On Jan 23, 2008 11:11 AM, David W. McSpadden <[EMAIL PROTECTED]> wrote:
> At this location we have LANs tied together on an MPLS network which should
> be a VPN with ACLs. Why would you have Firewalls instead of routers?
The difference between "firewall" and "router" is mainly what gets written on the side of the box it comes in. :)

Unless it's a pure layer two firewall (rare), all "firewalls" also function as IP routers. They might not have as many features or ports as a Cisco 3000, but they forward IP datagrams between IP networks, which is the definition of "router". Likewise, pretty much all "routers" have features which can be used for at least basic access control, which is the definition of "firewall". Some "routers" have more "firewall" features than the "firewalls" you can buy at CompUSA.

I think it is better to think of "firewall" and "router" as functions, not products. A "device" is something you can touch. "Firewalling" and "routing" are classes of functionality provided by devices. (Obviously, specific devices are tailored towards providing certain functionality -- this is mainly a mindset thing.)

So, depending on one's security needs, having internal firewalls (function, not device) may make very good sense. For example: controlling access to servers from user stations, so only the expected traffic can reach various servers. More specific examples: only allowing database protocols to your database servers, or blocking Remote Desktop to servers entirely. Another example: preventing user stations between branch offices from talking directly to each other.

If you can do that firewalling using the existing devices you call "routers", so much the better. :)

-- Ben
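The three internal-firewalling examples in Ben's reply (database protocols only to the database servers, no Remote Desktop to any server, no direct branch-to-branch traffic) expressed as an ordered access list and evaluated first-match with an implicit deny, the way a router ACL behaves. This is an added illustration, not code from the thread; the addresses, the assumed ports (1433 for MS SQL, 3389 for RDP, 443 for web) and the rule order are constructed for the example.

```python
"""Toy first-match ACL evaluator for the internal-firewalling examples above.
Addresses, ports and rule order are constructed for illustration only."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str    # source IP address
    dst: str    # destination IP address
    proto: str  # "tcp" or "udp"
    dport: int  # destination port


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: str                     # source CIDR; "0.0.0.0/0" means any
    dst: str                     # destination CIDR
    proto: str = "any"           # "tcp", "udp" or "any"
    dport: Optional[int] = None  # None matches every destination port
    comment: str = ""

    def matches(self, flow: Flow) -> bool:
        return (ip_address(flow.src) in ip_network(self.src)
                and ip_address(flow.dst) in ip_network(self.dst)
                and self.proto in ("any", flow.proto)
                and self.dport in (None, flow.dport))


# Constructed addressing (assumption): two branch user LANs, one server LAN
ANY = "0.0.0.0/0"
BRANCH_A = "10.1.0.0/24"
BRANCH_B = "10.2.0.0/24"
SERVERS = "10.10.0.0/24"
DB_SERVER = "10.10.0.10/32"   # lives inside SERVERS

# Order matters: the first matching rule wins, and the specific DB-server
# deny (index 3) sits before the broader "web to servers" permits so that
# nothing but the database protocol reaches the database host.
POLICY: List[Rule] = [
    Rule("deny", ANY, SERVERS, "tcp", 3389, "no Remote Desktop to any server"),
    Rule("permit", BRANCH_A, DB_SERVER, "tcp", 1433, "DB protocol only"),
    Rule("permit", BRANCH_B, DB_SERVER, "tcp", 1433, "DB protocol only"),
    Rule("deny", ANY, DB_SERVER, comment="everything else to the DB server"),
    Rule("deny", BRANCH_A, BRANCH_B, comment="no direct branch-to-branch"),
    Rule("deny", BRANCH_B, BRANCH_A, comment="no direct branch-to-branch"),
    Rule("permit", BRANCH_A, SERVERS, "tcp", 443, "web to the server LAN"),
    Rule("permit", BRANCH_B, SERVERS, "tcp", 443, "web to the server LAN"),
]


def evaluate(policy: List[Rule], flow: Flow) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching rule); unmatched flows hit the
    implicit deny at the end and return (\"deny\", None)."""
    for index, rule in enumerate(policy):
        if rule.matches(flow):
            return rule.action, index
    return "deny", None


def main() -> None:
    # Constructed sample flows exercising each example from the post
    samples = [
        Flow("10.1.0.5", "10.10.0.10", "tcp", 1433),  # DB protocol to DB server
        Flow("10.1.0.5", "10.10.0.10", "tcp", 443),   # web to DB server
        Flow("10.1.0.5", "10.10.0.20", "tcp", 3389),  # RDP to a server
        Flow("10.1.0.5", "10.2.0.7", "tcp", 445),     # branch A to branch B
        Flow("10.1.0.5", "10.10.0.20", "tcp", 443),   # web to another server
        Flow("10.1.0.5", "10.10.0.20", "tcp", 22),    # no rule: implicit deny
    ]
    for flow in samples:
        action, index = evaluate(POLICY, flow)
        reason = POLICY[index].comment if index is not None else "implicit deny"
        print(f"{flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: {action} ({reason})")


if __name__ == "__main__":
    main()
```

Swapping the two "DB protocol only" permits with the deny below them would silently cut off database access, which is the usual way an access list breaks in practice; evaluating candidate flows against the ordered list before deploying it catches that.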
