The Difference Between IPsec and Firewalls

====================== DISCLAIMER ====================
This posting is provided "AS IS" with no warranties, and confers no rights.
====================================================

At first glance (and second glance too) IPsec and firewalls seem to fulfill the same technological niche, or at least significantly overlapping niches.

Indeed, this impression is partially true, and it causes some confusion as we battle to understand the subtleties of both technologies. So what are the differences between IPsec and firewalls that make them complementary cousins in the network security world?

What Firewalls Do Best - Centralization
Firewalls monitor incoming and outgoing traffic to determine whether the traffic is allowed. More specifically, firewalls inspect the ports and protocols that the traffic originates from and is destined for, to determine the traffic’s “acceptability” before allowing the traffic through. Basically, firewalls are border guards that check the passports of any packets coming into, or going out of, the networks they are protecting. If they don’t see the right stamps in the passports, they quote the Black Knight from Monty Python and the Holy Grail: “None shall pass!”

Firewalls can be set up and configured quickly, and rules for allowing traffic can be changed easily, without having to distribute policies to every computer as IPsec requires. This makes firewalls a popular choice for network protection.

What IPsec Does Better Than Firewalls - Encryption and Flexibility
However, firewalls do not secure the actual traffic going back and forth - IPsec (using ESP) does. Firewalls protect a network, not specific servers or groups of servers, so they do not have the flexibility that IPsec and server and domain isolation provide. Also, because firewalls are centralized, they can become a traffic bottleneck if you have a lot of traffic going in and out of your network. IPsec, by contrast, is computer-specific: once authentication happens, the rest of the negotiation and traffic is between one computer and another (IPsec doesn’t do multicast). This means that, other than the negotiation phases, IPsec does not significantly reduce the overall traffic efficiency in your environment.

Difference In Default Behavior
By default a firewall is closed unless opened, and it will drop packets until told not to drop them. IPsec, however, has no default behavior - it just sits there doing nothing until you tell it to do something. [In a technical sense, the IPsec service is always running and always doing things, like looking at traffic and then realizing it has no rules to match the traffic against - but this is a lot of busy work until it has an assigned policy on the computer to run against.]

Centralized vs. Distributed
The central and most important distinction between firewalls and IPsec is one of centrality vs. distribution. Firewalls are central and operate on all traffic the same way, whereas IPsec is distributed, and the way you design your IPsec policies and distribute them determines the “distribution of protection” in your environment. [When you use AD to distribute IPsec policies, you are using “centralized distribution” and getting the best of both worlds.]

Cause For Confusion
“But,” the question is, “why do we not have many problems with setting up, configuring and troubleshooting firewalls, but we just can’t get this IPsec thingy figured out?” One part of the answer is that IPsec is highly flexible. In fact, it is this highly-flexible nature of IPsec that can make policy creation and configuration a “nerd” chore. With a firewall you set it up with the standard exceptions and any customizations you need and you plug it in - voila, it is working. With IPsec you have to create rules with filter lists and actions and then add these to a policy, and then distribute them and...
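As an added example (not from the original post), here is the filter list, filter action, rule, policy and assign sequence just described, typed into the legacy netsh ipsec static context on a Windows server; the policy and rule names are constructed for this example, and until the final assign step the computer shows exactly the “no default behavior” described above.

```powershell
# Added example, not part of the original post. Builds a minimal server-isolation
# IPsec policy with the legacy "netsh ipsec static" context. All names in quotes are
# constructed for this example. Run from an elevated prompt on the server being isolated.

# 1. Filter list: which traffic the rule applies to. "me" is this host; mirrored=yes
#    creates the matching outbound filter so replies are covered too.
netsh ipsec static add filterlist name="All traffic to this server" description="Server isolation example"
netsh ipsec static add filter filterlist="All traffic to this server" srcaddr=any dstaddr=me protocol=any mirrored=yes

# 2. Filter action: negotiate ESP. soft=no forbids falling back to clear text with
#    peers that cannot do IPsec; inpass=no refuses unsecured inbound packets.
#    The legacy context only offers DES/3DES and MD5/SHA1 for quick-mode methods.
netsh ipsec static add filteraction name="Require ESP" action=negotiate inpass=no soft=no qmsecmethods="ESP[3DES,SHA1]"

# 3. Policy container. assign=no: nothing is enforced yet.
netsh ipsec static add policy name="Server Isolation" description="Constructed example policy" assign=no

# 4. Rule: ties the filter list and filter action into the policy. kerberos=yes means
#    only domain members can authenticate during IKE, which is what isolates the server.
netsh ipsec static add rule name="Require ESP from domain members" policy="Server Isolation" filterlist="All traffic to this server" filteraction="Require ESP" kerberos=yes

# 5. Only now does IPsec start doing something on this computer.
netsh ipsec static set policy name="Server Isolation" assign=y

# Verify what is active; use "assign=n" on the set command to back it out.
netsh ipsec static show policy name="Server Isolation" level=verbose
```

For domain-wide distribution the same objects are created under IP Security Policies in a Group Policy object instead of on one computer; on current Windows versions the equivalent is a connection security rule in Windows Firewall with Advanced Security, which also supports AES.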

Another part of the answer is that firewall technology is much older than IPsec: its operational “bugs” have been sorted out and its learning curve flattened with time. IPsec hasn’t had enough time in the field for this curve to begin to flatten. Also, IPsec hasn’t gained the type of market share that firewalls have (although it is catching up), so there isn’t as much experience in the field as with firewalls. This means there are fewer experts, fewer newsgroups and blogs, etc.

Thirdly, the similar nature of these two complementary technologies can cause some confusion itself. “Do I use a firewall or IPsec?” is one of the questions being batted about. The answer is “Use both.”

Both Are Important To The Security Of Your Environment
Because you need both centralized protection and flexible protection, you need both a firewall AND domain and/or server isolation using IPsec.