The difference between firewall and router - common understanding
If you can't explain it simply, you don't understand it well enough. - Albert Einstein
In fact, I personally feel that no matter how profound a theory or technique is, it can be explained with examples from everyday life. Any complex protocol is designed by people, and designers draw on the most common and stable patterns in real life.
For example, people often ask, "What is the difference between a router and a firewall?"
I usually explain it in the following way. It is not necessarily rigorous in theory, but it makes the topic easier for people who do not understand networking to grasp and accept.
Put bluntly, a firewall is a guard standing between the safe area and the unsafe area who keeps outsiders out, while people inside the department can go out. In theory: under normal circumstances, data is allowed to pass in only one direction. Notice that the firewall icon is actually drawn as a resistor. A router, by contrast, normally allows data to pass in both directions. The defining feature of a router is finding the best path, so it forwards all traffic. A firewall is unidirectional by default, and traffic is restricted in both directions.
Take a community with no guard: anyone inside or outside can walk in and out as they please. There is no security at all; I believe everyone living in such a community would feel unsafe, and property is easily lost. This state corresponds to the device we use as a router.
A firewall is like having a professional security guard at the community gate. Under normal circumstances, residents can walk out at will. When residents want to come back in, the guard recognizes them and lets them through. In other words, the guard lets residents in and out and monitors this normal flow from inside to outside.
Outsiders, however, are generally not allowed in. If you must enter, you have to register explicitly with your ID card before you are let through. If registration is not possible, you need to contact someone inside the community to confirm that you have business there.
This corresponds to the firewall using an ACL applied to the OUTSIDE interface to permit external traffic into the internal network, and monitoring that traffic in real time. This is what we usually call the adaptive-algorithm-based stateful packet-filtering firewall, which is also the most mainstream type today, mainly the Cisco ASA and Juniper firewalls.
When outside traffic enters the interior, it is sometimes necessary to isolate an area, such as a security room. This corresponds to the DMZ zone where servers are placed, mainly to provide services to the outside. If a server is attacked, the attacker still cannot get into the inside security zone. The concept of dividing into zones solves security problems well.
A firewall is security-oriented: it protects by dividing security zones, configuring security policies and implementing anti-attack measures. Of course, firewalls also have the most basic routing functions, with copper (electrical) ports and fiber optic ports.
A router is multi-service: it supports data, voice, routing, a software firewall, NAT and various interface types. Here I will share a personal experience that helps to understand a firewall. I visited an exchange in Shanghai, China, and there I realized what a firewall really is. To enter the exchange, the staff inside first have to actively contact security, confirm the business and establish the identity of the visitor, whose identity was applied for in advance and verified. Then the visitor leaves their ID card at the security office in exchange for an entry permit; on the way out, the entry permit is exchanged back for the ID card. With the entry permit you can enter the park, but there are many buildings in the park.
When I wanted to enter Building No. 11, I had to pass another security check. After the check I received a building permit for Building No. 11, which only allows entry to Building No. 11, and the building permit is one-off: when you walk out of Building 11, it becomes invalid. To come in a second time you have to go through the security check again and get a new building permit, and none of this is done on the spot; the security inspections are carried out outside the park. You can see how strict the security of this data center is.
This is equivalent to one big firewall. People inside the exchange can freely enter and exit, but we cannot enter whenever we want. Entry must be explicitly permitted: for example, we had made an appointment in advance, so we could enter the park. But entering the park does not mean we could enter the machine room. This corresponds to the firewall's security levels. To get into Building 11 you again need explicit permission and a security check. Therefore, there is no mutual access between different levels. As you can see, the design of such a data center fits the firewall concept very well; it is also a highly secure design. If you deal with security for a data center, you can consider such a design.
The above is something every CCIE must know. If you still feel that the CCIE written exam and CCIE LAB exam are difficult to pass, then join SPOTO. We will help you pass the CCIE exam more easily.
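To make the guard analogy concrete, here is an added toy model (not code from the original post or from any vendor) of the behaviour described above: a router that forwards everything, versus a zone-based stateful firewall whose default policy follows security levels, whose outside-interface ACL opens explicit exceptions, and whose state table lets only the replies to permitted sessions back in. The zone names, security levels, addresses and ports are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src: str
    dst: str
    port: int            # service port of the session (toy model: same on replies)
    reply: bool = False  # True for a return packet of an existing session

class Router:
    """A router only finds a path; it judges no direction, so it forwards everything."""
    def forward(self, pkt):
        return True

class StatefulFirewall:
    """Higher -> lower security level is allowed by default, lower -> higher is denied;
    the outside ACL opens explicit exceptions; the state table admits only replies."""
    def __init__(self, levels, outside_acl):
        self.levels = levels            # zone name -> security level (constructed)
        self.outside_acl = outside_acl  # {(dst_ip, port)} permitted from outside
        self.sessions = set()           # (src, dst, port) of permitted sessions

    def forward(self, pkt):
        if pkt.reply:  # a reply travels dst -> src of a recorded session
            return (pkt.dst, pkt.src, pkt.port) in self.sessions
        if self.levels[pkt.src_zone] > self.levels[pkt.dst_zone]:
            allowed = True                                     # residents going out
        elif pkt.src_zone == "outside":
            allowed = (pkt.dst, pkt.port) in self.outside_acl  # explicit registration
        else:
            allowed = False                                    # e.g. dmz -> inside
        if allowed:
            self.sessions.add((pkt.src, pkt.dst, pkt.port))
        return allowed

def demo():
    # Constructed scenario: inside (100), dmz (50), outside (0); only the DMZ web server is published.
    fw = StatefulFirewall({"inside": 100, "dmz": 50, "outside": 0}, {("172.16.0.10", 443)})
    ext, host, web = "198.51.100.7", "192.168.10.5", "172.16.0.10"
    return {
        "inside_to_outside": fw.forward(Packet("inside", "outside", host, ext, 443)),
        "reply_to_inside": fw.forward(Packet("outside", "inside", ext, host, 443, reply=True)),
        "unsolicited_reply": fw.forward(Packet("outside", "inside", ext, host, 22, reply=True)),
        "outside_to_dmz_web": fw.forward(Packet("outside", "dmz", ext, web, 443)),
        "outside_to_inside": fw.forward(Packet("outside", "inside", ext, host, 445)),
        "dmz_to_inside": fw.forward(Packet("dmz", "inside", web, host, 445)),
        "router_outside_to_inside": Router().forward(Packet("outside", "inside", ext, host, 445)),
    }
```

Running `demo()` shows the router letting the outside host straight in, while the firewall admits only the published DMZ service, the replies to sessions the inside opened, and nothing from the DMZ toward the inside.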