Simple Networking

What is the difference between a router, a firewall and NGFW

13.06.2024

Router

A router is a device designed primarily to transmit packets based on IP address information. Its job is to receive a packet on one of its interfaces, look in the routing table and decide which interface and which next gateway to send the traffic to.

Almost every router has a basic security feature: the ability to create access rules, known as Access Control Lists (ACL). Each entry specifies the source and destination IP addresses, the protocol and the port, and marks whether such traffic is allowed or denied. In this way you can regulate network traffic and limit unwanted connections.

Example:

from host 192.168.1.10 to host 8.8.8.8 by protocol TCP and port 443 action Allow

Important!

It is important to note that an ACL in a router works like a stencil that the device lays over each incoming or outgoing packet. If the packet fits an entry, the traffic is let through; if it fits nothing, it is not.

One example of using this feature is creating such a rule for the external IP address of an Internet site known to host malware.

However, you should always remember that a router is designed primarily to transmit traffic, not to control it. Its main task is stability and speed of traffic transmission.

Firewall

A firewall is a security device. It is built specifically for traffic control and has a much larger arsenal of capabilities. It also has access lists, and they look exactly the same as in routers: source address, destination address, protocol, port and action (allow or deny). The key difference is that the firewall tracks the state of established sessions for a number of protocols. This technology is called stateful inspection.

The difference in ACL logic compared with a router can be clearly seen on the example of TCP (HTTPS). Imagine that a user in a corporate network opens some site on the Internet, sending a request. At this point the router and the firewall act the same: having received the user’s request, they look in their rule bases and pass the traffic through.

Then the web server responds to the user’s request, and here too the router and the firewall behave the same: both pass the response packet. So what is the difference?

The difference appears when an evil hacker decides to try to break into your network and tries to trick the device by posing as a web server. He sends a packet right away, crafting it as a response to a request that was never made. A router will consult its rule base, see a match and safely let such a packet through without suspecting anything amiss. The hacker then has a chance to establish a connection with one of the hosts inside the network and continue his dirty deeds.

But the firewall, having received such a response packet, will understand after a quick analysis that there was no request for it, and it will not let the packet through. It will also write a corresponding entry to the log so that the administrator will definitely notice such attempts.
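The following is an added example, not code from the original article, that models both devices described above: the router-style stencil lookup from the ACL section (source, destination, protocol, port, action) and the firewall-style stateful lookup from this section. It replays three constructed packets: the user’s HTTPS request, the genuine reply, and a forged "reply" aimed at an inside host that never sent a request. The rule base, the inside network 192.168.1.0/24 and the packet contents are all assumptions made for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Set, Tuple, Union

Port = Union[int, str]          # a TCP/UDP port number, or "any"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    syn: bool = False           # TCP SYN: set on the packet that opens a connection
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    src: str                    # "any" or an address/prefix such as 192.168.1.10 or 192.168.1.0/24
    dst: str
    proto: str
    sport: Port
    dport: Port
    action: str                 # "allow" or "deny"

    def matches(self, p: Packet) -> bool:
        def net_ok(spec: str, ip: str) -> bool:
            return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)

        def port_ok(spec: Port, port: int) -> bool:
            return spec == "any" or spec == port

        return (net_ok(self.src, p.src) and net_ok(self.dst, p.dst)
                and self.proto == p.proto
                and port_ok(self.sport, p.sport) and port_ok(self.dport, p.dport))


def stateless_verdict(rules: List[Rule], p: Packet) -> str:
    """Router-style ACL: the first matching entry decides; no match means deny."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


class StatefulFirewall:
    """Firewall-style filtering: the ACL is consulted only for packets that open a
    session; every other packet must belong to a session already in the table."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.sessions: Set[Tuple[str, int, str, int, str]] = set()
        self.log: List[str] = []

    def verdict(self, p: Packet) -> str:
        fwd = (p.src, p.sport, p.dst, p.dport, p.proto)
        rev = (p.dst, p.dport, p.src, p.sport, p.proto)
        if fwd in self.sessions or rev in self.sessions:
            return "allow"                       # part of a session we saw being opened
        if p.proto == "TCP" and not (p.syn and not p.ack):
            # A non-SYN TCP packet with no session behind it is a reply to a request
            # nobody made: drop it and record the attempt for the administrator.
            self.log.append(f"DROP unsolicited TCP {p.src}:{p.sport} -> {p.dst}:{p.dport}")
            return "deny"
        action = stateless_verdict(self.rules, p)
        if action == "allow":
            self.sessions.add(fwd)               # remember the session for the return traffic
        else:
            self.log.append(f"DROP by rule {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}")
        return action


# Assumed rule base, written the way a stateless router needs it: the article's HTTPS
# rule plus a mirror entry so that replies from port 443 can reach the inside network.
RULES = [
    Rule("192.168.1.10", "8.8.8.8", "TCP", "any", 443, "allow"),
    Rule("any", "192.168.1.0/24", "TCP", 443, "any", "allow"),
]

# Constructed traffic: a real request and its reply, then a forged "reply" aimed at a
# different inside host that never asked for anything (the article's fake web server).
TRAFFIC = [
    Packet("192.168.1.10", "8.8.8.8", "TCP", 51000, 443, syn=True),
    Packet("8.8.8.8", "192.168.1.10", "TCP", 443, 51000, syn=True, ack=True),
    Packet("8.8.8.8", "192.168.1.20", "TCP", 443, 3389, ack=True),
]


def run_scenario():
    fw = StatefulFirewall(RULES)
    router = [stateless_verdict(RULES, p) for p in TRAFFIC]
    firewall = [fw.verdict(p) for p in TRAFFIC]
    return {"router": router, "firewall": firewall, "log": fw.log}


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(name, value)
```

The router passes all three packets because the mirror rule for port 443 matches the forged packet just as well as the real reply. The firewall passes the first two, drops the third as an unsolicited reply and leaves one log line for the administrator.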

The firewall pays for this and its other security functions with performance. The conclusion from all this is that both devices are important and necessary, but each has its own area of application. If you need to move large volumes of traffic, you need a router. If you need to control network traffic, you cannot do without a firewall.

NGFW

NGFW stands for Next Generation Firewall. Technology development has allowed equipment manufacturers to combine several security devices into one. A regular firewall is taken as the base, and additional features are added to it in the form of virtual modules, for example the IPS module (Intrusion Prevention System).

In simple terms, IPS is a module that contains several thousand predefined rules. These rules are called signatures, and each of them describes a set of parameters by which malicious traffic can be identified. The NGFW compares incoming traffic with this database and applies the specified action to the traffic (allow, alert, block and so on).

The Application Control module is also very useful. It allows you to specify in an access rule not a protocol and port but a specific application. For example, in a regular firewall, to allow SSH traffic you open TCP 22. But some server or service may speak the SSH protocol on a non-standard port, for example 10022 (or any other). A developer may do this for some purpose, and attackers use it to disguise their activity. An NGFW with the App Control module lets you name the SSH application in the access rule, after which the device regulates this type of traffic regardless of the TCP port. More convenient and more secure.
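As an added illustration of the difference between a port rule and an application rule (this is example code, not the article’s and not any vendor’s App Control engine), the block below classifies a flow from its first payload bytes and then applies two policies to the same constructed flows: one that only knows ports, and one that only knows applications. The three signatures (the SSH version string, the TLS handshake record header and an HTTP request line) are deliberately minimal; the sample payloads, the open-port set and the allowed-application set are assumptions for the demonstration.

```python
from typing import FrozenSet, List, Optional, Tuple

HTTP_METHODS = {b"GET", b"POST", b"PUT", b"HEAD", b"DELETE", b"OPTIONS", b"PATCH"}


def identify_app(payload: bytes) -> Optional[str]:
    """Classify a flow from its first payload bytes, ignoring the TCP port entirely."""
    if payload.startswith(b"SSH-"):
        return "ssh"                     # SSH version string, exchanged before any encryption
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03 and payload[2] <= 0x04:
        return "tls"                     # TLS record header: handshake content type, version 3.x
    request_line = payload.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) == 3 and parts[0] in HTTP_METHODS and parts[2].startswith(b"HTTP/1."):
        return "http"                    # plain-text HTTP request line
    return None                          # unknown: no App Control rule can match it


def port_verdict(dport: int, open_ports: FrozenSet[int]) -> str:
    """Regular firewall rule: the destination port alone decides."""
    return "allow" if dport in open_ports else "deny"


def app_verdict(payload: bytes, allowed_apps: FrozenSet[str]) -> str:
    """App Control rule: the identified application decides, whatever port it rides on."""
    app = identify_app(payload)
    return "allow" if app in allowed_apps else "deny"


# Constructed first-payload samples (banners and hellos shortened); these are not captures.
FLOWS: List[Tuple[int, bytes]] = [
    (22,    b"SSH-2.0-OpenSSH_9.6\r\n"),                 # SSH where you expect it
    (10022, b"SSH-2.0-OpenSSH_9.6\r\n"),                 # the article's SSH on a non-standard port
    (443,   b"\x16\x03\x01\x01\x2c\x01\x00\x01\x28"),     # TLS ClientHello on the HTTPS port
    (443,   b"\x00\x00\x00\x0c\x07\x00\x00\x00hidden"),   # something unrecognised using port 443
]


def run_scenario(open_ports: FrozenSet[int] = frozenset({22, 443}),
                 allowed_apps: FrozenSet[str] = frozenset({"ssh", "tls"})):
    """Return (port, identified app, port-policy verdict, app-policy verdict) per flow."""
    return [(dport, identify_app(payload),
             port_verdict(dport, open_ports), app_verdict(payload, allowed_apps))
            for dport, payload in FLOWS]


if __name__ == "__main__":
    for row in run_scenario():
        print(row)
```

The second flow is the article’s case: a port-only policy rejects SSH on 10022, while the application policy recognises it as SSH and allows it. The fourth flow shows the other side of the same coin: a port-only policy waves unknown traffic through because 443 is open, whereas the application policy denies what it cannot identify.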

Network Antivirus module – allows you to run an antivirus scan for files passing through the device.

URL filtering module – allows you to open Internet access to certain categories of web sites. For example, allow users to read news, use search engines and online stores, while prohibiting adult content, illegal substances and other obscenities.

SSL Inspection module – decrypts SSL (HTTPS) traffic so that it can be searched for vulnerabilities and malicious activity. The NGFW receives the user’s request to a web resource on the Internet, decrypts it and forwards it on the user’s behalf. Without this module the NGFW cannot look inside such traffic, since the transmitted data is encrypted.

Read more articles about networking In Deltaconfig style

Visit us on Facebook – Deltaconfig

How does a L2 Switch work

12.06.2024

The main task of a switch is to unite devices into a single network. It transmits data received on one of its interfaces to another based on the source and destination MAC address information contained in the transmitted frame.

Its logic is based on the switching table. As soon as a new host appears on the network and tries to transmit anything, the switch records that a new MAC address has appeared on one of its interfaces. The switch stores this data in a table like this:

Interface X – MAC address Y

When this newly appeared host tries to reach some MAC address, for example a neighbouring host, the switch looks at the destination MAC address and checks whether it is in its switching table. If a match is found, the switch only has to pass the frame from one interface to the other.

If it finds no match, it sends the frame out of all its other interfaces at once. If the target host is “alive”, it will definitely respond. And the switch, having seen the response arrive from that MAC address, will enter the data into the switching table and from then on simply forward frames from one interface to the other.

Entries in the switching table usually live for 5 minutes. If both devices stop sending and receiving data from each other, their MAC address entries gradually age out of the table. The process repeats as soon as the hosts need to transmit something to each other again.
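The whole cycle described in this article (learn the source MAC, forward to a known interface, flood when the destination is unknown, age entries out after 5 minutes) is small enough to simulate. The block below is an added example, not the article’s code or any switch vendor’s firmware; the four-port switch, the three MAC addresses and the timestamps are constructed for the demonstration, and the 300-second lifetime is taken from the article’s figure.

```python
from typing import Dict, List, Tuple


class L2Switch:
    """Learning switch with a MAC address table whose idle entries age out."""

    AGE_SECONDS = 300                      # the article's 5-minute lifetime

    def __init__(self, ports: List[int]):
        self.ports = list(ports)
        self.table: Dict[str, Tuple[int, float]] = {}   # MAC -> (interface, last seen)

    def _expire(self, now: float) -> None:
        # Drop every entry that has been silent for longer than the lifetime.
        stale = [mac for mac, (_, seen) in self.table.items() if now - seen > self.AGE_SECONDS]
        for mac in stale:
            del self.table[mac]

    def receive(self, in_port: int, src_mac: str, dst_mac: str, now: float) -> List[int]:
        """Process one frame and return the interfaces it is sent out of."""
        self._expire(now)
        self.table[src_mac] = (in_port, now)          # learn: src_mac lives behind in_port
        if dst_mac in self.table:
            out_port = self.table[dst_mac][0]
            # Known destination: one interface only (nothing to do if it is the same one).
            return [] if out_port == in_port else [out_port]
        # Unknown destination: flood out of every interface except the one it came in on.
        return [port for port in self.ports if port != in_port]


def run_scenario() -> List[List[int]]:
    """Constructed traffic on a 4-port switch with hosts A, B and C (MACs are made up)."""
    sw = L2Switch([1, 2, 3, 4])
    a, b, c = "aa:aa:aa:aa:aa:aa", "bb:bb:bb:bb:bb:bb", "cc:cc:cc:cc:cc:cc"
    return [
        sw.receive(1, a, b, now=0),      # B unknown: flood to ports 2, 3, 4
        sw.receive(2, b, a, now=1),      # B learned on port 2; A already known: port 1
        sw.receive(1, a, b, now=2),      # both known: port 2 only
        sw.receive(3, c, a, now=400),    # A and B aged out after 5 minutes: flood again
    ]


if __name__ == "__main__":
    for decision in run_scenario():
        print(decision)
```

The last step is the part worth noticing: after the lifetime has passed without traffic, the switch forgets A and B, and the next frame for A is flooded to every other interface exactly as on the first frame.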

 
