You see one of the more common questions I get from customers is what is the difference? Well at it’s core, a router is a device that routes data from one network to another. Whereas a firewall is a device that provides security to your network. However most devices these days fall into both categories. Most firewalls are going to provide some sort of basic routing capability and most routers will provide basic firewall capabilities. So what to do?

Well the answer is: it depends. If you have fairly small business needs, either should be fine for you. But if you need high end security, a firewall is your best bet. If you need to do some high end routing such as BGP then you definitely want a dedicated router. And if you need both I would buy both a firewall and a router and dedicate them to their respective tasks.

-RP

So the question you need to ask yourself, is does your firewall do everything you need? For example, there are some firewalls that will crush VoIP and refuse to pass the traffic properly even though they advertise they can. Or there will be some firewalls that will have a GUI or CLI but not implement it in the expected way making firewall administration a nightmare. Some block ports, but don’t do any advanced IPS or IDS.

So when you are buying a firewall, don’t just look at the security aspect of it. There is much more to a firewall than that. Also pay heed to the other features that will affect you everyday but that you just might not think about off the top of your head. Also just because a firewall has every feature under the sun, doesn’t make it a great idea to buy it. Sometimes it pays to seperate out features into different hardware appliances.

My point here is that everything is going to depend on your network needs. There isn’t one firewall that fits all. Do your due diligence and do that research before purchasing!

-RP

A lot of firewalls have the ability to create a rule where you can specify to allow Any traffic from Any to Any. Unfortunately as people have found, Any doesn’t always mean Any. What I mean by this is that despite what Any implies, what in actuality happens is that the firewall still ends up blocking some things. When this happens, a network administrator might end up troubleshooting everything and still come up short trying to figure out why things aren’t working properly in the network. I have heard lots of network admins tell me “But I have the firewall configured with an all-open any to any rule for testing! It should work!” and of course it doesn’t. Now not all firewalls are this way but there are some where you will run into this.

So what’s the solution? Turn on detailed logging, and watch the logs for denied traffic. Also using a packet sniffer like Wireshark or Microsoft’s own Network Monitor (found on your server CD by using add/remove components) can help you to determine how the traffic is flowing and what is happening to it. At that point you will be able to determine if a firewall is blocking the traffic or not and be able to fix your problem by creating a rule to allow that type of specific traffic through.

-RP