> On Nov 15, 2011, at 7:54 AM, Joe Greco wrote:
>
>> If you put a router where you needed a firewall, then, this is not a
>> failure of the firewall, but, a
>> failure of the network implementor and the address space will not have
>> any impact whatsoever
>> on your lack of security.
>
> And the difference between a router and a firewall is ...?
>
> Apparently, one bit.
>
> IMHO, a firewall does not route packets by default, but, rather only forwards
> those packets which match configured policies.
>
> A router, OTOH, routes packets by default, but, may be configured with some
> policy about which packets to forward.
>
> The difference functionally is what happens when the configuration is
> lost or corrupted. Essentially fail open vs. fail closed.
1 vs 0. As I said... one bit.

Understanding this fundamental truth is helpful in understanding why people use
"routers" as "firewalls" and "firewalls" as "routers". Because they're basically
the same thing, with a one bit difference. And some products, say like FreeBSD
(which forms the heart of things like pfSense, so let's not even begin to argue
that it "isn't a firewall") can actually be configured to default either way.

So basically, while we would all prefer that firewalls default to deny, it
probably isn't as important a distinction as this thread is making it out to be,
because even a "default to deny" firewall fails when a naive admin makes a typo
and allows all traffic from 0/0 inadvertently. It's just a matter of statistical
likelihood.

Or perhaps a better argument would be that routers really ought to default to
deny. :-) I'd be fine with that, but I can hear the screaming already.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.
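The "one bit" under discussion, modelled as an added example that is not part of the thread or of any real filter: a toy first-match rule engine whose default action is the only thing separating the router case (fails open when the config is lost) from the firewall case (fails closed), plus a lint that catches the "pass from 0/0" typo the message describes. Rule format, function names and the RFC 5737 addresses are constructed for illustration.

```python
import ipaddress

# Toy first-match packet filter (constructed; not pf, ipfw or any real product).
# A rule is (action, source network). default_action is the "one bit":
# "pass" behaves like a router (fails open), "block" like a firewall (fails closed).

def decide(rules, default_action, src_ip):
    """Return the action taken for a packet from src_ip under first-match semantics."""
    ip = ipaddress.ip_address(src_ip)
    for action, net in rules:
        if ip in ipaddress.ip_network(net):
            return action
    return default_action          # no rule matched: the default decides

def lint(rules):
    """Flag pass rules that match every source, i.e. the 0/0 typo from the thread."""
    return [(a, n) for a, n in rules
            if a == "pass" and ipaddress.ip_network(n).prefixlen == 0]

# Constructed policies (RFC 5737 documentation ranges).
INTENDED = [("pass", "192.0.2.0/24")]                   # only one network allowed in
LOST = []                                               # config lost or corrupted
TYPO = [("pass", "0.0.0.0/0"), ("pass", "192.0.2.0/24")]  # admin meant a /24, wrote 0/0

OUTSIDER = "198.51.100.7"    # a source the policy was supposed to keep out

def fail_mode(default_action):
    """What an outsider gets once the ruleset is gone: 'fail open' or 'fail closed'."""
    outcome = decide(LOST, default_action, OUTSIDER)
    return "fail open" if outcome == "pass" else "fail closed"

if __name__ == "__main__":
    for default in ("pass", "block"):
        print(f"default={default}: config lost -> {fail_mode(default)}")
    # With the typo in place the default no longer matters; only the lint catches it.
    print("typo, default=block, outsider ->", decide(TYPO, "block", OUTSIDER))
    print("lint findings:", lint(TYPO))
```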