While deploying security solutions, administrators may face the decision of whether to rely on an ACL (Access Control List) or to use a Firewall to secure the LAN network. From a bird's-eye view, it may seem that ACLs filter traffic (mostly LAN-to-WAN communication) just as firewalls do. However, there is more to it than meets the eye: firewalls do much more than traffic filtering.
To start with, firewalls perform stateful inspection, while ACLs are limited to stateless inspection. Stateful inspection is per-flow, whereas stateless (ACL) inspection is per-packet. In other words, the 'state' of a flow is tracked and remembered by a traditional firewall. In fact, firewalls can also understand the TCP SYN and SYN-ACK handshake packets, which an ACL on a router or Layer 3 switch cannot do. In addition to address/port matching and connection state management, many more advanced firewalls can use deep packet inspection to track application-layer behaviour.
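The per-packet versus per-flow distinction above is easiest to see with a small simulation. The following is an added example, not code from the original article: it models a stateless ACL applied to traffic entering the LAN (a constructed rule set in the style of a router's `permit tcp any <lan> established`, which in practice only checks the ACK bit of each packet in isolation) next to a minimal stateful firewall that keeps a connection table keyed on the 5-tuple and admits inbound packets only when they match a flow that an inside host opened. The LAN prefix, the addresses and the packet sequence are all constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed, simplified packet model: 5-tuple plus the two TCP flags
# that matter for the handshake (assumption, not from the article).
@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False

LAN_PREFIX = "10.0.0."  # constructed LAN address range


def is_inside(ip: str) -> bool:
    return ip.startswith(LAN_PREFIX)


def stateless_acl(pkt: Packet) -> str:
    """Stateless ACL: every packet is judged on its own header fields.

    Constructed rule set:
      permit tcp <lan> any                 (outbound traffic from the LAN)
      permit tcp any <lan> established     (inbound packets with ACK set)
      deny ip any any
    The 'established' rule has no memory of prior packets; it can only
    check whether the ACK bit is set on this packet.
    """
    if is_inside(pkt.src):
        return "permit"
    if is_inside(pkt.dst) and pkt.ack:
        return "permit"
    return "deny"


class StatefulFirewall:
    """Stateful firewall: remembers flows opened from the LAN.

    An outbound SYN from an inside host creates a table entry; an
    inbound packet is permitted only if it belongs to an existing flow.
    """

    def __init__(self) -> None:
        self.table: Dict[Tuple[str, int, str, int], str] = {}

    def process(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if is_inside(pkt.src) and pkt.syn and not pkt.ack:
            self.table[key] = "SYN_SENT"      # new outbound connection
            return "permit"
        if reverse in self.table:               # reply to a tracked flow
            if self.table[reverse] == "SYN_SENT" and pkt.syn and pkt.ack:
                self.table[reverse] = "ESTABLISHED"
            return "permit"
        if key in self.table:                   # further packets of a tracked flow
            return "permit"
        return "deny"                           # no matching flow: unsolicited


def run_scenario() -> Dict[str, Tuple[str, str]]:
    """Feed a constructed packet sequence to both filters; return (acl, fw) verdicts."""
    fw = StatefulFirewall()
    packets = [
        ("outbound SYN", Packet("10.0.0.5", 40000, "203.0.113.10", 443, syn=True)),
        ("server SYN-ACK", Packet("203.0.113.10", 443, "10.0.0.5", 40000, syn=True, ack=True)),
        ("unsolicited inbound SYN", Packet("198.51.100.7", 1234, "10.0.0.9", 22, syn=True)),
        ("unsolicited inbound ACK", Packet("198.51.100.7", 1234, "10.0.0.9", 22, ack=True)),
    ]
    results = {}
    for label, pkt in packets:
        results[label] = (stateless_acl(pkt), fw.process(pkt))
    return results


if __name__ == "__main__":
    for label, (acl, fw) in run_scenario().items():
        print(f"{label:26s} ACL={acl:6s} firewall={fw}")
```

The first three packets get the same verdict from both filters. The fourth one is where they part ways: an inbound packet with the ACK bit set but no corresponding outbound SYN passes the stateless ACL, because the ACL can only look at the bit in front of it, while the stateful firewall denies it because its connection table has no flow for that 5-tuple. That is the practical meaning of "state of the flow is tracked and remembered".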
Firewalls can be software or hardware based. Hardware-based firewalls are the preferred choice for large deployments that require dedicated appliances to address security requirements. Unlike firewalls, ACLs are features of routers and Layer 3 devices. Further, ACLs (standard or extended) can control traffic up to Layer 4, i.e. ports and protocols, while firewalls can reach up to Layer 7 (the Application Layer) of the OSI model.
The table below illustrates the differences between ACL and Firewall –