The firewall cannot be dropped: having a router is not enough

  
Once a router is in place, some simple filtering can be done on it. Does that mean the router lets us give up the firewall? This article compares the NetEye firewall with the Cisco router, the most widely deployed and most representative router in the industry, from a security standpoint, and explains why a user network still needs a firewall in addition to the router.

First, the two devices have different origins and goals.

(1) Different origins. The router exists to route packets between networks. Its job is to forward packets between different networks efficiently; why a packet is being routed, whether it should be routed at all, and what happens after it has been routed are not its concern. What it cares about is whether packets from different network segments can be routed so that the segments communicate. The firewall exists because people need security. Whether a packet arrives correctly, and when and by which path it arrives, is not the firewall's focus. Its focus is whether this packet (or this series of packets) should be allowed through at all, and whether it would harm the network.

(2) Different fundamental purposes. The fundamental purpose of the router is to keep the network and its data "reachable". The fundamental purpose of the firewall is to make sure that every packet that is not explicitly permitted is "unreachable".

Second, the core technology is different. The core of the Cisco router's security is the ACL, which is simple, stateless packet filtering: each packet is judged on its own header fields against the rule list, with no memory of earlier packets. The NetEye firewall is built on stateful packet filtering together with application-layer filtering of the information flow: it tracks connections and judges each packet in the context of the connection it belongs to. The practical consequence is that a stateless ACL cannot tell a legitimate reply from a crafted packet that carries the same header flags, whereas a stateful filter admits a reply only when it has recorded the connection that the reply answers.

Third, the complexity of the security policy differs. The router's default configuration is not designed with security in mind; defending against attacks requires advanced, non-default configuration. Most of the router's security policy is written at the command line, the rules are comparatively complicated to formulate, and the probability of a configuration error is high. The NetEye firewall ships with a default configuration intended to block common attacks, and its security policy is managed through a Chinese-language GUI tool, which makes the policy easier to configure and less error-prone.

Fourth, the impact on performance differs. A router is designed to forward packets, not to be a full-featured firewall, so when it is used for packet filtering the extra work places heavy demands on its CPU and memory, and because router hardware is expensive, a high-performance configuration is costly. The NetEye firewall runs on high-specification hardware (general-purpose Intel processors, giving high performance at low cost), its software is specifically optimized for packet filtering, its main module runs in the operating system's kernel mode, and security was considered at design time, so its packet-filtering performance is very high. Because the router does simple packet filtering, every packet is matched against the whole rule list, so as the number of filtering rules and NAT rules grows, the load on the router grows with it. Because the NetEye firewall does stateful packet filtering, only the first packet of a connection is matched against the rule list and the packets that follow are matched against the connection table, so the number of filtering and NAT rules has almost no effect on performance.

Fifth, the strength of the audit function differs. The router has no storage medium of its own for logs and events; it can only store them on an external log server (syslog, SNMP trap). It has no audit-analysis tool of its own, its log and event messages are written in a form that is hard to read, and its coverage of security events is incomplete: for many attacks and scans it cannot produce accurate and timely events. This weak audit function prevents administrators from responding to security events promptly and accurately. The NetEye firewall has two kinds of log storage: its own hard disk and a separate log server. For both it provides audit-analysis tools that make it easy for administrators to analyse security risks. Its response to security events is also reflected in its alarm methods: buzzer, SNMP trap, mail and log. It also has real-time monitoring: connections passing through the firewall can be watched online, and packets can be captured for analysis, which helps in analysing how the network is running and makes it easier to operate.

Sixth, the ability to defend against attacks differs. A standard Cisco router has neither application-layer protection nor real-time intrusion detection. To obtain these functions, IOS must be upgraded to the firewall feature set. This incurs a software upgrade cost, and because these functions require a large amount of computation, a hardware upgrade is needed as well, which increases the cost further. Many other manufacturers' routers do not offer such advanced security functions at all.

From this it can be concluded that:
• cost of a router with firewall features > firewall + router
• functionality of a router with firewall features < firewall + router
• scalability of a router with firewall features < firewall + router

In summary: how simple or complex the user's network topology and applications are is not the criterion for deciding whether a firewall is needed. The fundamental criterion is the user's need for network security. Even when the topology and applications are very simple, a firewall is still necessary; when the environment and applications are complex, the firewall brings even more benefits. The firewall is an indispensable part of building a network. In the usual network the router is the first gate protecting the internal network, and the firewall is the second and strictest gate.
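The difference between the router's stateless ACL and the firewall's stateful filtering (the second and fourth points above) can be seen in a small simulation. The following Python is an added example written for this article; it is not code from NetEye, Cisco or the original author. The packet format, rule syntax, addresses, rule lists and packet sequence are this example's own constructed simplifications, not Cisco ACL or NetEye syntax. It shows two things: a stateless list that admits replies by testing the ACK flag (the router-style `established` rule) also admits a crafted ACK packet that belongs to no connection, while the stateful filter drops it; and the stateful filter consults the rule list only for the packet that opens a connection, so its rule-comparison count does not grow with the rest of the traffic.

```python
"""Added example: stateless (router-style) vs stateful (firewall-style)
packet filtering. Everything here is a constructed simplification."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: str                     # "any", an exact address, or a prefix ending in "."
    dst: str
    dport: Optional[int] = None  # None matches any destination port
    established: bool = False    # router-style keyword: match only if ACK is set


def _addr_matches(pattern: str, addr: str) -> bool:
    if pattern == "any":
        return True
    if pattern.endswith("."):
        return addr.startswith(pattern)
    return addr == pattern


def _rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (_addr_matches(rule.src, pkt.src)
            and _addr_matches(rule.dst, pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport)
            and (not rule.established or pkt.ack))


class StatelessACL:
    """Router-style filter: every packet walks the list until a rule matches;
    an unmatched packet hits the implicit deny at the end of the list."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.evaluations = 0  # number of rule comparisons performed

    def decide(self, pkt: Packet) -> bool:
        for rule in self.rules:
            self.evaluations += 1
            if _rule_matches(rule, pkt):
                return rule.action == "permit"
        return False


class StatefulFilter:
    """Firewall-style filter: the rule list is consulted only for the packet
    that opens a connection (SYN without ACK); any other packet is admitted
    only if it belongs to a flow already recorded in the state table."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.evaluations = 0
        self.table: Set[Tuple[str, int, str, int]] = set()

    def decide(self, pkt: Packet) -> bool:
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if flow in self.table or reverse in self.table:
            return True   # tracked connection: no rule walk at all
        if not pkt.syn or pkt.ack:
            return False  # mid-stream packet with no recorded state: drop
        for rule in self.rules:
            self.evaluations += 1
            if _rule_matches(rule, pkt):
                if rule.action == "permit":
                    self.table.add(flow)
                    return True
                return False
        return False


INSIDE = "10.0.0."  # constructed inside network prefix

# Router ACL: to let replies to permitted outbound connections back in, the
# stateless list needs a second rule keyed on nothing but the ACK flag.
ROUTER_ACL = [
    Rule("permit", INSIDE, "any", dport=80),
    Rule("permit", "any", INSIDE, established=True),
]
# Firewall policy: one rule for the opening packet; replies are handled by state.
FIREWALL_POLICY = [
    Rule("permit", INSIDE, "any", dport=80),
]

# Constructed traffic: a permitted web connection from inside, then a crafted
# ACK packet from outside aimed at SSH that belongs to no connection, then a
# plain SYN from outside to the same port.
PACKETS = [
    Packet("10.0.0.5", 40000, "203.0.113.10", 80, syn=True),            # client SYN
    Packet("203.0.113.10", 80, "10.0.0.5", 40000, syn=True, ack=True),  # server SYN-ACK
    Packet("10.0.0.5", 40000, "203.0.113.10", 80, ack=True),            # client data
    Packet("198.51.100.7", 4444, "10.0.0.5", 22, ack=True),             # unsolicited ACK
    Packet("198.51.100.7", 4444, "10.0.0.5", 22, syn=True),             # unsolicited SYN
]


def run_scenario() -> dict:
    """Run the same packet sequence through both filters and report verdicts
    and how many rule comparisons each filter needed."""
    router = StatelessACL(ROUTER_ACL)
    firewall = StatefulFilter(FIREWALL_POLICY)
    return {
        "router": [router.decide(p) for p in PACKETS],
        "firewall": [firewall.decide(p) for p in PACKETS],
        "router_evaluations": router.evaluations,
        "firewall_evaluations": firewall.evaluations,
    }


if __name__ == "__main__":
    result = run_scenario()
    for pkt, r, f in zip(PACKETS, result["router"], result["firewall"]):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} "
              f"syn={pkt.syn} ack={pkt.ack}  router={r}  firewall={f}")
    print("rule comparisons: router", result["router_evaluations"],
          "firewall", result["firewall_evaluations"])
```

Running it, the router permits the fourth packet, the crafted ACK to port 22, because the `established` rule sees nothing but the flag; the firewall drops it because no connection to 10.0.0.5:22 was ever opened. Both reject the bare SYN to port 22, so the weakness is specific to the flag-based reply rule. The router also performs four times as many rule comparisons over the same traffic, since the firewall walks its list only for the two connection-opening packets. In Cisco IOS the real `established` keyword matches any TCP segment with the ACK or RST bit set, which is exactly the property this example abuses; the toy omits connection timeouts, teardown and sequence-number checking that a real stateful firewall performs.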