https://community.cisco.com/t5/network-security/regarding-packet-filtering-firewal-using-router/m-p/1037117#M878819 <HTML><HEAD></HEAD><BODY><P>All the router is doing is looking at the layer 4 TCP segment and checking if the destination port is 80 (HTTP). Its not going into the higher layers and inspecting the nitty gritty details of the HTTP protocol itself e.g. URL/host/encoding/content-type etc. You have to remember that the OSI model is merely a 'logical' model. Don't think too hard about it :). I would highly recommend to read the Doughlas Comer TCP/IP Book. It would help you build these basic concepts.</P><P></P><P>Regards</P><P></P><P>Farrukh</P></BODY></HTML> Tue, 16 Dec 2008 06:36:10 GMT Farrukh Haroon 2008-12-16T06:36:10Z https://community.cisco.com/t5/network-security/regarding-packet-filtering-firewal-using-router/m-p/1037112#M878808 <P>Hi Team,</P><P></P><P>One small query--</P><P></P><P>I have read somewhere that Routers are packet Filtering Firewalls(which can process the traffic at Layer-3 and Layer-4)but when we configure access-lists in routers ,then we can even mention the upper layer protocols(http,ftp) in the access-lists,then how the router will process the packets of upper layer protocols if router is acting as Packet filtering firewall.</P><P></P><P></P><P></P> Mon, 11 Mar 2019 14:25:55 GMT https://community.cisco.com/t5/network-security/regarding-packet-filtering-firewal-using-router/m-p/1037112#M878808 palsukh2002 2019-03-11T14:25:55Z https://community.cisco.com/t5/network-security/regarding-packet-filtering-firewal-using-router/m-p/1037113#M878810 <HTML><HEAD></HEAD><BODY><P>Cisco routes have multiple solutions to provide access control. The following is their list:</P><P></P><P>1) Access-lists (Stateless Packet Filter)</P><P>easier to fool/spoof/compromise</P><P>very difficult to manage</P><P>stateless except some features like 'established' keyword that provide pseudo-stateful behavior.</P><P></P><P>2) Reflexive ACLs (Stateful Filter without Application Inspection/Handling)</P><P>pretty easy to implement</P><P>less control on what to filter</P><P>break for most dynamic applications like multimedia,active ftp etc.</P><P></P><P>3) CBAC (Stateful filter - Now called the classic firewall)</P><P></P><P>4) Zone-based Firewall (Stateful filter with enhanced zoning support)</P><P></P><P>As per your question, even ACLs have limited viisbility into upper layer protocols now. But that is limited. As technologies grow, the line between stateful/stateless starts to blur a little bit.</P><P></P><P>Regards</P><P></P><P>Farrukh</P><P></P><P></P></BODY></HTML> Mon, 15 Dec 2008 06:39:15 GMT https://community.cisco.com/t5/network-security/regarding-packet-filtering-firewal-using-router/m-p/1037113#M878810 Farrukh Haroon 2008-12-15T06:39:15Z https://community.cisco.com/t5/network-security/regarding-packet-filtering-firewal-using-router/m-p/1037114#M878812 <HTML><HEAD></HEAD><BODY><P>It means we cannot say that Routers are packet filtering Firewalls.</P><P>Because if we are allowing http access from some source to destination in the router access-list,the access will be permitted</P><P></P><P>My actual doubt was why we are calling Routers as packet filetering firewalls</P><P></P><P>Sorry for confusing-</P></BODY></HTML> Mon, 15 Dec 2008 07:22:13 GMT https://community.cisco.com/t5/network-security/regarding-packet-filtering-firewal-using-router/m-p/1037114#M878812 palsukh2002 2008-12-15T07:22:13Z https://community.cisco.com/t5/network-security/regarding-packet-filtering-firewal-using-router/m-p/1037115#M878814 <HTML><HEAD></HEAD><BODY><P>We can definitely say routers (can act as) packet filtering firewalls. This is exactly what access-lists do. Please see the following link for a definition of packet-filtering firewalls:</P><P></P><P><A class="jive-link-custom" href="http://en.wikipedia.org/wiki/Firewall" target="_blank">http://en.wikipedia.org/wiki/Firewall</A></P><P></P><P>Regards</P><P></P><P>Farrukh</P></BODY></HTML> Mon, 15 Dec 2008 09:32:56 GMT https://community.cisco.com/t5/network-security/regarding-packet-filtering-firewal-using-router/m-p/1037115#M878814 Farrukh Haroon 2008-12-15T09:32:56Z https://community.cisco.com/t5/network-security/regarding-packet-filtering-firewal-using-router/m-p/1037116#M878816 <HTML><HEAD></HEAD><BODY><P>This is confusing---</P><P></P><P>In a router access-list we can type</P><P></P><P>access-list test permit host 10.1.1.1 host 20.1.1.1 http</P><P></P><P>which will allow http access which is an Application layer protocol.It means the router can open the whole packet till application layer and can see that http access is needed.Then how we are saying Routers are Packet filtering firewalls(the packet filtering firewalls can see the information of Layer-3 and layer-4 proocols only) </P></BODY></HTML> Mon, 15 Dec 2008 23:31:24 GMT https://community.cisco.com/t5/network-security/regarding-packet-filtering-firewal-using-router/m-p/1037116#M878816 palsukh2002 2008-12-15T23:31:24Z https://community.cisco.com/t5/network-security/regarding-packet-filtering-firewal-using-router/m-p/1037117#M878819 <HTML><HEAD></HEAD><BODY><P>All the router is doing is looking at the layer 4 TCP segment and checking if the destination port is 80 (HTTP). Its not going into the higher layers and inspecting the nitty gritty details of the HTTP protocol itself e.g. URL/host/encoding/content-type etc. You have to remember that the OSI model is merely a 'logical' model. Don't think too hard about it :). I would highly recommend to read the Doughlas Comer TCP/IP Book. It would help you build these basic concepts.</P><P></P><P>Regards</P><P></P><P>Farrukh</P></BODY></HTML> Tue, 16 Dec 2008 06:36:10 GMT https://community.cisco.com/t5/network-security/regarding-packet-filtering-firewal-using-router/m-p/1037117#M878819 Farrukh Haroon 2008-12-16T06:36:10Z