With those facts in mind, most organizations choose to use a router as the first perimeter defense, implementing a simple rule set that blocks all unwanted traffic. For example, if the only acceptable inbound traffic is HTTPS and VPN activity, you could write a simple router rule set that allows those two ports (to any address) and blocks everything else. The firewall would then be responsible for more granular filtering, determining which specific hosts may receive HTTPS and/or VPN traffic, for example, and performing advanced analysis, such as stateful inspection and/or application-layer filtering.
It's possible, however, to bypass this norm. One approach that I've seen attempted in smaller organizations is to use only a firewall, dropping the router entirely. In that scenario, the firewall performs routing functions for the network. The primary benefit to such an approach is that it simplifies the environment, providing only one device that must be managed. It's not, however, a scalable design, as the cost quickly becomes prohibitive as network throughput rises.
This was first published in February 2009