When is a device a firewall?
-
This is a question I've run into a bit lately, mostly with regard to an EdgeRouter Lite from Ubiquiti.
By its name, the ERL is a router, but when does it become a firewall?
Many of the basic configurations I can find for the ERL include setting up NATing between the WAN and LAN side, disabling access to the ERL itself from the WAN and denying all non-solicited traffic from the WAN.
Is that all there is to a firewall? Of course we can strap on things like virus scanning and web filtering, or even traffic analysis and protocol analysis. But outside of HUGE corporations, do SMBs need this level of firewalling?
What other settings other than NATing, deny non-solicited should be enabled?
-
@Dashrender said:
By its name, the ERL is a router, but when does it become a firewall?
When it does security functions in addition to routing
-
@Dashrender said:
Of course we can strap on things like virus scanning and web filtering, or even traffic analysis and protocol analysis. But outside of HUGE corporations, do SMBs need this level of firewalling?
Those things are generally considered to be UTM functions, above and beyond firewall.
-
@Dashrender said:
What other settings other than NATing, deny non-solicited should be enabled?
It's the ability to filter that generally defines something as a firewall. In the olden days routers couldn't do this and firewalls got very slow when doing this. Today you can't really buy a router that can't do traditional firewall functions. It's more in how you set it up. Effectively all firewalls are routers (with some exceptions) and even more so all routers are firewalls.
-
@Dashrender said:
But outside of HUGE corporations, do SMBs need this level of firewalling?
Not often, no.
-
So the configuration that I've mentioned above is a great starting point, and one that someone at NTG might suggest for a company who has no internal services?
-
@Dashrender said:
So the configuration that I've mentioned above is a great starting point, and one that someone at NTG might suggest for a company who has no internal services?
Yes, something like an ERL would be a very common firewall, especially with NATing enabled, for an SMB. There is rarely a need for anything more. No inbound services are allowed by default.
-
Thanks - this pretty much confirmed what I believed, I was/am primarily looking for a sanity check.
-
That is also my default starting recommendation.
For just under $200 you get 1 ERL + 1 UAP. Pretty much perfect for almost all SMB offices.
Drop 2 hours of labor in there and you are done with the base proposal.
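-
For reference, the baseline discussed in this thread (NAT, no access to the router from the WAN, no unsolicited inbound traffic) written out as EdgeOS CLI commands. This is an added example, not a configuration posted by anyone in the thread; it assumes eth0 is the WAN port, and the ruleset names and rule numbers are illustrative choices.

```edgeos
configure

# WAN_IN: traffic arriving on the WAN and routed through to the LAN.
# Default drop means nothing unsolicited gets in; only replies to
# connections that were opened from the inside are accepted.
set firewall name WAN_IN default-action drop
set firewall name WAN_IN description 'WAN to LAN'
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 description 'Allow established/related'
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_IN rule 10 state related enable
set firewall name WAN_IN rule 20 action drop
set firewall name WAN_IN rule 20 description 'Drop invalid state'
set firewall name WAN_IN rule 20 state invalid enable

# WAN_LOCAL: traffic arriving on the WAN and addressed to the router
# itself (web UI, SSH). Same policy, so the ERL cannot be managed
# from the WAN side.
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL description 'WAN to router'
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 description 'Allow established/related'
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable
set firewall name WAN_LOCAL rule 20 action drop
set firewall name WAN_LOCAL rule 20 description 'Drop invalid state'
set firewall name WAN_LOCAL rule 20 state invalid enable

# Bind both rulesets to the WAN interface (assumed to be eth0).
# Without this step the rulesets exist but filter nothing.
set interfaces ethernet eth0 firewall in name WAN_IN
set interfaces ethernet eth0 firewall local name WAN_LOCAL

# Source NAT: masquerade LAN traffic leaving through the WAN.
set service nat rule 5010 description 'Masquerade for WAN'
set service nat rule 5010 outbound-interface eth0
set service nat rule 5010 type masquerade

commit
save
exit
```

The filtering comes from the two stateful rulesets bound to eth0, not from the masquerade rule, which only rewrites source addresses on outbound traffic.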