Whether to choose firewall or router for network egress

As technology has developed, many functions of firewalls and routers now overlap, such as routing (static routes, RIP, OSPF, BGP), NAT, ACLs, and DHCP.

So which should the network egress use, a firewall or a router?

1. Differences between a firewall and a router

A firewall

It is essentially a security device. Although it integrates many routing functions, it lacks many advanced router functions, such as MPLS VPN, MPLS TE, and multi-service access such as ATM and POS lines from carriers.

The router

Today's routers also integrate some of the basic security functions of a firewall, but their focus is still on routing, MPLS VPN/TE, WAN optimization and other functions that a firewall cannot replace; their forwarding tables (routes, NAT sessions and so on) hold far more entries, so they can support large-scale networks.

2. Application scenario analysis

Scenario 1

Ordinary small and medium-sized enterprises, government extranets, primary and secondary schools and similar sites choose a firewall for their network egress: it is simple, performance requirements are not high, and one device provides every function they need (the mainstream today is the next-generation firewall, which integrates firewalling, behavior management, load balancing, flow control, * and other functions).

Scenario 2

Specific industries must use a router for their egress, for example e-government intranets and court/procuratorate intranets. First, policy requires it: a router must be used. Second, business needs require it: e-government, for example, has to run MPLS VPN, which firewalls do not support. Third, end-to-end communication is required: on the public security network, the Ministry of Public Security must be able to reach police officers at the lowest level, so firewalls inside the network are strictly prohibited; if firewalls were added, a lot of traffic would be dropped for no good reason. Video conferencing is similar: today some sites are also connected through a firewall, but in the early days the controls were very strict.

Scenario 3

Large enterprises and university campus networks use a router for the network egress, dedicated to routing and NAT, and also deploy a firewall, dedicated to security functions; each does what it is specialized in. (In fact many small and medium-sized units use this architecture too, perhaps with the firewall and router each deployed as a redundant pair and the egress served by multiple carriers over multiple links.)

Large network: router and firewall coexist, each specialized

All nodes of carrier, public security and financial backbone networks are routers, and the ChinaNet backbone nodes of China Telecom are also high-end routers.

3. Three practical points

1. Small and medium-sized units are recommended to use a firewall for their Internet egress: it is simple and practical, feature-rich and cheap. (Alternatively a UTM, behavior management device, load balancer, WAN optimizer, multi-service router, etc.)

2. Specific industries must use a router, because of policy requirements and business needs.

3. Large networks use firewalls and routers together; a firewall alone may not have the performance to cope.
