On Nov 15, 2011, at 7:54 AM, Joe Greco wrote:
If you put a router where you needed a firewall, then, this is not a failure of the firewall, but, a failure of the network implementor and the address space will not have any impact whatsoever on your lack of security.
And the difference between a router and a firewall is ...?
Apparently, one bit.
IMHO, a firewall does not route packets by default, but, rather only forwards those packets which match configured policies.
A router, OTOH, routes packets by default, but, may be configured with some policy about which packets to forward.
The difference functionally is what happens when the configuration is lost or corrupted. Essentially fail open vs. fail closed.
1 vs 0. As I said... one bit.

Understanding this fundamental truth is helpful in understanding why people use "routers" as "firewalls" and "firewalls" as "routers". Because they're basically the same thing, with a one bit difference. And some products, say like FreeBSD (which forms the heart of things like pfSense, so let's not even begin to argue that it "isn't a firewall") can actually be configured to default either way.

So basically, while we would all prefer that firewalls default to deny, it probably isn't as important a distinction as this thread is making it out to be, because even a "default to deny" firewall fails when a naive admin makes a typo and allows all traffic from 0/0 inadvertently. It's just a matter of statistical likelihood.

Or perhaps a better argument would be that routers really ought to default to deny. :-) I'd be fine with that, but I can hear the screaming already.

... JG

-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.
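The "one bit" argument from the exchange above, as an added illustration that is not code from the thread or from any product it names: a first-match packet policy where the default action alone decides what happens when the rule list is empty (configuration lost), plus an audit check for the "pass everything from 0/0" typo. The rule format, names and addresses are constructed for the example.

```python
# Added illustration of the router/firewall default-action argument (not from the thread).
# A first-match policy: when no rule matches (or no rules survive a lost/corrupted
# config), the default action, the "one bit", decides between fail open and fail closed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    src: str                    # CIDR source, e.g. "10.0.0.0/8"
    dst: str                    # CIDR destination
    dport: Optional[int] = None # None matches any destination port


def _matches(rule: Rule, src: str, dst: str, dport: int) -> bool:
    return (ip_address(src) in ip_network(rule.src)
            and ip_address(dst) in ip_network(rule.dst)
            and (rule.dport is None or rule.dport == dport))


def decide(rules: List[Rule], default: str, src: str, dst: str, dport: int) -> str:
    """First matching rule wins; with no match the default action applies."""
    for rule in rules:
        if _matches(rule, src, dst, dport):
            return rule.action
    return default


def overly_permissive(rules: List[Rule]) -> List[Rule]:
    """Audit check: pass rules admitting any source to any destination on any port
    (the 0/0 typo case) make the default action irrelevant, so flag them."""
    return [r for r in rules if r.action == "pass"
            and ip_network(r.src).prefixlen == 0
            and ip_network(r.dst).prefixlen == 0
            and r.dport is None]


# Constructed sample policies: same intended rules, different default action.
WEB_ONLY = [Rule("pass", "0.0.0.0/0", "192.0.2.10/32", 443)]
FIREWALL = ("block", WEB_ONLY)   # default deny: fails closed if rules are lost
ROUTER = ("pass", WEB_ONLY)      # default pass: fails open if rules are lost
TYPO = ("block", [Rule("pass", "0.0.0.0/0", "0.0.0.0/0")])  # default deny defeated by one rule

if __name__ == "__main__":
    for name, (default, rules) in {"firewall": FIREWALL, "router": ROUTER, "typo": TYPO}.items():
        print(name, "ssh:", decide(rules, default, "198.51.100.7", "192.0.2.10", 22),
              "| rules lost:", decide([], default, "198.51.100.7", "192.0.2.10", 22),
              "| audit:", overly_permissive(rules))
```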