking for managed support, not endless config files.
    Wizard-09

    Keep your system admin. You need a system admin. If you think you're going to save money, then you're wrong; wait until your network or something goes wrong, and your downtime will cost you. I would keep your system admin.

    rjkirk

    I'm not looking for personnel advice. I am the Director of Technology and unfortunately my network admin has not turned out to be very solid. For example, he couldn't even reboot the router via command-line interface (IOS uses "reload" instead of reboot or restart). When I have to step in and fix every problem and troubleshoot things for him (including problems he's caused), I'm not able to focus on my primary duties. So thanks for the advice but really you didn't answer the question - firewall vs router?

    fhvasco

    I am an IT consultant servicing small firms such as your own. I am not a Cisco guy, because I believe you can get cheaper hardware to solve the same problem. With that said, I looked over the specs and the device is solid, but it's not an all-in-one appliance. If you are looking for more control of the type of traffic entering the environment, I would purchase a SonicWall TZ190 or TZ210. These devices are solid and easy to work with since they are GUI driven, but they do have a command line interface. They offer subscription-based services to filter out content, viruses, spyware, and intrusion prevention.

    The item to remember is purchasing a device that you can manage in a pickle but that is powerful enough to allow complete control.

    LanceEG

    The best advice I could give is to do whatever you can to keep your network admin. Outside of that, I'd get the dedicated firewall. That way, you'd be sure of getting the granular inspection and prevention you want. Unless you're dealing with a larger piece of equipment with an FWSM (Firewall Services Module), you want to have something you're sure of.

    As for the Linux thing, there are a few GUIs for iptables if you want to go that route.

    robo_dev

    The 2811 has an 'optional firewall' (Cisco IOS Firewall "support")

    "The Cisco IOS Firewall Feature Set can be added to the existing IOS to provide the functionality of a firewall without expensive hardware upgrades"

    So if you've got that, and it's configured properly, then you've got a firewall.

    If you don't, then you don't.

    Is it the best firewall in the world? No. Will it be good enough for what you are using it for? Probably yes.

    A dedicated firewall is going to buy you more performance and the ability to deter more sophisticated attacks, all the way up to the application layer, if that's what you need.
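Added example, not posted by anyone in this thread: the distinction robo_dev is drawing, written out as IOS configuration. The first fragment is the ACL-only pattern the original post describes, including the common `established` keyword, which only matches TCP segments with ACK or RST set and tracks no state at all, so UDP has to be opened to "any". The second fragment turns on the IOS Firewall feature set (CBAC, `ip inspect`), which records outbound sessions and admits their return traffic dynamically, so the static inbound ACL shrinks to what the site deliberately publishes. Interface names, the addresses (RFC 5737 documentation ranges), the published mail port and the NAT/VPN details are assumptions for illustration; the `ip inspect` commands only exist on an IOS image that includes the firewall feature set, which is the "if you've got that" part.

```cisco
! --- BEFORE: stateless ACL only (the pattern the question describes) ---
! "established" matches any TCP segment with ACK or RST set; a scanner that
! sets ACK on its probes walks straight through it. UDP has no flags, so
! DNS replies have to be permitted from anywhere.
ip access-list extended WAN-IN
 permit tcp any any established
 permit udp any eq domain any
 permit udp any eq isakmp host 203.0.113.2 eq isakmp
 permit esp any host 203.0.113.2
 permit tcp any host 203.0.113.2 eq 25
 deny   ip any any log
!
interface FastEthernet0/0
 description WAN (addresses assumed, RFC 5737 documentation ranges)
 ip address 203.0.113.2 255.255.255.252
 ip access-group WAN-IN in
 ip nat outside
!
! --- AFTER: IOS Firewall (CBAC) stateful inspection ---
! Traffic leaving through the WAN interface is tracked per session and the
! reverse path is opened in the inbound ACL only for that session.
! The static list now contains just the services the site publishes
! (site-to-site and remote-access IPsec, and inbound mail in this example).
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
ip inspect name OUTBOUND icmp
ip inspect audit-trail
!
ip access-list extended WAN-IN
 permit udp any eq isakmp host 203.0.113.2 eq isakmp
 permit udp any eq non500-isakmp host 203.0.113.2 eq non500-isakmp
 permit esp any host 203.0.113.2
 permit tcp any host 203.0.113.2 eq 25
 deny   ip any any log
!
interface FastEthernet0/0
 ip access-group WAN-IN in
 ip inspect OUTBOUND out
 ip nat outside
!
! Checking whether the box actually does this (read-only show commands):
!   show version              image name with "advsecurityk9" or
!                             "adventerprisek9" carries the firewall set
!   show ip inspect config    the OUTBOUND rule and the interface it is on
!   show ip inspect sessions  live tracked sessions; an empty table while
!                             users are browsing means nothing is inspected
```

The `deny ip any any log` entry is what the stateful rule is measured against: with CBAC in place, anything that shows up in that log line is either a genuine unsolicited probe or a protocol the inspection rule does not cover, which is a far more useful signal than the same log under the `established` version.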

    career

    For a small or medium sized business, I would side with the 2nd firm more than the first.

    Cisco released the ISRs (2800, 3800, etc) and the ASAs around the same time, and both had the same goal - get a lot of different services in the same chassis. This inadvertently caused some product line overlap, which is why you're getting different answers out of different reps.

    So for starters, yes, the 2811 can do all those things. You will need the Security Plus license for the packet inspection and basic signature matching, and then need an additional module for full-blown IDS/IPS with reporting capability. However, an ASA5510 also needs a separate module for full IDS/IPS, and costs nearly twice as much.

    With this information, you may ask yourself "Well then, why would I ever need an ASA?" There are five reasons I can think of offhand:

    1) High Throughput. The 2811 will max out at 60Mbps. Fine for just Internet, but will be a choking point if you're trying to do backups through it. An ASA5510 can do 350+.

    2) GUI Interface. The ASA has a GUI called ASDM, which, while not great, is decent and can save you or anyone else from having to know the CLI. With routers, there's a similar GUI called SDM, but really you need to know the CLI to get anything done.

    3) Complex ACLs. The ASA lets you group IP addresses and ports into groups, and move rules up/down "on the fly". If you might have a firewall rule over 50 lines long, this is something to think about.

    4) Advanced VPN capabilities, such as a network SSL VPN client (Cisco calls theirs "AnyConnect", and it's only available on the ASA). The Routers only support the older IPSec client.

    5) Easy High Availability. The ASA lets you configure devices in pairs, so that even if one ASA loses power or connectivity the other will take over automatically. This can be done with routers using HSRP or VRRP, but it is a lot more complicated to set up and manage.

    In summary, a 2811 router alone will work fine as a Firewall and VPN device for a small/medium business. But there are certain cases where you'd need a separate Firewall, be it Cisco or another vendor.

    P.S. - Before buying the 2811, I'd give some thought to a 2821 instead. Not that much more, but has a lot more upgrade capability. The 2821 and 3845 are the two main models I've worked with, but 2811 is fairly popular as well.

    P.P.S. - Before canning your admin, have you considered training? IOS is both the blessing and curse of Cisco routers - it lets you do anything, but only if you know how to do it. Getting to a professional level with Cisco gear without training and/or a good lab setup is impossible.
