Sun Jan 02, 2022 8:07 pm
There are two aspects - what a "firewall" actually means and what is the convenience of the administration.
A stateful firewall looks into the network layer of the packets but not into the application layer. So you can drop attempts of devices in the internet to actively initiate a connection towards devices in your LAN, and you control connections the devices in distinct LAN segments can establish to each other. And it is the way this is configured (and the level of abstraction in defining zones, and the number of pre-cooked traffic classification rules) what makes the difference between the different vendors' products.
But when it comes to malware being added to the web page of a compromised web site, or delivered within an e-mail message, it is not a task for an L3/L4 firewall - you either need an application layer firewall (which RouterOS does not provide) or an "anti-virus" software on the endpoint. Since most of the web sites of today use HTTPS (HTTP over TLS), and also most e-mail clients use TLS-encrypted protocols, the application layer firewall and/or "anti-virus software" have to decrypt the communication in order to be able to scan the actual payload for malware. Which effectively means the so-called "man in the middle attack", where an entity standing in the data path between the two endpoints of a secure communication pretends to be endpoint A towards endpoint B and vice versa. To facilitate this specifically for TLS, it uses a root CA certificate trusted by the endpoints to sign ad-hoc certificates it uses instead of the original ones to sign the re-encrypted traffic.
So it is a double-sided sword - on one hand, it is the only way to detect malware before it can become a file at the target, on the other hand, it breaks the privacy of users, often including passwords (because why should the user credentials be transported securely at application layer if the whole connection is encrypted).
And another point, malware is typically identified by signatures, and hence the system needs periodic (daily) updates by information from malware analysts, hence there's a subscription to cover the costs of this neverending work.
So it depends on what other security software you use - if you already have an endpoint anti-virus that inspects web and e-mail, you may not need the same functionality packed into a box called firewall.
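As an added illustration of the stateful L3/L4 behaviour the post describes (this is not part of the original post or of any vendor's default configuration): a minimal RouterOS filter set that accepts return traffic, drops connections initiated from the internet, and restricts what one LAN segment may open towards another. The interface names (ether1, bridge-lan, bridge-iot) and the interface-list names are assumptions.

```routeros
# Constructed example; interface names and list names are assumptions.
/interface list
add name=WAN comment="upstream / internet side"
add name=LAN comment="all local segments"
/interface list member
add list=WAN interface=ether1
add list=LAN interface=bridge-lan
add list=LAN interface=bridge-iot

/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
add chain=input connection-state=established,related action=accept comment="return traffic of connections the router itself opened"
add chain=input connection-state=invalid action=drop comment="packets that belong to no known connection"
add chain=input in-interface-list=WAN action=drop comment="nobody on the internet may open a connection to the router"

# --- forward chain: traffic passing through the router ---
add chain=forward connection-state=established,related action=accept comment="replies to connections the LAN devices opened"
add chain=forward connection-state=invalid action=drop
add chain=forward connection-state=new in-interface-list=WAN connection-nat-state=!dstnat action=drop comment="drop WAN-initiated connections unless explicitly port-forwarded (dst-nat)"

# --- segment control: IoT may reach the internet but may not initiate towards the trusted LAN ---
add chain=forward connection-state=new in-interface=bridge-iot out-interface=bridge-lan action=drop comment="IoT segment cannot open connections to trusted LAN"
# (bridge-lan -> bridge-iot is still allowed, and the replies come back via the established,related rule)
```

Note that every rule above matches only on addresses, ports and connection state, which is exactly why it can say nothing about a malicious file inside an HTTPS page or a TLS-encrypted mail session.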