A router's job is to forward data packets from one interface to another. A firewall, by comparison, inspects those packets and adds filtering and blocking on top of forwarding, usually alongside services such as NAT.
The primary purpose of a router is allowing you to take a single internet connection and share it between multiple devices and computers on a network.
It is important to note that, in practice, every firewall discussed here is also a router, but not every router is a firewall.
Routers and firewalls fall into two broad categories, business-class and residential-class, which are further distinguished by throughput and feature set. This article aims to help you make an informed choice when considering a device to use in the future.
Speed
The concept of speed isn't as simple as it sounds. The rate at which a router passes traffic depends on a few things: the physical specs of the router/firewall (for example the CPU and any crypto or inspection offload hardware), and how much work is being done on each packet beyond routing it.
Speed can be classed into three tiers, basic routing (little or no impact), VPN (moderate impact) and NGFW (high impact):
- Basic Routing. This is the straight-up version, "we are doing nothing with your data except passing it on to the world and vice versa", and it results in the fastest speeds because there is no extra per-packet processing.
- VPN. In this scenario, traffic is encrypted when it hits the router and routed to a specific endpoint on the other side. This can have a significant impact on performance and throughput depending on the cipher suite, the number of simultaneously connected VPNs and how much traffic goes over the VPN.
- NGFW, i.e. Next Generation Firewalling. If a router is capable of packet inspection, usually with an additional licence applied, the process of inspecting each packet will again reduce speed. This vital security measure introduces the most significant limitation on router speeds.
Low-end residential routers can often achieve fantastic speeds, but standard business features such as VPN, packet inspection and multiple internet connections (failover or SD-WAN) are typically not supported.
As an example, the ONT supplied by Chorus for its new Hyperfibre product can act as a residential gateway router (RGW), and while it can handle the speeds of this high-speed fibre service, it can’t be configured to support a VPN or act as a firewall.
Read our review of the Chorus Hyperfibre ONT
Feature Set
Most of the differentiators that separate a business-grade router from its residential-grade equivalent come down to the feature set.
The most common features that residential devices don’t support are:
- VPN
- Firewalling
- Centralised management
VPN
When referring to a VPN, there are two main use cases, Branch Office and Mobile Users.
A Branch Office VPN is an IPsec tunnel, an encrypted connection between two dedicated devices. It is most commonly used to secure network communications between two or more offices. There are two designs: full tunnel, where the branch routes all of its traffic through the head office, and split tunnel, where the branch breaks out to the internet locally and sends only head-office-bound traffic over the VPN.
The first option (routing all traffic over the VPN) puts significantly more load on the router and, depending on the model, can restrict your throughput if the router can't encrypt and decrypt IPsec at the same rate as your internet connection.
IPsec VPNs offer more throughput than SSL VPNs, though SSL VPN is common for mobile workers connecting to the office from laptops on the road. The user experience is similar, but SSL VPN performance is significantly lower than IPsec, and SSL VPN gateways are notorious for requiring frequent security updates, which can disrupt users when the device terminating the SSL VPN needs patching.
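As an added example (not from the original article, and not Lightwire's or Fortinet's own configuration), the two branch-office designs above expressed as FortiGate CLI, since FortiGate is the platform the article names. Interface names, addresses (RFC 5737 and RFC 1918 ranges), prefixes and the pre-shared key are placeholders; replace them with your own. Both the split-tunnel and full-tunnel pieces are shown so the difference is visible; applying only the first phase-2 selector and the 10.0.0.0/8 route gives a split tunnel, adding the second selector and the default route turns it into a full tunnel.

```fortios
# Phase 1: IKEv2 from the branch WAN to the head-office gateway (placeholder peer).
config vpn ipsec phase1-interface
    edit "to-hq"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw 203.0.113.1
        set psksecret "replace-with-a-long-random-psk"
        set comments "Branch to head office"
    next
end

# Phase 2, split tunnel: only branch LAN <-> head-office prefixes are protected.
# Everything else is NATed straight out of wan1 by the normal outbound policy.
config vpn ipsec phase2-interface
    edit "to-hq-split"
        set phase1name "to-hq"
        set proposal aes256gcm
        set dhgrp 14
        set auto-negotiate enable
        set src-subnet 192.168.10.0 255.255.255.0
        set dst-subnet 10.0.0.0 255.0.0.0
    next
end

# Phase 2, full tunnel: the selector is widened to 0.0.0.0/0 so every packet from
# the branch LAN is encrypted. The router's IPsec throughput, not the WAN speed,
# now caps the whole connection.
config vpn ipsec phase2-interface
    edit "to-hq-full"
        set phase1name "to-hq"
        set proposal aes256gcm
        set dhgrp 14
        set auto-negotiate enable
        set src-subnet 192.168.10.0 255.255.255.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end

config router static
    # Split tunnel: send only head-office prefixes into the tunnel interface.
    edit 10
        set dst 10.0.0.0 255.0.0.0
        set device "to-hq"
    next
    # Full tunnel: default route into the tunnel, preferred over the WAN default.
    edit 11
        set dst 0.0.0.0 0.0.0.0
        set device "to-hq"
        set distance 1
    next
    # Keep the IPsec peer itself reachable via the WAN (placeholder next hop),
    # otherwise the full-tunnel default route would try to send IKE/ESP into
    # the tunnel it is meant to build.
    edit 12
        set dst 203.0.113.1 255.255.255.255
        set device "wan1"
        set gateway 198.51.100.1
    next
end

# A tunnel interface passes nothing without a policy; allow branch LAN -> HQ.
config firewall address
    edit "branch-lan"
        set subnet 192.168.10.0 255.255.255.0
    next
end
config firewall policy
    edit 20
        set name "branch-to-hq"
        set srcintf "internal"
        set dstintf "to-hq"
        set srcaddr "branch-lan"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

A matching policy in the reverse direction (HQ to branch) is needed for traffic initiated from head office, and in a full-tunnel design the head-office firewall must also NAT the branch's internet traffic out of its own WAN.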
Firewalling
Firewalling and the impact this crucial component can have on performance is often determined by a business’s appetite for risk and approach to security.
Next Generation Firewalling (NGFW) is often a licence added to business-grade devices such as Fortinet's FortiGate. It unlocks a host of security features: automated threat protection, full SSL visibility through decryption and inspection, gateway anti-virus, intrusion prevention, application and web control, and more.
One key thing to take into account is that by turning on all these features you will be well protected, but you are highly likely to reduce the throughput of your device. Enabling every feature, deep SSL inspection in particular, can take a 1Gbps internet connection down to 30Mbps in some instances, so check the vendor's published throughput figures for the features you intend to enable rather than the headline firewall throughput.
Basic firewalling, such as specifying which ports and protocols are open or closed, still costs some throughput, but far less than the heavy NGFW components.
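To make the difference between "basic" and NGFW firewalling concrete, here is an added example (not from the original article, and not Lightwire's or Fortinet's own configuration) of the same outbound rule written twice in FortiGate CLI: once as a plain port/protocol policy and once with the licensed NGFW components enabled. Interface and address names are placeholders; the "default" profiles and the "deep-inspection" SSL/SSH profile are the ones FortiOS ships with, and the built-in "HTTP", "HTTPS", "DNS" and "NTP" service objects are used so the policy stays an allow-list.

```fortios
config firewall address
    edit "branch-lan"
        set subnet 192.168.10.0 255.255.255.0
    next
end

# Basic firewalling: permit only the ports/protocols the LAN needs and NAT out.
# Matching is stateful but no payload is examined, so the throughput cost is small.
config firewall policy
    edit 1
        set name "lan-out-basic"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "branch-lan"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "DNS" "NTP"
        set nat enable
        set logtraffic all
    next
end

# Same match, with the NGFW components switched on. Each profile adds work per
# packet or per flow; deep SSL inspection is the heaviest because the device now
# terminates, decrypts, scans and re-encrypts every TLS session it sees.
config firewall policy
    edit 2
        set name "lan-out-ngfw"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "branch-lan"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "DNS" "NTP"
        set nat enable
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set av-profile "default"
        set ips-sensor "default"
        set application-list "default"
        set webfilter-profile "default"
        set logtraffic all
    next
end
```

Policies are evaluated top down and anything unmatched hits the implicit deny, so with both present policy 1 always wins; keep whichever variant you are deploying. A practical compromise is to start from policy 2 with only the certificate-inspection SSL profile and IPS enabled, measure throughput with your real traffic, then add deep inspection for the destinations that warrant it.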
Regardless, our opinion is you should factor firewalling overheads into your planning. Better to be safe than sorry.
Centralised management
One of the biggest features business-grade routers and firewalls (usually) bring is centralised management and reporting for all devices.
Centralised management allows all deployed devices to be controlled from a single location or pane of glass, enabling consistent and rapid deployment of policies and patches to all devices.
At scale, this can save administrators significant amounts of time and improves a business’s ability to respond to threats and remediate issues faster.
Centralised management often also brings aggregated reporting so that you can get up to date information from all the devices at all your locations.
Reporting, however, can also take a toll on the performance of the device. The more information you pull from the device, and the more in-depth that information is, the more resources it needs to compile that data and the more data it must send to the central reporting server.
What about the device itself?
One of the most overlooked components when comparing a residential versus a business router is reliability, support and warranty. All come at a price, but price is often judged only as the cost to purchase the item in front of you today.
Many businesses fail to take into consideration the cost of downtime resulting from device failure, performance degradation or software bugs, all of which occur more frequently in residential-grade devices.
Some router and firewall vendors go as far as offering the end customer remote support for their devices, and others include next-business-day replacement for failed devices, but where business-grade vendors outshine residential most is in releasing updates more frequently to remedy issues and threats.
At Lightwire, we only deploy business-grade hardware. All variants are covered by an SLA that guarantees free next-day device replacement in the event of hardware failure, and unlimited moves/adds/changes performed by the Lightwire Business NOC.
All our engineers are trained and certified by the vendor to ensure all devices are configured correctly, patched promptly and fit for purpose based on requirements and network design. This lets us resolve issues quickly, minimising downtime to your business, so you don't have to worry about the small things.
If you have any questions or need assistance with working out options and requirements, our Sales and Engineering teams are more than happy to assist.