The concept is easy...think about when you travel into another country...the government inspects you (essentially) to verify that you are who you say you are and what you are planning on doing in their country. Now imagine if there were no customs/border patrol - anyone could go anywhere, travel along pre-designed roadways & intersections (routers & switches) and cross boundaries like bridges (NAT), but there would be no security authority to govern what you did, where you went, and what your intent was. Basically, if you cannot inspect traffic, then what good is your security?
Firewalls/UTM (Unified Threat Management) devices are not synonymous with NAT or routers. Yes, firewalls are security appliances & are always needed/essential at the Gateway! Their sole duty is to inspect ingress/egress traffic looking for threats and/or violations of policy. Without a firewall, how would one protect against the following:
- Encrypted payloads such as Ransomware, Zero-Day attacks
- Rogue Services within the network such as blocking outbound DNS except for Authorized servers
- Flood attacks
- PoD (Ping of Death) attacks, provided you need to allow ping on the WAN interface (for monitoring, etc.)
- TCP State Manipulation DoS
- DoS (Denial of Service)
- DNS Rebinding attacks
- IP Spoofing attacks
- Intrusions
- Malware & Spyware
- Botnets attacks
- Geo-IP attacks
- Content-related attacks from the LAN (HTTP Proxy, Avoidance Systems)
- Application behavior & control in all zones: being able to thwart SSLv2, SSLv3 and SSLv3.1/TLS1.0 traffic, and to stop specific applications outside of your authorized app library
You need a firewall to provide inspection as a security baseline, which should include, at the very, very minimum, DPI (Deep Packet Inspection) & SSL-DPI (inspection of encrypted traffic). Routers & switches were never designed to be security appliances with these capabilities, and neither was NAT.
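To make two of the listed controls concrete (outbound DNS allowed only to authorized resolvers, and legacy SSLv3/TLS1.0 handshakes blocked), here is a small added example of an egress policy evaluator with default deny. It is illustration written for this page, not any vendor's firewall code; the LAN range, resolver addresses and sample flows are constructed assumptions.

```python
"""Added example: ordered egress rules with default deny, run over constructed
flows. Not a real firewall; the addresses and flows below are made up."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed assumptions: the internal LAN and the only resolvers it may query.
LAN = ip_network("10.0.0.0/8")
AUTHORIZED_RESOLVERS = {ip_address("10.0.0.53"), ip_address("10.0.1.53")}
# ClientHello handshake versions to block: SSLv3 = 3.0, TLS1.0 (SSL 3.1) = 3.1.
# SSLv2 uses a different record format and is rejected as "non-TLS" below.
LEGACY_TLS = {(3, 0), (3, 1)}

@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    proto: str            # "udp" or "tcp"
    payload: bytes = b""  # first bytes the client sends, if any

def client_hello(major: int, minor: int) -> bytes:
    """Constructed minimal TLS record + ClientHello header carrying a version."""
    return bytes([0x16, 3, 1, 0, 0x2F, 0x01, 0, 0, 0x2B, major, minor])

def tls_client_version(payload: bytes) -> Optional[tuple]:
    """(major, minor) from the ClientHello handshake header, or None if not TLS.
    Simplified: a real DPI engine also parses the supported_versions extension,
    since TLS 1.3 clients advertise 3.3 in this field."""
    if len(payload) < 11 or payload[0] != 0x16 or payload[5] != 0x01:
        return None
    return (payload[9], payload[10])

def egress_verdict(f: Flow) -> tuple:
    """Evaluate rules top to bottom; anything unmatched is dropped."""
    src, dst = ip_address(f.src), ip_address(f.dst)
    if src not in LAN:
        return ("drop", "not an egress flow from LAN")
    if f.dport == 53:  # rogue DNS: only the authorized resolvers may be queried
        if dst in AUTHORIZED_RESOLVERS:
            return ("allow", "authorized resolver")
        return ("drop", "outbound DNS to unauthorized server")
    if f.proto == "tcp" and f.dport == 443:
        ver = tls_client_version(f.payload)
        if ver is None:
            return ("drop", "non-TLS traffic on 443")
        if ver in LEGACY_TLS:
            return ("drop", "legacy TLS %d.%d" % ver)
        return ("allow", "modern TLS to web")
    return ("drop", "default deny")
```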