Are there any security benefits to having a dedicated firewall?
Are there any security benefits to having a dedicated firewall rather than having a firewall established on a router? Thanks.
Solution 1:
I think you mean here by firewall a hardware-based firewall, as opposed to a software-based firewall like netfilter in Linux.
Most if not all routers support some type of access control list (ACL) which can act as a firewall. Dedicated hardware firewalls are better because they are more powerful (can process more traffic), support stateful inspection, and can have more advanced features like attack detection (IDS/IPS). In the end, this depends on your requirements and the chosen hardware.
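The difference between a router ACL and stateful inspection that this answer points at is easiest to see in code. The following is an added example, not code from the answer or from any vendor: it models a stateless ACL whose inbound rule mimics the common "established" match (permit inbound TCP if ACK or RST is set) next to a firewall that keeps a connection table. The packet model, rule syntax and addresses are all simplified assumptions.

```python
"""Stateless ACL vs. stateful inspection, simulated.

Added example (not from the original answer). The Packet model and the
two filters are toy assumptions that capture only the point under
discussion: a stateless ACL cannot tell a genuine reply from any
inbound packet that merely has the ACK bit set.
"""
from dataclasses import dataclass
from typing import FrozenSet, Set, Tuple

Flags = FrozenSet[str]  # subset of {"SYN", "ACK", "RST", "FIN"}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: Flags
    inbound: bool  # True = arriving from the Internet toward the LAN


# Constructed RFC 5737 documentation addresses, not real hosts.
INSIDE_HOST = "192.0.2.10"
OUTSIDE_HOST = "198.51.100.7"


def stateless_acl(pkt: Packet) -> bool:
    """Router-style ACL: permit everything outbound; permit inbound only
    if it looks like the tail of a session (ACK or RST set). The router
    remembers nothing, so it cannot check that a session actually exists."""
    if not pkt.inbound:
        return True
    return bool(pkt.flags & {"ACK", "RST"})


class StatefulFirewall:
    """Records outbound connection attempts and admits inbound packets
    only if they match a recorded 5-tuple (protocol fixed to TCP here)."""

    def __init__(self) -> None:
        self.table: Set[Tuple[str, int, str, int]] = set()

    def allow(self, pkt: Packet) -> bool:
        if not pkt.inbound:
            # A bare SYN leaving the LAN opens a table entry.
            if "SYN" in pkt.flags and "ACK" not in pkt.flags:
                self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key not in self.table:
            return False  # unsolicited, even if ACK is set
        if "RST" in pkt.flags:
            self.table.discard(key)  # session torn down
        return True


def run_scenario() -> dict:
    """Constructed traffic: one legitimate web session, then an unsolicited
    inbound ACK probe to port 22 (the shape of packet an ACK scan sends).
    Returns the verdict of each filter for both."""
    fw = StatefulFirewall()
    syn = Packet(INSIDE_HOST, 40000, OUTSIDE_HOST, 80, frozenset({"SYN"}), inbound=False)
    synack = Packet(OUTSIDE_HOST, 80, INSIDE_HOST, 40000, frozenset({"SYN", "ACK"}), inbound=True)
    probe = Packet(OUTSIDE_HOST, 4444, INSIDE_HOST, 22, frozenset({"ACK"}), inbound=True)
    return {
        "reply_stateless": stateless_acl(syn) and stateless_acl(synack),
        "reply_stateful": fw.allow(syn) and fw.allow(synack),
        "probe_stateless": stateless_acl(probe),  # True: ACL lets the probe through
        "probe_stateful": fw.allow(probe),        # False: no matching session
    }


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name}: {'permit' if verdict else 'deny'}")
```

Both filters pass the legitimate SYN/ACK reply; only the stateless ACL also passes the unsolicited ACK to port 22, which is exactly what an ACK scan exploits to map which ports a stateless filter leaves open. Real firewalls also track sequence numbers, timeouts and UDP/ICMP pseudo-state, none of which this toy attempts.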
Solution 2:
A lot of that depends on the router in question. For instance, an ASA Services Module in a Cisco Catalyst switch has a lot more functionality than some low-end dedicated firewalls. But then, the argument here is, "is a blade a dedicated firewall?"
Dedicated hardware generally gives you better functionality for the firewall role, and includes other perimeter services like:
- IDS / IPS
- More robust application-level gateways (make sure TCP/80 is really HTTP and not SSH, that kind of thing)
- VPNs, IPSec and SSL.
- Integration with authentication systems
- Ability to proxy certain application traffic
There is also a strong argument to make about having a dedicated device handle your perimeter connection: should an external attack take out your border device, the only thing affected on your network is the connection to the outside world.
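The application-level gateway item in the list above ("make sure TCP/80 is really HTTP and not SSH") comes down to classifying a connection by its first payload bytes rather than by its port. The following is an added example, not code from the answer or from any firewall product: a minimal classifier plus a per-port policy, with constructed payloads standing in for the start of a TCP stream. The policy table and the `identify`/`alg_verdict` helpers are assumptions made for illustration.

```python
"""Port-vs-protocol check in the style of an application-level gateway.

Added example (not from the original answer). It inspects the first
bytes a client sends and refuses a connection whose protocol does not
match what the destination port is supposed to carry.
"""
import re
from typing import Dict, Set, Tuple

# Constructed sample payloads, not captured traffic.
HTTP_REQUEST = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
SSH_BANNER = b"SSH-2.0-OpenSSH_9.6\r\n"
OPAQUE = b"\x00\x01\x02\x03binary-blob"

# HTTP/1.x request line: METHOD SP target SP HTTP/1.x CRLF
_HTTP_REQUEST_LINE = re.compile(rb"^[A-Z]{3,7} \S+ HTTP/1\.[01]\r\n")

# Which protocols each port is permitted to carry (assumed policy).
PORT_POLICY: Dict[int, Set[str]] = {
    80: {"http"},
    22: {"ssh"},
}


def identify(payload: bytes) -> str:
    """Classify a stream by its opening bytes; 'unknown' if neither
    signature matches or nothing has arrived yet."""
    if payload.startswith(b"SSH-"):          # RFC 4253 identification string
        return "ssh"
    if _HTTP_REQUEST_LINE.match(payload):
        return "http"
    return "unknown"


def alg_verdict(dport: int, payload: bytes) -> Tuple[bool, str]:
    """Return (allowed, detected_protocol). Fails closed: a port with no
    policy entry, or a stream the classifier cannot identify, is denied."""
    proto = identify(payload)
    allowed = PORT_POLICY.get(dport, set())
    return (proto in allowed, proto)


if __name__ == "__main__":
    for port, data in [(80, HTTP_REQUEST), (80, SSH_BANNER), (22, SSH_BANNER), (80, OPAQUE)]:
        ok, proto = alg_verdict(port, data)
        print(f"port {port}: detected {proto:<7} -> {'permit' if ok else 'deny'}")
```

A plain port filter would permit all four cases on their allowed ports; the gateway permits only HTTP on 80 and SSH on 22 and denies the SSH-over-80 tunnel and the opaque stream. Real gateways go further (they buffer until enough bytes arrive, validate the full request, and handle TLS on 443 where only the ClientHello is visible), but the decision structure is the same.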