@Matthew-Horvay said in Security+ - router security vs firewall?:
I was watching the Security+ Network Security - Securing Network Devices episode. Around 31 minutes in they start talking about using routers as security devices. It confused me because it sounded like they were saying a router could do everything a firewall could do. Why would I want a separate firewall then? Ronnie said I might, but he doesn't say when I would or wouldn't.
I've never used a stand-alone router. The most advanced network device I manage is a pfSense box.
Can you please clarify the security function of a router, how it differs in security capabilities from a firewall, and when I'd want just a router vs when I'd want both?
Let me start with your last question first! This can be a little confusing because most of us work with just a single device connected to an internet connection, but in a business you might find a couple of scenarios where you might want to use both.
Your company may have multiple departments that require not only a dedicated link outside but also need to provide their own security due to differing security policies for each department. This is a perfect example, where you might set up a router as the public interface to the ISP, then take the remaining ports and set each of them as a dedicated connection to a separate departmental LAN. Depending on the router's capabilities you could do the following if you chose:
One department may not have a firewall it wants to implement, but you want to control traffic like a firewall. Some managed routers, depending on the licensing and feature set, may give you the ability to implement their built-in firewall support (e.g. Cisco IOS with k9 at the end of the name usually has the firewall feature set). You could set this up as a firewall for that department.
Your department may decide that it wants the connection but wants to manage all aspects of perimeter security using a pfSense firewall. You simply connect the router interface to your pfSense WAN interface and no additional security is needed, but the router still segments traffic: traffic not meant for your LAN is routed to the proper interfaces on the router.
There are others, but this is a good start here. In this instance you have one department and your department. What if each department wants to implement VPNs? Because you're in charge of your department and not the other, you cannot implement a VPN tunnel for them, but you can do it for yours. But they may request the network admin to implement it through the router interface. So a router can function as both firewall and VPN endpoint.
If the company chooses to block traffic coming from each department from directly accessing another department, you don't have to use the firewall feature set on the router but could also use ACLs (Access Control Lists) to block your department from accessing the other department but allow both, let's say, to access the HR or Personnel department.
Usually choosing just a router is the implementation when they don't really need any additional complexity but still need a device at the perimeter. If you want to do some really fancy rules, then a dedicated firewall is definitely the way to go. But if you need meat-and-potatoes security, be assured the router that has the security feature set implemented can really function that way if needed.
Let me know if you have any additional questions!
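To make the distinction in the answer concrete, here is an added example (not from the original thread, the course, or any vendor) that models the two controls discussed: a stateless router ACL that blocks the two departments from each other but lets both reach HR, and a stateful firewall applying the same policy. The departmental subnets, port numbers and packets are constructed for illustration, and the "established" keyword is modelled in the simplified sense of "any non-SYN TCP packet", which is what shows why a stateful firewall is the better fit once rules get beyond the basics.

```python
"""Toy model of a stateless router ACL versus a stateful firewall.
Subnets and packets below are constructed for the example, not taken from
the thread or any real network."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Set, Tuple

# Assumed departmental subnets (constructed).
ENGINEERING = ip_network("10.1.0.0/24")
SALES = ip_network("10.2.0.0/24")
HR = ip_network("10.3.0.0/24")
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False  # True only for the first packet of a TCP handshake


@dataclass(frozen=True)
class Rule:
    action: str  # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None
    established: bool = False  # simplified IOS "established": non-SYN TCP only

    def matches(self, pkt: Packet) -> bool:
        if ip_address(pkt.src) not in self.src:
            return False
        if ip_address(pkt.dst) not in self.dst:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.established and (pkt.proto != "tcp" or pkt.syn):
            return False
        return True


# Router ACL for the policy in the answer: both departments may reach HR
# (here over HTTPS), neither may reach the other, and anything unmatched
# falls through to the implicit deny at the end of the list.
ROUTER_ACL: List[Rule] = [
    Rule("permit", ENGINEERING, HR, dport=443),
    Rule("permit", SALES, HR, dport=443),
    Rule("deny", ENGINEERING, SALES),
    Rule("deny", SALES, ENGINEERING),
    # A stateless ACL cannot remember connections, so return traffic has to
    # be let back in with a broad "established" rule.
    Rule("permit", ANY, ANY, established=True),
]

# The stateful firewall needs only the policy rules; it tracks return
# traffic itself instead of relying on the "established" catch-all.
FIREWALL_POLICY: List[Rule] = [r for r in ROUTER_ACL if not r.established]


def evaluate_acl(acl: List[Rule], pkt: Packet) -> str:
    """First matching rule decides; no match means implicit deny."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"


class StatefulFirewall:
    """Applies the policy to new connections only and permits the rest of a
    permitted connection by looking the flow up in its state table."""

    def __init__(self, policy: List[Rule]) -> None:
        self.policy = policy
        self.flows: Set[Tuple[str, int, str, int, str]] = set()

    def evaluate(self, pkt: Packet) -> str:
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if forward in self.flows or reverse in self.flows:
            return "permit"  # belongs to a connection we already allowed
        if pkt.proto == "tcp" and not pkt.syn:
            return "deny"  # mid-stream TCP packet with no known connection
        decision = evaluate_acl(self.policy, pkt)
        if decision == "permit":
            self.flows.add(forward)
        return decision


def demo() -> dict:
    """Run the same four constructed packets through both controls."""
    eng_to_hr = Packet("10.1.0.20", 50000, "10.3.0.5", 443, syn=True)
    hr_reply = Packet("10.3.0.5", 443, "10.1.0.20", 50000)
    eng_to_sales = Packet("10.1.0.20", 50001, "10.2.0.9", 445, syn=True)
    # A non-SYN TCP packet from HR for which no connection was ever opened.
    stray_ack = Packet("10.3.0.5", 443, "10.1.0.20", 50077)
    packets = (eng_to_hr, hr_reply, eng_to_sales, stray_ack)
    fw = StatefulFirewall(FIREWALL_POLICY)
    return {
        "acl": [evaluate_acl(ROUTER_ACL, p) for p in packets],
        "fw": [fw.evaluate(p) for p in packets],
    }


if __name__ == "__main__":
    print(demo())
```

Both controls enforce the departmental segmentation the same way: Engineering reaches HR, Engineering cannot reach Sales, and the HR reply comes back. They part ways on the fourth packet. The router ACL has to permit it, because its "established" rule only looks at TCP flags and has no memory of which connections were opened, while the stateful firewall drops it because no matching flow exists in its table. That memory is the practical reason the answer points at a dedicated firewall (the router's firewall feature set, or pfSense) once you need more than the meat-and-potatoes rules.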