Are there any security benefits to having a dedicated firewall?

Are there any security benefits to having a dedicated firewall rather than having a firewall established on a router? Thanks.


Solution 1:

I think you mean here by firewall a hardware-based firewall as opposed to a software-based firewall like netfilter in Linux.

Most if not all routers support some type of access control list (ACL) which can act as a firewall. Dedicated hardware firewalls are better because they are more powerful (can process more traffic), support stateful inspection and can have more advanced features like attack detection (IDS/IPS). In the end, this depends on your requirements and the chosen hardware.

Solution 2:

A lot of that depends on the router in question. For instance, an ASA Services Module in a Cisco Catalyst switch has a lot more functionality than some low-end dedicated firewalls. But then, the argument here is, "is a blade a dedicated firewall?"

Dedicated hardware generally gives you better functionality for the firewall role, and includes other perimeter services like:

  • IDS / IPS
  • More robust application-level gateways (make sure TCP/80 is really HTTP and not SSH, that kind of thing)
  • VPNs, IPSec and SSL
  • Integration with authentication systems
  • Ability to proxy certain application traffic

There is also a strong argument to make about having a dedicated device handle your perimeter connection: should an external attack take out your border device, the only thing affected on your network is the connection to the outside world.
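The application-level gateway check the second answer lists (making sure a flow on TCP/80 really carries HTTP and not something like SSH), as an added Python example that is not part of the original answers; the port-to-protocol table, the protocol fingerprints and the sample payloads are constructed assumptions for illustration.

```python
"""
Added example (not from the original answers): a minimal application-level
check that compares what a destination port implies with what the client's
first bytes actually look like, flagging e.g. SSH tunnelled over port 80.
"""
import re

# Request line of an HTTP/1.x request (method, target, version, CRLF).
HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|TRACE|CONNECT|PATCH) [^\s]+ HTTP/1\.[01]\r\n"
)
# Assumed policy: the application protocol each well-known port is allowed to carry.
EXPECTED_BY_PORT = {80: "http", 22: "ssh", 443: "tls"}


def classify_payload(data: bytes) -> str:
    """Guess the application protocol from the first bytes the client sends."""
    if HTTP_REQUEST_LINE.match(data):
        return "http"
    # SSH clients open with an identification string such as b"SSH-2.0-...\r\n".
    if data.startswith(b"SSH-"):
        return "ssh"
    # A TLS record begins with content type 0x16 (handshake) and major version 0x03.
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls"
    return "unknown"


def check_flow(dst_port: int, first_bytes: bytes) -> dict:
    """Return allow/block depending on whether payload matches the port's expected protocol."""
    expected = EXPECTED_BY_PORT.get(dst_port, "unknown")
    observed = classify_payload(first_bytes)
    # Default deny: unknown ports and unrecognised or mismatched payloads are blocked.
    verdict = "allow" if expected != "unknown" and observed == expected else "block"
    return {"port": dst_port, "expected": expected, "observed": observed, "verdict": verdict}


# Constructed sample flows: (destination port, client's first bytes).
SAMPLE_FLOWS = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    (80, b"SSH-2.0-OpenSSH_9.6\r\n"),  # SSH hiding on the web port
    (443, b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"),
]

if __name__ == "__main__":
    for port, payload in SAMPLE_FLOWS:
        print(check_flow(port, payload))
```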